Recent large data breaches involving the loss of sensitive employee information signal a shift in the security landscape. Hackers are no longer focusing solely on credit card information and financial data to sell on the black market. Instead, cyber thieves driven by different goals are now targeting a wider variety of information, from password credentials and employment records to potentially damaging email exchanges that could be used for blackmail or to damage brand reputation.
Preparing for incidents of this nature requires organizations to rethink the types of data they secure and what it means to prepare for a data breach. In today’s world, businesses need to think broadly about fostering a security culture across the board, and know how to communicate effectively if an incident affecting more than customer data does occur.
Based on experience servicing some of the largest data breaches to date, Michael Bruemmer, vice president, Experian Data Breach Resolution, compiled five considerations organizations need to take into account to properly prepare for an employee data breach. First and foremost, it is important to keep in mind that employees are arguably an organization’s biggest asset, and therefore require different considerations than other audiences potentially affected by a breach.
Preparing for an Employee Data Breach
The following are five factors organizations should consider when dealing with an employee data breach, as identified by Michael Bruemmer, vice president, Experian Data Breach Resolution.
Loss of Sensitive Data
Second only to the data behind child identity theft, sensitive employee data is among the most damaging types of information that can be lost in a breach. Because of the unique records housed within the HR department, an employee data breach can expose a far wider range of information than a credit card number or username/password alone.
Preparing for an employee data breach takes more than increasing investment in IT security. It also means having a strong data breach response plan in place that accounts for the specific type of data that may be lost.
Though companies have an ongoing relationship with customers, their relationship with employees is even more critical, because employees are expected to be advocates outside the workplace. Security executives should be involved in how their organization communicates with employees in an upfront, frank and personal manner. It is also important to consider who is delivering what message, and when. For example, in addition to a notice or memo from executive leadership, companies may look to host town hall discussions where managers can speak directly with their teams about the issue.
From a public relations perspective, consider whether it makes sense to proactively share the breach with the media or to maintain a reactive-only response following an incident. In the case of an employee data breach, it is more important to prioritize direct employee communications over external communications with the media. However, companies should be prepared for the media to ask for comment if the issue becomes publicized.
High Redemption Rate for Protection Services
Depending on the type of data and organization breached, the loss of employee information can result in a significantly higher redemption rate for identity theft protection services. Because employees are typically more active and engaged than customers after a data breach, security professionals must work with colleagues to plan for this in advance and ensure their call center and online forums are prepared for a higher volume of requests.
Don’t Forget Former Employees and Compliance
As with any data breach, it is important to work with legal counsel to ensure you are meeting requirements to protect those affected and to prepare for the possibility of a class action lawsuit. Unfortunately, it is not uncommon for companies to store outdated records from previous employees. Because of this, companies need to be prepared to communicate with and protect both current and former employees who may be affected by a data breach.