Securing Employee Data and Sensitive Information at the Workplace: Protecting HR From Liability

Provided by: auricor

Transcript and Presenter's Notes



1
Securing Employee Data and Sensitive Information
at the Workplace: Protecting HR From Liability
  • Presented by
  • Daniel J. Sass, Jr.
  • Special Investigative Services, LLC

2
National Statistics
  • 12 million cases of Identity Fraud reported every
    year.
  • A cost of $65 billion to American businesses.
  • In 70% of all reported cases, the victim's identity
    was compromised in a workplace environment.
  • 75% of all cases are not investigated by law
    enforcement authorities.

3
Existing Laws: Businesses are required to
  • Implement measures that are reasonable and
    appropriate under the circumstances to protect
    sensitive client and employee information.
  • Notify clients and employees if there's a data
    breach.
  • Protect all sensitive information including
    Social Security numbers, account information, and
    information derived from credit reports.

4
Federal Trade Commission Act (FTC Act)
  • The FTC Act prohibits unfair, fraudulent and
    deceptive practices. To comply, your business
    needs to avoid practices that create an
    unreasonable risk of harm to clients and
    employees' sensitive data.
  • The FTC Disposal Rule requires anyone who
    obtains a consumer report to use "reasonable"
    measures when disposing of it.

5
Fair Credit Reporting Act (FCRA)
  • The Fair Credit Reporting Act requires consumer
    reporting agencies to "know their customers" and
    use "reasonable procedures" to allow access to
    consumer reports only to legitimate users.

6
Gramm-Leach-Bliley Act (GLBA)
  • The Gramm-Leach-Bliley Safeguards Rule requires
    "financial institutions" to provide reasonable
    safeguards in protecting customer and employee
    sensitive data.
  • State laws vary, but in Illinois it is required
    that the business notify the client, consumer
    and/or the employees if there is a breach of
    sensitive data.

7
Protect your Business from Liability: The Five
Step Process (Federal Trade Commission)
  • Conduct proper background checks on all employees
  • Conduct drug screening on all employees
  • Conduct credit checks on employees who handle
    money
  • Shred all unnecessary documents with personal
    information
  • Have appropriate security measures for visitors
    and written policies on storing personal
    information.
  • Have a security consultation conducted by a
    licensed investigative agency to ensure your
    company is compliant with State and Federal
    regulations.

8
Know what information you have and who has
access to it?
  • Check files and computers for what information
    you have and where it is being stored. Don't
    forget portable devices and offsite locations.
  • Effective security covers data on your network
    and all devices, including laptops issued to
    10-99 employees.
  • Remember the basics: firewalls, strong
    passwords, antivirus software.

9
Continued
  • Work with your Tech Team to detect unauthorized
    entry into your system.
  • Trace the flow of data from entry to disposal.
  • At every stage, determine who should have access
    and who should not have access.

10
Limit the use of Social Security numbers!
  • Social Security numbers can be used by identity
    thieves to steal one's identity and commit fraud,
    for which your company is liable if the theft
    occurred from within the organization.
  • Don't collect Social Security numbers out of
    habit or convenience. Only collect them when
    needed, such as to report wages to the government
    or to request a credit report.

11
Training and Oversight?
  • Train your employees and oversee contractors and
    service providers, ensuring they are escorted and
    signed in properly.
  • Use good hiring procedures and build information
    security training into the initial orientation.
    Let the employee know early on in his or her
    employment that there is a no tolerance level
    within the organization.
  • Get handouts, tutorials, quizzes, and tips at
    www.OnGuardOnline.gov.

12
Properly dispose of what you no longer need!
  • Shred, burn, or pulverize paper records and
    information you don't need.
  • Use wipe utility programs on computers and
    portable storage devices.
  • Place diamond cut shredders around the office.
  • If you use credit reports, you will be subject to
    the FTC's Disposal Rules.

13
Create a plan to respond to security incidents!
  • Put together a "What if?" plan to detect and
    respond to a breach-of-security incident.
  • Designate a senior staff member to coordinate
    your response.
  • Take steps to close off vulnerabilities, e.g.,
    disconnect compromised computers at all work
    stations from the Internet.
  • Call an independent investigative agency right
    away and preserve evidence, such as computer
    logs.

14
Employee Data Breach Investigation: Should you
use an Outside Source?
  • It assures your organization that no one will be
    biased or prejudiced during the investigation
  • Releases HR Department from all liability
  • Gives employees reassurance that the organization
    is taking the investigation seriously
  • A deterrent to prevent theft of employee or
    client data in the future

15
Conclusion
  • Protect your business and HR Department from
    liability
  • Know the federal laws and regulations pertaining
    to securing sensitive employee and client data
  • Provide in-house training on the subject and keep
    it well documented
  • Special Investigative Services, LLC.
  • 847-808-6400, Deerfield, IL.
  • Questions?