Organizations of all sizes collect and store sensitive, confidential employee data every day. As the number of cyberattacks on businesses grows, human resources leaders need to take a closer look at their cybersecurity practices. Existing privacy laws, together with the new regulatory pressure introduced by the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), make it more important than ever to protect data privacy and ensure compliance.
Let’s examine how you can strengthen cybersecurity, follow data protection best practices, and maintain compliance with state and federal laws as your business and workforce grow.
Businesses need to improve cybersecurity and HR data privacy
Businesses need to protect against data breaches by both external and internal actors. A Forrester study found that 55% of enterprise network security decision makers had experienced at least one data breach in the previous 12 months, and that 44% of those breaches were caused by employees who, intentionally or not, exposed sensitive data to attackers[1]. A 2019 Verizon security report also found insider threats to be a growing problem, accounting for 34% of the attacks it analyzed. With more employees working from home because of the COVID-19 pandemic, data security practices and compliance are under greater pressure than before.
Potential for data breaches
The human resources department collects sensitive, personal information about employees and serves as the custodian of that data. Social Security numbers and other personally identifying information, salaries, health insurance details, and retirement plan records must be kept out of the wrong hands; a breach exposes the business to legal liability as well as serious reputational damage. Your payroll system holds equally sensitive financial information, such as employees' bank account numbers for direct deposit.
Business owners and HR professionals should work closely with internal IT staff, their managed IT services provider, or their cloud HR software vendor to ensure information is protected from external breaches. However, attackers have also learned to bypass network security and go directly to individuals, who may inadvertently let them into your systems or give up login credentials or company data. That is why it is also important to train employees in cybersecurity awareness so they can recognize and avoid threats such as phishing.
A recent HR Executive article noted that the recruiting function represents a significant vulnerability, because it is an entry point for outsiders: HR collects resumes from strangers to fill open positions. When a job is posted, recruiters field numerous cover letter and resume files sent in a variety of formats. Bad actors can exploit this by sending malicious attachments, or by including a link to ransomware disguised as a LinkedIn profile. To prevent these attacks, HR can proactively work with IT to add screening controls on inbound files and review best practices for tool and application usage.
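As an added example of the kind of intake screening HR and IT can put in front of a recruiting inbox (this is illustrative code, not part of the original article or any vendor product), the function below rejects attachments whose extension is not on an agreed allowlist, whose content does not match the type the extension claims (an executable renamed to .pdf), that hide a document extension behind another one (resume.pdf.exe), that carry VBA macros inside an Office Open XML container, or that contain PDF actions a resume never needs. The allowlist, the file names and the sample files are constructed for illustration and are assumptions, not from the page.

```python
"""Screen inbound resume attachments before a recruiter opens them.

Added example, not part of the original article. The allowlist, file names
and sample files below are constructed assumptions for illustration.
"""
import io
import re
import zipfile

# Formats recruiters have agreed to accept, with the leading bytes each must have.
# None means the format has no signature and is checked another way.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # Office Open XML is a zip container
    ".txt": None,
}

# PDF name objects that launch code or open URLs; a resume has no reason to use them.
PDF_ACTIONS = re.compile(rb"/(JavaScript|JS|Launch|OpenAction)\b")


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to reject the file; an empty list means it passed screening."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""

    # resume.pdf.exe: a familiar document extension hiding the real one.
    if len(parts) > 2 and "." + parts[-2] in ALLOWED:
        reasons.append("document extension hidden behind another extension")

    if ext not in ALLOWED:
        reasons.append(f"extension not allowed: {ext or '(none)'}")
        return reasons

    magic = ALLOWED[ext]
    if magic is None:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            reasons.append("declared .txt but is not UTF-8 text")
        return reasons

    # Content must match the type the extension claims (MZ bytes in a ".pdf" do not).
    if not data.startswith(magic):
        reasons.append(f"content does not match {ext} signature")
        return reasons

    if ext == ".docx":
        reasons.extend(_inspect_docx(data))
    elif ext == ".pdf":
        reasons.extend(_inspect_pdf(data))
    return reasons


def _inspect_docx(data: bytes) -> list[str]:
    """Look inside the zip container for macro code and embedded objects."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return ["docx container is not a valid zip"]
    reasons = []
    if any(n.endswith("vbaproject.bin") for n in names):
        reasons.append("document contains VBA macros")
    if any("/embeddings/" in n for n in names):
        reasons.append("document contains embedded objects")
    return reasons


def _inspect_pdf(data: bytes) -> list[str]:
    """Flag PDF actions that run scripts or launch programs on open."""
    return [f"PDF contains {m.group(1).decode()} action" for m in PDF_ACTIONS.finditer(data)]


def _make_docx(with_macro: bool) -> bytes:
    """Build a minimal Office Open XML-style zip (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample submissions: two clean files and four that should be rejected.
SAMPLES = {
    "jane_doe_resume.pdf": b"%PDF-1.4\n% plain resume text\n%%EOF\n",
    "jane_doe_resume.docx": _make_docx(with_macro=False),
    "resume_macro.docx": _make_docx(with_macro=True),
    "resume.pdf.exe": b"MZ\x90\x00",
    "cv.pdf": b"MZ\x90\x00",
    "cv_js.pdf": b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R /JS (app.alert(1)) >>\n",
}


def screen_samples() -> dict:
    """Run every constructed sample through the screen."""
    return {name: screen_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in screen_samples().items():
        print(f"{name}: {'ok' if not reasons else '; '.join(reasons)}")
```

A screen like this is a first filter, not a substitute for sandboxed detonation or an antivirus scan; its value is that it is cheap, explainable to recruiters, and runs before anyone double-clicks.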
Data privacy regulations and trends
One of the most important responsibilities of human resources is to protect employees and your business. That’s one reason why it’s important for your HR staff to understand both the federal and state laws that apply to your company and its compliance with data privacy protection regulations. While the US does not currently have a comprehensive federal law regarding the collection and use of personal information, there are other regulations that must be followed when handling sensitive information. Check your state laws and consult with your legal counsel to ensure compliance with applicable data privacy laws.
With the adoption of the European Union's GDPR and California's CCPA, many expect other US states to follow suit, requiring companies to become more transparent and to minimize the data they collect. To be prepared, HR should stay up to date on the consideration and passage of new cybersecurity requirements and data protection regulations.
CPO Magazine discusses the acute challenges many companies will face as they work to comply with new data protection laws such as the CCPA. Because many current security systems were not designed for data visibility or access management, businesses find it difficult to understand and track down the damage caused by an attack. Assessing damage to ERP and HR systems is particularly hard because they are often the last systems to be updated. Working toward compliance helps organizations respond better to cybersecurity threats and improves their ability to identify and control the points at which data is accessed.
Best practices to protect data privacy and stay compliant
Above all, employers must remember that they are also responsible for protecting and safeguarding sensitive employee data. Here are some best practices businesses should follow to improve data privacy protection and maintain compliance with regulations:
- Be intentional about HR data collection. Businesses should minimize the amount of data they collect about employees in order to safeguard privacy and security. Workforce data can also be a powerful tool for analysis and growth, so the key is to plan deliberately which types of data you collect and store, and why.
- Understand the laws and requirements applicable to your business. Once data is collected, it is important to understand the rules that govern how records must be stored and how long they must be retained. For example, FMLA requires that leave-related records be retained for three years. Some laws, such as the Texas biometric privacy statute, mandate destruction of records after a maximum length of time. Businesses should also know how to securely dispose of employee records, both paper and digital, to maintain compliance.
- Share data privacy rights information with employees. Communicate information about data privacy to your employees so they understand their rights as well as the regulations affecting your business. Stress the importance of data protection and work to create a culture of compliance that follows cybersecurity and data privacy best practices.
- Be transparent. As with many best practices, transparency is key to building trust. Data protection is an essential compliance function for businesses of all sizes; both your employees and your clients are trusting your organization to protect sensitive data and confidentiality.
Cloud HR and payroll software delivers advanced cybersecurity
If you use cloud-based HR management and payroll software, your vendor is an important ally in HR cybersecurity. Your employee data is stored on the vendor's infrastructure, which typically has much stronger security than most small to midsized businesses can maintain for their own servers.
Cloud vendors build in both technology and process controls to keep sensitive employee and payroll information safe. For example, Asure is compliant with the ACH banking rules governed by the National Automated Clearing House Association (NACHA) and has obtained SOC 1 Type 2 attestation reports to demonstrate it. All of our systems and customer data are hosted in the cloud with Amazon Web Services (AWS), which provides the underlying infrastructure security, uptime, redundancy, and scalability.