Instances of wide-spread hacking are now constantly in the headlines. Unfortunately, an alarming aspect of the use of technology, one that individuals and businesses, including staffing companies, must effectively address, is cyber crime. As recent news evidences, Cyber attacks come in a variety of forms and are often an attempt to bring down a computer system, or an intrusion seeking to access and steal personal or proprietary data and information. At risk are such things as trade secrets, corporate reputation, employee data, customer data and even physical damage to equipment. These attacks have even reached the staffing industry. Notably, in 2012, executive search firm Korn/Ferry International, was a victim of sophisticated cyber attacks which accessed the company’s databases potentially exposing individual social security, driver’s license and credit card numbers to theft.
Of course, Cybercriminals may be on the hook for these attacks. Such wrongdoers may face prosecution for claims caused by security breaches, including actions filed under the Computer Fraud and Abuse Act and the Economic Espionage Act. However, finding and prosecuting these criminals often proves difficult, costly and time consuming.
PREMIUM CONTENT: Strategic Workforce Planning and Workforce Analytics
But companies still must protect their data. Businesses, including staffing companies, that possess personally identifiable information have numerous responsibilities under state, federal, and – in some cases – international law. Businesses have a responsibility to shareholders and other stakeholders (i.e., clients, employees, contract employees and independent contractors) to safeguard proprietary, confidential and trade-secret information. Regardless of size, businesses must comply with the laws that pertain to their possession or ownership of data. Actions may be brought against businesses as a result of breaches of these obligations, including actions filed under federal laws such as Gramm–Leach–Bliley Act, Computer Fraud and Abuse Act, Electronic Communications Privacy Act, HIPAA, and numerous individual state and local consumer protection laws.
Steps to Take
So what should a staffing company do to protect important data to mitigate the associated risks? At a minimum, staffing companies should consider implementing the following measures.
- Identify the type, location and accessibility of important data. Obviously, one cannot protect such valuable information without first understanding of what you have and where it is. Further, roles and responsibilities with respect to the data will differ depending upon the location of the data, i.e., on the premises or in the “cloud.” Safeguarding data on your own servers requires a degree of technical know-how and specialized encryption hardware and software. Using the cloud to store data is fraught with peril, as well. A thorough vetting of any cloud provider is strongly recommended.
- Determine the statutory and regulatory obligations applicable to the company’s business. A staffing company’s industry sector will dictate the applicable obligations. In addition to general protections applicable to important data, staffing companied with clients in the health care space may have the added obligations of HIPAA, for example. Guessing what laws or regulations apply or ignoring the same is dangerous to say the least. The guidance of a qualified legal professional is strongly recommended. Use these resources. In the long run, such professionals may help in a more efficient and comprehensive manner than the use of internal company resources.
- Develop well-crafted, written security policies for employees regarding the use and protection of important data. These policies must be effectively communicated, if they are to be enforced. Use of comprehensive onboarding and offboarding processes go a long way to impressing the importance of such data to both internal employees and contract employees. Making it a part of the on-boarding experience helps set a tone that is vital to protecting such data. Again, the guidance of qualified legal professional to guide a company with respect to such policies is highly recommended.
- Have and enforce written security policies for third-parties that have access to important data. Confidentiality and Non-disclosure Agreements are a must. Well-crafted agreements of this nature not only place clear obligations on the third-parties, but often serve as a convenient vetting tool. If a third-party is not willing to entertain such an agreement, perhaps a staffing company should think twice about giving such third-parties access to important data.
MORE: Disaster recovery considerations for staffing firms
[…] Instances of wide-spread hacking are now constantly in the headlines. Unfortunately, an alarming aspect of the use of technology, one that individuals and businesses, including staffing companies, must effectively address, is cyber crime. […]