If you read nothing else, read this…
- Employers should ensure data security measures are clearly set out in service-level agreements with benefits providers.
- Internal people risks to data security should not be overlooked.
- Under EU data protection laws coming into effect in 2016, the maximum fine for non-compliance has been set at €100 million or 5% of annual global turnover.
According to the 2014 Information Security Breaches Survey, published by the Department for Business, Innovation and Skills (BIS) and PricewaterhouseCoopers (PwC) in July 2014, 81% of large organisations and 60% of small businesses suffered a security breach in the past year, and 59% of respondents expect there to be more security incidents in the next year.
WM Morrison is one organisation that experienced this firsthand when it suffered a payroll data breach in March, with employees’ details being published online. On hearing this news, most benefits professionals probably breathed a sigh of relief that it had not happened to their organisation, before rushing to check whether their data could have been similarly compromised.
This was followed, in April, by the news of a security flaw called Heartbleed in the widely used OpenSSL software, which allowed attackers to bypass the protection that server encryption was meant to provide and read passwords and other sensitive data.
These cases highlight the importance of ensuring security measures are in place to protect employees’ information.
And with new EU data protection laws coming into effect in 2016, the stakes have never been higher. Under the new legislation, which will apply to all 28 member states, the maximum fine for non-compliance has been set at €100 million or 5% of annual global turnover.
Charles Cotton, performance and reward manager at the Chartered Institute of Personnel and Development (CIPD), says security around sensitive benefits-related data is likely to become an issue for more employers as they reach their auto-enrolment staging dates and collate more sensitive information on their workforce. “Everyone talks about big data, but this creates risks to be managed,” he says.
To ensure their data is secure, there are a number of questions employers should ask their benefits providers.
Service-level agreements
Firstly, they should ensure robust security measures are clearly set out in service-level agreements (SLAs) with benefits providers. Ideally, this should involve an organisation’s IT and security teams. Dipa Mistry-Kandola, senior consultant at LCP, says: “Not enough interrogation is done at the initial proposal stage. A lot of the time, providers will say ‘our data is hosted through a third party, here’s our business continuity plan, which is really robust’. However, there is a point where the provider gets involved, downloads the data and puts it onto its system.
“The employer needs to get a sample SLA from a provider before appointing it, get IT to add in any additional caveats so it is very clear and open if anything goes wrong, what the provider will do and what the employer expects of it in terms of how the data is managed.”
Employers should also ask to see references from existing clients and a register of any previous data security breaches. Reputable providers that have nothing to hide will not be concerned about sharing this information, says Michelle Crook, chair of the board of trustees at the Chartered Institute of Payroll Professionals (CIPP).
Where a benefits provider hosts its systems in a large data centre, employers may also wish to visit it to see firsthand how the data is stored and the security measures that are in place. They should also ask a provider whether their data will be isolated from that of other clients and, if not, how it will be segregated.
If an employer is switching between benefits providers, it should also ensure that all data held by the outgoing provider is destroyed, says Tom Polden, head of software as a service at Lorica Employee Benefits. “[Employers] need to get written confirmation that has been done,” he says.
Standards to look for
Some standards and accreditations can indicate how robust a provider’s data security processes are. ISO 27001 is the most popular global standard. But employers should always ask to see written confirmation from a provider that it has obtained the standards it claims to have. “Some providers will say they are certified; others will say they follow the standards [but are not formally certified],” says Polden.
Employers should also question what measures are in place to ensure data remains secure during transfer, for example between software providers and benefits suppliers. “[Employers need to ask] is it automated, is it transferred through data feeds, or if it is not automated, does the provider ensure the transfer is secure?” says Polden.
Ensuring data is encrypted is key, and audit trails should record exactly who has accessed which data.
System testing
As part of their system maintenance, providers should appoint an approved third party to test their systems for vulnerabilities that could be exploited by hackers. This penetration testing should be carried out at least annually.
The potential internal people risks to data security should also not be overlooked, as demonstrated in the case of Morrisons, which saw an employee arrested over its breach. According to the aforementioned BIS/PwC research, 58% of large organisations suffered staff-related security breaches in the past year. Just under one-third (31%) of the worst security breaches were caused by inadvertent human error and 20% by the deliberate misuse of systems by staff.
Crook says: “Internal controls are things like understanding your own data, knowing exactly who has access to it, both from an internal point of view and from a provider’s, having internal controls so you know what the process is and how somebody is made a leaver, and making sure user accounts are reviewed.”
She adds that employers should also have measures in place to enable them to quickly disable an employee’s access to data if they leave or are suspected of untoward activity.
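As an added illustration of the internal controls described above (not code from the article or from any provider named in it), the following Python script reconciles a constructed HR roster against a constructed export of provider user accounts and an access log: it flags leavers whose accounts are still enabled, accounts whose access has not been reviewed recently, accounts with no matching HR record, and audit-trail entries made after a person's leave date. All names, IDs and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data, not real employees or providers.
HR_ROSTER = {
    # employee id: (name, leave date, or None if still employed)
    "E100": ("A. Example", None),
    "E101": ("B. Example", date(2014, 3, 14)),   # leaver
    "E102": ("C. Example", date(2014, 5, 2)),    # leaver
}

PROVIDER_ACCOUNTS = [
    # (employee id, account enabled?, date access was last reviewed)
    ("E100", True, date(2014, 6, 1)),
    ("E101", True, date(2013, 11, 1)),   # leaver still enabled, stale review
    ("E102", False, date(2014, 5, 2)),   # correctly disabled on leaving
    ("E999", True, date(2014, 6, 1)),    # no matching HR record
]

ACCESS_LOG = [
    # (employee id, date, record accessed), as exported from an audit trail
    ("E100", date(2014, 6, 3), "payroll/2014-05"),
    ("E101", date(2014, 3, 20), "payroll/2014-03"),   # after leave date
]

REVIEW_DATE = date(2014, 6, 30)   # the day the review is run


def review_accounts(roster, accounts, today, max_review_age_days=90):
    """Return (employee id, finding) pairs a reviewer should act on."""
    findings = []
    for emp_id, enabled, last_review in accounts:
        if emp_id not in roster:
            findings.append((emp_id, "no HR record for this account"))
            continue
        leave_date = roster[emp_id][1]
        if enabled and leave_date is not None and leave_date <= today:
            findings.append((emp_id, "leaver account still enabled"))
        age = (today - last_review).days
        if age > max_review_age_days:
            findings.append((emp_id, "access not reviewed in %d days" % age))
    return findings


def post_leave_access(roster, log):
    """Audit-trail check: log entries dated after the user's leave date."""
    return [(e, d, r) for e, d, r in log
            if e in roster and roster[e][1] is not None and d > roster[e][1]]


if __name__ == "__main__":
    for finding in review_accounts(HR_ROSTER, PROVIDER_ACCOUNTS, REVIEW_DATE):
        print("ACCOUNT", *finding)
    for entry in post_leave_access(HR_ROSTER, ACCESS_LOG):
        print("AUDIT", *entry)
```

In practice the roster and account export would come from the HR system and the provider's user-administration report; the same checks can be run against each provider in turn.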
The reputational damage that can result from a data security breach makes such measures an important part of any benefits procurement process.
What questions should employers ask of providers to ensure their data is safe?
- What is your information management policy, and what timelines do you place around data storage?
- Do you have an authorised data privacy manager?
- Where is data captured, held and accessed from? Are these all countries within the European Economic Area (EEA)? (There are additional considerations for providers capturing, holding and accessing sensitive information outside the EEA.)
- Are there any other parties with whom you will share our employees’ information? If so, who? And what safeguards do they have in place?
Three core safeguarding principles that HR and procurement teams should look at when considering a new provider or vendor that will access personal information about their employees:
- Technological: Is the provider using transport layer security (TLS) for all electronic communication, such as employee membership lists and medical records?
- Administrative: Are audits taking place? If so, they should be routine and event-based.
- Physical: Access to hardware and software should be limited to properly authorised individuals. Is there a policy for this?
Source: James Spencer, international account manager, Jelf Employee Benefits