11 July 2022
July - Managing HR data – 4 of 6 Insights
When a data security incident is discovered, particularly if it is serious enough to disrupt business operations, it is essential that everyone in the affected organisation plays their part to get things back on track as quickly as possible. However, workforce engagement is often low on the list of priorities. Employee error is still the single biggest cause of data security failings, but in the scramble to reassure customers, suppliers or investors, it is easy to forget that employees can be a huge asset in a time of crisis and a serious liability if ignored.
When a data breach comes to light, there is a risk that panic, rather than planning, will prevail. Although it may sound counterintuitive to prepare for a security breach, it is the best way to ensure an effective response. Incident preparedness activities require a clear plan which, crucially, must identify who should be in the inner circle of respondents to any incident.
It is not always the case that the most senior individuals will be those best placed to respond to a cyberattack. A combination of skills will be required. IT specialists, legal, and communications or PR (in each case internal, external, or both) are essential, of course, but so too are HR specialists to consider the effect on employees.
While senior management should be aware of all significant actions and sign off on the big decisions, it is important to identify the individuals best able to assess the situation on the ground, ensuring they have the training, resources and autonomy they need to respond, long before any actual incident has occurred.
A good incident response plan will identify the key individuals, and a deputy in each case to accommodate absences. It will also list their contact details, including non-work numbers and email addresses, in case the organisation’s communication channels are compromised. A secure messaging platform can be used to set up a group chat that can be kept dormant or used for training exercises until needed.
It is important that each member of the breach response team has clearly delineated responsibilities. For example:
However, each team will have dependencies on the others. For example, the legal team cannot make a determination on the obligations to notify the ICO or data subjects without an understanding of the nature, scope and extent of the breach from the IT/security team. For this reason, regular (at least daily) meetings are advisable given the short timeframe of 72 hours in which each team must execute its responsibilities.
The efficacy of a data breach response plan and team should not first be put to the test in the circumstances of an actual data breach. It is important that the data breach response team carries out a 'dress rehearsal' for each severity categorisation to ensure that the plan is effective in meeting its objectives.
If it is not clear who among the employee base should be brought into the core incident response group, a data breach simulation exercise will help identify any gaps or missing personnel, as well as anyone who should not be there. Having a team that works well together is almost as important as having one with the correct mix of skills.
It is essential that routine training is provided to all employees (not just the breach response team) to support the implementation of the data breach response plan. Crucially, it is unlikely that a member of the data breach response team will be the employee who actually discovers the breach. This means all employees should be trained to identify possible data breaches and escalate them to defined personnel within the organisation. This should be considered as part of onboarding training and employees should be notified of any changes to the key personnel identified in the data breach response plan.
Employees also play a critical role in preventing data breaches due to accidental or unlawful destruction or loss of personal data by adhering to the organisation's security policies and procedures. In particular, employers should train their employees to:
Once the team of first responders has been identified and called into action, the next step is to activate the communications plan. A significant mistake made by organisations dealing with data security incidents is to assume that their primary concern should be external communications and perceptions, at the cost of considering internal messaging.
The HR function of the data breach response plan should also, where relevant, be responsible for keeping employees informed of the data breach. This helps ensure employees are reminded of their duty of confidentiality and do not take any action which may interfere with the organisation's PR activities. In the age of social media, even the most loyal workforce represents a major PR risk and external messaging may be heavily compromised by employees taking to Twitter or other social media outlets. Although social media and data breach training can reduce the risk of inaccurate messages getting out into the wider world, having a clear message for employees will help those with authorisation to speak to the media or post publicly about a data breach do so in the right way. It is also a good idea to remind all other employees that no public statements should come from non-official sources.
The communications team should receive specific crisis management training, and only a small number of trained individuals should be authorised to post publicly or speak to the press, usually in consultation with the legal team and potentially with outside PR experts. Crisis communications can be stressful, and proper management of the communications process is essential for both the organisation and the welfare of the individuals tasked with speaking about the incident, so the HR function will need to work closely with the communications team.
Although there is a perception that a loss of control of customer or user data is the biggest threat posed by modern cyberattacks, customer data is often limited and protected by built-in safeguards such as password hashing and encryption. Data-rich businesses are likely to invest heavily in the security of any special category (sensitive) data they hold, mindful of the risk to individuals if it is lost, obtained illegally, or made inaccessible. But it is easy to forget the sheer volume of information most businesses hold about their employees. This will often include information about health, sexuality, religious views, trade union membership and other types of information entitled to enhanced protection under the law.
Special care should be taken to ensure HR and payroll systems are protected, as these are common targets of hackers. The rise in ransomware cases, where data is forcibly encrypted, placing it beyond the access of the data controller, highlights the risk of the loss of control of data. Even if employee data is never actually obtained by a hacker, an inability to pay staff, even for a short time, is likely to cripple most organisations very quickly, particularly since it will be occurring at a time when employee loyalty is more important than ever.
If employee data is compromised, serious consideration should be given to making credit monitoring solutions available. Such solutions are readily available in many countries, and in those jurisdictions where they aren’t, other solutions such as dark web monitoring (to search for evidence of an individual’s data being sold or offered for sale) may be available. In either case the costs are often minimal per employee and will place any employer in a stronger position in the face of regulator queries or possible legal claims by employees, as well as going a long way to reassure a concerned workforce.
External threats are growing in number and sophistication, but the primary cause of data security incidents is still human error. Where an employee mistake is the cause of a data breach, careful investigation is required to identify whether disciplinary action is necessary or appropriate. Great care should be taken when apportioning blame, however, as the desire to identify a responsible party can mask areas in which the organisation itself could have done better, making improvement more challenging. It is also likely to make employees reluctant to raise issues or concerns around privacy and security.
There are, however, also occasions where security incidents are caused deliberately by employees or contractors for profit. In such cases immediate action is required to ensure that systems access is cut off for potential bad actors and any hardware or devices are recovered without delay. Investigations into possible wrongdoing must be thoroughly documented and conducted by properly trained individuals, brought in from outside if necessary. It is important to remember that there are criminal sanctions for those who deliberately obtain and supply personal data without the consent of the controller, so it may be necessary to involve law enforcement. Given the potential impact of a police investigation, external counsel should be sought before making a police report.
When a security incident is first identified it is easy for any organisation to be distracted by the many conflicting and urgent demands on the response team. Conducting a thorough and fair investigation when emotions are heightened can be difficult, just as employee engagement can easily be overlooked in the rush to reassure customers, users and investors.
A clear breach response plan and regular preparatory work, including training and communication, will enable employers to get the best out of, and do the best for, their employees in a time of crisis, which is when they will need them the most.
Jo Joyce and Calum Parfitt look at data breach preparedness and responses from an HR perspective.
11 July 2022
by Jo Joyce