Transparency Is Key in Regaining Employee Trust After a Cyber Attack, Practitioners Say

Bloomberg Law for HR Professionals is a complete, one-stop resource, continuously updated, providing HR professionals with fast answers to a wide range of domestic and international human resources...

By Caryn Freeman

Feb. 24 — When an employer is hacked, workers can lose trust in its ability to protect their most personal and valuable information. In order to regain that trust, the employer should be transparent about how the breach occurred and explain to employees exactly what is being done to ensure it doesn't happen again, practitioners told Bloomberg BNA.

Recent computer hacks at two large employers, Sony Pictures Entertainment and Anthem Blue Cross Blue Shield, one of the nation's largest health insurers, which not only included employee data but consumer information, such as medical records and other personal identification, have many workers wondering if they can trust their employers with sensitive information. Both companies quickly offered credit monitoring to employees and consumers who were affected by the breach.

Matt Brosseau, chief technology officer and head recruiter at Chicago-based consulting firm Instant Alliance, told Bloomberg BNA Feb. 20 that the first step in regaining employee trust following a hack is making sure that the organization is clear in communicating exactly what happened and how it happened.

“The first stage of trust is clear and open communication,” he said. “Let them know what happened in a way that is easy to understand so they feel like they are a part of what is going on.”

Brosseau said that the better companies are at sharing that information, including what data were lost and what the organization understands about the nature of the breach, the better chance there is of “minimizing whispers among employees about whether the company is doing enough to protect their personal information.”

Attorney Suzanne J. Thomas, a partner with the labor and employment practice in K&L Gates LLP's Seattle office, told Bloomberg BNA Feb. 23 that state and federal laws require employers to make certain disclosures about data breaches to their employees.

“Where there is an ongoing criminal investigation, employers might need to defer to state and local laws about proper notice when there has been a data breach,” Thomas said.

She noted that many employers “send out a preliminary e-mail saying, ‘this is all we know right now but please be aware that a data breach has happened, we are gathering information and we will keep you fully informed.' ”

Depending on the size of the company, Thomas said, employers might have an “all hands on deck” meeting to ease employee concerns. “In my experience, the companies that have at least some informal dialogue with their employees anecdotally seem to have fewer who get completely panicked about the event,” she added.

Trisha Zulic, regional HR director at Efficient Edge HR & Insurance Services in San Diego and a technology panelist for the Society for Human Resource Management, also recommended open communication with employees.

“Explain how it happened,” she told Bloomberg BNA Feb. 20. “Transparency is the only way to regain employee trust. You want to be consistently talking to [employees] and telling them what type of efforts are being made in order to change those vulnerabilities. Say ‘we suffered this breach and now we are making changes across the board in order to improve security standards throughout the organization.' ”

Brosseau recommended setting up a roundtable discussion or a phone line with IT professionals. “That's really helpful,” he said. “It helps employees come back to trusting their organization.”

Improving Data Security

According to Thomas, a lot of the rebuilding of trust happens on the front end by employers demonstrating that they are working on improving security measures.

“What employers should be doing is checking the security of their various computer systems and devices,” she said.

Thomas asserted that often employers may either have these systems in place but they are ignored, or don't have them in place at all.

“It is the employer's responsibility to make sure that their usage settings are in line and that they have clearly defined rules in place for what employees should be doing while on the company's network, that is, what they should be sending over the company system and the type of data that they should be storing,” Zulic said.

To get ahead of a breach, Brosseau said a good security platform is always about proactive work as opposed to reactive patching and trying to stop “hemorrhages of data.”

To do that effectively, he said, organizations should set up an internal security group that monitors cyber-security risks, assesses them, researches them and brings that information back to a cyber security team.

“Spending the time to educate employees on not just the ‘this is what you need to do to be more secure' but the ‘why' is equally as important,” Brosseau said. “As much as I hate to say it, there are all kinds of cyber-security problems that happen and unfortunately 90 percent of them happen because end users make an error at some point in time. So taking the time to educate your employees on why they have to be secure in cyberspace is critical.”

To contact the reporter on this story: Caryn Freeman in Washington at

To contact the editor responsible for this story: Simon Nadel at


Request Bloomberg Law for HR Professionals