It could happen to anyone
“Data breaches are often caused by your best employees making silly mistakes. At 41 percent, negligence is still the leading cause of data breaches.”
Source: Ponemon Institute
Employer focus
Keeping employee data private: HR is at the hub of safeguarding
“The good news about data privacy is that human resources departments have generally dodged this bullet,” says Damon Lovett, HRIP, a systems consultant in HR operations at Baylor HealthCare System in Dallas and a member of the Society of Human Resource Management’s (SHRM) special expertise panel on HR technology and management.
“The breaches making news to date are focused primarily on financial institutions and government agencies rather than stores of corporate employee data,” Lovett explains.
That doesn’t mean HR should be complacent about the issue, however. Instead, the current environment reinforces the need for preparedness.
Part of HR’s role
Compliance with state and federal privacy notification laws has been an important reason for HR to take a leadership role in this arena, but it is not the only one. “Safeguarding employee data is absolutely part of our job,” says Lisa Carlton*, director of compensation and benefits for Stormont-Vail HealthCare in Topeka, KS. “Those of us in the health care field have been keenly aware of this responsibility since the passage of HIPAA (the Health Insurance Portability and Accountability Act of 1996).”
Linda S. Lulli*, SPHR, associate vice president for human resources at Bryant University in Smithfield, Rhode Island, also sees vigilance as critical. “HR is very much a gatekeeper,” she says. “In that role, oversight is implicit.”
There’s also a human dimension that motivates HR practitioners to do all they can to prevent identity theft: witnessing the havoc it can wreak on an individual’s personal and business life. “One of our employees had his house broken into,” Lulli recalls. “His credit cards were stolen; later he had trouble with his taxes. For a full year, this man’s health and productivity suffered.”
ID theft takes a toll in real dollars as well. Data breaches in the U.S. cost an average of $218 per compromised record and $7.2 million per breach event, according to a 2011 report by the Ponemon Institute, an independent organization that conducts research on privacy, data protection and information security policy.
Protecting data from potential breach is primarily the responsibility of the service provider, usually the vendor housing the software, Lovett explains. Service level agreements require providers to manage notifications or communications related to a breach as well as any associated costs or penalties. The organization, however, is ultimately liable for the security of the information.
Lulli has even higher expectations. Though Bryant University has not had a data breach, if it did, Lulli would expect the vendor to go above and beyond the statutory requirements and offer additional resources – such as a free subscription to a credit monitoring service – to supplement the university’s Employee Assistance Program.
Safety in numbers
With so much at stake, HR departments are forming partnerships with internal and external IT and data security specialists. In the past eight to ten years, outsourcing the storage and retrieval of electronic records to third-party systems has become increasingly prevalent, says Lovett. Not surprisingly, there is a learning curve. “Practitioners have to familiarize themselves with HR technology products, their functionality and pitfalls.”
Professional organizations like the International Human Resource Information Management Association (IHRIM) and SHRM can be helpful in that regard. The same is true of software user groups, online networking resources like LinkedIn and magazines such as HR and Workforce Management.
“Third party vendors are doing a really good job, but you need the right resources to ask the right questions,” offers Lovett. “That’s why IT and data security professionals are an important part of the HR team. They can develop specifications for upcoming proposals, quiz prospective vendors during oral presentations and interview references.”
At Bryant University one of HR’s review and selection criteria is to make sure vendors offer identity theft protection, backup storage capabilities and the appropriate firewalls. Lulli’s technical data security committee also wants to know if a bidder has had a recent data breach. A breach would not necessarily rule out a vendor, but the committee would want to satisfy itself that the provider has taken corrective action to prevent the problem from recurring.
Financial service provider Securian Financial Group in St. Paul, Minnesota goes through a similar review with its suppliers. “Safeguarding confidential information” is a perceived strength of Securian’s Group Insurance Division, according to a 2011 survey of brokers and benefits administrators conducted by Gestalt Inc. “We want to be sure our vendors have the necessary controls in place in line with applicable laws, regulations and industry best practices,” says Todd Spicer, contract and vendor management specialist for Securian Financial Group. “If institutional clients see a problem with data security, that’s a potential deal breaker in our industry.”
Ongoing vigilance
HR also must manage and govern providers once contracts are in place. That means holding regular meetings with vendors, planning upgrades to address a system’s known vulnerabilities and building in extra safeguards against malicious cyber attacks. As a further check, Bryant University has hired an outside organization to audit its procedures and make recommendations.
Regular training sessions for HR staff members and the employee population are also a given. “It’s not always the bad guys doing bad things that cause data breaches,” says the Ponemon Institute. “It’s often your best employees making silly mistakes. At 41 percent, negligence is still the leading cause of data breaches.”
*Member of SHRM’s special expertise panel on total rewards, compensation and benefits
Resources:
International Human Resource Information Management Association
Ponemon Institute
Society of Human Resource Management