Defend Your Data

WIDE OPEN: Computer networks pose a real threat.

BETTER SAFE: Be sure to shred all discarded documents.


Computers have made payroll duties fast and efficient. Calculating deductions, printing checks, updating addresses: All those critical activities that once required hours of green eyeshade drudgery are now accomplished with the touch of a keyboard. Advances in electronic data processing, though, carry a downside: a bigger-than-ever risk that sensitive employee information will be stolen by an insider with a flash drive or an outsider with an Internet line. And that kind of theft can pose real problems to your business, from a plunge in workplace morale to a costly lawsuit when employees sue for negligence. "Protection of payroll data is something employers should be particularly concerned about, given all of the recent problems with identity theft," warns Maria Perugini Baechli, a shareholder in the Washington, DC, office of San Francisco-based Littler Mendelson, the nation's largest employment law firm. "If sensitive information is obtained by an individual who is not trustworthy, employees could find themselves in a situation in which their information is being used for improper purposes, or their identities have been stolen."

While organizations of all kinds maintain sensitive personal information, employers are particularly vulnerable to theft and its costly aftershock because of the comprehensive nature of payroll data. "Outside of financial institutions and credit bureaus, employers are probably the keepers of some of the largest collections of personal information," says Tena Friery, research director of the San Diego-based Privacy Rights Clearinghouse. "Their databases contain names, social security numbers, addresses, relatives' names and even health information."

Recent headlines have made payroll data security a front-burner issue. Last fall a thief carried off a laptop computer containing names, social security numbers, birth dates and banking information of some 160,000 current and former employees of the aerospace manufacturer Boeing Co. Earlier in the year Time Warner lost the social security numbers and other personal data of some 600,000 current and former employees and relatives when a storage company misplaced computer backup tapes. Around the same time massive breaches of consumer data were reported at Citigroup, Bank of America, MCI and two major credit card organizations.

Such events, along with an overall escalation of reported identity theft, have spooked the public and sparked federal and state laws penalizing companies negligent in the protection of employee data (See box, "New Laws Protect Employee Data").

IDENTIFY SENSITIVE DATA
What data needs to be secured? For an answer we turned to Donald Harris, president of HR Privacy Solutions, a New York-based consulting practice that assists companies in addressing privacy challenges. "You'd have to be not reading the newspapers to miss that social security numbers are radioactive," he says. "Certainly in terms of risk assessment they are at the top of the list of what to protect, along with other data that can be used in identity theft, such as direct deposit bank account numbers, home addresses and driver's license numbers."

Those items may be top of mind, but the payroll department is privy to other data that should also be protected. The reason is that companies face more than the risk of identity theft when payroll information is disclosed to the wrong people. Harris offers these examples of common risks and just what needs to be secured to avoid each:

  • Your business can lose trade secrets and other competitive information when external parties use stolen data to engage in "social engineering." This process often involves tricking employees into revealing pay scales and chains of command over the telephone or by email.
      • Data you need to protect: Employee and department ID numbers and names of individuals to whom employees report.
  • Internal pay disputes can arise over perceived compensation disparities as a result of leaked payroll information.
      • Data to protect: Wages, bonuses, options, hours worked.
  • Morale can drop when information is leaked about personal data that an employee may perceive as sensitive.
      • Data to protect: Wage garnishments, tax levies, child support payments, marital status, contributions made to charitable organizations through payroll deductions.
  • An employee's credit standing or ability to obtain another job may be jeopardized when information is leaked.
      • Data to protect: Sick leave data, disability payments.

ESTABLISH PHYSICAL PROTECTIONS
What are some efficient techniques to protect sensitive data? Here are some commonly encountered ones, starting at the lower end of the technological spectrum:

  • Lock up documents. "Paper documents containing sensitive data should be stored only in protected areas," says Baechli. "Files and desks should be kept locked and discarded documents should be shredded." Give special care to copies of paychecks, stubs, W-2 forms and related payroll documents. Control access keys. Finally, make sure the payroll premises are not easily entered. Arrange for protection from the cleaning staff in the evenings and on weekends.
  • Limit use of social security numbers. Many companies use social security numbers for employee identification and even as access codes when individuals log into company networks. Bad idea. Use alternative numbers whenever possible. "Try to limit use of social security numbers to documents filed with the IRS and the Social Security Administration," suggests Friery. One more thing: "Hand W-2 forms to employees in individual sealed envelopes rather than stacking them in a central location."
  • Limit data printed on pay stubs and paychecks. Since many employees just toss their paycheck stubs in the trash, it's wise to include only the minimum required information. "Do you really need more than a name, and perhaps an employee identification number?" poses Harris. California and other states have mandated that only the last four digits of social security numbers be printed on stubs. It's even better to omit any part of that number, since people often carelessly use the last four digits for passwords or other identification purposes.

ELECTRONIC SECURITY STEPS

  • Establish multiple security layers of access on computers. Gone are the days when you could put a computer behind a locked door and figure only people with the right key could get access. Given the ubiquity of internal and external networks, you need to create new ways to make sure payroll data is kept from the public eye and accessed only by employees who need to know. Security experts advise creating multiple levels of security around the computerized database. Think of this system as one of layered shells. The outermost one is a firewall that keeps outsiders at bay. Just inside is a password system that allows only authorized employees to get at specific categories of information. And inside that is a layer of encryption that keeps sensitive data from being seen by anyone without a software key. (Many of the new state laws addressing the security of employee data, by the way, exempt employers from liability when digital files have been encrypted.)
  • Establish access rules. Security experts suggest limiting the collection, use and disclosure of sensitive data to the minimum necessary for the intended purpose. "Specify who has access to which data fields," suggests Harris. "For example, restrict access to social security numbers to those who really need them." Bank account numbers, to give another example, should only be available to individuals who are involved with the direct deposit activity. Once rules are established, install software that maintains audit trails of who attempts to access, change and delete data.
  • Perform background checks on payroll staff. Background checks will reveal whether applicants have any history of financially related crimes or have serious debt problems that they might attempt to clear by selling information.
  • Control data entered on PDAs, laptops or paper documents. Because technology is undergoing continuing change, security is something of a moving target. The increasing use of laptops, for example, means that more employees are taking work home or on business trips. Either way it's easy for sensitive data to be stolen along with the laptops themselves. And there are always new technological advances to deal with. For example, a company could experience a breach in payroll data if a personal digital assistant is stolen.
  • Close security holes when employees depart. "Upon terminating an employee with authorized access to sensitive data, promptly change all passwords and security codes available to the terminated employee and require the immediate return of computer disks, compact disks, keys and a laptop computer," suggests Baechli. "After terminating an employee with authorized access to sensitive data, strip the employee's computer of sensitive data before re-issuing the computer to another employee."
  • Monitor access by vendors. Bar temporary, outsourced and vendor employees from sensitive data except when absolutely necessary. "When access is necessary, the employer should conduct a background check or ensure that the temp agency, outsourced or vendor has done so," says Baechli. "The employer also should monitor these employees' use and disclosure of sensitive data to the maximum extent feasible. Consider obtaining confidentiality agreements from the employees of vendors." Take special care when it comes to computer service vendors. "It's not uncommon for organizations to set up web-based interfaces for payroll processing," says John Kiser, CEO of Gray Hat Research Corp., a Houston-based security consultancy. "Many times that web-based system does not belong to the company that provides the interface but sits in some internet service provider data center." Kiser suggests taking a hard look at any external organization that houses employee information, since his company has been involved in a number of investigative activities where such systems were subject to hacking.
  • Avoid disclosure to third parties. "We recommend employers use caution when being contacted by any outside parties," says Friery. "Be suspicious about who is on the end of the telephone." A caller may claim to be a mortgage company or a creditor needing to verify salary and employment or other financial data. Insist that such requests be submitted and answered in writing. Even legitimate callers are not necessarily entitled to the requested information. Release data only at the written request of the affected employee. "Payroll data should be protected from an employee's creditors based on common law privacy concerns," says Baechli. "A creditor, however, should be able to obtain payroll data through lawful means such as a subpoena or wage garnishment action." Whatever the specific requests or the actions you take, enter them in a written journal.
  • Train your staff. "Training is critical," says Harris. "The payroll staff needs to have its eyes opened that employee information should be treated like a controlled substance. Today there is a need for much stronger awareness and sensitivity."

As the guidance in this article suggests, a successful program to protect payroll data will combine techniques that address physical documents, computer files and employee practices. "While many employers have started to make needed changes in their internal practices, payroll data protection is still a work in progress," says Baechli. "Companies need to remain flexible, responding to new problems and technological advances."
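
One way to express the "Establish access rules" item above in code, as an added example that is not from the article or anyone quoted in it: field-level rules per role, denied by default, with an audit trail of every attempt to access, change or delete data. The role names, field names and sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Hypothetical rules: which fields each role may read, change or delete.
FIELD_RULES = {
    "payroll_clerk": {"read": {"name", "wages", "hours"}, "change": {"hours"}},
    "direct_deposit": {"read": {"name", "bank_account"}, "change": {"bank_account"}},
    "tax_filing": {"read": {"name", "ssn", "wages"}},
}

# Constructed sample record; the values are placeholders, not real data.
RECORDS = {
    "E100": {"name": "Sample Employee", "ssn": "000-00-0000",
             "bank_account": "ACCT-PLACEHOLDER", "wages": 52000, "hours": 40},
}

AUDIT_LOG = []  # a production system would use append-only storage


def access(user, role, action, employee_id, field, new_value=None):
    """Apply the field rules and record every attempt, allowed or not."""
    allowed = field in FIELD_RULES.get(role, {}).get(action, set())
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "employee_id": employee_id, "field": field, "allowed": allowed,
    })  # the log stores the field name only, never the sensitive value
    if not allowed:  # deny by default: unknown roles, actions and fields fail
        raise PermissionError(f"{role} may not {action} {field}")
    record = RECORDS[employee_id]
    if action == "read":
        return record[field]
    if action == "change":
        record[field] = new_value
        return new_value
    return record.pop(field)  # action == "delete"


def denied_attempts():
    """Audit-trail review: every refused attempt, oldest first."""
    return [entry for entry in AUDIT_LOG if not entry["allowed"]]


if __name__ == "__main__":
    print(access("alice", "tax_filing", "read", "E100", "ssn"))
    try:
        access("bob", "payroll_clerk", "read", "E100", "ssn")
    except PermissionError as err:
        print("denied:", err)
    print(denied_attempts())
```

Reviewing `denied_attempts()` regularly is what turns the audit trail into a control: repeated refusals for the same user and field are the signal to follow up on.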

New Laws Protect Employee Data

New federal and state privacy legislation is raising the heat under employers. Perhaps the most important law is the Personal Data Privacy and Security Act of 2005, now under consideration by Congress. "One of the main provisions of this proposed legislation is that in the event of a security breach employers have to notify individuals about what information has been stolen," says Maria Perugini Baechli, a shareholder in the Washington, DC office of San Francisco-based Littler Mendelson, the nation's largest employment law firm.

At the state level:

  • California and 21 other states require anyone holding data, including employers, to give notice if a breach occurs. California also requires employers to display only the last four digits of social security numbers on paychecks, or an alternative employee identifier, effective January 1, 2008.
  • Michigan has become the first state to require employers to maintain a policy for safeguarding employee social security numbers. "The Michigan law may be the first of many similar ones which will try to close the barn door before the horse is out of the stable," says Donald Harris, president of HR Privacy Solutions, a New York-based consulting practice that assists companies in addressing privacy challenges.
  • In addition, the Michigan Court of Appeals became the first appellate court to allow the victims of identity theft to recover damages from any organization, including employers, that fails to safeguard personal information that was stolen and subsequently used for identity theft.