Technology is a fundamental cog in the operations of every modern business. With internet-based communication and software solutions being so prevalent and remote forms of working increasingly on the rise, it is no surprise that more and more employers are reconsidering their cyber security.
In a survey of risk management specialists by Allianz, cyber incidents were noted as being the biggest threat facing businesses in 2022. The risk of ransomware attacks and other types of data breaches was a bigger fear than COVID-19.
A cyber incident is a breach of a company’s data protection processes which harms the confidentiality, integrity or accessibility of personal data. Such incidents can occur in various ways, including malware entering a company’s systems, phishing attacks or Denial-of-Service attacks.
There is an inherent connection between HR and such attacks, as they often involve employee personal data or the actions (or negligence) of an individual employee contributing to the security breach.
Prevention is the best cure for cyber incidents, so in this article, we explore the legal and practical considerations for employers when preparing for a cyber incident.
Employees are often a company’s most important form of defence against cyber attacks. The government’s cyber security breaches survey in 2020 revealed that 63% of breaches were spotted by employees, whilst antivirus protection software only caught 7% of attacks.
Simple but effective training can be rolled out to teach staff how to identify strange emails and respond when there is an attack or data breach. The company’s data protection and IT procedures can also be covered, including issues such as how to safely use IT equipment, rules on remote working, the use of document management systems and rules on removing data from company systems.
It is common for this training to be part of the company’s induction process for new hires, but refresher training should be used to ensure good practices are maintained. In addition, training tools and quizzes could be circulated to staff on a regular basis to gauge whether they respond correctly to mock cyber security scenarios.
Keeping track of the employer’s methods and reasons for storing and processing personal data is vital. When a security breach occurs, and the compromised data contains employee data, knowledge of the employer’s data framework will be crucial in remedying the breach, communicating to staff, handling any reports to regulators and dealing with any legal claims. The information that HR should track and record includes:
Employers should make sure that they are abiding by basic storage limitation principles. That is, ensuring data is kept for only so long as it is needed for the purpose for which it is processed, which is a key principle of data protection regulations. This means that if data has achieved its purpose, it should be swiftly and securely deleted.
In addition to the commercial concerns of not adhering to good storage limitation principles, there are other risks, including breaching time limits for the storing of certain types of HR data, facing action from the ICO, greater reputational risks and a wider basis for legal claims.
It is a good idea to include a written data retention policy in the company handbook so that all staff, particularly HR and IT staff, are clear on when certain data should be securely removed from systems. Factors that will be relevant to setting retention periods are:
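The storage limitation principle and the written retention policy described above only work if someone actually checks what is due for deletion. The following is an added illustration, not code from the article or from any particular employer: it holds a small, constructed HR data inventory (the record of purpose and storage location that HR is advised to keep), assigns each category a placeholder retention period, and reports which records should be securely deleted, which fall due soon, and which have no retention period set at all. The categories, periods and records are assumptions for illustration; real periods must be set by the organisation in line with its legal and business requirements.

```python
"""Retention-period check over a constructed HR data inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods in days, keyed by data category.
# Placeholder values for illustration only, not legal advice.
RETENTION_DAYS = {
    "recruitment_unsuccessful": 180,
    "payroll": 365 * 6,
    "sickness_absence": 365 * 3,
}

# Records within this many days of expiry are reported as "due_soon"
# so HR/IT can schedule secure deletion rather than discover it late.
WARNING_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class HrRecord:
    record_id: str
    category: str
    purpose: str           # why the data is held (storage limitation principle)
    event_date: date       # date from which the retention clock runs
    storage_location: str  # where it lives, needed when handling a breach


def retention_status(record: HrRecord, today: date) -> str:
    """Classify one record as retain / due_soon / delete / unknown_category."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        # No retention period defined: the policy has a gap that must be reviewed.
        return "unknown_category"
    expiry = record.event_date + timedelta(days=days)
    if today >= expiry:
        return "delete"
    if today >= expiry - WARNING_WINDOW:
        return "due_soon"
    return "retain"


def retention_report(records, today: date) -> dict:
    """Group record ids by status so each group can be actioned in one pass."""
    report = {"retain": [], "due_soon": [], "delete": [], "unknown_category": []}
    for record in records:
        report[retention_status(record, today)].append(record.record_id)
    return report


def records_to_delete(records, today: date) -> list:
    """Ids whose retention period has passed and which should be securely removed."""
    return retention_report(records, today)["delete"]


# Constructed sample inventory (assumed values, not real employee data).
SAMPLE_RECORDS = [
    HrRecord("R1", "recruitment_unsuccessful", "assess candidate", date(2021, 10, 1), "ats/candidates"),
    HrRecord("R2", "payroll", "pay staff and report tax", date(2020, 4, 6), "payroll-db"),
    HrRecord("R3", "sickness_absence", "manage absence", date(2019, 5, 20), "hr-share/absence"),
    HrRecord("R4", "sickness_absence", "manage absence", date(2019, 6, 20), "hr-share/absence"),
    HrRecord("R5", "training_certificates", "evidence competence", date(2018, 1, 1), "hr-share/training"),
]

if __name__ == "__main__":
    for status, ids in retention_report(SAMPLE_RECORDS, date(2022, 6, 1)).items():
        print(f"{status:17s} {ids}")
```

Run against the sample inventory with a reference date of 1 June 2022, R1 and R3 are past their periods, R4 falls due within the warning window, R2 is retained, and R5 is flagged because its category has no period defined, which is exactly the kind of gap a periodic policy audit should surface.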
HR policies and procedures should be audited and updated to ensure compliance on a regular basis. This will make sure that security protocols do not become outdated and that the business is properly protected. This might include a review of data protection policies, privacy notices, IT security policies and data retention policies, data subject access request protocols and homeworking policies.
In addition, HR should reassess the adequacy of protections within contracts of employment and contracts for workers and freelancers. Confidentiality provisions and post-termination restrictions, when drafted correctly, can help protect an employer’s data during and after employment ends.
Employers are increasingly relying on technology as an important tool in their cyber incident protocols.
This can involve monitoring employee activity on company equipment, but such monitoring must comply with data protection laws. In practice this means establishing a legitimate interest for the monitoring in question and taking a balanced approach, so that the monitoring goes no further than is necessary to achieve its purpose.
Proportionate monitoring with the aim of highlighting cyber risks is likely to be justifiable given the dangerous and prevalent nature of cyber attacks.
In addition, many employers use data protection software to guard their data and prevent unauthorised data from exiting their networks. For example, there is software that can scan outgoing emails and notify staff when data is being sent out to the wrong recipient or a suspicious recipient.
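To make the outgoing-email check concrete, here is an added example that is not part of the article and does not represent any vendor's product. It takes a constructed outgoing message (recipients, subject, body), treats the company domain and a named payroll provider as trusted (both assumed names), and returns findings for three situations the passage describes: a recipient outside the trusted domains, a recipient whose domain is a close lookalike of the company's (a likely mistyped or spoofed address), and HR personal data, here a simplified UK National Insurance number pattern or sensitive HR terms, heading to an external recipient. The domain names, word list and sample messages are all assumptions for illustration.

```python
"""Outgoing-email check for wrong or suspicious recipients (added example)."""
import re

COMPANY_DOMAIN = "exampleco.com"                        # assumed company domain
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "payroll-provider.example"}  # assumed trusted partners

# Simplified shape of a UK National Insurance number (two letters, six digits, A-D);
# real validation has extra prefix rules, this is enough to spot obvious leaks.
NI_NUMBER = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")
SENSITIVE_TERMS = ("salary", "payroll", "sickness", "disciplinary")
LOOKALIKE_MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_outgoing(msg: dict) -> list:
    """Return a list of human-readable findings; an empty list means no concern."""
    findings = []
    external = [r for r in msg["to"] if domain_of(r) not in TRUSTED_DOMAINS]
    for recipient in external:
        distance = edit_distance(domain_of(recipient), COMPANY_DOMAIN)
        if 0 < distance <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"lookalike domain: {recipient}")
        else:
            findings.append(f"external recipient: {recipient}")

    # Content checks only matter when the message is leaving the trusted set.
    if external:
        text = msg["subject"] + "\n" + msg["body"]
        ni_numbers = NI_NUMBER.findall(text)
        if ni_numbers:
            findings.append(f"{len(ni_numbers)} National Insurance number(s) to external recipient")
        terms = [t for t in SENSITIVE_TERMS if t in text.lower()]
        if terms:
            findings.append("sensitive HR terms to external recipient: " + ", ".join(terms))
    return findings


def messages_to_hold(messages) -> list:
    """Ids of messages that should be held for the sender to confirm before sending."""
    return [m["id"] for m in messages if check_outgoing(m)]


# Constructed sample messages (assumed addresses and content, not real data).
SAMPLE_MESSAGES = [
    {"id": "m1", "to": ["payroll@exampleco.com"], "subject": "Payroll run",
     "body": "NI: AB123456C"},
    {"id": "m2", "to": ["finance@examp1eco.com"], "subject": "Salary review",
     "body": "Attached: salary spreadsheet"},
    {"id": "m3", "to": ["someone@gmail.com"], "subject": "New starter",
     "body": "NI number AB123456C, start Monday"},
    {"id": "m4", "to": ["accounts@payroll-provider.example"], "subject": "Payroll file",
     "body": "Monthly payroll file attached"},
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message["id"], check_outgoing(message) or "ok")
```

In the sample set, m1 and m4 go to trusted domains and pass, m2 is held because "examp1eco.com" is one character away from the company domain and the text mentions salary, and m3 is held because it carries a National Insurance number to a public webmail address. A notify-and-confirm step on held messages is the behaviour the article describes; blocking outright is a policy choice for the employer.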