In Focus: Equifax Has Salary Details on Employees at 7,100 Businesses

By Aliah D. Wright Oct 4, 2017

Employers say they are unlikely to stop working with consumer credit reporting agency Equifax Inc.—even after it failed to stop cyber thieves from stealing personal data from 143 million Americans.

That's because corporations depend on the analytics Equifax collects on salary history for workers nationwide.

"In the wake of the breach announced last month, Bloomberg News contacted the 40 largest U.S. employers—representing some 12.5 million workers—and asked if they would continue dealing with the service, which helps them with unemployment claims, employment eligibility and tax credits. None said they will sever existing ties," Bloomberg reported.

Companies use data from Equifax and other credit bureaus to check candidates' credit as a condition for employment—a common practice that some employment attorneys advise against. 

(Bloomberg), (SHRM Online)

Choice Words for Equifax from Congress

Meanwhile, during a hearing before members of Congress on Oct. 3, committee members questioned the company's former CEO Richard Smith closely over his responsibilities at Equifax and "indicated that tighter data security standards are long overdue," The Washington Post reported.

One of three major businesses that track the credit records of nearly every American, Equifax sells people's sensitive data to employers, creditors, banks and other clients. Employers sometimes use the information to check on potential employees.

The chairman of the House Energy and Commerce Committee, Rep. Greg Walden (R-Ore.), called Equifax's reaction to the breach "unacceptable" and "ham-fisted." Other lawmakers agreed.

"In a dramatic exchange, Walden held up a thick stack of paper, which he said was an Equifax credit report, and asked Smith how such a sophisticated company responsible for so much data could allow the breach to occur," the paper reported. How, he asked, does this happen?

(The Washington Post), (The Telegraph)


IT Employee Blamed

Smith, who apologized profusely, told lawmakers repeatedly that the data breach was caused by an employee's error.

The New York Times reported that Smith said the breach was caused by an "individual in Equifax's technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach. A company spokesman did not respond to questions about that employee's status with the company."

Breaches of this type are preventable, yet most companies don't regularly train their employees on how to safeguard employee data, experts say.

Fewer than half of in-house counsel (45 percent) said their organizations require employees to take training on how to prevent cybersecurity breaches, SHRM Online reported. It's a startling statistic given that human error accounts for more than half of security lapses.

(The New York Times), (SHRM Online)



Lesson for HR: Train Employees

Breaches of any type should serve as a reminder for HR professionals that they must be more mindful about protecting their employees' data.

Smith, 57, had been Equifax's CEO for 12 years before he announced his retirement late last month.

Cybersecurity, experts told SHRM Online, is "not something that should be bottled up in IT" but should involve the board as well as the C-suite, said Adam Levin, founder and chairman of Arizona-based IDT911, an information security firm. Organizations need "an entirely new corporate culture where security is part of the fabric of that culture." An executive should make certain sensitive employee data is restricted, encrypted and isolated from other files.

HR should also make sure employees practice good cybersecurity hygiene.

"Training employees on company security policy when onboarding or annual training is not enough," said Stu Sjouwerman, CEO of KnowBe4, a cybersecurity firm. "To be most effective, use anti-phishing tools to frequently test employees on a variety of types of subjects and times, then follow up with remedial training for anyone who fails."

In addition to testing employees, he recommended that employers:

  • Limit access to information to those who need to know it.
  • Institute multifactor authentication to reduce unauthorized access and identify who is accessing information.
  • Change administrative passwords frequently.

(CNN, SHRM Online)

