Data protection and privacy in relocation?

Does employee information become more vulnerable during a relocation? Altair Global Relocation’s Gary Dittrich, EVP and Chief Development Officer, and Kristy Crawford, Director of Enterprise Privacy, look at the issues.

Privacy issues affect relocating employees and families, and their awareness and concerns are growing. As a global management company, Altair must consistently reinforce that we are not only delivering relocation and assignment services, but we are also moving people and critical personal information. Confidential information, such as bank, family, financial and credit details, can become more vulnerable to a privacy incident as the disclosure and use of such information will likely increase. As a result, privacy is imperative to us and our clients.

So what do HR managers need to be aware of to address privacy issues? The relocation industry is dependent on suppliers or third parties to execute services on our behalf. HR managers need to verify that, once the data is given to their relocation provider, it will be protected at all times and only used for purposes surrounding the relocation.

Several recent events have propelled privacy issues into the news. For instance, a title company that promised consumers that it had “instituted measures to guard against its unauthorized access” to their confidential financial information, also put consumer home loan applications in an open dumpster. In May of 2006, an investigation by the FTC found that this failure to provide reasonable and appropriate security to protect the information violated the FTC’s Safeguards Rule; by publishing a deceptive privacy policy, it had violated the FTC’s Privacy Rule and the FTC Act.

Additionally, last May, the US government announced that, through an apparent theft of a laptop from the home of a Veterans Affairs’ employee, social security numbers and other sensitive information for more than 26 million veterans had been compromised. Although the laptop was eventually recovered, its theft highlights the vulnerability of sensitive information caused by the lack of formal established protocols for the storage and transportation of such critical data.

Criminals have also been using an internet fraud scheme (known as ‘phishing’) to create websites that look exactly like those of major banks, and then send millions of e-mails out to unsuspecting customers. The e-mail asks them to click the enclosed link to ‘update’ their accounts. When they do so, customers not only may provide their user name and password for the real bank sites, but they also may provide their social security numbers and, in some cases, credit card numbers, via the fraudulent bank website. These victims only realize later that their accounts have been depleted, their credit cards have been charged, or their identities stolen, thereby requiring months of effort to correct.

HR managers should not only require, but validate, assurances on privacy protections while educating employees and families about how relocation may make their data more vulnerable to a data breach.

Since Altair’s most valuable asset is the personal information and trust of its customers, we take our responsibility to protect this data very seriously.

We have implemented controls to minimize vulnerability and to mitigate privacy and information concerns by dividing our data safeguarding efforts into three categories: physical, technical and administrative. Each relates to the proper collection, use, disclosure, storage and transfer of personal information.

• Our administrative safeguards require documented policies and procedures for managing day-to-day operations; the conduct and access of workforce members to confidential information; and the selection, development and use of security controls.
• The physical safeguards are a series of requirements meant to protect Altair facilities, information systems and confidential information from unauthorized physical access or hazards.
• Lastly, our technical safeguards refer to the technology behind the physical or administrative safeguards that protect or control access, use or disclosure of data.

Because employees relocate around the world, we must address a variety of standards and laws that globally regulate privacy. Given that due diligence levels vary significantly from country to country, we must not only enforce, but exceed, the most stringent global safeguards.

Further, with today’s rapid technological advances in criminal capabilities, we must anticipate challenges through a range of means. Examples include the protection of personal information stored on portable devices such as cell phones, PDAs and laptops, where the data can be stolen through wireless interception, or when these devices may be stolen or lost.

As technology continues to rapidly change, and the value of information increases, personally identifiable data must be accessible only to those authorized to view or use it. Recognizing and addressing specific vulnerabilities in the relocation process is the only way to adequately prepare and prevent security and privacy breaches for our transferring employees and their families.