Employers say they are unlikely to stop working with consumer credit reporting agency Equifax Inc.—even after it failed to stop cyber thieves from stealing personal data from 143 million Americans.
That's because corporations depend on the analytics Equifax collects on salary history for workers nationwide.
"In the wake of the breach announced last month, Bloomberg News contacted the 40 largest U.S. employers—representing some 12.5 million workers—and asked if they would continue dealing with the service, which helps them with unemployment claims, employment eligibility and tax credits. None said they will sever existing ties," Bloomberg reported.
Companies use data from Equifax and other credit bureaus to check candidates' credit as a condition for employment—a common practice that some employment attorneys advise against.
(Bloomberg), (SHRM Online)
Choice Words for Equifax from Congress
Meanwhile, during a hearing before members of Congress on Oct. 3, committee members questioned the company's former CEO Richard Smith closely over his responsibilities at Equifax and "indicated that tighter data security standards are long overdue," The Washington Post reported.
One of three major businesses that track the credit records of nearly every American, Equifax sells people's sensitive data to employers, creditors, banks and other clients. Employers sometimes use the information to check on potential employees.
The chairman of the House Energy and Commerce Committee, Rep. Greg Walden (R-Ore.), called Equifax's reaction to the breach "unacceptable" and "ham-fisted." Other lawmakers agreed.
"In a dramatic exchange, Walden held up a thick stack of paper, which he said was an Equifax credit report, and asked Smith how such a sophisticated company responsible for so much data could allow the breach to occur," the paper reported. How, he asked, does this happen?
(The Washington Post), (The Telegraph)
IT Employee Blamed
Smith, who apologized profusely, told lawmakers repeatedly that the data breach was caused by an employee's error.
The New York Times reported that Smith said the breach was caused by an "individual in Equifax's technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach. A company spokesman did not respond to questions about that employee's status with the company."
Breaches of this type are preventable, yet most companies don't regularly train their employees on how to safeguard employee data, experts say.
Fewer than half of in-house counsel (45 percent) said their organizations require employees to take training on how to prevent cybersecurity breaches, SHRM Online reported. It's a startling statistic given that human error accounts for more than half of security lapses.
(The New York Times), (SHRM Online)
[SHRM members-only toolkit: Record-Keeping Policy: Safeguarding Social Security Numbers]
Lesson for HR: Train Employees
Breaches of any type should serve as a reminder for HR professionals that they must be more mindful about protecting their employees' data.
Smith, 57, had been Equifax's CEO for 12 years before he announced his retirement late last month.
Cybersecurity, experts told SHRM Online, is "not something that should be bottled up in IT" but should involve the board as well as the C-suite, said Adam Levin, founder and chairman of Arizona-based IDT911, an information security firm. Organizations need "an entirely new corporate culture where security is part of the fabric of that culture." An executive should make certain sensitive employee data is restricted, encrypted and isolated from other files.
HR should also make sure employees practice good cybersecurity hygiene.
"Training employees on company security policy when onboarding or annual training is not enough," said Stu Sjouwerman, CEO of KnowBe4, a cybersecurity firm. "To be most effective, use anti-phishing tools to frequently test employees on a variety of types of subjects and times, then follow up with remedial training for anyone who fails."
In addition to testing employees, he recommended that employers: