Due to an increase in recent employee layoffs
because of economic conditions and the increased
risk of workplace violence, as well as an increase
in domestic restraining orders that several employees have recently obtained against former spouses,
company management has decided it is time to
take a proactive position and develop a workplace
violence action plan. There are many factors to
consider, as your company has three locations
and more than 500 employees. For information to
assist you in identifying workplace violence categories and prevention strategies, visit the website
at www.fbi.gov/publications/violence.pdf.
1. Which workplace violence categories are of
most concern to your company?
2. What steps and provisions do you need to
include in your workplace violence action plan?
CASE
Data Security
Policing the workplace used to mean reminding
employees about personal phone calls and making
sure that paper clips did not disappear. But with
the computer revolution at work that began in the
1990s, checking on employee behavior at work
became considerably more technical. The threats
to data security, not to mention other threats for
potential lawsuits (e.g., sexual harassment), are now
more complex as well. New federal laws pertaining
to financial and medical records have put increased
pressure on companies to protect their data. But
auditing user privacy cannot be done without input
and buy-in from HR, notes a senior consultant with
an IT security firm in Massachusetts.
Whether the concern is inappropriate Internet
usage or transferring files outside the company, HR
may be the first to learn of a problem. Although the
possibility of outside attacks on the computer network is a real problem, the threat of internal security
breaches is even greater. The growing insider problem and the sheer volume of electronic messages
coming into and out of a company (a large company
easily processes one million e-mails per day) present
HR with a challenge on data security policy development, implementation, and enforcement.
HR may be asked to “identify personnel at
risk” who might require more stringent watching, such as people who are sending out résumés.
In many cases, people leaving organizations take
advantage of the opportunity to take intellectual
property with them. Security software identifying employee behaviors will always require HR
involvement. Policy violations, banned sites, and
stealing identity data are examples. Companies
look very bad when sensitive customer or employee
data are stolen or leaked to the public. Employees
can easily resent the security measures and see the
security as “Big Brother” watching. However, the
growth of identity theft and spyware means that
more employees have been personally affected by
data security and are more likely to recognize the
need for their employers’ data security efforts.
At Spherion, HR publishes a “computer and
telecom resources policy” that specifies appropriate usage and a code of conduct. Employees must
read and sign the policy. The company also has an
IT Risk Team with members from HR, accounting, internal auditing, and other departments.
There are, of course, attempts at a purely technical solution to the problem. But it is clear that
HR must have a role in balancing employee privacy with company risk management. A simple act,
such as a bank’s loan officer burning credit information to a CD and selling the data to another
bank, can undo all the technical protections. The
human side—developing a policy, communicating
it, helping people understand why it is needed, and
applying it fairly—is the big piece for HR.[56]
QUESTIONS
1. How would you communicate a data security
policy that required software checking of
employees’ emails?
2. What elements should a data security policy
for a bank include?
3. Employee data theft most frequently occurs
with new employees or when an employee has
given notice and is leaving. How would you
deal with these two very different issues?