Your payroll records are chock-full of the personally identifiable information (PII) you need. Unfortunately, hackers also want that data. As an employer, you must secure your payroll records against a potential PII breach. And if one does occur, you need to take swift action.
Read on to learn what does personally identifiable information include, how to prevent a breach, and more.
What is considered PII?
The Department of Homeland Security defines PII as information that directly or indirectly identifies an individual. Direct identifying information is a piece of information, like a Social Security number, that directly identifies an individual. Indirect identifying information is information that can identify someone in conjunction with other information, like an individual’s birth date and gender.
Direct personally identifiable information can include someone’s:
- Full name
- Social Security number
- Phone number
- Driver’s license
Indirect personally identifiable information can include someone’s:
- Birth date
- Zip code
- Race
- Gender
Take a second and pull up your social media account. How many pieces of PII—direct or indirect—do you see? Chances are, there’s a bit (e.g., name, birth date, gender, etc.).
Now, take a second and consider your payroll records. Chances are, there’s a lot of PII in there. You have each employee’s Social Security number on file, address, birth dates, demographic information, and full contact information (e.g., phone number and email address). You should also have copies of the employee’s identity documents (e.g., passport or driver’s license and Social Security card) that you gathered when they turned in Form I-9.
Which payroll records have PII?
So, which payroll records have PII? In short, (most likely) all of them! Any record that lists at least an employee’s name has PII.
Payroll records you may have containing PII data include:
- General employee information
- Tax withholding forms (e.g., Form W-4 and state W-4 forms)
- Form I-9
- Pay stubs
- Medical records (e.g., documents to back up a sick time request)
Is employment history PII? Yes. Again, any documents with an employee’s name and/or other direct or indirect identifiers are considered PII.
Who is responsible for protecting PII?
PII is everywhere in business. It may be tucked away in locked filing cabinets, stored in online payroll software, or downloaded onto desktop payroll. You may even have documents with PII lying around the office face-up on desks (yikes).
So, who’s responsible for making sure PII is secure? Typically, employers are accountable for protecting employee PII. According to Bloomberg Tax:
“Courts and state laws hold employers accountable for payroll breaches even if a third-party payroll provider was breached.”
As an employer, you are responsible for protecting your employees’ PII, preventing a breach, and handling any breaches quickly and efficiently.
How to prevent a PII breach
Data breaches happen. In fact, they’re common. But with an average cost of $150 per lost record, a PII data breach can get expensive—fast.
Businesses should implement a system to help prevent breaches and maximize PII security. Take a look at the following six tips to help limit PII data breaches in your organization.
1. Use a reliable payroll system
How do you run payroll? Do you do it by hand with the help of documents in your unlocked filing cabinets? Or, do you use a payroll system with questionable security measures?
One of the top ways to prevent a PII payroll breach is to use a reliable payroll system, such as secure online payroll software. With cloud payroll, documents with employee PII are stored securely in the cloud and not downloaded onto a computer in your office or shoved in filing cabinets.
But before you turn to cloud payroll to handle your most sensitive employee information, do some research.
Look for a verified payroll provider (e.g., plenty of reviews) that takes security seriously through measures like:
- Data encryption
- Annual audits
- Bonded employees
2. Change passwords regularly
Bossbusinessowner123! Firstnamelastname1. Birthdate.
Are these the types of passwords you use to get into your secure payroll system? If so, it’s definitely time for a change. And even if your passwords are impossible to figure out, it’s time for a change, too.
To protect employee and business data, regularly change passwords (e.g., every three months). And, take advantage of other password-related best practices, such as:
- Using a password generator to come up with unique and secure passwords
- Using a password manager (e.g., LastPass) to securely store passwords
- Not writing down passwords
- Changing passwords immediately if you think it’s compromised
- Not sharing passwords with employees
3. Be alert to phishing emails
“Sign in to XYZ or your account will be closed.” “Verify your identity for access.”
How often do you (and your employees) receive an email urgently telling you to click a link, download an attachment, or provide sensitive information? Chances are, you receive these pretty frequently. And if you have, you’re familiar with phishing.
Phishing is a fraudulent practice that encourages you to provide personal and financial information to someone claiming they’re legitimate (e.g., payroll system, employee, etc.). Phishing emails may use official logos, names, or even email addresses. For example, common tax scams use phishing.
If you receive a suspected phishing email, don’t click on links, download attachments, or provide any PII. Instead, contact the individual or institution directly with a known number you have.
4. Use multi-factor authentication
Multi-factor authentication (MFA) is a security method that prompts users to authenticate account access with two pieces of evidence:
- Password
- Authentication code
Typically, you can receive the authentication code via text, email, or using an authenticator app.
Use a payroll system with MFA to prevent unauthorized access. And if your password is compromised, you can rest assured that the authentication code requirement can keep unauthorized personnel at bay.
5. Limit who has access to payroll records
You trust your employees, of course. But, that doesn’t mean you need to give anyone and everyone access to payroll records teeming with PII.
Only give employees who handle payroll (e.g., HR) access to records.
6. Educate employees
You knowing security best practices is just part of the equation. Your employees need to know them, too—even if they don’t have access to payroll records.
Train employees on security best practices, like using multi-factor authentication and identifying phishing emails.
You can train employees through:
- Phishing tests (e.g., send out fake phishing emails and see if employees take the bait)
- Cyber security awareness videos
- In-person training sessions
Compare your security training options to find a solution that works for your small business without breaking the bank.
What to do in the event of a payroll data security breach
Despite best efforts, breaches happen. If a breach does hit your small business, don’t panic. According to a report by IBM, the faster you can identify and contain a data breach, the lower your costs will be.
Heads up! Prepare before a potential breach with a personally identifiable information policy. Your PII policy should detail what steps you’ll take to respond.
In case of a payroll (or another type of) breach, here are three steps the Federal Trade Commission (FTC) recommends you take:
- Secure your operations
- Fix vulnerabilities
- Notify appropriate parties
1. Secure your operations
According to the FTC, your first step in responding to a business breach is to secure your systems and prevent further breaches.
You can secure operations through actions like:
- Securing physical areas that may be related to the breach
- Assembling a team (e.g., human resources, IT, etc.) to conduct a comprehensive breach response
- Consulting with legal counsel
- Changing passwords and other credentials
- Sweeping your website and company social media accounts to determine if there’s any PII there that contributed to the breach
- Keeping all evidence related to the breach
2. Fix vulnerabilities
Next, the FTC advises that you fix vulnerabilities. You can do this by checking that your service providers are taking appropriate action and working with experts.
3. Notify appropriate parties
You need to quickly (and strategically) share news about the breach. Notify employees and any other individuals affected by the breach (e.g., business partners, customers, etc.). Also, the FTC recommends that you call your local police department and possibly your local office of the FBI.
If your employees’ Social Security numbers were stolen, advise them to contact the three major credit bureaus:
- Equifax
- Experian
- TransUnion
Your state may have specific laws or regulations that require you to take additional measures. Check with your state for more information.
For more information on how you can respond to a business data breach, check out the FTC’s website.
Shopping for new payroll software? Sign up for a free trial of Patriot’s online payroll to see what it can do for your small business!
This is not intended as legal advice; for more information, please click here.