The most common cause of data breaches isn’t hackers—it’s employees. According to research presented at Littler’s recent webinar on data security, 76% of data breaches are caused at least in part by insiders. Of these, 90% result from human error, not malicious intent. Yet whether accidental or deliberate, the consequences are costly: the average cost of a U.S. data breach is about $9 million, and even relatively minor breaches can rack up expenses of $20,000 to $200,000.
For HR professionals, the risks are heightened. Personnel records often contain some of the most sensitive data a company holds—Social Security numbers, health information and payroll details. Add the growing use of AI, remote work and increasingly sophisticated cyberattacks, and it’s clear that HR must play a central role in strengthening data security.
Hiring and onboarding: Your first line of defense
Many breaches begin with flawed hiring practices. Littler attorneys highlighted recent cases in which employers discovered—too late—that employees had fabricated résumés or committed identity theft in order to gain access to company data.
To reduce risk:
Once hired, employees should sign confidentiality agreements that clearly cover personal data, drafted to comply with labor laws protecting employee rights. Data security training must be concrete and practical—clearly defining sensitive data, outlining proper storage and access protocols and addressing modern threats like phishing, AI misuse and data breaches through email mistakes or personal account access.
Remote work and insider threats
Remote employees pose unique challenges. They are harder to monitor and may feel less connected to company policies, making intentional or unintentional data leaks more likely. Real-world examples include a “model” remote employee who outsourced her work to unauthorized individuals, compromising health data in the process.
To mitigate these risks:
Manage access, map your data
Limit sensitive data access to only those who need it, and update permissions promptly when roles change or employment ends. Additionally, many organizations don’t know where all their data lives. Data mapping—whether manual or via AI tools—can help track and manage stored data, reduce breach costs and ensure timely data deletion.
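The least-privilege and data-mapping practices described above can be operationalized as a periodic access review. The following is an added example, not code from Littler or from the article: it assumes a hypothetical data map (which systems hold which categories of personnel data and which roles have a business need for them), a hypothetical HR roster, and a hypothetical list of access grants, all constructed inline. It flags grants that belong to departed or unknown users, grants to systems missing from the data map, grants that no longer match the holder's role, and grants that predate the holder's last role change and so need re-approval.

```python
"""Least-privilege access review over an HR data map (added example, constructed data).

DATA_MAP, Employee, Grant, review_grants and reachable_categories are hypothetical
names; they do not come from any particular HR or identity system.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    status: str        # "active" or "terminated"
    role_since: date   # date of the most recent role change


@dataclass(frozen=True)
class Grant:
    user_id: str
    system: str
    granted_on: date


# Data map (constructed): where sensitive personnel data lives and which roles need it.
DATA_MAP = {
    "payroll-db": {"categories": {"SSN", "salary"}, "allowed_roles": {"payroll"}},
    "hr-records": {"categories": {"health", "address"}, "allowed_roles": {"hr", "payroll"}},
}


def _grant_issue(emp, grant):
    """Return the first review failure for one grant, or None if it passes."""
    if emp is None:
        return "unknown_user"        # orphaned account: nobody on the roster owns it
    if emp.status != "active":
        return "terminated"          # access should have been revoked at offboarding
    entry = DATA_MAP.get(grant.system)
    if entry is None:
        return "unmapped_system"     # sensitivity unknown: add it to the data map first
    if emp.role not in entry["allowed_roles"]:
        return "role_not_allowed"    # current role has no business need for this system
    if grant.granted_on < emp.role_since:
        return "recertify"           # granted under a previous role; re-approve or revoke
    return None


def review_grants(employees, grants):
    """Return (user_id, system, reason) for every grant that fails the review, sorted."""
    roster = {e.user_id: e for e in employees}
    findings = []
    for g in sorted(grants, key=lambda g: (g.user_id, g.system)):
        reason = _grant_issue(roster.get(g.user_id), g)
        if reason is not None:
            findings.append((g.user_id, g.system, reason))
    return findings


def reachable_categories(grants, user_id):
    """Categories of sensitive data one account can reach: the exposure if it is misused."""
    cats = set()
    for g in grants:
        if g.user_id == user_id and g.system in DATA_MAP:
            cats |= DATA_MAP[g.system]["categories"]
    return cats


# Constructed roster and grants for the review.
EMPLOYEES = [
    Employee("alice", "payroll", "active", date(2023, 1, 10)),
    Employee("bob", "engineering", "active", date(2024, 6, 1)),   # moved out of payroll
    Employee("carol", "recruiter", "terminated", date(2022, 3, 1)),
    Employee("eve", "hr", "active", date(2021, 9, 15)),
]
GRANTS = [
    Grant("alice", "payroll-db", date(2023, 2, 1)),    # fine: granted after role change
    Grant("alice", "hr-records", date(2022, 12, 1)),   # predates role change: recertify
    Grant("bob", "payroll-db", date(2022, 5, 1)),      # role no longer needs it
    Grant("carol", "hr-records", date(2022, 4, 1)),    # left the company, never revoked
    Grant("dave", "hr-records", date(2023, 7, 1)),     # nobody named dave on the roster
    Grant("eve", "legacy-share", date(2021, 10, 1)),   # system missing from the data map
]

if __name__ == "__main__":
    for user, system, reason in review_grants(EMPLOYEES, GRANTS):
        print(f"{user:6} {system:13} {reason}")
    print("bob can reach:", sorted(reachable_categories(GRANTS, "bob")))
```

Each finding names the action the article calls for: revoke on termination, revoke or re-approve on role change, and extend the data map whenever a grant points at a system it does not cover.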
Balancing security tools and privacy
AI-based security tools can detect unusual behavior or phishing attempts, but employers must ensure these tools comply with privacy laws. Monitoring employee communications without notice or consent may violate wiretap or data protection laws, especially outside the U.S.
Protecting employee data is about both technology and people. The right hiring, training and oversight can turn your biggest risk into your strongest defense.