Third Party Risk Management

Employee Data v. Client Data: Should an Organization Equally Protect Both?

Fortrex Technologies is often asked by our clients if they should protect employee data as strongly as they protect client data. Our answer is always a resounding, “Yes!”

Traditionally, at this time of year organizations spend countless hours managing employee benefit programs, determining raises and bonuses, and reporting year-end financial and tax information. Generally, third-party online platforms are used to manage these types of activities. The employee data involved is highly sensitive, including health information, social security numbers, financial data, etc. A conscientious and risk-averse employer will ensure that robust data protection tools are in place for their employees.

Here are some questions to ask your benefit and payroll systems providers:

  • Do you use MFA (Multi-Factor Authentication)?
  • Can Geo-Fencing parameters be deployed?
  • Is the data encrypted in transit and at rest?
  • Are System Privileges managed appropriately? Does your entire HR staff really need admin access?
  • Is Multi-User Notification & Authorization triggered when certain highly sensitive changes are made?
  • Are robust Access & Activity logs in place to best understand when unauthorized activity occurs?
  • Are suspicious activity reports generated and then reviewed by a qualified staffer?

The best time to ensure your employee data is protected in the most robust manner is at the onset of a new vendor or new product relationship. If this is an existing long-term relationship, then you can review security protocols and standards at contract renewal (don’t forget to keep track of the renewal and notification periods).

Just because your employee data is in the cloud doesn’t mean that it’s shielded from hackers. Ask your providers pointed questions and document the answers. Your employees will thank you for it.

To learn more or continue this conversation, please contact Fortrex Technologies for a no-obligation meeting.