Keeping information safe: when relocating employees, HR must perform due diligence with its vendors to ensure that employees' personal data remain secure

HR Magazine, Feb, 2005 by Roseanne White Geisel

Coordinating an employee's relocation involves more than simply moving people and goods. It also involves the transmission of information--sensitive information--usually electronically. As a result, data security--protecting the relocating employee's personal identifiable information--has moved to the forefront for HR.

That's true for employers and HR professionals on a day-to-day basis--but even more so during a relocation.

Dick Mansfield, general counsel for the Employee Relocation Council (ERC) in Washington, D.C., says, "Data protection is a current hot button" in employee relocation.

The potential for loss or theft of personal information is higher during relocations than during other human resource activities, experts say, because many pieces of vital data are transmitted to several different vendors involved in the relocation. Add in the fact that employees, distracted by the whirlwind of a relocation, may become less cautious than normal when giving out personally identifiable information, and "it's a recipe that's ripe for loss of information and--even worse--identity theft," says Gary Clayton, chief executive officer of Jefferson Data Strategies, a Washington, D.C.-based privacy and data management consulting firm.

Indeed, identity theft by company insiders--including contract employees and vendors' employees--accounts for as much as half of information theft and is an escalating trend in today's workplace, according to Judith M. Collins, associate professor of industrial and organizational psychology at Michigan State University School of Criminal Justice in East Lansing, citing research soon to be released by the university.

Other research also indicates that the workplace--either yours or that of your relocation providers--may be a fertile source of identity theft. Twenty-three percent of identity theft victims who knew the thief said it was someone who "worked at a company or financial institution that had access to the victims' personal information," according to a 2003 survey conducted for the Federal Trade Commission (FTC) by Synovate, a McLean, Va.-based research company.

When employees relocate from one location to another, then, HR professionals must ensure not only that their family members and possessions are handled carefully, but also that their data are kept secure as well. "HR practices in the 21st century must involve security measures," says Collins, author of Preventing Identity Theft in Your Business: How to Protect Your Business, Customers and Employees (Wiley, 2005), due out next month.

Technological Safeguards

In relocations, HR needs to vet the many people involved in facilitating the management of an employee transfer. Many employers use relocation management companies. But those companies may also be dealing with real estate companies, mortgage companies, banks, movers and firms that assist spouses in finding new jobs. Checking the security of your vendors and vetting the security of their subcontractors are the key safeguards.

Employers are "in the best position to be more powerful negotiators with service providers to make sure service providers have the necessary security procedures in place," says Naomi Lefkovitz, an attorney with the FTC's identity theft program in Washington, D.C.

Those security procedures, says Laura Jagodzinski, information security manager for relocation management company Cendant Mobility in Danbury, Conn., should be "as primary a concern as the actual services provided. When choosing a relocation company to provide service, it's of the utmost importance to understand what the company does to protect confidentiality."

Ask questions, Jagodzinski advises. "We expect employers hiring our company to partner with us in terms of personally identifiable information protection," she says. Human resource managers should make sure, she adds, that the vendor is covering the three major areas involved in information security: people, process and technology.

The people aspect involves assessing attitudes from the leadership on down toward the security of client data and looking into the staff's security-related skills.

When it comes to technology, such as firewalls, intrusion prevention or detection capabilities, she says, make sure it "doesn't just exist; make sure it is actually used."

Know the information security measures that the various vendors are required to take under the law, according to the FTC's Lefkovitz. The Gramm-Leach-Bliley Act of 1999 requires the FTC, federal banking agencies, the Treasury Department, the Securities and Exchange Commission and the National Credit Union Administration to regulate financial institutions' protection of the privacy of consumers' personal financial information. Under these regulations, various factors, such as a retail firm selling credit cards, bring a business into the financial institution category, determine whether there is a consumer or ongoing customer relationship, and require certain safeguards. The safeguards are to span all areas of operation, including employee management and training, information systems, and system failure management. The steps that must be taken include identifying and assessing information risks, designating one or more employees to coordinate the safeguards, locking rooms and file cabinets where paper records are kept, and storing electronic information on a secure server accessible only with a password or one that has other forms of security and is in a secure environment.