In today’s digital age, all employees who routinely use computers or have access to electronic data should receive at least basic training on cybersecurity, including best practices for data management. The failure to adequately train employees can expose employers to significant legal, financial and reputational risks. Federal and state regulations protect the privacy of a variety of information, including financial, student and health information. Violations of these laws can result in significant regulatory fines, customer and vendor lawsuits, and incalculable losses due to reputational harm, and loss of trade secrets and other confidential information. While fines and lawsuits can often be resolved by writing a check, rebuilding your customers’ trust in your ability to safeguard their personal or proprietary information after a breach is a difficult and arduous task with no simple solution. Prevention is therefore key.
Proper employee training can help reduce the risk of a data breach and the resulting legal liability and reputational harm. This article provides five tips for employers to train employees on data management best practices.
1. Ensure that employees properly manage passwords.
Electronically maintained confidential information and trade secrets are often protected by little more than a password. Therefore, proper password management is critical to any cybersecurity program. The technical barriers to data access are only as good as the passwords that unlock them. Employees should be required to use passwords of a certain minimum length that contain upper- and lowercase letters and special characters. Also, when possible, more sensitive information should be protected by two-factor authentication. This type of login requires the user not only to enter a password, but also to provide additional verification through a physical access tool, such as a phone or e-mail confirmation. This way, even if a password is compromised, access to the system will still be barred without the physical access tool.
The need for two-factor authentication is best demonstrated by the St. Louis Cardinals hacking scandal. In that instance, an employee left the Cardinals for the Houston Astros and in the process turned in his team laptop, along with the passwords associated with it. Upon joining the Astros, the employee used a password similar to the one he had used with the Cardinals. A Cardinals employee was able to guess the “new” Astros password and access the employee’s emails and the Astros’ confidential scouting database. The Cardinals employee was caught and sentenced to 46 months in jail. The Cardinals paid a $2 million fine and forfeited draft picks. The use of two-factor authentication would have avoided this scenario because even if the Cardinals employee had guessed the password, he would not have had the physical access tool needed to log in.
2. Track all portable devices used by company employees.
Portable devices such as mobile phones, tablets and laptops allow employees to easily work from anywhere outside the office. This can be a boon to productivity but also requires extra diligence on the part of both the employee and the employer.
Company or customer information contained on a portable device must be protected from threats outside the confines of the office. It is much easier for someone to steal a laptop or hack into a wireless network than to breach an internal database. For example, in 2014, a company was assessed a fine of over $1.7 million under the Health Insurance Portability and Accountability Act ("HIPAA") due to a stolen laptop containing unencrypted health information. Similarly, in 2016, a healthcare company in Illinois was fined $5.55 million under HIPAA for numerous violations, including losing an unencrypted laptop with over 2,000 patient files. Encrypting data and devices, combined with two-factor authentication as discussed above, would have avoided these hefty fines.
Human resources or information technology ("IT") departments should also train employees on best practices for remotely connecting company devices to wireless Internet hotspots. Particular caution is required when connecting to “Free Wi-Fi” hotspots that are not password protected. Perpetrators often set up wireless access points specifically to steal information from users’ devices. Also, employers should develop and implement policies that require employees to report the loss of a portable device immediately to IT or management, to minimize any damage from the loss or potential loss of any confidential or customer data contained on that device.
Finally, companies need to track the location and possession of company devices and have policies for the collection of devices and data stored on personal devices when employment terminates. Otherwise, employees may attempt to steal data for a competitor of the company. While federal and state trade secret laws provide remedies against employee misappropriation of trade secrets, as a practical matter, it is hard to prove theft of trade secrets from a company device when the company has lost track of where the device is located. Also, without established data management policies, it is difficult to retrieve company information stored on a personal device from a terminated employee. Absent a policy, agreed upon when the employee was hired, that employee has ownership of the phone, which could make retrieving the information extremely costly and difficult for the company.
3. Train employees to recognize phishing emails and other scams.
Companies should train employees on phishing and spear-phishing emails, which are often designed to manipulate the recipient into clicking a link that contains malware. A phishing email may be obvious, as it is likely to contain broad information that is aimed at millions of people. A spear-phishing email, on the other hand, uses information specific to the recipient. One source of information that hackers may use to craft a spear-phishing email is an employee’s social media accounts. These accounts can be massive resources of information, allowing someone to craft an email that appears legitimate. Employees should be instructed on the benefits of managing privacy settings on their social media accounts to limit access to friends, family or people they know.
Employees should also be trained on how to handle any request for transfer of electronic information. A popular scam involves an email that appears as if it is being sent from a person high up in the organization requesting a copy of that year’s W-2 tax forms. Spear-phishing emails often are designed to convince employees to respond quickly and without thinking. The email may contain a subject line creating the impression that an urgent reply is needed. Employees need to be trained to check with an authorized employee before transferring money or sending any other personal or company information that has been solicited electronically. This simple extra step could prevent a loss of money or information that could expose a company to liability from federal and state regulators, customers and vendors.
4. Train employees on the importance of specific categories of data.
Most employees understand that social security numbers and credit card information are sensitive pieces of information that must be protected. But employees may not be aware of regulations concerning other types of information that your company may collect and the importance of keeping such data safe. A company’s disclosure of personally identifiable information could subject it to state privacy breach notification laws. Indeed, forty-eight states have their own breach notification laws, including Illinois, Indiana and Ohio. Companies and their employees need to be cognizant of what these laws require. Notably, the applicability of the notification laws is not governed by where the company is located or has offices. Instead, companies are subject to the laws of the states where their customers are located. Therefore, an Illinois company with customers in California is subject to California’s breach notification law, along with any other state where its customers are located.
Further, federal laws such as HIPAA (health information), the Gramm-Leach-Bliley Act (financial information) and the Family Educational Rights and Privacy Act (student information) may also come into play when certain types of information are involved. These federal laws carry with them their own notification requirements and potential penalties. With these numerous state and federal requirements, employees need to be aware of the importance of the information with which they are dealing and the laws that govern it.
5. Emphasize that cybersecurity is everyone’s responsibility.
Companies must stress the importance of data governance to every employee in the company. It cannot be the sole responsibility of the IT department to keep company data secure. Even the best IT department practices can be undermined when employees fail to follow best practices regarding data management. Employees must be trained to understand the importance of data management to the company. Disclosing electronic information could trigger data breach notification procedures under state and federal law and cause severe financial loss, as previously discussed, and incalculable reputational damage to a company. Every employee needs to regard data governance as a priority.