Title: Securing Employee Data and Sensitive Information at the Workplace: Protecting HR From Liability

Securing Employee Data and Sensitive Information at the Workplace: Protecting HR From Liability
- Presented by Daniel J. Sass, Jr.
- Special Investigative Services, LLC
National Statistics
- 12 million cases of identity fraud are reported every year.
- A cost of $65 billion to American businesses.
- In 70% of all reported cases the victim's identity was compromised in a workplace environment.
- 75% of all cases are not investigated by law enforcement authorities.
Existing Laws: Businesses are required to
- Implement measures that are reasonable and appropriate under the circumstances to protect sensitive client and employee information.
- Notify clients and employees if there is a data breach.
- Protect all sensitive information, including Social Security numbers, account information, and information derived from credit reports.
Federal Trade Commission Act (FTC Act)
- The FTC Act prohibits unfair, fraudulent and deceptive practices. To comply, your business needs to avoid practices that create an unreasonable risk of harm to clients' and employees' sensitive data.
- The FTC Disposal Rule requires anyone who obtains a consumer report to use "reasonable" measures when disposing of it.
Fair Credit Reporting Act (FCRA)
- The Fair Credit Reporting Act requires consumer reporting agencies to "know their customers" and use "reasonable procedures" to allow access to consumer reports only to legitimate users.
Gramm-Leach-Bliley Act (GLBA)
- The Gramm-Leach-Bliley Safeguards Rule requires "financial institutions" to provide reasonable safeguards in protecting customer and employee sensitive data.
- State laws vary, but in Illinois the business is required to notify the client, consumer and/or the employees if there is a breach of sensitive data.
Protect your Business from Liability: The Five Step Process (Federal Trade Commission)
- Conduct proper background checks on all employees.
- Conduct drug screening on all employees.
- Conduct credit checks on employees who handle money.
- Shred all unnecessary documents with personal information.
- Have appropriate security measures for visitors and written policies on storing personal information.
- Have a security consultation conducted by a licensed investigative agency to ensure your company is compliant with State and Federal regulations.
Know what information you have and who has access to it
- Check files and computers for what information you have and where it is being stored. Don't forget portable devices and offsite locations.
- Effective security covers data on your network and all devices, including laptops issued to 1099 employees.
- Remember the basics: firewalls, strong passwords, antivirus software.
Continued
- Work with your tech team to detect unauthorized entry into your system.
- Trace the flow of data from entry to disposal.
- At every stage, determine who should have access and who should not have access.
Limit the use of Social Security numbers!
- Social Security numbers can be used by identity thieves to steal one's identity and commit fraud, for which your company is liable if the theft occurred from within the organization.
- Don't collect Social Security numbers out of habit or convenience. Only collect them when needed, such as to report wages to the government or to request a credit report.
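The two slides above ask you to find out where Social Security numbers are actually stored before deciding where they are needed. The following Python script is an added example, not part of the presentation, showing one way to build that inventory: it scans files for the 3-2-4 SSN layout, discards values that violate the published structural rules (area 000, 666 or 900-999; group 00; serial 0000), and reports only a masked form so the inventory report does not itself become a new copy of the data. The sample files and their contents are constructed for the example; the directory-scanning entry point is a hypothetical helper you would point at your own file shares.

```python
import re
from pathlib import Path
from typing import Dict, List

# 3-2-4 layout with a dash or space separator; the backreference (\2) requires the
# same separator both times, and the lookarounds keep the match from landing inside
# a longer digit run. An unseparated 9-digit form is deliberately left out because
# it also matches phone and account numbers; tune this to your own data.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssn_candidates(text: str) -> List[str]:
    """Return masked candidates (***-**-1234) found in text.

    The raw value is deliberately not returned: the inventory report is meant to
    tell you WHERE SSNs live, not to become another place they are stored."""
    found = []
    for match in SSN_PATTERN.finditer(text):
        area, _sep, group, serial = match.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"***-**-{serial}")
    return found


def inventory(files: Dict[str, str]) -> Dict[str, int]:
    """Map each file path to the number of plausible SSNs found in its content."""
    return {path: len(find_ssn_candidates(content)) for path, content in files.items()}


def scan_directory(root: Path) -> Dict[str, int]:
    """Hypothetical entry point for a real share: read every regular file under
    root as text (undecodable bytes ignored) and run the inventory over it."""
    files = {
        str(p): p.read_text(errors="ignore")
        for p in root.rglob("*")
        if p.is_file()
    }
    return inventory(files)


# Constructed sample files (not real data): one onboarding record, a vendor
# list whose phone number must NOT be flagged, and a notes file mixing an
# invalid placeholder (area 000) with a structurally valid value.
SAMPLE_FILES = {
    "hr/onboarding_2019.txt": "Name: J. Doe\nSSN: 123-45-6789\nStart: 2019-03-01\n",
    "finance/vendor_list.csv": "Acme Corp,847-808-6400,NET30\n",
    "shared/notes.txt": "ref 000-12-3456 is a placeholder; real id 219 09 9999\n",
}


if __name__ == "__main__":
    for path, count in inventory(SAMPLE_FILES).items():
        if count:
            print(f"{path}: {count} Social Security number(s) found")
```

Files with a non-zero count are the ones to trace through the "entry to disposal" flow from the previous slide; the phone number in the vendor list is a 3-3-4 layout and is not reported, and the 000-area placeholder is rejected by the structural check rather than inflating the count.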
Training and Oversight?
- Train your employees, and make sure contractors and service providers are escorted and signed in properly.
- Use good hiring procedures and build information security training into the initial orientation. Let the employee know early on in his or her employment that there is a no-tolerance policy within the organization.
- Get handouts, tutorials, quizzes, and tips at www.OnGuardOnline.gov.
Properly dispose of what you no longer need!
- Shred, burn, or pulverize paper records and information you don't need.
- Use wipe utility programs on computers and portable storage devices.
- Place diamond-cut shredders around the office.
- If you use credit reports, you will be subject to the FTC's Disposal Rule.
Create a plan to respond to security incidents!
- Put together a "What if?" plan to detect and respond to a security breach incident.
- Designate a senior staff member to coordinate your response.
- Take steps to close off vulnerabilities, e.g., disconnect compromised computers at all workstations from the Internet.
- Call an independent investigative agency right away and preserve evidence, such as computer logs.
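The last bullet says to preserve evidence such as computer logs. What an outside investigator will ask is whether those logs are the same ones that existed when the incident was noticed. The Python script below is an added example, not part of the presentation, of the minimum that makes a log copy defensible: hash each collected file with SHA-256 at collection time, record who collected it and when in a manifest, and re-verify against that manifest later so any change (or a missing file) is detected. The log lines, the collector name and the temporary directory are constructed for the example; in practice the manifest is stored separately from the evidence, on media the incident team controls.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample log lines (not real events) standing in for the logs an
# incident coordinator would copy off an affected machine.
SAMPLE_LOGS = {
    "auth.log": (
        "Mar 01 08:12:03 hr-fs01 sshd[4121]: Accepted password for jdoe from 10.0.5.23 port 51822\n"
        "Mar 01 08:14:47 hr-fs01 sshd[4130]: Failed password for root from 10.0.5.23 port 51830\n"
    ),
    "file_access.csv": "2019-03-01T08:15:02Z,jdoe,\\\\hr-fs01\\payroll\\ssn_export.xlsx,READ\n",
}


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: List[Path], collector: str) -> Dict:
    """Chain-of-custody record: who collected what, when, and each file's size and hash."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "algorithm": "sha256",
        "items": [
            {"path": str(p), "size": p.stat().st_size, "sha256": hash_file(p)} for p in paths
        ],
    }


def verify_manifest(manifest: Dict) -> List[str]:
    """Return the paths whose current hash differs from the manifest, or that are missing."""
    changed = []
    for item in manifest["items"]:
        path = Path(item["path"])
        if not path.exists() or hash_file(path) != item["sha256"]:
            changed.append(item["path"])
    return changed


def write_sample_logs(directory: Path) -> List[Path]:
    """Write the constructed sample logs into directory and return their paths."""
    paths = []
    for name, content in SAMPLE_LOGS.items():
        path = directory / name
        path.write_text(content)
        paths.append(path)
    return paths


def demo() -> Tuple[List[str], List[str]]:
    """Collect, verify, then show what happens when a preserved log keeps changing."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence_dir = Path(tmp)
        paths = write_sample_logs(evidence_dir)
        manifest = build_manifest(paths, collector="hr-incident-lead")  # hypothetical collector id
        (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(manifest)  # nothing changed yet -> []

        # The mistake the plan is meant to prevent: hashing a log in place on a
        # live system, where the service keeps appending to it.
        with (evidence_dir / "auth.log").open("a") as handle:
            handle.write("Mar 01 09:00:00 hr-fs01 sshd[4150]: session closed for user jdoe\n")
        after = [Path(p).name for p in verify_manifest(manifest)]  # -> ["auth.log"]
        return before, after


if __name__ == "__main__":
    untouched, changed = demo()
    print("changed before any edit:", untouched)
    print("changed after the live log grew:", changed)
```

The second verification flags auth.log because the file grew after it was hashed. That is exactly why a log is copied off the affected machine first and the copy is hashed, rather than hashing the live file: the hash in the manifest must describe a fixed artifact, and disconnecting the compromised workstation (the previous bullet) is what stops it from changing underneath you.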
Employee Data Breach Investigation: Should you use an Outside Source?
- It assures your organization that no one will be biased or prejudiced during the investigation.
- Releases the HR Department from all liability.
- Gives employees reassurance that the organization is taking the investigation seriously.
- A deterrent to prevent theft of employee or client data in the future.
Conclusion
- Protect your business and HR Department from liability.
- Know the federal laws and regulations pertaining to securing sensitive employee and client data.
- Provide in-house training on the subject and keep it well documented.
- Special Investigative Services, LLC.
- 847-808-6400, Deerfield, IL.
- Questions?