Keeping Confidential HR Data Confidential
At LBi, virtually 100% of the systems we develop and support maintain at least some level of private and confidential employee information. Along with the essentials of Social Security Number, date of birth, home address, etc., our systems may also contain work background information, personal health information and other personally identifiable data as well. Therefore, it goes without saying that our clients require the highest level of data confidentiality possible, since a data breach can be costly and inconvenient at best and financially devastating at worst.
Whether our systems are hosted by LBi or deployed on the client’s internal servers, data protection and security is always the #1 concern. During the project stage, critical questions are asked about the vendor’s security measures as well as the data security processes of the hosting provider — not to mention confidentiality features built into the actual system.
Common questions early in the relationship are:
- Is the application architecture single tenant or multi-tenant (shared application server or not)?
- Is the application implemented in a shared or dedicated physical server environment?
- Is each client database deployed in separate instances or a single instance?
- Can we restrict and control who sees what data in the system? Can we control editing rights?
- Is there an audit trail that shows when any data is modified or deleted?
As the project progresses, a deeper set of questions arise:
- Do you support Single Sign-on?
- How do you integrate with our HRIS systems?
- Is your solution HIPAA compliant? SSAE16 Type II compliant? PHI and PII compliance? Safe Harbor compliance?
- Are your and your hosting partner policies and procedures well documented?
- Do you require dual factor authentication? You should especially when signing in from a new location/device.
Next, more technical questions are addressed:
- Do you encrypt the data at rest?
- Are passwords encrypted across the wire?
- Is system access strictly via VPN encryption?
- Are Intrusion Detection Services (IDS) provided? Malware and Virus protection?
- Hardware vs. software firewall?
- Data backup services? Are data destruction services Department of Defense compliant?
- Failover services to a backup server in the event of a disaster declaration at the primary hosting site?
- Are onsite audits permitted? Vulnerability testing services included?
Last and certainly not least, the legal concerns:
- Who is responsible legally and financially in the event of a data breach?
- Who pays for credit monitoring services in the event of a suspected breach?
- Are there limitations on damages in the event of gross negligence or willful misconduct?
- Uptime guarantees?
These are many of the questions and concerns we address with all of our clients. If you are not asking your vendor these questions (and more), you may be placing your organization at a higher than acceptable risk level.
Unfortunately, no system can be literally 100% secure. Just ask the Pentagon, Sony Pictures, Target, and other large organizations that have recently experienced very damaging breaches. Katherine Archuleta, the director of the United States Office of Personnel Management, just resigned from her post due to her handling of a massive breach of federal employee data, a breach impacting over 21 million employees.
But the finest and most conscientious service providers, such as LBi, place client data security at the absolute top of our priority list. For instance, recommendations such as dedicated server deployments vs shared (SaaS) environments for larger clients place one more layer of security between your confidential data and malicious cyber-thieves. Pure SaaS vendors cannot offer a dedicated server option, so they will hype the benefits of SaaS (yes, there are benefits) but downplay the security risks of a shared environment. LBi offers both alternatives, so we let the client select the deployment option that best serves their business needs and budget.
We encourage HR to team up with IT when evaluating new HR systems. HR knows best which business features are required and desired, but IT will be there to ensure the safest and most secure deployment possible.