Computer Security: Protecting Employee Information
If your business is like most, computers have made payroll duties fast and efficient. Calculating deductions, printing checks, updating addresses—all those critical activities that once required hours of drudgery are now accomplished with the touch of a keyboard.
Advances in electronic data processing, though, carry a downside: There’s more risk than ever that sensitive employee information may be stolen by an insider with a flash drive or an outsider with an Internet line. That kind of theft can pose real problems to your business, from a plunge in workplace morale to a costly lawsuit if employees sue for negligence. That’s why, for every retailer, computer security should be a top priority.
“Protection of payroll data is something employers should be particularly concerned about, given all of the recent problems with identity theft,” warns Maria Perugini Baechli, a lawyer in the Washington, DC office of San Francisco-based Littler Mendelson, the nation’s largest employment law firm. “If sensitive information is obtained by an individual who is not trustworthy, employees could find themselves in a situation in which their information is being used for improper purposes, or their identities have been stolen.”
While organizations of all kinds maintain sensitive personal information, employers are particularly vulnerable to theft and its costly aftershock because of the comprehensive nature of payroll data. “Outside of financial institutions and credit bureaus, employers are probably the keepers of some of the largest collections of personal information,” points out Tena Friery, research director of the San Diego-based Privacy Rights Clearinghouse. “Their databases contain names, Social Security numbers, addresses, relatives’ names, and even health information.”
Recent headlines have made payroll data security a front burner issue. Last fall, a thief carried off a laptop computer containing names, Social Security numbers, birth dates and banking information of 160,000 current and former employees of the aerospace manufacturer Boeing Co. Earlier in the year Time Warner lost the Social Security numbers and other personal data of 600,000 current and former employees and relatives when a storage company misplaced computer backup tapes. Around the same time massive breaches of consumer data were reported at Citigroup, Bank of America, MCI, and two major credit card organizations.
Such events—along with an overall escalation of reported identity theft—have spooked the public and sparked federal and state laws penalizing companies negligent in the protection of employee data. (See box: “New Laws Protect Employee Data.”)
What data needs to be secured? For an answer we turned to Donald Harris, president of HR Privacy Solutions, a New York-based consulting practice that assists companies in addressing privacy challenges. “You’d have to be not reading the newspapers to miss that Social Security numbers are radioactive,” he says. “Certainly in terms of risk assessment they are at the top of the list of what to protect, along with other data that can be used in identity theft such as direct deposit bank account numbers, home addresses and drivers license numbers.”
Maybe those items are top of mind, but the payroll department is privy to other data that also should be protected. The reason is that companies face more than the risk of identity theft when payroll information gets disbursed to the wrong people. Harris offers these examples of common risks and what data need to be secured to avoid them:
- Your business can lose trade secrets and other competitive information when external parties use stolen data, often obtained by tricking current employees into revealing pay scales and chains of command over the telephone or by e-mail. Data you need to protect: employee and department ID numbers, names of individuals to whom employees report.
- Internal pay disputes can arise among employees when they perceive compensation disparities as a result of leaked payroll information. Data you need to protect: wages, bonuses, options, hours worked.
- Morale can drop when information is leaked about personal data that an employee may perceive as sensitive. Data to protect: wage garnishments, tax levies, child support payments, marital status, contributions made to charitable organizations through payroll deductions.
- An employee’s credit standing or ability to obtain another job may be jeopardized when personal information is leaked. Data to protect: sick leave data, disability payments.
What are some efficient techniques to protect sensitive data? Here are the most common ones, starting at the lower end of the technological spectrum:
- Lock up documents. “Paper documents containing sensitive data should be stored only in protected areas,” says Baechli. “Files and desks should be kept locked and discarded documents should be shredded.” Give special care to copies of paychecks, stubs, W-2 forms, and related payroll documents. Control access keys. Finally, make sure the payroll premises are not easily entered. Arrange for protection from the cleaning staff in the evenings and on weekends.
- Limit use of Social Security numbers. Many companies use Social Security numbers for employee identification and even as access codes when individuals log into company networks. Bad idea. Use alternative numbers whenever possible. “Try to limit use of Social Security numbers to documents filed with the IRS and the Social Security Administration,” suggests Friery. One more thing: “Hand W-2 forms to employees in individual sealed envelopes rather than stacking them in a central location”.
- Limit data printed on pay stubs and paychecks. Since many employees just toss their paycheck stubs in the trash, it’s wise to include only the minimum required information. “Do you really need more than a name, and perhaps an employee identification number?” poses Harris. California and some other states have mandated that only the last four digits of Social Security numbers be printed on stubs. It’s even better to omit any part of that number, since people often carelessly use the last four digits for passwords or other identification purposes.
