While data breaches and cybercrimes make regular headlines, we are quick to forget that the bulk of our private data is legally bought, sold, or freely traded without our notice or objection. Consumers typically associate this kind of data harvesting with big tech, social media companies, and cell phone manufacturers, but at this point any third party who handles your data should be assumed to be selling it: from email providers who scan your messages for marketing signals to credit card companies who sell your transaction history. This is no longer just a consumer problem. Employers also need to be vigilant about protecting their employees' data, because that trove of information is shared in more places than most of them realize.
The Third-Party Problem
In the summer of 2021, financial software giant Intuit, maker of TurboTax and QuickBooks, announced it would automatically share client payroll data with the consumer credit reporting agency Equifax, Inc. The move affects 1.4 million small businesses and millions more employees, and covers sensitive information such as payment history, Social Security numbers, dates of birth, home addresses, phone numbers, and of course first and last names. Intuit offers the service to expedite “…verification of employment and income info when applying for things like loans, credit, or public aid,” but aggregated payroll records are a prime target for thieves, and Equifax has already suffered its share of data breaches, including the 2017 breach that exposed the personal data of roughly 147 million people. For those concerned about this kind of exposure, Equifax offers an opt-out for both employees and employers.
This kind of mass collection from the workplace is nothing new. Companies, universities, and even government agencies have supplied payroll data directly to Equifax for years, in exchange for outsourcing the employment verification of former workers. That may come as unwelcome news to employees who have no idea that the contents of their weekly pay stub are for sale to interested third parties.
Employees play their part too, submitting resumes to recruiters without much thought for the consequences. Third-party recruiting sites bring talent and jobs together, but virtually all of them share resume data with affiliated sites, and who can say how wide the circle gets beyond those. A resume contains any number of details that can be used to answer the security questions at, say, one's own bank (e.g., “Where did you go to college?” “What was your first job?” “What town did you grow up in?”); knowledge-based questions are only as secret as their answers, and a resume publishes several of them. There isn't much an employer can do to curtail what a prospective employee chooses to share on these services, but employers can choose the “apply on the company website” option so that resumes come directly to the employer rather than being stored and served by the third-party provider.
Privacy-minded employers should read the privacy policies of the third-party services they enlist. Benefits and health insurance providers already walk a tightrope to avoid running afoul of HIPAA, but their use of employee data that HIPAA does not cover deserves scrutiny as well. There is no harm in asking a vendor for a copy of its privacy policy, and many are posted on the service's website.
Why Does Data Protection Matter?
In 2015, hackers compromised a database of US security clearance background check forms held by the Office of Personnel Management. These extensive forms record, at a granular level, the lives of millions of clearance holders along with those of their friends and families. It was the kind of breach that should never happen, and yet, just like the breach of Equifax's database, it did. The sad reality is that no matter how securely it is stored, data that exists can be stolen, while data that was never collected or shared cannot be. The onus is on each of us to be the bulwark of our own personal information, sharing only what is absolutely necessary, and only with those who need it.
Even something as seemingly innocuous as linking a name to a cellphone number can undermine security controls such as two-factor authentication: an attacker who knows which number to target can attempt a SIM swap or port-out and intercept the SMS codes sent to it. And once-sacred Social Security numbers, used by banks, credit card companies, and the IRS to validate a person's identity, have become so widely circulated that they might as well be considered public information. This didn't happen by accident. It was the consequence of decades of data sharing between marketers, employers, and data brokers, with little evident concern that the information might find its way into the hands of identity thieves.
CPRA: Progress in California
In November 2020, California voters approved the California Privacy Rights Act (CPRA), the nation's first privacy law to give employees notice of, and the right to opt out of, sales of their personal data by their employer. These rights extend to employees, job applicants, and independent contractors, giving those entering the workplace an expectation of privacy for the first time in decades. Businesses operating in California should familiarize themselves with the law, because failures to comply can bring fines of up to $2,500 per violation, or $7,500 per intentional violation. Many of these protections do not go into effect until January 1, 2023, to give employers time to prepare for compliance.
It's a good start, but the rest of the country lacks a comparable employee privacy law. Employers elsewhere should take the initiative and respect their own employees' data, with or without a legislative push.