Data Security: Best Practices

Most companies store a broad range of personal employee information, including social security numbers, birthdates, bank account information, and in some cases, health records. With the recent data breaches at Equifax, Yahoo and other companies, employers should be taking steps to review their own record retention and data storage practices.

Businesses should evaluate how they store physical copies of this sensitive information and undertake cybersecurity reviews regarding their electronic storage of these records. HR standards for sharing information should also be formalized so that steps are taken to verify the legitimacy of an employment verification or financial inquiry.

If a data breach occurs, employers have a duty to inform employees in a timely manner so they can take steps to protect their identity from fraud. Small business owners don’t have the resources of big companies, but they are just as exposed to a potential breach. According to the 2015 Data Breach Investigation Report, more than 70% of the businesses breached that year had fewer than 100 employees.

What Can You Do?

  • Review the data you have and its location. Once you know what you have, put safeguards in place to protect access to these records. Actions that could be taken include locking a file cabinet, password protecting sensitive files, or establishing a separate drive on your server with limited access.
  • Restrict access to electronic records. Regularly review HIPAA and FCRA rules with those who have access.
  • Keep software up to date and regularly back up your data.
  • Use layered security. Consider adding a well-configured firewall. If you already have a firewall in place, compare your current system against the new options in the marketplace. It’s important to review your options regularly as technology and threats continue to advance.
  • Establish policies for employees’ use of personal devices. When employees have access to business email and data on their personal cellphones or other electronic devices, ensure they have added security/encryption to those devices.
  • Create an Incident Response Plan in case data is compromised. Being prepared may not help you limit the scope of the breach, but will likely help you limit the spread of the damage. Have a clear plan and make sure everyone knows what is expected.

As part of its ProBono Privacy Initiative, the International Association of Privacy Professionals (IAPP) put together a questionnaire to help businesses review their organization’s preparedness and develop a response plan. The questionnaire can be found here.

You may want to also educate your employees about data security outside of work, particularly the importance of monitoring and protecting their financial data in the age of the Equifax breach. We put together a flyer for members to use if they feel the information would be valuable for their workers. You can access the flyer here.
