Human Resources Report™
Reproduced with permission from Human Resources Report, 33 HRR 201, 3/2/15. Copyright © 2015 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
Cyber Security
Transparency Is Key in Regaining Employee
Trust After a Cyber Attack, Practitioners Say
When an employer is hacked, workers can lose
trust in its ability to protect their most personal
and valuable information. In order to regain that
trust, the employer should be transparent about how
the breach occurred and explain to employees exactly
what is being done to ensure it doesn’t happen again,
practitioners told Bloomberg BNA.
Recent computer hacks at two large employers, Sony
Pictures Entertainment (32 HRR 1351, 12/22/14) and
Anthem Blue Cross Blue Shield (33 HRR 121, 2/9/15),
one of the nation’s largest health insurers, which not
only included employee data but consumer information,
such as medical records and other personal identification, have many workers wondering if they can trust
their employers with sensitive information. Both companies quickly offered credit monitoring to employees
and consumers who were affected by the breach.
Matt Brosseau, chief technology officer and head recruiter at Chicago-based consulting firm Instant Alliance, told Bloomberg BNA Feb. 20 that the first step in
regaining employee trust following a hack is making
sure that the organization is clear in communicating exactly what happened and how it happened.
‘‘The first stage of trust is clear and open communication,’’ he said. ‘‘Let them know what happened in a
way that is easy to understand so they feel like they are
a part of what is going on.’’
Brosseau said that the better companies are at sharing that information, including what data were lost and
what the organization understands about the nature of
the breach, the better chance there is of ‘‘minimizing
whispers among employees about whether the company is doing enough to protect their personal information.’’
Attorney Suzanne J. Thomas, a partner with the labor
and employment practice in K&L Gates LLP’s Seattle
office, told Bloomberg BNA Feb. 23 that state and federal laws require employers to make certain disclosures
about data breaches to their employees.
‘‘Where there is an ongoing criminal investigation,
employers might need to defer to state and local laws
about proper notice when there has been a data
breach,’’ Thomas said.
She noted that many employers ‘‘send out a preliminary e-mail saying, ‘this is all we know right now but
please be aware that a data breach has happened, we
are gathering information and we will keep you fully informed.’ ’’
Depending on the size of the company, Thomas said,
employers might have an ‘‘all hands on deck’’ meeting
to ease employee concerns. ‘‘In my experience, the
companies that have at least some informal dialogue
with their employees anecdotally seem to have fewer
who get completely panicked about the event,’’ she
added.
Trisha Zulic, regional HR director at Efficient Edge
HR & Insurance Services in San Diego and a technology panelist for the Society for Human Resource Management, also recommended open communication with
employees.
‘‘Explain how it happened,’’ she told Bloomberg BNA
Feb. 20. ‘‘Transparency is the only way to regain employee trust. You want to be consistently talking to
[employees] and telling them what type of efforts are
being made in order to change those vulnerabilities.
Say ‘we suffered this breach and now we are making
changes across the board in order to improve security
standards throughout the organization.’ ’’
Brosseau recommended setting up a roundtable discussion or a phone line with IT professionals. ‘‘That’s
really helpful,’’ he said. ‘‘It helps employees come back
to trusting their organization.’’
Improving Data Security. According to Thomas, a lot of
the rebuilding of trust happens on the front end by employers demonstrating that they are working on improving security measures.
‘‘What employers should be doing is checking the security of their various computer systems and devices,’’
she said.
Thomas asserted that often employers may either
have these systems in place but they are ignored, or
don’t have them in place at all.
‘‘It is the employer’s responsibility to make sure that
their usage settings are in line and that they have
clearly defined rules in place for what employees
should be doing while on the company’s network, that
is, what they should be sending over the company system and the type of data that they should be storing,’’
Zulic said.
To get ahead of a breach, Brosseau said a good security platform is always about proactive work as opposed
to reactive patching and trying to stop ‘‘hemorrhages of
data.’’
To do that effectively, he said, organizations should
set up an internal security group that monitors cybersecurity risks, assesses them, researches them and
brings that information back to a cyber security team.
ISSN 1095-6239
‘‘Spending the time to educate employees on not just
the ‘this is what you need to do to be more secure’ but
the ‘why’ is equally as important,’’ Brosseau said. ‘‘As
much as I hate to say it, there are all kinds of cybersecurity problems that happen and unfortunately 90
percent of them happen because end users make an error at some point in time. So taking the time to educate
your employees on why they have to be secure in cyberspace is critical.’’
BY CARYN FREEMAN
To contact the reporter on this story: Caryn Freeman
in Washington at cfreeman@bna.com
To contact the editor responsible for this story:
Simon Nadel at snadel@bna.com