Anyone who thinks the human resources department only handles hiring has severely underestimated the scope of HR’s job. In a typical company, the HR team might serve dozens of functions, even playing a critical role in the company’s security structure. Human resources collects a great deal of personally identifiable information (PII) from employees, and it’s largely the HR team’s responsibility to protect that sensitive data from cybercriminals and internal breaches. It’s a big job, but hey – if anyone in your organization is prepared for a challenge, it’s HR.
Protecting Personally Identifiable Information: It’s the Law
Preventing PII breaches isn’t only important because it’s in the best interest of your company’s employees. It could also be a matter of law. At least 25 states now have data security laws specific to private entities. Several Northeastern states are among them.
In Massachusetts, regulation 201 CMR 17.00 protects the personal information of all residents. Any entity that owns or licenses a Massachusetts resident’s PII is required to protect that information from breaches. Under this law, personal information is defined as a resident’s first name or initial and last name, in combination with the resident’s Social Security number, state-issued ID card number or any financial account information. Even if your business isn’t located in Massachusetts, you’re required to protect any such information you hold about Massachusetts residents.
Connecticut, Rhode Island and Vermont also have personal information security laws on the books. In New York, a proposed law would require companies to establish new safeguards around personal data security, and would give consumers the right to request the names of anyone with whom their data is shared. As data security laws are expanded around the country, companies may have even more complicated responsibilities around information security.
Train Employees on Best Practices for Device Security
PII theft can happen in any number of ways. Often, these breaches are caused by employees themselves, who inadvertently leave company data vulnerable to outsiders. That data is often accessed through an employee’s devices. Don’t assume that these breaches are primarily caused by shadowy cybercriminals typing away in darkened rooms. After all, for most people, stealing a physical device is easier than hacking a database.
Some devastating security breaches have resulted from employees misplacing their devices or having them stolen. In 2005, the Social Security numbers and other data of 5,800 Eastman Kodak employees were compromised when a company consultant’s laptop was stolen from his car. Thefts like these may not be motivated by corporate espionage; they’re often just crimes of opportunity. Someone sees an unattended device and grabs it, having no intention to steal sensitive data related to a company’s employees. But because your company can’t be sure how a thief will use any information they find, even a crime of opportunity has to be treated as a potential data breach.
The HR team can work in several ways to make sure all employees protect personally identifiable information. HR might oversee the distribution and use of company devices, weed out job applicants who have been lax about data security, and routinely train employees on information security best practices. If the company has an IT department, HR might work side by side with it on this training. Your HR team might also educate new employees on any relevant data security laws.
Emphasize Security in Your BYOD Policy, Too
If your company allows employees to use their own personal devices for work purposes, you probably already have a BYOD (bring your own device) policy. Because these devices may be used to access company files, the HR team needs a comprehensive and clearly defined security policy around how they may be used.
What procedures should employees follow when connecting to WiFi networks outside the office, for example? There is also an important IT component in making sure employees handle sensitive data responsibly on their personal devices. Will employees be required to install device management software on their devices? Do they have to allow the employer to install tracking and remote-wipe software, in case a device is lost?
Provide Functional Phishing Training
Some estimates say that about 90 percent of cyberattacks are launched through successful phishing attempts. It only takes one employee clicking on one fraudulent email to potentially grant a cybercriminal access to personal information stored on your company’s servers. These attacks are frequently successful because so many workers don’t know how to identify phony emails, and because the criminals who craft these emails know how to appeal to their audience.
HR can help employees avoid these scams by providing training on common and current phishing techniques, and on what steps employees should take if they receive questionable messages. The Federal Trade Commission provides resources about phishing. Some companies also run simulated phishing tests to see how likely their employees are to be tricked by fraudulent links.
The human resources team is on the first line of defense in protecting a company’s personally identifiable information. As both cybercriminals and information security practices constantly evolve, HR has to stay informed and ready to act in the company’s best interest. Join our upcoming webinar, The Intersection of HR & Information Security, on Wednesday, March 25 at 1:00 PM EST. Our team is always here to help with all of your hiring questions; contact us today.