Off the Record
Jul 13, 2015

“We’ve been the victim of a cyber-attack”

By: Paul Ebeltoft

After making sure that it has your undivided attention, the company that has been hacked turns down the volume. “As of now, there is no evidence that the cyber-attackers obtained confidential information.” Now you are really worried. This company is trying to have you believe that, even though they got in where they were not supposed to be, the crooks didn’t do anything bad with your personal data. As if to confirm your suspicion that the company is flimflamming you, its letter closes with “Even so, you need to monitor your credit report for unauthorized activity.”

I don’t know about you, but I’m a pretty cautious guy. I don’t give out personal information willy-nilly. I avoid giving credit card information to questionable businesses. Nonetheless, it seems that I am getting a “we’ve been hacked” letter once a month. Reputable businesses and government entities are coughing up my social security number, my date of birth, my mother’s aunt’s middle name and my credit card number to cyber-thieves with jaw-dropping frequency. Worldwide, the number of security breaches is huge. One enterprise security firm, Gemalto, estimates that there were 1,500 events in 2014 with over a billion data records stolen. The wholesale mining of personal data by computer bandits has been so great that most of us have been anesthetized. We file the notification letter and carry on.

But the numbness is starting to wear off, being replaced by a sense of outrage. Free access to identity protection services paid for by the custodians of personal data that didn’t guard it well enough just isn’t good enough anymore. Knowing that, when your data is used by a mobster in Kiev, you get free credit repair is cold comfort. Many, like the fourteen million federal employees who lost their data to cyber-theft this past month, are starting to think “this is negligence,” and are suing.

This article is meant to encourage HR professionals to help protect their business from what may now seem inevitable: someone with bad intent grabbing important data from behind your firewall.

How can HR fight cyber-theft?

Think of all the personal identifying data that your HR department stores digitally. Are you in charge of protecting it? Probably not. This is likely the job of your IT department or of an out-sourced consultant. Do you know what protections they have put in place? A surprisingly high number of HR professionals don’t know. Here are some steps you can take to increase your own knowledge and, along the way, help your company:

• Learn the basics of how your system works and specifically learn who is in charge of protecting it.
• Identify what the most critically important data is for your company and its employees.
• Find out where the most critical data is stored and how it is protected. Argue for a higher level of protection for this data if your current protection is one-size-fits-all.
• Argue for use of randomly generated passwords to access critical data.
• Help create an incident response plan.
• Help create a notification template that meets North Dakota and federal requirements, but that avoids the jargon and hollow promises we are all becoming inured to.

Another issue that is usually not in HR’s portfolio is insurance coverage. Because of the sensitivity of employee data accumulated and stored electronically by you, it is a legitimate HR function to remind your management team to consider buying cyber liability insurance. Whether your company has already bought or is just investigating cyber insurance, here is a short list of key questions you should ask:

• Does the plan cover the cost of investigation of privacy breaches?
• Does the plan cover the cost of notifying your employees or your customers of a breach?
• Does the plan cover the costs of your public relations campaign to restore faith in your company’s ability to handle sensitive data?
• Does the plan cover the disruption to your business and lost income due to loss of data or the inevitable interruption of your ordinary work after a breach?
• Does the plan defend against claims brought by employees or customers whose data is compromised?
• Will the plan indemnify if your company is found even partially at fault for the breach?
• Will the plan cover your company if it outsources protection duties and the breach was caused by vendor conduct, whether negligent or intentional?
• Will your policy cover data stored in non-owned servers or in the cloud?

Yes, computer security breaches may be today’s new normal. But by learning some basics and asking the questions outlined above, HR professionals can play a key role in protecting company data and protecting the company if the data is stolen.

Our interest in serving you

My law firm’s goal is to give understandable information and to foster discussion about real-life issues facing human resource professionals. If we are not achieving that goal or if you would like us to address other employment law issues, please email me at We promise to take your comments and ideas to heart.

(Otherwise known as “the fine print”)

I make a serious effort to be accurate in my writings. These articles are not exhaustive treatises, though, so do not consider them complete or authoritative. Providing this information to you does not create an attorney-client relationship with my firm or me. Do not act upon the contents of this or of any article on our homepage or consider it a replacement for professional advice.

Reprinted with permission from an article submitted for publication in the July, 2015 Southwest Area Human Resource Association newsletter.