1006 HR Magazine: Risky Business

By Bill Roberts Oct 1, 2006

HR Magazine, October 2006

Protect employee data from the security risks posed by the use of laptops and mobile devices.

The next time you are tempted to take home a Microsoft Excel spreadsheet on your laptop to work on that employee compensation plan over the weekend, try encrypting it first. (To find out how, see " Encryption 101" for step-by-step instructions.)

Once you've done that, the data are encrypted each time you close the spreadsheet. No one can decrypt and open the file without using the password. If someone steals the laptop, you have a good chance of avoiding the public humiliation, damaged credibility, disgruntled employees and enormous costs incurred by the U.S. Department of Veterans Affairs, Boeing and scores of other government agencies and companies affected by headline-grabbing employee data theft in recent months.

Depending on your company's size and other factors, it may not be possible to devise a data protection strategy around Microsoft's capabilities. But this example illustrates how steps can be taken to protect laptop data. Being constantly vigilant, however, is not as simple.

For HR professionals, who handle some of the most sensitive data a company keeps, it's crucial to understand the risks to the data you work with, and to devise policies, adopt encryption and other technologies to protect the data and enforce policies, and build a culture of data security.

Data Minefield

As the high-profile cases in the headlines underscore, the problem of data theft carries significant consequences for employers, for lurking behind stolen data is the potential for identity theft on a vast scale.

"If you have any HR data, either you have just had a breach or you are about to. You cannot conclude that 'it is not going to happen to me,'" warns Donald Harris, president of New York-based HR Privacy Solutions, an HR consulting firm.

Through mid-July of this year, there were 244 incidents of data theft involving nearly 89 million employee and customer records, according to the Privacy Rights Clearinghouse, a San Diego-based nonprofit consumer information and advocacy organization. Fifty-one incidents involved laptops. Among those, few involved less than 10,000 records. At least 107 incidents involved records that contained names and Social Security numbers.

In mid-February 2005, Harris began compiling his own list of HR data breaches, a subset of the Privacy Rights list. As of mid-May 2006, 32 employers had sensitive employee data stolen, most often including Social Security numbers. Laptop theft was the most common breach, the culprit in 12 incidents.

Public Enemy No. 1

While public and private enterprises have made progress in protecting networks and data in desktop computers and servers inside the office perimeter, they haven't done nearly as much to secure data on laptops and other mobile devices that leave the premises.

In fact, when it comes to data protection, several trends have turned laptops into Public Enemy No. 1.

First, today's 24/7, work-anywhere mentality is now infused in the culture of corporate America. Second, the proliferation of laptops makes it easy to remove data from the worksite. A third, HR-specific trendmanager self-service applicationsexacerbates the problem by giving managers access to their employees' sensitive information.

Several recently reported laptop cases involve such prominent employers as the U.S. Justice Department, Fidelity Investments, Hewlett-Packard and Boeing.

Harris, who has consulted for Boeing, is familiar with that company's case. An HR employee took unencrypted employee data from his office on a laptop, inadvertently in violation of company policy. The laptop was stolen from his hotel room in November 2005.

"It led to lots of news stories and a huge backlash from employees," Harris says. "The first thing Boeing had to do was identify what data on each employee were lost. It had to reconstruct this from the backup files. That took nearly a week. Then Boeing had to deliver individual communications to each employee, telling them which data fields were stolen, and provide them with three years of credit monitoring in case of identity theft. That alone will cost Boeing millions of dollars."

So far, data breaches affecting cell phones, personal digital assistants (PDAs) and USB drives are not yet a problem, but experts expect they soon will be, especially as these devices become more multifunctional with increasingly powerful processors and growing amounts of memory. Harris notes that 85,000 cell phones were left in Chicago taxicabs in 2005. "We've seen no references to mobile devices other than laptops regarding data theft," he says. "But it is just a matter of time before we see flash drives and PDAs on these lists."

Harris and others believe HR professionals are paying more attention to data security, but not nearly enough. As the Boeing incident illustrates, just having a policy won't prevent a breach; HR professionals must continually drive the point home to employees and model the behavior they seek to promote.

"HR people have grown up in an environment where it is important to keep information confidential, and that is something to build on," says Ken DeJarnette, a principal at Deloitte & Touche LLP. "But I don't think many HR people know where their risks are."

Laws Cast Light On Data Breaches

Assessing the risks requires that HR know the laws that apply to employers affected by data security breaches. Several cases involving data breaches have come to light as a result of recently enacted state laws that require public reporting of data breaches when policies and technologies have not been adopted to protect data. The European Union and some Asian countries also have privacy protection laws that require the disclosure of data breaches.

David Zetoony, a Washington, D.C.-based attorney who practices in the area of data security with Bryan Cave LLP, an international law firm, says 34 states and Puerto Rico now have data security breach notification laws, modeled after a California statute enacted in 2002.

