Are You Protecting Your Employees’ Personal Identifiable Information?

January 6, 2023
As an employer, you are privy to many forms of employee data. This information, which flows abundantly through the Human Resources department, is often sensitive. It includes employees’ personal identifiable information (PII), which employers should rigorously safeguard against cyber threats such as breaches and theft. Read on to learn about PII, including:
  • Definition and types of employee PII
  • Why employers should protect employees’ PII
  • Best practices for protecting your company’s PII

What is personal identifiable information?

PII is defined as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” In other words, PII is someone’s personal information that can be used to identify them directly or indirectly. Information that directly identifies an individual includes:
  • Name
  • Address
  • Social Security number
  • Driver’s license number
  • Other identifying number or code
  • Email address
  • Phone number
  • Banking information
  • Tax documents
Information that indirectly identifies an individual includes:
  • Gender
  • Race
  • Birth date
  • Geographic indicator
  • Other descriptors
If the data enables someone to contact the person physically or online, then it is considered personally identifiable information. PII can be kept in paper, electronic, or media format.

Why employers should protect employees’ PII

Employers collect employees’ PII as part of the employment process. This information is used to establish employees’ personnel files, compensate employees through payroll, and for other business activities. “However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms,” according to a guide by the Federal Trade Commission (FTC).
Cybercriminals, in particular, often target weak data security infrastructures in order to steal employees’ PII. Even strong infrastructures are not immune from digital attackers, as many are finding new ways to trace identities and steal PII.

The loss of PII can cause significant harm to the employee/victim and your business

The average cost worldwide of a data breach rose 2.6% — from $4.24 million in 2021 to $4.35 million in 2022. This is the highest level on record, according to IBM Security’s “Cost of a Data Breach Report.” The report found that 83% of organizations have had more than one data breach. In its PII guide for businesses, the FTC addresses PII for both customers and employees. The FTC cautions, “Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business.”

Courts have ruled that an employer can be held liable for failing to protect their employees’ PII

In one case, the court found that the employee-victims had standing to sue their employer over a data breach in which their PII was stolen. The court ruled that “their claimed data breach-related injuries are fairly traceable to failure to secure its information systems.” According to Securityintelligence.com, state and national governments are taking PII very seriously and have implemented sanctions to deter its loss. “Those sanctions also mean business entities could see steep fines if they don’t protect their employees’ data.” It’s in your best interest to secure your employees’ PII, even if the law doesn’t require you to do so. A good starting point is the FTC’s 5-step plan for protecting customers’ and employees’ PII.

5 steps for protecting your company’s PII

1. Take inventory of all the personal data you have on your computers and in your files

The FTC says, “No inventory is complete until you check everywhere sensitive data might be stored.” Therefore, do not leave any stones unturned when taking stock of your company’s personal information. This includes information stored in or on:
  • Remote computers
  • Onsite computers
  • Home computers
  • Desktop computers
  • Laptops
  • Mobile devices
  • Digital copiers
  • File cabinets
  • Anywhere else that you store sensitive information
Moreover, you will need to track all personal identifiable information within your company. This requires frequent discussions with the relevant people in:
  • Human Resources
  • Information Technology
  • Sales
  • Finance/Accounting
  • Other related departments
Also, talk with any outside service providers that handle your company’s personal information. Discussions with internal and external parties should answer the following questions:
  • Who sends personal identifiable information to your company? Does it come from job applicants, financial institutions, credit bureaus, etc.?
  • How does your company receive PII? Does it come through websites, email, the postal service, etc.?
  • What type of sensitive personal information do you collect at each entry point? For example, do you receive background check information online?
  • Where do you keep the PII you receive at each entry point? Do you keep it on a central database, individual laptops, employees’ mobile devices, disks, or in file cabinets, etc.?
  • Who has (or could have) access to your PII? For example, which of your employees have authority to access PII, and do they really need access? What about service providers who handle PII, such as payroll and benefits providers?
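An inventory is only as good as its coverage, so a scan that flags where the direct identifiers listed above (Social Security numbers, email addresses, phone numbers) actually sit is a useful complement to the interviews. The following Python helper is an added example, not code from the article or the FTC guide; the detection patterns and the sample “files” are constructed here and would need tuning to your own data formats, and the report masks each hit so the inventory itself does not become a new store of PII.

```python
import re
from collections import Counter

# Patterns for three direct identifiers the article names (constructed for
# this example; US-style SSN and phone formats, tune to your own data).
PII_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
}

def mask(value):
    """Keep only the last 4 characters so the report does not reproduce the PII."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text):
    """Return {pii_type: [masked matches]} for one document."""
    found = {}
    for kind, pattern in PII_PATTERNS.items():
        hits = [mask(m.group(0)) for m in pattern.finditer(text)]
        if hits:
            found[kind] = hits
    return found

def inventory(documents):
    """documents: {location: text}. Returns (per-location findings, totals by type)."""
    report, totals = {}, Counter()
    for location, text in documents.items():
        found = scan_text(text)
        if found:
            report[location] = found
            for kind, hits in found.items():
                totals[kind] += len(hits)
    return report, totals

# Constructed sample documents standing in for HR, payroll and shared folders.
SAMPLE_DOCS = {
    "hr/onboarding/jane_doe.txt": "Jane Doe, SSN 123-45-6789, jane.doe@example.com, (555) 123-4567",
    "finance/payroll_export.csv": "id,name,ssn\n1,John Roe,321-65-4321\n2,Ann Lee,111-22-3333",
    "shared/team_lunch.txt": "Pizza order Friday, call 555-987-6543 to confirm",
    "docs/readme.txt": "No personal data in this file.",
}

if __name__ == "__main__":
    report, totals = inventory(SAMPLE_DOCS)
    for location, found in report.items():
        print(location)
        for kind, hits in found.items():
            print(f"  {kind}: {', '.join(hits)}")
    print("totals:", dict(totals))
```

Pointing the same functions at real file contents (and at exports from copiers, mobile-device backups or service-provider portals) turns the per-location report into the inventory the FTC asks for.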

2. Retain only what you need for your business

The FTC says, “If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary.” Tips for retaining PII:
  • Have a lawful reason for using Social Security numbers. Do not use them unnecessarily.
  • If you develop a mobile app for your business, make sure it accesses only information that it needs.
  • Do not keep employee or customer financial information unless you have a business reason for doing so.
  • Adhere to the “principle of least privilege,” which means employees should be able to access only the resources needed to do their jobs.

3. Safeguard your PII

The FTC says, “The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of contractors and service providers.” Below are examples of each element.
  • Physical security. Lock away all paper documents and files. Limit who can access this information to only those who have a legitimate business need.
  • Electronic security. Implement measures for general network security, authentication, laptop security, firewalls, wireless and remote access, digital copiers, and breach detection.
  • Employee training. Educate employees on your data security rules, including how to spot security vulnerabilities and respond to potential breaches.
  • Security practices of contractors and service providers. Investigate the data security practices of all companies and contractors to whom you will entrust PII, including outsourcing providers.

4. Appropriately discard PII that you no longer need

The FTC says, “What looks like a sack of trash to you can be a gold mine for an identity thief. Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft.” So, make sure you dispose of PII in ways that ensure it cannot be read or reconstructed. For example:
  • Place shredders around the workplace, including near photocopiers, to properly dispose of paper documents.
  • Use software with erasing capabilities to wipe old computers before discarding them.
  • Inform your work-from-home employees of the procedures for disposing of sensitive documents.
  • Follow the FTC’s Disposal Rule for consumer credit reports, if applicable.

5. Develop a plan for responding to security breaches

The FTC says, “Taking steps to protect data in your possession can go a long way toward preventing a security breach. Nevertheless, breaches can happen.” Therefore, it’s critical that you have a plan for responding to security breaches. For example:
  • Determine who will coordinate and implement the response plan. If you do not have in-house experts, consider hiring a reputable contractor.
  • Know what to do immediately if a computer has been compromised.
  • Identify the internal and external parties that should be notified in the event of a security breach — such as employees, customers, law enforcement, and businesses impacted by the breach.

Protecting your employees’ PII is your responsibility

As an employer, it’s a given that you will encounter employees’ personal identifiable information. But the threat of PII theft is high, so it’s important that you protect your employees’ PII. Otherwise, your employees may fall victim to identity theft and fraud. Along with that, your business could be held liable for failing to secure your employees’ personal information. Read the FTC’s best practices for securing PII, adopt the necessary data security measures, and make sure your technologies are built to mitigate security risks.

This communication is for informational purposes only; it is not legal, tax or accounting advice; and is not an offer to sell, buy or procure insurance.
