When relocating employees, HR must perform due diligence with its vendors to ensure that
employees' personal data remain secure.
Coordinating an employee’s relocation involves more than simply moving people and goods. It also involves the transmission of information—sensitive information -- usually electronically. As a result, data security -- protecting the relocating employee’s personal identifiable information -- has moved to the forefront for HR.
That’s true for employers and HR professionals on a day-to-day basis -- but even more so during a relocation.
Dick Mansfield, general counsel for the Employee Relocation Council (ERC) in Washington, D.C., says, “Data protection is a current hot button” in employee relocation.
The potential for loss or theft of personal information is higher during relocations than during other human resource activities, experts say, because many pieces of vital data are transmitted to several different vendors involved in the relocation. Add in the fact that employees, distracted by the whirlwind of a relocation, may become less cautious than normal when giving out personally identifiable information, and “it’s a recipe that’s ripe for loss of information and -- even worse -- identity theft,” says Gary Clayton, chief executive officer of Jefferson Data Strategies, a Washington, D.C.-based privacy and data management consulting firm.
Indeed, identity theft by company insiders -- including contract employees and vendors’ employees -- accounts for as much as half of information theft and is an escalating trend in today’s workplace, according to Judith M. Collins, associate professor of industrial and organizational psychology at Michigan State University School of Criminal Justice in East Lansing, citing research soon to be released by the university.
Other research also indicates that the workplace -- either yours or that of your relocation providers -- may be a fertile source of identity theft. Twenty-three percent of identity theft victims who knew the thief said it was someone who “worked at a company or financial institution that had access to the victims’ personal information,” according to a 2003 survey conducted for the Federal Trade Commission (FTC) by Synovate, a McLean, Va.-based research company.
When employees relocate from one location to another, then, HR professionals must ensure not only that their family members and possessions are handled carefully, but also that their data are kept secure as well. “HR practices in the 21st century must involve security measures,” says Collins, author of Preventing Identity Theft in Your Business: How to Protect Your Business, Customers and Employees (Wiley, 2005), due out next month.
Technological Safeguards
In relocations, HR needs to vet the many people involved in facilitating the management of an employee transfer. Many employers use relocation management companies. But those companies may also be dealing with real estate companies, mortgage companies, banks, movers and firms that assist spouses in finding new jobs. Checking the security of your vendors and vetting the security of their subcontractors are the key safeguards.
Employers are “in the best position to be more powerful negotiators with service providers to make sure service providers have the necessary security procedures in place,” says Naomi Lefkovitz, an attorney with the FTC’s identity theft program in Washington, D.C.
Those security procedures, says Laura Jagodzinski, information security manager for relocation management company Cendant Mobility in Danbury, Conn., should be “as primary a concern as the actual services provided. When choosing a relocation company to provide service, it’s of the utmost importance to understand what the company does to protect confidentiality.”
Ask questions, Jagodzinski advises. “We expect employers hiring our company to partner with us in terms of personally identifiable information protection,” she says. Human resource managers should make sure, she adds, that the vendor is covering the three major areas involved in information security: people, process and technology.
The people aspect involves assessing attitudes from the leadership on down toward the security of client data and looking into the staff’s security-related skills.
When it comes to technology, such as firewalls, intrusion prevention or detection capabilities, she says, make sure it “doesn’t just exist; make sure it is actually used.”
Know the information security measures that the various vendors are required to take under the law, according to the FTC’s Lefkovitz. The Gramm-Leach-Bliley Act of 1999 requires the FTC, federal banking agencies, the Treasury Department, the Securities and Exchange Commission and the National Credit Union Administration to regulate financial institutions’ protection of the privacy of consumers’ personal financial information. Under these regulations, various factors, such as a retail firm selling credit cards, bring a business into the financial institution category, determine whether there is a consumer or ongoing customer relationship, and require certain safeguards. The safeguards are to span all areas of operation, including employee management and training, information systems, and system failure management. The steps that must be taken include identifying and assessing information risks, designating one or more employees to coordinate the safeguards, locking rooms and file cabinets where paper records are kept, and storing electronic information on a secure server accessible only with a password or one that has other forms of security and is in a secure environment.
In November, the FTC charged two mortgage companies with violating this safeguard rule. These first two enforcements of the rule resulted in one company’s agreement to biannual independent audits of its information security program for 10 years, according to the FTC’s announcement.
The base line for what vendors should do is always what the regulations under their respective industries stipulate. “Make sure vendors are in compliance with any laws that apply to them,” says Lefkovitz. Where there are no legal requirements, HR managers should find out who has access to the information, how those employees are trained on protection and whether background checks are done, how information is disposed of, and whether the database storing personal identifiable information is password-protected.
HR managers should also know whether a vendor is required by law to collect specific pieces of personally identifiable information -- for instance, mortgage companies that need an employee’s Social Security number to run a credit check. “The underlying point is, actually, why do they need that information?” Lefkovitz says. “If they say, ‘That’s how we run our record system,’ that is not a good answer. If they say, ‘We need to check their credit report, and that information is necessary to do so,’ that is a reasonable business use.”
Cendant Mobility also works with employers to ensure that the HR department has security in place to protect information that the relocation management company sends to that client, such as monthly expense reimbursement reports.
Finally, HR managers also can ask relocation management companies if they have earned a third-party certification that their network is secure.
