A company’s human resources (HR) function naturally has to manage a wealth of personal and confidential data. The task of protecting it from breaches or unpermitted use has become more challenging and riskier after the implementation of stricter data protection regulation.
The global roll out of privacy legislation, including the EU’s Global Data Protection Regulation (GDPR), has led to a complete change in the way people and businesses view personal data. These regulations were introduced to give the individual more control over their data, or Personally Identifiable Information (PII). (Post Brexit, the UK continues to be bound by the GDPR provisions under its separate data protection legislation).
One of the most important ways the GDPR increased this level of control was by redefining personal data to be ‘any information relating to an identified or identifiable natural person.’ This is purposely very broad. This change, amongst others, has led to widespread data protection reform within businesses, accelerated by breach fines of £17.5 million (or 4% of the employer’s annual global turnover) within the UK. Having high levels of PII is increasingly perceived as a risk to employers and insurers alike and companies are now identifying the particular risk areas in which PII is stored within the business.
Unsurprisingly, HR is considered a high-risk area when it comes to the storage and use of PII. HR databases are typically a high PII-dense area within businesses as many of HR’s day-to-day processes, such as on boarding and pay scheduling, require vast amounts of PII from new and existing employees. Some of this information will be considered as sensitive, requiring enhanced due diligence when using, distributing, filing and securing the data.
Further increasing the risk of breaches is the fact that HR departments usually work with several vendors providing services to manage a wide range of areas, including recruiting, payroll, employee benefits and retirement. HR departments need to make sure that a users’ privacy rights and information are protected when using the partner platforms. A thorough analysis of the vendors’ policies is critical to avoid that the business faces regulatory scrutiny, legal proceedings and fines for breaching privacy regulation.
Once a cyber-criminal has gained access to a company’s HR database they can perform various scams. Pay roll fraud, identity theft and recruitment scams are amongst the most popular but as the compromised data may include details on passports, tax, account details, dates of birth, this can lead to a chain of criminal activity. The information is highly valuable on the Dark Web: There is a large black market for this information whereby criminals may purchase and use the data for a wide range of nefarious means.
If any type of PII is intercepted, employers may be liable for breaches of privacy regulations) but also third party claims. Ways for businesses to mitigate the risk include:
Ensuring that sensitive information is encrypted and/or accessible by password both in situ and in transit;
Ensuring the HR databases themselves are secured with appropriate data segmentation;
Implementing Multi Factor Authentication;
Limiting administrative access rights;
Implementing industry standard endpoint protection and firewall services;
Providing phishing and cyber security training for new and existing employees; and
Disposing of the PII once it has surpassed its retention period.
For further information, please contact:
Timothy K. Smit, Global Privacy and Cyber Risk Consulting Leader
M: +1 206.999.5361
Josh Bickley, Account Handler
T: +44 20 8101 174