How to Safeguard Your Employees’ Confidential Information
Employers must ask for and keep certain information about employees to process payroll, comply with tax responsibilities, keep HR records and for other reasons. But storing this data puts it at risk.
Cybercriminals who break into your company's network can take this information and use it to file fraudulent tax returns, drain investment and retirement accounts and steal employees' identities. It usually takes affected people a great deal of time and money to restore order to their financial lives.
So it's your responsibility to keep employee information safe from breaches — both internal and external — while observing the privacy rights of workers. Several federal laws are designed to protect employees. In addition, your organization may have to comply with state and international laws.
What Data Is at Risk?
Generally, you're allowed to collect from employees and store only information necessary for business purposes. You must tell workers how you'll use the data and enable them to update it.
The following types of information are often kept by employers in employee files:
Name, address and date of birth,
Social Security number (SSN),
Race, gender and sexual orientation,
Citizenship and national origin,
Marital and family status,
Bank and direct deposit information,
Retirement account information,
Employment history, performance reviews and other HR files,
Background check information, and
Medical history, workplace injury reports and workers' compensation claims.
That's a lot of information, but employers are restricted in how they may keep and disclose some of it. Medical information in particular must be kept confidential: the Americans with Disabilities Act requires employee medical records to be stored separately from general personnel files and disclosed only in narrow circumstances, and health information an employer receives through its group health plan is protected under the Health Insurance Portability and Accountability Act (HIPAA) and can't be shared with third parties without the employee's authorization or a legal requirement to do so.
7 Steps to Protect Data
Although there's no way to guarantee that hackers won't breach your network, you can help deter intrusions by doing the following:
Develop an information retention policy. It should state, in writing, what information the company collects and retains and how it does so. Require employees to notify you if they suspect their information has been compromised. Also, restrict disclosure of sensitive information through copying, transmitting or sharing it with outside parties and even with internal ones who aren't entitled to see it.
Restrict access to data. An employee's confidential information should be available to others on a "need-to-know basis." For instance, a supervisor may have access to an employee's performance reviews and any disciplinary history. But there's usually no reason for a supervisor to be able to review an employee's medical history or direct deposit information.
Keep records safe. You need to protect both paper records and electronic files. Paper records should be stored in a locked location with access limited, generally, to the HR staffers responsible for maintaining the files. Electronic records should be encrypted at rest and reachable only through accounts that use strong, unique passwords and multifactor authentication. Rotate credentials when you suspect they have been exposed rather than on a fixed calendar, and apply security patches to the systems holding the data promptly.
Don't overuse SSNs. Don't rely on SSNs for purposes other than payroll and tax compliance. Use employee identification numbers or some other system for differentiating workers. Note that some states, such as New York, impose additional restrictions regarding the use of SSNs.
Train your employees. Hackers often breach networks by tricking individual employees into giving them access. Phishing emails carrying malicious links or attachments, or leading to fake login pages that harvest passwords, are still extremely common. So be sure you instruct workers on how to spot scams, how to report a suspicious message, and why they should never enter their credentials through a link in an unexpected email.
Upgrade software. Software that has fallen out of vendor support no longer receives security fixes, so if your HR or payroll system, or the security tools protecting it, dates back a decade, plan its replacement. Current products generally offer better protection and help with regulatory and state-law requirements; for example, newer HR systems can encrypt employee SSNs at the field level automatically.
Investigate quickly. If you're notified of an incident, such as unauthorized access by an employee, don't hesitate to investigate. Determine if any action, including disciplinary action, is needed and install safeguards so unauthorized access doesn't occur again. Also, your company may need to comply with applicable federal and state laws regarding notification of individuals whose data may have been compromised.
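The access-restriction, record-encryption and surrogate-ID steps above, worked through as an added example (Go code written for this page, not taken from the article or any vendor product): a small HR record store that keys each record by a random employee ID instead of the SSN, encrypts the SSN, bank and medical fields at rest with AES-256-GCM, enforces a need-to-know matrix per role, and logs every read attempt so an investigation has something to work from. The role names, field names and sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Need-to-know matrix (roles and field names are assumptions for this example):
// a supervisor sees performance reviews but neither SSN, bank details nor
// medical history; only payroll sees SSN and bank data; only HR sees medical.
var allowed = map[string]map[string]bool{
	"supervisor": {"employee_id": true, "name": true, "performance_review": true},
	"payroll":    {"employee_id": true, "name": true, "ssn": true, "bank_account": true},
	"hr":         {"employee_id": true, "name": true, "performance_review": true, "medical": true},
}

// Fields kept encrypted at rest (AES-256-GCM); everything else is stored as-is.
var sensitive = map[string]bool{"ssn": true, "bank_account": true, "medical": true}

// Store keys records by a random surrogate employee ID (never the SSN) and
// logs every read attempt, allowed or denied, for later investigation.
type Store struct {
	aead    cipher.AEAD
	records map[string]map[string][]byte
	Audit   []string
}

func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead, records: map[string]map[string][]byte{}}, err
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // nothing safe to do without a CSPRNG
	}
	return b
}

// Add encrypts sensitive fields, prefixing each ciphertext with a fresh nonce and
// binding it to its field name as associated data, so an "ssn" ciphertext cannot
// be moved into "bank_account" undetected. It returns the surrogate ID.
func (s *Store) Add(fields map[string]string) string {
	id := fmt.Sprintf("E-%x", randomBytes(8))
	rec := map[string][]byte{"employee_id": []byte(id)}
	for k, v := range fields {
		if sensitive[k] {
			nonce := randomBytes(s.aead.NonceSize())
			rec[k] = append(nonce, s.aead.Seal(nil, nonce, []byte(v), []byte(k))...)
		} else {
			rec[k] = []byte(v)
		}
	}
	s.records[id] = rec
	return id
}

// Read enforces the need-to-know matrix and decrypts only on the way out.
func (s *Store) Read(actor, role, id, field string) (string, error) {
	rec, ok := s.records[id]
	if !ok {
		return "", fmt.Errorf("no such employee %s", id)
	}
	if !allowed[role][field] {
		s.Audit = append(s.Audit, fmt.Sprintf("DENY %s(%s) %s.%s", actor, role, id, field))
		return "", fmt.Errorf("role %s may not read %s", role, field)
	}
	s.Audit = append(s.Audit, fmt.Sprintf("ALLOW %s(%s) %s.%s", actor, role, id, field))
	if !sensitive[field] {
		return string(rec[field]), nil
	}
	n := s.aead.NonceSize()
	if len(rec[field]) < n {
		return "", fmt.Errorf("%s: ciphertext too short", field)
	}
	pt, err := s.aead.Open(nil, rec[field][:n], rec[field][n:], []byte(field)) // fails on tampering
	return string(pt), err
}

// Raw returns the stored bytes, to show the SSN never sits in the clear.
func (s *Store) Raw(id, field string) []byte { return s.records[id][field] }

func main() {
	store, _ := NewStore(randomBytes(32)) // real deployments fetch the key from a KMS/HSM
	id := store.Add(map[string]string{"name": "A. Example", "ssn": "123-45-6789", // constructed sample
		"bank_account": "021000021/987654", "performance_review": "Meets expectations", "medical": "none on file"})
	fmt.Printf("%s ssn at rest: %x\n", id, store.Raw(id, "ssn"))
	_, err := store.Read("alice", "supervisor", id, "ssn")
	ssn, _ := store.Read("bob", "payroll", id, "ssn")
	fmt.Println(err, "|", ssn, "|", store.Audit)
}
```

Two design points carry over to a real HR system. The encryption key is generated inline only so the example runs offline; in production it should live in a key management service or HSM and never alongside the database, otherwise "encrypted at rest" protects nothing against whoever has database access. And the audit entries are written for denied attempts as well as allowed ones: a supervisor repeatedly trying to read direct-deposit data is exactly the internal incident the "investigate quickly" step is about, and it is only visible if the refusal is logged.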
Overall Plan
Although these seven measures are merely suggestions, consider treating them as mandates. If you coordinate security measures and preventive efforts into an overall plan to protect employee information, everyone will benefit.
California Enforces Strict Privacy Protections
State data protection laws vary. But the most populous state has one of the toughest on the books: the California Consumer Privacy Act (CCPA). Essentially, the CCPA grants consumers certain rights. These include the right to:
Know what personal information is being collected,
Opt out of the sale or sharing of their personal information,
Correct or delete data, and
Be protected from retaliation for exercising any of these rights.
Many companies operating in California are subject to the CCPA, which applies to businesses above the law's revenue or data-volume thresholds, and since 2023 its obligations extend fully to employee and job-applicant data. If it applies, an employer must tell employees what personal information it collects and why, and whether that information is sold or shared with third parties. Failure to do so can result in fines and damages.