APA Day 3: Who’s snooping in your records?
The fact is, you may never know who’s been snooping around your files. It may be a temp who wasn’t properly vetted or a vendor, such as an electronic W-2 vendor, stressed Cindy Cichosz, CPP, Supervisor, Payroll, Shared Services, for Veolia, North America. Cichosz walked APA attendees through the basics of identity theft, how to minimize its occurrence, and how to respond to it.
Helping through tough times
Personal identifying information—PII—includes any information that can be used to trace an identity and any information that’s linked or linkable to an individual.
Employees may naturally blame Payroll if their identity is stolen, since Payroll controls so much PII. And it’s emotional, she added. Cichosz’s first piece of advice is to take the emotion out of it and help employees to the best of your ability—advise them to put a hold on their credit accounts, assist with creditors, have them lock their Social Security numbers with the Social Security Administration. Locking SSNs adds another layer of protection.
Steps to mitigate the damage
Creating a policy regarding PII is your first step, she noted.
What to cover: who has access to your computers and why they have access; access control for mobile devices; encrypting work computers; prohibitions on putting PII on flash drives; and limiting those in the organization who have access to PII. Different security clearances can apply to different levels of management, she added.
Limit who has access to PII
HR, for example, doesn’t need access to most payroll information. In that vein, purge PII from as many company records as possible, she said.
If you use third-party vendors, you can ask to see their security certificates and inquire whether they’re SAS-16 compliant. SAS-16 is a security audit and shows your vendor’s willingness to protect the information in its care.
Warning: These are all good steps, but nothing’s perfect, Cichosz said. It’s entirely possible that your third party will be hacked.
You must develop a response plan, which includes who must be notified (e.g., the chief privacy officer, the COO, law enforcement, and legal counsel). You can use the IRS’ website to report the hack.
Employees are their own worst enemies
Employees expect to do everything on their phones instantly, and this includes accessing their W-2s via email. It’s up to you to educate them on why Payroll won’t comply with these requests. Another educational exercise that Cichosz mentioned was to create a seemingly valid email asking employees to change their passwords. The test is to determine whether employees can spot a fake email. More education will be necessary for those who bite.