A duty to protect employees

Everyone understands that employers must protect personal data. Typically the focus is on customer data, however employee data is just as important and just as vulnerable.

Identity theft is on the rise and the human resources department is a logical target for would-be identity thieves because it's a treasure trove of personal data: social security numbers, home addresses, bank account numbers and other confidential information. Data theft does not have to be a cybercrime; it could be a matter of a file cabinet not being secured and a lot of paper-based confidential employee information can be found sitting in a drawer.

When a breach occurs and an employee has her identity stolen, there is almost always a corresponding drop in productivity as she puts her life back together. The identity theft victim has to deal with credit card companies, banks, organizations where she has memberships, social media platforms… the list can be shockingly long.  

Employees also cause risk

While there are significant incentives for employers to protect employees from the possibility of identity theft, it's also vitally important to protect the organization from employees.

Frequently, theft comes from an otherwise trusted employee. According to the Association of Certified Fraud Examiners, the more senior an employee is in a company, the greater organizational losses tend to be. There's some logic to this since these are professionals with access to information. When you add the pressures of high-level positions with the typical bumps and bruises of life—divorce, mounting bills, and the like—the temptation to pilfer personal information can become too great for some people to resist.

Employee negligence can also lead to data breaches and identity theft. They may not mean any harm, but employees can be careless. They can lose their business smartphone, laptop or other equipment. Maybe they always choose 123ABC as their device password. Greater care needs to be taken with equipment and passwords to protect information.

What employers can do

It's dangerous for employers and employees to think they know everything about protecting personal information. Employers should be actively and continually engaged in a conversation about security. Many companies require employees to sign an employment agreement that makes it clear that the business owns all work-related data and that employees must be careful. However, that is frequently the end of the conversation.

Employers must educate their workforce on an ongoing basis. By raising awareness of the employees' responsibilities and the susceptibility to identity theft, employers can create a more secure environment.

It begins with having better paper security because not all data theft is cyber theft. Employees, especially those in HR, must understand the importance of locking file drawers and not leaving personal information out in the open. There should also be a policy for shredding documents and it must be enforced.

Employers must also have clear cut rules about securing personal devices. Personal laptops, tablets and smartphones are often filled with work-related information, and employees must be vigilant about safeguarding these devices. Employees have a tendency to ignore security measures (like using passcodes) because they view them as inconvenient. An ongoing conversation should address the critical nature of this so-called inconvenience. Reinforce the need to report a loss or theft immediately so that data loss can be minimized. Also, set rules for social media to prevent employees from inadvertently sharing confidential information online.

Finally, employers have to do more than talk the talk on data security – they need to set an example and invest in security measures that help keep information protected as tightly as possible.

Mindi Hirsch, CPCU, ARM, has expertise in coverage analysis, renewal strategy and carrier negotiations. She brings 20 years of experience in the insurance field to her role as senior account executive for Corporate Synergies' Property & Casualty practice.