Too much access, not enough control: Inside the HR data exposure crisis

Data protection is not just an IT issue

HR data systems often store highly sensitive personal details - from names and contact information to social insurance numbers, banking data and medical histories. That's exactly the type of information cybercriminals target, warns Julia Latacka, an instructor in HR Data Analytics and Technology at Concordia University.

Her concerns come as the threat to data intensifies. A new analysis by Lab 1 reviewed 141 million files from more than 1,200 data breach incidents and found that HR data was involved in nearly 82% of cases; recruitment data, such as resumes and cover letters, was present in 58%.

At the same time, organizations are being warned about the explosive growth of ‘shadow AI’, where employees use generative AI tools such as ChatGPT and Google Gemini through personal accounts, often pasting sensitive company data into them. Because these accounts sit outside corporate monitoring and data-loss controls, this behaviour exposes organizations to major risks, from accidental leaks to outright data theft, according to Menlo Security.

The human factor in HR data breaches

The problem, Latacka says, is even with strong cybersecurity measures in place, employees can inadvertently circumvent them.

Small and mid-sized companies, which often lack the cybersecurity staffing, tools and infrastructure needed to protect data, are especially exposed. Without dedicated expertise or resources, these organizations are significantly more vulnerable to breaches.

“Phishing emails, accessing links that aren’t safe, or putting information somewhere it shouldn’t be are all risks,” she says. “A lot of organizations are still housing data on spreadsheets and SharePoint.”

She believes HR needs to step up with targeted, frequent training, and she advocates for simulated phishing emails and other proactive tests.

“Basic phishing training, social engineering training, trainings that are going to equip employees to know what to look out for, as well as how to react [are important],” she explains. “Those are all ways in which we can test how susceptible our employees are.”

The cost of keeping unnecessary data

Data hygiene is another concern. North America, she points out, lacks the strict data minimization frameworks that are in place in the EU, under which only the personal data necessary for a specific business purpose may be collected and stored.

“The general rule is that you should really only be collecting the data that you need,” she says. “Whenever we are asking for HR data, it should really serve a purpose and then be deleted when it no longer serves that purpose.”

The tension between utility and liability is becoming sharper in the age of AI, but keeping unused or noncompliant data poses its own threats: data that is retained without a purpose can still be stolen, and it may also breach legal retention limits.

“You have to take into account legal requirements for deletion of data,” she says. “Reducing the risk of keeping data that really doesn’t serve a purpose may cause greater issues if it were to be breached.”

To combat this, HR leaders need to restrict access to sensitive information and audit where that information is currently housed and whether those systems are secure, Latacka says.

“Think of a payroll system,” she says. “You really only want a handful of people overseeing payroll to get access, not everyone at the company.”
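The two controls described above, a least-privilege check on who holds payroll access and a retention check that flags records kept past their purpose, can be scripted against an entitlement export and a retention ledger. The example below is added here and is not code from the article or from Concordia University; the policy table, the entitlement rows, the group principal names and the retention ledger are all constructed sample data, and a real review would read them from the HRIS or identity provider instead.

```python
"""Entitlement review and retention check for an HR payroll system.

Added example with constructed data: the policy table, entitlement export,
group principal names and retention ledger below are hypothetical.
"""
from datetime import date, timedelta

# Hypothetical approved-access policy: which roles may hold payroll access and
# how many distinct principals should have it at all ("a handful of people").
APPROVED_ACCESS = {
    "payroll": {"roles": {"payroll-admin", "payroll-analyst"}, "max_holders": 5},
}

# Hypothetical group principals; a grant to one of these gives access to
# everyone at the company and is always a finding on a restricted system.
GROUP_PRINCIPALS = {"everyone", "all-staff"}

# Constructed entitlement export as (user, system, role).
ENTITLEMENTS = [
    ("alice", "payroll", "payroll-admin"),
    ("bob", "payroll", "payroll-analyst"),
    ("carol", "payroll", "hr-generalist"),  # role not approved for payroll
    ("everyone", "payroll", "viewer"),      # whole company can read payroll
    ("dave", "recruiting", "recruiter"),    # no policy entry, not reviewed
]

# Constructed retention ledger as (record_id, purpose, collected_on, retain_days).
RETENTION_LEDGER = [
    ("rec-1", "candidate-resume", date(2022, 1, 10), 365),
    ("rec-2", "payroll-bank-details", date(2024, 6, 1), 7 * 365),  # statutory hold
    ("rec-3", "candidate-resume", date(2025, 1, 5), 365),
]


def review_entitlements(entitlements, approved=APPROVED_ACCESS):
    """Return (user, system, role, reason) tuples that violate the policy.

    Flags group grants on restricted systems, roles not on the approved list,
    and systems whose distinct holder count exceeds the configured limit.
    Systems without a policy entry are skipped.
    """
    findings = []
    holders = {}
    for user, system, role in entitlements:
        policy = approved.get(system)
        if policy is None:
            continue
        holders.setdefault(system, set()).add(user)
        if user in GROUP_PRINCIPALS:
            findings.append((user, system, role, "group grant on restricted system"))
        elif role not in policy["roles"]:
            findings.append((user, system, role, "role not approved for system"))
    for system, users in holders.items():
        limit = approved[system]["max_holders"]
        if len(users) > limit:
            findings.append(("*", system, "*", f"{len(users)} holders exceeds {limit}"))
    return findings


def expired_records(ledger, today):
    """Return ids of records whose retention period has elapsed as of `today`.

    A record is due for deletion once collected_on + retain_days is in the past;
    records still inside a statutory hold are kept.
    """
    return [
        record_id
        for record_id, _purpose, collected_on, retain_days in ledger
        if collected_on + timedelta(days=retain_days) < today
    ]


if __name__ == "__main__":
    for finding in review_entitlements(ENTITLEMENTS):
        print("ACCESS:", *finding)
    for record_id in expired_records(RETENTION_LEDGER, date(2025, 6, 1)):
        print("DELETE:", record_id)
```

Run as-is, the script reports carol's unapproved role and the company-wide `everyone` grant, and marks `rec-1` (a resume past its one-year purpose) for deletion while leaving the payroll record inside its statutory hold. The same two functions can be pointed at a real export by replacing the constructed lists.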

How to respond to a data breach

If a breach does happen, she’s clear that HR has a role – albeit a collaborative one. HR should work closely with IT, legal and leadership to respond effectively, and preparation is non-negotiable.

“Having a response plan in place, knowing your policies, knowing what data you’re collecting, why you’re collecting it, where it’s stored and who has access to it is essential,” she says. “Audits, continuous trainings, collaboration with IT and legal are extremely important.”

“It’s also important to identify which employees were impacted, what information was accessed, so you can have a conversation with those employees and have a plan in place to support them,” she says.

For companies without internal expertise, she recommends leaning on outside consultants or subject matter experts because failing to manage HR data properly could result in reputational damage.

“That often then impacts whether or not people are going to purchase their product, service or work for them in the future,” she says. “If people are worried that their data is going to get hacked, then that might just be something that’s always in the back of their mind.”

Latacka stresses that staying informed about data protection laws and evolving security standards is not optional but essential. While she admits that keeping up with regulations may not be the most exciting part of the job, she warns that failure to do so leaves organizations exposed. As new technologies like ChatGPT and generative AI reshape the workplace, the stakes are only getting higher.

“Keeping up to date on data protection regulations and best practices is critical,” she says.