Shoring Up the Contract
Another piece of armor in the protection of employees’ personal information consists of the initial contracts with relocation vendors.
“We have really tightened up our contracts,” says Kathleen Ford, senior vice president in corporate human resources at JPMorganChase in New York, which relocates 1,800 to 2,000 employees within the United States each year and sends 1,000 on international assignments. Contracts contain confidentiality clauses, and shippers must be bonded, she says.
“As a financial services firm and a large company, we have vetted this issue very well,” Ford says. “We’re very limited in what data we send. We only give them what they need.” JPMorganChase works with vendors to determine what information is necessary to provide the services. The company tries to stick to the basics of name, shipping address and company cost center to be billed. For example, the shipper may need to know the number of family members to set weight limits. However, the shipper does not need specifics such as names of the children. Birth date and Social Security number are given only to the accountant who provides tax preparation services to employees on assignments abroad.
Other items that should be spelled out in a contract include the employee information that must be password-protected or encrypted, and a requirement that the HR manager be notified if there’s a problem that jeopardizes information security, says Clayton of Jefferson Data Strategies.
At JPMorganChase, key pieces of information, including files of compensation data sent to accounting firms, are encrypted, Ford says. Passport information is sent either by the employee or in a sealed envelope via a messenger.
“You really have to be sensitive to the type of information you’re sending and use a lot of common sense,” she says.
Those precautions have paid off. “We’ve never had an issue where data haven’t been appropriately handled,” Ford says.
The contract also should contain language “that reflects the employer’s internal philosophy with respect to data privacy,” says the ERC’s Mansfield. But, he adds, even a simple statement that the relocation management company must keep data confidential would probably suffice.
One of the biggest mistakes employers could make is to “ignore the issue or view information security as a static subject,” says Pamela Uhl, vice president and associate general counsel for Cendant Mobility. “The laws are changing all the time.” Individual states and countries have different laws, and European laws tend to be much stricter, even imposing fines on HR departments for information security mishaps.
Mansfield says HR managers must remember that after information is transferred to the relocation management company, that company transfers it to other vendors.
At Cendant Mobility, all personal identifiable information is transferred by secure means, Uhl says. Electronically transmitted information is encrypted. Vendors are not allowed to subcontract without permission and appropriate safeguards. A list of safeguards is attached to Cendant Mobility’s contracts.
“We look for our service providers to follow the same policies and procedures that we hold our employees to,” says Jagodzinski. Among those policies: Cendant trains employees to avoid leaving files on desks, to limit gathering of information to what is necessary and to avoid traveling with a laptop that contains personally identifiable information in case the laptop is stolen.
HR managers should sit down with vendors and talk with them about what information is needed for each authorized service, Uhl says. Those handling visa and immigration issues need much more information than a real estate company or a household goods mover. (For more information on new aspects of handling visas for employees relocating from overseas, see “Unwelcome Changes".)
Other Safeguards
So is there a set of best practices every HR manager should follow in transferring information to relocation vendors?
“The best safeguard is good training” of HR staff and of the relocation vendors’ employees, says Mansfield. “Any information can be stolen. No longer do you put a Social Security number on a fax and send it to a real estate company.”
Human resource departments should do a data-flow analysis, looking at what’s collected, why it’s collected and what the risks are, says Clayton. “The more sensitive the data or the larger the volume, you probably shouldn’t send it in an open e-mail,” he says. Instead, encrypt it or password-protect it, or get a network link to the vendor with encryption. If the relocation involves security risks, then send data by overnight mail.
Clayton stresses the importance of visiting the vendor’s site. “You can tell a lot about a company by simply walking through,” he explains. If that’s not possible, have regular meetings.
For companies relocating large numbers of employees, Clayton suggests giving employees presentations on the relocation process that cover the topic of keeping personally identifiable information safe. Staff a call-in desk where trained HR personnel can answer a relocating employee’s questions about whether a vendor is allowed to collect certain information and, if so, why.
An employer also should ensure that the employee generally consents to the transfer of information, Cendant Mobility’s Uhl says.
Warning Signs
Even with the utmost precautions, problems may arise, says Lefkovitz of the FTC. “You’re dealing with criminals who are trying to break your defenses.”
But certain red flags should put an employer on notice.
“Red flags can start with employees not getting straight answers from vendors,” Clayton says. Other examples of situations that require caution are those in which the same information is required multiple times or those in which information is sought by multiple people from the same vendor.
A vendor without a privacy policy is certainly a red flag, Uhl says, as are unsolicited calls to the relocating employee from other vendors.
Any change in a provider’s procedure warrants further investigation. If anything deviates from those procedures, the employer should know the reason -- even if the change involves simply using a different fax number. Make sure the new fax number also is secure.
HR also should give employees tips for spotting possible identity theft after the relocation. Lefkovitz says employees should be alert to strange items on a credit report, calls from a debt collection agency about a purchase the employee didn’t make, receiving a credit card that wasn’t applied for or being given an unexpectedly high interest rate on a credit card.
Problems can crop up in unexpected places; you could have no problems for years with your doctors’ offices, for example, and then one of them hires a billing clerk who turns out to be an identity thief. “When information is in play, you have to be careful,” says Lefkovitz.
Once steps have been taken to keep information secure, she adds, “you need to have some confidence that the procedures will work.”
Roseanne White Geisel, a freelance business writer and editor in Arlington, Va., is the former managing editor of Business Insurance Magazine.