Safeguard Employee Data

03/07/07

This security warning from the International Association for Human Resource Information Management is sobering: What companies did in 2002 or before to manage information about employees is not sufficient now. In fact, theft and compromise of HR information is fueling an explosion of fraud and identity theft crimes. The recent theft of 26.5 million names, birthdates and Social Security numbers from an employee of the Department of Veterans Affairs only underscores the dangers of lax employee data policies. HR professionals involved in the capture, use, management or dissemination of information about employees must do all they can to help protect it. Make sure your HR staff is up to the challenge.

Mission critical: Safeguard employee data now
Most businesses are concerned about employee data file breaches, at least from a policy perspective. Sometimes, however, it takes a significant compromise of data in a particular company before management takes meaningful action — and by then it may be too late. Think about what’s at risk: employees’ Social Security numbers, home addresses, phone numbers, wage information, medical records, performance reviews, organizational charts, etc. These data are voluminous, highly confidential and very sensitive. In the wrong hands, they could be very damaging to your workforce and jeopardize the future of your organization.

Even if you manage to recover stolen data, there could still be serious repercussions. Your company may be embarrassed publicly if word of the breach reaches the news media. A flurry of lawsuits could follow. Employee morale generally will decline. Certain customers may have second thoughts of renewing existing contracts.

Of course, any employee data protection policy has to receive support from HR and top management. The president and/or owner of your company needs to recognize what’s at stake and let employees know there will be severe consequences for breaking data security rules. Your employee handbook should make that policy perfectly clear.

Build up your defenses
The good news is there are plenty of things you can do to reduce the chances of having your employee data compromised. Consider these steps:

Restrict access to Social Security numbers to all but a few key HR personnel. Rely on alternative numbers for employees, and refrain from putting Social Security numbers on paychecks.

Don’t leave cleaning crews, security personnel and miscellaneous vendors alone in a building. They may be tempted to steal information if they know they’re not being monitored.

Use encryption software that scrambles sensitive data while they’re being stored and transmitted in-house, and make sure the data on employees’ laptops are encrypted before they take them home. Keep track of which employees work on sensitive company information from home.

Reprogram computers so they require a password after not being used for a certain amount of time.

Change office keys, locks, and computer passwords after an HR employee resigns or is terminated. Only the HR manager, and perhaps a senior executive, should have a key to the HR office.

Make sure your HR staff members don’t leave files unattended or bring non-employees into a secure area. Have them lock their doors when they leave their offices, even when they’re gone for just a few minutes.

Conduct discussions on pay, hiring, promotion and other personnel matters in a secure room behind closed doors.

Shred paper personnel documents you no longer need. Disposing of documents in a dumpster makes them readily available to anybody. Business espionage professionals consider trash as the single most available source of a company’s private information.*

Stolen personnel records can have an enormous negative impact on a company. Take the initiative and institute an employee data safeguard program, and follow through so it becomes an integral part of your corporate culture.

*Source: National Association for Information Destruction Inc.