WORKSPAN
Feature

Operation Data Protection

Technology in today’s workplace is about, among other things, making life easier for everyone. By using today’s creative tech tools, employees will be more engaged and productive, and corresponding positive bottom-line results will follow — or so the theory goes.

In many ways, tech tools are, in fact, making things easier and producing better results.

Yet when it comes to creating effective technology use policies, making the wrong moves can get in the way of progress, opening a proverbial Pandora’s box of legal and other problems — especially with the exposure of sensitive customer and employee data. With social media, email, instant messaging and other data-rich communications on the rise, experts and human resources leaders say a thoughtful approach to getting it right is essential.

So when it comes to managing employee use of technology at work in an effort to maintain data security, what’s a CHRO to do?

Michelle Lee Flores, a Los Angeles-based labor and employment partner at Akerman LLP, says it mainly means adopting and communicating policies that consistently remind employees of the sensitive nature of confidential company data and information.

“Providing periodic reminders to employees with specific examples of what they should not get ‘too relaxed’ about when relaying information to others is important,” she said. For example, Lee Flores says that in certain industries, given the impact technology and social media can have on job performance, many employers may have to ban the use of personal cell phones while employees are “on the clock.”

London-based Dean Chapman, a risk management executive in cyber risk with Willis Towers Watson, says that there are known and well-documented vulnerabilities and risks associated with the usage of new, innovative technologies, and in his view, it’s pleasing to see that organizations are starting to take steps to understand and mitigate their exposures in this area.

Chapman explains that employers have access to a wide and increasing range of security solutions (employee monitoring and advanced threat protection, end-to-end email security and mobile device management, etc.) that assist with the protection of their fixed and mobile assets. Additionally, companies are slowly beginning to link these security solutions with the implementation and ongoing management of a comprehensive and measured cyber-security culture and awareness strategy.

“While a cyber threat can never be fully mitigated, companies are now beginning to appreciate the link between user behavior/culture and effective cyber-security,” Chapman said.

At the same time, he adds, a majority of organizations must, in this era, maintain a social media footprint. The key to mastering the murky world of social media usage and engagement, he says, is trusting your employees to do the right thing. How? By creating an “open, honest and trusting cyber culture,” he said.

“Humans, in particular the younger generation who are considered ‘digital natives,’ are inquisitive and like to find workarounds,” he said. “So banning the use of or restricting access to social media will often encourage bad behaviors which, in turn, may present unnecessary risk.”

According to Detroit-based Sheryl Simmons, chief human resources and compliance officer at employee health and benefits company Maestro Health, the key may be in embracing technology, not limiting it.

“Rather than establishing policies forbidding usage while at work, employers should take the opportunity to harness the power of technology and social media to align usage with their company’s culture,” Simmons said. “Doing so can help build a collaborative culture that provides guidelines for embracing transparency, professionalism and accountability.”

The Challenge of Remote Work

Another challenge in managing today’s technologies is the trend toward more flexible work arrangements and remote workforces. Willis Towers Watson’s (WTW) Chapman says that when it comes to technology and remote work, policies without sufficient implementation, distribution (availability to the general workforce), enforcement and a structured review process are ineffective and will do nothing to protect the organization.

With that, policies need to be supported by a repeatable training and awareness strategy and should include aspects of physical security as well. He says that some companies are using a range of technical controls (full disk encryption, use of virtual private networks, etc.) to secure their mobile workers, but appear slow to provide any formal training that would further raise workforce awareness of the cyber threat when working remotely or on mobile devices.

“Remote working brings physical security concerns to the fore, such as ‘shoulder surfing’ and, of course, physical theft [of devices],” he said, adding that physical security of company assets is often overlooked as being part of the wider cybersecurity strategy. But companies must remember that hackers/thieves will often take the path of least resistance, which includes device theft and damage if an easy opportunity or target is presented to them.

Then there is the added challenge of enforcing corporate policies offsite, without getting into legal hot water by breaking individual privacy laws.

Beth Zoller, attorney and legal editor at XpertHR in New York City, says that an employer has a legitimate interest in enforcing corporate policies offsite if an employee is engaged in work-related communications and using the employer’s network or employer-provided resources, such as a laptop or mobile device.


“An employer should make sure to provide clear notice to employees of any surveillance and monitoring it is conducting so employees are fully aware that they have a limited right to privacy,” she said. Additionally, in engaging in any surveillance and monitoring, an employer must be sure to comply with any relevant federal or state laws.

“While it is essential for an employer to protect its own interests and information, it must strike a delicate balance when weighed against employee privacy expectations,” she said.

“It is a delicate dance to say the least. But if individuals are ‘on the clock,’ then they must comply with corporate policies,” Akerman’s Flores notes.

Transparency vs. Employer Rights

One offshoot of the rise in workplace technology use is the issue of employees posting their salaries and company reviews on sites like Glassdoor.com. While it may make employers uncomfortable, it’s a fact of life today, one that requires a gentle approach — and could be a potential benefit in gauging corporate culture, according to the experts.

