Securing sensitive employee data – recommended HR policies and procedures - Waystone


The onboarding and offboarding of employees is rarely thought about in terms of information security. The secure transmission and storage of employee data is often an afterthought that only privacy advocates and cyber security professionals consider.

      In the United States, there are three common documents that are prevalent throughout the hiring process, each containing sensitive information including name, physical address, email addresses and phone numbers:

      1. resumes
      2. offer letters
      3. passports.

      HR documentation – best practice

      Resumes

Resumes should be submitted through an ATS (Applicant Tracking System) or another system that securely transmits the resume from the prospective employee to the employer. It is not recommended that the resume be downloaded or saved. If the resume is downloaded or saved, personal information such as phone number, email address and physical address should be removed. If a candidate is asked to send a resume to an individual's corporate email address, the resume should be encrypted with a password, and that password should be communicated by voice or text message, not by a follow-up email. Collecting unsolicited resumes, or using a 'catch-all' email address to receive them, is not recommended. It is important to remember that some states treat the contents of a resume as personal information, and that privacy law in the United States is a patchwork of regulations that differ from state to state.

      Offer letters

Offer letters generally contain compensation information that may be considered confidential both to the hiring organization and to the individual being hired. It is the decision of each data owner, in this case the HR function, to determine whether compensation information is considered confidential. If it is deemed confidential, the storage and transmission of offer letters should be handled with the utmost care by explicitly encrypting the document with a password and communicating that password via text message or voice call. Under no circumstances should a document's password be communicated by email. Alternatively, the document may be sent via US mail or an overnight or courier service.

      Passports (and other identifying documents)

Passports, as well as state IDs and driver's licenses, are frequently used as identifying documents in the United States. The United States I-9 Employment Eligibility Verification form states explicitly that "You must physically examine" the documents listed as "Acceptable Documents". It does not state, nor is it recommended, that you keep the documents on file (this does not apply to firms participating in E-Verify). If you choose to keep a document on file for a valid reason, the document must be explicitly encrypted using a unique password for each document, and the passwords must be stored securely. Both PDF readers (Adobe, Foxit, etc.) and Microsoft Word can natively encrypt documents.

It is not sufficient to state that "only HR has access to the data", because this is a false statement. The data is accessible to many systems and to any individual holding administrative credentials, and it is further replicated to backup, email and e-discovery systems. Far too many breaches involve the exposure of individuals' passports through the release of HR data. Keeping passports on file simply because that is how things have historically been done is a failure to store your employees' data securely or confidentially.

If your firm decides not to store passports or other employee documents, it is sensible to communicate the change to your employees in writing and then destroy the data. If you choose not to store employees' personal documents going forward, the rule must be applied across the board, with no exceptions for senior executives.

Finally, if you decide to keep a hard copy of the documents, be aware that most photocopiers store a digital record of each scan on their hard drive, and always ensure your filing cabinets are locked.

      If you would like to discuss this topic further, please reach out to one of our dedicated cyber security and data protection specialists.
