Once again HR data has been stolen, and, guess what, again it was not encrypted!
This time Colt Express Outsourcing Services, an HR outsourcing vendor, had data belonging to many of its clients stolen in a burglary on May 26. The clients affected include Google and CBS' CNET Networks. The data stolen in the burglary included names, addresses, social security numbers and other details of employees and their dependants; as in the Stanford case, that is enough to open credit cards in a person's name. More details are in the letter Colt sent to the Maryland Attorney General.
What is interesting in this case is that Colt Express is in financial difficulty and is unable to help the affected customers. Further, Google had stopped using them as a service provider a few years ago, yet its employee data was still on Colt's systems when the theft occurred.
This scenario raises some questions for organisations.
- Firstly, encrypt personal data, including data on file servers, on laptops and in corporate databases. I know this is not a simple activity, but please look into it.
- When you enter into an outsourcing arrangement, do you actually verify that the vendor is complying with the contract, for example by storing the data encrypted?
- When an outsourcing contract finishes and the provider either has to retain your data for legal reasons or simply keeps it, what review processes do you have in place to ensure the data is kept secure?
- Further, after the contract ends, are these old arrangements reviewed in light of changing privacy legislation? Does anyone even remember that the arrangements existed?
- How do you ensure that data stored in old systems is properly destroyed? I know what the process should be: certificates of destruction are required. But do you ever ask to see them, and do you even know when an outsourced service provider destroys hard disks containing your data?
This area is becoming more and more complex.
For example, Skilled Group looks after about 60,000 employees across Australia and has recently entered into an agreement to deploy Wide Area Data Services, which basically means that personal data could be stored in many of its offices. Skilled admits that its IT infrastructure is very decentralised, so what happens when a disk dies in one of the smaller offices and is replaced? Will the correct data destruction procedures be followed for the failed disk?
Governance around the handling of personal data should be a priority for every HR Director during IT projects, assuming they even know that personal data is affected; the deployment of a Wide Area Data Service, for instance, looks on the surface like a purely IT project.