Background

What do the above companies, along with hundreds of others, have in common? When it comes to their technology, there are at least three things. First, they all have, or at least profess to have, the finest I.T. (information technology) systems available. Second, they purport to have the brightest and finest I.T. technicians available maintaining their I.T. systems to ensure they are adequately protected from outside intrusion. Finally, all of them have experienced unauthorized access to their data and the release of private information of their employees, clients, and customers.

The Issue

Should unauthorized access and information releases be of concern to PEOs? Clearly the answer is yes! PEOs maintain the personal information of their corporate employees and worksite employees, and warehouse in their databases the information of previous employees, all of which can number from hundreds to millions of records. Yet when the question of unauthorized access to data is posed to PEO owners and officers, the response is often “we have a great computer system and our I.T. technicians have assured me that there is no chance of our data being accessed”. Sound familiar? While there are exceptions, Fortune 1000 companies generally have the most recent advances in I.T. tools and technicians at their disposal. Yet, as previously noted, unauthorized access to their data still occurs. No firm in today’s world, PEOs included, can safely assume that unauthorized access to its data is not possible. Those who believe otherwise are most likely accepting substantial risk. According to the Identity Theft Resource Center, through May of 2009 over 12,000,000 records containing personal information have been compromised. The Ponemon Institute, a privacy management research firm, indicates that data breaches cost on average over $197 per personal record compromised.
The legal notification requirements of a breach, or even a suspected breach, cost $10 to $12 per individual record, with the balance being applied to individual credit monitoring services to prevent I.D. theft as well as actual individual I.D. theft resolution expenses. In 2007, a PEO experienced a breach that resulted in the loss of records of 159,000 former and current worksite and corporate employees. Using the numbers previously cited, a conservative loss cost for this incident was over $1,500,000, not to mention the individual prevention and restoration costs.

Loss Drivers

There are three primary areas of data compromise: a) unauthorized access to data, b) lost or stolen information, and c) the acts of dishonest employees. We will explore each in more detail.

Unauthorized Access. Unauthorized access to private information through a company’s I.T. system is the most common method of data compromise. Companies that maintain private information on individuals and businesses are obligated to safeguard this information using the most current technology applications and methods available. Many states have enacted laws requiring that this private information be encrypted. It is incumbent upon the owners of companies to be sure that this is the case, typically through their I.T. technicians. It is an ongoing, evolving process that continually attempts to safeguard the data from unauthorized access.

Loss of Information. The second area of data breaches occurs due to the loss of information. Theft and/or loss of laptop and notebook computers is the leading cause of compromise. This is how the previously cited PEO in 2007 lost the personal records of 159,000 current and former employees. According to the Ponemon Institute, over 12,000 laptop and notebook computers are lost in U.S. airports every week. Only 33% of these lost machines are ever reclaimed by their owners.
As a result, over 400,000 machines are sold at airport auctions annually, intact with all the information that was in place when they were lost. These numbers do not include machines lost and stolen in other places. According to employee surveys, over 58% of business laptops and notebooks contain private information of employees and clients on their hard drives. In order to eliminate this risk, PEOs should not allow corporate data to be kept on a laptop’s or notebook’s local hard drive. Remote data access should be through a secure private network or a virtual private network over an internet connection, with the data encrypted. Further, rules should be in place that forbid the transfer of corporate data to portable drives. Again, remote access should be granted only through secure networks. Additional losses of data have occurred due to server theft, lost backup tapes, lost data tapes, and lost shipments containing data.

Employee Actions. Employees are the third largest source of unauthorized data releases. These releases can occur both through the I.T. system and through physical records. They can occur due to lax attitudes toward security as well as through dishonest acts. A recent study by the Ponemon Institute found that employees are becoming increasingly lax in their compliance with corporate data security. Consider the following survey responses:
61% download data to unsecured mobile devices
47% share passwords
43% have lost data bearing devices
21% have turned off their mobile devices’ security tools
57% said their employers’ data protection policies were ineffective
42% indicated there was poor communication and enforcement of data security policies
58% said their employer failed to provide adequate data security awareness and training
Dishonest acts by employees also contribute to this problem. There has been an increase in this area that may be attributable to the current economic conditions, which have increased crime and employee dishonesty for society and businesses on a global basis. Last month, a major insurance company announced that its clients’ files had been compromised by a third-party vendor’s employee who had been performing work for them. It could have just as easily been a direct employee. In this case, the employee had copied information from customers’ checks, recreated the checks on his computer, and then used the checks to make purchases. In other instances, employees have stolen private information to steal identities, have sold the information in both hardcopy and electronic formats to others, and have provided outsiders with access credentials such as passwords, allowing them to steal private information for dishonest purposes.

Risk Mitigation

What can a PEO do to protect itself from what could be a financially devastating situation, including the potential bankruptcy of the firm?
Institute mandatory criminal and credit background checks for all new corporate employees.
If you are outsourcing to others that have access to your corporate and worksite employee data, as well as your client companies’ data, ensure that your provider has employee security checks in place. Also make sure they agree contractually to assume responsibility, on your behalf, for any consequences of acts by their employees that compromise privacy.
Establish a corporate data security policy that is under constant review to ensure it remains current. The policy should not only be included in your employee manual and procedures, it must be communicated and training provided on an ongoing basis.
Be certain your I.T. technicians are constantly updating and testing your data security systems.
Engage an outside data security firm to review your data security and test your I.T. system safeguards on a regular basis. This will not only help prove the security of your system, but also provide a professional third-party opinion on your security based upon their experience with their corporate clients facing the same issues.
Risk Transfer

Insurance may provide some peace of mind as a backup to your company’s corporate data security policy. The bad news is that the standard insurance purchased by PEOs typically does not provide any coverage for violation of privacy, and in fact most policies specifically exclude coverage for privacy issues. The good news is that insurance is available for such privacy breaches as a mitigation response should your PEO experience unauthorized access to your data. These specialty insurance policies can provide coverage for notification expenses and may also include the mitigation and restoration expenses associated with a privacy breach.

Closing

Privacy violations can be financially devastating to a PEO, both for the immediate costs of an event and for future revenues lost due to the bad publicity that accompanies these kinds of incidents. It is imperative that a best-practices program of preparedness that includes I.T. security, compliance, training, and response be undertaken in order to avoid and limit the potential consequences of this all too frequent situation.