Lecture Outline

16

HRIS Privacy and Security

CHAPTER OBJECTIVES
After completing this chapter, you should be able to describe the following:

 The importance of information security and privacy in today’s technology-

intensive and information-driven economy

 The important components of and threats to information security

 The legal requirements pertaining to information security and privacy

 Best practices in safe information-handling procedures

INTRODUCTION
Information privacy and security are particularly important issues for HRIS because

unlike many other organizational systems, an HRIS includes a great deal of

confidential data about employees, such as Social Security numbers, medical data,

bank account data, salaries, domestic partner benefits, employment test scores, and

performance evaluations.

Therefore, it is critical for organizations to understand and pay close attention to

what employee data is collected, stored, manipulated, used, and distributed—when,

why, and by whom.

1
 Organizations also need to carefully consider the internal and external threats to

this data and develop strong information security plans and procedures to protect this

data and comply with legislative mandates.

Doing this is much more complex than it was 30 years ago. Consider that most

computers at that time were mainframes that were secured in a central physical

location, with very few HR staff having access to them. If an HR staff member had

access to the mainframe, it was through “dumb” terminals with limited functionalities,

and access was easily restricted through physical access and passwords. Due to this

closed environment, there was little threat of security breaches or vulnerabilities

being exploited.

During those days, information security was considered to be a process that was

composed mostly of physical security and simple document classification schemes.

Physical theft of equipment, espionage, and sabotage were considered the primary

threats.

However, starting in the 1990s, as computer networks became more common,

threats to information security became more involved due to presence of enterprise-

wide systems.

There is a growing concern about the extent to which these systems permit users

(both inside and outside of the organization) to access a wide array of personal

information about employees. As a result, employees may perceive that if these data

are accessed by others, the information contained in their employment files may

embarrass them or result in negative outcomes (e.g., denial of promotion or

challenging job assignment).

2
 Recent research suggests that this concern may be well founded. For example, one

report indicated that over 500 million organizational records have been breached since

2005, and there has been a rise in the theft of employment data (Privacy Rights

Clearinghouse, 2010).

In view of the growing concern about identity theft and the security of

employment information in HRIS, a number of states (e.g., AK, CA, FL, HI, IL, LA,

MO, NY, SC, and WA) passed privacy laws requiring organizations to adopt

reasonable security practices to prevent unauthorized access to personal data (Privacy

Protections in State Constitutions, 2012).

Despite these new laws, results of surveys revealed that 43% of businesses stated

that they did not put any new security solutions in place to prevent the inadvertent

release or access to employee data, and almost half did not change any internal

policies to ensure that data were secure.

The cost of these data breaches can be large. For example, the average cost of a

data breach has increased to almost $7 million per firm. In addition, a recent study by

McAfee estimated that global economic losses due to information security breaches

amounted to over $1 trillion.

Software vendors such as Oracle, are aware of the potential for security breaches

and offer multiple security models (e.g., Standard HRIS Security and Security Groups

Enabled Security) that enable an administrator to set up HRIS security specifically for

an organization. This means that the software allows companies to determine the kind

of data access and responsibility each employee has.

EMPLOYEE PRIVACY

3
The U.S. Fair Labor Standards Act of 1938 requires employers to maintain basic

information on all employees, including Social Security number, address, gender,

occupation, pay, and hours worked. However, the increased use of HRIS to store

these data has prompted concerns about the degree to which these systems have the

potential to invade personal privacy.

Information privacy has been defined as the “degree to which individuals have

control over the collection, storage, access, and release of personal data.”

Unauthorized Access to Information

One reason that employees are concerned about the storage of data in an HRIS is that

they fear that these systems may allow unauthorized access to their private

information. For example, employees may perceive that if users have access to their

Social Security numbers or bank data, they will experience identity theft. In fact,

some reports indicate that identity theft is the primary consequence of the breach of

HRIS data (Privacy Rights Clearinghouse, 2010). Similarly, if unauthorized users

have access to medical data or domestic partner benefits, then employees feel that

they will experience embarrassment or loss of job opportunities (e.g., promotions, pay

raises, or challenging job assignments).

Some research also indicated that employees were more likely to perceive an HRIS

as invasive of privacy when they were unable to control access to their personal data,

and information was accessed by users outside the organization than those inside the

organization.

