One of the many costs of doing business in this day and age is the threat of a data breach. In the past several years, data breach incidents have occurred with increasing frequency. From Target to eBay and Sony to Ashley Madison, cybercriminals have caused much consternation among organizations, governments, and consumers. While protection of consumer data is a critical issue for any entity, organizations are remiss if they do not focus on protection of employee data as well. Protection of employee data should not be seen as a benefit of employment, but rather as a requirement from the first employee hired to the last employee terminated, and everyone in between. Given the often sensitive nature of employee data, it is a category of information which requires protection from external cyberattacks, internal malicious actors, and innocent human errors.
Organizations obtain and store, among other things, employee social security numbers, birthdates, home addresses, medical and health records, and now even biometric data from wearable devices. The critical mass of employee data means cybercriminals are more interested in, and quite capable of, launching a variety of attacks on organizations, often directly through employees, in an attempt to access the information. Moreover, the prolific use of multiple devices by employees, as well as the increase in BYOD policies, means there are more access points to data, many of which are not secure. These realities come together to form a perfect storm, resulting in innocent mishaps or intentional attacks carried out with increasing ease and frequency.
Data breaches can be attributed to cyberespionage, denial-of-service attacks, insider attacks, phishing schemes, and human error, to name a few. No matter the type of attack, organizations need to ensure they are doing everything in their power to protect employee data. Employee Relations Manager at McManis Faulkner, Cathy Reeves, advises that “employees’ personal data must be kept safe, secure and up to date. Access to personal information should be limited only to those people in your company who have a legitimate need to know.” A failure to do so could result in adverse consequences for the organization and its employees: improper use of the employee data, litigation resulting from damage to employees or from failure to notify when required, and financial harm from both that litigation and post-breach recovery efforts.
Confucius said, “A man who does not think and plan long ahead will find trouble right at his door.” This could not be more true in the context of data security. Planning and taking a proactive approach to data protection requires, at a minimum:
- Knowledge of data types, locations, and access points;
- Knowledge of who has access to particular types of data—current and former employees;
- Strong internal policies and protocols regarding sensitive data;
- Implementation of and employee training on internal policies and protocols regarding sensitive data;
- Employee acknowledgment regarding authorized and unauthorized access to and usage of sensitive data;
- Frequent internal security audits, monitoring and testing of data infrastructure;
- Patching of any vulnerabilities in data infrastructure; and
- A data breach incident response plan.
The above list is not meant to be exhaustive, nor reflective of all that is necessary to prevent a data breach. The list does, however, demonstrate that protection of employee data is a task which requires thought and planning, executive-level involvement, and a unity of effort across departments within an organization. With a proactive approach and a proper plan in place, organizations are in a better position to provide employees with the requisite level of protection for their sensitive data.
Neda Shakoori is an associate at McManis Faulkner whose practice focuses on high-technology law matters. She is also the firm’s eDiscovery practice lead, where she provides management, consulting and oversight on all eDiscovery matters for the firm and the firm's clients.