Employees Are a Gatekeeper to Effective Data Security
Data security and privacy concerns have become one of the top issues keeping business leaders up at night. According to the Ponemon Institute’s 2018 study regarding the cost of data breaches, data breaches are increasingly costly and result in more consumer records being lost or stolen, year after year. In 2017, for example, the average per capita cost of a data breach rose from 2016’s average of $141 to $148, an increase of 4.8%. To help address these concerns, employees should be top of mind when it comes to ensuring good data security hygiene, especially with regard to how employers communicate data security best practices and policies to employees and monitor employee compliance with such policies.
Approximately half of the states in this country, including Maryland, and an alphabet soup of federal regulators require private entities that collect personal information to implement and maintain some form of “reasonable security procedures and practices” that are appropriate given the nature and size of the business’s operations. See, e.g., Md. Comm. Law Code, § 14-503 (2019). To comply with data security obligations, a company should have a written information security plan (or “WISP”), which is a living document comprised of various policies that create the procedural, administrative, technological and physical safeguards for protecting the personal information of a company’s customers and employees. A WISP should also include an incident response plan and should clarify who within the organization is responsible for ensuring compliance with such safeguards. Employees play a vital role in any successfully executed WISP, especially when it comes to ensuring compliance with document retention policies, guarding against cybercrime schemes that involve social engineering or other methods to exploit an employee’s security access, and promptly reporting potential breach incidents.
Data Minimization and Document Retention Policies
As a basic principle of data protection, employers should strive to minimize the amount of personal data that their employees collect and access, and should only collect personal data for which they have a reasonable business purpose. A WISP should adopt policies and procedures to control what information employees collect from customers and other employees, particularly if it is customer data. Beyond just stating such policies in a document, however, companies should ensure that their employees understand their role in complying with such policies. Furthermore, a WISP should include the employer’s retention policies, clarifying how long such information is retained and providing a system for reminding employees to delete information that has been kept for the duration of that time period, or triggering automatic deletion in some circumstances. The more data a business collects, the more data it can lose in the event of a breach. For example, if a company could get by with collecting only the last four digits of customers’ social security numbers, or, even better, using another unique identification number that only has meaning within that company, a breach of such information may not trigger data breach reporting requirements or, if it does, the resulting potential risk of identity theft to affected persons is drastically reduced.
Additionally, to limit the risk and scope of a potential data breach, companies should adopt safeguards limiting employees’ access to sensitive personal data, such as health information and biometric data, only to instances in which they have a business need to access or obtain such information.
Employers should also explore ways to segregate sensitive personal data. An often underutilized security feature in an organization’s document management system is a security filter that limits the individuals or departments that can access a document containing sensitive personal data, especially if it is compiled aggregately in one location for large numbers of people. Employers should train and require employees to utilize data security safeguards, including encryption and secure file transmission, when handling such data. A common mistake made by businesses when adopting safeguards, particularly ones of a technical nature, is failing to fully explain their intended use to employees. Thus, although such features might represent the gold standard in terms of data security best practices, they may remain underutilized or ignored by employees who do not understand their importance or how to use them. In addition to guarding against intentional misuse of data by employees, these practices also prevent the intrusion of outsider cyber criminals who have stolen or hacked an employee’s user credentials in order to access company data. If employees have limited access to sensitive information, so will a cyber-criminal using or abusing their credentials.
