- The U.S. Department of Homeland Security (DHS) is notifying employees who may have been affected by a "privacy incident" that involved the release of personally identifiable information (PII), according to a DHS statement.
- In May 2017, DHS's Office of the Inspector General discovered an unauthorized copy of its investigative case management system in a former employee's possession. The incident didn't involve a cyber attack or outside interference, but PII was released — though this data was not the primary target of the unauthorized data transfer — according to DHS. The incident affected two groups: 247,167 current and former employees on DHS's staff in 2014; and people associated with investigations from 2002 to 2014, such as claimants, witnesses and subjects. PII included Social Security numbers, birth dates, positions, grade levels, addresses, phone numbers, duty stations and other data.
- DHS notified victims of the incident in December; officials said the incident's complexity caused a delay in notifying them. DHS says it's using additional security precautions so that access to the information is limited. It also said it will improve the process of identifying suspicious patterns of accessing the data and will continue monitoring its systems and practices.
No organization is immune to breaches involving sensitive employee data, even in the most secure environments. DHS's breach is also an important reminder that the biggest cyber risk isn't a shadowy foreign actor — it's probably someone sitting in your workplace at this very moment (or who formerly did so).
Employers must issue all-staff bulletins that warn against leaving PII visible and unattended on computer screens. HR also must limit access to personal information to need-to-know personnel, which might exclude employees such as clerks, assistants, secretaries and temp staff, who routinely handle personal documents.
When employees leave their jobs, their access to the organization's networks, and access to any personal or proprietary information they might have, should immediately end. Formal training in ID-theft prevention for all employees might be necessary, and should include guidelines concerning personal electronic devices.
After any workplace crisis, HR's role is to rebuild employees' trust. Delays in disseminating bad news fosters distrust among employees, so regular communication around how the organization is handling a crisis, and which future preventative measures will be taken, is vital. Offering voluntary identity theft benefits may be an additional assurance, but this must be executed transparently.