In this age of digital information with smartphones, smartwatches and cloud computing, data breaches have become all too common. These breaches create serious risk for employers and employees alike, not to mention customers, who may lose valuable information and suffer irreparable harm.
Although many states have enacted data breach protection laws, which are frequently amended as technology advances, there is no comprehensive federal legislation protecting individuals and consumers.
In the wake of the Yahoo breach, in which information from at least 500 million user accounts was stolen (including names, addresses, telephone numbers and passwords), there is a renewed call in Congress for legislation to create federal standards for data security, protect individual privacy, guard against identity theft and penalize businesses for failing to adequately protect consumers’ personally identifiable information.
Thus, HR and employers must be proactive and take concrete steps to prevent cyber breaches from occurring. Here are six tips to stop these security risks in their tracks:
1. Implement and Enforce Policies to Protect Information
It is critical to develop, implement and enforce policies targeted at minimizing the risk of a cyber breach, including:
• Confidentiality policies;
• Privacy policies;
• Mobile device policies;
• Policies regarding social media and internet use; and
• Policies relating to business ethics and employee conduct.
These policies should identify the information an employer views as confidential, including, but not limited to, financial, business, scientific, technical, economic or engineering information. The policies should also advise employees and supervisors how this information must be secured and protected, as well as the limited circumstances under which it may be disclosed. In addition, the policies should be distributed to all employees and made a part of the employee handbook.
2. Utilize Confidentiality Agreements
Employers should use confidentiality and nondisclosure agreements that obligate employees and supervisors who access confidential information to keep this information secure and remind them that they will face disciplinary action for disclosing it. Confidential information may extend to information belonging to the employer, such as business methods and plans, intellectual property, marketing plans, financial statements, customer lists and sources, pricing strategies, and research and development.
An employer is also obligated to keep employee information confidential and secure. Such information includes, but is not limited to:
• Credit reports;
• Social security numbers;
• Driver’s license information;
• Personnel files; and
• Health and medical records.
Confidential information also may include customers’ confidential and proprietary information such as credit card data and purchasing records.
3. Train Employees and Supervisors
The importance of training cannot be overstated. Employees who regularly work with private and sensitive data belonging to customers should be trained on how to safeguard it and how to report security breaches. Training should begin during the onboarding process and continue throughout the employee life cycle. Supervisors and employees should be warned about the dangers of:
• Using personal email addresses for work-related communications and vice versa;
• Using the same passwords for all accounts;
• Opening emails from unknown senders;
• Clicking on suspicious links;
• Sending private and confidential information in an unencrypted form;
• Failing to keep mobile devices secured; and
• Mixing personal and work-related data and information.
4. Conduct Background Checks
As part of the hiring process, HR and the employer should ensure that thorough background screenings are conducted and should look for any past signs of fraudulent or dishonest conduct that may present a potential threat to the employer. This is especially important if the individual will be able to access private and confidential information as part of their job duties.
However, in conducting any background checks, an employer should be aware of “ban the box” laws and other legislative efforts aimed at limiting an employer’s ability to access criminal history information.
5. Monitor the Workforce
HR should consistently monitor the workforce to ensure that employees are complying with confidentiality obligations, especially when using employer-provided equipment and networks that hold confidential information. However, in conducting any monitoring, the employer must be sure not to infringe upon employee rights to engage in activity protected under the National Labor Relations Act.
6. Conduct Exit Interviews
HR should be sure to conduct exit interviews with departing employees and supervisors, and make sure that any equipment, smartphones or other technological devices that allow access to private and confidential information are returned to the employer at the end of employment and that the departing individual’s access is revoked. Additionally, employees should be reminded of any continuing obligations stemming from confidentiality agreements or restrictive covenants.
What steps does your organization take to protect confidential digital information and privacy rights, and to minimize the risk of a cyber breach? Please share by leaving a comment below.