“We are writing to notify you of a data security incident that may have involved your personal information.”
So begins a letter you may have received from a bank or retailer. It explains that your personal information was part of a data security breach. If you're lucky, you've only read about some of the high-profile security violations. They've been significant. The 2013 hack of Target's credit card records cost the retailer more than $200 million. In 2019, hackers obtained the personal information of over 100 million Capital One customers.
These situations speak to the need for sophisticated data security measures. But security isn't just to ward off hackers. Many employees have access to confidential customer, patient, and coworker information. State-of-the-art information technology solutions are vital for protecting this data. But it's equally valuable to have a culture that respects data safekeeping.
Confidential information is restricted to use by only certain people. The restrictions may result from laws such as HIPAA or company policies. There are several types of confidential data in the workplace:
When customers, patients, coworkers, and employees hand over personal or business information, they believe the recipient needs it and will use it appropriately. When a customer provides private information to a bank or store, they expect it will be safeguarded. Should that data become compromised, the customer loses faith in the organization. They will likely take their business elsewhere. Employees lose trust in their management if their personal information is inappropriately shared.
Trust is foundational to any relationship, and in the case of customers and employees, losing it can negatively affect business. One incident may erase years of customer and employee loyalty.
Respect for confidentiality is part of a culture of integrity. Employees have an innate sense of right and wrong. Yet, they may be tempted through circumstances to test the boundaries in their workplace. Leadership needs to make it clear that unethical behavior will not be tolerated.
CultureWise CEO David Friedman notes in his book Culture by Design,
"Acting with integrity is an absolutely essential behavior that we should call out and teach and reinforce for the rest of our careers. As soon as we stop talking and teaching about acting with integrity, we run the risk of unethical behavior beginning to creep into our organizations."
Talking and teaching about acting with integrity involves coaching employees on the "right" behaviors. Most importantly, managers have to set an example. Employees are watching to see if their boss tries to "sweep a problem under the rug," or bends some rules to "make the numbers." They will also take note if they overhear their manager talking publicly about an employee's performance review or medical condition.
The cost of a breach of confidentiality can be huge, whether it's fines for breaking laws or reputational loss. Management should adopt a zero-tolerance approach to show how seriously they take confidentiality.
Breaches of confidentiality aren't necessarily intentional. Sensitive information might be carelessly left on a desk or computer screen. Employee personnel files might be stored in unlocked desk drawers. Conversations can be overheard. Confidential client information might be shared on a conference call or Teams meeting. Employees may log on to unsecured networks in coffee shops.
Those with access to confidential data must be vigilant about respecting and protecting the information. When in doubt, employees should err on the side of considering information to be private and seeking authorization to release it. Employees should secure information if they are away from their desks for some time.
Employees who overhear conversations or receive something in error must avoid feeding the rumor mill. They should let the information owner know that they inadvertently learned something confidential.
A culture where employees are encouraged to do the right thing in all situations is foundational. Yet, a framework of internal controls over confidential data is still necessary. Cutting-edge IT data security is critical in a world where information is quickly and easily shared. However, there are other non-technological safeguards, including:
Writing in Employment Law Watch, Jill Vorobiev and Amy Harwath recommend policies directed toward remote workers. They suggest strengthening the company’s reimbursement policies to encourage employees to sign up for faster internet access.
Employees may prefer to work from locations other than their home office to tap quicker internet service. However, those locations may not afford the same security and privacy as working from home. Knowing their employer will reimburse them for internet expenses may encourage them to work in a more secure environment.
Respecting the need for employee privacy can present unique challenges for employers. Collection of and access to confidential employee information is governed by laws including:
These privacy laws protect the use of employee data and require employee consent to collect and share it.
In protecting the company’s sensitive data, the organization may need to monitor employee activities and data access. Employers may use video surveillance and phone monitoring. They might screen emails to ensure confidential information is not sent outside the company. A 2022 survey by IDC found that 42% of North American companies track employee access to documents and data.
Attorney Jerome Clay, Jr. notes that there must be a balance between employee protection and business needs:
“Privacy laws safeguard the rights of employees in situations where they might face workplace monitoring or surveillance. Employers must inform employees about the extent and purpose of any monitoring activities, striking a balance between maintaining a safe and productive work environment and respecting individual privacy rights.
While employers have the right to monitor activities that occur on their own property or through company-provided devices, they must do so within the limits set by the law.”
When organizations need to implement monitoring and surveillance, they benefit from a trusting culture. Employees are more willing to cooperate when they feel valued and respected by management.
As computer hacking and electronic data security become increasingly sophisticated, it becomes more critical that organizations look to their company culture to ensure the protection of confidential client, patient, company, and employee information. Employees who trust their leadership and feel trusted in return will become sentinels of their company’s information.