Data Breaches and Security in Human Resources by: Ani Khachatoorian

As a Human Resources professional, I have learned (sometimes painfully) of the need to be “security aware” regarding the data for which I am responsible.

Today’s HR departments house vast amounts of data in various databases, some of which are managed on premises by our local IT departments, or due to staffing limitations are outsourced to third party vendors with hosted solutions.

This data includes Social Security numbers, addresses, contact information, driver’s license or passport information, employment history, background check blemishes, family member’s PII, at times even perhaps medically or financially sensitive information, and more often, the confessions of a stressed out work force. Some of these data are stored in back end systems and some are stored in my memory, never to be unlocked.

The records of most concern are the electronic records, and they contain the most sensitive information about an employee. Let me use myself as an example: My employers have (today and in the past) had access to all the data listed above, plus my children’s names and social security numbers – and in a few specific instances, my medical information.

Most of this information I have passed on was either directly entered or later transferred into databases that help administer the various components of my employment.

This data that I provided voluntarily and comfortably and data that I ask all those in my organizations to provide isn’t just statically housed, it is transferred back and forth to multiple vendors that administer various HR services.

The foundation of this comfort is now eroding. Every day I hear of another company that is hacked and volumes of data stolen. Like everyone else, I giggled at the salacious emails that were leaked after the Sony breach, but the professional in me felt dread because HR data was a part of the breach.

More recently, the Anthem breach revealed another layer of vulnerability, with eighty million subscriber records compromised.

In the ever shrinking world of premier insurance providers, my bet is most everyone has at one time been insured by Anthem or some other Blue Cross/Blue Shield affiliate, and most HR leaders either currently administer or have administered an Anthem plan in the past.

Like any HR professional, when looking for vendors, we partner with our internal IT or infosec departments for insight and guidance (when available), require certain security criteria be met mostly as it relates to the authentication and encryption of data in transit. We ensure SAS70 audit certificates and take all the steps that are necessary by regulation.

But the Anthem breach made me wonder: What really happens to data when it gets to the carriers? Is it not encrypted? Again, I imagine if Anthem had encrypted all its subscriber information, this breach wouldn’t be the cataclysmic event that it has become.

Please correct me if I’m wrong, but this brings into question the security practices of any Human Resources department at any company. Are we equipped with all of the information necessary to do everything we can to protect our employees?

I have had the privilege of working in technology for a large portion of my career. A part of my success in my roles both as a recruiter and later as an HR leader has been my ability to research and learn. Working with some of the best and brightest in security gave me a definite advantage.

I learned a lot, and that has lead me to shift how I view my HR data. I am more conscientious and security aware as a result of those years of experience. But what about the thousands of other HR professionals who don’t have access to those same technical resources?

One area of human resources that is cumbersome to administer is benefits. When I first began my career in HR, I disliked benefits administration because it required organizing and warehousing data from many sources and directions. I’m dating myself, but this was before online enrollment platforms.

Once the technology was adopted, benefits administrators began to have hope that they would be freed from all the paper shuffling, and it did do just that. In fact, the continued development of these platforms has most benefits administration as an electronic process.

Healthcare reform shifted the traditional paradigm of health insurance and how insurance companies are looking to expand their plan offerings for various employer types. One significant change has been the increase of private marketplaces or exchanges that allow employees to “shop” for their combination of benefits.

Insurance carriers are leveraging their vast networks to offer these exchanges utilizing the same platforms and at times are acquiring these technology platforms to sustain their growth model.

This natural evolution of the technology and the overall transformation of our healthcare system have created these vast data warehouses that store plan subscriber and dependent PII.

And as many of us move from one employer to the next throughout our careers, we will utilize many different online enrollment platforms and over time have our PII in multiple platforms.

While employee records are deactivated post separation, the data itself cannot be deleted for multiple reasons. One has to wonder if these data warehouses are just as much of a target as the insurance carriers.

So as HR departments everywhere prepare for the barrage of calls and emails from employees inquiring about the security of their data, I wonder how confident we are all going to be in our processes and our answers.