HR's Role after the Equifax Breach
The recent Equifax data breach publicly exposed mountains of data that HR departments depend on. Here are a few examples where HR is vulnerable and what you can do to help protect employees.
By George LaRocque
By now, you've probably heard about the massive data hacks on big-three credit reporting agency Equifax. Rightfully, much of the discussion about this hack is centered on the release of Social Security numbers and other private data for 143 million consumers, and the impact that will have on identity privacy and credit. But, along with Social Security numbers, other "static identifiers" including dates of birth, mailing addresses and driver's license numbers that are relied upon in HR were also breached. All of this begs the question: Is your HR team taking the necessary steps to protect your organization?
Respected security analyst firm Krebs on Security has a great ongoing analysis of this breach. The "sobering reality," it concludes, "is that we have no business using these static identifiers (including SSN, date of birth, address, previous address, income, mother's maiden name) for authentication, and yet this practice remains rampant across vast sectors of the American economy today."
The problem is, almost all HR teams do in fact use static identifiers such as Social Security numbers daily, both in processes and in tools.
Now that SSNs are basically public information, here are some key vulnerabilities in your HR technologies and steps you can take to help shore up security in HR.
Payroll System & HR Platform
The abundant data and financial focus will make your payroll and HRIS systems key targets. Again, per Krebs on Security: "Identity thieves prize the W-2 and payroll data held by companies like TALX because they can use it to file fraudulent tax refund requests with the IRS. . . . According to the Internal Revenue Service, some 787,000 Americans reported being victimized by tax refund fraud last year."
TALX, an Equifax company providing payroll and HR systems to employers, was hacked earlier this year, and similar data belonging to TALX customers' employees was exposed.
What HR can do: Lock these down with strong passwords and activate two-factor authentication for log-ins, if possible. If you can't, maybe consider more modern technical solutions such as Greenhouse or Namely.
The government's E-Verify system uses SSNs to verify identity. This part of the process will no longer be reliable. Anyone could use one of the stolen SSNs to "beat" this check.
What HR can do: Make sure you're doing robust photo-ID verifications as part of your in-house hiring process. Don't just assume that the E-Verify process will protect you.
The standard method for authorizing or viewing a background check has traditionally been knowledge of the SSN. This means a person who knows someone's SSN can order and often view that report.
Now, because SSNs are effectively public information, this creates risk for your employees and your company.
If your background check vendor reveals an employee's sensitive background check data to the wrong people, it can lead to harsh negative consequences. Since so much personal data is in a background check, it's a target.
It also creates risk for your business because now you've lost your primary way to verify that a person is who they say they are.
What HR can do: Use multi-factor verifications beyond SSN (including driver's license scan, facial recognition, cell phone ID) to protect and verify your employees. Unfortunately, almost no background check vendors go beyond SSN. GoodHire recently launched identity verification integrated seamlessly into existing background check processes. This verification goes way beyond SSN checks to include other factors that cannot be easily faked.
While HR departments are rarely allocated large IT budgets, they are one of the most sensitive and targeted areas within the business. As the Equifax breach clearly demonstrates, without the right investment in security and modern technology, HR technology can become a vulnerability that could eventually lead to disaster.
George LaRocque is principal analyst and founder of HRWINS.com. Send questions or comments about this story to email@example.com.