Does Your VMS Protect your Temporary Personnel’s Data? | DCR Workforce Blog

Almost every business stores large amounts of data on its personnel. Most also put measures in place to protect that data, restricting access to a small number of authorized officials. A breach of such data could enable fraud, identity theft or other misuse. Employers also have a duty to protect their employees’ privacy, and face legal consequences if they fail to.

We keep hearing of businesses, including banks, suffering malware attacks that expose their customers’ sensitive personal data. The hack into Home Depot’s systems leaked more than 56 million credit and debit card accounts and, at last count, cost a whopping $62 million in damage control. Before that, Gmail accounts were found to have been hacked, and hospitals have found their medical information passed to third parties by employees. Perhaps the most alarming of all is the recent theft of sensitive personal information on federal employees held by the Office of Personnel Management (OPM). Initially estimated to cover 4.2 million individuals, this enormous breach assumed mammoth proportions when it was revealed that roughly 21.5 million people’s data, within and outside the government, was compromised. These people had applied for government jobs, federal contracts and partnerships with federal contractors. While 19.7 million of them had filed for security clearance, dating back to the year 2000, the remaining 1.8 million were their partners and spouses. In all, the data breach affects 7% of all Americans and includes their Social Security Numbers. We can now add potential targeted terrorist acts against American federal workers to our growing list of online security concerns.

A hack could expose financial information, medical history, Social Security numbers, drivers’ license numbers, and online identification data, which in turn could expose usernames and passwords for other resources. When companies let their data be hacked by failing to set up the required levels of security, the consequences fall on their employees, customers, vendors and clients. When an employee record base is breached, the employer has to inform all current employees as well as former employees whose data is still retained by the system. However, while increasing their focus on protecting employee data, many companies neglect the temporary workers who often make up a large segment of their total workforce.

Temporary worker data is typically held in a Vendor Management System (VMS), Applicant Tracking System (ATS), and in the client company’s back office financial systems. The financial system, a critical component of every company’s infrastructure, is a main focus of protection for most companies today. But what about the VMS? These systems contain information about current and former workers. They include background information, resumes, contact information, assignment specifics, and other private details. In the event of a breach, the injured parties and their attorneys will hold the VMS provider and client company jointly responsible.

When considering the security of information stored in a VMS, some actions are mandatory:

  • Select a system that protects data both at rest and in transit.
  • Check the physical, data and network security controls that are in place.
  • Verify that vulnerability tests are regularly conducted.
  • Insist on a rigorous authorization and authentication system.
  • Demand background checks on everyone that has system administrator privileges.
  • Most VMS systems are SaaS-based offerings. Examine the qualifications and security of the hosting site(s).
  • Know where information is stored. Is any stored outside of the country in which the workers reside and work?
  • Review the security procedures associated with patches and updates.
  • Understand the types of data stored within the VMS. While the VMS will contain rate calculation information (pay rate, bill rate, overtime eligibility, cost centers to be charged), the actual payroll information should not be stored within the VMS.
  • Be sure that results of background checks, drug tests, security clearances, and other highly sensitive information are stored only as “pass/fail”, in keeping with privacy laws.
  • Verify that every transaction is auditable, and take the time to read the audit reports.
  • Have the VMS system audited by reputable third parties on a regular basis.
  • Heed the warnings issued by auditors and make any necessary improvements and changes.
  • Put a plan in place to immediately detect and respond to any breach. The plan should include ways in which all affected parties are notified, and the corrective actions to be taken. Test the plan on a regular basis.
    • Notify all potentially affected parties within 30 days. Provide guidance on changing passwords and setting up fraud alerts.
    • Notify local authorities, state consumer protection agencies, major credit bureaus (Equifax, Experian, and TransUnion) and attorneys general.
  • Adopt a “see something, say something” program in which every user of the VMS is encouraged to report anything that seems suspicious.

It must be noted that no database linked to the internet is truly secure. Sensitive and classified information is always at risk, but the risk can be significantly mitigated by setting a high level of security around the data, with the necessary authorizations and cross-checks.

For a private employer, a data breach would not only result in damages and penalties but also damage the reputation of the business and lay it open to highly public procedures involving Government investigations and findings. In our next post, let us look at the steps a private employer needs to take in the event of a data breach.

The content on this blog is for informational purposes only and cannot be construed as specific legal advice or as a substitute for competent legal advice. It reflects the opinions of DCR Workforce and may not reflect the opinions of any individual attorney. Do contact an attorney for advice specific to your issue or problem.

Lalita is a people/project manager with extensive experience in operations, HCM, and training and development across industries such as banking, education, business consulting, BPO and information technology. She believes in a dynamic approach to life and learning, as change is the only constant.