How to protect your employees’ PII on social media

Businesses everywhere are leaking employees’ personal information. A quick glance at most social media platforms will show business marketing departments celebrating events such as birthdays, work anniversaries, and other employee life events. If your business does this, you may be inadvertently leaking their personal information on a public platform.


What is PII and why is it important to protect?

PII is anything that can be used to identify a person. Most people recognize it as things like a person’s full name, date of birth, address, driver’s license number, or Social Security number. Those are all correct, but there’s much more. Anything that can be linked back to an individual as uniquely that person is considered PII. Here are a few things that we frequently see posted on social media by small businesses:

1. Birthdays
2. Work anniversaries
3. Job promotions
4. Job titles

According to a recent Pew Research Center study, Americans are concerned, confused and feel a lack of control over their personal information. With access to someone’s PII, an individual can easily impersonate another person and potentially gain access to social media accounts, financial accounts, medical records, and even commit fraud. Depending on what was leaked, it could mean spending time and money to recover from the leak. That’s why it’s essential that employers ensure that all PII is secure and protected.


What are the consequences of not protecting PII?

Failing to protect employee PII can lead to a variety of issues, including identity theft, financial losses, legal liabilities, and even reputational damage. For example, if an employer fails to keep employees’ PII confidential, they could be subject to a lawsuit by an affected individual.

While it may seem innocent to wish an employee a Happy Birthday, the cost of the leak far outweighs the increase in attention to the social media page. It puts the employee at risk every time an individual milestone is posted. Leaking an employee’s PII can also have more serious implications such as putting them at risk of identity theft. This can lead to fraud and theft of their money, property or assets. It can also lead to stalking or harassment. In some cases, the leaked data can be used for malicious purposes such as accessing accounts or committing crimes under the employee’s name. All of these risks are why it is so important for businesses to properly secure and protect their employees’ PII.


Does this mean you can’t post about your team?

It doesn’t mean that at all. Fortunately, there are ways for businesses to ensure that employee data is protected without posting employee personal information. But there are some things your team should consider when posting. The key is to consider if what you are about to post could be used to identify an individual specifically. If it can, don’t post. Here are some quick guidelines to help.


Don’t:

1. Tag employees.
2. Post about birthdays or work anniversaries.
3. Post other milestones that are unique to an individual.

Do:

1. Feature promotions, awards and other professional accomplishments of team members in an indirect way that doesn’t reveal any personal information. For example, instead of “Happy 5th work anniversary, John!” use “We are proud of our long-tenured team members who have made such an impact on our business – thank you!”
2. Tag other businesses. Ex. “Shout out to our local restaurant for feeding our team today. The food was delicious!”
3. Post pics of groups (small or large) without identifying the individuals. Ex. “Today we gathered for team training to learn more about our industry. We love the opportunity to invest in our teams.”
4. Post milestones of the business overall. Ex. “We’ve reached 10,000 followers! Help us celebrate.”
5. Celebrate the community and the team’s involvement in the community. Ex. “Today our team helped out with Habitat for Humanity. We enjoy the opportunity to help build our community.”

Social media is for being social, but that doesn’t mean it’s for sharing employees’ personal information. It’s important to limit the amount of employee data you post on public platforms like Facebook, Twitter, Instagram, LinkedIn and other social networks. If you must include sensitive details in any post, be sure to redact them before publishing. By sharing things about the business specifically instead of an individual person, you can avoid leaking employee PII.


How can businesses protect PII on social media?

Businesses must take measures to keep their employee data safe from outside sources. This starts with creating social media policies around posting information about employees online that outline what information should never be shared. The policies should include guidelines for how employee information should be shared both internally and externally.

It’s best to leave internal celebrations for internal communications. For example, send a company-wide communication (think email, group message, etc.) that celebrates individual anniversaries or birthdays. Send public communications (social media posts or blogs) about milestones for the business. When you do post pictures of employees, do not include identifying information. Refer to an employee as “team member” or “employee” instead of using their full name. Also, it is important to remind all employees of proper protocols for posting on personal and professional accounts; this includes avoiding posting any type of information related to themselves or the workplace on social media platforms.


Keep your business accounts secure

Putting adequate security protocols in place on your social media accounts can help you limit access to information that should not be public. This protects both the business and the employees.

1. Social media accounts should have two-factor authentication enabled so that even if someone were to obtain the account password, they would still need an additional piece of information to access the account.
2. Have more than one administrator, but keep that number small. You want the ability to remove an administrator of an account if their account is compromised. However, too many administrators can prove problematic.
3. Monitor employee accounts for any suspicious activity that may indicate someone has gained unauthorized access.
4. Limit the reach of your post to the areas you want. For example, if you are a small business and only sell in an area of Texas, limit your post visibility to the United States. This can limit the visibility to suspicious accounts that are not interested in working with you in the first place.
5. Have rules or guidelines for interacting with other people on social media platforms so there’s no confusion about appropriate behavior.
6. Set up alerts that will notify you when certain topics or phrases related to sensitive topics such as employee PII appear online. This way, you’ll know right away if something concerning is happening and can take action quickly to minimize the potential damage.

By taking these steps, you can help keep your employees’ PII safe and secure while still being able to enjoy the social side of social media!