Cybersecurity Regulations Are Coming. Is HR Ready?

As cybercrime targeting the valuable personal data organizations hold about their customers and employees becomes more common, HR can add value to, and even lead, efforts to strengthen cybersecurity and data protection. There are three reasons for this. First, HR departments handle a great deal of private data and are therefore common targets for cybercriminals. Second, strengthening cybersecurity means recruiting valuable and often hard-to-find security talent. Finally, effective cybersecurity depends on employees adopting good practices around passwords, online communications, and the handling of sensitive digital materials.

Today, cybersecurity is less a matter of compliance than of protecting against breaches, but data-security law is moving in a direction that will make cybersecurity a compliance issue for many US employers in the years to come, at least at the state level (European law is evolving in the same direction). New York State, for example, enacted a regulation earlier this year that makes it mandatory for banks, insurers, and some other private companies to meet a set of minimum cybersecurity standards. At SHRM, Dinah Brin dives into how HR can help New York employers face this mandate starting next year:

Among other measures, the regulation requires each covered entity to establish a cybersecurity program to protect company data systems and private consumer information from hacking. Affected companies, also required to implement written cybersecurity policies, must be prepared to detect, respond to and report system breaches, and will have to conduct penetration testing and risk assessments. …

Of note for HR professionals, [James Koenig, partner and co-chair of Fenwick & West LLP’s privacy and cybersecurity practice in Philadelphia,] said, the New York regulation goes further than any state or federal law on cybersecurity-specific training. Covered organizations must provide regular cybersecurity awareness training for all personnel, which should be updated to reflect potential problems identified in risk assessments. Companies also must use qualified cybersecurity personnel, either from within the organization or from third-party providers, to oversee their cybersecurity programs, Koenig noted.

In the wake of recent, high-profile breaches like the one at the credit reporting agency Equifax, companies can expect regulators to look more closely at issues of data privacy and cybersecurity. If the CEO isn’t already asking about this, proactive HR leaders can play a strategic role in guiding the organization toward a cybersecurity strategy that anticipates this type of regulation and helps establish best practices. It’s also a great opportunity for the CHRO to partner with the CIO, as the converging roles of HR and technology in the workplace make this relationship increasingly important.