ForgeAwareness
Module (14 min)

HR holds the most-regulated data in the company

TL;DR

HR systems contain SSNs, medical info, salaries, performance records, investigations — data subject to overlapping privacy laws, regulatory penalties, and class-action lawsuits. You have stronger obligations than most teams.

What HR actually holds

HR teams have access to a concentration of sensitive data unmatched in most organizations:

  • PII — full legal names, addresses, phone numbers, emergency contacts
  • Government identifiers — SSNs, driver's licenses, passport numbers, visa status, immigration documents
  • Financial — salaries, bonuses, banking for direct deposit, garnishments, equity
  • Health — disability accommodations, medical leave, benefits selections, sometimes diagnostic info
  • Background checks — criminal records, credit reports, drug test results
  • Performance & conduct — reviews, PIPs, terminations, HR investigations, whistleblower complaints
  • Family & dependents — covered dependents, beneficiaries, sometimes their PII too

Almost all of this is classified at the highest level under your company's data policy. Much of it carries regulatory obligations.

The regulations that hit HR specifically

  • State laws — California (CCPA/CPRA), Illinois (BIPA for biometrics), Washington (My Health My Data), New York SHIELD, plus state-specific employee data laws
  • GDPR for any EU employees or candidates
  • HIPAA for health-plan-administered information
  • FCRA for background checks
  • EEOC / state equivalents for investigation records
  • ADA for accommodation requests
  • Sector-specific — SOX (for public companies), GLBA (financial services), FERPA (education)

This isn't a course on the regulations — it's a course on the security behaviors that satisfy them. But the regulatory pressure is why HR security is different.

Real HR incidents

  • 23andMe (2023) — Credential stuffing affected millions; HR/recruiting data was part of the breach radius for the company itself
  • Various HR vendors — UKG, Kronos, Workday — repeated breach announcements affecting customer HR data
  • Twitter / X (2023) — Internal data including employee records exposed during management transition
  • Multiple universities and school districts — repeated HR ransomware impacts

The pattern: HR is rarely the primary target, but HR data is often the highest-value collateral damage.

Knowledge check

Knowledge check 1

Which makes HR data different from most other internal data?