News that Chinese hackers may have accessed the personnel records of some 14 million federal workers has sent shivers down the spine of the HR industry. It’s a nightmare scenario that could affect almost any workplace.
The data in your employee files—Social Security numbers, addresses, names of dependents, health records and bank account routing numbers—have real value to identity thieves.
Identity theft happens more often than anyone would like to admit. The Federal Trade Commission estimates that 9 million Americans have their identities stolen each year, causing monetary losses of more than $37 billion.
Many security breaches happen when third-party vendors—benefits providers, for example—handle employee information. If you outsource any of your HR functions, your employees’ data could be at risk. It’s your responsibility to ensure your vendors guard against the threat of identity theft.
A good contract with your vendor is your best protection against liability. It should require vendors to:
- Limit the number of people who have access to your data
- Ensure data is encrypted and securely maintained
- Transmit data only in a controlled, protected manner.
Include notification requirements if a security breach occurs. Cite the specific state and federal notification laws the vendor must follow.
Involve your attorney in drafting and reviewing the contract. It should stipulate that the vendor is legally responsible for any data breach that occurs, and that it will indemnify you and your employees for any actions arising from such a breach.
Not surprisingly, vendors are often reluctant to include that type of language in their contracts, but it’s critical. Ideally, the contract should obligate the vendor to pay any damages resulting from the data loss, no matter when it occurs.
Note: More vendors are outsourcing services to other countries, where lax law enforcement makes controlling risk more difficult. Negotiate contract language that requires vendors to obtain your approval before moving work offshore.