Recent high-profile data privacy issues such as those at Target and the University of Maryland have demonstrated just how vulnerable our personal information is to theft. A session at the American Payroll Association’s Capital Summit Monday focused on how employers need to proactively protect sensitive information using a cross-functional team.

As employers, the immediacy of the situation is two-fold, since human resource departments not only have access to personal identification information such as Social Security numbers, birth dates and often bank account numbers used for payroll purposes, but also sensitive health care information used for enrollment in employee benefit plans. And, according to one security specialist, the theft of personal health care data is becoming more prevalent than any other category of data breach.

Data thieves “get more money for health care information than just Social Security numbers,” says Andrew McDevitt, compliance and government affairs manager at Xero.

While many companies are addressing the increasing threat of data theft by creating privacy teams or security teams within their corporation, McDevitt told attendees at the summit, “privacy and security compliance and management is a team sport.”

It’s not just about creating a privacy monitoring group, or relying on the HR department or payroll department to institute security practices, “it’s about creating a cross-functional team,” he said.

The Federal Trade Commission requires companies to have a reasonable security program implemented, including ongoing monitoring and adjustments to new circumstances and technologies, according to Mark Eichorn, assistant director of the FTC’s privacy division, also speaking at the summit.

Only 36% of data breaches are the result of malicious behavior, McDevitt said. Twenty-nine percent of breaches occur because of system error and 35% are due to human error.

A data breach does not necessarily show that a company failed to have reasonable security measures, FTC’s Eichorn said. “There’s no such thing as perfect security. Regardless, you may have some unreasonable security practices in place,” he added.

He said some common mistakes that employers make include:

  • Storing personal information longer than needed or online when not necessary.
  • Using default or other easy-to-guess passwords.
  • Storing or transmitting sensitive information, including passwords, in plain text.
  • Failing to take steps to segment or restrict access to data.
  • Failure to provide appropriate employee training and oversight.
  • Failing to take steps to detect or investigate data breaches or theft.

Employers should also have a strong document destruction policy in place, McDevitt said. The FTC has brought cases against several companies, such as Rite-Aid and CVS, for disposing of paper documents containing sensitive information in trash containers.
Companies should also initiate strong third-party contracts and vendor management agreements for information security. The creation of these contracts should involve members of a company’s legal team, HR team, IT team and risk management, McDevitt said.

“Even if you outsource the data functions, you don’t outsource the responsibility over that data,” he added.

Register or login for access to this item and much more

All Employee Benefit Adviser content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access