- Are You Getting the Most Out of Your Performance Reviews?
- Cybersecurity for the Non-Cyber Company: Part II
by Greg Currey
While for many the arrival of November means the beginning of the holiday season, for Human Resources professionals and management in many organizations it means that performance review season has arrived. Supervisors and managers are being sent forms to fill out for their subordinates, with boxes to check rating them on a scale of one to ten, or one to five, or some range reflecting whether an employee is meeting, exceeding, or falling below expectations. This process is so common as to be nearly universal, and yet it is nearly universally disliked and distrusted. Nearly every study done over the past 15 years reflects that (1) managers and employees both distrust annual performance reviews and (2) annual performance reviews are not effective at improving employee performance. How, then, can companies improve their performance feedback process?
- Provide regular, timely feedback to employees. One of the major drawbacks of the annual performance review is that it’s only done annually. If an employee is under-performing all year round, why wait until the end of the year to say so? Similarly, if an employee is doing a great job, providing regular feedback helps them stay motivated.
- Separate compensation reviews from performance reviews. By separating compensation from the annual performance review, well-meaning supervisors are removed from the dilemma of over-rating an employee to ensure that they receive a compensation adjustment. Allowing the supervisor to provide constructive feedback in a manner that focuses solely on the employee’s performance creates more honest feedback.
- Provide short-term and long-term goals for all employees. When providing feedback, taking the time to prepare short- and long-term goals reinforces the purpose of performance reviews – improving employee performance. For top performers, discussing advancement opportunities and the company’s plans for them reinforces that they have a future with the company. For poor performers, providing concrete areas of improvement can assist you in either addressing issues or providing the support for later employment action.
If you have questions about how to effectively update your performance appraisal process, communicate changes to employees and ensure that they are being followed, please contact Greg Currey.
by Don Walsh
A simple review of the settlements reached by the Federal Trade Commission demonstrates one of the other fundamental aspects of data security which is often overlooked—the importance of examining the terms of contracts with subcontractors and vendors who have access to data. After identifying data breaches which have occurred, the FTC has made it a regular practice to see if the breached company also made reasonable inquiries into its subcontractors’ security practices or failed to contractually require the subcontractor to implement “reasonable and appropriate security to protect personal information.” It is not enough for a business to implement strong cyber controls; businesses are also responsible for ensuring third-party providers have in place reasonable cyber controls. If a third-party provider does not have in place good practices, the company can be just as liable as the third-party vendor.
These inquiries send a warning and teach a valuable lesson for any company involved in the collection or transmission of sensitive data. All companies must make a reasonable effort to ensure that their subcontractors’ data protection practices are adequate and in line with appropriate privacy and security policies. All subcontracts and supply agreements with vendors who will have access to the data should identify, represent, warrant and agree to maintain adequate physical and technological security measures.
In addition to requiring this level of protection, businesses must make sure that their vendors also start reviewing existing agreements with other vertical providers in the data chain of the organization. Not all cloud providers guarantee the confidentiality, secrecy or segregation of data stored in the cloud. For example, many typical cloud agreements reserve the right to access, remove or edit data content, disclaim warranties and damages for any breaches of the cloud, have no clear processes for releasing data under subpoena and notify users that there is no protection for any information in “public areas.”
At a minimum, third-party agreements and the process for selecting third party providers should address the following areas:
- Identification of all parties, including subcontractors of the provider, who may have access either physically or virtually to the data
- Representations and warranties about protections currently in place
- Analysis of the steps taken to ensure the integrity of data including representations as to whether and when it is encrypted and/or commingled with other data
- Identification of steps taken to back up or archive data and where these backups are stored or managed
- Whether the vendor will make any use of the information or collect any metadata
- Whether there are any audits of the vendor’s processes and who has access to the audits
- The provider’s response to subpoenas for data stored on its servers and equipment
- What notices the vendor will provide of any breach or loss of data and how quickly it will notify you of the breach or loss
- What ability exists to move data to other providers as necessary and whether all copies are thereafter destroyed by the vendor
- What policies exist for termination and destruction of data over time
- Indemnification against any losses and damages due to failure to safeguard data
- Consent to any sub-subcontracting
- A dispute provision including choice of law and choice of venue for resolution of disputes