Quick Hits

  • Key steps for managing a data breach incident include understanding what constitutes an incident, applying the organization’s framework and policies, and effectively communicating with the organization’s privacy officer and employees.
  • Additional measures include promptly and proactively managing data breaches and reviewing and updating policies.
  • The effectiveness of HR’s response to a breach of employee data can greatly influence employees’ confidence in the organization’s commitment to data privacy.

1. Understanding What Constitutes an Incident

Incidents can vary in severity. They may range from all-consuming, all-hands-on-deck scenarios like a ransomware attack to lower-profile events where a former employee has not returned confidential documents. In many jurisdictions, both scenarios are considered incidents that require prompt action. Recognizing the nature of the incident is the first step in determining the appropriate response. Understanding that not all incidents are strictly cyberattacks is important to ensuring that every incident, not only the obvious technical ones, is reported to the privacy officer.

2. Applying the Organization’s Framework and Policies

Once an incident has been identified, it may be time to activate the organization’s framework and policies and consider who is responsible for each aspect of the incident response. An essential element of any good plan is knowing whom to contact. Incident response teams may include third-party cybersecurity firms, insurance providers, and privacy experts. If the organization lacks a comprehensive policy or program, this may be an opportune moment to begin developing one; the middle of an incident is the worst time to be drafting a plan. Even organizations with robust cybersecurity measures can fall victim to incidents, whether caused by internal actions or external threats. Preparedness is key.

3. Communicating Effectively

HR professionals may be tasked with communicating with employees and addressing their concerns. As with any good incident response—from a fire drill to a ransomware attack—clear and effective communication can assist in creating a smooth process. HR professionals’ honed communication skills, particularly their experience in speaking with people who are upset, may make them the natural first point of contact. Equally important is ensuring that the organization’s privacy team is told what happened, and told as soon as possible. Communicating with the organization’s privacy officer without delay can help mitigate some damage, and open communication with employees can help assuage fears and provide clarity during uncertain times.

4. Managing the Incident Proactively

When employee data is involved, reducing the risk of harm promptly can be crucial. If an incident is identified, the privacy officer will need to be informed immediately, as in many locations there are laws with short response timelines. Collaborating with other team members to assess the situation—including identifying what data was contained in HR folders, who had access to it, and the potential risk to the individuals affected—can help manage a data breach. HR may need to determine whether notifications must be sent to employees or regulatory authorities, such as the attorney general or relevant federal entities. Having an up-to-date understanding of HR’s data inventory—including what data HR has, where it is stored, and which third-party technologies are in use—can aid significantly in keeping an investigation short, efficient, and proactive.

5. Reviewing and Updating Policies

Following an incident, HR may want to conduct a review to evaluate what went well and what areas need improvement. Consider what caused the incident: Was it a cybersecurity breach or was it related to employees’ access that should have been restricted? Identifying actionable measures to mitigate similar risks in the future can be valuable. In many jurisdictions, the standard of diligence—not perfection—applies. While no organization is immune to incidents, the effectiveness of HR’s response can greatly influence employees’ confidence in the organization’s commitment to data privacy.

Conclusion

HR professionals play a vital role in responding to confidentiality incidents involving employee data. By understanding the nature of incidents, applying established frameworks, communicating effectively, managing the situation proactively, and reviewing policies afterward, HR professionals can contribute to a stronger data privacy culture within their organizations.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will publish additional articles on the Cybersecurity and Privacy blog as an ongoing part of this series. The next article in the series explores key considerations for communicating with employees following a data breach incident.
