A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach.
This part discusses what employers should look for when evaluating their employee whistleblower policies in connection with encouraging the reporting of data security incidents.
One of the most important factors that shape how well an organization can respond to a data security breach is how fast the organization discovers that a breach occurred and initiates a formal investigation and response. Put differently, it is hard to respond to a breach, or mitigate its impact, if you don’t know that it has occurred.
Employees are an indispensable resource for identifying security breaches. In some cases, they may be the only individuals who know that an incident occurred. For example, if an employee inadvertently throws away sensitive information that should have been shredded, the organization may never discover that it occurred until, or unless, a bad actor finds the materials.
In other situations, the organization may find out about an incident too late to mitigate the impact. For example, if an employee inadvertently sends a file that contains sensitive information to the wrong email recipient, unless the employee self-reports, the organization may first hear about it from the recipient after they open the file and view the information.
Most HR professionals are familiar with the concept of a whistleblower policy – i.e., a policy that is designed to encourage employees to report their own conduct or the conduct of their peers. While many whistleblower policies are focused on traditional employment-related issues (e.g., sexual harassment, racial discrimination, theft, etc.), some employers have adapted their whistleblower policies to encompass data security-related issues in order to encourage the reporting of security incidents. Employers should consider the following factors when assessing their whistleblower policies:
- Scope. Does your current whistleblower policy have a narrow scope that would suggest to an employee that it does not apply to data security-related incidents?
- Ramifications for self-reporting. If your whistleblower policy does not formally extend to data security-related matters, what would your organization do if an employee self-reported a security incident that they were responsible for causing?
- Ramifications for peer-reporting. What would your organization do if an employee reported that a colleague caused a security incident?
- Employee confidence. How confident is management that employees would voluntarily report a security incident?
TIP: Consider adding to whistleblower or anti-retaliation policies a provision stating that, when an employee reports the employee’s own conduct that is in violation of company policies or is contrary to company standards or practices, such self-reporting will be weighed as a positive factor in determining the company’s response to that conduct.