September 12, 2007
The Fight to Keep Benefits, Payroll Data Confidential--Are You Winning?

Hackers ... thieves ... miscreants of all descriptions. All you have to do is read the paper, or better yet, scan the list of data breaches maintained by the Privacy Rights Clearinghouse (www.privacyrights.org/ar/ChronDataBreaches.htm), and you'll start to notice something: Everyone is vulnerable to those mentioned above who are out to get your private data.

Bill Nolan, a partner and labor and employment attorney at law firm Squire, Sanders & Dempsey, has, in recent years, been called on more and more to deal with privacy issues. Most of the time, he says, privacy breaches arise from consumer applications; but some significant employment-related breaches also occur.

Nolan cites a recent Ohio case, where a state-employed intern took home a back-up tape containing employee data, then had it stolen from the front seat of his unlocked car. "It contained the personal information of every employee in the state of Ohio, up to and including the governor," Nolan explains.

Reviewing the Privacy Rights Clearinghouse list, you'll find that improper procedures are often the cause of data breaches, like the one in Ohio. In April 2007, payroll outsourcing firm Ceridian admitted that a former employee accidentally posted sensitive information about employees of one of its payroll processing clients online.

The information, which included names, Social Security numbers, payroll data, and even bank account numbers, was included among photos the employee posted online for his family to view. The breach was discovered when an employee of the client company Googled his name, and found much more than he expected.

Increase Awareness, Decrease Opportunity

Clearly, a lack of guidelines and improper procedures--your own or those of companies to which you outsource--can result in the loss of confidential data. The Privacy Rights Clearinghouse has suggestions for companies developing their own privacy policies. In summary, their ideas boil down to these three main points:

  1. Be open with your employees about why you need their personal information. Tell them how you'll use it, especially at the time you're collecting it. Limit the information you take to what is required for the purpose, and do so only with the full knowledge and agreement of the employee. Make sure employees have the opportunity to review any personal data you've collected and to update it when necessary. The data must be accurate, complete, and relevant for the purpose.
  2. Ensure security of employees' personal data. Limit access to it. If you must disclose personal information to any other person or company, do so only with the consent of the individual.
  3. Make someone accountable for the data. Assign an individual in the company to oversee privacy policies and procedures. Hold regular privacy audits. Train employees in proper handling of private information.

What Can HR Do?

Human Resources professionals have the responsibility to maintain the privacy of their employee data, and they have an opportunity to make sure it stays confidential. "Human Resources is well positioned in the company to take a leadership role in this," Nolan says.

"Step one is for you to educate yourself about the potential for data breaches; then, you need to educate your staff. Once everyone is aware of the ways private data typically leaks out, you can take steps to plug the holes.

"Take an inventory of personal information in your organization: Who has it? Where is it? How do people get it? One thing you'll see at privacyrights.org is that in a lot of these situations, people had data they didn't need to have, or data was stored in places it didn't need to be," says Nolan. "You've really got to get this down to a 'need to know' basis. On the list, the laptop is a recurring theme. And a lot of times, the sensitive information didn't need to be on that laptop.

"So understanding the information, where it is, and who is using it, is step two." If a data breach does occur in spite of your best efforts, the best thing to do is to think back to the Privacy Rights Clearinghouse's suggestion at the top of the above list: Be open. Notify affected employees right away. Many states require companies that lose data to notify the affected consumers.

Nolan points out that these laws also apply to employers and their employee data. And even if you don't live in a state where such notification is the law, he suggests that you do so anyway.

"The wise thing to do, which I believe most companies are doing whether it's consumer data or employee data, is to give the notice," he says. "In this day and age, if you didn't give notice and then it comes out a year later, it's going to be a public relations disaster."

When Your Data Are Out of Your Hands

When you outsource tasks to another company, you've entrusted data to someone outside your control. Make sure they've earned that trust, says Nolan. While your policies and procedures may be bulletproof, perhaps those of the firms you're using for insurance, benefits administration, or payroll are not.

Nolan says you should take the time to check out the other company's procedures before you turn over the data.

"When you look at the (Privacy Rights Clearinghouse) list, it's often a third party that's involved in the data breach," he says. "It's a consultant or an insurer that has the data, and it's their employee losing the laptop. So it's important to deal with that when you start doing business with an outside company.

"I think the cleanest way to handle it is that you make sure the outside party assumes responsibility for your data when they have it," Nolan continues. "They indemnify you as an employer for any damage that results from their mishandling of your data. That puts the burden where it logically belongs."

Technology, designed to make our lives easier and more efficient, sometimes comes at such a rapid pace that it's difficult to stay on top of it. Nolan says that's part of the problem with data security.

"Over and over again, we see examples of technology going so fast that employers struggle to keep up," says Nolan. "We really want organizations to get their arms around what they have in terms of data, just like they would with physical inventory.

"These days, inventory is all right there, on a computer, so you know what is where and when. That's the model we ought to be working toward for data privacy. Companies that are able to do that are going to be able to avoid a lot of liability that other companies will struggle with."

Although we read frequently about stolen identities, Nolan says that the amount of litigation over employee-related data breaches is quite low. "One of the reasons, I think, is that it's just very hard to take an ID-theft and link it to a particular data breach.

"Oftentimes, if somebody is stealing a laptop out of your car, I'm told, it's not to steal identities; it's because the person wants the laptop. They may not even know what is on it. Arguably, there is a bit of hysteria right now. Which isn't to say that having your identity stolen isn't a miserable experience." Just ask the governor of Ohio.