Safeguarding HR Information

Take a look at some new ideas for preserving your employees' confidential data.

It’s an impressive list: Time Warner, Eastman Kodak, Motorola, MCI. All industry leaders with significant resources and large numbers of employees. And this past year, all of them had to tell current or former employees that their sensitive personal information had been compromised.

Some had computers stolen while others lost backup tapes, but the result was the same:

Workers were potentially exposed to identity theft.

It’s a danger that is not limited to this short list of top employers. There have been numerous high-profile cases where hundreds of thousands of employee, consumer and student records were lost by, or stolen from, various financial institutions, data brokers and universities.

In fact, through September there were more than 100 personal information breaches of employee, consumer or student data affecting more than 56 million people, according to a list updated regularly by the Identity Theft Resource Center (ITRC) in San Diego.

One of the largest breaches occurred at Time Warner, which announced this spring that tapes containing personal information on about 600,000 current and former U.S.-based employees had been lost by Iron Mountain Inc., a Boston-based records management and storage firm. The U.S. Secret Service is investigating.

“In the wake of the incidents of the past year involving a number of companies, we’ve made a decision to begin encrypting all of our backup tapes,” says Time Warner spokeswoman Kathy McKiernan. Time Warner also has “changed certain procedures in terms of Iron Mountain’s handling of our data,” McKiernan added, but she would not discuss details of those changes, citing security concerns.

At Kodak, MCI, Motorola and other businesses, laptops containing sensitive information were stolen—the same type of problem that accounted for one-quarter of the employee record breaches that occurred this year, says Donald Harris, president of HR Privacy Solutions Ltd., a consulting firm in New York.

Such security breaches can come at a high price. In the Internet Age, one computer that is not properly protected or one hard drive that is not adequately erased can provide thieves with access to thousands of employee records—which they can use to apply for credit cards, spend money that isn’t their own and wreak havoc on the lives of people whose only crime was trusting their employer.

For an employer, the consequences of violating that trust have been underscored by court rulings and state and federal laws that seek to hold custodians of sensitive information responsible for diligently protecting the data they obtain, and subject to penalties if they don’t.

Today, the news of a security breach can spread rapidly, informing current and potential customers or partners of a company’s failure, and can even cast doubts on a company’s ability to securely maintain other confidential business data, such as customer files or records pertaining to a pending merger or acquisition.

As a result, safeguarding and properly disposing of employee information in all forms has become a business necessity for employers for a variety of reasons, including potential legal liability, reputation, and consumer and employee confidence.

HR Taking the Lead

Employees routinely give companies their life history in the form of a resume or biography, followed by a background check and maybe a drug test—and they expect employers to protect it.

“Employers should think of their [personal employee] data just as they do their money, intellectual property or trade secrets,” says Gary Clayton, CEO of the Privacy Council, a division of Jefferson Data Strategies LLC, in Dallas.

Clayton advocates a phased approach to employee data protection that starts with support from the company’s CEO or board of directors. Once executive buy-in has been established, an HR professional should lead the process.

“It should be someone from the HR department, someone who uses and has access to the personal data,” says Clayton, adding that in-house legal counsel or an information technology manager at larger corporations also can assume that responsibility as long as they’re familiar with sensitive, personal HR data.

The next phase begins by understanding the internal and external processes and data flows that involve personal employee information. Employers must also understand the business processes involved from collection through disposal, as well as the company’s legal obligations, says Clayton, who is an attorney and has been a privacy and data protection consultant for more than a decade.

“Think of [personal employee data] like a legally controlled substance,” Harris says. “That’s a paradigm shift for people in HR. They have to understand the life cycle of the data at each point and review the risks and exposures.”

When considering the life cycle of employee records, employers should focus, in broad terms, on data input, storage and disposal. Although there are no easy answers about the best ways to collect, manage and dispose of such sensitive information, employers can—and should—take numerous steps to ensure the security of employee data.

Here are potential steps to take.

Data Input

When it comes to sensitive information, sometimes it’s better if employers don’t ask for it. Employers should look closely at the personal information they require employees and job applicants to provide—and when they ask them to provide it.

Don’t ask job applicants for their Social Security numbers (SSNs) or other personal information until absolutely necessary, cautions Linda Foley, co-founder of the ITRC.

“Too much information is being collected at the wrong period of time,” she says. “You don’t need a Social Security number until you’re going to do a background check and potentially offer them the job. The less information you collect from the beginning, the less you’re responsible for, ultimately.” (For more information on keeping SSNs secure, see “Rikki Don’t Use that Number,” at right.)

Once you collect sensitive information, track what you have. By keeping track of what confidential data you have and where they are stored, you will have an easier time ensuring that the data are secure and that, when the time comes, they will be disposed of properly.

Charles Kolodgy, research director for security products at IDC, a global information technology research firm in Framingham, Mass., says the proper classification of information—namely, what files and records contain personal employee information—is crucial in all phases of the electronic collection, processing, management, storage and ultimate destruction of data. But making the right decision about classification requires businesses to first answer some important questions:

• What is the information to be protected and in what format?
• Is it a paper or electronic record?
• Would automation make the data more or less secure?

Al Doran, CHRP (Certified Human Resources Professional, a nationally recognized level of achievement within the HR field in Canada), president of Phenix Management International, a Canadian HR management consulting company, says employers must commit to the types of information they will protect and the means they will employ to do so.

“One of the basic things employers should have is a policy about personal information,” he says. “What is personal? And what steps are taken to protect it? It should be a statement from the employer that [shows] personal information is important to them and that they respect the fact that it is personal and are taking steps to protect it.”