Results of other research revealed that the use of an HRIS was perceived as

invasive of privacy when (a) supervisors were able to access information in employee

records, (b) the same data were used for employment rather than HR planning

4
decisions, and (c) the employees did not have the ability to check the accuracy of the

data before decisions were made.

Unauthorized Disclosure of Information

Another concern about the use of HRIS is that employees may perceive that these

systems allow for the unauthorized disclosure of information about them to others.

For example, research revealed that 70% of employers regularly disclose employment

data to creditors, 47% give information to landlords, and 19% disclose employee data

to charitable organizations.

In addition, some reports indicated that organizations regularly sell data collected

on recruiting websites. Furthermore, 60% of employers do not inform applicants or

employees when they disclose information within or outside the organization (Society

for Human Resources Management & West Group, 2000).

Data Accuracy Problems

Employees are also troubled about data accuracy because HRIS may contain

inaccurate or outdated information about them. Not surprisingly, individuals are often

unaware that data in these systems are inaccurate, and many organizations do not give

them the opportunity to review or correct data stored in HRIS.

In support of these arguments, Linowes (2000) found that 72% of private-sector

organizations do not allow employees to review their employment records for

inaccurate data, and 24% do not give them the opportunity to correct their records. In

addition, research by Stone et al. (2001) found that individuals were more likely to

perceive that their privacy had been invaded when they were not able to check the

accuracy of data in an HRIS system than when they were allowed to check the

accuracy of data. Thus, employee concerns about the degree to which inaccurate data

5
may unfairly stigmatize them or affect their outcomes in organizations appear quite

justified.

Stigmatization Problems
Employee are often uneasy about the use of HRIS, especially when they feel that

networked data may lead to them to be stigmatized or deeply discredited in

employment.

Use of Data in Social Network Websites

Recently, organizations have started collecting and using data about applicants and

employees from social network websites (SNWS) (e.g., Facebook, MySpace,

Google+).

For instance, organizations now use SNWS to collect information about job

applicants’ lifestyle, family background, friends, sexual orientation, religion, political

affiliation, and personal interests. Estimates indicate that between 20% and 40% of

employers now scan SNWS to gather data about job applicants, and 75% of recruiters

are currently required to do online research on applicants before making hiring

decisions.

Lack of Privacy Protection Policies

Despite the widespread use of HRIS and growing concerns about the (a) unauthorized

access, (b) unauthorized release, (c) data accuracy, and (d) use of data to stigmatize

employees, many companies have not established fair information management

policies to control the use and release of employee information.

COMPONENTS OF INFORMATION SECURITY

Brief Evolution of Security Models

6
The complexity of the networked environment in which HR data is captured, stored,

and utilized means that personnel transactions and information processing are

increasingly more vulnerable to security threats and risks than ever before. Therefore,

the traditional CIA model of information security does not suffice. The National

Security Telecommunications and Information Systems Security Committee

(NSTISSC) security model, also known as the McCumber Cube, provides a more

detailed perspective on security.

The McCumber Cube provides a graphical representation of the architectural

approach widely used in information security. It examines not only the characteristics

of the information to be protected but also the context of the information state. The

Cube allows an analyst to identify the information flows within an HRIS, view it for

important security-relevant factors, and then map the findings to the cube. The cube

has three dimensions. If extrapolated, the three dimensions of each axis become a 3 ×

3 × 3 cube with 27 cells representing areas that must be addressed to secure a modern-

day information system.

 Desired Information Goals – Ensure that data is kept confidential, has

not been manipulated, and is available to those who are authorized to
access it.

 Countermeasures – Identify mechanisms that can be used to protect

data.

 State of Information – Identify the state in which data are currently

residing.

SECURITY THREATS

7
What kind of threats are our organizational security practices protecting us from? In

security, it is important to “know your enemy.” The following are common security

threats:

 Threat Sources

o Human error: When an HRIS is not well designed, developed, and

maintained and employees are not adequately trained, there is a high
potential threat of security breaches. Research suggests that human errors,
such as incorrectly entered data or accidental destruction of existing data,
constitute security threats to the availability, accessibility, and integrity of
information

o Disgruntled Employees and ex-employees: One of the concerns

overlooked by HR managers is that information may be damaged by
disgruntled employees. This is commonly referred to as an insider
threat. Employees and ex-employees are dangerous since they have
extensive knowledge of systems, have the credentials needed to access
sensitive parts of systems, often know how to avoid detection, and can
benefit from the trust that usually is accorded to an organization’s
employees.

o Other “Internal” Attackers: Many businesses hire contract workers, who

work for the organization for a short period. Contract workers usually
gain temporary access to various critical areas of an organization. This
creates risks almost identical to those created by employees.

o External Hackers: Another significant threat is the penetration of

organizational computer systems by hackers. A hacker is defined as
someone who accesses a computer or computer network unlawfully. Such
attacks, often termed intrusions, can be particularly dangerous because
once the hacker has successfully bypassed the network security, he or she
is free to damage, manipulate, or simply steal data at will.

