Legal Blog

Are You Doing Enough to Protect Your Employees’ Information from Data Breaches?

Over the past few years, the theft of sensitive personal data by hackers has become a serious problem for many businesses. Personal information, such as medical information or social security numbers, sells on the black market for ten times the price of stolen credit card numbers. While most people assume stolen information is used solely for identity theft, data about employees is also used in email phishing scams that aim to obtain an employer’s intellectual property. As personal data increasingly migrates from file cabinets to network servers and the cloud, it is becoming ever more important to protect it.

What Information Should Be Considered Personal and Confidential?
It is not always easy to tell what employee information needs to be protected. Obviously, social security numbers, bank account information, driver’s license numbers and medical information should be guarded. Beyond this, employers would be wise to protect information regarding employment history or pay rates. Many authorities also state that even an employee’s signature or his or her name, when coupled with a home address, email address or telephone number, is confidential information as well.

What Does the Law Require?
Currently, the law only requires certain types of information to be protected. Employee medical information must be kept separate from regular personnel records, with access restricted to those who have a need to know. Employers who use credit reports to screen applicants must safeguard the information obtained from the reports and render the data unreadable when it is discarded. Several states also bar employers from using social security numbers on pay stubs, employee identification badges and similar documents or items that may be publicly viewed, or from transmitting social security numbers over an unsecured website.

Courts and legislatures have been reluctant to impose further requirements on employers, but this is starting to change. Almost all states now require businesses that are hacked to send notice to all affected individuals if servers containing unencrypted personal information are illicitly accessed. Massachusetts has become the first state to require any business possessing personal information about its citizens to develop a data protection plan. As data breaches become ever more commonplace, employers should anticipate that similar requirements to protect the personal information of their employees may soon become law.

How To Create A Data Protection Protocol
For many human resources professionals, the idea of developing a data protection policy or procedure can seem daunting. Fortunately, creating and implementing a plan can be fairly easy if employers follow five simple steps developed by the Federal Trade Commission:

Locate Where Personal Information is Stored
Companies need to inventory where they keep personal employee information and how accessible it is. Within the human resources department, who gathers employee information and where is it kept? Do human resources employees ever transmit personal information to smartphones, or to non-human resources employees? Does the office utilize a digital copier? If so, the copier’s hard drive will contain images of all copied documents. How is personal information transmitted to vendors (for payroll or employee benefits) – and what happens to that information once received by the vendor? By thoroughly tracing everywhere that personal information may be located, you can assess how best to protect that data.

Restrict Access
Employers should limit use of employee personal information to essential business purposes. Employers should not use social security numbers as employee identification numbers, and employees who do not have a need to know should not have access to the personal information of other employees.

Implement Protective Measures
Obviously, a data protection plan requires security procedures. Any paper records containing personal information should be kept in a locked file cabinet or storeroom. Personal information stored in company databases should be password protected or maintained on computers without internet connections. Businesses must use a firewall. Employers should regularly scan for malware, apply software patches and change default passwords on new equipment. Consider using a network breach detection system and encrypting personal information that is transmitted to vendors.

Education is key. Employers should require employees to use strong passwords, periodically warn them about potential threats, remind them of the need to keep personal information private, and limit the amount and type of personal information stored on laptops or smartphones. It is also important to monitor the procedures used by vendors that receive personal information – employers should insist on contract provisions mandating that vendors use at least the same type of security procedures as the employer uses.

Delete Any Unnecessary Personal Information
A good data protection plan renders unneeded personal information unreadable. Several laws require employment records be kept for a set period of time, but once those periods expire, employers should destroy the records as a matter of course. Paper records should be shredded or burned. Instead of simply deleting personal information on computer files, employers should use a wipe utility program, which prevents the files from being recovered.

Plan for Attacks
Finally, employers should develop a plan for responding to an attack, including determining who is responsible for coordinating the response. If an incident occurs on a computer, it should immediately be disconnected from the network. Any possible hacking or other incident should be investigated immediately and vulnerabilities repaired as soon as possible. If a breach occurs, the employer will likely also have to notify affected employees and/or government agencies.
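The first and fourth steps above (locating where personal information is stored, and identifying records that have outlived their retention period) are the ones that most benefit from tooling. The following is an added example written for this page; it is not code from the law firm or the Federal Trade Commission. It walks a directory tree, reports files containing strings shaped like a social security number (the regular expression is an assumed heuristic that matches the 3-2-4 format and skips area, group and serial values that are never issued; it cannot confirm a number is real), masks every match so the report itself does not leak the data, and flags files older than an assumed seven-year retention period as candidates for secure disposal. The sample files, names and dates are constructed for the demonstration; the script only reports and never deletes anything, since disposal decisions belong with the records-retention policy.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Heuristic (assumed, not from the post): a US social security number in the
# 3-2-4 format, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text):
    """Return every SSN-like string in `text` (a pattern match, not a validation)."""
    return SSN_RE.findall(text)


def mask(ssn):
    """Keep only the last four digits so the report itself does not leak the number."""
    return "***-**-" + ssn[-4:]


def scan_tree(root, retention_days):
    """Walk `root` and report each file holding SSN-like strings.

    Each finding records the file, how many matches it holds, masked samples,
    and whether the file is older than the retention period and is therefore
    a candidate for secure deletion under the retention policy.
    """
    root = Path(root)
    cutoff = datetime.now(timezone.utc) - timedelta(days=retention_days)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the inventory
        hits = find_ssns(text)
        if not hits:
            continue
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "count": len(hits),
            "samples": sorted({mask(h) for h in hits}),
            "past_retention": modified < cutoff,
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample data for the demonstration (not real records).

    Creates a temporary directory with one current HR file, one HR file whose
    modification time is set eight years in the past, and one IT file that
    contains a look-alike number the pattern correctly ignores.
    """
    root = Path(tempfile.mkdtemp(prefix="pii_inventory_"))
    (root / "hr").mkdir()
    (root / "it").mkdir()
    (root / "hr" / "new_hires_2024.csv").write_text(
        "name,ssn\nA. Example,123-45-6789\nB. Example,234-56-7890\n"
    )
    old = root / "hr" / "old_terminations.csv"
    old.write_text("name,ssn\nC. Example,555-12-3456\n")
    eight_years_ago = (datetime.now(timezone.utc) - timedelta(days=8 * 365)).timestamp()
    os.utime(old, (eight_years_ago, eight_years_ago))
    (root / "it" / "ticket_log.txt").write_text("Ticket 000-12-3456 closed; no PII.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_tree(sample_root, retention_days=7 * 365):
        flag = "PAST RETENTION" if finding["past_retention"] else "within retention"
        print(f'{finding["path"]}: {finding["count"]} match(es) {finding["samples"]} [{flag}]')
```

Run against the constructed tree, the scan reports the two HR files and marks only the eight-year-old terminations file as past retention; the IT ticket log is not reported because its number begins with an area value that is never issued. In a real inventory the same walk would be pointed at file shares, HR exports and the digital copier's retrieved hard-drive image, and the pattern list would be extended to the other data types the post names, such as bank account and driver's license numbers.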

While no data protection procedure is foolproof, employers who follow these steps will avoid being easy marks for cyber-thieves and will be well-situated as the law increasingly protects electronically-stored personal information.