Stories of breaches that expose customer and client data are enough to make any business owner lose sleep night, but too often we neglect the risk to employee data -- the home addresses, social security numbers, and other sensitive information we hold on employees -- that hackers would love to get a hold of. That information is just as vulnerable, and protecting employee data needs to be your next top priority.
Failure to properly address your risks will almost guarantee a cyber attack. Here’s the information and planning you need to protect yourself.
Aren’t we already taking care of this?
That’s the unfortunate assumption among officers, owners, and board members who blindly rely on their IT departments, internal or external, to take care of cyber threats with a firewall and antivirus software -- a cheap and quick solution but entirely unreliable. A recent national survey showed just 38% of CEOs and 23% of board members were “highly engaged” in cybersecurity at their businesses. This is despite heavy financial risks, with the cost of all data breaches in 2017 estimated at nearly $2 billion.
Larger corporations can normally weather the financial impact from a data breach, and they have the resources to limit them. But, small and medium-sized firms -- firms large enough to have a significant amount of useful data on their networks but not big enough to staff their own IT departments or routinely train staff in safe practices -- often see a huge blow to their finances and reputation. It is, perhaps, even more important that their business leaders be highly engaged in security.
What laws apply?
While most U.S. laws concern the business-consumer relationship (22 states have laws in place that address aspects of data security beyond simply alerting the public when breaches occur), a recent Pennsylvania Supreme Court ruling recognized a common law duty that employers have to provide “reasonable care” with employees’ personal information. This ruling came on the heels of a class-action lawsuit filed by employees of the University of Pittsburgh Medical Center after hackers gained access to the personal information of some 62,000 former and current workers.
What’s “reasonable care”? It certainly is a broad term with no real specifics, so it’s likely left to interpretation. That’s the tricky part. Likely, you could satisfy the reasonable care requirement by using the cybersecurity framework provided by the National Institute of Standards and Technology (NIST). That would at least partly protect you from litigation.
So what can employers do now?
Protecting against litigation is one thing. What can you actually do to prevent the attack?
For starters, firms must be proactive and pay close attention to their own cybersecurity policies and procedures. At the very least, you should be taking stock of what sensitive information is on your network and consulting with IT professionals -- again, internal or external -- on how to protect it. Don’t let price be your only motivating factor here. Sometimes, you get what you pay for, and this is not an area you can afford to skimp on. Note that your IT strategy should also contain an action plan -- the “what we’ll do if we get hit” plan of action.
Beyond that, employees should be trained on the signs of phishing scams or malware in their email, as well as proper password management and other best practices. Legal counsel can also help craft a security policy that addresses the cybersecurity laws that apply to the business’ home state(s).
Lax protection for employee data may also give hackers a convenient backdoor into all data on your server, putting your employees and your entire business at risk for theft. The time to act on this is now.
