HR Professionals | 14 min read

The HR Guide to Employee Data Protection and Identity Theft Prevention

  

Want to get updates on InfoArmor News?

We’ve reached the conclusion of our first blog series dedicated to HR professionals, and to better assist you in your crusade to protect employees’ personal data, we’re putting our helpful content in one place — this blog. In the coming weeks and months, we’ll be updating this page with related material and resources you can use at your company, so be sure to bookmark it.

Additionally, you can subscribe to our blog for the most up-to-date content and alerts. Just enter your email address in the box on the upper-right side of this page, and click subscribe.

Chapter 1: HR’s Responsibility to Protect Sensitive Data

HR professionals have many responsibilities, but none quite as important as their duty to protect employees and their company. In today’s digital world, that means they must take on a much different role than in years past — they must become cyberwarriors.  

Knowledgeable and proactive HR managers are our best line of defense against phishers, identity thieves, hackers, and all other crooks who are increasingly targeting businesses and their employees. Every day, HR managers face risks they may not even know exist. Here are just a few of the challenges they must continually overcome.

HR data is like gold to identity thieves

Local and federal laws, as well as corporate policies, often require HR departments to collect, handle, and store a tremendous amount of personal data about employees. If thieves can access your HR records, then they’ve struck gold — making off with employees’ names, addresses, Social Security numbers, past work experience, and more.

Many workers have access to HR records

Other members of management often have access to HR records, making it much harder to ensure everyone follows proper security protocol. If your company stores this data in the cloud, this problem is further exacerbated, as managers can potentially access sensitive information from insecure networks or engage in other forms of risky behavior.

Disgruntled employees may take action against a company

Disgruntled employees are far more powerful than ever before, and if left unchecked, they can create havoc at your organization. In fact, a 2016 study found that 27 percent of U.S. office workers at large companies would willingly sell password data to outsiders, and some would do it for as low as $100.

Identity theft frequently begins in the workplace

As much as 30 to 50 percent of identity theft begins at the office. While this occurs through a variety of means, the most popular method is via phishing. In 2016, AlienVault surveyed more than 300 security professionals to determine how successful attacks like these are. An astonishing 37 percent of respondents revealed that executives within their organization had fallen victim to targeted phishing scams, like CEO fraud, where an email appears to come directly from their CEO.

Chapter 2: Major Costs Associated With Data Breaches and Loss of Employee Data

If your company experiences a data breach or your employees have their personal information compromised, your business will likely take a huge financial hit. It’s not all government fines and lawsuits either; many of the costs aren’t as clear-cut as you might imagine. Here are just a few ways security breaches and the loss of employee data can impact your bottom line.

Reputation damage

If a data breach occurs in your organization, everyone takes notice. Current clients could jump ship, prospective clients might turn to the competition, and you could wind up losing some of your best employees in the process. It can also drastically inhibit your ability to attract and retain top industry talent in the future. Did we mention it’s also a PR nightmare?

Regulation costs  

In the U.S., federal laws like the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA) regulate the protection of your customers’ and employees’ confidential information. Failure to comply with these standards can result in major penalties.

Laws protecting employees and customers are even more strict outside of the U.S. In the UK and EEA states, failure to comply with the General Data Protection Regulation (GDPR) — legislation aimed at protecting the personal data of citizens — can spell big problems for any company. After the law takes effect in May, businesses that fail to properly disclose breaches within 72 hours will result in fines up to €2 million or 4 percent of annual turnover, whichever is more. These rules are also extended to any U.S.-based company that manages the personal data of any UK or EU national.

Litigation costs

Although laws in the U.S. don’t provide as many protections as other countries, that hasn’t stopped cities and states from taking matters into their own hands. When Uber revealed a previously undisclosed data breach in late 2017, the city of Chicago and the attorney general for the state of Washington each filed lawsuits against the popular ride service, citing company misconduct. Additionally, courts are increasingly ruling in favor of employees who had their personal data exposed, even in the absence of laws specifically requiring them to do so.

Employee disengagement

If the loss of employee data leads to identity theft, your team can become incredibly distracted in the workplace. And, if that workplace distraction turns into disengagement, your company is going to take a tremendous hit.

Gallup’s annual State of the American Workplace 2016 report found that companies with low levels of engagement, when compared to companies with high levels of engagement, experience

    • 20 percent lower sales
    • 17 percent less productivity
    • 21 percent lower profitability
    • Between 24 and 59 percent higher turnover
    • 70 percent more employee safety incidents

Costs associated with malware attacks

When employees fall victim to scams like phishing, they may compromise more than their personal data. In addition to stealing confidential information about the employee and their business, phishing attacks may install malware on the company’s network.

Ransomware, one form of attack, cost businesses over $1.5 billion last year. These attacks, which completely hijack a victim’s computer, charge users a significant bounty to regain access to their equipment. In 2016, the average ransom cost around $1,000 per device.

In addition to the charges companies must pay to regain control of their equipment, productivity and sales come to a screeching halt. Twenty-two percent of small businesses (less than 1,000 employees) that experienced ransomware attacks in 2016 had to stop operations immediately, and one in six companies reported that the attacks delayed business operations by 25 hours or more.

Chapter 3: Steps HR Can Take to Protect Employee Data

The good news is that HR has the power to protect their employees’ personal data and the company’s bottom line. While this does require considerable time, energy, and effort, the results will be well worth it.

Step one: Provide thorough and continuous training

The risks of identity theft and security breaches

When educating your employees, begin by conveying the risks identity theft and security breaches pose. Explain that these violations don’t just cost the company a fortune; they can also have a tremendous impact on employees. If team members have their identities compromised, it can take hundreds of hours and months of the victim’s life to fully repair.

