Cyber threats are real and growing. In an age when data incursions are regular features in the news, it's no surprise businesses strive to protect their own data. But employee data is just as vulnerable, and often, a breach that accesses personal information also provides a roadmap to business systems and infrastructure. With this in mind, how can L&D better help employees protect their personally identifiable information (PII)?
The legal side
"There is no comprehensive employment data privacy law," Bill Nolan, partner at Barnes & Thornburg, told HR Dive in an email. Employers' obligations come from a variety of sources. Personnel information, health records and other employee data have long been protected in the workplace. But digital access often leaves employer and employee information open to infiltration. All states have data breach laws that require business to report any data that has been compromised. Generally, a disclosure of employee information will trigger obligations under these laws, Nolan said.
Additionally, about a dozen states have statutes and standards for information security, Philip Gordon, shareholder and co-chair of Littler's Privacy and Background Checks Practice Group, told HR Dive. "In many of these states," he said in an email, "the law requires only that data owners, which includes employers, implement reasonable and appropriate physical, technical and administrative safeguards for personal information, such as SSNs, but some states, like Massachusetts and Oregon, establish much more detailed requirements."
Human error in some form is a frequent contributor to data breaches, according to a report from Shred-it, and more than half of the leaders polled cite employee negligence as their biggest information security risk. Remote workers also open networks to incursions, particularly when company laptops are left unattended. And the same smartphone that allows employees to check their email 24/7 may be the unlocked device, left on a counter temporarily, that allows a hacker to collect passwords for a later incursion.
"Educating employees to safeguard their own PII can help with internal compliance," Colleen Blake, SVP of people at GuideSpark, told HR Dive in an email. Training campaigns that explain the principles and showcase real world examples of breaches are some of the most effective training mechanisms, she explained. "Companies need to craft creative approaches to catch their attention," she added, "and that may mean explaining personal consequences in addition to the impact it can have to the overall company."
What to cover
"Some of the key things to include in PII training for employees is an explanation of what is private information and/or what combination of information makes it private," Erika Lance, KnowBe4's SVP people operations, suggested, "and why it's important to keep this information to themselves." The two best training tools are interactive video modules and in-person training; fun and engagement are key, she advises, and soliciting interaction and feedback is crucial.
Include how to protect personal and business information that's stored and accessed on mobile devices. Doubling up on password protections is important — particularly if staffers access company systems via their smartphone. Employees should also be trained to recognize and avoid phishing scams and malware.
Some employees will need additional, specific training, like those in the financial and healthcare industries. But training is critical for all employees. "It is eye opening to see the latest ways that people can steal our information," Nolan said. "It gets our attention and, in addition to providing information on what we are trying to prevent, just gets people engaged – because it's scary."
"The three Os"
Blake suggested a three-pronged approach to training. She called it the three Os: onboarding, ongoing and offboarding. It begins with providing new hires the basics on keeping their and the company's information private and in compliance.
Ongoing training, Blake writes, is the most difficult phase to get correct. "HR and IT need to collaborate to create a campaign to continuously remind employees of their obligations. This can include monthly, quarterly, or semi-annual reminders," she said. "To be most effective, reminders can take a number of forms – perhaps it's a poster, text message, email or video." Finally she recommended HR and IT work together to make sure the company's exit checklist includes removing access and returning equipment.
When designing a PII protection training program, it's important to include every data access point employees and the business use for both remote and in house workers. Communication is key; make sure to poll staffers about platforms they may use for remote access and examine what risk, if any, they pose. An employer may be surprised to find how they're using systems and how they're gaining access.
Using available tools
Some tools may already be in place but underutilized; access to email accounts from remote devices, for example, can require lock-screened phones. Analyzing the systems everyone uses and protocols already in place – or lacking – is a critical first step for L&D and IT. Together, the departments can develop and rollout training and continuously reinforce it. The smallest misstep can lead to a devastating data incursion.
Training has no value if it doesn't stay with employees, Lance said. "Often times, training occurs just to say training is done and to check a box instead of focusing on how to actually train people and help them retain the information," she said.
Training staff of the potential risk to themselves and their identity is critical. While they learn to protect their assets, they'll simultaneously protect the business.