HR Headaches: Confidential Information Has Leaked

November 26, 2021
As vigilant as you try to be, occasionally confidential information leaks from the HR department or from within the organization. An email sent to the wrong person, a conversation overheard (or eavesdropped upon), a slip of the lip, or even recycled papers can reveal things that are not for mass consumption. With all the ways information can get into the wrong ears, it’s surprising it doesn’t happen more often, thankfully. When it does, your business and HR professionals need to switch into high gear to keep it from spreading, mitigate the damage, and assure it doesn’t happen again. Whether it’s private employee salary or medical information, intellectual property or customer data, the onus is on the business to address the situation quickly and control the fallout. Here are the fast first steps that need to be taken.

Report the leak

Create an environment where employees are empowered to report a leak quickly and, if necessary, confidentially. The longer it's out there, the more damage it will create. You need to address the problem rather than cover it up or hope it dies down – it won't. At most companies, the first time employees are told to report confidential information they shouldn't have heard is after an incident. Make a point to tell staffers before a leak that they should notify you or HR whenever the grapevine is abuzz with gossip or information that shouldn't be circulating.

Go into lockdown mode

Wherever the leak likely originated, and wherever it's likely causing harm, should go quickly into controlled lockdown mode. You'll want to gather the employees who might have been involved in the breach and determine where and when it occurred. You'll also need to gather staff members who had unauthorized access to the information. All of these staff members need to be told they are not to discuss the information further, with anyone inside or outside the company. They should be asked to tell you how, and from whom, they heard the information so you can investigate quickly and effectively.

Find the source

Employees will be hesitant to admit they were at fault; they may be unaware their conversation was overheard. It will be critically important to find the source of the leak, if possible. Remind employees that they may feel they're protecting a coworker, but doing so may harm another colleague or the company itself. Whether an individual person is identified or not, you'll at least need to determine where the leak originated. If it's personnel information, it likely came from HR; if it's proprietary information, it likely came from those who had access to it. The more you can narrow down the probable source, the better you're able to contain the damage.

Secure data

Next, you’ll need to take steps to more vigilantly secure data from that department. Depending on the type of information, physical as well as communication security measures may have to be taken. For example, if files are left on desks overnight, or cabinets or offices are not locked when employees are not present, changes should be made immediately. Some data is acquired from paper recycle bins: any information that might be remotely confidential should be shredded. If you don’t have a shredder, invest in one to destroy personnel and other confidential information before it’s discarded or sent to recycling. You may have to consider off-site, secure data storage, depending on the nature of the material. How you respond will also depend on the type of information that was divulged.

Employee personal information

When an employee’s private data is leaked within the company it can be devastating to that staff member. Their salary, medical, or personal information can impact their ability to work with others effectively and confidently. Your first responsibility will be to notify the staff member of the breach and of the steps you’re taking to mitigate the damage. It may be a difficult conversation to have, but employees have a right to know if their confidential information has been compromised. You’ll want to let them know — as soon as you are aware of the situation — steps are being taken to stop the information from spreading further, and you’re working to find the source of the leak. You’ll need to quickly warn employees aware of the information that it’s private and they’re not to discuss it, either internally or outside the company. Remind employees who are tempted with juicy gossip that they wouldn’t like their own confidential information to be water cooler fodder. Encourage employees to report who leaked the information, even confidentially, if they know the source. If you suspect the information has spread beyond a team or department, a company-wide email should be sent immediately reminding employees that confidential information is not to be discussed. Ask them to report to HR if they’re aware of anyone breaching another employee’s privacy rights.

Underscore anti-harassment and discrimination policies

If an employee’s wages were the subject of the leak, they may be open to derision or jealousy. If their medical information was made public, they may feel ostracized or pitied. Personal information, such as religion or orientation, may result in scorn or disrespect. Your role will be to reiterate and strongly enforce your policy against bullying, harassment, or discrimination in the workplace. Employees should be notified that discussing the information, or harassing or discriminating against the employee in any way, will be subject to disciplinary action — up to and including termination.

The employee whose information was leaked is the victim in this scenario; compounding the violation with disrespect or discussion will only amplify the problem. The employee should be aware their coworkers are being warned, and they should be encouraged to report any harassment, bullying or discrimination immediately to HR for remedy.

Customer information

Contact the authorities immediately if the information breach involves:

  • Customer information
  • Sales data
  • Credit card numbers
  • Social Security numbers
  • Income information

The Federal Trade Commission offers guidance on how to respond to a data breach, who to contact, and how to mitigate the damage as quickly as possible. Speed and transparency will be of the essence to regain consumer confidence in your organization. You'll need to notify customers of the full details of the breach. Even the largest organization can be the victim of hackers; take steps to secure information internally and help customers do the same. You may offer subscriptions to credit reporting companies that alert customers when new accounts are opened in their name, and encourage them to check their credit status periodically.

Intellectual property

If intellectual property has been leaked or stolen, you'll need to contact the authorities as well. The FBI has a new National Intellectual Property Rights Coordination Center that can help businesses find resources to combat crime and address the needs of owners and copyright and trademark holders. The crimes it addresses range from counterfeiting and piracy to brand theft, theft of trade secrets, and infringements on products. For both customer data and intellectual property breaches, work with local and federal law enforcement as well as your own attorney to mitigate the damage as much as possible.

Focus on security

An initial investigation may reveal a single source for the breach. If it's an employee who intentionally leaked the information, they'll need to be terminated. If the breach was accidental (files left on a desk), discipline may be required, and policies will need to be communicated and strictly enforced to assure another incident doesn't occur. Perhaps the leak can't be traced, or it was the result of insecure practices (like not shredding paperwork). In either case, change procedures immediately. In some instances, you cannot trace how, when, or where the leak occurred. This is problematic, since there may be little you can do to avoid it happening again. You'll need to focus on security as much as possible to stop another breach.

Create policies and protocols

If you don't already have a confidentiality policy, create one that outlines the importance of data and information security. Outline the steps employees should take if they become aware of a breach of their own, others', or the company's information. Set procedures in departments that have access to confidential information. Locks on desks, office doors, and file cabinets should be the norm rather than the exception, and the number of personnel authorized to have keys should be limited. Physical access may need to be limited as well: employees shouldn't be roaming through some areas of the company, and key card access doors can limit traffic to off-limits areas. Password protection is common on work computers. However, it's critically important to remind employees to lock personal phones and laptops that have access to company sites. A simple screen lock can prevent a massive data incursion and ensure critically important data security. Data breaches and confidentiality leaks can happen in the largest organization and the smallest. Leaders must address the problem quickly and thoroughly to minimize the damage to employees, customers, and their business.

This communication is for informational purposes only; it is not legal, tax or accounting advice; and is not an offer to sell, buy or procure insurance.

This post may contain hyperlinks to websites operated by parties other than TriNet. Such hyperlinks are provided for reference only. TriNet does not control such websites and is not responsible for their content. Inclusion of such hyperlinks does not necessarily imply any endorsement of the material on such websites or association with their operators.
