Hacking may not be a run-of-the-mill HR task to deal with, but after news that construction group Interserve was fined £4.4m after it failed to stop a phishing scam, it is now firmly on the people profession’s agenda.
The Information Commissioner's Office (ICO) issued the fine following a data breach two years ago, which saw the personal data of up to 113,000 employees put at risk during a cyberattack. Personal information, including bank account details, national insurance numbers, ethnic origin and religious background, was among the data compromised in the breach, which affected 283 systems and 16 accounts.
The ICO found the company had outdated systems and protocols, failed to train staff properly, and conducted inadequate risk assessments.
Companies can be fined up to £17.5 million, or 4 per cent of the company’s annual turnover, for data breaches. So how did it go wrong for Interserve, and how can others avoid this expensive mistake? People Management asked legal and HR experts what can be done to prevent this.
The importance of data protection
Before thinking about how to prevent such breaches, businesses need to understand the importance of employee data. Not only will employees have an expectation that their own data is looked after, but under the 2018 Data Protection Act and GDPR rules from EU law, employers have a legal obligation as data controllers and processors, said Alan Lewis, employment partner at Constantine Law.
When dealing with personal data, employers should remember “lawfulness, fairness and transparency; collecting data only for a specified legitimate purpose; minimising the amount of data collected; keeping personal data accurate and up to date,” added Lewis, emphasising that where a breach could pose a high risk to certain people, those individuals should be notified as soon as possible.
Ranjit Dhindsa, head of employment at Fieldfisher, said phishing scams are likely to be a personal data or ‘GDPR’ breach, meaning employers themselves are ‘controllers’ of the data. “They therefore need to urgently assess whether the breach is sufficiently serious to require notification to data protection regulators and possibly also impact data subjects,” she said.
Data protection legislation protects individuals from misuse of information about them, and gives employees control over their personal data as the digital age develops, said Amy Moylett, employment lawyer at Osborne Clarke. Failing to look after this not only puts businesses at risk of a huge ICO fine, but could also leave them facing “a regulatory investigation, follow-on litigation from former employees, a loss of customers and a loss of productivity among staff,” she said.
Paul Seath, employment partner at Bates Wells, said the main thing to remember is that the employment relationship is built on trust, and that protecting the data that employees have to provide to businesses is of paramount importance. “If an employer disregards that, they could significantly undermine the trust employees have, which could lead to the whole relationship breaking down,” said Seath.
Richard Freedman, employment lawyer and partner at Stephenson Harwood, commented on the considerable risk to employees, who could become victims of financial fraud or identity theft. “If a business does not adequately recognise the importance placed on protection of personal data, it is likely to find itself being held accountable by the Information Commissioner's Office and ultimately could be handed a hefty fine,” he said.
Collaborate with other departments
Olivia Sinfield, head of GDPR for HR at Osborne Clarke, advised HR to work with other departments to ensure the right tech is in place. “HR needs to line up with their technology procurement and IT teams to ensure the business has the right tech in place, uses robust encryption, instals malware security software and improves email security, all to match the threat posed to the business,” she said. “Even with the best staff cybersecurity education programme in place, it just takes one person to let their guard down for attackers to achieve their aim,” she added.
Sinfield continued, “the organisations which have coped the best with data breaches are those with multi-stakeholder engagement, who have implemented automated tools to detect data breaches and suspicious behaviour, and who have adopted and stress tested an incident response plan with a designated team appointed to manage that plan”.
However, Seath said that while combining resources with other departments is usually a good idea, personal data of staff is an area of extra significance: “HR should lead the discussion internally and not be led by other departments,” he warned.
Lewis suggested that collaboration between departments can happen through training offerings. “Effective training can include liaising with the IT department to send out test emails with mock links that staff ought to be wary of clicking on, and then analysing the behaviour in response to those emails and retraining staff where there is non-compliance with protocols,” he said.
Dhindsa agreed that mock phishing attacks are a useful tool, since phishers will try to imitate the systems or software an organisation already uses, and that a combination of training, guidance and mock exercises works best. “It is also important to make sure that once notified to IT/security, their triage processes include a prompt assessment of what personal data may have been compromised.”
Dhindsa also highlighted the importance of a highly trained ‘breach team’. “Many organisations have incident response plans and people to execute them but do not have a specific team trained in responding to incidents that involve personal data,” she said, suggesting that organisations “put in place a toolkit and training for this team so they are not put in the position of working out what they need to do in the midst of a crisis”.
HR can also ensure the whole organisation complies with data protection, including for customers and anyone on a marketing database, said Jacqueline McDermott, employment partner at Keystone Law, suggesting that one way to do this would be by assigning the role of data protection officer, which would “help ensure business-wide compliance and assess how they are currently using personal and sensitive personal data”.
Lessons for HR
The first thing HR should do is understand data protection legislation, seeking advice on their responsibilities and liabilities if necessary, said McDermott, adding that reviewing current practices, carrying out risk assessments on their systems, and maintaining up-to-date security systems and encryption technology is essential.
HR can help by ensuring that staff receive cybersecurity training on GDPR that raises awareness of issues such as recognising malicious emails, handling company information, reporting breaches, and updating passwords and software, together with an understanding that staying vigilant forms part of this, said Moylett. They should also think about technical and organisational measures for protecting employee data. “Measures such as segregation from other networks (through the use of a separately hosted HRIS), access controls and HR data encryption” will be of particular importance, she said.
HR can start compliance at the very beginning of the employment relationship, amending staff contracts to include privacy notices and including data protection policies in staff handbooks, said Lewis. Echoing other employment lawyers, he advised that staff should be trained on “data protection issues, how to keep personal data secure, how to properly dispose of digital and paper data that may include personal data”.