This is the third in a three-part series of articles on data security. This article explains how to organize a cross-functional security team. The first part analyzed employees' role in data protection, and the second part focused on how to limit data-breach risks in portable devices.
Protecting company information and devices may seem like a task best fit for the IT department, but an effective data-security program includes collaboration with human resources and leaders across the organization.
Businesses of all sizes and industries need to safeguard their proprietary information, as well as employee and customer data. Depending on the size of the organization, responsibility for data security can fall on compliance, technology, finance, legal or HR, said Danielle Vanderzanden, an attorney with Ogletree Deakins in Boston. "Identifying the appropriate players within your organization is an essential first step."
HR and business unit leaders should work together to give IT information about the employees who are authorized to access data and the permissible scope of access, said Philip Gordon, an attorney with Littler in Denver. They also need to promptly inform IT when an employee no longer needs access or leaves the company.
Stephanie Rawitt, an attorney with Clark Hill in Philadelphia, recommended setting up a task force to respond to data-security emergencies. "There are a lot of moving parts, so the task force should prepare an action plan before there is an event," she said.
The team should consider contacting cybersecurity and public relations specialists, as well as employment counsel, in the event of a serious breach, as businesses may need to respond to public scrutiny and comply with applicable state data-breach notification laws.
"It's a dynamic landscape," said Danielle Urban, an attorney with Fisher Phillips in Denver. "Things are changing quickly, data-breach news keeps coming, and large breaches can cost millions, even for a small employer."
Developing the Team
Company leaders should identify participants from IT, HR, legal and other business units who are committed to the data-security program and have time to participate, Gordon said. "Designate a chairperson who will make sure that tasks are accomplished and meetings are set with a productive agenda."
Team members should meet frequently to discuss changes in technology that might increase risks and update policies and processes accordingly, he added.
Team members should also take an inventory of the resources within the organization and ensure that all employees understand that keeping information secure is a daily battle, Vanderzanden said. Although members typically come from various departments, they should have a common objective: ensuring that the organization has the tools, training and resources necessary to protect information.
Start by including as many departments as possible in the discussion, and figure out what data they store and which employees can access information, Urban recommended. "It's better to be over-inclusive at first to try to understand every possible source of data."
Any contracts with vendors that handle sensitive data—such as payroll and benefits providers—should have a robust information-security clause, Gordon said. HR, IT, legal and procurement should work together to ensure that prospective vendors take appropriate measures to protect information.
"It's really important to think about what policies are in place," Urban said. "Compliance can get complicated if you operate in more than one state or even just have customers in more than one state." Consider hiring a consultant to come up with a data-breach plan if no one internally has time to do it, she added.
The data-security team should interact with employees throughout their time with the company. "During the onboarding process, employers should obtain employees' written agreement to protect employer confidential information and any personally identifiable information to which they may have access," Vanderzanden said.
During employment, HR and IT should work together to provide periodic training to employees about information security, Gordon noted.
Ideally, HR and IT will work together to keep a complete, current and accurate inventory of data access and use, and of any devices workers use for business purposes, Vanderzanden said. "Such an inventory is critical in the event of litigation."
When employees leave, they should return all company-issued equipment and delete all confidential business information from their personal devices, Gordon said. Employers should consider conducting exit interviews to ensure that departing employees are following the appropriate procedures.