Securing Employee Data: The Role of People Operations, SOC2, and more

Employee data breaches have never been more common, nor has their fallout been more expensive. With an understanding of some key security terminology, Human Resources & People Operations teams can play an impactful role in keeping their company’s employee data secure.

Employee data breaches have never been more common, nor has their fallout been more expensive. Just within the last year, from 2022 to 2023, the number of such breaches is estimated to have increased by between 41% and 78%. The impacts of these breaches are wide and deep. An IBM report estimates the average cost of these breaches has risen to an all-time high of $4.88 million per incident (a 25% increase from 2020). But the monetary impact is just the beginning.

All employees whose data is affected are at risk in these situations. The impact on any individual can be catastrophic, e.g. if their identity is stolen, or if important financial transactions like home purchases are disrupted. Affected employees report increased stress as a major issue following these events, which in turn leads to a loss of employee trust. Companies risk everything from lawsuits to employee attrition to the loss of reputation among customers and employees alike.

The role of people operations in securing user data

For companies with a strong security program, everyone in the organization plays a role in security. But people teams have a particularly important role to play. A SHRM report outlines the crucial role people operations and human resources play in cybersecurity, and in particular in the response to attacks. Moreover, HR professionals often work with the most sensitive employee data and understand the importance of safeguarding it. In a recent survey, 31% of human resources managers said that they need better protection for employee data.

However, strong internal controls are often not enough to secure sensitive user data. You may not have heard of Epsilon, but it was a popular marketing tool used by big-name brands such as Verizon, Chase, Marriott and more. A data breach in Epsilon’s systems ultimately led to what is now considered the biggest breach ever, with estimates putting its impact at $4 billion.

In today’s cloud-native world, companies are using an ever-increasing number of technology vendors, and with the rise of HR tech, we are sharing more sensitive employee data with vendors than ever before. To protect employee data, it is no longer enough to secure your own systems; you need to ensure your vendors are protecting that data as well.

What does having a SOC 2 report mean?

How then can you decide whether to entrust a third-party vendor with your sensitive employee data? The most common answer you’ll hear from SaaS vendors is that they have a “SOC 2” report. Let’s dig deeper into what that actually means (perhaps less than you might think), and whether that is enough (in many cases, no).

The first important thing to note is that a SOC 2 report is NOT a certification, but an attestation. That is not simply a semantic nitpick; it goes to the heart of what SOC 2 is and is not. It means there is no generally accepted standard or bar that must be met to be considered SOC 2 compliant: SOC 2 is a descriptive process, not a prescriptive one.

The second important fact to know is that there are five different SOC 2 principles—security, privacy, availability, processing integrity and confidentiality. These are all related and interconnected topics, and all work together to truly safeguard user data. However, out of these, only one (security) is mandatory, and the rest are optional. Companies can choose which, if any, of the other four principles they include in their SOC 2 reports.

In short, the process for SOC 2 boils down to a company picking which SOC 2 principles they want included in their report, defining their own standards that they should be meeting within those principles, and then working with an accredited third party to document and demonstrate that they do meet those standards.

To be clear, the SOC 2 process and reports are incredibly valuable, especially as a starting point for establishing good security and data practices. For fledgling companies, the flexibility afforded by the SOC 2 process makes SOC 2 very attainable and is important as they get their security efforts off the ground. SOC 2 can thus be a great first step for companies, but it’s important to remember that it is just that—a first step. In particular, the fact that there’s no actual objective standard means it’s ultimately limited when it comes to truly answering the question of whether you can trust someone with your data.

Beyond SOC 2

If SOC 2 is a good first step, what else should one consider afterwards? The most widely regarded standards in this domain are established via the ISO certification standards. These are international standards that are prescriptive about certain controls one must meet. Unlike a SOC 2 attestation, you must demonstrate that you meet these established requirements, and if you do, you can get certified for the applicable ISO standard.

There are various ISO standards covering different important areas. Some key ones are ISO 27001 covering security, ISO 27701 covering privacy and ISO 22301 covering business continuity. Together, these establish best practices and standards for ensuring that your operations are secure, follow best practices to protect private data and are resilient to unexpected incidents.

Whereas a SOC 2 attestation lets you customize your controls, ISO standards specify requirements your business must meet. For example, the Annex A controls of the ISO 27001 process specify 93 different security controls. These include everything from technical controls around backups, monitoring and malware detection to people controls such as screening, training and reporting. To gain an ISO certification, a business must work with an accredited auditor to collect documentation supporting all of the required controls, or provide evidence for why they are not relevant.

Finally, beyond ISO, various jurisdictions have established minimum regulatory compliance standards for privacy. These include but are not limited to the GDPR in the European Union, PIPEDA in Canada and CCPA in California.

Towards better security

To be clear, it’s not a question of SOC 2 versus ISO, and a well-rounded security program should consider all of these. For instance, at Sparrow, everything we do is built on a foundation of trust, and we take that trust very seriously. Like many others, we started with a SOC 2 attestation, but we did not stop there. Since then, we have invested in obtaining certifications for all of the standards discussed above—ISO 27001, ISO 27701, ISO 22301—as well as compliance attestations for privacy standards such as GDPR, CCPA and PIPEDA. Going through these different programs has taught us much and ensures that we are thinking of security through all possible angles.

Ultimately, though, no quantity of certifications or attestations is sufficient on its own; they are no guarantee that you are safe. Security is all about mindset, and to be secure, the entire organization has to prioritize it in everything it does. For people teams, one important step you can take is to take a deeper look at the security practices of your technology vendors.