“We’ve been the victim of a cyber-attack”
By: Paul Ebeltoft
After making sure that it has your undivided attention, the company that has been hacked turns down the volume. “As of now, there is no evidence that the cyber-attackers obtained confidential information.” Now you are really worried. This company is trying to have you believe that, even though they got in where they were not supposed to be, the crooks didn’t do anything bad with your personal data. As if to confirm your suspicion that the company is flimflamming you, its letter closes with “Even so, you need to monitor your credit report for unauthorized activity.”
I don’t know about you, but I’m a pretty cautious guy. I don’t give out personal information willy-nilly. I avoid giving credit card information to questionable businesses. Nonetheless, it seems that I am getting a “we’ve been hacked” letter once a month. Reputable businesses and government entities are coughing up my social security number, my date of birth, my mother’s aunt’s middle name and my credit card number to cyber-thieves with jaw-dropping frequency. Worldwide, the number of security breaches is huge. One enterprise security firm, Gemalto, estimates that there were 1,500 events in 2014 with over a billion data records stolen. The wholesale mining of personal data by computer bandits has been so great that most of us have been anesthetized. We file the notification letter and carry on.
But the numbness is starting to wear off, being replaced by a sense of outrage. Free access to identity protection services paid for by the custodians of personal data that didn’t guard it well enough just isn’t good enough anymore. Knowing that, when your data is used by a mobster in Kiev, you get free credit repair is cold comfort. Many, like the fourteen million federal employees who lost their data to cyber-theft this past month, are starting to think “this is negligence,” and are suing.
This article is to encourage HR professionals to help protect your business from what may now seem inevitable: someone with bad intent grabbing important data from behind your firewall.
How can HR fight cyber-theft?
Think of all the personal identifying data that your HR department stores digitally. Are you in charge of protecting it? Probably not. This is likely the job of your IT department or of an out-sourced consultant. Do you know what protections they have put in place? A surprisingly high number of HR professionals don’t know. Here are some steps you can take to increase your own knowledge and, along the way, help your company:
• Learn the basics of how your system works and specifically learn who is in charge of protecting it.
• Identify what the most critically important data is for your company and its employees.
• Find out where the most critical data is stored and how it is protected. Argue for a higher level of protection for this data if your current protection is one-size-fits-all.
• Argue for use of randomly generated passwords to access critical data.
• Help create an incident response plan.
• Help create a template of notification that meets North Dakota and federal requirements, but that avoids the jargon and hollow promises we are all becoming inured to.
Another issue that is usually not in HR’s portfolio is insurance coverage. Because of the sensitivity of employee data accumulated and stored electronically by you, it is a legitimate HR function to remind your management team to consider buying cyber liability insurance. Whether your company has already bought or is just investigating cyber insurance, here is a short list of key questions you should ask:
• Does the plan cover the cost of investigation of privacy breaches?
• Does the plan cover the cost of notifying your employees or your customers of a breach?
• Does the plan cover the costs of your public relations campaign to restore faith in your company’s ability to handle sensitive data?
• Does the plan cover the disruption to your business and lost income due to loss of data or the inevitable interruption of your ordinary work after a breach?
• Does the plan defend against claims brought by employees or customers whose data is compromised?
• Will the plan indemnify if your company is found even partially at fault for the breach?
• Will the plan cover your company if it outsources protection duties and the breach was caused by vendor conduct, whether negligent or intentional?
• Will your policy cover data stored in non-owned servers or in the cloud?
Yes, computer security breaches may be today’s new normal. But by learning some basics and asking the questions outlined above, HR professionals can play a key role in protecting company data and protecting the company if the data is stolen.
Our interest in serving you
My law firm’s goal is to give understandable information and to foster discussion about real-life issues facing human resource professionals. If we are not achieving that goal or if you would like us to address other employment law issues, please email me at email@example.com. We promise to take your comments and ideas to heart.
(Otherwise known as “the fine print”)
I make a serious effort to be accurate in my writings. These articles are not exhaustive treatises, though, so do not consider them complete or authoritative. Providing this information to you does not create an attorney-client relationship with my firm or me. Do not act upon the contents of this or of any article on our homepage or consider it a replacement for professional advice.
Reprinted with permission from an article submitted for publication in the July, 2015 Southwest Area Human Resource Association newsletter.