Protecting employee personal data is a ‘team sport’

Recent high-profile data privacy issues such as those at Target and the University of Maryland have demonstrated just how vulnerable our personal information is to theft. A session at the American Payroll Association’s Capital Summit Monday focused on how employers need to proactively protect sensitive information using a cross-functional team.

For employers, the situation is doubly urgent, since human resource departments have access not only to personal identification information such as Social Security numbers, birth dates and often bank account numbers used for payroll purposes, but also to sensitive health care information used for enrollment in employee benefit plans. And, according to one security specialist, the theft of personal health care data is becoming more prevalent than any other category of data breach.

Data thieves “get more money for health care information than just Social Security numbers,” says Andrew McDevitt, compliance and government affairs manager at Xero.

While many companies are addressing the increasing threat of data theft by creating privacy teams or security teams within their corporation, McDevitt told attendees at the summit, “privacy and security compliance and management is a team sport.”

It’s not just about creating a privacy monitoring group, or relying on the HR department or payroll department to institute security practices, “it’s about creating a cross-functional team,” he said.

The Federal Trade Commission requires companies to have a reasonable security program implemented, including ongoing monitoring and adjustments to new circumstances and technologies, according to Mark Eichorn, assistant director of the FTC’s privacy division, also speaking at the summit.

Only 36% of data breaches are the result of malicious behavior, McDevitt said. Twenty-nine percent of breaches occur because of system error and 35% are due to human error.

A data breach does not necessarily show that a company failed to have reasonable security measures, FTC’s Eichorn said. “There’s no such thing as perfect security. Regardless, you may have some unreasonable security practices in place,” he added.

He said some common mistakes that employers make include:

  • Storing personal information longer than needed or online when not necessary.
  • Using default or other easy-to-guess passwords.
  • Storing or transmitting sensitive information, including passwords, in plain text.
  • Failing to take steps to segment or restrict access to data.
  • Failing to provide appropriate employee training and oversight.
  • Failing to take steps to detect or investigate data breaches or theft.

Employers should also have a strong document destruction policy in place, McDevitt said. The FTC has brought cases against several companies, such as Rite-Aid and CVS, for disposing of paper documents containing sensitive information in trash containers.

Companies should also initiate strong third-party contracts and vendor management agreements for information security. The creation of these contracts should involve members of a company’s legal team, HR team, IT team and risk management, McDevitt said.

“Even if you outsource the data functions, you don’t outsource the responsibility over that data,” he added.
