While much of the attention has focused on consumer damage control at JP Morgan, Target, Home Depot and now Anthem after massive data breaches in the last year, what may be even harder for companies to deal with is the theft of employee data. What’s more, this risk may be rising as hackers increasingly target valuable personal information.
In the cases of Sony and Anthem, both consumer and employee data were stolen, and because this data can be used for identity theft for years, its theft is particularly damaging. Employees of Sony have already filed a number of lawsuits against Sony for allegedly failing to provide adequate security to protect their information.
Founders, CFOs, Controllers, and HR Directors are moving to protect their employees’ data from outside attacks. Over ten million individuals have their identity stolen annually, and Anthem’s data breach may include information like social security numbers, birthdays, salary information, and medical information on eighty million customers and employees. This is causing many companies to pay more attention to their cybersecurity.
Steve Francis, Founder/President of LogicMonitor, a fast-growing server monitoring solution, said, “We scan our employee identification documents, upload them to our virtual data room and then shred the paper copies.”
Steve cited two main reasons for these precautions:
- Homeland Security Compliance: In 2010, the US Department of Homeland Security detailed specific thresholds for maintaining and protecting electronic employee information that included access audit trail records and backup systems. Government audits of company security on employee data have gone up exponentially, and non-compliance can incur fines of $110-$1,000 per record. (See discussion of I-9 and E-Verify compliance.)
- Identity Theft Risk: As a network specialist, Steve is keenly aware of security issues, and more importantly, he knows that a data breach affecting his employees could mean months of unwinding false identity issues and a massive loss of productivity. Direct personal losses due to identity theft can average over $9,000 per victim. (See identity theft statistics.)
Giovanni Vigna, Founder of Lastline, a cybersecurity solution for enterprise companies, recently explained why the risks Steve is trying to avoid are real. “In the 1980s cyber crime was random and anonymous and relatively harmless, almost like graffiti. Today, cyber criminals are much more sophisticated, and they specifically target companies, executives, and others for documents and information they can monetize on the black market.” A couple of years ago, Giovanni laid a trap for some cyber criminals and tracked their efforts to steal fake personal information like social security numbers, credit cards, etc. and then sell them on underground markets. Criminals quickly found and took the bait. Prices for stolen data vary, but examples include $25 for each United States identification, $7 for an Amex credit card, and the list goes on. In short, stolen identification from employers that failed to protect their employees’ data has a ready market of buyers. (See black market prices for personal data.)
How to Protect Your Employee Data
There are a number of solutions out there that comply with I-9 security recommendations, but here are some basic guidelines CFOs and HR Directors can use to determine whether their system is set up to protect their employees’ information:
- Two-factor authentication to thwart hackers who may have stolen email addresses and passwords
- Audit log that details who accessed personal records
- Encryption of employee documents
- Role-based permissioning to control who has access to employee records
- View-only permissioning to ensure employee information isn’t downloaded by anyone
Solutions that accommodate the criteria above aren’t necessarily expensive. Some virtual data rooms like SecureDocs cost as little as $200 a month for unlimited users and documents.