HR Data Security: Anticipating, Avoiding and Responding to Data Breaches
- Gather Information on Your Obligations
  For every state in which the company operates or may operate (remember, applicant information is protected under the laws of their home state), collect information on breach law. In particular, investigate how each state defines a breach and what each requires in terms of notification. Who qualifies as an affected individual, when must they be notified, and how must the company do it? Are state agencies or regulators involved?
  NOTE: Remember your HIPAA obligations (if any). HIPAA operates alongside state laws, but does not replace them. Any company that self-insures is considered a “covered entity” under HIPAA and must safeguard its data and make notifications as prescribed under that law—in addition to acting in compliance with state-specific laws on general data breaches.
- Train Employees on Handling Sensitive Data
  Armed with the knowledge of how state law defines breaches, educate your employees on how to avoid them. Formalize compliance with data protection laws as part of the employee handbook, add a privacy session to your on-boarding process, and coach existing employees on how to handle confidential information appropriately. Remember, most disclosures are the result of simple carelessness or ignorance. Raise employee awareness to reduce risks.
- Assemble Your Incident Response Team
  Now that you know what the law requires the company to do when breaches occur, HR can form a specialized task force. Malone recommends a group that spans many disciplines:
  - Human resources
  - Senior management
  - Information management/security
  - Corporate security
  - Corporate communications
  - Legal
  Train each team member on their individual responsibilities, focusing on process and approvals. It’s helpful to identify, for example, who will authorize each step of investigating a breach, and who will ultimately sign notification letters. Determining these roles in advance will streamline your response when it counts—in the moment of crisis following a breach.
- Prepare Boilerplate Notifications
  Finally, HR should draft templates for notification letters (or work with a legal partner to do so), keeping all state mandates in mind. These may need to be created for employees, law enforcement, regulators, state agencies and, in extreme cases, consumer reporting agencies. Generally, most notification requirements include:
  - Type(s) of breached data
  - Description of the breach event
  - Date and/or length of time that information was exposed
  - Indications (if any) that leaked data has been misused
  - Steps the company is taking to prevent future breaches
  - Offers of remediation, as appropriate (e.g., employer-provided credit monitoring)
  It is possible, Malone noted, to draft a single letter that fulfills the requirements of every state. But leadership may not want to disclose all details of a breach in all cases. Continue to partner with the Incident Response Team, especially those charged with safeguarding the company’s reputation, to determine the best approach. And finally, assume that your correspondence will reach the general public, as covered by media. While not every breach becomes a front-page story, it’s always best to prepare as if yours will be.