Storing Data: Access Issues

In order to limit access to HR data, employers must decide what information will be available only to the HR department, says Harris. He also advocates that employers screen HR personnel and anyone else who will be given access to personal employee information. Temporary workers who have not been properly screened should not be given access, he says.

Further, HR personnel need to understand the life cycle of sensitive employee data from collection through destruction. “It’s getting easier to do with online training,” says Harris, “but there is no standard in this area, and it’s critically needed.”

Harris, who founded the privacy committee at the International Association for Human Resource Information Management, says the organization is pursuing a best-practices initiative for protecting employee information that seeks to identify and promote effective procedures companies use today.

Employers should also take steps to limit non-HR staff access. Only those who have a business reason for seeing employee records should have access to that data. Employees don’t need to see information on their colleagues. Supervisors don’t need to know things like who an employee lives with or who their pension beneficiary is, but a departmental manager or supervisor may need access to their employees’ home phone numbers, says Doran.

Don’t overlook electronic access. Restricting access to sensitive data may require safeguarding the applications, databases and servers that house and process HR data by using firewalls; installing intrusion detection systems; and limiting who has the authority to assign passwords.

It’s also a good practice for companies to physically and electronically segment the HR department and its data, including SSNs, from the rest of the corporation to best protect sensitive employee information.

And don’t forget about low-tech security measures. While sensitive paper files don’t have to be locked up like Fort Knox every night, locks on the doors and windows and storage within the HR department are recommended protocols.

Storing Data: Technological Solutions

To keep confidential electronic data from prying eyes, businesses should encrypt as much of this data as possible. Encryption translates the data into a secret code that can be unlocked only by using a key or password. The current industry standard is 128-bit encryption, and a commercial tool at that level based on standard cryptographic algorithms (namely, Advanced Encryption Standard, Triple Data Encryption Standard or Blowfish) will effectively secure stored data, Kolodgy says.

“The level [of encryption] is less important than just doing it; just doing it is the hard part,” Kolodgy says, adding that basic file encryption is not expensive, but the cost rises when the encryption is embedded into databases or HR systems.

Because many HR systems are web-based, businesses must take steps to make sure the data in these systems can’t be tapped into. Kolodgy says there are two types of electronic data that must be protected: stored data and in-transit data.

Stored data can be effectively protected by using encryption.

In-transit data—which includes data that pass through a web portal or company network—require a different type of protection. To keep such data secure, employers should require employees to sign onto company networks through a Secure Sockets Layer (SSL) connection. SSL uses a cryptographic system that uses two keys to encrypt data—a public key known to everyone and a private or secret key known only to the recipient of the message, Kolodgy says.

And to prevent confidential information from being shared inappropriately via electronic means, Kolodgy says to consider Outbound Content Control (OCC) tools. In the past, outbound protection meant blocking employee access to certain web sites, and inbound protection meant a company had virus protection, firewalls and other tools. But OCC solutions also can screen outgoing electronic messages for certain sensitive data patterns. For example, if a message has a nine number set in a 3-2-4 sequence, such as a SSN, an OCC tool can block that traffic without actually reading the message.

The OCC market is new but includes numerous vendors, including Vericept Corp., Vontu Inc., Reconnex Corp., Tablus Inc. and others.

Data Destruction

Some companies keep job applications for auditing purposes to prove a fair and equal opportunity hiring process, and those records must be protected and disposed of properly, says Foley.

When electronic and paper files are waiting to be destroyed, they should be kept in a secure area, say privacy experts.

Experts also say that employers should establish confidentiality and security agreements that include proper return and disposal procedures for sensitive data—both internally for employees and externally with third-party vendors.

But employers need to be aware that there is no foolproof system for destroying digital data so that they can no longer be accessed.

When it comes to wiping electronic data from a computer hard drive, employers can download tools from the Internet that do not require any formal user training, says Robert Johnson, executive director of the National Association for Information Destruction Inc (NAID). However, while these tools may be relatively easy to use, they are not guaranteed to be effective.

Wiping a disk clean so that the data can no longer be accessed is difficult, says Kolodgy. Some programs overwrite files, but sometimes those files can be recovered using advanced tools. Furthermore, the typical erasure just displaces the location of a file on a computer’s hard drive. The displaced files, called a “bit bucket,” are lost but still on the drive and can be found and re-created using recovery tools. Originally developed to help users with accidental erasures, these recovery tools could be used to steal personal information or corporate secrets.

Johnson says that “it’s a hard process to retrieve wiped information, but a change in technology could make it easy.” As a result, NAID does not endorse any software wiping tools, he says.

Reformatting a drive is another option and is generally effective at erasing data, but technically skilled users can still recover information on a reformatted drive, says Kolodgy.

Pulling Out the Stops

Once they suffer a breach of security, some employers appear to be responding on several fronts to safeguard the information in their care.

For example, following a breach earlier this year involving credit reports containing information on more than 145,000 customers, Alpharetta, Ga.-based data broker Choicepoint Inc. changed its internal practices to better protect information collected from its customers as well as its 5,500 employees, says James E. Lee, the firm’s chief marketing officer.

He says the company also took steps to protect its employee records even though those records have never been breached.

Today, Choicepoint’s more than 100-person HR department, called People Services, allows only certain people access to personal data, and employees can access information only about themselves. Supervisors can access an employee’s salary and salary history, but not an SSN or other sensitive personal information. Within People Services, access to personal information is granted only to personnel who need it to perform their job.

Experts say that tackling security from multiple angles is the right way to go. From collection through disposal, they say, employers need the right combination of technology, well-trained users and secure procedures to protect their employees’ information.

Says Kolodgy: “People, policy and products—the three P’s—you need to hit all of them.”

Dan Caterinicchia is based in Washington, D.C., and writes frequently about information technology.