Cybercriminals famously prefer certain types of data. Anyone working in healthcare or financial services knows how valuable their information is, and how much it needs to be protected.
Human resources data often flies under the radar. Every organization has it, regardless of industry or company size. And just about every organization assumes that HR data is protected just because it’s stored, encrypted, in a third-party application, said Michelle Reed, partner with Akin Gump and co-leader of the firm’s cybersecurity, privacy and data protection practice.
For starters, those applications can be breached, as last December’s ransomware attack on timekeeping software Kronos showed all too well. In addition, while data may be encrypted at rest, that doesn’t cover what happens when employees use the data to run reports and share them via email or messaging apps.
“What organizations don’t realize is that people can export that data and save it to all kinds of places,” Reed said. “That’s what criminals have figured out. HR data is common on the dark web because criminals know they can get it on the HR shared drive.”
Just about every organization has more HR data than it needs, too. Reed said it’s not uncommon for the total notification pool for a breach of HR data to be four times the total number of current employees, as organizations have retained personal information for years after employees have left.
“HR professionals need to see cybersecurity as part of their job,” she said.
Find alignment on policies
Reed and Kari Rollins, a partner in the Sheppard Mullin intellectual property practice group, agreed that HR teams need to align with other business units that traditionally handle cybersecurity — namely legal, information technology and information security (IS). “The company as a whole is responsible for the personal information being collected and stored,” Rollins said.
This alignment plays out primarily in policy development in three areas: System access, data retention and device use.
Access. Security teams increasingly emphasize the importance of identity and access management policies. The “least privilege” rule needs to apply to HR data, Rollins said. Only those who need access to sensitive employee information as part of their day-to-day role should have access to it, and only for the tasks that require that information.
HR’s other key role in privilege management is alerting IT to how employees’ roles have changed. Employees transitioning to a new department or location shouldn’t maintain access to business applications tied to their old role. Similarly, access should be turned off as soon as employees leave — partly to prevent malicious misuse of corporate systems and partly to close loopholes that attackers are all too happy to exploit.
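As an added illustration of the least-privilege and role-change points above (example code, not from the article or the firms quoted), the script below reconciles an HR roster against the access grants exported from IT's identity system and flags leavers who still have access, grants that a person's current role does not require, and accounts with no HR record at all. The roster format, the role-to-application mapping and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumed formats): HR's roster is the source of
# truth for each person's current role and whether they have left.
HR_ROSTER = {
    "alice": {"role": "hr_generalist", "left_on": None},
    "bob":   {"role": "payroll",       "left_on": None},             # moved from hr_generalist
    "carol": {"role": "engineer",      "left_on": date(2022, 9, 30)},  # leaver
}

# Which HR applications each role legitimately needs (assumed mapping).
ROLE_ENTITLEMENTS = {
    "hr_generalist": {"hris", "hr_shared_drive"},
    "payroll": {"payroll_app"},
    "engineer": set(),
}

# Current grants exported from the identity system (constructed).
ACCESS_GRANTS = [
    ("alice", "hris"),
    ("alice", "hr_shared_drive"),
    ("bob", "payroll_app"),
    ("bob", "hr_shared_drive"),   # stale grant left over from bob's old role
    ("carol", "hris"),            # still active after carol's departure
    ("dave", "hris"),             # orphaned account: no HR record exists
]

AS_OF = date(2022, 11, 1)  # date the review is run (constructed)

@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    reason: str

def reconcile(roster, entitlements, grants, today):
    """Return one Finding per grant that violates least privilege."""
    findings = []
    for user, app in grants:
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, app, "no HR record"))
        elif record["left_on"] is not None and record["left_on"] <= today:
            findings.append(Finding(user, app, "leaver still has access"))
        elif app not in entitlements.get(record["role"], set()):
            findings.append(Finding(user, app, f"not required by role {record['role']}"))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_ENTITLEMENTS, ACCESS_GRANTS, AS_OF):
        print(f"revoke {f.app} for {f.user}: {f.reason}")
```

Each finding is a revocation candidate for IT; in practice the roster and grant lists would be pulled from the HRIS and identity provider rather than embedded.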
Data. Reed broke down data policy into four principles: Only collect what you need; keep it only as long as you need it; encrypt it where it’s stored; and restrict its potential to be moved and used elsewhere.
Improper collection can be costly. Lawsuits filed under the Illinois Biometric Information Privacy Act are on the rise, with a jury last month handing down a $228 million judgment against BNSF Railway for 45,600 instances of fingerprint scans collected without written permission.
As for retention, Rollins said there’s no reason to hold onto HR data any longer than state or federal statute requires. “Once you’ve passed the date for reporting or tax data maintenance requirements, HR, IT and IS need to ensure secure destruction of that personal information,” whether it’s shredded or permanently erased from digital storage devices. “Holding onto the data only creates greater risk.”
Devices. Most bring-your-own-device policies were thrown out the window in March 2020. Some employees used personal devices to connect to corporate systems. Others used corporate-owned devices for their children’s remote learning, or simply to connect with loved ones.
With a blurry line between corporate and personal use, organizations face a question: Enact strict policies that could upset workers, or adopt loose policies that could have other, serious consequences? What if checking personal email on a corporate laptop leads to a phishing attack? Or, what if corporate data is stored on a personal smartphone and the company is subpoenaed; will an employee consent to giving up their phone?
“HR has to be threaded in,” Rollins said. “IS can work to protect the company, but it can’t be in such a fashion that effective and efficient work is problematic and the company can’t operate.”
Take an active role in strategy
Beyond contributing to access, data and device policies, Reed and Rollins said the current threat environment shows that HR should be playing a more active role in overall cybersecurity strategy.
One example is evaluating third-party software that handles employee information. Along with ensuring that products meet functionality and security requirements, this demonstrates due diligence, Reed said. This is helpful if a data breach or other incident results in legal action against the organization.
Additional examples include involving HR in tabletop exercises — both to help locate employee data within the organization’s network and to ensure consistent communications with employees as events unfold — and aligning on employee cybersecurity training.
In many ways, Rollins said, training matters more than the tools or policies that organizations put in place.
“Protecting and transferring sensitive information requires a lot of training. It can come from legal, or IT, or HR or a combination of the three,” she said. “It’s not how much you deploy multi-factor authentication, or how many endpoint detection tools you have in place. It only takes one person clicking on the wrong link for a business email compromise.”