How to handle personal data

Working with your IT department and senior members of management, craft a document that outlines the best policies for handling, storing, and accessing the personal data of employees.

A few items to consider might include:

  • What information about employees should be stored on the network
  • Who should be allowed to view or edit sensitive employee data
  • How, and under what circumstances, this data should be shared
  • Where it is acceptable to access this information and where is it not (ex: public WiFi)
  • How this data should be stored and encrypted
  • What steps to take if sensitive data is compromised

Recognizing and preventing various cyberattacks

Train your employees on how to identify and avoid cyberattacks, especially phishing emails. If you spot the signs below, chances are the email is actually part of a phishing scam:

  • Misspellings and grammatical errors throughout
  • Missing or incorrect contact details in the signature line
  • The email doesn’t sound as if the sender wrote it
  • The salutation is oddly worded or contains vague terms like “employee”  
  • When you hover over a link, it reveals a different URL than stated
  • A request for large amounts of private data from a company executive that seems oddly timed or out of place
  • Something just feels off

If an employee encounters any of the above issues, they should contact their manager, along with HR and IT immediately.

Warning: When checking email with your phone, you need to be especially careful. Typically, people are more distracted when using a mobile device versus a desktop, and it’s also much harder to hover over a link before clicking it and to thoroughly check for misspellings. Make it a practice to always exercise more caution on your phone.

Step two: Develop a comprehensive cybersecurity plan

Work alongside your IT department to create a robust cybersecurity plan. While there are many questions you must answer, here are a few fundamentals you should consider when developing your strategy.

  • How will you encrypt files that contain sensitive data, like employee records and all other confidential data
  • How will you conduct internal risk assessments
  • Who will oversee continued training for employees and managers
  • Should you hire an outside team to assess our network vulnerabilities
  • Who will compose your in-house team to address security issues
  • How to structure an incident response policy
  • What the plan will be if employee or customer personal data is exposed

Step three: Offer identity protection services as an employee benefit

The chance your employees may become victims of identity theft is staggering, and that can translate to a lot of lost productivity, missed work hours, and a huge financial loss. However, providing your employees with an identity protection service can help your workers tremendously and insulate your company from many associated risks.

For more information on selecting a comprehensive identity protection plan, you can jump to Chapter 5.

Chapter 4: Identity Protection Ranks as Top Employee Benefit

Considering American consumers lost $16 billion to identity theft in 2016, it should come as no surprise that BenefitsPro recently named identity protection the number one voluntary benefit for 2018. And, with Americans at a higher risk of identity theft than ever before, HR managers are taking notice.

In fact, a recent survey found that 68 percent of HR professionals believe identity protection benefits are growing in importance. Further, nearly 70 percent of HR executives are considering offering identity protection as a means to compete in hiring and retaining professional talent.

Identity protection as a benefit helps employees and their companies

Did you know that Americans now rank criminal hacking as the number one threat to their health, safety, and prosperity? When employees are worried about their privacy, identity, and finances, it becomes difficult to perform in the workplace. But, when an employee is offered comprehensive identity protection, they are provided much-needed peace of mind.   

Employees aren’t the only ones to benefit when a company offers identity theft protection as a benefit — their employers also prosper. According to Forbes, providing identity protection is one of the best ways to attract and retain top talent.

In addition to attracting and retaining some of the top talent in their industry, businesses are also safeguarding productivity. Considering identity theft can take hundreds of hours and many months to repair, that can amount to a lot of lost productivity in the workplace, time spent away from the office, and inability to focus.

This process can be shortened dramatically when employees have the proper identity protection service in place.  

Chapter 5: Selecting the Right Identity Protection Service for Your Employees

With so many identity protection services on the market, selecting the right one for your organization can be tricky. You’ll need to pick a service that provides your business with comprehensive support and your employees with state of the art identity protection features.

When comparing plans, you shouldn’t settle for any service that doesn’t include the following features, all of which come standard with InfoArmor’s PrivacyArmor®:

  • Dedicated customer support for your organization
  • Scalable and flexible payment models
  • Comprehensive product education and a dedicated client relationship advisor
  • Proactive alerts that notify employees on applications for credit cards, wireless carriers, utility accounts, and non-credit accounts
  • Monitoring of high-risk identity activity such as employee password resets, fund transfers, unauthorized account access, compromised credentials, address changes, and public record alerts
  • Tools to monitor and preserve an employee’s reputation across social networks
  • A dedicated advocate to guide and manage an employee’s full recovery process, restoring credit, identity, accounts, finances, and their sense of security in the event identity theft does occur
  • Identity theft insurance to cover your employee’s lost wages, legal fees, medical records request fees, CPA fees, child care fees, and more

For a complete list of features your identity protection benefit should include, click here. If you need immediate assistance or have questions about how InfoArmor can help protect your employees, contact us today.

Chapter 6: Additional Resources

Looking for additional tools, resources, or information? The following list of resources may be of assistance:

Blogs:

Ebooks and SlideShare:

New Call-to-action

At InfoArmor, we believe everyone deserves the right to privacy, security, and above all else, peace of mind. This is why we’re proud to offer industry-leading solutions for employee identity protection and advanced threat intelligence. From enterprise to employee, InfoArmor redefines how organizations combat an ever-changing cyber threat landscape. If you’d like more information on how we can help your organization protect its most valuable assets, reach out. We’d love to hear from you.

  
New Call-to-action
At InfoArmor, we believe everyone deserves the right to privacy, security, and above all else, peace of mind. This is why we’re proud to offer industry-leading solutions for employee identity protection and advanced threat intelligence. From enterprise to employee, InfoArmor redefines how organizations combat an ever-changing cyber threat landscape. If you’d like more information on how we can help your organization protect its most valuable assets, reach out. We’d love to hear from you.