Early Detection and Incident Response
Employees also play a critical role in a company’s detection of cyber security incidents and incident response. Every employee should be made aware of the vital role they play in detecting and reporting suspected data breaches and other cyber incidents. Promoting a “see something, say something” culture, even for what may appear to be minor issues, is invaluable to ensure that cyber incidents are detected and investigated promptly. Cyber incidents can go undetected within an organization for months and even years, especially when an end user fails to recognize and/or report suspicious cyber activity or an inadvertent mishandling of data. In the world of cyber incidents, early detection is key to mitigating exposure and, often, to winning the war of public opinion. Indeed, the 2018 Ponemon Study found, for the fourth year in a row, that a company that quickly identifies and contains a data breach incident will experience fewer financial consequences as a result. Likewise, for cybercrime related to financial fraud, the speed of a company’s response to the breach is the single most important factor in determining the likelihood of a successful recovery of lost funds. As such, it is worthwhile to consider finding ways to incentivize and simplify employee reporting of data security concerns. This is particularly important because many employees will be hesitant to come forward if their own error or negligence is to blame, especially if they fear that there will be discipline or termination as a result. In the age of BYOD (Bring Your Own Device), remote network access and other sources of portable media, it is essential for companies to receive prompt notification when an employee loses any device that contains or has the ability to access company systems, so that the device can be wiped clean remotely and/or so that any data breach notification requirements can begin in a timely fashion in accordance with applicable data breach notification laws.
Companies also should not underestimate the value of training employees on data security best practices and the particulars of a company’s WISP. Such trainings help reduce the risk of cybersecurity incidents and improve cybersecurity incident outcomes. In particular, employees should be trained so that they are well versed in the markers of social phishing and other data mining efforts.
While businesses often give the most thought to preventing hackers from getting into their systems, they should also pay attention to whether their own employees are leaving the door open. The 2018 Ponemon Study blames 27% of the prior year’s data breaches on human error, including negligent employees and contractors. This number, however, is likely much higher when taking into account the portions of the other breach categories that are also attributable to employees, such as the 48% of breaches caused by malicious or criminal attacks. A large percentage of malicious or criminal attacks exploit security gaps created by employees or rely on social engineering or email phishing schemes—which can all be more easily recognized and managed through training.
Training can also reduce the cost of responding to a data security breach. According to the 2018 Ponemon Study, companies that provided data security training to their workforce before a major data breach occurred saved money on breach response by an average of $9.30 per record lost. Thus, it is important that employees are trained on practicing email “street smarts,” such as using complex passwords, not clicking on links from unknown or untrustworthy sources, not providing sensitive information electronically without verifying the recipient, and verifying that the sender of an email is who he or she claims to be (instead of just relying on the sender’s name in the “from” field, which can easily be fabricated).
Employers should also take steps to train their workforce on the WISP in general so that employees are familiar with its various policies, particularly those related to personal data collection, retention, and access limits. Finally, one of the single most important pieces of information in any WISP is whom within the company employees should contact in the event of a data security incident.
Overall, data security is like a team sport that requires cohesion at all levels of a company’s organizational chart. The most effective data security efforts include policies that consider the ways in which employees face data security issues in everyday life and where all employees are trained and monitored to ensure compliance with applicable policies, laws and regulations.
Notes
1. Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview, published July 2018, available at https://www.ibm.com/security/data-breach (hereinafter “Ponemon Study”).
2. The average per capita cost of a data breach varies greatly based on multiple factors, including the overall size of the breach, how a company prepared for and responded to the data breach, and the type of information that has been compromised. The average per capita cost of a data breach also varies by industry sector. The health industry, for example, has a much higher average per capita cost of $408.00 per lost record. See, supra n.1, 2018 Ponemon Study at 18.
3. Additionally, several business sectors are subject to federal laws and/or regulations requiring such security procedures and practices, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. See, e.g., 16 C.F.R. Part 314 (GLBA’s standards for safeguarding customer information); 45 C.F.R. Parts 160, 164 (HIPAA Security Rule). The Federal Trade Commission is also a major enforcer across all industry sectors in this area given its power to regulate data security and privacy misdeeds as an unfair trade practice under the Federal Trade Commission Act. See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). Furthermore, a company’s failure to take reasonable steps to secure personal information can also serve as the basis for breach of contract and common law negligence claims. Companies with international reach also must comply with applicable international data security laws, including the European Union’s General Data Protection Regulation (“GDPR”). All of the above laws and regulations require companies to employ reasonable data security measures, and many specifically require a written information security plan.
4. See 2018 Verizon Data Breach Investigations Report.
5. See, supra, n.1, Ponemon Study at 19.
This blog was written by Veronica Jackson at Miles & Stockbridge.