Over the past ten years, individuals have been asked to relinquish more and more of their personal data in exchange for access to new ways of shopping, doing business, accessing technology, and connecting with others. These conveniences have come with a price: an increasing number of data breaches. One of the largest identity theft cyber crimes in history, the 2017 Equifax breach, exposed the personal information of 148 million Americans, 15 million British citizens, and just under 20,000 Canadian citizens. In retrospect, 2017 appears to have been the year when hackers really hit their stride; data breaches in the United States increased by 29% to a record 1,506 breaches by the end of the year. That record held until 2021, which saw 1,862 recorded data breaches, a 68% increase over the year before.
One year after the Equifax breach, the European Union (EU) passed the General Data Protection Regulation (GDPR), a strict data security and privacy law designed to give individuals more control over their personal data. The law’s passage reinvigorated the data privacy movement in the United States. Five U.S. states – California, Colorado, Virginia, Utah, and Connecticut – have recently enacted comprehensive personal data privacy laws inspired by GDPR. In July 2022, Congress advanced its first comprehensive privacy bill (the American Data Privacy and Protection Act) for a full chamber vote. Both the Equifax breach and the recent global focus on data privacy have made individuals aware of a major vulnerability: their own employers. Savvy employees now understand that if their employers trust the wrong third parties with employee data, their personally identifiable information (PII) can be exposed. This year, for example, employees at both Google and Apple questioned executives about sharing payroll data with Equifax. Employers should take these concerns seriously as they are obligated to protect the privacy of their employees’ information during all phases of employment, from recruitment through onboarding and the duration of employment. These obligations include:
- Protecting background checks by obtaining prior employee authorization and keeping results strictly confidential
- Disclosing corporate privacy and data retention policies to unsuccessful applicants and obtaining consent before retaining any data
- Disclosing corporate privacy policies to all new hires in clear, understandable language
- Transferring data securely when needed to third parties like a human resources management system (HRMS), payroll vendor, employment verification service, income verification service, and others
- Limiting the collection, retention, and processing of employees’ personal data to what’s absolutely necessary and avoiding the offline sharing or storage of employee data with any third parties
- Investing in privacy-compliant technology and clearly mapping every location where personal data is stored, how it’s used, and who has access
- Assessing high-risk data profiling and processing for risk of breach
When companies fail to safeguard employee data, the results can be expensive, disruptive, and permanently damaging to the organization’s reputation. The Ponemon Institute/IBM Security’s 2022 Cost of a Data Breach Report notes that the average total cost of a data breach increased 10% between 2020 and 2021. The most expensive type of breach is one that reveals PII. These breaches typically cost an organization about $164 per record revealed; for large employers with many years of PII stored, this can be astronomically expensive. The best way to reduce the financial impact of a data breach, according to IBM’s research, is by protecting employee data with secure AI platforms and business automation. With automation in place, organizations that experience a data breach can expect just 20% of the costs that are typically shouldered by organizations without automation.
One highly impactful business automation that organizations can incorporate is to partner with a VOI and VOE vendor that accepts real-time API feeds of employee data instead of the outdated “send and store” flat file method. Real-time API feeds limit data exposure by as much as 99% compared to flat files, dramatically improving employee data protection while saving time. Read more about the benefits of real-time API feeds over flat files.
How is your organization protecting employee data? When one employee has an income verification or verification of employment, is the rest of your employee data exposed as well? How do you manage third-party vendors to ensure you’re limiting liability and risk as much as possible? Here’s a checklist that can help you gauge how well your organization is meeting its data privacy obligations:
- Always get employee consent before sharing any PII with third parties, such as for verifications of income (VOI) or verifications of employment (VOE).
- Ensure you release employee information only to fully vetted verifiers with a legitimate purpose for accessing sensitive data.
- Release only the relevant individual employee’s data record, not your entire database of current and former employees, when necessary for VOIs, VOEs, mortgage verifications, etc.
- Ensure all data is up to date and properly configured to reflect all income sources.
- Make certain that your third-party vendors are also protecting employee data and never resell employee data.
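As an added illustration of the checklist above (example code, not Vault Verify's product or any real employer's system), here is a minimal verification handler that enforces the first three checklist items in code: employee consent per purpose, a vetted verifier with a stated purpose, release of a single employee's record only, and only the fields that purpose needs. All verifier ids, employee ids, consent records and sample data are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: not a real employer's records.
EMPLOYEES = {
    "E1001": {"name": "Alice Example", "employer": "Acme Co", "title": "Analyst",
              "start_date": "2019-03-04", "status": "active",
              "annual_income": 72000, "ssn": "000-00-0000"},
    "E1002": {"name": "Bob Example", "employer": "Acme Co", "title": "Engineer",
              "start_date": "2021-07-19", "status": "active",
              "annual_income": 95000, "ssn": "000-00-0001"},
}
# Consent on file: employee id -> purposes the employee has authorized.
CONSENTS = {"E1001": {"VOE", "VOI"}, "E1002": {"VOE"}}
# Vetted verifiers (hypothetical ids) and the purposes each may request.
VERIFIERS = {"lender-42": {"VOI", "VOE"}, "landlord-7": {"VOE"}}
# Field minimization: a VOE never includes income; no purpose includes the SSN.
FIELDS_FOR = {"VOE": ("name", "employer", "title", "start_date", "status"),
              "VOI": ("name", "employer", "status", "annual_income")}

# Every decision, granted or refused, is recorded for later review.
AUDIT_LOG: list = []


@dataclass
class Verification:
    verifier_id: str
    employee_id: str
    purpose: str          # "VOI" or "VOE"
    reason: str = field(default="")


def verify(req: Verification) -> dict:
    """Return the minimal record for one employee, or a refusal with a reason."""
    def decide(ok: bool, **payload) -> dict:
        AUDIT_LOG.append((req.verifier_id, req.employee_id, req.purpose, ok))
        return {"ok": ok, **payload}

    allowed = VERIFIERS.get(req.verifier_id)
    if allowed is None or req.purpose not in allowed:
        return decide(False, reason="verifier not vetted for this purpose")
    # Consent is checked before the record lookup, so an unknown or
    # non-consenting employee yields the same refusal.
    if req.purpose not in CONSENTS.get(req.employee_id, set()):
        return decide(False, reason="no employee consent for this purpose")
    record = EMPLOYEES[req.employee_id]
    # Release only this one employee's record, and only the allowed fields.
    data = {name: record[name] for name in FIELDS_FOR[req.purpose]}
    return decide(True, data=data)
```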
Vault Verify is the only income verification and employment verification service that meets every requirement in the checklist above. To find out how we can help you strengthen your employee data protection, schedule a 30-minute demo.