Regaining Employees’ Trust After a Data Breach

By Bill Leonard Mar 5, 2015

As more details about several high-profile cyberattacks come to light, the affected employers are discovering that the long and laborious road to recovery begins with rebuilding employee trust.

While damaged employee trust is a casualty that many business leaders may be reluctant to acknowledge publicly, it is crucial for employers to react quickly and demonstrate to their staffs that protecting personal and sensitive data is paramount.

“The worst thing an employer can do in this situation is react in a panic mode and act like there was no plan or strategy to respond to a data breach,” said Matthew Tokarz, senior corporate recruiter for Instant Alliance, a Chicago-based management consulting group. “An employer must be proactive in this case and show that the organization’s leadership is committed to ensuring that its information systems are secure.”

Communication Is Key

If a data breach occurs, communication to every person on staff is vital. The communication must clearly explain what happened and, above all, it must tell employees how the breach will affect them.

“Good and accurate communication really is the most important part of the equation here,” Tokarz said. “If employees believe you’re not being upfront with them or, worse yet, if they discover that you didn’t tell the complete truth, then you will end up facing much bigger issues down the road”—such as a complete loss of employee trust.

Once trust is gone, it is very hard to get it back, according to Tokarz. He explained that he has received numerous phone calls from employees of an employer hit by a recent massive cyberattack.

“The question that they have all asked me is ‘What should I do to make sure that my information is protected?’ ” Tokarz said. “My advice typically is ‘Talk with your employer and express your concerns and ask for an assurance that they are committed to resolving the issue.’ The bottom line here is that the employees calling me apparently lost faith in their employer’s ability to provide a safe and secure network and then do anything about the problem.”

A complete loss of trust can be extremely difficult for an employer to bounce back from, and a recovery of that trust won’t happen overnight, either.

“It takes time to rebuild trust, and it also requires a lot of effort,” Tokarz said. “And employees should be informed of every step in the rebuilding process.”

To safeguard any new security measures, communication doesn’t have to be overly specific, but the message must make it clear that a plan is in place and that every effort is being made to provide the best protections possible, Tokarz added.

Recruiting Damage

If employee trust is a casualty of a cyberattack, the organization will inevitably face the daunting challenge of attracting and hiring top-level talent to the organization.

“An organization’s recruiting function will most likely suffer some damage, too,” Tokarz said, “because if employees don’t believe a company’s IT [information technology] system is secure, then job applicants are going to have the same doubts—maybe even more so.”

Again, communication is the key to adjusting job applicants’ attitudes and addressing any negative perceptions, Tokarz asserted.

“Be upfront and acknowledge that the company has faced a challenge and is committed to resolving any problems,” Tokarz said. “The worst thing an employer can do is try to sweep the problem under the rug and hope applicants don’t notice. It should be all about demonstrating that the organization has taken a proactive stance and will remain vigilant.”

Commit to a Proactive Stance

Taking a proactive stance should involve much more than just paying lip service to the importance of securing data, Tokarz said. Employers should back up their words with a solid security plan. According to cybersecurity experts, these plans should include regular employee training, a complete security analysis of an organization’s IT system and formation of an organizational IT security committee. The committee should meet regularly to review and update the company’s safety and security protocols.

“Training for employees should be a regularly scheduled event—maybe once a month,” Tokarz said. “It doesn’t have to be an intensive all-day training session, but instead a rundown and reminder of the organization’s technology safety protocols and procedures.”

In addition, he recommended that an organization’s security committee meet at least once a month—or even once every two weeks. The organization’s HR function should play a pivotal role by providing the communications link to all employees.

“If your goal is to rebuild and maintain the trust of your staff, then none of this can be behind closed doors,” Tokarz said. “Have HR report on what the IT security committee is doing and how they’re working to protect everyone’s critical information and data. The key here is to demonstrate to employees the organization’s commitment to having safe and secure information systems.”

Many employers are now hiring outside certified cybersecurity experts to analyze and test the vulnerabilities of their IT systems. Tokarz agreed that it’s a good idea to have these experts attempt to hack your system. He added that if rebuilding and maintaining trust is an employer’s goal, employees should know that the cybersecurity experts are on the job.

“Again, you don’t have to spell out every detail on what vulnerabilities the security experts might identify,” Tokarz concluded. “It’s just important to let employees know that the security checks are being made and that any bugs or security lapses in the system will be identified and corrected. All these steps can go a long way in making sure employees feel secure and trust that the company is doing its best to protect them.”

Bill Leonard is a senior writer for SHRM.​


Job Finder

Find an HR Job Near You
Post a Job


Join us for the largest and best HR conference in the world, June 23-26, 2019 in Las Vegas.



Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect