And what you can do to protect your employees
I’ve always had a bit of a love/hate relationship with technology. I’m always one to try out a new app or piece of kit, and I highly value the benefits that new technology brings to our work and personal lives. But I’ve never been able to quiet the voice inside which questions how safe my data actually is. If I take a moment to think about how many servers have pieces of who I am stored on them, it’s quite shocking, even if each piece on its own is a relatively low risk. When I think about the places that have all of my identity information stored in one place (looking at you, Human Resources) I start to wonder just how safe our data really is.
I’ll come back to HR and employee files soon, but in the meantime consider this: stolen identities (along with credit card and bank details) are the second-most wanted product on the dark web. In 2020, GovTech reported that the total number of records compromised by data breaches exceeded 37 billion, a 141% increase on 2019. With increased demand comes increased sophistication from attackers.
2021 has started out as a bit of a shocker for New Zealand – we’ve had the Stock Exchange, the Waikato District Health Board and an unknown number of schools hit by cyber attacks, ransomware among them. Who knows how many thousands of records have leaked to the dark web from these attacks.
We’ve also had major data breaches targeting well-known companies. A large New Zealand cleaning company had HR records and employee identification leaked to the dark web. Our national airline had its frequent flyer database hacked. And those are just the ones we know about.
What is fuelling the increase in attacks?
Money. In the case of ransomware, it’s the hope of a ransom being paid. In the case of data breaches, it’s because identity information is a valuable and tradable commodity. Identity information sells for a high price, especially when a complete identity package is available, known colloquially as “fullz”. Fullz are stolen identities that contain a full name, date of birth and contact details. Fullz that come with a driver licence number and a copy of the identification document command an even higher price.
Identity information from New Zealand citizens gets some of the highest prices on the dark web, around US$20.00 per record (compared to just US$8.00 for a US citizen) according to Comparitech. I think this might help explain why we are under attack – we Kiwis are highly valuable.
So, back to Human Resources and employee files. In our experience, most companies retain significantly more data than they actually need to. Typically, you will find name, date of birth, address, background checks, application form, resume and copies of identification. That is essentially everything an identity thief needs to sell a complete identity. Your employee files are all fullz, and they are highly valuable to attackers.
And the truth is, most of the information that is retained does not need to be. You may be surprised at how little personal information companies need to retain under the Employment Relations Act: name, postal address, and age if under 20. That’s it for personal information (you do also need to keep records on hours worked, pay, contract terms, leave entitlements and so on). By retaining more information than they are legally required to, companies carry significantly more risk for both the company and their employees, and increase their exposure under the Privacy Act (which requires that personal information be kept only for the purpose for which it was collected, and no longer than that purpose requires).
So, what can you do about it?
I’ll leave it to the cyber security experts to talk about what controls can be put in place at an infrastructure and technology level, and instead focus on what you can do to mitigate the impact of a data breach from a non-technical viewpoint:
1. Minimise the amount of personal data you are collecting and retaining through the recruitment process.
2. Retain proof of background checks being completed rather than the full set of reports.
3. Never keep copies of ID on file. Sight the document, record that it was sighted (by whom and when) rather than storing a copy, and implement a separate process to monitor Driver Licence or visa status.
4. Cleanse employee files as annual reviews are being completed – ask yourself if the reason you collected the information is still valid.
5. Don’t share personal data via email within your organisation (including scanning and emailing files). Every email creates another copy in another mailbox, and in every backup of that mailbox.
6. Think about the places data is stored – emails, hard drives, HR platforms, photocopier hard drives and paper-based files – and try to minimise the number of them.
These steps won’t prevent you from being caught up in a data breach, but they will help you minimise the impact of one. Your employees will be at far less risk of identity fraud, and you will have honoured your obligations under the Privacy Act not to retain more information than you need to.