Privacy Scares from the Ghosts of Job Applicants Past

Thursday, January 17, 2013

Rebecca Herold


There is a topic that has been coming up, over and over and over again over the past 12 years, that I’ve never seen addressed in other publications. 

What does your organization do with all the personal information you collect from job applicants?  Consider a real situation I encountered around ten years ago.

A moment of privacy revelation (and perspiration)

I was working with a large multi-national technology company in 2003 helping them to establish their privacy program. To effectively protect privacy you need to know where the personal information is located.  I have a comprehensive set of questions I ask to help determine this (along with automated tools).  While at a meeting with their CxO levels, along with some key information management staff, I got to the topic of job applications and asked, “How do you collect job applications?”

  • CISO: “In person on paper applications, and online on our website.”
  • Me: “What do you collect?”
  • CISO:  “The usual. Name, address, phone number, job history, references, Social Security Number, and any other information they want to provide.”
  • Me: “Why do you ask applicants for their Social Security Number?”
  • HR: “So we can do the full set of background checks. You know; criminal check, credit check, and all the others.”
  • Me: “Around how many applications do you get each month?”
  • HR: “Probably around 7,000 to 10,000.”
  • Me: “How many do you hire out of all those?”
  • HR: “Oh, just a small fraction. Maybe 1% to 3%.  We are always accepting applications even when we don’t have openings.”
  • Me: “So you could be collecting information on close to 10,000 people each month that you don’t actually hire. What do you do with the information about those applicants you don’t hire?”

The 15 people at the large table looked and stared around the room.

  • Me: “How long do you retain it? Or, do you delete it as soon as you determine you are not going to hire the applicant?”
  • IT Manager: “We keep everything until the media stops being usable or falls apart.”
  • CISO: “We’ve never thought about that. We need to do some checking.”
  • Legal: “Let’s take a 15 minute break and we’ll find out.” 

Fifteen minutes later…

  • Legal: “It seems we do not do anything with those applications.”
  • Me: “Where do you keep them, then?”
  • HR: “We have many boxes of the print applications in our warehouse storage.”
  • CISO: “And the digital applications are stored in the webserver behind a firewall.”
  • Legal: “Chris, delete all the applications from the webserver that are older than 6 months as soon as possible.”
  • CISO: “I would like to determine what if any ramifications there may be first.”
  • Me: “How about the backups from that server? How far back do they go? Where are they stored? And, do any of your staff download those applications to their own desktops, other devices, or into other systems?”

The room got quiet while everyone looked around during a very pregnant pause.

  • Legal: “Well, that will take some more looking into. Do you have any more questions relating to applicant information? Let’s hear them, then you can come back and we’ll try to have the answers for you tomorrow.”

After another 20 minutes or so of questions, I left for the day. Most in the room were looking nervous and a bit stressed. The next day they had identified treasure troves of job applicant personal information in locations they’d never thought about before.

Likely a widespread but generally unidentified problem

In most organizations I’ve found this type of job applicant information, digital and hardcopy, is largely overlooked and not secured.  The information security area typically does not have this type of information on their radar when they are creating their information inventories. The privacy area typically focuses on only employee and customer information.

The previously described situation was the first of multiple interesting engagements I’ve had on this topic in the years since. Here are some of the more egregious, and legally risky, activities that I’ve had organizations tell me they’d done with the data they’ve collected from job applicants:

  • A large retailer told me they incorporate all their applicants’ information into their marketing databases.
  • A healthcare insurer indicated they had stored all this type of data in an outsourced data warehouse, and then the data warehouse went out of business. They could not receive confirmation that the data was destroyed, or where all the backups were located.
  • A large travel industry organization indicated they check new applicants against the previous applicants to determine if it is even necessary to go further with an employment consideration.
  • A large managed services provider used the data for one of their subsidiaries that did background checks. 

Do you know what your organization is doing with all the job applicant information they collect? Who is responsible for securing that data? Where is it located? All the copies?

Some laws kick in when job applicant data is breached

Most industry-specific regulations, such as HIPAA and GLBA, focus on patient or customer data. Others are specific to employees.  In most organizations the information management efforts are focused on patient, customer, consumer and employee information.  There is a general, mistaken assumption that those are the only types of personal information that need to be safeguarded.

However, don’t forget that there are at least 50 U.S. state and territory breach notice laws in effect that generally apply to all personal information, regardless of the intended use or population from where it was collected. And most data protection laws outside the U.S. require that all personal information, regardless of the industry or purpose for which the information was collected, must be safeguarded.

What if a breach of job applicant information occurs? How would your organization react? You need to make sure your breach identification and response plans include this type of information.

And then there’s the insider threat…

Another growing problem is identity theft and identity fraud executed by trusted workers, otherwise known as the insider threat.  A study funded by the Department of Homeland Security Science and Technology Directorate examined 80 insider fraud cases that occurred between 2005 and 2012. They found the individuals cost each organization an average of $382,000 or more depending on how long they were able to operate without detection.

The more personal information workers have access to, the more fraud that can be committed, and the more damage that can occur not only to the associated victims, but also to the organizations that are responsible for safeguarding that information.  So, how many people have access to the job applicant information in your organization? If you haven’t thought about the security of this information, chances are there are many more individuals, both inside your organization and also from outside contracted entities, that can access the job application information than you would ever have guessed. This creates significant risks for identity fraud to occur right under your nose by those workers you trust, but who see opportunity to financially profit without being caught.

Bottom line for all organizations, from the largest to the smallest:  All personal information, for all types of individuals, needs to be identified and appropriately safeguarded and then destroyed when no longer necessary for the purposes for which it was collected.  You haven’t done this yet? To get you started, break this process down into four more targeted questions to answer:

  1. Where is all the job applicant information, in all forms, located?
  2. How long do you keep that information?
  3. What do you need with that information beyond the hiring decision?
  4. What if that information is breached? 

Put a target date on your calendar for finding out the answers to these important questions.

Other Information about job applicant information

Here are some other articles and reports related to using job applicant information:

This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Cross-posted from Privacy Professor

Ray Pesek: The EEOC reference is interesting because I've been told a couple of times that all applications need to be retained in order to prove that the company is an equal opportunity employer. If that really is accurate, it means that destroying old applications could mean you could not prove you did not discriminate against someone, someone who claimed they applied but were discriminated against, but of whom you have no record because you destroyed the old applications. Or worse, only destroyed some old applications because the destruction program is inconsistent.