When it comes to protecting data, I can’t think of another area of business that carries a greater level of risk than human resources. Human resources managers handle employees’ personally identifiable information (PII) and protected health information (PHI) in large quantities on a regular basis. In addition, human resources departments typically have many different data feeds flowing in and out as they work closely with IT and payroll to manage data and deliverables.
Although external data breaches are frequently in the news, and many attacks do occur where an outsider intentionally tries to access information they have no right to, the greater risk actually comes from internal staff. Internal staff members hold the keys to the castle and the combination to the safe: if they have the appropriate access, they already have everything they need to reach their employer’s systems. It is important that human resources managers make sure an employee’s accounts and access are revoked promptly when they leave the company or are terminated, including logins to third-party sites such as payroll and benefits portals, which are easy to overlook because they sit outside the company’s own directory. Having security policies in place when hiring is also critical. Any employee who will touch PII or PHI needs to be thoroughly vetted, perhaps with a background check, before they are hired.
Another safeguard a manager can use is data loss prevention (DLP) software that monitors email and network traffic and writes a log entry every time PII or PHI is transmitted. Such monitoring tracks email traffic and can raise an alert when a mass or frequent transmission of PII or PHI takes place, when sensitive data is sent to an outside address, or when confidential data is copied to external drives. The value of the log is in the pattern it reveals: one record sent to payroll is routine, while the same person sending dozens of records in a morning, or sending them to a personal address, is not. Expect to tune the detection rules, since strings that look like Social Security numbers also turn up in invoice and ticket numbers.
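The following is an added example, not code from the article or from any product the author uses, of the monitoring logic described above: scan a batch of email messages for Social Security numbers, log the fact of each transmission (never the numbers themselves), and alert on three patterns, PII sent to an external domain, a bulk send, and frequent sends from one person within a short window. The internal domain, the thresholds, and the sample mailbox are all constructed assumptions; a real deployment would feed it from a mail gateway or journaling mailbox and would cover more data types than dashed SSNs.

```python
"""Added example: a minimal email DLP monitor for SSN-style PII.

Constructed sample data; INTERNAL_DOMAIN and the thresholds are assumptions,
not values from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"  # assumed: mail to any other domain counts as external

# US SSN in dashed form, excluding blocks that are never issued (area 000/666/9xx,
# group 00, serial 0000). This trims false positives such as order or ticket numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text):
    """Return the plausible SSNs found in text (full matches only)."""
    return SSN_RE.findall(text)


def is_external(address):
    """True when the recipient is outside the assumed internal domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_messages(messages, bulk_threshold=5, window=timedelta(minutes=30),
                  frequency_threshold=3):
    """Log every message carrying PII and raise alerts on risky patterns.

    Each message is a dict with ts (ISO 8601), sender, recipients (list) and body.
    Returns (log, alerts). Alert kinds:
      PII_TO_EXTERNAL  PII sent to an address outside INTERNAL_DOMAIN
      BULK_PII         one message carrying >= bulk_threshold records
      FREQUENT_PII     >= frequency_threshold PII messages from one sender within window
    """
    log, alerts = [], []
    recent_by_sender = defaultdict(list)  # sender -> timestamps of PII-bearing mail
    for msg in sorted(messages, key=lambda m: m["ts"]):
        ssns = find_ssns(msg["body"])
        if not ssns:
            continue  # ordinary mail: nothing sensitive, nothing logged
        ts = datetime.fromisoformat(msg["ts"])
        external = [r for r in msg["recipients"] if is_external(r)]
        # Record that a transmission happened; the SSNs themselves stay out of the log.
        log.append({"ts": msg["ts"], "sender": msg["sender"],
                    "records": len(ssns), "external": external})

        if external:
            alerts.append({"kind": "PII_TO_EXTERNAL", "sender": msg["sender"],
                           "ts": msg["ts"], "detail": external})
        if len(ssns) >= bulk_threshold:
            alerts.append({"kind": "BULK_PII", "sender": msg["sender"],
                           "ts": msg["ts"], "detail": len(ssns)})

        # Sliding window: keep only this sender's PII sends within `window`.
        history = [t for t in recent_by_sender[msg["sender"]] if ts - t <= window]
        history.append(ts)
        recent_by_sender[msg["sender"]] = history
        if len(history) >= frequency_threshold:
            alerts.append({"kind": "FREQUENT_PII", "sender": msg["sender"],
                           "ts": msg["ts"], "detail": len(history)})
    return log, alerts


# Constructed sample mailbox (not real data, not from the article).
SAMPLE_MESSAGES = [
    {"ts": "2024-03-01T09:00:00", "sender": "hr.manager@example.com",
     "recipients": ["payroll@example.com"],
     "body": "Please add the new hire, SSN 123-45-6789, to the March run."},
    {"ts": "2024-03-01T09:05:00", "sender": "hr.manager@example.com",
     "recipients": ["enrollment@partner-insurance.com"],
     "body": "Enrollment: 234-56-7890 and 345-67-8901."},
    {"ts": "2024-03-01T09:10:00", "sender": "hr.manager@example.com",
     "recipients": ["personal.mail@gmail.com"],
     "body": "Reminder: PO 000-12-3456, ticket 987-65-4321."},  # SSN-shaped, but not valid SSNs
    {"ts": "2024-03-01T09:20:00", "sender": "hr.manager@example.com",
     "recipients": ["archive@example.com"],
     "body": "Roster: 111-22-3333 222-33-4444 333-44-5555 444-55-6666 555-66-7777 777-88-9999"},
    {"ts": "2024-03-01T11:00:00", "sender": "it.helpdesk@example.com",
     "recipients": ["hr.manager@example.com"],
     "body": "Your laptop ticket is closed."},
]

if __name__ == "__main__":
    log_entries, found_alerts = scan_messages(SAMPLE_MESSAGES)
    for entry in log_entries:
        print("LOG  ", entry)
    for alert in found_alerts:
        print("ALERT", alert)
```

Run against the sample mailbox, the monitor logs three transmissions and raises three alerts: the enrollment mail to the partner domain, the six-record roster as a bulk send, and the same roster as the third PII-bearing message from one sender inside thirty minutes. The mail to the personal address is correctly ignored because its numbers fall in ranges the SSA never issues, which is the kind of tuning the paragraph above refers to.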
If a company does not use secure, encrypted email, it is placing itself at high risk, and even encryption does nothing about how many copies get made. For example, a member of the human resources department sends one email containing PII to three internal staff members and two external partners. That email is now sitting in the sender’s sent folder and five inboxes: six copies. If three of the recipients reply to all, each reply lands in the replier’s sent folder and the other five mailboxes, adding three sent copies and 15 inbox copies. So this quick exchange, originally going to five people with three replies, results in 24 copies of an email containing sensitive employee information. And that doesn’t take into account mobile devices or backup tapes. If each person also reads work email on a mobile device, the count doubles to 48, and a single backup of every mailbox doubles it again to 96 copies generated from one brief exchange. Each of those copies is a place the data can leak from long after the conversation is over, which is why sensitive records are better shared as a link to an access-controlled location than as an attachment.
Another area of concern when it comes to internal employees is what’s called a clear desk policy. Often, people print things or leave handwritten notes sitting out in the open on their desks. These items can be viewed by staff members who do not have the same clearance, who might even take a picture or make a copy. In addition, cleaning crews and other after-hours visitors may have access to information left out on a desk. It is important to have a policy stating that employees must clear their desks and discard or shred sensitive information, with locked storage and shredders provided so that the policy is practical to follow. Annual training for all staff, with ongoing reminders and follow-up sessions when security breaches appear in the news, will remind staff members how this issue directly affects them.
Another risk factor to be aware of is the security posture of your partner organizations. The fact is that human resources departments share numerous data feeds with different partners: carrier partners, TPAs (third-party administrators), enrollment vendors and broker partners. It is important to understand what each vendor is doing with that information. Is it stored in-house or with a subcontractor? Is it encrypted at rest and in transit? Are they sharing it with other parties, and how long do they keep it? Managers can’t just look at the first layer of access; they need to look beyond that and peel back the layers, vendor by vendor and subcontractor by subcontractor, to fully protect their company’s data.
by SEAN LACEY
Sean Lacey is the Chief Technology Officer at Univers Workplace Solutions.