Employers keep so much information on their workers, and there are so many ways this personal information can be compromised. Consider these instances of private and government entities reporting losses of employee data:
- A hardworking employee at the US Department of Veteran Affairs takes home a laptop containing the unencrypted Social Security numbers of millions of veterans and active-duty service men and women. He loses that laptop (and with it, his job) when a burglar strikes.
- An Equifax employee's company laptop containing employee Social Security numbers was stolen from a train.
- Personal information on retired employees of grocery retailer Royal Ahold NV (owner of Stop & Shop and other supermarkets), managed by data outsourcer EDS, was compromised when a laptop was stolen from or lost by an EDS worker.
What's notable is that each of these examples involves large organizations whose handling of valuable data is at the core of their business, and the list is limited just to lost or stolen laptop computers. Just think of all the other means by which personal data can be compromised.
Blame the Person or the Company?
Who's to blame for companies' loss of personal data on their workers? While corporations often portray an individual employee as the culprit, worker advocates come down hard on the employers.
"If the employer has proper data security, the employee wouldn't have been able to violate company policy," says Lewis Maltby, president of the National Workrights Institute in Princeton, New Jersey.
"I'm less inclined to point the finger at the employee," says Beth Givens, director of Privacy Rights Clearinghouse in San Diego. "It really is the employer's responsibility. My guess is that very few workplaces are doing a good job protecting sensitive employee data."
But achieving 100 percent security for all sensitive employee data in all circumstances is very difficult. "Always assume that no matter how hard you try, your controls will fail," says Kawika Daguio, director of Northeastern University's Information Assurance Program in Boston.
Still, as California's SB 1386 law and other states' laws force companies to notify affected parties of data loss, employees can take the high -- and steep -- road of advocating for themselves, their coworkers and their reports. "It's tough to ask your boss challenging questions, but a responsible boss wouldn't take offense," says Maltby.
Technology Offers Only a Partial Solution
There are many technological responses to threats to sensitive data, whether the information is about employees, finances or trade secrets. Passwords are considered scant protection, strong encryption of data is much better, and leading-edge techniques like biometric user authentication are on the upswing.
But it's neither easy nor cheap to protect diverse data in numerous computer systems running a myriad of software across a vast corporate network whose edges are not always well-defined.
"There's not a single system that implements the appropriate technology to encrypt all sensitive data," says Jeff Montgomery, product manager of data protection solutions at nCipher in Stoneham, Massachusetts.
Workers urging their employers to improve protection of their data can begin with what matters most to them. "The number-one threat is employees' medical information," says Daguio. "The leakage of sensitive medical data can be catastrophic; it can destroy relationships and career opportunities."
Always Consider the Human Factor
Employers' efforts often fall short even after the data-protection hardware and software are in place. "What employers do well is follow rules and buy expensive technology," says Daguio. "What they do poorly is train everyone and set expectations."
Employees can help reality-test plans for securing data by consistently pointing out unrealistic assumptions about how humans -- even devoted professionals -- behave. "Security failures typically occur around a non-standard event," like a laptop going home without authorization or a new employee borrowing a password, says Chaz Popovich, vice president of OSI Technologies in Hauppauge, New York.
Workers can also question the bureaucratic underpinnings of company policies on employee data. "Individual employees should be asking, 'Are the policies really adequate, or are they just convenient?'" says Gordon Eubanks, a board member of Oakley Networks and former CEO of computer security firm Symantec.
Because all data-protection schemes are fallible, workers should ask what the company will do in case of a breach. "If there's no plan in place, the information will continue to leak out," says Daguio. "People could lie, and put their companies at risk."
If these questions don't sway management, employees can put electoral muscle behind government intervention. "Things are not likely to get better unless legal protections are improved," says Maltby.