HR Professionals: Simple Steps That Can Help Your Company Avoid Becoming A Data Breach Headline
December 20, 2013
By: Robert J. Munnelly, Jr.
Information Security and Privacy Group News
In this age of data, protecting personal information (defined as name plus social security number, driver’s license number and/or financial account number) has become a major issue for many companies. Nearly every day, media headlines draw attention to security breaches and the huge costs, both financial and reputational, that can result. State laws in Connecticut and Massachusetts, as well as federal statutes, require that businesses safeguard personal information and protected health information and impose penalties for failing to do so.
While the headlines typically involve security breaches at large companies (recent examples include Target, J.P. Morgan Chase and LinkedIn), smaller institutions are not immune from risks. One major area of exposure for all companies is the human resources department, which maintains and must safeguard employee personal information. If your H.R. department has not already assessed its security risks and implemented procedures for minimizing those risks, your business is at risk of an expensive and embarrassing security breach. Here are some basic steps that all H.R. departments need to take:
- Inventory personal information in your possession: Knowing exactly what personal information your company possesses and where it is located is vital to accurately assessing your information security risks.
- Develop/Know your company’s information security plan: A written information security plan is legally required for all businesses holding personal information of Massachusetts residents and a great idea for all businesses. If you don’t have one, develop one. If you do have one, prioritize employee training. The plan will be of no use if employees who deal with personal information on a day-to-day basis are not following the plan.
- Restrict access: Access control is a basic but crucial component of information security. Think about who has access to all hard copy and electronic files with personal information and protect these files using privacy or encryption settings or locked file cabinets. Only those who need access should have it.
- Police your vendors: Since most businesses provide employee personal information to vendors, including benefits administrators, payroll companies and others, it is critical for each business to investigate and assess its vendors’ ability and willingness to adequately safeguard such data. Failing to do so puts the company at risk and raises compliance concerns. Notably, Massachusetts law requires that all businesses confirm “by contract” that vendors will comply with laws concerning the protection of personal information. Whether legally required or not, you should make immediate efforts to amend vendor contracts to ensure the adequacy of vendor data protections and to specify available remedies in the event of a breach.
- Gather less information: All personal information that comes through the door is a source of potential liability and therefore must be protected. Becoming as “lean” as possible can help your business minimize risks. For example, one easy step to reduce exposure is to collect social security numbers only from applicants you intend to hire rather than from all potential candidates.
Failing to comply with laws and regulations concerning the protection of personal information can lead to investigations and fines from government authorities. More importantly, noncompliance can lead to embarrassing and expensive security breaches. Taking basic, commonsense steps to safeguard personal information in your possession can go a long way towards avoiding these risks.
If you have any questions about the information contained in this Alert, please contact your Murtha Cullina attorney or a member of our Information Security and Privacy Group.