HR Policies & Procedures

Halloween Week’s Scariest Possibility for Business: Data Breach

The scariest thing this week may not be what can happen on the streets, but what can happen around your personnel files.

With Halloween this week, ghouls and goblins are all around us. But it doesn’t take a special day for mischief-makers to show up in the workplace. And the trouble they can cause goes far beyond soaping windows and overturning trash cans.

One such troublemaker worked on a maintenance crew cleaning an office in which a company CEO’s employment contract had been left out on a desk. The cleaner copied the CEO’s personal information and cleaned up in his own way … selling the data to thieves who opened credit card accounts in the CEO’s name.

Another was a temporary employee involved in setting up insurance policies for 100 employees of a large, nonprofit organization. The temp used the workers’ personal data in an identity theft scheme. The nonprofit organization then had to correct the credit of its victimized workers, at a cost exceeding six figures.

Both these instances are examples of “data breach,” the theft or improper disclosure of employee personal information. For HR people, the safekeepers of such data, it’s a new and frightening worry.

The impact of data breach goes beyond financial.

“It’s a nightmare for morale,” too, says security consultant Philip Deming, SPHR, writing in HR Magazine. “If an employee’s information is stolen … they will tell everyone they know about HR’s incompetence. They will take enormous amounts of time off … [one study shows an average of 182 hours … to repair credit, for emotional rest, and for the trial]. It takes a very long time to recover from a personal breach.”

Data breach also imposes legal burdens on employers. At least 22 states and New York City have data breach laws, and a federal law is in the offing. The laws differ in what information must be protected, but they generally require employers to quickly notify employees of any theft or improper release of personal information. Existing federal laws, such as HIPPA, ADA, EEO, and the Fair Credit Reporting Act (FCRA) also have data protection elements.

The answer, of course, is to not lose the data in the first place. Experts say that sophisticated countermeasures help, but more often it’s just a matter of common sense. Here are some of their suggestions:

–Do not collect any personal data you really don’t need. One example: driver’s license numbers, which Donald Harris, of HR Privacy Solutions in New York, calls “the legal equivalent of radioactive.”

–Keep file drawers locked and set computers to revert to password-needed status if idle for more than a few moments. Change passwords and access codes often.

–Identify workers with employee numbers, not their Social Security numbers.

–Lock the HR office whenever not occupied by authorized personnel, even if they just leave to go to the restroom. Best solution, writes Deming, is to have only the HR director and one other executive as keyholders for the HR office and files.

–Have a senior person present whenever offices are cleaned or serviced.

–Change locks and passwords immediately if a key person quits or is terminated.

–Never discuss personal information in an email or by cell phone. Hold all sensitive discussions behind closed doors.

–Check your files several times a year to see who has accessed them.

–For sensitive documents, remember that “once you’ve read it, lock it up or shred it.”

–Develop a plan to handle breach if it happens, including notification steps, and investigative and reporting procedures.

–Finally, document all the above in company policy, and make one person responsible for ensuring compliance.