Skip to content Skip to footer

Protecting Employee Information — What is a Company’s Responsibility?

employee-information

When employees go to work, they expect to be in a safe place where their security is the number one priority. After all, workers are the life-blood of any organization, so naturally, their comfort should be a top priority. However, unfortunately, some risks cannot be avoided without intervention.

When an employee is hired, they provide a lot of personal data in the form of social security numbers, addresses, phone numbers, tax info, and the information of their emergency contacts. If that employee information were to be leaked to a cybercriminal or a disgruntled employee, the damage could be catastrophic. Luckily, there are many processes that businesses can enact today to prevent a cyberthreat and protect their employees.

The Importance of Employee Privacy

The importance of keeping private employee information secure cannot be understated. Any information stolen from their private files can be used for nefarious purposes. Hackers can sell social security numbers on the black market or use them to secure loans that could put your employees in debt. Even a phone number can be used as a stepping stone to finding additional private employee information on the internet.

But, you cannot just trust that your company will never be hacked because no business is ever totally safe. While, understandably, large corporations are a treasure trove for hackers because of the sheer amount of employee records that are up for grabs, on the other side of the coin, small businesses are sometimes more at risk.

The issue with small businesses specifically is that they usually do not have the large IT teams or the budget needed to defend against data theft, so they become prime targets for hackers. Some studies show that one of every five small businesses becomes a victim of cyberattacks, and when you factor in the cost of employee lawsuits, reputation rebuilding, and the time needed to rebuild your systems, the damages could balloon to millions of dollars. Big enterprises can front that cost. Small businesses can’t.

Keep in mind that protecting employee data is not only important from an ethical standpoint, but it is also the law. During the lawsuit of Dittman v. UPMC in 2018, for example, the supreme court ruled that employers have a “common law duty” to protect employee data because when they collect employee information, they create the potential for a data breach. The court ruled that the company may be ruled negligent in the case of an intrusion.

Anticipate and Backup

The facts about cybercrime and data breaches can be downright startling, so a company should do everything in its power to stay ahead of potential risks to protect their employees and their financial interests. The most important beginning component of any security protocol is to start with a risk assessment. This assessment will include all potential risks that could impact your business.

Whether it is a malfunctioning server, a natural disaster that brings down your systems, or a malicious hacker, you want to be prepared for anything. A risk analysis will account for all of these threats, rank them by most likely to least likely to occur, and implement a plan of action to mitigate the damage in the case that the issue does come to fruition. A team should be created to develop potential solutions and then educate all necessary employees on their part in the scenario.

Another preemptive measure is to have active backup systems in place, either in a separate server room or secured in the cloud. In the event of a breach, you will want to be able to restore your data as quickly as possible. All servers should also be encrypted, so employee and customer information cannot be read even if a breach does occur.

Proper Employee Training

It is the responsibility of the company to ensure all employees receive training on the proper protocols needed to prevent the risk of a cyber breach. One of the more common ways that hackers try to gain access to company systems is through the use of phishing emails, which target employees specifically. Essentially, these are emails that look like real communications, but once the user opens the attachment or clicks the included link, it opens a door for the hacker into the business’s infrastructure.

Companies should train employees on some of the common signs of phishing emails, including:

  • An email address that looks familiar but is off by a digit or uses symbols instead of letters.
  • The subject or body of the email is littered with misspellings.
  • An included link or attachment that the employee was not expecting.
  • Scare tactics like an email that appears to be from the boss, a bank, or another authority figure.

Employees should also be instructed on how to properly secure their workstations. Complex passwords should be used that include a combination of letters, numbers, and special characters. Workers should also be instructed to lock their computers every time they walk away so another employee or office visitors cannot access their computer without their knowledge.

Avoid Internal Threats

If a data breach does occur, it may not always be a stranger that is causing the damage. Instead, it could be a current or past employee who may be stirring the pot. This is why it is extremely important to maintain secure records. Electronic employee files should also be stored on a private system with access only for those with the proper authority.

If your business still operates with paper files and filing cabinets, then you will want those to be secured in their own file room with keypad access that allows only authorized personnel to enter. When the paperwork has exhausted its use, it should be properly shredded and then taken off-site by a professional shredding company. Keep in mind that every business has rules for how long paperwork should be retained, with many experts recommending a retention period between 2 to 7 years depending on the type of document.

Meanwhile, employers should be just as wary of ex-employees who may feel they were wronged in their termination and want to get back at the business or their previous coworkers. When a worker is fired or resigns, it is essential that your IT team eliminates all access points by disabling their passwords, deleting accounts, and reclaiming all company-owned property, including computers and modems. It is also wise to shut down associated email accounts so they cannot send those aforementioned phishing emails to current employees in an attempt to steal their data.

Regardless of the industry, no employee should need to worry about data theft or identity fraud while they are in the safe confines of their job. As an employer, it is paramount that their security comes first so you can retain a happy and fulfilled workforce.

Go to Top