Dive Brief:
- The U.S. Department of Homeland Security (DHS) is notifying employees who may have been affected by a "privacy incident" that involved the release of personally identifiable information (PII), according to a DHS statement.
- In May 2017, DHS's Office of the Inspector General (OIG) discovered an unauthorized copy of its investigative case management system in a former employee's possession. The incident did not involve a cyber attack or outside interference; PII was exposed, although DHS says this data was not the primary target of the unauthorized data transfer. Two groups were affected: 247,167 current and former employees who were on DHS's staff in 2014, and individuals (claimants, witnesses and subjects) associated with OIG investigations from 2002 to 2014. The PII included Social Security numbers, birth dates, positions, grade levels, addresses, phone numbers, duty stations and other data.
- DHS notified victims of the incident in December; officials said the incident's complexity caused the delay in notification. DHS says it has added security precautions to limit access to the information, will improve its process for identifying suspicious patterns of access to the data, and will continue monitoring its systems and practices.
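The "suspicious patterns of access" DHS says it will look for are, in the simplest case, a user pulling far more records in a day than they ever have before. The script below is an added illustration, not DHS or OIG code: it builds a constructed access log for a hypothetical case management system (the line format, user names and thresholds are all assumptions), counts record reads per user per day, and flags any day whose volume is both large in absolute terms and a multiple of that user's own median history. A steadily heavy user (an intake clerk) is deliberately included so the check does not fire on a high but stable baseline.

```python
"""Flag bulk record access against each user's own baseline.

Added example; the log format, field names, users and thresholds are
assumptions for illustration, not the actual DHS OIG system.
"""
import re
from collections import defaultdict
from statistics import median

# One line per record read. Format is an assumption:
#   <ISO timestamp> user=<name> action=<verb> case=<case id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+case=(?P<case>\S+)$"
)


def build_sample_log():
    """Constructed sample data: three users over five working days."""
    days = ["2017-04-24", "2017-04-25", "2017-04-26", "2017-04-27", "2017-04-28"]
    plan = {
        "agent_a": [4, 4, 4, 4, 4],          # ordinary investigator
        "intake_clerk": [60, 60, 60, 60, 60],  # heavy but steady user
        "agent_b": [4, 4, 4, 4, 180],        # bulk pull on the last day
    }
    lines, case = [], 10000
    for user, per_day in plan.items():
        for day, n in zip(days, per_day):
            for i in range(n):
                case += 1
                lines.append(
                    f"{day}T09:{i // 60:02d}:{i % 60:02d}Z "
                    f"user={user} action=view case={case}"
                )
    return lines


def parse_line(line):
    """Return a dict of fields, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = rec["ts"][:10]  # ISO date prefix, sorts chronologically
    return rec


def daily_counts(lines):
    """Map user -> date -> number of records read that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip rather than crash on a bad line
        counts[rec["user"]][rec["date"]] += 1
    return counts


def find_anomalies(counts, min_history=3, min_count=50, ratio=10.0):
    """Return (user, date, count, baseline) for days that look like a bulk pull.

    A day is flagged only if the user has at least `min_history` earlier days
    to compare against, read at least `min_count` records, and read at least
    `ratio` times their median daily volume over those earlier days.
    """
    hits = []
    for user, by_day in counts.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            history = [by_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet to judge this user
            baseline = median(history)
            n = by_day[day]
            if n >= min_count and n >= ratio * baseline:
                hits.append((user, day, n, baseline))
    return hits


if __name__ == "__main__":
    for user, day, n, base in find_anomalies(daily_counts(build_sample_log())):
        print(f"{day} {user}: {n} records read, baseline {base:.0f}/day")
```

Only the 180-record day for `agent_b` is reported; the clerk's 60-a-day pattern is never flagged because it never departs from that user's own median. The obvious gap is the slow leak: an insider who copies a few extra records every day for months simply raises their baseline, so a production control would also watch distinct case IDs touched, off-hours activity and reads outside a user's assigned caseload.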
Dive Insight:
No organization is immune to breaches involving sensitive employee data, even in the most secure environments. DHS's breach is also a reminder that the biggest risk is not always a shadowy foreign actor: it may be someone with legitimate access who is sitting in your workplace right now, or who used to.
Employers should issue all-staff bulletins that warn against leaving PII visible and unattended on screens, but screen hygiene would not have prevented a wholesale copy of a database. What matters more is limiting access to personal information to need-to-know personnel, which may exclude employees such as clerks, assistants, secretaries and temp staff who routinely handle personal documents, and paying particular attention to any account that can read an entire case system rather than individual records.
When employees leave, their network accounts and credentials should be disabled immediately, and any personal or proprietary data they hold should be returned. Revoking access at departure does not, however, recover data that was copied while the person was still employed, which is why monitoring for unusual patterns of access during employment, as DHS says it will now do, is the complementary control. Formal training in ID-theft prevention for all employees may be necessary and should include guidelines on personal electronic devices.
After any workplace crisis, HR's role is to rebuild employees' trust. Delays in disseminating bad news foster distrust, so regular communication about how the organization is handling the crisis and which preventive measures it will take is vital. Offering voluntary identity theft protection may provide additional assurance, but it must be done transparently.