Although state laws vary, none require data protection. If a company chooses to adopt procedures and protection, including encryption, it does not have to publicly disclose breaches and, in most cases, can follow its own pre-specified procedures to handle the matter. This gives companies an incentive to put in place data protection policies and technologies.

At the federal level, the Health Insurance Portability and Accountability Act mandates protecting employee health information, and the Gramm-Leach-Bliley Act of 1999 imposes data security on financial institutions. Several proposed laws modeled on the state laws are currently before Congress. The employee data in federal departments are currently covered by a Bush administration directive that mandates public disclosure in personnel data breaches.

Taking Inventory

The hardest part of data protection isn't encrypting data, choosing technology to enforce policy or even designing a policy, experts say. The hardest part is knowing what data exist, who has access and how it is used. To this end, John Oltsik, a senior analyst at the Enterprise Strategy Group, a technology advisory firm, urges every enterprise, and each HR department, to take inventory and devise a data classification system. Easier said than done, he admits.

"We frequently find confidential data spread throughout the enterprise on all kinds of devices, on all applications with lots of people having access and no one understanding that relationship," says Oltsik. "You need to understand where the data is, who has access and do they need it to run the business. In the private sector, most companies fail miserably at this."

Boeing illustrates how hard it can be to get a handle on data. Before the 2005 incident, Boeing had a project on the drawing board to determine where it used Social Security numbers and to remove them from applications where they were not absolutely necessary. Like many decentralized global companies that have grown through acquisition, Boeing had no idea where all the data were. Add to that the fact that it is a global company and must comply with the various data breach laws around the world.

"Talk about complexity," says Harris. "A lot of the data were on legacy applications. There is tremendous difficulty in these large companies."

DeJarnette says it is nearly impossible to protect everything, so once a data inventory is taken, executives must analyze risk. "You need to know what information you collect, and you need to understand its life cycle: the collection points, how it is used, where you share it, where you store it, straight on through to how you destroy it when you are done with it. From a risk perspective you need to take a look at all of that."

The Case for Encryption

To encrypt or not to encrypt has become the discussion du jour. The answers become evident after companies take inventory and work out a data handling policy. If no data are to leave the premises on any device, and you train employees that way and use monitoring technology, then you don't need to encrypt data on laptops or cell phones.

If, like in most enterprises, some employees take data home, then you need to consider encryption of the file or hard drive. In most of the reported breaches, had encryption been used, employers would not have been required to disclose them.

A recent study of data encryption for mobile devices by the Burton Group, an IT advisory firm based in Midvale, Utah, found that regulatory changes, particularly the requirement to disclose when breaches have occurred, have increased the use of encryption as a protection strategy.

If encryption is needed, there's no shortage of commercial software available. The Burton study includes descriptions of several vendors and products. One is Chicago-based Pointsec, which offers hard-drive encryption for laptops, desktops, mobile phones and other hand-held devices. The starting price is $129 per PC or laptop and $76 per cell phone, and drops with volume purchases, says Bob Egner, vice president of product management and global marketing for the company. "Interest has been growing over the past couple of years as more data breaches are reported," he says.

Much employee data reside in human resource management system databases, like those from Oracle and SAP. The databases themselves are typically encrypted, and access is controlled through passwords and other identity verification. Yet, Harris says he has heard of customers pushing the big HR application vendors to encrypt at a more granular level. Oracle points out that its HR applications are protected on a server, which can only be accessed by someone with proper access rights through passwords. However, what concerns Harris and others is the ability to extract data from these applications or databases, place it on the laptop and walk out with it in unencrypted form.

And, as mentioned at the beginning of this article, encryption options already exist in Microsoft products. Zetoony is surprised that many people are unaware of these capabilities. "Several clients have told me they do not encrypt data because their companies have not adopted encryption technology, and yet they are using Microsoft products, which offer basic encryption," Zetoony says.

Creating the Right Culture

Because no technology usage policy is fail-safe, an important aspect of data protection is creating a culture in which employees, especially HR employees, understand the importance of data security and abide by company policy.

After Boeing's HR breach, the company ramped up the multimillion-dollar project to find Social Security numbers in its files and delete them wherever possible, Harris says. It also launched mandatory data security training for every employeefour courses, including one on laptops. In addition, it stepped up the flow of communications to raise awareness. "The CEO sends out e-mails to all employees, and division heads talk about this at their management meetings," Harris says.

Oltsik says HR can greatly influence an organization's data security initiatives. "This has to be built into the culture. In successful companies, HR takes the lead in making sure there is training, that executives are involved and that it is done out of goodness for the organization, not just as a police action."

Bill Roberts is contributing editor for technology at HR Magazine

Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect