Original post benefitspro.com
When a cyber breach occurs, lawsuits are usually not far behind. It’s a chain of events that has become de rigueur in the consumer realm when retailers experience a breach and it is bleeding over into the workplace, too.
Employees whose data is exposed are increasingly pointing the finger at failings in the technology employers use to secure their information and lapses in protocols that allow vulnerabilities to be exploited.
Who is responsible if your employees’ personal information is stolen on company time? Where do the company’s obligations begin and end under duty of care laws? How might state and federal breach regulations affect an organization’s proactive and reactive data security efforts?
How a breach happens and how the company responds both play a major role in determining the potential legal ramifications. To mitigate the risks, it is critical for HR professionals to understand their responsibilities before a cyber criminal strikes.
Many employers aren’t even aware of either the enormous security risks their organizations face or the best strategies to protect the employee data they hold.
Ensuring that employers have access to the right tools and expertise to address data breach concerns is an important role for benefits managers and the brokers and agents who support them.
Know the risks, have a plan
Financial information is what comes to mind most frequently when businesses consider where breach risks exist, but that thinking is too narrow. It overlooks the incredible value inherent in employee data. Not only does financial information lurk within HR’s employment records in the form of salary histories and bank routing numbers used for automatic deposits, but standard consumer data is also present.
Full names, birth dates, addresses and Social Security numbers exist in every employee’s file. Health and benefit data may be present, too, such as carrier names, subscriber numbers, or details on beneficiaries and dependents. And where there’s smoke, there’s fire: the same servers and systems that host employee and customer data likely hold data pertaining to trade secrets, M&As, business plans, and more. All the more reason to get your company’s cyber strategy in gear.
Adding complexity to the situation is the fact that employers must be concerned with two types of data breaches — those that are the result of a purposeful act, such as a hacker or a malicious insider, and those that occur by accident. Lost laptops and cell phones are just one common example where an inadvertent exposure could easily happen.
Each flavor of breach represents a different risk profile and each requires its own mitigation measures. A two-pronged approach to breach prevention that marries technology and best practices enables employers to address any existing security gaps while also providing improved protection for employee data.
Deploying technology tools to safeguard sensitive information assets is one part of a comprehensive data security strategy that keeps employers in line with duty of care laws and other breach regulations.
Firms have a range of solutions to choose from and they should tailor their approach based on their network and infrastructure architecture, the information types that are vulnerable to exposure, the volume of data that must be protected, resource availability — from funding to staffing — and any regulatory guidelines or compliance mandates that must be considered.
Encryption is a perfect example of a technology that is relatively simple, but still enormously effective when it comes to securing employee data. Free and low-cost encryption platforms are available which can help to protect confidential information from unauthorized access even if a hardware item (thumb drive, laptop, etc.) falls into the wrong hands.
Other technology tools may also be appropriate depending on the employer’s needs, including firewalls, mobile device management software, and multi-factor authentication to protect access to more sensitive systems.
Security best practices are the second half of a successful data protection strategy. These protocols largely deal with the ways humans interact with the organization’s information, and they also cover what to do in the event of a breach. Employers will want to manage network and data access in a way that limits who is able to view and change employee information.
Methodologies for storing, processing, analyzing, archiving, and destroying employee data should be documented in detail and anyone responsible for those tasks must be trained on the organization’s security practices.
An incident response plan is another best practice employers should include under the data security umbrella. This doesn’t need to be an exhaustive plan, but it should outline the steps employees are to take if they suspect a breach has occurred — everything from blocking access to compromised servers to contacting the company’s privacy or information security employee or consultant.
A strong plan can significantly limit the potential harm that is likely to fall upon any employee whose data was exposed. And as risks evolve, so should the incident response plan – it should be a living, breathing part of a comprehensive cyber strategy with routine reviews.
Retain the right expertise
Another concern often faced by employers, particularly those smaller organizations where internal resources are lean, is that they don’t have good insight into the evolving cyber threat environment and the latest data protection strategies.
Efforts to craft, deploy, and maintain an effective privacy and security program are made more difficult when industry expertise is lacking. Without a strong understanding of where security vulnerabilities exist, or which new threat vectors are likely to be of concern, employers could find themselves directing their limited resources in too many directions and without much effect.
Because many breach scenarios involve little or no technology — hard copies of completed enrollment forms accidentally left in a shared conference room, for example — simply turning responsibility for data privacy over to the IT function isn’t going to work. It’s important that employers are able to seek guidance from someone experienced in data protection in all its forms.
Continuously educate the front line
Employees themselves may pose potential security challenges, so continuous training is essential to protect a company’s own data and that of its customers. Companies should consider implementing educational sessions about new scams and privacy and security refreshers as part of their annual compliance training.
By partnering with employees to help protect their data, the organization can maximize its technology investment and ensure that everyone is committed to the company’s culture of security.
Social engineering schemes are increasingly popular among hackers, effectively turning the workforce into either an employer’s first line of defense or its greatest weakness.
The most recent spoof comes courtesy of a company’s top executive — or so the scammer wants you to think. An employee will receive a request from the CEO — either by way of a hacked email account or an email address that closely resembles the real thing — to cough up documents, usually W-2s. With a few clicks, data on countless of the company’s employees has been exposed.
Rather than react quickly, employees should be trained to follow a simple rule: if you see something, say something.
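The executive-impersonation pattern above (a lookalike or hijacked sender asking payroll for W-2s) can also be caught by a mail-filter check before it reaches a person. The following is an added example, not code from the original article or from any vendor it mentions; the corporate domain, executive list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example: the corporate mail domain and the
# executives whose identity a W-2 request is most likely to borrow.
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"ceo@example-corp.com": "Jane Doe"}
# Phrases that mark a request for payroll or tax records.
PAYROLL_PATTERN = re.compile(r"\bW-?2s?\b|social security", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance; a lookalike domain is usually one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def body_text(msg):
    """Collect the text/plain parts of a message (or the whole body if not multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def assess(raw_message):
    """Return the list of reasons this message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    if name.lower() in {n.lower() for n in EXECUTIVES.values()} and addr not in EXECUTIVES:
        reasons.append("display name matches an executive but the address is not theirs")
    if domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} is a lookalike of {CORP_DOMAIN}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append("Reply-To points somewhere other than the From address")
    if PAYROLL_PATTERN.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        reasons.append("asks for W-2 or Social Security data")
    return reasons

# Constructed sample: a spoofed request using a digit-for-letter lookalike domain.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: urgent.ceo@mail.example
To: payroll@example-corp.com
Subject: Quick favor

Please send the W-2s for all employees as PDFs today.
"""
```

A message that trips several of these checks is a candidate for quarantine or for the "say something" escalation the article recommends, rather than for a quick reply.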
Identity management
Along with taking appropriate security measures internally, employers may also consider offering identity-related benefits to their employees. These packages bring a powerful suite of tools to the table that provide workers with proactive education and reactive support. Informational resources teach individuals how to spot corrupt websites and suspicious e-mail links.
They give details on what to look for when conducting annual credit report reviews. And workers concerned their personal data may have been exposed — whether at work or through a health care provider, retailer or other avenue — have access to identity theft experts able to help them navigate the resolution process.
The fraud team can assist them in replacing important documents that may have been lost due to theft, fire or flood. They can even monitor known black market websites to see if an employee’s stolen data is being used fraudulently.
Together, these strategies give employers a way to keep employees’ information safe while providing workers with assurances that they’ll have the support they need if the worst should happen.