Data and privacy breaches caused by malicious actors accessing your organization’s systems are here to stay. Once considered an emerging risk, “cyber” is now a hard reality facing every organization. Given the frequency of employees causing cyber breaches, human resources professionals have a growing role to play in managing this risk.

More likely than not, your organization will suffer a cyber breach and one of your employees will be the cause. In reality, personnel are just another type of software to be manipulated. Malicious actors often use an organization’s own employees to further their unlawful goals with the majority of breaches result from the actions (or inaction) taken by an organization’s employees. The 2018 NetDiligence Cyber Claims Study found that in 2017, approximately 58% of all claims were caused by ransomware, business e-mail compromise, phishing, rogue employees, or staff mistakes.

When dealing with a breach, there are significant legal consequences for an organization from a human resources standpoint. The human resources department can play a key role before, during, and after a breach event to mitigate these consequences.

Before a breach, human resources departments are frequently tasked with arranging appropriate cyber training for an organization’s employees. Ensuring that employees establish good password hygiene, can identify phishing attempts, and know when to report a possible breach will likely fall in HR’s wheelhouse.

During a breach, a senior member of HR makes an excellent addition to an organization’s response team. Consistent and accurate internal messaging during a breach is important. HR professionals know their team of employees and the most effective methods of communication. They know the individuals involved and have (hopefully) developed a rapport with their team members. Crucially, they are familiar with performing and facilitating investigations and can provide invaluable assistance in the fact gathering stage of a breach. Employees will often be more at ease speaking to an external breach coach or forensic investigator in the presence of an HR professional they know and trust. If a malicious insider is suspected, they may have information pointing to a likely suspect.

In the aftermath of an employee-caused breached, HR has a continuing role. According to a survey from Kaspersky Lab, 31% of breaches result in organizations terminating at least one high level employee. After an employee caused breach, an organization will have to make a decision. What do you do with the at fault employee? In the case of the malicious insider, termination seems obvious; however, what of the “innocent” but negligent employee? In some cases, dismissal may not always be the most appropriate result. Additional training, supervision and guidance may be the more effective approach.

If an employee is dismissed, that dismissal may have an impact on future risk. If senior management is calling for heads to roll, HR knows the legal requirements for a proper dismissal. HR is in a good position to determine whether a dismissal for cause is legally defensible. Employers have an obligation of good faith and fair dealing in the manner of dismissal. HR knows that frog marching a negligent employee out the door in full view of the office on the same day of the breach may not be advisable. It impacts morale and risks opening the door to future litigation. Additionally, employees who are dismissed in a summary manner are less likely to be cooperative with the organization if (and when) a third party lawsuit comes knocking.

The Take Away

The risk presented by cyber breaches is daunting but has also provided an opportunity for human resources professionals to maintain their position as proactive problem solvers. While cyber is now an established risk that impacts every sector of the economy, many organizations lack a comprehensive breach response. Every organization is different and has different needs and exposures. The need for a unique and tailored approach provides a real opportunity for senior HR professionals. Early and active involvement of these team members in developing and strengthening your organization’s training, culture, and response can mitigate your risk from this growing problem at all stages.


  • Devan Marr

    As the progeny of Canadian diplomats, Devan grew up in five different countries before returning to Canada. It was somewhere between Frankfurt and Vienna where Devan first learned to ride a bicycle. He is now a cycling fanatic: Devan is also the firm’s resident employment law fanatic. Got an employment practices liability policy question? Devan has your answers.

    View all posts