
My information was leaked as part of Indigo’s ransomware attack – former employers should not be allowed to retain employee data. Photo: Craig Wong/The Canadian Press

Markus Grupp is the former director of experience design at Indigo.

“Did you see the e-mail from Indigo?” asked a friend and former colleague by text one night.

I hadn’t – but I had some inkling what he was referring to. After all, as people who used to work at Canada’s largest bookstore chain, we had been closely watching the cybersecurity breach unfold from afar for the better part of two weeks.

We lamented the disappearance of the Indigo website, mobile app and other in-store digital products that many of us had worked hard to develop over the years, replaced by a single blue screen confirming that “a cybersecurity incident” had occurred.

We commiserated over a flurry of messages and group chats, thinking of current Indigo employees working day and night to resolve the breach, and wondering what systems could have been compromised so severely to allow a multiweek outage. Eventually, the ominous blue screen was updated to confirm that customer data had not been compromised.

Weeks later, we finally learned through a tersely worded e-mail that it was employees’ data that may have been compromised. A range of emotions hit me immediately: Shock. Confusion. Concern. Anger.

“I haven’t worked for Indigo in nearly five years, how could this be?” I thought.

It has become clear that there is little clarity in the law about the obligations an employer owes to its current and former employees. Nor are there clear guidelines on how to better safeguard their data and the recourse former workers have in controlling any sensitive information retained.

This experience has demonstrated that there should be higher standards for both federally and provincially regulated organizations on employee data.

The e-mail from Indigo outlined that my personal data – including e-mail address, phone number, birth date, home address, postal code, SIN and banking details – may have been “acquired by an unauthorized third party.” In closing, it offered me two years of complimentary identity and credit monitoring.

Countless more messages and group chats followed, surfacing a similar range of emotions. Some shared stories of sleepless nights, anxiety and panic attacks caused by concerns of potential identity theft. Others speculated on what was to blame. We tried to piece together what to do next, individually spending hours setting up new bank accounts, changing e-mail passwords and enrolling in credit monitoring.

To start, we need laws that hold employers responsible for any employee data breaches regardless of the cause and, in turn, the costs incurred by affected individuals. This can range from the account switching costs and additional monitoring fees for all, to the costs related to rehabilitating any affected stolen identities.

In addition, companies should be required to handle employee data in the same way they do customer data, with the same levels of security, compliance and investment in employee data systems – subject to standardized third-party audits similar to the System and Organization Controls (SOC) audits for customer data.

Currently, employee data are governed by separate legislation from customer data, with weaker protections, and companies often view their obligations with employment record retention in mind, not cybersecurity.

During the employee off-boarding process, the employer should also provide the departing employee transparency, including which data will be kept, how long it will be retained and why it is needed, acknowledged by the employee in writing. Retention of non-essential data should be strictly opt-in, or better yet, not happen at all. Banking details should be expunged after the employee’s final payroll.

A departing worker should be provided the option of providing a preferred e-mail address to ensure timely communication of a possible future breach. And in the case of such a breach, the employer should be obligated to provide both current and former employees the same timely updates on the event.

While credit monitoring services may provide some reassurance, they do not eliminate the sleepless nights and anxiety many feel knowing their data is on the dark web. The individual mental-health effects of a data breach can be severe and lingering, according to research from Cambridge University. As such, employers should provide affected employees with mental-health support for a similar duration.

In turn, employees need to demand more of their employers – to get transparency on how their data is protected. Industry awards recognizing top employers and workplaces need to start factoring employee data security into their rankings.

As attacks become more frequent, will job candidates ask future employers about their employee data policies during interviews? They certainly should.