Last month more information was revealed about the massive hack of charity donor details from fundraising firm Pareto Phone, affecting more than 50,000 donors to more than 50 of Australia’s largest and most well-known NFPs, from Mission Australia to Greenpeace to Oxfam. The data was stolen from Pareto Phone’s database by cybercriminals who published it on the ‘dark web’.
But what also made headlines was that alongside the theft of donor data was the theft of large amounts of Pareto Phone employee data by the same cybercriminals, including:
“highly sensitive documents like police checks, child support documents, pay negotiations, HR incidents, immigration sponsorship details, COVID vaccination credentials, tax file numbers, passports and licences”.
Some of that employee data was up to eight years old, but was still being retained by Pareto Phone. That’s not illegal – the Commonwealth Privacy Act 1988 contains an ‘employee records exemption’ that makes employers exempt from the Australian Privacy Principles when it comes to personal information they hold about their employees.
But it has clearly exposed the organisation to some serious reputational damage, and put its employees and former employees in danger of fraud and identity theft.
It’s also important to note that not all employee data is exempt from the Act. Some employee data, like tax file numbers (TFNs), is not exempt, and a breach of it could expose an NFP employer to legal liability.
In addition, the employee records exemption does not apply to personal information collected from your volunteers, unsuccessful job applicants, or contractors.
And that raises the question of what responsibilities employers – including NFP employers – have to ensure that their employee and volunteer data is safe from cyber-criminals.
“I can point to a lot of employers, the vast, vast majority, who don’t actually have appropriate systems in place for the proper protection of that kind of information.”
So with data breaches and cyberattacks on the rise, are you one of those employers who doesn’t have appropriate systems to protect your employee – and volunteer – information, exposing you to the risk of ending up in the news, or worse?
If so, we’re glad to be able to outline the key things that you should be doing today to protect your employee data from cyber threats.
1. Understand the scope of data you need to protect
Before delving into what you should do to protect your employee and volunteer data, it’s important to understand the scope of what data you really need to protect.
Personally Identifiable Information or ‘PII’ is the phrase for any data or information that can be used to identify, locate, or contact an individual. When it comes to PII, employee data is a treasure trove of personal and confidential information that could be of interest or use to cyber-criminals, including:
a. Basic details: Names, addresses, contact details, and tax file numbers (TFNs);
b. Financial information: Bank account details, salary information, and tax records;
c. Health information: Medical records as well as WorkCover data and claims;
d. Employment records: Performance reviews, disciplinary actions, and employment contracts;
e. Sensitive legal information: Police checks, Working with Children checks and other background check data; and
f. Communication data: Emails, chat logs, and other forms of digital employee communications can also include PII.
A breach of any of this information could have legal and financial repercussions for your organisation – and also expose your current or former employees to identity theft and fraud.
2. Develop a comprehensive data protection policy
Once you understand the data you should be protecting, the next step is to develop a data protection policy tailored to your organisation’s specific needs.
Whether you’re starting from scratch or updating an existing policy, here are seven things your data protection policy should include:
a. Data classification: Clearly define different types of employee and volunteer data – for example, the types of data listed above – and their sensitivity levels. This helps in determining the appropriate level of security for each category.
b. Data access controls: Specify who within the organisation should have access to employee and volunteer data and implement role-based access controls. Not everyone in your HR or P&C team needs access to all available data.
c. Retention policies: Decide how long you really need to keep each of the various data types that you store, and why. Then create a regular process – including a responsible person – to delete any old data that you no longer need to keep.
d. Encryption: Ensure that sensitive data is stored in a single shared system that encrypts it and protects access with a strong password, so that anyone who needs to access it can do so directly, rather than having multiple copies stored on different computers. Having your data centralised and encrypted makes it significantly more challenging for cybercriminals to access or steal your data. Some common systems that allow secure, shared document storage include Google Workspace, Microsoft Teams and Dropbox. Be aware that email is not encrypted in the same way, so any sensitive data that your team sends by email is potentially at risk of being stolen.
e. Password policies: Implement strong password policies and encourage employees and volunteers to use unique, complex passwords. If possible, enable multi-factor authentication (MFA) for the system where your employee and volunteer data is stored.
f. Regular audits: Schedule and conduct regular audits and assessments of your data protection measures to identify vulnerabilities and areas for improvement – consider doing this every 12 months.
g. Incident response plan: Develop a detailed incident response plan that outlines the steps to be taken in case of a data breach. Should this worst-case scenario happen, then time will be of the essence, and having a well-defined plan can help to mitigate the damage.
For more information about how to create a policy like this, read our post on How to write clear and effective HR policies for your organisation.
3. Create an employee training and awareness program
Once you’ve pulled together or updated your data protection policy, it’s time to roll it out and ensure your employees – and any volunteers who may need to handle PII – understand and abide by it. Your organisation’s security is only as strong as its weakest link, which can often be human error.
Data security training doesn’t need to be complex. But it should at least include topics like best practices for handling sensitive information, how to recognise phishing attempts – by far the most common form of cyber attack – and how to report security incidents if they ever happen. Then:
a. Update your onboarding process: Add data security to your onboarding process for all relevant roles specified in your Data Access Control policy.
b. Conduct regular training: Decide how often you need to refresh your employees’ knowledge of the policy, and create a calendar reminder to make sure the training happens.
c. Encourage Reporting: Foster a culture of reporting security incidents without fear of retribution. Employees should feel comfortable reporting any suspicious emails or other activity or potential data breaches.
d. Simulate phishing attacks: If you’re really concerned about how your employees might respond to a phishing attempt, you can easily test employees’ susceptibility by conducting a simulated phishing campaign. This can help to identify team members who may require additional training. There are a variety of free and paid tools that can help you do this easily.
e. Stay Informed: Finally, if you’re keen to stay informed, you can sign up to the Australian Government’s free Australian Cyber Security Centre Alert Service to find out about “the latest threats and vulnerabilities within an Australian context, and how to address risks to their devices or computer networks.”
By understanding the data you legally and morally need to protect, implementing robust policies and procedures, and conducting thorough employee training, you can significantly reduce the risk of data breaches and protect the sensitive information entrusted to your organisation – all without too much effort.
Remember that data security is an ongoing process that requires vigilance from key employees to avoid the worst-case scenario that Pareto Phone is sadly now facing.
NB: The Privacy Act 1988 only strictly applies to NFP organisations that have an annual turnover of greater than $3 million – which excludes many small NFPs. Nevertheless, keeping the private data of your employees and volunteers safe is a moral obligation that every organisation has. No organisation should be the reason for identity theft or fraud committed against an employee or volunteer.
Image courtesy of @jefflssantos