In the first blog of our human resources series, we covered a brief overview of the role HR representatives play in the protection of their employees’ personal data. Today’s article will focus on the types of costs companies incur when employees or clients have their private information compromised.

The damages aren’t as clear-cut as you might imagine, and the impact to your company’s bottom line can be devastating. Here are just a few examples of the wide-ranging costs your organization can suffer due to security breaches and the loss of sensitive data. 

Reputation damage

Not all costs have a clear dollar amount attached to them, but that doesn’t mean your company won’t feel the impact for years to come. This is especially true when it comes to your business’ reputation. If a data breach occurs in your organization, people will take notice. Current clients might consider working with the competition, and prospective clients might discount working with your company altogether.

This impact isn’t limited to client and prospects either. Experiencing a data breach or having your employees’ personal data compromised can lead to good employees leaving your company. It can drastically inhibit your ability to attract and retain top industry talent in the future, not to mention it’s a PR nightmare.

Regulation and litigation costs  

Companies can lose a fortune due to regulation and litigation. In the U.S., federal laws like the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA) regulate the protection of your customers’ and employees’ confidential information. Failure to comply with these standards can result in major penalties. Cities and states are also taking matters into their own hands. When Uber revealed a previously undisclosed data breach in late 2017, the city of Chicago, the attorney general of Los Angeles, and the attorney general for the state of Washington each filed lawsuits against the popular ride service, citing company misconduct.  

And outside the U.S., regulation is getting much stiffer. In the UK and EEA states, failure to comply with the General Data Protection Regulation (GDPR) — legislation aimed at protecting the personal data of citizens — can spell big problems for any company. After the law takes effect in May, 2018, businesses that fail to properly disclose breaches within 72 hours will result in fines up to €2 million or 4 percent of annual turnover, whichever is more. And even if your company is U.S.-based, if it manages the personal data of any UK or EU national, your company will have to prove it is GDPR-compliant.

While laws in the U.S. may not be as standardized when it comes to issuing fees, that doesn’t mean organizations are in the clear: Courts are increasingly holding companies responsible when the data of their employees and customers are exposed.

Employee disengagement 

When your employees have their personal data compromised — or, far worse, their identities stolen — they can become incredibly distracted in the workplace. Without the assistance of an identity protection service, this workplace distraction can quickly lead to the employee becoming disengaged. This can have a huge impact on your company’s bottom line.

Gallup’s annual State of the American Workplace 2016 report found that companies with low levels of engagement, when compared to companies with high levels of engagement, experience 

  • 20 percent lower sales

  • 17 percent less productivity

  • 21 percent lower profitability 

  • Between 24 and 59 percent higher turnover 

  • 70 percent more employee safety incidents

Costs associated with malware attacks

When employees fall victim to scams like phishing, they may compromise more than their personal data. In addition to stealing confidential information about the employee and their business, phishing attacks may install malware on the company’s network.

Ransomware, one form of attack, cost businesses over $1.5 billion last year. These attacks, which completely hijack a victim’s computer, charge users a significant bounty to regain access to their equipment. In 2016, the average ransom cost around $1,000 per device.

In addition to the charges businesses must pay to regain control of their equipment, productivity and sales come to a screeching halt until criminals restore functionality. Twenty-two percent of small businesses (less than 1,000 employees) that experienced ransomware attacks in 2016 had to halt operations immediately, and one in six companies reported that the attacks delayed business operations by 25 hours or more.

How HR can help reduce risk of data breaches and protect employees’ identities

The costs associated with having employees’ personal data compromised are staggering. It’s imperative your human resources department takes every action possible to protect your employees and your company.

First, you need to provide in-depth and continual training for your employees. They should be able to quickly identify scams like phishing emails, and you can even hire companies that will test your employees’ ability to detect cyberattacks and analyze your network security.

Second, provide your employees with a comprehensive identity protection service as a standard benefit. If their personal data does become compromised, your employees and company can rest assured they have a team of experts fighting to restore the stolen identity.

Third, HR needs to have a comprehensive cybersecurity plan in place. If your company has an IT department, you’ll want to work closely together to ensure you are protecting confidential data to the best of your ability and have a plan in place if sensitive material should become compromised. For smaller companies who may not have an IT team, you can begin by reviewing the FCC’s Ten Cybersecurity Tips for Small Businesses.

Finally, and most importantly, always stay vigilant.