You have a moral and legal obligation to keep applicant and employee data secure. Learn the risks for failing to do so and how you can shore up your data security.

Here's what you need to know:
- Organizations should create formal data protection and security policies that provide guidelines for handling any applicant or employee data
- Mitigate exposure by only gathering applicant or employee information you need
- Keep medical information separate from employee files and place limitations on access and disclosure
- Hard copies of sensitive data should be kept in restricted areas and locked up; digital data should be stored in a secure database
- HR and IT teams need to employ best practices for cybersecurity
- Provide regular training and education to help employees become more aware of dangerous online activities

Any time you collect and store personal data, you are opening yourself up to risk. Collecting it may be necessary, but you need to put safeguards in place to protect this data.
Each year, the Federal Trade Commission (FTC) receives more than 1.4 million reports of identity theft — by far the largest category of online scams and fraud reported. This includes more than 100,000 employment or tax-related fraud cases, which grew at a triple-digit pace in the most recent report.
One of the biggest fraud increases results from using stolen identity information to apply for government benefits, such as unemployment during the pandemic. In the most recent reporting period, the FTC reported an increase of 2,920% over previous years. Employee and applicant data has become a high-value target for hackers. Not only can they use this information to perpetrate fraud, but they can also sell it on the dark web for as much as $1,000 each. If threat actors can penetrate your security, it can lead to a big payday.
Why keep applicant and employee data secure?
When you have a job opening and start collecting applications, the information you acquire may be sensitive. When you onboard employees, you gather even more personal information. You have a responsibility to keep this data secure — both on behalf of applicants and employees as well as your company.
You not only have a moral obligation to protect sensitive data but a legal one, too. While there is no overarching federal law on preventing identity theft, there are liabilities under several different statutes, including the Fair and Accurate Credit Transaction Act, the Fair Credit Reporting Act, Americans with Disabilities Act (ADA), and Health Insurance Portability and Accountability Act (HIPAA) just to name a few. Individual states also have data privacy laws and statutes.
In addition, companies can be subject to legal action from employees and class action suits. The University of Pittsburgh Medical Center (UPMC) suffered a data breach compromising the personally identifiable information (PII) of its employees. After years of legal battles, UPMC settled the subsequent lawsuit at a cost of $2.65 million. Kroger agreed to pay $5 million to resolve several claims, including the theft of employee data.
Navistar is currently facing a class-action lawsuit for what lawyers call the “reckless manner” in which the company stored and secured employee information, resulting in a breach of tens of thousands of current or former employees.
These are just a few examples.
How to keep applicant and employee data secure
Employee data management is a shared responsibility: HR and IT teams should work together to safeguard applicant and employee information. Here are some of the best practices for doing so.
Create a data protection policy
Organizations should create formal data protection and security policies that provide guidelines for handling any applicant or employee data. Data protection policies should include:
- What data is being collected and the business purpose for doing so
- How long data is retained
- Who has access to the data, including third parties
- The measures put in place for data protection
While such a policy is not required by law, it helps set the framework and governance for how data will be collected, stored, and processed along with establishing best practices for managing your employee database.
Only gather and keep what you need
You can mitigate your exposure by only gathering the information you need. For example, you don’t need an applicant’s social security number until you need to do background checks to verify employment eligibility or when you hire them. Avoid collecting social security numbers (SSNs) or other sensitive data that is not required for making hiring decisions. This step alone can mitigate your risk.
Once you hire someone, consider using numbers other than SSNs for employee identification.
Keep any medical information separate
The Equal Employment Opportunity Commission (EEOC) recommends you keep medical information separate from employee files and place limitations on access and disclosure as another layer of security.
Restrict access to employee and applicant data
Hard copies of sensitive data should be kept in restricted areas and locked up. Digital data should be stored in a secure database and encrypted with access limited to only those with a business or legal need for accessing records.
Have the right security tools
HR and IT teams need to employ best practices for cybersecurity to protect applicant and employee data as well as other sensitive data, including:
- Identity and Access Management (IAM) to prevent unauthorized access
- The Principle of Least Privilege, which grants users only the privileges necessary to complete authorized tasks
- Segmentation of data to limit lateral movement inside the computer network in case of a breach
- Zero Trust security models, which require access authorization for each individual application even for users already authorized on the network
Organizations should also have in place a holistic approach to security which includes robust security tools such as firewalls, end-user security, real-time threat intelligence, automated threat detection, data encryption, antivirus, and anti-malware software.
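As an added example (not from the original article or any product it mentions), the following Python sketch applies three of the controls above in one place: an SSN is refused at the applicant stage, medical data lives in a separate store, and each role can read only the fields it needs, with every attempt logged for review. Roles, field names and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Fields each role may read; anything not listed is denied (least privilege).
# Roles and field names are constructed assumptions for this example.
PERMISSIONS = {
    "recruiter": {"name", "email", "stage"},
    "payroll": {"name", "stage", "ssn"},
    "benefits": {"name", "medical"},
}

class AccessDenied(Exception):
    """Raised when a role asks for a field outside its permitted set."""

@dataclass
class HRStore:
    people: dict = field(default_factory=dict)   # general applicant/employee file
    medical: dict = field(default_factory=dict)  # medical data kept in its own store
    audit: list = field(default_factory=list)    # every read attempt, allowed or denied

    def add(self, pid, name, email, stage="applicant", ssn=None, medical=None):
        # Data minimization: an SSN is only accepted once the person is hired.
        if stage == "applicant" and ssn is not None:
            raise ValueError("SSN is not collected at the application stage")
        self.people[pid] = {"name": name, "email": email, "stage": stage, "ssn": ssn}
        if medical is not None:
            self.medical[pid] = medical  # never mixed into the general file

    def read(self, user, role, pid, fld):
        decision = "OK" if fld in PERMISSIONS.get(role, set()) else "DENIED"
        self.audit.append((user, role, pid, fld, decision))  # trail for detection
        if decision == "DENIED":
            raise AccessDenied(f"role {role!r} may not read {fld!r}")
        if fld == "medical":
            return self.medical.get(pid)
        return self.people[pid][fld]

def demo():
    # Constructed sample records exercising each control; returns the outcomes.
    store = HRStore()
    store.add("a1", "Ada Applicant", "ada@example.com")  # no SSN at this stage
    store.add("e1", "Eve Employee", "eve@example.com", stage="employee",
              ssn="000-00-0000", medical={"accommodation": "standing desk"})
    results = {
        "payroll_ssn": store.read("pat", "payroll", "e1", "ssn"),
        "benefits_medical": store.read("ben", "benefits", "e1", "medical"),
    }
    try:
        store.read("rae", "recruiter", "e1", "ssn")  # outside a recruiter's need
    except AccessDenied:
        results["recruiter_ssn"] = "denied"
    results["denials"] = sum(1 for entry in store.audit if entry[-1] == "DENIED")
    return results, store
```

The audit list is the piece a detection team would forward to a SIEM: a burst of DENIED entries for one user is the signal that someone is probing beyond their role.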
Provide training and education
More than 22 billion records were exposed in data breaches in 2021. The number one cause of data breaches continues to be human error. According to the Verizon 2021 Data Breach Investigations Report (DBIR), 85% of breaches involve some form of the human element, such as clicking on a malicious link in an email or falling victim to phishing scams.
Nearly half of all breaches result from stolen credentials. Organizations can reduce their exposure by providing regular training and education for employees to help them become more aware of dangerous online activities that can reveal their credentials or allow cybercriminals to access company networks and resources.
Require employees to follow security best practices, including:
- Use of complex passwords
- Two-factor authentication (2FA) or multi-factor authentication (MFA)
- Use of virtual private networks (VPN) or other secure connectivity when accessing company resources remotely
- Awareness of the threats that come with using public Wi-Fi
Have a plan in place
Cybersecurity requires both resistance and resilience. Organizations need to assume they will suffer a data breach at some point that exposes employee and applicant data, and plan now for a response. Incident response plans should follow the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), whose core functions are:
- Identify
- Protect
- Detect
- Respond
- Recover
Take proactive measures to protect your applicant and employee data
More than 60% of all businesses globally have experienced a cyberattack of some form. HR and IT leaders need to assume a data breach will happen at some point and take steps to protect and secure applicant and employee data.
This requires proactive measures to assess, identify, and mitigate potential security deficiencies before becoming a victim.