Collaboration between human resources and IT departments is more critical than ever as the number of data breaches originating with employees continues to grow, attorneys tell Bloomberg BNA.
HR needs to make sure its policies on how a company handles data match up with what IT is actually doing with company data, Jim DeGraw, a partner in Ropes & Gray’s corporate technology group in San Francisco, told Bloomberg May 22. As data breaches increase, it should be obvious to companies that a change is needed in the cybersecurity status quo, DeGraw said.
HR continues to run training programs on how to stymie employee-originating data breaches, “but we can see that there is an uptick in ransomware attacks and other types of breaches,” he said.
Most commonly, weak passwords or employees’ own devices are hacked, and that can lead to “valuable information slipping out of an organization,” DeGraw said. “We see this every day at our practice.” Companies need to refocus efforts on improving cybersecurity policies and practices, especially by aligning HR policies with IT policies and including some consequences for employees who knowingly run afoul of those policies, he said.
“HR can’t just say this is an IT function, and IT can’t just say HR needs to do training. They need to work hand in hand,” DeGraw said, and this needs to be an evolving relationship, because “it’s not going away anytime soon.”
Despite continuing cybersecurity horror stories, many businesses may be just waking up to the need for further cooperation between IT and HR.
In Littler Mendelson’s annual employer survey, 63 percent of 1,200 executives said their HR and IT departments are collaborating on information security policies.
New strategies to better protect data are also getting some attention from the C-suite, Littler Mendelson found. Although about half (51 percent) of executives said their company was pursuing a more standard approach, providing additional training to employees, 29 percent indicated their employer had prepared cyber-incident response plans and 23 percent said their company had updated employee contracts to cover confidentiality obligations.
But even with traditional training, improvements can be made, Philip Gordon, shareholder in the Denver office of Littler Mendelson and co-chair of the firm’s privacy and background checks practice group, told Bloomberg BNA May 22.
Specifically, training on how to handle ransomware incidents or phishing emails can greatly reduce the risk of a data breach. Ransomware is software that can limit users’ access to their system and files, essentially holding the data for “ransom.”
“If employees were trained to not click on links coming from unexpected sources, that would go a long way in reducing the risk of a successful attack,” Gordon said. HR and IT departments should also work to create a company culture in which employees know they can second-guess any unusual requests for information. HR needs to train people to be skeptical, ask questions, and know whom to direct questions to in the event of a strange request, he said.
A comprehensive security program should include mechanisms for IT and HR to identify a data breach, document what happened to establish that information was compromised, and then tie those facts to HR policies to address the issue with the employee, DeGraw said. Companies have to be sure that they have already notified employees about what kind of monitoring IT will do and what the consequences may be if someone breaks cybersecurity policies, he added.
With employees who bring their own devices to work, HR should consider more restrictive access for those devices until it can determine that the laptop, smartphone, tablet, or other technology can comply with the company’s data security protocols, he said.
Fifty-six percent of respondents to Littler Mendelson’s survey cited global data privacy as a key area of concern in doing business outside the U.S.
HR departments are increasingly using administrative systems that allow them to send more and more data to “the cloud,” Gordon said. Although cloud solutions can be very beneficial in terms of efficiency for running a multinational business, they can also increase risk of breach, he said.
Gordon noted the rise of in-house data privacy personnel at large organizations as an indication of how far-reaching data security issues have become. The International Association of Privacy Professionals grew from 400 members in 2001 to more than 29,000 members worldwide today, he said. “The growth of the organization parallels the growth and concern about privacy,” Gordon said. “This has been substantial.”
To contact the reporter on this story: Genevieve Douglas in Washington at email@example.com
To contact the editor responsible for this story: Tony Harris at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.