Quick Hits
- Key steps for HR in managing a data breach incident include clarifying its role within the organization, coordinating with the privacy officer, and preparing to respond to employee inquiries effectively.
- During a stressful data breach, HR may want to prioritize delivering clear, unified messages, anticipating employee concerns, and ensuring responses align with organizational policies.
1. Understanding HR’s Role
In the event of a data incident, HR should be clear about its role within the organization. HR is often the first point of contact for employees, so the department will want information ready to address their questions, and that is easiest when a plan already exists. A good starting point is for HR to confirm its responsibilities during a privacy incident: confer, in quiet times, with the organization’s privacy officer and separately review the organization’s guidelines or policies so that the HR department knows what is expected of it and can identify other areas where it may be able to help protect employee data. Collaborating with other departments can help ensure everyone is aligned on who will respond to employee inquiries.
2. Preparing for Employee Questions
HR will likely be expected to respond to employees’ questions, so it helps to prepare for the types of questions the department may receive. Understanding the basics of an incident will help HR personnel anticipate employee concerns. For example, employees might worry that they are at fault for clicking on a suspicious email, be concerned about potential fraud, or want to know when they will regain access to locked systems. Identifying these concerns in advance guides the next steps in addressing them and prioritizing responses. HR may be relied upon to explain the incident to employees clearly. Examples of questions employees often ask include:
- Is employee data involved in the breach?
- How will employees obtain information if email is not accessible?
- If employees receive suspicious correspondence following the data breach, to whom should they report it?
- What is the timeline for returning to work if employees are unable to work?
- What are the specific risks to employees?
- How did the breach occur, and what caused it?
- What is expected of employees in handling the breach (for example, enabling multi-factor authentication or resetting passwords)?
- Has law enforcement or a regulatory authority been notified?
- Will the company provide protection or support to employees, such as credit monitoring, if employee data has been exposed?
- Will this incident lead to changes in data security policies or practices?
- How will employees be informed about ongoing measures?
Having thought through these questions in advance can help HR respond more rapidly. HR may also benefit from establishing relationships with IT and data security staff before any event so that those contacts can be trusted to advise in moments of crisis. Every breach is different, but knowing the types of questions likely to be asked, and having resources in place to answer technical questions, can help HR manage employee concerns efficiently.
3. Establishing Clear Responses and Frequency of Responses
To communicate effectively, HR may need to collaborate with the organization’s privacy officer and outside experts. Formulating responses to anticipated questions in advance helps ensure they align with the organization’s mission and culture, and thoughtful, transparent responses build employee confidence in HR’s communications. HR may also want to decide on the frequency of updates and whether to maintain a single consistent message or to communicate each time new information becomes available. A template document prepared in advance can set out key points for discussion with employees, clarify the chain of command, and state what is expected of employees. It could include responses to the questions outlined above.
The information can be presented in a clear, easy-to-read document that avoids technical language and legal jargon. When creating this document, HR may want to consider the format so that it can reach employees who may not have access to email during a large-scale attack. Some organizations set up a dedicated hotline or call center for inquiries, or create a “text-message tree” or “call tree” in which department heads are called and each is responsible for calling their employees with the necessary information. A mobile app may also serve as a communication portal, provided the IT and data security team has confirmed it is safe to use, since the systems affected by an attack may include the organization’s usual channels. Whatever channels are chosen, employees should know in advance how legitimate communications will reach them, so they can recognize messages that impersonate the organization, a common follow-on to a publicized breach. HR may want to decide in advance how communication will occur and keep that structure, including contact lists, in an offline format so it remains usable if systems are inaccessible.
4. Prioritizing Consistency
Consistency in communication is crucial. HR directors may want to ensure team members understand the importance of delivering a unified response, and may designate one individual to answer employee questions about the incident. If multiple team members will respond, prepare a standardized text they can refer to so that all responses are consistent and reliable. HR may want to take the lead in formulating a consistent response across teams so that, wherever employees go for information, they receive the same clear and trusted answer.
HR personnel authorized to communicate with employees on behalf of the organization may want to take steps to ensure they are clearly and effectively delivering information. An essential first step is to ensure that employees know, understand, and can reach the authorized HR member tasked with responding to their questions. Having employees know whom to reach out to can help alleviate employees’ concerns during a challenging time. In any crisis situation, it can bring comfort to know that there will be a person trained and ready to give thoughtful, focused, consistent, and reliable information. A useful analogy may be to consider HR as the 911 operator of a data breach or incident response plan. A 911 operator can be relied upon to provide the information as needed in an emergency situation, get a team of helpers to respond to the situation, and coordinate between the two groups to make sure knowledge is shared efficiently and effectively.
Conclusion
Managing a data breach is never easy, but effective communication can make a significant difference in addressing employee fears. By understanding HR’s role, preparing for inquiries, establishing clear responses, prioritizing consistency, and communicating effectively, HR can help maintain trust within the organization.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will publish an additional article on the Cybersecurity and Privacy blog as a part of this series. The final article in this series addresses HR’s ethical obligations when it comes to protecting employee data, ensuring compliance with policies that reflect dedicated data privacy laws and regulations, and advocating for a strong privacy-aware culture.