As a networking and security professional, J. (J-Dot) Bendonis has actively been securely connecting people through technology for over 20 years. At Check Point, he’s been assisting and educating his customers about their options surrounding cyber security, ranging from best practices to advanced architecture and future design states.
In this informative and exclusive CyberTalk interview, J. Bendonis shares insights into employee data privacy, and exactly what you should know.
Would you like to share a bit about the spectrum of employee data privacy issues that arise in the workplace?
JB: Employee privacy issues are unfortunately everywhere in the workplace. Think of the basic personally identifiable information (PII) necessary for payroll, workplace selfies, equipment for remote employees shipped directly to their homes, and social media. Each of these items comes with its own privacy concerns.
As the custodians of sensitive data, how can companies take the lead when it comes to protecting personal employee data?
JB: Start by simply informing employees, in plain language. Explain why you collect and store certain information. Go beyond simply saying ‘regulations require it’. Make the employees feel safe at their job, and feel as though the company has their backs when it comes to privacy. If employees know how their data is being stored, even without specifics, they learn what’s involved in protecting their own privacy. That turns into an educational moment for employees, who then become more protective of their own data. Once employees start treating their own data with more care, they will, in turn, treat their employer’s data (in all forms) with care.
What should organizations be sure to include in a policy about personal information and steps taken to protect it?
JB: Every organization should detail, in plain language, their employee data collection and data retention policies. For example, if you were to leave the company, what information will they retain on you? As a personal note, a former employer of mine experienced a breach of one of their third-party vendors, which resulted in my information being leaked years after I left that company. In addition, a well-defined social media policy is critical. More than simply stating ‘thou shalt not defame the company,’ employers need to be more inclusive of general behavior. Policies like: no selfies in the workplace, and any cameras or recordings during meetings should be fully consensual for all parties involved.
What should employees ask their employers about in relation to personal data protection? (Address, social security number, marital status, differently-abled, etc.)
JB: Retention policy is critical. Also, items that are not relevant for employment should be questioned thoroughly. For example, why would my employer need to know if I am single or divorced? Both have the same status insofar as health insurance and tax filing status in the U.S., so why should the company know? I believe a company should collect as little data as possible to perform their functions, so an employee should always ask. There are items that every company is going to need: Name, DoB, SSN/TaxID, home address, phone number (only 1), emergency contact. For items like healthcare and taxes, single/married only.
From time to time, employees exit a given company. What steps should employers take to dispose of, delete, and/or erase sensitive employee data?
JB: Employers should absolutely delete all records not required for taxes. The U.S. Securities and Exchange Commission (SEC) requires that employers’ records be auditable for 7 years, so they will need to keep relevant employee data for that time period. Once those 7 years are past, that information should be purged. Also, while companies are required to provide that information, it does NOT need to be accessible online. Archiving the data, ideally offline, is a good idea. All other records, like HR information and healthcare information, should be removed from their systems. This removes two different risks: obviously the risk for the employee, but it also reduces the risk profile for the company. No one can steal information you don’t have. Lastly, clear guidelines for what the company will keep should be presented to the employees, so that the employees know exactly what information the company will retain post departure.
What should an employee data privacy training program look like? What should training cover?
JB: Obviously, the handling of employee data is a must. Training should also cover what information is employee-specific data. It should also include clear terms and definitions for cases like: what should and should not be posted on social media, and not using your professional email address for non-work-related activities (that is, don’t use your work email for shopping on Amazon).
Is in-building surveillance footage considered sensitive employee data and, if so, what would you say to those responsible for securing it?
JB: That would entirely depend on where the surveillance footage is from. If it’s the front lobby and there is a sign that says ‘Smile, you are on camera,’ I don’t feel that data is really critical, as it shouldn’t capture anything sensitive. If those cameras can see the parking lot, it should be secured, encrypted and stored safely. Why? Recording and storing the make, model and license plate number of employees’ cars can lead to a privacy problem for employees. In my opinion, it truly matters what the cameras capture. If they are in a place that can’t view information beyond who is coming and going, that’s probably not sensitive. Also, the resolution of the camera should never be an excuse. Camera technology is constantly updating. The cameras will probably be upgraded regularly, and new technology will capture more information. In general, it would be best for organizations to treat any surveillance video recordings with the same level of privacy that they do with any digital PII.