Keep Employee Trust After a Breach

For companies that experience a breach, the road to recovery begins with rebuilding employee trust.

Wednesday, January 20, 2016

By Matt Cullina

Employee trust is slow to build but quick to lose, especially after a data breach.

Morale may dip as employees watch their workplace become the subject of scrutiny and scorn in the public eye. They also may have to grapple with additional fallout if their own personal information was part of the exposure.

For companies that experience a breach, the road to recovery begins with rebuilding employee trust, and Human Resources plays a crucial role in this process. Here’s how:

1. Confirm the security of employee data. This step is key for employers because it provides them with a launch pad to begin shoring up employee confidence.

Companies, even those with a solid breach response plan, must be prepared for a considerable increase in engagement when the exposure involves employee data. The reason? Once the organization communicates to impacted employees, there’s typically a “hair on fire” moment internally as people turn their attention to worries about fraud and identity theft. Being ready for this phenomenon is crucial to maintaining a foundation of trust.

The difference in a company’s strategy becomes apparent when comparing general consumer breaches against breaches where employee data was compromised. In a consumer exposure, notification letters offering support—identity protection, credit monitoring, telephone resources, etc.—typically generate a response well under 10 percent, sometimes even under 5 percent. It simply isn’t top of mind for many people. By contrast, response rates in employee breaches are almost always in the double digits, with some breach notifications triggering responses as high as 30 percent or more. Knowing this, and understanding the importance of good communication when it comes to rebuilding workers’ trust, employers are best served if they proactively think through how they will support employees after a breach.

2. Review the notification process for employees. Instead of a letter or email, the best approach for notifying employees of a breach is a straightforward discussion that involves as many facts as can reasonably be divulged. Depending on the number of workers, it may make sense to break the conversation into multiple sessions, so employees have ample opportunity to ask questions and get information on what they can do to protect themselves going forward. It’s a strategy that also demonstrates to employees that the company is genuinely concerned and intends to provide resources that are meaningful. Staff should be given the chance to voice their frustrations during these conversations, but also encouraged to offer their feedback and seek solutions.

3. Reinforce a culture of information security. Employers can nurture a trusting environment by reinforcing the organization’s culture of information security. Make sure employees understand that protecting sensitive data is one of the company’s top priorities. Provide training that gives employees effective detection mechanisms that enable them to spot potential exposure situations and avoid them.

As companies review their privacy protection and breach response strategies, other steps may also be prudent to help safeguard employees’ personal information. Employers in industries with higher data risks, such as healthcare and the financial sector, are increasingly offering identity protection proactively as an employee benefit that is either paid for by the employer or available for employees to purchase as a voluntary plan. These programs give employees a leg up ahead of an event, with identity monitoring working in advance of potential threats and the knowledge that experts are available to help them through any jam. If an employee’s personal information is breached—by a retailer, a physician’s office or any other outlet—the benefit provides peace of mind for employees and extends the trust they’ve already established with their employer.

Matt Cullina is chief executive officer of IDT911.

© IDT911, LLC. All Rights Reserved.
If you need identity theft assistance, call your provider organization to be put in touch with the IDT911 Resolution Center. More information for individual consumers.