Can Employers Be Held Liable for SAP Cybersecurity Breaches?
May 2, '19 by Joerg Schneider-Simon
Whether they’re signing up for a gym membership or downloading a new app, it seems like people are perpetually being asked for their personal information. And while consumers may have varying levels of trust in the organizations making the requests, there’s one party that individuals tend to trust unequivocally with personal data: their employers.
As employers, however, are we holding up our end of the bargain? And what responsibility do employers bear when employees’ sensitive personal information is stolen in a data breach?
Setting a Precedent for Data Responsibility
In 2018, the Pennsylvania Supreme Court handed down a ruling stating that an employer has a “legal duty to use reasonable care in safeguarding its employees’ sensitive personal information stored on an internet-accessible computer.” Dittman v. UPMC (University of Pittsburgh Medical Center) came about when a group of UPMC employees sued their employer after personal information – including names, birth dates, social security numbers, addresses, tax forms, and bank account information – was stolen for all 62,000 UPMC employees. The employees claimed that their employer was negligent and had breached an implied contract.
While this is only one case, law is built on precedent, meaning that Dittman could end up being the legal foundation for many similar cases in the future.
Could Your Employee Data Be Stolen?
Companies using SAP should all be very aware of Dittman and its implications, particularly if they use SAP’s E-Recruiting application for their human resources activities.
In our research, we discovered that an alarming number of companies are not adequately securing their E-Recruiting application or its data:
- Over 30% of the tested sites allowed SSL encryption to be bypassed by simply changing the URL protocol from https:// to http://.
- Fewer than 12% of the E-Recruiting implementations we tested required candidates to confirm their email address before submitting a job application, which leaves the vast majority of E-Recruiting portals as easy targets.
- Only 38% of the E-Recruiting implementations we surveyed required the user to specify a password that meets minimum requirements for length or complexity (e.g., mix of upper and lowercase characters, special characters, etc.).
These weaknesses increase the odds of a data thief infiltrating a company’s SAP E-Recruiting system and stealing the private personal data of any individual who has ever been employed by – or even applied with – the company.
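The first finding above (a portal that still answers over plain http://) is easy to check for your own installation. The script below is an added example, not part of the original post or any SAP tool: given the portal’s https URL, it requests both the http and https variants without following redirects and reports whether plain HTTP is served, whether the HTTP redirect actually lands on https://, and whether the HTTPS response carries a Strict-Transport-Security header. The portal path is whatever your installation uses; the one on the command line is an assumption.

```python
"""Check whether an SAP E-Recruiting portal can be reached over plain HTTP (added example)."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Probe:
    """Status code and lower-cased response headers of one request."""
    status: int
    headers: dict = field(default_factory=dict)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Fetch one URL; return a Probe, or None if no TCP/TLS connection was possible."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as r:
            return Probe(r.status, {k.lower(): v for k, v in r.headers.items()})
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx answers still carry headers
        return Probe(e.code, {k.lower(): v for k, v in e.headers.items()})
    except (urllib.error.URLError, OSError):
        return None  # port closed or connection refused: nothing served on this scheme


def classify(http_probe, https_probe):
    """Findings for one host: the weak cases the survey describes, plus a missing HSTS header."""
    findings = []
    if http_probe is not None:
        if http_probe.status < 300:
            findings.append("portal served over plain HTTP")
        elif http_probe.status in (301, 302, 303, 307, 308):
            if not http_probe.headers.get("location", "").lower().startswith("https://"):
                findings.append("HTTP redirect does not land on https://")
    if https_probe is not None and "strict-transport-security" not in https_probe.headers:
        findings.append("no Strict-Transport-Security header")
    return findings


def check_portal(https_url):
    """Probe the http:// and https:// variants of one portal URL and classify the result."""
    parts = urllib.parse.urlsplit(https_url)
    http_url = urllib.parse.urlunsplit(("http",) + parts[1:])
    return classify(probe(http_url), probe(https_url))


if __name__ == "__main__":
    # Constructed placeholder; replace with your own portal URL.
    for url in sys.argv[1:] or ["https://careers.example.invalid/sap/bc/bsp/sap/hrrcf_start_ext/"]:
        print(url, check_portal(url) or ["ok"])
```

An empty list means plain HTTP was refused or redirected to https:// and HSTS is set; anything else is a configuration to fix on the ICM/web dispatcher side.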
In addition, phishing is a significant risk to the security of your sensitive employee data. HR employees are less able to ignore emails, even if they appear to be a bit unusual, so it’s worth devoting the time and resources to helping these employees develop a discerning eye.
Reducing SAP Data Breach Risk
A successful data breach is nightmarish for any company. Add in the possibility of being successfully sued by your employees, and there’s even more impetus to do everything possible to keep sensitive data secured.
Here are some reasonable precautions to help improve your data security and prevent sensitive information from being stolen:
- Make sure your internal SAP controls and permissions are stringent, with sensitive employee data only being accessible to the few people who really require it.
- Implement increased password security for all SAP applications, including E-Recruiting.
- Ensure that all employees, particularly those who handle sensitive data, are trained on basic cybersecurity measures, such as spotting and avoiding phishing attempts.
- Make regular penetration testing a standard operating procedure to help spot any weaknesses in your defenses.
- Keep close watch over SAP Fiori users and ensure their cybersecurity hygiene training is up to par, as they’ll be accessing SAP from unsecured environments and servers.
- Be aware that SAP data is not stored in standard operating system disk drives, so protecting it will need extra attention.
As individuals become more aware of what companies – including their own – are doing with their personal data, they’re in a position to demand that these companies do a better job of protecting it. By showing your employees that you take their data seriously and that you’re doing everything within your power to protect it, you not only build trust with your staff, but you also reduce the chances of any data, whether personal or corporate, falling into the wrong hands.