Vol. 51, No. 6
Keep your employees and your organization secure by protecting personnel files.
Philip Deming, SPHR, is reminded every day how breaches in personnel information can damage organizations. As a former federal agent who is now president of Philip S. Deming & Associates, a security and risk consulting firm in King of Prussia, Pa., Deming makes a living helping organizations that have allowed security breaches involving employees’ personal information.
In one recent case, a large nonprofit association in Washington, D.C., paid “more than six figures” to correct the credit of 100 of its highest-paid employees. A security breach occurred when the organization changed life insurance policies. It hand-delivered to its new broker in Baltimore paper documents containing all the necessary information—names, birth dates, addresses and Social Security numbers. A temporary worker for the insurance broker proceeded to photocopy and sell the information, Deming says. The breach wasn’t discovered until employees began receiving credit card bills for hundreds of dollars in items they hadn’t purchased, he says.
Months of painstaking investigation ensued—for both the insurance company and the organization. Worse than the financial and administrative burdens was the cost to morale, Deming says. Seven of the association’s senior employees quit as a result of the security breach.
“It’s a nightmare for morale,” says Deming, who serves on the Society for Human Resource Management’s (SHRM) Employee Health, Safety and Security Special Expertise Panel. “If an employee’s information is stolen, that employee poisons the well from there on out. They will tell everyone they know about HR’s incompetence. They will take enormous amounts of time off [to repair credit, for emotional rest and for the trial]. It takes a very long time to recover from a personnel breach.”
Luckily, you can learn from the mistakes of the life insurance company, the nonprofit organization and others. Take the advice of experts and HR professionals who take the necessary—even if inconvenient—steps to secure employees’ personal information. Be diligent, doing everything from locking your office every time you step away to limiting access to files to select individuals. You will be glad you did.
Common Problems and Common Law
The biggest risk of unauthorized access to personnel information is identity theft. Identity theft has become so common that it makes up nearly half of all complaints filed with the Federal Trade Commission (FTC), which serves as the federal clearinghouse for complaints of identity theft.
An FTC investigation in 2003, for example, found 10 million cases of identity theft, mostly through information provided by credit card companies, a commission spokesman says.
FTC officials are unable to determine how often identities are stolen through employer personnel records. Still, the workplace in general, and HR offices in particular, offer many opportunities for unauthorized use of personnel records. While such a breach may conjure up images of sophisticated computer hacking that leads to multiple cases of identity theft, Deming and others say most breaches of personnel records involve one employee obtaining information on another, usually by looking at paper files.
“What happens more than any other is that files are left on a desk and another employee comes in and looks at them,” says Louis Obdyke, SPHR, a senior labor and employment attorney at Continental Airlines in Houston. Most often, one employee looks at another’s salary or performance appraisals or gets the home phone number of another and begins harassing or stalking them, says Obdyke, who also serves on SHRM’s Employee Health, Safety and Security Special Expertise Panel.
Identity theft is not the only concern for employers, who face legal problems on both the state and federal levels from almost any security breach. Employers are liable under state common laws—those established by court precedent, rather than statutes—for any security breach that violates employee privacy, Obdyke says.
And, with increasing concern about privacy violations, Congress has passed a number of laws that regulate how employers guard personnel information. The Americans with Disabilities Act, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act and the Patriot Act all govern the handling of employment documents, as does the Fair and Accurate Credit Transactions Act, whose “disposal rule” requires that information drawn from consumer reports, such as background checks, be destroyed when it is discarded, for example by shredding, burning or pulverizing the paper so it cannot be read or reconstructed.
Still, companies are required to maintain certain personnel records for at least three years after termination of employment. Under the Fair Labor Standards Act, employers must maintain basic information on all employees, such as full name, Social Security number, address, gender, occupation, pay and hours worked. For a full listing of these requirements, go to www.dol.gov/esa. Some companies may choose to keep the records longer. At Continental, employee records are kept seven years after the termination date and then are destroyed, Obdyke says.
“It’s imperative that employers have a system for destroying files,” Obdyke stresses. “We hear horror stories of Social Security numbers and banking information being stolen. When files reach a point where they are not being used and you no longer need to keep them, they should be shredded.”
An Inside Job
With years of experience investigating and fixing personnel breaches, Deming has identified what he believes are the three biggest threats to personnel records:
- Cleaning staff.
- Security staff.
- Human resource information systems (HRIS) staff.
All three tend to be invisible, and you don’t think of them, Deming says. Maybe they’re not even part of the organization.
In one case Deming worked, the CEO and chair of a large, publicly traded company had his Social Security number stolen and used to open credit cards. The breach happened when an attorney working on the renegotiation of the CEO’s contract left the CEO’s personnel file on the floor by the attorney’s desk. A temporary cleaning service worker photocopied the information and sold it on the street for $75, Deming says.
In another case, a chemical company that prided itself on security had a breach in one of its offices when a security guard was given a sub-grand key to the HR office, a common practice that allows a security guard to open any door in case of emergency. The guard then broke the lock on a worn cabinet where personnel files were stored. He sold the personal information for $50 each, Deming says. The security guard later pleaded guilty to a reduced misdemeanor and served less than a year in jail, he says.
Two of Deming’s lessons from these cases:
- A high-level employee should be present when cleaning crews work.
- Only the HR director, and maybe one senior executive, should have a key to the HR office.
The problem with HRIS workers is that they have the technological know-how and often the access to get information, if they choose to, Deming says. In his work, Deming has not found HRIS staff involved in crimes like identity theft, but he says they have been caught snooping in files for salary information on other employees to leverage their pay. He recommends restricted access to curtail breaches.
Deming also suggests that one qualified person in HR or IT provide oversight for electronic data. Electronic audits looking for unusual activity or unauthorized access should be conducted regularly.
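One way to put the electronic-audit recommendation into practice, as an added example that is not from the article or from any HRIS product: a short Python script that runs over constructed HRIS access-log lines and flags the patterns the text describes, namely reads of fields a role should not see (an HRIS administrator pulling salary data), reads outside a user’s assigned unit, off-hours access and bulk pulls of many records. The log format, the role-to-field policy, the user scopes (employee-ID prefixes standing in for business units), the bulk threshold and the business-hours window are all assumptions chosen for the illustration; a real audit would draw these from the HRIS audit table and its authorization model.

```python
"""Hypothetical HRIS access-log audit (added example; not the article's own code).

Flags four things a periodic review of electronic personnel data should catch:
reads of fields a role is not permitted to see, reads of records outside a
user's assigned unit, off-hours access, and bulk pulls of many records.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (assumption): "timestamp user role employee_id field".
SAMPLE_LOG = """\
2006-06-05T09:12:04 hr.clerk1 hr_generalist E1001 salary
2006-06-05T09:15:31 hr.clerk1 hr_generalist E1002 address
2006-06-05T10:02:11 hr.clerk1 hr_generalist E2004 salary
2006-06-05T13:30:00 hris.admin hris E1003 email
2006-06-05T13:31:12 hris.admin hris E1005 salary
2006-06-05T14:05:09 hr.director hr_director E2004 salary
2006-06-05T22:40:10 hris.admin hris E2007 salary
2006-06-05T22:40:30 hris.admin hris E2008 salary
2006-06-05T22:40:51 hris.admin hris E2009 salary
2006-06-05T22:41:02 hris.admin hris E2010 salary
2006-06-05T22:41:20 hris.admin hris E2011 salary
2006-06-05T22:41:44 hris.admin hris E2012 salary
"""

# Hypothetical policy (assumption, not from the article).
ROLE_FIELDS = {                      # fields each role may read
    "hr_generalist": {"address", "email", "salary", "performance"},
    "hr_director": {"address", "email", "salary", "performance"},
    "hris": {"address", "email"},    # system maintenance only; no pay data
}
USER_SCOPE = {                       # employee-ID prefixes a user is assigned to;
    "hr.clerk1": {"E10"},            # an empty set means any record
    "hr.director": set(),
    "hris.admin": set(),
}
BULK_THRESHOLD = 5                   # distinct records per user per hour
BUSINESS_HOURS = range(7, 19)        # 07:00 through 18:59 local time


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    detail: str


def parse_log(text):
    """Return (timestamp, user, role, employee_id, field) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, emp, field = line.split()
        events.append((datetime.fromisoformat(ts), user, role, emp, field))
    return events


def audit(text):
    """Run every check over the log and return the list of findings."""
    findings = []
    records_per_hour = defaultdict(set)   # (user, "YYYY-MM-DDTHH") -> employee ids
    off_hours = Counter()                 # (user, "YYYY-MM-DD") -> event count

    for ts, user, role, emp, field in parse_log(text):
        if field not in ROLE_FIELDS.get(role, set()):
            findings.append(Finding("field_not_permitted", user,
                                    f"role {role} read {field} of {emp}"))
        scope = USER_SCOPE.get(user)
        if scope is None:
            findings.append(Finding("unknown_user", user, f"read {field} of {emp}"))
        elif scope and not any(emp.startswith(p) for p in scope):
            findings.append(Finding("out_of_scope", user, f"read {field} of {emp}"))
        if ts.hour not in BUSINESS_HOURS:
            off_hours[(user, ts.date().isoformat())] += 1
        records_per_hour[(user, ts.strftime("%Y-%m-%dT%H"))].add(emp)

    # Summaries: one finding per user/day for off-hours, one per user/hour for bulk.
    for (user, day), n in sorted(off_hours.items()):
        findings.append(Finding("off_hours", user,
                                f"{n} reads outside business hours on {day}"))
    for (user, hour), emps in sorted(records_per_hour.items()):
        if len(emps) > BULK_THRESHOLD:
            findings.append(Finding("bulk_access", user,
                                    f"{len(emps)} distinct records in hour {hour}"))
    return findings


def summarize(findings):
    """Count findings by kind, for a quick view of what the audit turned up."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:20} {f.user:12} {f.detail}")
    print(dict(summarize(results)))
```

Run it directly to print the findings. On the constructed log the HRIS administrator is flagged three ways at once (salary reads the role is not permitted, a run of six records in one evening hour, and off-hours activity), while the director’s single in-scope read produces nothing. The design point for a periodic audit is that the HRIS staff who have the know-how to read the data are covered by the same checks as everyone else, and that whoever reviews the output is not the same person who administers the system.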
Susan Kurdziolek, president of Turn Key Office Solutions in Arlington, Va., counsels her clients on how to maintain secure personnel files. Like Deming, Kurdziolek says records security is more a matter of common sense than high-dollar security that uses things such as hidden cameras, computer thumbprints and identification cards.
“You don’t have to invest in high technology,” Kurdziolek says. “You do have to have a front door lock, and you may consider using a combination lock.”
Most important, Kurdziolek says, all organizations need to address records management in their policies and procedures, and show that there are consequences for breaking the rules.
“Too often, we see that companies address these issues with a wink, and that’s it,” Kurdziolek says.
Without strict policies, many common scenarios can place records in jeopardy. Kurdziolek uses the example of an HR staffer whose boyfriend picks her up at the office at the end of the day. Without policies about where the public can be in the building, the boyfriend may come to the HR office and overhear a conversation about a personnel matter or be left alone with personnel files while the HR staffer goes to the bathroom. What may seem innocuous to an employee puts files at risk if they’re left with the wrong person.
Kurdziolek recommends restricted access throughout a workplace, especially in the HR office. HR staff should log off their computers and lock their doors when they leave their offices, even for a quick trip down the hall. “It only takes a second for someone to lift a file,” she notes.
Only the HR director should have a key to the HR office suite, even if it means curtailing flexible arrangements that would allow an HR employee to work when the director isn’t there. If some HR staff members are bothered by the inconvenience, she says, “How inconvenienced would they feel if someone’s identity was stolen?”
HR should develop policies and procedures with either the No. 1 or No. 2 person in the organization and have them approved by legal staff, Kurdziolek adds. (For a list of recommendations, see “Policies and Procedures,” above.)
The next step is to develop a program to train HR staff on security risks and the policies and procedures that address them. Employees should sign a document that says that they completed the training, Kurdziolek says, adding that the employee signature makes them accountable.
Consequences for security breaches also should be written into policies and procedures, says Kurdziolek. For breaches such as leaving a file unattended or bringing a non-employee into a secure area, there might be an oral warning for a first offense, a written warning for a second offense, followed by probation and, eventually, firing for repeated offenses, she explains.
“Security has to come from the top down,” says Kurdziolek. “You have to have a good HR director and good management who will take the leadership to let employees know there will be consequences” for breaking the rules.
“There can’t be any security risk at all,” she adds. “The company is liable.”
Lisa Daniel is a freelance business writer in Burke, Va.