Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus convallis sem tellus, vitae egestas felis vestibule ut.

Error message details.

Reuse Permissions

Request permission to republish or redistribute SHRM content and materials.

Protecting Your Candidate Data

With data breaches on the rise this past year, HR departments must be aware of the risks when dealing with job applicants’ sensitive personal information. Resumes, correspondence and data from prospective hires are a gold mine for cybercriminals. Once this information is exposed, companies not only suffer financial and reputational loss, they can be prosecuted by federal regulators for failing to protect individuals’ sensitive information.

So how can HR and the companies they work for ensure this information is safe?


Deena Coffman, CEO of cybersecurity firm IDT911 Consulting, based in Scottsdale, Ariz., offered some tips on securing talent acquisition systems and safeguarding recruiting practices in a discussion with SHRM Online.

SHRM Online: When we talk about applicant data, what type of data are we talking about and where is it stored?

Coffman: Applicant data can include sensitive and legally protected personally identifiable information, such as names, addresses, Social Security numbers and dates of birth. It can also include work history, documents used during the employment eligibility verification stage, answers to application questions, criminal background and credit checks, and emergency contact information. Especially taken all together, data thieves can have a dossier on a person that can be black-marketed. Applicant data can be targeted in an applicant tracking system [ATS] or it may be intercepted via a Web form, e-mail or even from paper files.

SHRM Online: Where are the prime exposure points in employers’ talent acquisition systems?

Coffman: Websites, e-mail, fax machines and unsecured ATS systems are all prime exposure points in the process. Candidates who progress to the interview stage likely have their resume circulated either in paper format or via e-mail, which increases their exposure beyond those that stop at the resume submission point. If candidates’ passwords in applicant tracking systems are not encrypted they can be picked up, and it’s likely that those candidates use those passwords in other places.

SHRM Online: What can employers do to secure their applicant tracking systems?

Coffman: When considering an ATS, the security of the provider and the system should be considered. The provider should attest to their secure coding methodology, and security testing both for the application and the hosting environment. Carefully evaluate the type of assessment chosen and the systems that are and are not included. I have seen some providers state they are secure because they are hosted on Amazon’s cloud. Amazon’s cloud security is one layer of protection, but it does not mean the subsequent layers are secured.

It’s important to note that HR is not trained in cybersecurity and may select a system with security not really top of mind. After selection, employers need someone experienced to implement the system and help with its configuration.

SHRM Online: How can SQL attacks—in which hackers use the company’s online application form to gain control of the ATS—be defended against?

Coffman: ATS providers should develop their code following secure coding practices and test their code for security, not just during development but on an ongoing basis to identify new vulnerabilities. I recommend a “bug bounty” program to leverage the collective intelligence of all white-hat hackers [computer security specialists who break into protected systems and networks to test and asses their defenses] to quickly identify weaknesses and correct them proactively.

SHRM Online: Besides ATS security, what other safeguards should be used to protect resume data?

Coffman: Be mindful of printed copies and copies circulated to those who will be interviewing the candidate. Do not retain candidate information longer than necessary; once the legal requirement to retain the information expires, dispose of that asset before it becomes toxic to your environment.

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy

Quick Links:

SHRM OnlineStaffing Management page

Subscribe to SHRM’s new Talent Acquisition e-newsletter


​An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.