There are a number of steps you need to take to protect your employee data:
- Establish multiple security layers of access on computers. Gone are the days when you could put a computer behind a locked door and figure only people with the right key could get access. Given the ubiquity of internal and external networks, you need to create new ways to make sure payroll data is kept from the public eye and accessed only by employees who need to know.
- Create multiple levels of security within databases. Think of your security system as a series of layered shells. The outermost shell is a firewall that keeps outsiders at bay. Just inside is a password system that allows only authorized employees to get at specific categories of information. And inside that is a layer of encryption that keeps sensitive data from being seen by anyone without a software key. (Many of the new state laws addressing the security of employee data exempt employers from liability when digital files have been encrypted.)
- Establish access rules. Security experts suggest limiting the collection, use and disclosure of sensitive data to the minimum necessary for the intended purpose. “Specify who has access to which data fields,” suggests Harris. “For example, restrict access to Social Security numbers to those who really need them.” Bank account numbers, to give another example, should only be available to individuals who are involved with the direct deposit activity. Once rules are established, install a security-software module that can track employee access to specific fields, or make sure that the currently installed module is activated and its reports are actually being reviewed on a regular basis.
- Perform background checks on payroll staff. Background checks will reveal whether applicants have any history of financially related crimes or have serious debt problems that they might attempt to clear by selling information.
- Control data entered on PDAs, laptops, or paper documents. Technology that is undergoing continuing change makes security something of a moving target. The increasing use of laptops, for example, means that more employees are taking work home or carting it along on business trips. Either way it’s easy for sensitive data to be stolen along with the laptops themselves. And there are always new technological advances to deal with. For example, a company could experience a breach in payroll data if an employee’s personal digital assistant, such as a BlackBerry, is stolen.
- Close security holes when employees depart. “Upon terminating an employee with authorized access to sensitive data, promptly change all passwords and security codes available to the terminated employee and require the immediate return of computer disks, compacts disks, keys and laptop computer,” suggests Baechli. “After terminating an employee with authorized access to sensitive data, strip the employee’s computer of sensitive data before re-issuing the computer to another employee.”
- Monitor access by vendors. Bar temporary, outsourced, and vendor employees from sensitive data except when absolutely necessary. “When access is necessary, the employer should conduct a background check or ensure that the temp agency, outsourcer or vendor has done so,” says Baechli. “The employer also should monitor these employees’ use and disclosure of sensitive data to the maximum extent feasible. Consider obtaining confidentiality agreements from the employees of vendors.”
Take special care when it comes to computer service vendors. “It’s not uncommon for organizations to set up Web-based interfaces for payroll processing,” says John Kiser, CEO of Gray Hat Research Corp., a Houston-based security consultancy. “Many times that Web-based system does not belong to the company who provides the interface but sits in some Internet service provider data center.” Kiser suggests taking a hard look at any external organization that houses employee information, since his company has been involved in a number of investigative activities where such systems were subject to hacking.
- Avoid disclosure to third parties. “We recommend that employers use caution when being contacted by any outside parties,” says Friery. “Be suspicious about who is on [the other] end of [the] telephone.” A caller may claim to be a mortgage company or a creditor needing to verify salary and employment or other financial data. Insist that such requests be submitted and answered in writing. “There is the potential that the person on the other end of the line is not who they claim to be,” cautions Friery. “Could it be an ex-spouse or paramour, or even a current employee?”
Even if the caller is legitimate, it does not follow that they are entitled to the requested information. Release data only at the written request of the affected employee. “Payroll data should be protected from an employee’s creditors based on common law privacy concerns,” says Baechli. “A creditor, however, should be able to obtain payroll data through lawful means such as a subpoena or wage garnishment action.” Whatever the specific requests or the actions you take, enter it in a written journal.
- Train your staff. “Training is critical,” says Harris. “The payroll staff needs to have its eyes opened that employee information should be treated like a controlled substance. Today there is a need for much stronger awareness and sensitivity.” There’s an added benefit to a well trained staff: Employees will be reassured that the company is concerned about protecting their data.
As the guidance in this article suggests, a successful program to protect payroll data will combine techniques that address physical documents, computer files and employee practices. “While many employers have started to make needed changes in their internal practices, payroll data protection is still a work in progress,” says Baechli. “Companies need to remain flexible, responding to new problems and technological advances.” A proactive approach to protecting your employee’s personnel data is best for them—and good for you.