8
o Natural disasters: Typical forms of natural disasters are floods,
earthquakes, fires, and lightning strikes, which destroy or disrupt
computing facilities and information flow.

 Types of Threats.

o Misuse of computer systems: One of the predominant internal security

threats is employees’ unauthorized access to or use of information,
particularly when it is confidential and sensitive.

o Extortion: The perpetrator tries to obtain monetary benefits or other

goods by threatening to take actions that would be against the victim’s
interest.

o Theft: The value of information can be much higher than the price of
hardware and software. With contemporary advances in technological
developments, a relatively small computer chip (e.g., a USB device) can
easily store over 100 GB of data. For example, the State of Hawaii’s HR
department had medical records stolen when doctors’ offices of two
doctors servicing workers compensation claims were burglarized.

o Computer-based fraud: There is growing evidence that computer-based

fraud is widespread. Over 90% of companies have been affected by
computer-based fraud, such as data processing or data entry routines.

o Cyberterrorism: Cyberterrorism is the leveraging of an information

system that is intended to intimidate; cause physical, real-world harm; or
cause severe disruption of a system’s infrastructure. In one such scenario,
a person with high-level computer and network skills (e.g., a hacker) is
hired to break into a specific computer or computer network to steal or
delete data and information. Cyberterrorists often send a threatening e-
mail stating that they will release some confidential information, exploit a
security leak, or launch an attack that could harm a company’s systems or
networks.

9
o Phishing: Victims usually receive e-mail messages that appear to come
from an authentic source with which the victim does business. The
official appearance of the message and the website often fool victims into
giving out confidential information. According to Gartner, the estimated
cost of phishing is around $2 billion.

o Denial-of-service: A denial-of-service (DoS) attempts to make a service

unavailable for legitimate users by flooding it with attack packets. The
server that is hosting that service is then unable to handle the large
number of requests, thereby shutting it down. The financial services
sector has been hit particularly hard by this type of attack. For example,
Bank of America and JP Morgan Chase have both experienced outages on
their public websites due to DoS attacks (Holland, 2012).

 Software Threats

o A computer virus is a type of malware that works by inserting a copy of

itself onto a computer or device (e.g., smartphone) and then becoming
part of another program. It can attach itself to files without the user’s
knowledge and duplicate itself by executing infected files. When
successful, a virus can alter data, erase or damage data, create a nuisance,
or inflict other damage.

o Worms are, in some ways, similar to viruses since they can replicate
themselves. However, unlike viruses that require the spreading of an
infected file, worms such as Code Red, Slammer, and MyDoom can
spread by themselves without attaching to files.

 Spyware is software installed on an unknowing user’s computer that

gathers information about the user’s activities on the Web (keystrokes,
websites visited, et cetera) and transmits it to third parties, such as
advertisers or attackers. Problems associated with spyware include
potential privacy invasion, appropriation of personal information, and
interference with the user’s computer operation.

10
  Blended threats: These threats propagate both as viruses and worms.
They can also post themselves on websites for people to download
unwittingly.

o Trojan is another type of malware that usually hides inside e-mail

attachments or files and infects a user’s computer when attachments are
opened or programs are executed. Trojans are named after the Trojan
horse of Greek mythology in that they appear to be something positive
but are, in reality, doing something malicious. Unlike viruses and worms,
Trojans do not reproduce by infecting other files nor do they self-
replicate. Instead, they must be opened on a computer by a user. Some
Trojans can work as spyware while others can display a login or install
screen and collect personal data, such as usernames and passwords or
other forms of identification, such as bank account or credit card
numbers. They can also copy files, delete files, uninstall applications
using remote access programs on the computers, and format disks without
alerting the victim.

Information Policy and Management

It is important that organizations have policies and procedures in place to protect

employee data. There are two mechanisms though which this can occur: fair

information management policies and strong security practices.

One way to decrease individuals’ perceptions of invasion of privacy is to establish

fair information management policies for controlling data in HRIS.

