Internal, external, phishing, third party, malware, hacking, rogue employee, unencrypted laptop, and the list goes on. When you begin listing the litany of ways an organization can lose employee data, it starts to look like the lyrics of Billy Joel’s “We Didn’t Start the Fire,” which catalogs four decades of headline events. For businesses the list of potential losses is already long, and a breach of current and/or former employee data adds another layer of complexity.
The plaintiffs’ bar positions a loss of employee data as “The ultimate invasion of an employee’s privacy”1 while marketing its services to employees who have received notice of a compromise. Litigators go on to explain the many forms of identity fraud, cite examples of victims, and point out that once an employee’s information has been lost, the risk of harm has no expiration date. A quick search of their sites will reveal additional examples of successful cases and testimonials from employees whom the law firms openly commend as brave enough to step forward and fight for their rights.
For employees, a loss of data caused by their employer provokes a more emotional response than a breach at a retailer or other organization they chose to do business with, because in the latter case the victim can simply sever the relationship and shop elsewhere. Psychologically, the ability to choose is an immense differentiator for the victim of a breach: they aren’t required to buy products from any particular company, which gives them the power to decide whether and how the relationship continues. That power to choose is lost when the notice of a breach of personally identifiable information (PII) comes from an employer. How do you act? How do you respond? Where do you vent your frustration, fear and anger? This disparity represents additional risk for your organization and is exactly what the plaintiffs’ bar preys on.
Further complicating a breach of employee data is the cost to the business itself. Beyond the direct financial impact, the event can represent a breach of trust, and the resulting loss of productivity cannot be overstated. While the event is being investigated and what actually happened is being validated, your IT staff and most of your C-suite will likely cease normal operations, putting your business on hold. Once the event has become public and notification has been provided to employees, the second stage of internal disruption begins. Employees will spend an inordinate amount of the working day investigating the services made available to them, calling the call center or restoration team to understand how they can protect themselves going forward.
Regardless of the type of incident your organization suffers, the population of employees you notify will already include victims of identity fraud. The Insurance Information Institute article on identity theft and cybercrime cites 15.4 million victims of identity theft in 2016, an increase of 2.3 million over 20152. The prevalence of identity fraud in the United States makes the math relatively easy as you provide notice of a breach to your employees: with millions of U.S. adults falling victim to fraud every year, some of the employees you notify will already be victims, not necessarily of your event, but victims just the same. Since a large share of identity theft goes unnoticed for some time, those affected before the breach may not realize they are victims until they receive notice of a loss of their PII from their employer.
The risk of harm to the employee increases dramatically because of the sensitive nature of the information organizations hold about their employees. Human Resources data is often very personal, and breaches frequently include home addresses, health information, salaries and information about the employee’s family. Both the actual risk of harm and the potential long-term impact are elevated when employee data is targeted, because a stolen Social Security number compromises the employee’s identity itself, whereas a stolen credit card number is covered by protections the card issuer provides to the victim.
At the end of the day, organizations need to realize that a breach of employee data is not a question of “if we do” but of “when we do.” Regardless of the security protocols in place and your best efforts in training employees to recognize potential risks, your organization will suffer a breach of employee data. What remains is to prepare to investigate, remediate and respond in a way that is consistent with your existing culture; a response that departs from it can do irreparable harm to the future success and growth of your company. After all, you don’t want executives within your organization singing “We Didn’t Start the Fire” as you work through and respond to a breach of employee data.
About InfoArmor, Inc.
InfoArmor provides industry-leading solutions for employee identity protection and advanced threat intelligence to help organizations protect their most valuable assets. We combine an unparalleled global research network with big data analysis, actionable intelligence and customized service to meet clients’ dynamic security needs. From employee to enterprise, InfoArmor is redefining how organizations fight fraud and combat an ever-changing cyber threat landscape to mitigate risk on multiple levels. Today, more than 600 businesses and government agencies, including 50 of the Fortune 500, use PrivacyArmor, the industry-leading employee identity protection solution, or VigilanteATI, our award-winning advanced threat intelligence platform, to improve their data security posture. For more information, visit InfoArmor.com or follow us on Twitter at @InfoArmor.