A quick check of recent news reports indicates that confidential employee and customer data has been leaking from companies like water through a sieve. Experts assert that HR must play a role in stanching the flow.
Last June, two laptops containing the names and Social Security numbers of an unspecified number of Motorola employees were stolen from the Chicago-area offices of ACS, an outsourcing firm that manages much of Motorola's HR processes. Although ACS and Motorola said none of the information appeared to have been used for identity theft, Motorola has offered the affected employees fraud-protection services at no charge.
The incident follows a similar one at Time Warner, in which a computer backup tape containing confidential data on approximately 600,000 current and former employees was misplaced by an outside contractor. Time Warner also offered to pay for fraud-protection services for the affected employees.
Both incidents were part of a string of thefts and misplacements of confidential employee and customer data within the last several months, all of which have ratcheted up the public's concern about identity theft. Two experts say the incidents highlight the need for HR to play a stronger role in ensuring the security of employee data and other confidential information within their organizations.
"I'm shocked at the failure of companies to recognize and appreciate the open nature of their computerized records," says Linn Hynds, a senior partner at Honigman Miller Schwartz & Cohn in Detroit and former chairman of the firm's labor and employment department.
"What we have, in an electronic sense, are companies that have taken from their file cabinets their most sensitive information and laid it out on tables for anyone with proper access to see, 24 hours a day, from anywhere in the world. Companies have done very little, internally, to safeguard who has access to certain types of information."
Hynds' firm has represented a number of clients that were victimized by terminated employees who were able to steal sensitive information from their former employer simply because the companies failed to follow simple security procedures. He cites a case in which an employee who suspected (correctly, it turns out) that he was about to be fired used his computer access to retrieve sensitive information from the company, then used it as the basis for a lawsuit claiming he was terminated because of his objections to allegedly illegal behavior by the client.
In many cases, terminated employees were able to steal information because no one in HR had ensured their passwords were deactivated, says Hynds.
HR must also safeguard against "access accumulation," says Jeffrey Margolies, director of the Identity and Access Management Solutions practice at Accenture in New York.
"As employees move around internally and get new responsibilities, they get access to new applications but their old access privileges are rarely turned off," he says. "Within 10 years, an employee can accumulate what is for an auditor a 'nightmare level' of access privileges, an ability to do too many things without following proper controls."
Margolies says it's imperative that HR ensure that access privileges are monitored and disconnected as employees move from job to job and when they leave the organization. Failure to do so will leave a company vulnerable to theft, he adds.
"Recent news has focused on theft from the outside, but most studies show that the 'insider' threat is the one companies really have to worry about," says Margolies.
Vendors such as IBM, Sun Microsystems, Computer Associates and RSA Inc. sell software that can automate the process of updating and deleting access codes as employees are hired, fired or moved to different areas, he says. Additionally, companies should invest in relatively inexpensive software that searches outgoing e-mail for the sharing of sensitive company information and monitors the files accessed by employees, says Hynds.
Surprisingly, relatively few of the Fortune 500 have put systems in place to protect their sensitive information, says Margolies.
"Some companies have implemented systems to protect information that's relevant to Sarbanes-Oxley, but only a handful have deployed tools to secure and manage all of their confidential data."