Few things are as important to a business owner as the confidentiality of information. Knowledge is potential power, and should this information fall into the wrong hands, this potential power could wind up with a competitor. People and entities that do not have your company’s best interest in mind eagerly seek things such as client lists, company financials, employee information, and medical data.
There are government regulations surrounding patient and client confidentiality. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The penalties for a HIPAA-related breach can be very costly, both monetarily and to a company’s reputation.
Other professions such as legal, accounting, real estate, and investing carry similar regulations concerning provider/client confidentiality. So, the question that we are frequently asked is “Is a company’s confidentiality in jeopardy when it decides to use the services of a Professional Employer Organization (PEO)?” The answer is no, it should not be, but remember that every PEO’s cyber security efforts differ. Therefore, it is an important topic to discuss while evaluating firms.
Attackers have become increasingly sophisticated, and systems must be held to a high standard of security. The risk is not limited to breaches of stored data; email delivery systems are a target as well. Consider the following statistics:
Protecting confidential company information is (or should be) not only a top priority for business owners, but also a top priority when choosing a PEO.
When deciding if a PEO is right for you, make sure it is continuously monitoring and upgrading its systems so that your data is secure not only today but in the future as well. By building and monitoring many of these systems internally, a PEO can control potential incidents and react to them more quickly than if it relied on an outside organization.
Just as there are new threats to information security each day, so are there new processes and technologies to deal with them. It is imperative that an organization be aware of new risks, and new methods and tools to address them. Be sure your PEO has a designated team responsible for information security that devotes time each week to exploring new threats and new controls. Information security is an ever-evolving process. Each new technology that emerges brings the promise of increased productivity and efficiency, but also new security risks to acknowledge. When comparing PEOs, make sure the organization focuses on industry best practices to stay ahead of the curve when it comes to providing a secure environment for its clients.
Who Has Access To My Information?
Make sure to ask who has access to your company’s information. Your business’s confidential data should be available only to those people in the organization who need it to serve the client (the principle of least privilege). Payroll information is an example: by limiting the points of access, a payroll department is better able to keep this data confidential and secure. Remember, people are the weakest link in the security chain. Without frequent training about why the policies exist and the risks of violating them, employees are not motivated to think about the security consequences of their actions. Make sure your PEO’s security policies reinforce continuous training with real-world examples.
Training of employees is critical, but at some point, information must be passed back and forth from clients to the PEO. In general, businesses and their employees trust email more than they should. Hours, pay rates, Social Security numbers, and additional confidential data are shared all too frequently via email, often insecurely.
Surprisingly, many PEOs still use email to transfer personally identifiable information (PII) outside their network. Check whether the PEO you are interested in instead uses a secure document exchange function of its HRIS system to send and receive documents. If PII is stored or maintained in the cloud, it is strongly recommended that the data be encrypted both in transit (on the wire, for example over TLS) and at rest (stored in encrypted form). While this adds overhead, it gives clients reasonable assurance that the data cannot be read if a connection is intercepted or the underlying storage is exposed. It is not a substitute for controlling who holds the keys and credentials that can decrypt the data, so ask about that as well.
Lastly, internal controls and processes should be in place within the PEO to ensure that data security procedures are consistent and tested regularly. Independent attestation reports such as those issued under SSAE 16 (Statements on Standards for Attestation Engagements Number 16, since superseded by SSAE 18) also provide an extra level of comfort: they are the result of an outside auditor examining the organization’s controls, which brings a level of process and protection that PEOs without such reports may be lacking. Note that SSAE 16 is an auditing standard rather than a certification, and the report it produces (a SOC 1) covers controls relevant to clients’ financial reporting; ask to see the actual report, read which controls it covers, and ask whether the PEO also has a SOC 2 report, which addresses security directly.
In summary, we live in an age where stealing data and knowledge from companies has become a real, if illegal, industry. Any system is only as strong as its weakest link. Systems and technology (both hardware and software) must be monitored and updated continuously. People must receive ongoing training to reinforce procedures and to understand the ramifications of a potential data breach. So, to return to our question above, is confidentiality in jeopardy when a company decides to use the services of a PEO? The only way you can be sure is to ask about it in your evaluation process, because not every PEO’s security systems are built the same.