Keeping Employee Information Safe in the Clouds
By Caryn Tijsseling, Litigation Partner, Lewis and Roca
The increasing popularity of cloud computing will have far-reaching effects on the data management systems of many companies. One area where cloud computing can have a major impact is the storage of Human Resources (HR) information and records. In fact, recent studies indicate that up to 84 percent of surveyed companies are either transitioning or planning to transition their Human Resources functions to more accessible and affordable data management systems such as cloud systems.
While there are many benefits to cloud computing for this type of information, there are also significant risks. If your business is contemplating transferring your HR records to a cloud system, you’d be wise to take some precautions to protect sensitive employee information and minimize other risks associated with these new computing environments.
There are undoubtedly many benefits to using a cloud computing system to maintain HR records. Cloud computing is cost effective because it allows businesses to build huge data centers where computing and software can be provided remotely. The systems work much like utility services, wherein a business typically pays a monthly fee to a service provider for storing information in a cloud. Cloud systems also are easy to use and can streamline computer services.
Cloud computing systems are useful for all kinds of business needs but especially useful for Human Resources departments. In larger businesses, HR teams often are spread out over geographic areas, which can delay access to personnel records. A cloud computing system can maintain employee information in a centralized location that is easily accessible to the necessary HR professionals. Further, a cloud storage system can be used to keep track of employment applications, calculate payroll, track performance reviews, and maintain other employee data.
But these potential advantages do not come without certain risks. The most obvious risk with this type of system is the security of sensitive employee information—such as Social Security Numbers—contained in HR records. The concern is that sensitive employee information stored on a less secure cloud computing system will not be adequately safeguarded.
These risks can be minimized by taking the following three steps.
Step #1: Assess the privacy and security risks of putting personnel files on the cloud.
Company executives contemplating putting HR records on a cloud must assess the level of risk they are comfortable with or can afford. Data sensitivity is a crucial factor when analyzing the risk of placing sensitive HR records on a cloud system. Security risks are magnified on a cloud server. For one, there are simply more people with access to the information. Cloud computing vendors and their employees will have access to employee dates of birth, Social Security Numbers, and payroll information. Giving control of this information over to a cloud server basically means the HR department is giving up a level of control over the management of that data. What does this mean in practical terms? It means the information stored on a cloud conceivably could be mined by advertisers, subjecting employees to unsolicited advertising. More troubling is the increased risk of identity theft this presents.
Given these concerns, data sensitivity is a crucial factor in analyzing the risk involved in transferring HR records to a cloud computing system. In addition to Social Security Numbers and birth dates, HR records also may include sensitive medical information, law enforcement data related to the individual employee, culturally sensitive information, and financial information. A business must thoroughly assess whether the benefits of having HR records stored in a cloud system outweigh the risks of this sensitive information falling into the wrong hands.
Step #2: Carefully select a cloud service provider.
Mitigate some of the risks of cloud computing by carefully selecting a vendor. Cloud vendors need to be thoroughly vetted based on factors such as the experience and technical expertise of personnel employed by the vendor. Further, the quality and frequency of security and awareness training provided to their personnel should be considered. It is also important to take into account the rate at which the provider reviews and implements changes to the technologies. Finally, the cloud provider’s history and reputation for ensuring security and privacy needs should be carefully researched and considered.
Step #3: Clearly specify the business’ security and privacy requirements in any servicing agreement.
The business purchasing cloud computing services should clearly specify the requirements of the system in its servicing agreements, including security-related requirements. For example, a business can specify personnel requirements such as which types of the service provider's employees have access to or control of the information. Further, it is important to consider including specific provisions on how issues such as service availability, problem reporting, network connectivity, filtering, and backup and recovery will be managed.
The agreement also should specify how incidents will be reported, handled, and responded to by the provider. Other issues such as privacy, data ownership rights, records and management controls, and user training also should be identified. To ensure these unique specifications for HR records are met, it is critical to negotiate and carefully review the cloud computing contracts and service agreements. This ensures all security needs are identified and the protocol for a response to a breach or problem with the system is documented.
There are strong advantages—with cost savings being a big one—for placing HR records on a cloud computing system; however, HR departments must not ignore the fact that new and complicated data security and privacy issues are presented by such a system. Carefully assessing your level of risk, thoroughly vetting the cloud service provider, and having clear specifications in the servicing agreement can help mitigate these risks and ensure a business gets all the advantages of the cloud system.
This article is for information only and is not legal advice.
Caryn Tijsseling is a litigation partner in Lewis and Roca’s Reno office. Her employment law experience includes advice and counseling on cloud computing, workplace wellness programs, ADA and FMLA requirements, employee handbooks, complex wage and hour issues, restrictive covenants, non-compete agreements, and similar matters. She can be reached at CTijsseling@LRLaw.com and 775.321.3426.