How boards can protect the security of employee information

Employee data can be exceptionally sensitive and deserves special attention from a cyber security perspective

Does your organisation secure and manage employee data as carefully as customer data?

Organisations sometimes focus on keeping customer data secure while paying less attention to the data they hold on their own employees. Yet in many cases, employee data is several times more sensitive than customer data.

In September 2022 it was reported that Eurocell, a UK-based UPVC manufacturer, had suffered a substantial breach of employee data.

Current and former employee data was breached, including:

  • Personal information, including:
    • Date of birth
    • Next of kin details
    • Bank account, national insurance and tax-reference numbers
  • Employment terms and conditions
  • Right to work documentation
  • Health and wellbeing related documents
  • Learning and development records
  • Disciplinary and grievance related documents

The impact on the individuals whose data is taken in these situations can be huge. Beyond the increased risk of fraud, there is the associated psychological stress and the risk of double extortion, in which the criminals attempt to extort the individuals whose information they hold as well as the organisation itself.

For the organisation, consequences include reputational damage, as well as the prospect of legal action in the form of compensation claims. This is on top of the financial impacts from any business downtime, lost revenue, payment of any ransoms, and investigative and recovery costs.

Breach of employee information is not uncommon

At the time of preparing this article, January 2023, two more examples of data breaches involving employee data became known:

  • Fire Rescue Victoria (Australia): Stolen data was reported to include personally identifiable information of former, prospective and current employees. The data emerged on the dark web.
  • Guardian Media Group (International): Personal data of UK staff was reported to have been accessed, although at the time of writing there was no evidence it had been published.

Questions for boards of directors to ask of management

Day-to-day responsibility for managing cyber security risk sits with an organisation’s executive management team. However, company directors should play a leading role in ensuring it receives appropriate attention.

In the case of employee data security, here are five questions directors can ask of management:

  • Do we have a defined purpose and need for each piece of data we’re collecting, and if not, why do we collect it?
  • What is our organisation doing to ensure the security of employee data?
  • Do we have a policy around disposal of data relating to staff that are no longer with the organisation?
  • Do we know what our legal obligations are for reporting a breach of employee data?
  • If employee data is exposed, what is our response plan, and does it give us quick access to the relevant cyber forensic, legal, PR, credit monitoring and counselling support services?

Further cyber resources for directors can be found in the resources area.
