$7$ INCIDENT

Human Resource Information Systems Data Breach

Sweets, Inc., a candy manufacturer, is finalizing the implementation of a comprehensive

human resource information data system covering its $400-$plus employees. It has been

working on the system for two years and hopes to finish it within the next few months. This

system will eliminate virtually all of the paper forms used by the Human Resource Depart.

ment. The firm has been transferring all of the information contained on these forms to its

computer. When the process is complete, the firm will be able to store, analyze, retrieve, and

distribute most of its HR information.

Shortly, the company will be able to post job openings on the Internet and retrieve

incoming job applications. It will know what skills and abilities all of its employees possess

and what training each has received. It will be able to access performance appraisal

information on all employees to determine job performance levels and necessary training.

The firm will be able to examine pay and benefit information to determine individual and

aggregate compensation levels. It will also be able to easily prepare various documents such ${?}_{as}$

Form EEO$-1.$ All of this information will be available with just a few key strokes.

Until yesterday everything had gone smoothly. Then, a major problem developed that

turned everything upside down. A laptop computer containing sensitive data went missing

from one of the HR offices. Was it stolen? Did someone borrow it to work on at home? Was it

just moved to another office? No one knew for sure and a frantic search began, but it was

without success.

The human resource director decided he had better call the company president and the

head of computer operations to explain what had happened. The president wanted to know

immediately what information was stored on the computer and how this information could be

retrieved by others, assuming it was stolen. The HR director stated that he was not sure i

the laptop had been stolen, but that employee compensation information was probably on th

computer, including each person's name, address, telephone number, and social securith

number. The confidential information was password protected, so the average citizen coul

not retrieve it$,$ but an experienced hacker might be able to do so$.$ All three executives wert

aware of recent incidents in which sensitive computer data had been compromised at man

large corporations and that these corporations had issued warnings to those affected. Th

question that needed to be addressed was what action Sweets, Inc. should take given it

present situation.

What action do you recommend that Sweets, Inc. take now? Explain your reasoning,

What steps can the firm take to prevent this problem from occurring in the future?

What additional information needs to be gathered before any decisions are made

action taken?