Your human resources department plays a vital role in how your company gets things done. It makes sure you are staffed properly, that benefits are administered and many other important obligations are met in a timely manner.
Everyone knows the pitfalls of the HR department. If they recruit a bad player, it can hurt morale, but it won’t necessarily sink the ship. There is, however, an HR-related obligation that, if left unmet, can take a company out in a keystroke. It’s in the news every day. That obligation is security.
If the Heartbleed fiasco taught us anything, it’s that there are myriad ways your company can be affected by security issues. Your HR department is vulnerable, too, and the most dangerous fallout comes increasingly from tax-related identity theft. Last year, the IRS issued more than $4 billion in misdirected tax refunds to fraudsters. On average, a victim has to wait more than six months to receive money stolen from them in this way, and they have to jump through a number of hoops to get it. The IRS has responded by making its filters more sophisticated and hiring more than 3,000 caseworkers, but the problem persists and is, in fact, growing, to the consternation of government, law enforcement and taxpayers.
Brian Krebs reported on a new scam recently in which cyber thieves had stolen W-2s and other employee personal information from a cloud server provided by Ultimate Software’s UltiPro. In addition to providing a place where HR professionals can store employee information and other vital HR files, the cloud also provides an irresistible opportunity for cyber criminals. According to Krebs, the crime ring created crimeware that was even available for licensing to other criminals. It allowed the fraudsters to track tax returns filed fraudulently on behalf of almost every employee with a W-2 on file with the affected companies. Ultimate Software says the incidents appear to originate on the end-user side, through individual employee computers that are infected with malware.
It used to be that a company’s intellectual property and trade secrets—from search engine algorithms to the secret sauce—were the most important assets to protect. That’s still the case, but increasingly employee information is just as valuable. Fail to protect it, and your company could be exposed to significant penalties and fines, as well as a wave of enterprise-killing lawsuits.
The FTC has created Identity Theft Prevention tools for the workplace. Here are some best practices that will help:
- Remember that every line item of personally identifiable information (PII) that your company collects could be used to ruin someone’s life, and that the potential liability to your company is enormous.
- Thoroughly vet your cloud service provider and check references.
- Only send double-encrypted documents to the cloud.
- PII should be released on a need-to-know basis, and generally if the person who needs to know isn’t the person whose PII is requested, you shouldn’t share it.
- Remember that no job reference needs to include a request for PII.
- Create a role in your HR Department with oversight on compliance regarding how and when PII gets moved around, because transport provides opportunities for cyber crimes.
- Make sure all of your security procedures are up to date, and all software is updated, too. The security compliance officer that you’ve designated is the right person for the job.
- Design and implement a tough data retention and destruction policy. Shred any paper records containing information you wouldn’t want a third party to have when you determine they are no longer useful to you.
- Don’t use Social Security numbers as the unique identifier for your employees. (Unfortunately, this is still done at many companies!)
- Consider having a no-BYOD (Bring Your Own Device) policy among your HR staff, or make sure there is strict security compliance on personal equipment.
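Two of the practices above, not using the Social Security number as the employee identifier and releasing PII only on a need-to-know basis, can be built into the HR system itself rather than left to policy alone. The following Python is an added example, not code from the article or from any HR product it mentions: it keys operational records by a random surrogate ID, stores only a keyed-HMAC token of the SSN in the directory (enough to detect duplicates and look a person up, but not reversible without the key), and keeps the real SSN in a separate vault that logs every request and answers only to the roles that need it. The class and role names and the sample employees are assumptions constructed for the example; the SSNs are fake.

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed sample data for the example; these are not real people or SSNs.
SAMPLE_EMPLOYEES = [
    {"name": "Ada Example", "ssn": "123-45-6789"},
    {"name": "Ben Sample", "ssn": "987-65-4321"},
]


class HRDirectory:
    """Operational HR records keyed by a random surrogate employee ID.

    The SSN itself never enters this store. A keyed HMAC of the SSN (a
    "blind index") supports duplicate detection and lookup without the
    directory ever holding the number in the clear.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # kept with the key material, not in the DB
        self._records = {}                   # employee_id -> record (no SSN)
        self._by_token = {}                  # ssn token -> employee_id

    def _token(self, ssn: str) -> str:
        digits = ssn.replace("-", "")
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def add(self, name: str, ssn: str) -> str:
        token = self._token(ssn)
        if token in self._by_token:
            raise ValueError("an employee with this SSN is already on file")
        employee_id = str(uuid.uuid4())      # surrogate identifier used everywhere else
        self._records[employee_id] = {
            "employee_id": employee_id,
            "name": name,
            "ssn_token": token,
        }
        self._by_token[token] = employee_id
        return employee_id

    def record(self, employee_id: str) -> dict:
        return dict(self._records[employee_id])

    def find_by_ssn(self, ssn: str):
        """Look up an employee by SSN without storing or exposing the SSN."""
        return self._by_token.get(self._token(ssn))


class PiiVault:
    """Separate store for the actual SSN, released only on a need-to-know basis."""

    ALLOWED_ROLES = {"payroll"}              # roles that genuinely need the raw number

    def __init__(self):
        self._ssns = {}
        self.access_log = []                 # every request, granted or denied, is recorded

    def put(self, employee_id: str, ssn: str) -> None:
        self._ssns[employee_id] = ssn

    def get(self, employee_id: str, requester_role: str, purpose: str) -> str:
        granted = requester_role in self.ALLOWED_ROLES
        self.access_log.append({
            "employee_id": employee_id,
            "role": requester_role,
            "purpose": purpose,
            "granted": granted,
        })
        if not granted:
            raise PermissionError(f"role {requester_role!r} may not read SSNs")
        return self._ssns[employee_id]


def onboard(directory: HRDirectory, vault: PiiVault, name: str, ssn: str) -> str:
    """Create the operational record and park the SSN in the vault."""
    employee_id = directory.add(name, ssn)
    vault.put(employee_id, ssn)
    return employee_id


def build_demo():
    """Set up a directory and vault populated with the constructed sample data."""
    index_key = secrets.token_bytes(32)      # in production: from a key manager, rotated
    directory = HRDirectory(index_key)
    vault = PiiVault()
    ids = [onboard(directory, vault, e["name"], e["ssn"]) for e in SAMPLE_EMPLOYEES]
    return directory, vault, ids


if __name__ == "__main__":
    directory, vault, ids = build_demo()
    print(directory.record(ids[0]))                       # no SSN field, only a token
    print(vault.get(ids[0], "payroll", "W-2 generation"))  # granted
    try:
        vault.get(ids[0], "recruiting", "reference check")
    except PermissionError as exc:
        print("denied:", exc)
    print(vault.access_log)
```

The point of the split is that a compromise of the everyday HR directory, the system most staff and most integrations touch, yields names and opaque tokens rather than the numbers a fraudster needs to file a return, and the vault's access log gives the compliance role described above something concrete to review.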
We live in an age where the third certainty in life is that you will have to deal with a data breach. I’ve written elsewhere about preparing for that. At the end of the day, you want the “R” in HR to stand for “resource” and not “radioactivity.” By developing strict data security standards and properly training your HR personnel (continuously) to respect and utilize best practices, you can help your HR department keep things running on time.
[Editor’s note: If you’re concerned that the security practices in your workplace HR office have left your personal information vulnerable, there are ways to monitor for fraud that may have occurred in your name as a result. By checking your credit reports regularly, and by monitoring your credit scores for unexpected drops (which you can do for free on Credit.com), you may discover signs that your identity has been stolen.]