AS IDENTITY theft continues growing, one of the main treasure troves that criminals covet is employee data. After all, it typically contains your staff’s personally identifiable information and other information that should not fall into nefarious hands.
This kind of data theft can happen through brute force hacking, e-mail phishing campaigns and even your own employees making off with the data. Appropriated personally identifiable information can be sold on the dark web or used by the thieves themselves to steal people’s identities, open credit accounts and even bleed their bank accounts dry.
If someone does gain access to personnel files, you could be on the hook for penalties, responsible for notifying all affected parties and expose yourself to legal liability.
Fortunately, there are steps you can take to keep your employees’ information from falling into the wrong hands.
1. Keep your records secure
Start with the low-hanging fruit: Paper records. Files containing personal information should be kept in a sturdy filing cabinet or secure location, with access limited to the individual who is chiefly responsible for maintaining the files and one member of upper management.
Make sure that data on servers is protected with a password that only staff who need to access information can reach. Have secure servers that use encryption. Stay on top of patches for your software.
2. Set policies and procedures
Have in place policies and procedures for handling the information. It should start with which data the company will protect and how it will be protected.
You should prohibit employees from copying, sending, viewing or using personal employee information without authorization.
Policies should state who is authorized to access the information, and the consequences of accessing it if not approved.
Put policies in writing and disseminate them among your staff.
Consider holding a meeting to go over the policies, including the steps you take to protect their data.
3. Restrict access
Permit access to employee files on a need-to-know basis only.
For example, a manager should have access to their subordinates’ employee performance metrics, number of absences from work and performance reviews. But they should not have access to their Social
Security numbers, medical history, insurance information and other private information that Human Resources may keep.
4. Keep an access log
Keep a log of each time someone accesses files containing sensitive employee data.
The information collected should include who accessed the data, when they accessed it and why. Keeping this log may require purchasing new software that can track these functions.
You should review the logs regularly to identify any suspicious activity.
In case of breach
If you learn that someone may have access employee records without authorization (either an insider or outsider), you should investigate the incident immediately.
If you discover one of your staff has access the files, you should discipline them in accordance with your policies.If they broke the law, it should be reported to law enforcement.
Inform all affected employees accordingly and offer to pay for credit monitoring for them.
Depending on the circumstances, you may be required to notify regulators. It would be wise to call your attorney to find out what your obligations are under state laws.
It’s paramount that employers take all steps necessary to protect their employees’ sensitive information.
Failure to do so could lead to identity theft, and a degree of financial liability on your part.
You may even be sued for failing to protect the information.