Aug 5, 2009

Identity theft from Job Applicant Data

ID theft expert Brian Lapidus, chief operating officer of Kroll Fraud Solutions, suggests that it is an organization's responsibility to secure applicants' data.

Some businesses may feel overwhelmed at the prospect of protecting this wealth of information. After all, everyone has heard the horror stories of businesses that toss boxes of job applications in the dumpster. Others might not realize the responsibility before them and the significant toll that a misstep can take on their organizations.

As India moves to a universal ID project, the risk of this being replicated in India is also high.

Here are Brian's Top 5 Tips for Keeping Your Job Applicant Data Secure:

1. Know your organization’s data “hot spots” and secure them against misuse, loss or theft. When job seekers submit applications on your company’s Web site, is that transmission secure? Where do you store resumes, job applications, credit reports or other background check information? How are they protected? Who has access to this data and how carefully do you screen those employees? Do you keep a record of how information is distributed to other entities inside and outside of your organization during the hiring process? Companies large and small must ask these vital questions in order to close security gaps both internal and external.

2. Establish a privacy policy at your organization and stand behind it. Once you have identified areas of vulnerability, develop a privacy policy that addresses these issues as well as general best practice rules of handling data. Remember that a privacy policy is only as good as the mechanism for enforcing it, so be sure to review the privacy policy with employees and stress that applicant data is just as important as that of any customer. Finally, share the policy liberally with applicants to quell concerns and publicize the proactive stance your organization is taking on the protection of their information.

3. Be sensitive to the concerns of job applicants about the use and storage of their personal information. Identity theft is a growing crime, and it’s probable that you will run across applicants who have already had their personal information either stolen or compromised in some way. While it may make your job easier, it is not necessarily vital to obtain all the information you will need up front. Be flexible and understand that reluctance to provide certain information, especially Social Security numbers, until later on in the process does not necessarily mean that person has something to hide.

4. Familiarize yourself with the laws governing recordkeeping and disposal of information. While data protection laws vary by state and type of records, many companies have adopted a best practice policy of shredding unnecessary documentation as often as possible. The FACTA Disposal Rule, which generally applies to consumer reports run as part of a background check, requires businesses to use “reasonable and appropriate” means to dispose of these records; and the FTC encourages businesses to practice proper disposal of any and all personal information. Many states also have laws concerning the use of Social Security Numbers as identifiers, as well as minimum time periods for which applicant records should be maintained.

5. Have a plan in place in the event an applicant’s data is breached. A pre-breach plan may be a part of your company’s overall risk management or security planning, but make sure it incorporates measures for protecting applicant records, not just employee, customer, or vendor records.

By incorporating applicant data into your company’s data security policies and procedures, your organization will significantly minimize your vulnerability to a breach.