Fair Information Management Policies

To date, there has been legislation restricting the collection, storage, use, and

dissemination of employee information in the public sector (e.g., Privacy Act of

1974), but there is no comprehensive federal legislation on employee information

privacy in private-sector organizations.

11
 However, one state, California, has recently passed a law that protects the privacy

of employee records in private-sector organizations (Privacy Protection in State

Constitutions, 2012).

In addition, multinational organizations should also consider the privacy practices

in the countries in which they operate. The challenge for organizations is that every

country takes a different perspective on protecting employee information privacy, and

your organization will need to be familiar with all the applicable laws in each country

in which you operate.

Even though there are few laws governing the storage, use, and dissemination of

information in HRIS, organizations may decrease the degree to which employees

perceive that HRIS invades their privacy by establishing fair information management

policies and practices.

For example, in 1977, the Privacy Protection Study Commission recommended

that private-sector organizations proactively establish policies for managing employee

information to protect individuals’ perceived or actual rights to privacy.

For instance, they recommended that organizations limit the collection of

information to data which are job related, control unauthorized access to information

in HRIS, adopt reasonable procedures for assuring that data are accurate and timely,

and limit external disclosures of data without employees’ consent.

EFFECTIVE INFORMATION SECURITY PRACTICES

The second way that organizations need to protect employee data is through their

security practices.

12
 “Security is a process, not a product” (Schneier, 2000). This statement alludes to

the nature of information security. That is, information security is not predominantly a

technical issue; it is more of a management issue. It is easy to see why, at times, there

is a major focus on technology. Technology is visible, and there are many things that

we can say about security technologies. Management can seem more abstract.

There are fewer general principles to discuss, and most of these cannot be put into

practice without well-defined and complex processes. But the management issues are

actually often complex and a focused both on behavioral information policies as well

as the technical practices.

This lends credence to importance of effective security policies. Security policies

identify valuable assets, provide a reference to review when conflicts pertaining to

security arise, outline personal responsibility, help prevent unaccounted-for events,

outline incident response responsibilities, and outline an organization’s response to

legal, regulatory, and standards of due care.

For effective implementation of security, organizations usually follow established

security standards, such as ISO/IEC 27000 series.

 This series focuses on areas such as access control, security

management, good practices, and protection of health-related
information. Almost all aspects of the ISO/IEC 27000 series mesh with
HRIS. For example, it is standard practice to require HR employees to
change their passwords on a quarterly basis to achieve optimal access
control. It is also a generally good practice to verify that all HRIS users
are properly trained in the secure use and handling of equipment, data,
and software.

13
Many breaches occur when users are not consciously aware of what they are doing.

Unconscious behavior can defeat the best efforts of security experts, meaning all of

the security protocols in the world are powerless in the face of a stressed-out worker.

According to Microsoft’s Security Intelligence Report, 44.8% of vulnerabilities result

from user action, such as clicking a link or being tricked into installing malware.

Several best practices have been proposed to ensure that employee data is secured

and employee privacy is protected. These include the following:

 Adopt a comprehensive information security and privacy policy.

 Store sensitive personal data in secure HRIS and provide appropriate

encryption.

 Dispose of documents properly, or restore persistent storage equipment.

 Build document destruction capabilities into the office infrastructure.

 Implement and continuously update technical (firewalls, antivirus,

antispyware, etc.) and nontechnical (security education, training, and
awareness) measures.

 Conduct privacy “walk-throughs,” and make spot checks on proper

information handling.

Although there is no question that all organizations need to be aware of HRIS security

issues and best practices, global organizations need to be particularly diligent. An

organization may face specific laws regarding storage, transmission, and transfer of

data based on the areas in which it operates. This may limit the flow of employee data

across borders and may make the HRIS more complex or may require the

organization to adopt different HRIS in different countries.

14
CHAPTER SUMMARY
Although it is clear that HRIS have numerous benefits in organizations, this chapter

considers some recent issues associated with their use, including employee privacy

and information security. In particular, the chapter considers (a) practices that may

affect individuals’ perceptions of invasion of privacy, (b) the components of

information security, (c) the security threats faced by organizations, (d) the

implications for developing fair information management policies and security

practices, and (e) cloud computing. Throughout the chapter, we argued that

organizations should take proactive steps to develop fair information management

policies that can be used to protect individual privacy and implement information

security practices and policies that safeguard employment data.

15