- Payroll pivots the last few years have centered on technological changes to processes.
- Has the ability to secure employee and payroll data kept up with the changes?
- Payroll fraud vulnerabilities can be found in the ability to access and in the routines performed.
- Locking down the privacy and security of payroll data means changing protocols.
Payroll operations in the last several years have dramatically changed how employee data is collected, shared and secured, and not just because of the pandemic and the need to process payroll from remote locations. And payroll fraud-related data breaches remain an ongoing threat to operations. According to the Ponemon Institute’s Cost of a Data Breach Report, it cost employers an average of $3.86 million to resolve a data breach in 2020 that wasn’t discovered, on average, for some 280 days!
The cost to secure systems started going through the roof several years ago. Do you remember when companies had their own proprietary email solutions and struggled to ramp up email security (and storage capacity) in order to improve delivery? Quickly, it became untenable to maintain such a growing set of servers and to secure them and the data stored within them — and efficiently run payroll at the same time, all while avoiding payroll fraud.
With new solutions, companies no longer have to invest a lot of capital to increase the hardware capacity needed to keep up with the ever-evolving applications, and in the computer expertise that goes along with that. They could use a service company that has those capabilities. Currently, just about all payroll service organizations use cloud technology in at least some of their client offerings.
The offer of a less expensive solution for data storage and, along with it, top-of-the-line security applications — at least we hope — is being embraced now. But, this creates a new set of issues around data privacy and security that now need to be addressed.
Keeping up with the new applications
New processes, applications and technology running through third parties means changing the security protocols surrounding the data involved. And it means learning a lot of new acronyms for the different security assessments and applications. Each organization that you are considering for handling or storing some of your data should provide you with a detailed summary of their security policy.
In that policy description you should receive:
- Ways data is protected from improper access
- General description of how encryption protocols are applied
- How they secure the network, endpoints and the physical environment
- Validation that other parties they use have similarly stringent protocols
- Verification that independent security assessments are ongoing
- Incident response and business continuity plan summaries
The policy description from the third party also should include credentialed audit reporting under the oversight of The American Institute of Certified Public Accountants (AICPA) and other certifications from organizations that set up watchdog types of assessments for security and data privacy.
In 2011, the AICPA created a Statement on Standards for Attestation Engagements (SSAE) No. 16, a rigorous set of guidelines for auditing. At the same time, the AICPA announced complementary Service Organization Controls (SOC) reports that the AICPA developed, which can differ depending on the needs of a service organization and their clients. The one most visible in the payroll community is the SOC 2®: Trust Services Criteria.
What to look for when considering a third-party provider: SOC 2, Type II certified. Type II means that the organization was audited over a specific period of time to determine the effectiveness of the controls they have in place.
Several other compliance assessments and designations should be met by service providers, and some of these depend on the type of service.
For example, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is necessary if payments via a pay card are being facilitated by the provider.
For information security management, there is the ISO 27001:2013 certification. Put together by the International Organization for Standardization, ISO 27001 is a family of system standards that “enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.”
The 2013 certification is for any kind of digital information.
But that’s not all!
I would be remiss to not cover the impact that Europe’s General Data Protection Regulation (GDPR) has wrought on organizations operating both within and outside the sphere of the GDPR.
The GDPR redefined data protection and the use of employee personal data for many employers, and service providers have been compelled to follow suit. The goal is to increase transparency of data processing, establish clear privacy safeguards and develop consent provisions for use of employee data.
For example, a data breach under GDPR can simply be the use of employee or an individual’s information for something other than the main purpose for which it was collected, and for which the individual consented for it to be used. This can result in huge fines. The new regime in Europe has begun to impact operations in the U.S. in how they handle cross-ocean transactions and interactions with individuals in Europe.
The landscape for ensuring the data security and privacy of payroll data is ever-changing, and there is a constant need to be vigilant about staying up to date on the new technology.
Of course, keeping the data safe from hackers and other data miners seeking to steal private information from the systems you run on involves not biting on social engineering techniques (i.e., email phishing scams), which account for a high percentage of all breaches.
Payroll fraud can come in a number of ways. Using third-party applications is beneficial, so long as you can be assured those parties are applying the right procedures to lock down that data. Leveraging the right software in tandem with best practice protocols can set you on the right path, helping you to avoid long-term damage and even prevent fraud from happening in the first place.
PYD