Vol. 4, No.2
When you safeguard applicants' personal information, you protect your company's recruiting efforts as well as its reputation.
Personal data loss is a problem that is getting worse. Through carelessness, theft of equipment or intentional larceny, 200 million people have had their financial privacy and security put at risk, according to several estimates.
Some of those people may be applying for positions at your company or institution.
And they are very angry:
- "I spent the last 24 hours enraged at the senseless nature of this security breach," was one recent web site posting concerning an affected organization.
- "The [employer] has proved itself incapable of the most rudimentary security procedures."
- "Failure to secure this information is simply outrageous, and should be punishable."
With opinions and allegations such as those flying around, some of them sounding like quotations from a likely lawsuit, companies that suffer security breaches are understandably reluctant to talk about whether any lapses have caused a drop-off in the number of job applicants or if they have complicated the recruiting process at all.
Consider the Gap. Last September, the clothing retailer discovered the loss of personal data of 800,000 people who applied for jobs with the company's Old Navy, Banana Republic, Gap and Outlook stores in the United States, Puerto Rico and Canada. The affected applications were taken by telephone or online and, in the United States and Puerto Rico, the lost data contained Social Security numbers (SSN).
Gap would not comment on whether this disaster had a chilling effect on its recruiting. But how could it not, asks security expert Dan Geer: "If a firm has been sloppy with the stuff it was entrusted with, why wouldn't I think it would be sloppy with stuff it demands of me? At this point, the burden isn't 'trust me' but 'why should I trust you?' "
Geer is vice president and chief scientist at the software security firm Verdasys in Waltham, Mass. He reminds recruiting professionals that they might deal with repeat victims without realizing it, "folks to whom [loss of personal data] has happened more than once. You cannot get back the faith of people to whom it has happened more than once."
Applicants may not disclose their concerns, warns Kelly Todd, a staff member at the nonprofit computer security web site Attrition.org (see box). He says job seekers who know about a security breach might feel "dismay, possible anger and maybe a certain level of confusion, [but] their outward reaction may be different, especially if they're relying on being employed by that particular company."
Rather than wondering how many prospective employees are secretly simmering, Geer says, "You probably should score what percentage of the people are recoverable. I don't know. That's the sort of metric you're looking for."
Agrees security consultant Philip Deming, CPP, CFE, SPHR, "It's a spiky area that no one's really looked at."
Deming, whose firm Philip S. Deming & Associates is based in King of Prussia, Pa., says, "Most mid-[size] and smaller market employers don't think about" the negative implications that a data disaster can have on recruiting efforts.
A prospect, says Deming, "will spend time, 40 to 80 hours, trying to recover," securing credit and debit cards and bank accounts. Letters may have to be written to credit reporting services and collection agencies. Such prospects may decline jobs they would otherwise have taken. Others may never complete the application process.
If lost data actually is misused, victims may have legal fees and will spend many months dealing with the problem, according to Linda Foley, co-founder of the Identity Theft Resource Center in San Diego (www.idtheftcenter.org). "There's a lot of anger at the slowness of the system and the perceived slowness in clearing your name and trying to get information [from the company] about what happened."
Foley, who was also a victim of identity theft, says the anger will not be assuaged by press release apologies, even with the usual assurances that the particular security barn door now has been closed.
Blaming an HR vendor won't help, either. In a statement, Gap claimed it takes very seriously its obligation to protect personal information, but "unfortunately, contrary to our agreement with this vendor and the vendor's own requirements and procedures, the vendor's laptop contained unencrypted personal information provided to us by job applicants."
"That doesn't diminish responsibility at all," says Steve Byars, vice president of administration for AMX Corp. (www.amx.com), developers of technology hardware and software in Richardson, Texas. "If it's your responsibility, it's your responsibility."
Even offering to pay for credit monitoring and fraud resolution services is seen as inadequate. "The whole process is very difficult for the company and the job seeker," observes Byars. "As we say in Texas, once the horse is out of the pasture it's hard to get it back."
First, Do No Harm
Companies and institutions that have had data losses still must hire employees. And for staffing professionals, the first step is not to make the situation worse by being insensitive to applicants' fears.
"Not all personnel departments are as enlightened as we would wish," says Foley. "When you don't fill in every line [on an application], they don't want to deal with you."
After her identity theft (the perpetrator, who later went to jail, was her employer), Foley was afraid to apply for a new job for several months. When she finally started speaking to companies, "The first thing they wanted was a Social Security number." She claims her refusal to provide an SSN cost her many interviews but insists that there is no reason for an employer to have that information until much later in the recruiting process, and there's good reason not to provide it. "We hear all the time," she says, "about dumpsters that are full of job applications."
Another mistake is to promise too much to applicants worried about data security. Todd of Attrition.org says staffing professionals must recognize that "everything is vulnerable, so even though assurances can be made regarding the safety of personal information, there's really no guarantee that can be made regarding safety or the possibility of misuse."
Foley agrees that absolute security is impossible "because we're talking about human beings."
Making It Seem More Secure
Companies and institutions should stress to applicants the steps being taken to make personal data safer. "I talk about using that as a recruiting tool," says Deming, "what the employer does in terms of protecting information."
Security policies should be spotlighted throughout the application process. "If the employer gets out in front of that, it shows that you're pretty thoughtful and concerned about your workforce's personal data," says Deming, a longtime Society for Human Resource Management (SHRM) volunteer and a former member of the SHRM Employee Health, Safety & Security Special Expertise Panel.
Says Geer of Verdasys: "The pool of confidence is like the deposits in a bank." And the trick is to keep them there.
Making It More Secure, Period
In three separate incidents in 2005 and 2006, laptops were stolen from employees of The Boeing Co. Unencrypted files containing personal data of more than half a million current and former employees were lost.
Donald Harris, president of HR Privacy Solutions in New York (www.hrprivacy.com), has consulted for Boeing. He says the company responded with an expensive project to delete SSNs from its files whenever possible. Employees were given mandatory training in data security. Still, Harris reports, "Boeing had a couple of breaches after their major one. It's going to be a perennially recurring problem." He adds, ominously, "Anyone with HR data either has had a breach or is about to."
There are some basic steps the security experts recommend. Foley says personal data should be available on a need-to-know basis. "Most companies storing paper files â€¦ should keep them in locked file cabinets with a minimum number of eyes seeing them," and only after signing for them. "If data is stored electronically, [personal] information should be encrypted and partially truncated, with access only by people at the highest level," she adds.
Todd says, "Don't allow any personal data to be stored on mobile devices [which are more easily lost or stolen], and make sure best practices are adopted regarding document and data disposal. Companies can adopt 'shred everything' and 'clean desk' policies to further protect personal information."
Deming says companies and institutions should begin with a decision: "We don't really need the SSN. We'll use another kind of identifier and we will have firewalls and other protections." He acknowledges that, in some small- or mid-size entities, "They don't have the luxury of doing that kind of strategic planning."
But Foley says they should: "The bottom line is, if information is stolen, you have a loss of trust which can cost hundreds of thousands of dollars" and drive away uncountable numbers of applicants. "Money is replaceable," asserts Foley. "Reputation is not."
Steve Taylor's most recent article for Staffing Management magazine was "Searching for the 'Silver Bullet'" in the January-March issue.