A large portion of the data breaches that occur each year involve human-resource-related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about other people, or, in a small number of cases, a current or former employee maliciously stole or released information.
Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to, a data breach.
This part is designed to help human resource managers understand the importance, and function, of a written information security program.
After a security breach occurs, employees, the media, and regulators often ask what measures a company took to try to prevent the breach in the first place. HR professionals should therefore consider whether their organization would be able to produce documents demonstrating that it was attempting to secure sensitive information. Many outside observers will expect that this includes, at a minimum, a written information security program, or “WISP.” Rhode Island and Massachusetts require employers to implement and maintain WISPs if they control sensitive categories of personal information, such as employee Social Security Numbers, about residents of those states. Even where state law does not require a company to have a WISP, regulators will likely ask whether the company has one if they become aware of a breach of employee personally identifiable information, or “PII.”
The format and contents of a WISP depend greatly on the number of employees about whom you have information (and, therefore, on the total quantity of information in your organization’s possession). Put differently, the WISP of a five-employee non-profit typically looks very different from the WISP of a multinational company with tens of thousands of employees. Nonetheless, there are areas of commonality. A well-written WISP usually describes the following:
- The administrative, technical, and physical safeguards that exist to keep sensitive personal information secure
- The process used by the organization to identify, on a periodic basis, internal and external risks to the information that it maintains
- The specific employee who is ultimately responsible for maintaining and implementing security policies
- The sensitive information maintained by your organization
- Where and how sensitive information will be stored within your organization
- How sensitive information can be transported away from your organization
- Procedures for:
  - Username assignment
  - Password assignment
  - Encryption format
  - Provisioning of user credentials
  - De-provisioning of user credentials (e.g., for taking away the ability of terminated employees to log into your network)
  - Employee training on security topics
  - Destroying data
  - Retaining service providers that will have access to data
Companies that maintain sensitive information about individuals other than their employees may choose to base their WISP upon standards or formats created by third parties. Although there are many frameworks to choose from, some of the most popular are those published by the International Organization for Standardization (“ISO”) and the National Institute of Standards and Technology (“NIST”). Organizations that adopt one of these standards to describe how they protect consumer data typically fold the security practices surrounding employee data into their larger security framework.
TIP: For some organizations, a written information security program is a complex document that may include hundreds of sections. For others, a written information security program can be a simple document that endeavors to memorialize what your company is doing to protect employee data. If you do not already have a written plan, do not allow the perfect to be the enemy of the good. Keep it simple and focus on the main topics that others would expect to be included.