Organizations also need to recognize that an employee data breach carries legal risk similar to the breach of customer data. If an organization’s response to a data breach is handled incorrectly, employees could file a class action lawsuit.
Recent news of high profile data breaches impacting internal corporate files shines a light on the severity of a data breach that impacts employee personal information. Preparing for employee data loss takes careful consideration, and organizations should be thinking about how to plan ahead to protect themselves and their employees by incorporating specific tactics into their data breach response plan.
Risks associated with employee data loss
Data breaches that impact employee records present a specialized threat due to the sensitive type of information organizations keep about their employees. The type of data a human resources department holds is often very personal in nature and could include health information, employee addresses as well as Social Security and financial account information. When employee data is targeted, it can have significant, longer-term impact than simply a stolen credit card number resulting in fraudulent charges which can be rectified with the card issuer.
Loss of usernames and passwords is also a concern because this type of data can be used to overcome authentication-based workarounds to access other confidential information. Additionally, an employee data breach tied to a government agency could allow someone to create a synthetic ID to steal sensitive government information, including patents and trade secrets. Organizations also need to recognize that an employee data breach carries legal risk similar to the breach of customer data. If an organization’s response to a data breach is handled incorrectly, employees could file a class action lawsuit. When employee data is breached, organizations need to work quickly to protect their employees and account for any lost company information.
How organizations can prepare
As companies rely on their employees to serve as advocates outside the workplace, after a data breach it is important that organizations are prepared to communicate in an upfront, transparent and personal manner and provide proper identity theft protection services.
Employees are typically more active and engaged in resolution following a data breach. Depending on the type of data lost, organizations can expect a significantly higher redemption rate for protection services offered compared to a customer data breach. Companies need to take this into consideration and plan in advance to ensure their call center and online forums are prepared for the type of volume anticipated. Supplementary resources such as internal discussion forums can help support online services and provide employees with an easy and direct way to access information.
Specific to communications, it is important to consider who is sharing information and how it is being disseminated throughout the company. In addition to a formal announcement from executive leadership, companies might consider hosting public forums or an internal hotline for employees to ask questions. Organizations also need to take into account how they will notify former employees who may be impacted by a data breach. Every corporate structure is different and will require special considerations for how to best engage employees, but all companies should leverage internal resources and consider conducting face-to-face communications, such as internal town hall meetings, to connect directly with employees and share resources available.
By incorporating specific response tactics and internal communications approaches into the plan in advance, organizations can feel confident they are adequately prepared to respond to an incident of any kind.
In addition to being upfront and honest about the realities of a data breach, organizations need to be prepared to communicate what employees should and should not be discussing publicly in order to avoid potential media leaks and protect brand reputation. Ensure employees understand what resources are available to them and what proactive steps they need to take to protect themselves in the wake of a breach.
Update data breach response plans
While more organizations than ever now have a data breach incident response plan in place, companies should think critically about whether they’ve accounted for different types of data loss, including both customer information and employee records. Without the proper structure of a comprehensive response plan, companies struggle to manage and recoup from a breach of employee data. By incorporating specific response tactics and internal communications approaches into the plan in advance, organizations can feel confident they are adequately prepared to respond to an incident of any kind.
photo credit: AFGE Environmental Protection Agency Council 238 July 2013 Training via photopin (license)