HR Data Privacy in a Cyber Crime Landscape
Every day it seems there is a new and concerning headline about data privacy and data breaches, stolen identities, and/or misappropriated IT accounts and credentials for us to worry about. While the vast majority of these have taken place in commercial settings like online shopping, financial services, and healthcare, or through social media like the 87 million exposed accounts in the Facebook Cambridge Analytica scandal; HR professionals no longer have the option of not being constantly cognizant of, and vigilant about, the responsibility to employees to ensure data privacy using every available technique at their disposal.
It’s not just financial institutions and social networks that hackers target. In the last few years alone, news reports of several well-known human capital management software companies experiencing data breaches have come to light. In one HCM provider data breach, hackers were able to access personally identifiable information (PII) through an unsecured client portal. In the case of another provider, the payroll accounts of their client’s employees were exposed and accessed without authorization, with at least one affected employee’s data used to file a fraudulent tax return.
Businesses and Employee Data are the New Focus of Cyber Criminals
The 2018 (to date) Identity Theft Resource Center Breach Stats Report reveals that in the last 13 years, 8,909 breaches were reported, exposing 1,078,783,151 records to cyber criminals. In 2018 alone, from Jan. 1, 2018, to present, more than 12.3 million data records have been affected by 383 separate reported breaches. Of those records, businesses including financial institutions were responsible for 42.6%, healthcare organizations were responsible for 38%, and financial institutions were responsible for 12%.
These statistics should serve as a warning to small-to-medium sized businesses, and, even larger organizations, that regularly reviewed policies and training can mitigate data security threats. HR can also establish a strategy to automate employee termination which would automatically shut off employee access to their network and business applications when the employee leaves an organization. Lastly, it’s critical to find an HCM provider that protects user data through encryption and multifactor authentication.
The Three Types of Employee Data Organizations Must Protect
There are three distinct areas of employee data that organizations must protect based on the level of sensitivity associated with the information and federal regulations.
PII, or personally identifiable information, is employee data that can be used to distinguish or trace an employee’s identity, including, but not limited to, name, date of birth, and even or biometric data. Sensitive Personally Identifying Information, or SPII, is personally identifiable information, which if compromised could result in substantial harm to an individual. For many employers, this means protecting an employee’s SSN, banking information, and contact information (such as email, home address, phone number, etc.). Lastly, PHI, also known as Personal Health Information, includes medical data that has been shared with an employer by employees, insurers or medical professionals, intentionally or otherwise.
Ensuring Employee Data Privacy
While no organization deliberately sets out to become another data breach statistic, some organizations still may not understand the critical need for cybersecurity protection as it relates to employee data. As evidenced by the cases noted above, HR data regularly contains sensitive PII that makes it a key target for criminals. In order to best protect an organization from attacks, and keep HR data secure, it’s critical for HR professionals to understand and answer five essential questions that indicate an organization’s preparedness.
- In the last year have you revisited your data privacy and data breach policies to ensure your organization has kept pace with the breathtaking rate at which cyber-criminals innovate methods to steal data?
- Did you work in concert with your IT and risk management professionals to address issues such as computer hardware impacts, bring-your-own-device mobile access policies, HCM solutions provider relationships, and cyber-insurance providers when developing these policies?
- Are you assured that you have taken all the steps available to you to secure employee data in meaningful ways including encrypting device hard drives, locking down or eliminating the ability to download and store PII on a memory stick?
- Have you required your HR software provider to incorporate multi-factor authentication into your employee and manager self-service portals?
Whether it’s employee’s social security numbers, insurance information, or bank account information — at some point a hacker will see your businesses vulnerable data as their next big paycheck. That’s why everyone in your company — not just IT — needs to understand the threats and how to mitigate them.