6 Ways HR Can Help Prevent a Data Breach

Employees are an organization's first line of defense against and response to cyberattacks—which have become widespread in recent years. HR, in particular, can play a critical role in protecting sensitive information and minimizing employer liability.

Data breaches can lead to enormous liability, said Danielle Vanderzanden, an attorney with Ogletree Deakins in Boston. Some losses are easy to calculate, such as time spent on help desk activities, investigations and legal defense. Other losses are harder to quantify, such as reputational damage to the business. But it's clear that the costs can be staggering: The average total organizational cost of a data breach in the United States is $7.35 million, according to a 2017 study.

[SHRM members-only HR Q&A: How can I ensure my company protects personal employee information?]

Whether a worker intentionally sold customer data, unintentionally left a laptop on a train or carelessly left boxes of medical records unattended in a high-traffic area of a hospital, employers can wind up paying millions of dollars in damages.

So what can HR do to mitigate these costs? In large part, data security is an issue for the technology department, but HR professionals can help ensure that effective programs are in place, Vanderzanden said at the 2018 Society for Human Resource Management Employment Law & Legislative Conference. Specifically, HR can lead the way by:

1. Knowing who is hired. Protecting personally identifiable information (PII) starts with properly vetting job candidates who will have access to sensitive information: those being considered for HR, payroll and finance positions, to name a few.
   
2. Accounting for equipment. During the onboarding process, employers should complete a checklist so that they have a record of all the equipment each employee receives. Then, at the time of separation, the checklist should be consulted to ensure that all equipment is returned and workers don't walk out of the building with sensitive information.
   
3. Training employees to spot issues. Workers may not always know how to identify an issue—such as a phishing scam through which a cybercriminal sends an e-mail that looks like it came from someone in the company. An employee may quickly respond to the message and divulge personal information that can be used to access payroll and other information. Employees should be trained on how to identify scams and also should know what to look for in a legitimate company e-mail, such as a standard signature line, a photo of the sender and a company e-mail address.
   
4. Encouraging workers to speak up. When a breach or attempted breach occurs, employees who handle PII must feel comfortable stepping up and notifying the appropriate staff. This is essential for resolving the situation, but also because employers must provide certain notices when information is compromised.
   
5. Carefully crafting BYOD policies. Bring-your-own-device (BYOD) policies may turn into bring-your-own-breach policies in practice, Vanderzanden said. The more mobile the device, the easier it is for an unauthorized person to walk away with the device and any sensitive information that is stored on it. If employers are going to have a BYOD policy, they should have written policies about what will happen if the device is lost or stolen and what will happen upon termination of employment. Among other things, they should also have a procedure for remotely wiping data from the device.
   
6. Building a culture of compliance. Representatives from different business functions—such as IT, HR, security and finance—should work together to ensure that data security measures are ingrained in the organization's practices. Moreover, compliance and cooperation must start in the C-suite. HR can play a role in influencing senior management about the importance of having everyone in the organization follow security procedures.
   

Check State Laws

HR professionals should note that state laws are the primary source of potential identity-theft liability for employers. "State laws in this area are a patchwork collection and are neither uniform nor completely consistent," said Patrick Fowler, an attorney with Snell & Wilmer in Phoenix, in an interview with SHRM Online. California and Massachusetts have been more active than other states in passing data privacy legislation, but virtually all of the states have data breach notification laws at this point, he noted. Employers should make sure they know what is required under relevant state laws.

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.