A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.

This part discusses the team that an organization forms to investigate security incidents and, specifically, the role that HR managers may be asked to take within the incident response team.

Investigating a security incident that involves HR data, or the actions of an employee, often requires a team that may include representatives from Information Technology, Information Security, Legal, Risk Management, Operations, Marketing, Communications, and/or Human Resources. Ideally, a team is selected and trained on data breach response prior to the occurrence of an incident. One person should be designated to keep a log or running chronology of the investigation to enable the organization to reconstruct later what information the organization knew at what time. Personnel should take extreme care when documenting an investigation to avoid creating a factually inaccurate record by recording opinions that may be based on preliminary information.

If a representative from HR is included in the incident response team, they typically serve several functions. First, HR is uniquely situated to understand the impact that a data breach may have on employees. This includes predicting the types of questions that employees are likely to ask and predicting the impact that a security incident may have on morale. Second, HR is often best situated to help the incident response team plan how information about a security breach should be communicated to employees. The method of communication often depends on a number of variables ranging from the size of your workforce, the number of employees involved in the incident, and the organization’s normal operating procedure for conveying information. Third, if a security incident involves the actions of an employee (malicious, negligent, or inadvertent) HR may be needed to help investigate the employee motives, to take disciplinary action (if warranted), or to provide ongoing training for the employee (and perhaps others) about good security practices.

TIP: Consider designating two people from each department that may need to participate in an incident response team – a “primary” contact and a “back-up” contact in case the primary team member is unavailable.