“Proper storage of employee and applicant records.” It was just another item on the human resources audit checklist, right after “display federal, state and OSHA labor law posters.”
After checking off a few other items on her checklist, Ellen B. Vance, an HR consultant and auditor, asked to see the storage room. The client led her to an unlocked storage closet in the middle of the old building, surrounded by half of the nonprofit’s 40 employees.
When she opened the door, Vance encountered 15 large file-folder boxes. “When we moved to this new location, we just put this stuff in there,” said the client.
Vance and the client started opening boxes. As they did, it became clear that “this stuff” included photocopies of birth certificates; Social Security cards; driver’s licenses; and I-9 Employment Eligibility Verification forms that listed employees’ Social Security numbers, dates of birth, addresses, maiden names, signatures — everything a criminal needs to perpetrate identity theft. “I was about ready to pass out, seeing all this stuff,” said Vance, senior consultant and advisory services practice leader at Titan Group, an HR consultancy in Richmond, Va.
Why should you care about the poor compliance procedures at a nonprofit in Virginia? If you’ve applied to a job there or anywhere in the last decade, your resume may be equally exposed, your personal information similarly vulnerable to identity theft should anyone gain access to an unlocked closet and a stack of file folders. With the advent of e-mailed resumes, electronic storage and online applications, the thief need not even get so close; your resume may be open to attack from an unscrupulous recruiter or hacker.
Too few companies employ the safeguards necessary to protect applicant data, and almost none inform clients of their security practices before requesting a resume and applicant information. The economy has made matters somewhat worse, according to HR managers who said the employers’ market has left job seekers feeling compelled to hand over information they would normally be reluctant to reveal and distribute it to dozens of sources in the hopes of finding a job. Criminals have even been known to post fake job listings to capture the data of unsuspecting job seekers.
But help is on the way: Employers are on notice to improve resume data protection after data breaches precipitated several lawsuits and government action. What’s more, job seekers can implement their own safeguards to avoid being the putting their resume in the wrong hands.
Interviews with hiring professionals confirm the anecdotal evidence: Even recruiting agencies that use sophisticated applicant tracking system (ATS) software to store and protect job applications often leave the applications open to theft by allowing access to anybody and everybody who walks by an unsecured terminal; companies leave sensitive information moldering in unlocked closets accessible to all; and job applicants’ data gets left on laptops that get stolen and on USB thumb drives that get misplaced.
In her experience, Vance said that small firms without formal HR departments are most likely to fumble data. But make no mistake; large corporations with entrenched HR processes are still liable to mishandle job-applicant or employee data: In June, U.S. Insurer Aetna was sued after allegedly failing to protect personal information belonging to employees and job applicants. This was direct fallout from an incident in which the company’s job-application Web site was breached by cybercriminals, as Aetna disclosed on May 28. For its part, the Gap lost personal information, including Social Security numbers, for some 800,000 U.S. and Canadian job seekers, the company admitted in a September 2007 press release.
Several lawsuits that followed major breaches like the ones at Aetna and Gap and some action by Congress and state legislatures have put employers on notice that they need to improve resume and job-application date protection.
Can we blame the ATSes?
Job-application information is walking out the door in a number of ways, but often, insecure software is to blame. Research firm Forrester Research recently found that more than 62 percent of 200 surveyed companies experienced a security breach in the previous 12 months because of insecure software. Most were likely caused by a SQL injection attack.
In a SQL injection, a hacker uses a Web site’s online form to gain control of the database. Security procedures are designed to filter and block such attacks, but hackers are constantly developing new codes and techniques and almost no database is safe, said a security analyst who works for one of the major ATS vendors. “If you have an application publicly available on the Internet with form fields, people could potentially execute database statements if proper input filtering is not performed,” said the individual, who asked not to be identified.
How do ATS vendors fend off a SQL injection? With the exception of the aforementioned vendor, all of the major ATS vendors contacted for this article declined to participate out of fear they might encourage hackers to target their software. The ATS vendor who did speak to us said his company uses filters to prevent a SQL injection and XSS (cross-site scripting) to find and patch vulnerable code in the database software. The ATS vendor monitors activity logs for such types of attempted breaches against its Web-based applicant tracking and performance management software. In addition, the ATS vendor stores the resumes and applicant data for its clients at their own facility; only two people — the vendor’s CEO and the security analyst himself — have physical access to servers that are accessed via biometric palm-print recognition.
A people problem
But technology is only part of the problem. All the software in the world won’t protect applicant data if humans handle the technology recklessly.
Rachel Rice-Haase, human-resources and marketing coordinator for Oberstadt Landscapes & Nursery Inc. in Fremont, Wis., has witnessed that recklessness first hand. In a previous position at a recruiting company, recruiters used an ATS that Rice-Haase called “pretty up to date” to process applications. The company’s help desk made sure to give tutorials to recruiters so they knew how to use the ATS applications. It all seemed “pretty advanced,” Rice-Haase said. The software probably was sophisticated when it came to security and features, but the more she looked at it, the more Rice-Haase realized the company was using it carelessly.
“You had anybody, even people who weren’t recruiters, going in and accessing applicants’ information,” she said. “You might have 10 recruiters, and they all have access to everybody’s candidates. It’s not just people you’ve interviewed. It’s the person sitting across from you, down the hall, (they) can get in there and look at (any job applicant’s information). That part was always baffling to me. Sure, you sign a little form saying, ‘I won’t take this information home with me.’ But you have to wonder, when all this information is available to everybody at the recruiting center, how far that goes?”
It can go pretty far. As Rice-Haase describes it, the ATS collected information including Social Security number, date of birth, driver’s-license number — ”all this stuff you’d rather not have anybody and everybody have access to,” she said, and that’s typical of ATS software.
With the software, recruiters could create a resume for any candidate and e-mail it from the system. Convenient? Yes. Dangerous? Absolutely. Recruiters could e-mail out personal information or entire applications, whether by accident or for illicit purposes.
And sometimes a company doesn’t have a clue — or perhaps doesn’t much care — where its data is stored or how to prevent data loss. The Virginia nonprofit company with the unlocked storage room is another classic example of blissful ignorance: Even though the company is legally responsible for safekeeping of the confidential information stored on I-9 forms, the staff just didn’t know what was in those 15 boxes.
Titan Group’s Vance encouraged her client to go through the files, pull out the forms, put them into either a burn bin or a shredder, and to have a witness on hand to make sure the records were verifiably demolished. “She looked at me with a look of horror on her face,” Vance said. “(She was) staring at these boxes. She didn’t know how many contained employee files, so she had to go through all of them. They’re a very conscientious client. It was one of those cases where they didn’t know what they didn’t know. They didn’t have an HR person there to advise them on it.”
People problem, technology solution
Many organizations fail to grasp the scope of data protection or understand that it goes beyond the technology, said Jenny Yang, senior manager of product marketing for data-loss prevention at Symantec, a security-technology company. They don’t understand:
Companies like Symantec provide some technology solutions to the problem of managers who mishandle applicant data. Symantec makes a product that it claims will search a company’s entire network for sensitive data, like Social Security numbers, even if it’s on a USB memory stick attached to someone’s laptop. It should also ID and block such data from being transmitted outside the company’s network, either by a negligent employee or a hacker.
But such software won’t help job seekers unless until the unlikely scenario in which every single potential employer has opted to buy it, and few companies will tell applicants whether they use such technology.
Unlike e-commerce sites, which advertise their security practices to gain the trust of consumers about to hand over credit-card data, few employers advertise the steps they take to protect your resume and job application.
To protect your resume and sensitive data, the best practice, for now, Vance said, is to make less of it available.