Personnel files not being secured

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
8
down vote

favorite












I work for a small company (6 people) - which does not have a dedicated HR person. I have discovered some of my, along with a colleague's, personnel files laying on an open network share. This includes information ranging from reference checks on my initial application through performance reviews from the last year.



I am looking for advice on how to bring this up with management?




human-resources




share|improve this question
















  • 2




    Better yet, can you also see their personnel files?
    – Jane S♦
    Jun 29 '15 at 11:41










  • Could you explain how is the structure of the company? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
    – Llopis
    Jun 29 '15 at 14:33
















up vote
8
down vote

favorite












I work for a small company (6 people) - which does not have a dedicated HR person. I have discovered some of my, along with a colleague's, personnel files laying on an open network share. This includes information ranging from reference checks on my initial application through performance reviews from the last year.



I am looking for advice on how to bring this up with management?




human-resources




share|improve this question
















  • 2




    Better yet, can you also see their personnel files?
    – Jane S♦
    Jun 29 '15 at 11:41










  • Could you explain how is the structure of the company? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
    – Llopis
    Jun 29 '15 at 14:33












up vote
8
down vote

favorite









up vote
8
down vote

favorite











I work for a small company (6 people) - which does not have a dedicated HR person. I have discovered some of my, along with a colleague's, personnel files laying on an open network share. This includes information ranging from reference checks on my initial application through performance reviews from the last year.



I am looking for advice on how to bring this up with management?




human-resources




share|improve this question












I work for a small company (6 people) - which does not have a dedicated HR person. I have discovered some of my, along with a colleague's, personnel files laying on an open network share. This includes information ranging from reference checks on my initial application through performance reviews from the last year.



I am looking for advice on how to bring this up with management?





human-resources





share|improve this question











share|improve this question




share|improve this question










asked Jun 29 '15 at 11:32









Jane

441




441







  • 2




    Better yet, can you also see their personnel files?
    – Jane S♦
    Jun 29 '15 at 11:41










  • Could you explain how is the structure of the company? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
    – Llopis
    Jun 29 '15 at 14:33












  • 2




    Better yet, can you also see their personnel files?
    – Jane S♦
    Jun 29 '15 at 11:41










  • Could you explain how is the structure of the company? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
    – Llopis
    Jun 29 '15 at 14:33







2




2




Better yet, can you also see their personnel files?
– Jane S♦
Jun 29 '15 at 11:41




Better yet, can you also see their personnel files?
– Jane S♦
Jun 29 '15 at 11:41












Could you explain how is the structure of the company? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
– Llopis
Jun 29 '15 at 14:33




Could you explain how is the structure of the company? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
– Llopis
Jun 29 '15 at 14:33










2 Answers
2






active

oldest

votes

















up vote
10
down vote













This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).



Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"



Depending on how your network is setup it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.



Also, don't attribute malice when ignorance is likely.






share|improve this answer




















  • I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
    – NotMe
    Apr 14 '16 at 22:21

















up vote
-1
down vote













In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience,you should bring this up not only with your manager, but with the Security and IA function at your company if such function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...



The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great , unnecessary risk for the company. Ask yourself the following question:



  1. What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?


  2. Can you really be sure that your information such as SSN, DOB etc, given its your personnel file, has not already been compromised by a malicious outsider or internal employee?


I would expect most reasonable management to act promptly.






share|improve this answer






















  • I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
    – Anthony
    Apr 13 '16 at 0:20






  • 4




    It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
    – Kevin
    Apr 13 '16 at 4:04











  • The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
    – Ben
    Apr 13 '16 at 4:47










  • Very unrealistic answer based on the size of the company.
    – Myles
    Apr 13 '16 at 21:38










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "423"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f48972%2fpersonnel-files-not-being-secured%23new-answer', 'question_page');

);

Post as a guest

















2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
10
down vote













This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).



Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"



Depending on how your network is setup it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.



Also, don't attribute malice when ignorance is likely.






share|improve this answer




















  • I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
    – NotMe
    Apr 14 '16 at 22:21














up vote
10
down vote













This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).



Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"



Depending on how your network is setup it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.



Also, don't attribute malice when ignorance is likely.






share|improve this answer




















  • I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
    – NotMe
    Apr 14 '16 at 22:21












up vote
10
down vote










up vote
10
down vote









This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).



Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"



Depending on how your network is setup it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.



Also, don't attribute malice when ignorance is likely.






share|improve this answer












This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).



Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"



Depending on how your network is setup it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.



Also, don't attribute malice when ignorance is likely.







share|improve this answer












share|improve this answer



share|improve this answer










answered Jun 29 '15 at 15:00









Elysian Fields♦

96.8k46292449




96.8k46292449











  • I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
    – NotMe
    Apr 14 '16 at 22:21
















  • I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
    – NotMe
    Apr 14 '16 at 22:21















I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
– NotMe
Apr 14 '16 at 22:21




I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees records on it. I immediately called the IT director, she thanked me and the problem was resolved in minutes.
– NotMe
Apr 14 '16 at 22:21












up vote
-1
down vote













In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience,you should bring this up not only with your manager, but with the Security and IA function at your company if such function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...



The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great , unnecessary risk for the company. Ask yourself the following question:



  1. What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?


  2. Can you really be sure that your information such as SSN, DOB etc, given its your personnel file, has not already been compromised by a malicious outsider or internal employee?


I would expect most reasonable management to act promptly.






share|improve this answer






















  • I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
    – Anthony
    Apr 13 '16 at 0:20






  • 4




    It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
    – Kevin
    Apr 13 '16 at 4:04











  • The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
    – Ben
    Apr 13 '16 at 4:47










  • Very unrealistic answer based on the size of the company.
    – Myles
    Apr 13 '16 at 21:38














up vote
-1
down vote













In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience,you should bring this up not only with your manager, but with the Security and IA function at your company if such function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...



The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great , unnecessary risk for the company. Ask yourself the following question:



  1. What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?


  2. Can you really be sure that your information such as SSN, DOB etc, given its your personnel file, has not already been compromised by a malicious outsider or internal employee?


I would expect most reasonable management to act promptly.






share|improve this answer






















  • I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
    – Anthony
    Apr 13 '16 at 0:20






  • 4




    It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
    – Kevin
    Apr 13 '16 at 4:04











  • The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
    – Ben
    Apr 13 '16 at 4:47










  • Very unrealistic answer based on the size of the company.
    – Myles
    Apr 13 '16 at 21:38












up vote
-1
down vote










up vote
-1
down vote









In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience,you should bring this up not only with your manager, but with the Security and IA function at your company if such function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...



The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great , unnecessary risk for the company. Ask yourself the following question:



  1. What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?


  2. Can you really be sure that your information such as SSN, DOB etc, given its your personnel file, has not already been compromised by a malicious outsider or internal employee?


I would expect most reasonable management to act promptly.






share|improve this answer














In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience,you should bring this up not only with your manager, but with the Security and IA function at your company if such function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...



The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great , unnecessary risk for the company. Ask yourself the following question:



  1. What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?


  2. Can you really be sure that your information such as SSN, DOB etc, given its your personnel file, has not already been compromised by a malicious outsider or internal employee?


I would expect most reasonable management to act promptly.







share|improve this answer














share|improve this answer



share|improve this answer








edited Apr 13 '16 at 0:19

























answered Apr 12 '16 at 23:42









Anthony

5,1611255




5,1611255











  • I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
    – Anthony
    Apr 13 '16 at 0:20






  • 4




    It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
    – Kevin
    Apr 13 '16 at 4:04











  • The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
    – Ben
    Apr 13 '16 at 4:47










  • Very unrealistic answer based on the size of the company.
    – Myles
    Apr 13 '16 at 21:38
















  • I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
    – Anthony
    Apr 13 '16 at 0:20






  • 4




    It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
    – Kevin
    Apr 13 '16 at 4:04











  • The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
    – Ben
    Apr 13 '16 at 4:47










  • Very unrealistic answer based on the size of the company.
    – Myles
    Apr 13 '16 at 21:38















I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
– Anthony
Apr 13 '16 at 0:20




I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
– Anthony
Apr 13 '16 at 0:20




4




4




It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
– Kevin
Apr 13 '16 at 4:04





It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
– Kevin
Apr 13 '16 at 4:04













The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
– Ben
Apr 13 '16 at 4:47




The company has no HR, they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality and given that no IT audit function or policy exists how does the OP convince their manager?
– Ben
Apr 13 '16 at 4:47












Very unrealistic answer based on the size of the company.
– Myles
Apr 13 '16 at 21:38




Very unrealistic answer based on the size of the company.
– Myles
Apr 13 '16 at 21:38












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f48972%2fpersonnel-files-not-being-secured%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
Read more

Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
Read more