Personnel files not being secured


I work for a small company (6 people) - which does not have a dedicated HR person. I have discovered some of my, along with a colleague's, personnel files lying on an open network share. This includes information ranging from reference checks on my initial application through performance reviews from the last year.

I am looking for advice on how to bring this up with management.








asked Jun 29 '15 at 11:32 by Jane







  • Better yet, can you also see their personnel files?
    – Jane S♦
    Jun 29 '15 at 11:41
  • Could you explain how the company is structured? How many of your colleagues have their data compromised? Is it open to someone outside the company or just within the company?
    – Llopis
    Jun 29 '15 at 14:33






















2 Answers

This is a situation where just talking to your management is the easiest thing. Small companies often are informal and most assuredly start more informal. It may be that location was fine when there were fewer employees or the person creating it doesn't even realize others can see it (depending on how technical they are).



Just find some time and ask, "hey, I inadvertently came across my personnel file on our network share in public - this probably shouldn't be public, are you able to restrict access to this or move it?"



Depending on how your network is set up, it'd be helpful to suggest ideas. Probably just securing the folder on the share drive will work. Suggestions are always great for a manager regardless.



Also, don't attribute malice when ignorance is likely.







answered Jun 29 '15 at 15:00 by Elysian Fields♦ (score 10)











  • I took this exact approach in a larger company I worked at. I had a bit of downtime and was browsing the network structure when I found a file server, open to everyone, that had thousands of employees' records on it. I immediately called the IT director; she thanked me and the problem was resolved in minutes.
    – NotMe
    Apr 14 '16 at 22:21

















In my current position, I oversee internal controls, security, and compliance at my company on the IT Audit team. From personal experience, you should bring this up not only with your manager, but with the Security and IA function at your company if such a function exists, and you are authorized to do so. You should review your company policies relevant to your concern - Acceptable Use of technology, confidentiality, data handling and classification...

The situation you describe seems to be an accident / lawsuit waiting to happen. It also creates great, unnecessary risk for the company. Ask yourself the following questions:

  1. What other than personal ethics, job loss, and potential criminal liability stands between you disclosing the PII / sensitive information of your colleagues or them disclosing yours to an unauthorized person?

  2. Can you really be sure that your information such as SSN, DOB, etc., given it's your personnel file, has not already been compromised by a malicious outsider or internal employee?

I would expect most reasonable management to act promptly.







answered Apr 12 '16 at 23:42 by Anthony (score -1), edited Apr 13 '16 at 0:19











  • I think my answer is reasonable. An explanation of the DV would be appreciated so I can improve my answer.
    – Anthony
    Apr 13 '16 at 0:20
  • It's not a helpful answer for a small company. OP's company has 6 people in it, so it probably doesn't have a dedicated IT team or formal IT policies.
    – Kevin
    Apr 13 '16 at 4:04
  • The company has no HR; they certainly don't have IT audit. All you've suggested doing here is the OP reviewing policy. How will that change the actuality, and given that no IT audit function or policy exists, how does the OP convince their manager?
    – Ben
    Apr 13 '16 at 4:47
  • Very unrealistic answer based on the size of the company.
    – Myles
    Apr 13 '16 at 21:38















