Employees Are Key to Curbing Data-Breach Risks

This is the first in a three-part series of articles on data security. The first article examines employees' role in data protection. The second part will discuss how to limit data-breach risks in portable devices, and the third part focuses on cross-functional security teams.

Every state has a data-breach law that requires businesses to send out notifications when customers' or employees' personally identifiable information (such as a Social Security or bank account number) is exposed—whether on purpose by hackers or angry employees, or by a worker's mistake. "We hear about big data breaches by external hackers, but the majority of problems happen inside the organization," said Danielle Urban, an attorney with Fisher Phillips in Denver. Employees who have access to confidential information might accidently leave a company-issued smartphone on a coffee-shop table or unwittingly respond to a phishing scam. Other times, disgruntled employees may deliberately expose an organization's private information.

Develop a Program

Since workers are reportedly the top source of security incidents, employee engagement is essential in combatting data breaches, said Danielle Vanderzanden, an attorney with Ogletree Deakins in Boston.

Employees need to know how to recognize threats and should feel comfortable reporting any incidents to head off a breach or trigger a notification mandate.

Philip Gordon, an attorney with Littler in Denver, recommended that employers take the following steps to establish a culture of data-security awareness and compliance:

• Conduct thorough pre-employment screening to avoid hiring individuals who pose a risk to personal information.
  
• Require employees to sign confidentiality agreements to reinforce the importance of protecting information.
  
• Provide periodic information-security training to new hires and current employees, focusing on identifying phishing scams and protecting portable devices.
  
• Limit access to personal information to those employees who need the information to perform their job.
  
• Develop information-security policies designed for line employees, not just IT.
  

Employers should also ensure that departing employees return all company-issued equipment and delete all confidential business information from their personal devices and accounts, Gordon said.

Comply with State Law

Businesses need to ensure that consumer and employee data are safe and know when security threats must be reported.

The vast majority of state data-breach laws apply only to limited categories of information, Vanderzanden said. In most states, personally identifiable information (PII) consists of a first name or first initial combined with a last name and a:

• Social Security number.
  
• Driver's license number.
  
• Bank account, credit card or other financial account number.  
  

In the past few years, many states have added categories of protected PII, including medical information and any account information in combination with a personal identification number or password.

A main goal of these laws is to compel businesses to focus on prevention. Therefore, all state laws have a safe harbor, under which an organization is not required to provide notice of compromised information if the data is encrypted and if the decryption key is not included with the compromised information.

Many states require businesses to notify the state's attorney general or other government authorities in the event of a data breach. But most state laws require notification only if the breach could harm the affected individuals, Gordon noted. 

[SHRM members-only HR Q&A: What are some best-practice approaches to safeguarding employee data?]

Although state information-security laws have some similarities, they generally differ in their definitions of PII, what constitutes a breach and who must be notified. For example, Colorado's statute defines a breach as the "unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by a covered entity." Hawaii's statute notes that unauthorized access to encrypted records does not constitute a breach unless such disclosure includes the encryption key.  

California, Connecticut and Delaware require the compromised business to offer identity protection services to affected individuals.  

Alabama and California laws protect e-mail and other accounts when the disclosure includes enough information to provide access to people other than the account owner.

Employees are the gatekeepers of personally identifiable information, so they should be trained on security and protection measures, including phishing awareness, Vanderzanden said.

Three-Part Approach

"Employers should focus on three pillars of security: technical security, physical security and employee training," Vanderzanden said. Technical security includes using firewalls and strong password settings, restricting downloads, encrypting data and monitoring for attacks. Physical security includes locking files, offices and rooms that contain sensitive information or servers, and limiting physical access to the workspace by key card, physical key or biometric data. 

Businesses must further ensure that workers have access only to the data they need to perform their jobs, she said. 

Employees should know how to spot suspicious activity and what to do if they accidently click on a link, hit a button or go to a website that may put employer data at risk, said Stephanie Rawitt, an attorney with Clark Hill in Philadelphia. "It's important for employers to have good policies and to educate employees."

Workers should also be encouraged to take the steps necessary to prevent other employees from disclosing information, Vanderzanden said. "This includes reporting suspect activities."

It is critical to have a data-breach response plan in place before an incident occurs, Urban noted. "If you haven't thought about how you would react to a data breach, you won't be prepared when it happens." 

Part 2: How to limit data-breach risks in portable devices