When personal information stored on a computer is compromised or stolen, the potential for cyber liability arises. Staffing companies face a dual exposure — first from the information that internal employees handle, and second from the information that assigned personnel handle while working at clients. These risks become more pronounced when employees are working remotely.
According to the Identity Theft Resource Center and CyberScout, the number of data breaches increased by 40% in 2016 — the majority a result of hacking, skimming or phishing.
Know the threats. Workers at every level should be trained to recognize the warning signs of phishing scams, and employees with access to the most sensitive data should be familiar with the specific tactics currently being used to target them.
For example, “spear phishing” is a scam in which the employee responsible for payroll or recordkeeping receives an email that appears to come directly from the company’s senior management requesting copies of sensitive data, usually W-2s. If read too quickly, the email appears legitimate. The recipient hastily responds only to discover that highly confidential data was just sent to an unknown third party.
Cyber scenarios. Staffing companies are also at risk if an assigned employee removes client property — either innocently or by theft — that contains personal information or protected health information. Even if no harm occurs, such incidents can be costly.
Whenever data is stored and carried outside the office, new risks arise. One staffing company’s laptop was stolen from a recruiter’s car, triggering an investigation because the recruiter was permitted to download some candidates’ personally identifiable information.
In another example, an assigned medical staffer removed patient files to complete chart notes, exposing personal, identifiable information as well as HIPAA-protected medical information.
Other cyber scenarios include someone unwittingly sending an email or uploading software with a malicious attachment, thereby infecting another entity’s computer with malware.
Another exposure is “ransomware,” an extortion scam in which the cybercriminal forces the business to choose between losing precious data or paying a bounty to undo the crippling encryption on its system.
Unfortunately, this is just the tip of the iceberg.
Here are some steps staffing firms can take to mitigate their risks:
Policies. Develop clear privacy, back-up and information security policies — supported by a comprehensive training program.
Passwords. Require strong passwords on all devices that connect to the company’s system or contain company data. Educate employees not to share passwords with one another. Consider implementing a multi-factor authentication system for use by employees connecting to the company’s system from outside devices. Extend this education to assigned employees.
Smart data policies. Demand that vendors have smart data security policies. Ask the suppliers that store and process company data as well as company professionals, such as attorneys and accountants, about how they ensure the safekeeping of your data. Consider, if appropriate, requiring indemnification and cyber insurance.
Indemnification. Understand your indemnification obligations to clients, including responsibility for intentional or inadvertent compromise of data. Consider seeking assistance from company attorneys, accountants, insurance brokers or consultants.
Mitigation requires taking steps to protect the company from the risks of a malicious intruder and to keep the company from being the cause of a client’s breach. If a breach occurs, it is essential to promptly seek the assistance of a law firm with the right expertise.
This article is intended for informational purposes only. Nothing herein should be construed as offering legal advice or creating an attorney-client relationship. Always consult with competent local counsel on any legal issues.