Collaboration Between HR and IT Essential to Data Security

From labor disputes cases to labor and employment publications, for your research, you’ll find solutions on Bloomberg Law®. Protect your clients by developing strategies based on Litigation...

By Genevieve Douglas

Collaboration between human resources and IT departments is more critical than ever as the number of data breaches originating with employees continues to grow, attorneys tell Bloomberg BNA.

HR needs to make sure its policies on how a company handles data match up with what IT is actually doing with company data, Jim DeGraw, a partner in Ropes & Gray’s corporate technology group in San Francisco, told Bloomberg May 22. As data breaches increase, it should be obvious to companies that there a change is needed in the cybersecurity status quo, DeGraw said.

HR continues to run training programs on how to stymie employee-originating data breaches, “but we can see that there is an uptick in ransomware attacks and other types of breaches,” he said.

Most commonly, weak passwords or employees’ own devices are hacked, and that can lead to “valuable information slipping out of an organization,” DeGraw said. “We see this every day at our practice.” Companies need to refocus efforts on improving cybersecurity policies and practices, especially by aligning HR policies with IT policies and including some consequences for employees who knowingly run afoul of those policies, he said.

“HR can’t just say this is an IT function, and IT can’t just say HR needs to do training. They need to work hand in hand,” DeGraw said, and this needs to be an evolving relationship, because “it’s not going away anytime soon.”

Employers Taking Action

Despite continuing cybersecurity horror stories, many businesses may be just waking up to the need for further cooperation between IT and HR.

In Littler Mendelson’s annual employer survey, 63 percent of 1,200 executives said their HR and IT departments are collaborating on information security policies.

New strategies to better protect data are also getting some attention from the C-suite, Littler Mendelson found. Although about half (51 percent) of executives said their company was pursuing a more standard approach, providing additional training to employees, 29 percent indicated their employer had prepared cyber-incident response plans and 23 percent that their company had updated employee contracts to cover confidentiality obligations (23 percent).

But even with traditional training, improvements can be made, Philip Gordon, shareholder in the Denver office of Littler Mendelson and co-chair of the firm’s privacy and background checks practice group, told Bloomberg BNA May 22.

Specifically, training on how to handle ransomware incidents or phishing emails can greatly avoid risk of data breach. Ransomware is software that can limit users’ access to their system and files, essentially holding the data as “ransom.”

“If employees were trained to not click on links coming from unexpected sources, that would go a long way in reducing the risk of a successful attack,” Gordon said. HR and IT departments should also work to create a company culture in which employees know they can second-guess any unusual requests for information. HR needs to train people to be skeptical, ask questions, and know whom to direct questions to in the event of a strange request, he said.

A comprehensive security program should include mechanisms for IT and HR to identify a data breach action, detail what happened to prove information was compromised, and then tie those facts to HR policies to address the issue with the employee, DeGraw said. Companies have to be sure that they have already notified employees on what kind of monitoring IT will do and what the consequences may be if someone breaks cybersecurity policies, he added.

With employees who bring their own devices to work, HR should consider more restrictive access for those devices until it can determine that the laptop, smartphone, tablet, or other technology can comply with the company’s data security protocols, he said.

New Risks in International Business?

Fifty-six percent of respondents to Littler Mendelson’s survey cited global data privacy as a key area of concern in doing business outside the U.S.

HR departments are increasingly using administrative systems that allow them to send more and more data to “the cloud,” Gordon said. Although cloud solutions can be very beneficial in terms of efficiency for running a multinational business, they can also increase risk of breach, he said.

Gordon noted the rise of in-house data privacy personnel at large organizations as an indication of how far-reaching data security issues have become. The International Association of Privacy Professionals grew from 400 members in 2001 to more than 29,000 members worldwide today, he said. “The growth of the organization parallels the growth and concern about privacy,” Gordon said. “This has been substantial.”

To contact the reporter on this story: Genevieve Douglas in Washington at

To contact the editor responsible for this story: Tony Harris at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Labor & Employment on Bloomberg Law