For instance, Simmons says that for company cultures that embrace feedback and transparency, such reviews can arm HR teams with valuable insights from both the employee and candidate perspective. Unfortunately, she adds, the posted information doesn’t necessarily have to be truthful to be published for public consumption.

“Human resources and marketing teams can partner together to monitor postings, measure trends and identify actionable steps that may need to be taken to address honest and reasonable employee feedback,” she said of how to take advantage of these online sites.

Flores explains that some states have laws that specify that employers cannot prohibit employees from talking about their compensation. Employers also need to be mindful of the National Labor Relations Board’s (NLRB) Section 7 rights, which gives employees the right to engage in protected concerted activity — that is, to act together to try to improve their pay and working conditions.

“It also impacts what employers may do if someone is engaging in such protected activity,” Flores said. “So discussing matters on sites that allow this type of sharing can impact the NLRB.”

Having said that, Flores adds that she’s also aware that information on Glassdoor-like sites is generally anonymous and identified only by position.

“For these reasons, it would be difficult to determine who is disclosing what,” she pointed out.

XpertHR’s Zoller expands on Flores’ view regarding the right to engage in protected activity, adding that the National Labor Rights Act and various state laws provide employees with the right to freely discuss their wages.


“If an employer views a negative or false posting, it should certainly attempt to respond online,” Zoller said.

From an employer point of view, WTW’s Chapman concedes that the anonymous aspect of sites like Glassdoor makes them very difficult to monitor. In reality, he said, all that employers can do is make reference to the acceptable use of, or publishing to, websites such as Glassdoor in their employee handbook or information security (and social media) policies.

“Ultimately, this again comes down to culture: Organizations should instead promote an internal ‘whistleblowing’ function whereby employees can post/discuss any aspect, negative or otherwise, of their work/company, etc., in a safe and confidential manner — but one that remains internal, not on the World Wide Web,” he said.

Internal Messaging Risks

Moving from external websites to internal messaging platforms such as Slack and Yammer, the latter could become places where employees form special-interest and hobby groups that teeter on the inappropriate or exclusionary, driving clique-like behaviors that could pose a risk on several levels. How can employers discourage that type of scenario from happening?

“Once again, reminders that while people are on the clock, the focus should be on work,” Flores suggests. She says that would mean reminders about the manner in which communication takes place: when communicating with co-workers while at work, employees must comply with the rules for appropriate workplace interactions, including not engaging in sexual harassment, harassment based on any protected characteristic or discriminatory conduct.

“Reminders that people should be inclusive and that all workers are equal can go a long way in the workplace,” she said.

Zoller adds that an employer has a clear interest in monitoring internal networks for signs of discriminatory, bullying or harassing behavior that may land the employer in hot water and facing claims of discrimination and harassment, as well as abusive conduct. In fact, she proposes that a person in IT or HR should be tasked with undertaking random monitoring of such networks to observe any improper behavior. Additionally, an employer should take immediate action if it learns of such behaviors on an internal network.

“An employer needs to recognize that even though it is an internal online environment, an employer may face the same measure and risk of liability, so it is best to address such issues head on,” Zoller said.

Protecting Employee Identity

Finally, there is the issue of protecting employee identity, another potential risk specific to HR and the rise in technology, whether it is cloud-based or housed in on-premises hardware.

According to Zoller, employers need to make sure to implement security measures for employees using networks, including two-step authentication, enhanced security measures and protective software, as well as the encryption of sensitive information. In addition, an employer should make sure that individuals in the organization are only privy to private and confidential information on a need-to-know basis and that the employer takes steps to shield such information and keep it protected.


“Employers should also be aware of state data privacy laws and relevant obligations,” she noted.

WTW’s Chapman thinks that employers need to do more in this area, noting that from his experience, employers are taking very few proactive steps to protect employee identities. He cites that many organizations actually provide short biographies and other insightful descriptions of their employees on company websites and social media platforms, such as LinkedIn.

“I appreciate that, for many, this is necessity, as it allows the company to showcase the capabilities of their teams and people in order to win new clients [and such],” he said. “However, this ‘data leakage’ is precisely what hackers — good and bad — use to target your business and your people.”

Often referred to as Open Source Intelligence (OSINT), freely available information obtained via the internet provides malicious actors with a treasure chest of data with which to craft a possible attack, often in the form of a spear-phishing email, Chapman explains.

On the upside, this is an area where employers will look to focus more effort in the coming months and years, he said. In particular, automated online cyber footprint assessments can provide a company with an overview of what information relating to them is available online.

“This assessment can and should be used by companies and employees to address and remediate any data leakage, further reducing the threat landscape for all involved,” he said.

Simmons noted that companies use employee data for a variety of purposes, from evaluation during the hiring process through payroll and benefits administration. To that end, a policy should be specific to the business, industry and state jurisdictions. HR, compliance, security and privacy teams must work collaboratively to create best practices that both protect employee data and educate employees on their role in that protection.

“Employees trust us to protect that data,” she said. “More importantly, every organization has a legal responsibility to do so.”

Tom Starner is a freelance writer with WorldatWork.
