chap 15
Chapter 15: HRIS Privacy and Security
1
Introduction (1 of 2)
Information privacy and security.
Security breaches.
Increased accessibility to information.
Johnson, Kavanagh, Carlson, Human Resource Information Systems, Fifth Edition © SAGE Publications, 2021.
2
Satisfies Learning Objective 15.1: Describe the importance of information security and privacy in today’s technology-intensive and information-driven economy.
Information privacy and security:
This is an important issue for Human Resource Information Systems (HRIS), because they hold confidential employee data, which are highly marketable on the dark web.
Safe computing protocols must be followed by organizations to tackle this.
Most companies have now moved away from “knowledge-based authentication” and use two-factor authentication (2FA), a combination of “something you know” with “something you have.”
The use of biometrics and artificial intelligence can also be helpful.
Organizations must have in place strong information security plans, procedures to protect data, and comply with legislative mandates.
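The two-factor scheme described above, combining “something you know” with “something you have,” is shown here as an added worked example; it is not code from the textbook or its authors. It implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238) that authenticator apps use, so the shared secret, the 30-second step, and the constructed demo account are illustrative assumptions. The password side uses a salted PBKDF2 hash, and both factors are always evaluated so that a wrong password and a wrong code take the same time.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True
    return False


def enroll(password: str) -> dict:
    """Create the two factors for a constructed employee account: a salted password
    hash (something you know) and a fresh TOTP secret (something you have)."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": secrets.token_bytes(20),
    }


def login(account: dict, password: str, code: str, at_time: float) -> bool:
    """Both factors must pass; the TOTP is checked even when the password fails."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 200_000)
    pw_ok = hmac.compare_digest(pw_hash, account["password_hash"])
    code_ok = verify_totp(account["totp_secret"], code, at_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    acct = enroll("correct horse battery staple")   # constructed demo credential
    now = 1_700_000_000
    current = totp(acct["totp_secret"], now)
    print("password + current code:", login(acct, "correct horse battery staple", current, now))
    print("same code replayed five minutes later:",
          login(acct, "correct horse battery staple", current, now + 300))
```

The verification window of one step on either side is the usual compromise between usability and replay exposure; a code is only valid for roughly 90 seconds and cannot be replayed once the window has moved on.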
Security breaches:
Data have grown more complex than 30 years ago, when access to the mainframe was restricted to “dumb” terminals with limited functionality.
The threat of security breaches was minimal, as information security consisted mostly of physical security and simple document classification schemes.
With the rise of computer networks, threats to information security have also increased.
Increased accessibility to information:
Employees are concerned about the extent to which computer systems permit users to access a wide array of personal information.
A report suggests that there have been breaches of over 500 million organizational records since 2005 and a rise in theft of employment data.
Introduction (2 of 2)
Concerns about identity theft.
Role of software vendors.
Various aspects of Human Resource Information Systems (HRIS) privacy and security.
Satisfies Learning Objective 15.1: Describe the importance of information security and privacy in today’s technology-intensive and information-driven economy.
Concerns about identity theft:
Various states have been increasingly concerned about identity theft and the security of employment information in HRISs.
Many states have passed privacy laws that require organizations to adopt reasonable practices to prevent unauthorized access to personal data.
However, surveys have revealed that 43% of businesses have not put any new security solutions in place despite the laws.
The cost of data breaches can be large.
Role of software vendors:
Vendors, aware of the potential security breaches, offer multiple security models.
These allow organizations to determine the kind of data access and responsibility each employee has.
Various aspects of HRIS privacy and security:
Practices that may affect individuals’ perceptions of invasion of privacy.
Components of information security.
Implications for developing fair information management policies.
Key security threats faced by organizations.
Policies that organizations need to implement to ensure HRIS privacy and security.
Contingency planning and its three components.
Employee Privacy in a Global Environment (1 of 12)
Recent polls.
Implications of legal restrictions on HRIS.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Recent polls:
61% of Americans are increasingly concerned about the protection of their personal privacy.
Concerns around online privacy are on the rise around the world, namely, 65% of internet users in Latin America, 61% in the Middle East and Africa, 54% in Asia and the Pacific, and 35% in Europe.
Privacy laws have been put in place by approximately 109 nations.
Implications of legal restrictions on HRIS: HRIS design and use need to consider national and international privacy laws.
Employee Privacy in a Global Environment (2 of 12)
Worldwide Privacy Laws
Indirect indices of individuals’ privacy values.
Alternative view.
Stringent regulations in the European Union.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Indirect indices of individuals’ privacy values:
Many researchers believe that privacy laws are indirect indices of individuals’ privacy values and norms.
They argue that individualistic nations are more concerned about privacy than those in collective countries.
Individuals in such nations value their independence, and control over information allows them to retain their autonomy.
In contrast, collective nations value interdependence, security, and personalized relationships within a group, which is used as the unit of analysis in social relationships.
As a result, collectivists are less concerned about privacy.
Alternative view:
Many Asian countries, otherwise considered to be collective, have privacy laws in place.
This indicates that privacy is a global value.
Stringent regulations in the European Union: The stringent regulations have important implications for how European, multinational, or transnational businesses process data.
Employee Privacy in a Global Environment (3 of 12)
European General Data Protection Regulation
General Data Protection Regulation.
Rights and requirements.
Implications for organizations.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
General Data Protection Regulation (GDPR): The law applies to all European Union (EU) organizations that collect, store, or disseminate personal information about individuals residing in the EU (including non-EU citizens), and any organization outside the EU that offers goods and services to EU citizens and processes information about them.
It was passed by the European Union in 2018 and superseded the 1995 European Data Protection Directive.
Rights and requirements:
Rights of individuals are extended.
Privacy rights of individuals are enhanced.
Organizations must comply with data principles.
Guidelines for the lawful processing of information must be followed.
Organizations must comply with stricter rules for obtaining consent.
Data controllers and processors must implement technical and organizational measures designed to ensure the safety of data.
Transfer of personal data outside of the EU is limited.
Security breaches that result in unauthorized disclosure, access, or transmission of data must be reported by organizations.
Organizations must appoint a data protection officer to oversee compliance with the law.
Implications for organizations:
The GDPR will affect the design and development of HRIS.
It will expand applicants’ and employees’ privacy rights.
It will limit the transfer of data across national boundaries.
It will provide applicants or employees with information about any breaches of their personal data.
Employee Privacy in a Global Environment (4 of 12)
Privacy Laws in the United States
The American Bill of Rights.
Privacy Act.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
The American Bill of Rights:
The Bill guarantees individuals the right to privacy.
However, no federal privacy law places restrictions on the collection, use or dissemination of data about private-sector job applicants or employees.
Privacy Act:
Protects the privacy of federal government employees.
Other federal and state laws restrict the collection and dissemination of employment data.
Employee Privacy in a Global Environment (5 of 12)
Data Collection about Applicants and Employees
Federal Laws.
State Laws.
Collection of data in social media sites.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Federal Laws:
Under the Americans with Disabilities Act (ADA) (1990), employers cannot collect data about disabilities in the employment process.
Information on employee disabilities must be stored separately from other files.
The Genetic Information Nondiscrimination Act of 2008 prohibits the collection of genetic data about applicants or employees.
Civil rights laws advise employers against collecting data about individuals’ age, race, ethnicity, gender, national origin, pregnancy, religion, or other protected information, as they may be used as the basis for lawsuits regarding unfair discrimination.
As per the Equal Employment Opportunity Commission (EEOC), employers should not collect data about arrests, criminal convictions, or credit that may result in a disparate impact against protected groups.
State Laws:
Many states limit the collection of credit reports in the hiring process because racial and ethnic minorities often have lower levels of socioeconomic status and poorer credit than their white counterparts.
A few states have legally restricted the collection of data on applicants’ arrests that do not lead to convictions.
Some states restrict the collection of data on criminal convictions that are not job-related or have been sealed or expunged.
The collection, use, and disclosure of social security numbers (SSNs) in the employment process are also restricted in several states.
Collection of data in social media sites:
Employers often review applicants’ websites or social media sites to gather lifestyle data or personal information.
The sensitive nature of such information has led applicants to set privacy controls to prevent employers from accessing the data.
Many states have enacted laws that prohibit employers from asking applicants or employees for IDs and passwords for these accounts.
Employers should review online applications to ensure that protected data are not included as questions on them.
HRISs should also be prevented from using or displaying SSNs as employee identifiers.
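The design rules in these notes (disability and medical data kept in separate files, SSNs never used or displayed as employee identifiers, protected data kept out of the general record) can be enforced in the data model itself. The following is an added example written for this slide; it is not code from the textbook or from any HRIS vendor. The in-memory store, the surrogate identifier format, and the role table are assumptions made for illustration.

```python
import secrets

# Fields that must never live in the general employee record; each belongs in a
# separate, role-restricted store (assumed list, based on the notes above).
PROTECTED_FIELDS = {"ssn", "disability", "medical_condition", "genetic_data"}

# Assumed role model: which separate stores each role may open.
ROLE_ACCESS = {
    "manager":  {"core"},
    "payroll":  {"core", "ssn"},
    "benefits": {"core", "medical"},
    "hr_admin": {"core", "ssn", "medical"},
}


def new_employee_id() -> str:
    """Surrogate identifier used everywhere an SSN might otherwise be displayed."""
    return "E" + secrets.token_hex(4).upper()


def mask_ssn(ssn: str) -> str:
    """Display form that exposes only the last four digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return "***-**-" + digits[-4:]


class HRISStore:
    """Constructed in-memory HRIS with three physically separate stores."""

    def __init__(self):
        self.core = {}     # employee_id -> job-related fields only
        self.ssn = {}      # employee_id -> SSN (payroll/tax use only)
        self.medical = {}  # employee_id -> disability / medical data

    def add_employee(self, core_fields: dict, ssn: str, medical=None) -> str:
        # Refuse to create a record whose general part carries protected data.
        leaked = PROTECTED_FIELDS & set(core_fields)
        if leaked:
            raise ValueError(f"protected fields not allowed in core record: {sorted(leaked)}")
        eid = new_employee_id()
        self.core[eid] = dict(core_fields)
        self.ssn[eid] = ssn
        if medical:
            self.medical[eid] = dict(medical)
        return eid

    def read(self, role: str, store: str, eid: str):
        """Every read is mediated by the role table; denial is the default."""
        if store not in ROLE_ACCESS.get(role, set()):
            raise PermissionError(f"role {role!r} may not open store {store!r}")
        return getattr(self, store).get(eid)

    def display(self, role: str, eid: str) -> dict:
        """Screen view: core record plus a masked SSN for roles entitled to it."""
        view = dict(self.read(role, "core", eid))
        if "ssn" in ROLE_ACCESS.get(role, set()):
            view["ssn"] = mask_ssn(self.read(role, "ssn", eid))
        return view


if __name__ == "__main__":
    store = HRISStore()
    # Constructed sample employee; the SSN is a made-up value.
    eid = store.add_employee({"name": "Ada Example", "title": "Analyst"},
                             "123-45-6789", {"disability": "hearing impairment"})
    print("surrogate id:", eid)
    print("manager view:", store.display("manager", eid))
    print("payroll view:", store.display("payroll", eid))
```

Keeping the SSN and medical data in separate stores means a breach or over-broad query of the core record exposes neither, and the surrogate identifier lets reports, screens, and logs reference employees without ever carrying the SSN.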
Employee Privacy in a Global Environment (6 of 12)
Disclosure of Applicant or Employee Data
Information breach at U.S. Office of Personnel Management.
Federal law.
State laws.
The U.S. Fair Labor Standards Act of 1938.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Information breach at U.S. Office of Personnel Management:
The office witnessed one of the major breaches of applicant and employee information in 2015.
Over 21.5 million records were stolen.
Federal law:
The Privacy Act of 2005 prevents employers from selling or disclosing personally identifiable information about individuals to a commercial entity or non-affiliated third party and requires organizations to protect sensitive data stored in HRIS.
The Americans with Disabilities Act (ADA) (1990) and Family Medical Leave Act (FMLA) require that any information obtained by an employer about an employee’s medical condition should be maintained in separate files and treated in a confidential manner.
The Health Insurance Portability and Accountability Act (HIPAA) protects data collected by employer-sponsored health plans, and health providers cannot disclose individually identifiable health information without a HIPAA authorization from the patient or participant in the health plan.
State laws:
Employers are required to notify employees if any of their computerized personal information has been breached.
In some states, employers are required to take steps to safeguard employment records and ensure that they are not released to third parties.
The U.S. Fair Labor Standards Act of 1938:
Employers are required to maintain basic information on all employees.
Storage of data on HRISs has also resulted in concerns about the potential to invade personal privacy.
Employee Privacy in a Global Environment (7 of 12)
Unauthorized Access to Information
Unauthorized access.
Results from research.
HRIS invasion of privacy.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Unauthorized access:
Employees fear that storage of information on HRIS may allow unauthorized access to their private information.
Reports indicate that identity theft is the primary consequence of the breach of HRIS data.
Results from research: 34% of companies collect and store medical and prescription drug information about employees (Society for Human Resource Management [SHRM] & West Group, 2000).
HRIS invasion of privacy:
Employees perceive an HRIS as invasive of privacy when:
Employee information is accessed by supervisors.
The same data are used for employment rather than HR planning decisions.
Employees do not have the ability to check accuracy of data.
Employee Privacy in a Global Environment (8 of 12)
Unauthorized Disclosure of Information
Unauthorized disclosure.
Dissemination of personal information.
Negative outcomes of data disclosure.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Unauthorized disclosure:
Research by Linowes (2000) suggests that 70% of employers regularly disclose employment data to creditors.
Organizations regularly sell data collected on recruiting websites.
60% of employers do not inform applicants or employees when they disclose information within or outside the organization.
Dissemination of personal information: HRIS is likely to make this much easier, both internally as well as externally.
Negative outcomes of data disclosure:
Data collected for one purpose may be used for other purposes.
Policies to limit the unauthorized disclosure of employee information must be developed by organizations.
Employee Privacy in a Global Environment (9 of 12)
Data Accuracy Problems
Data accuracy.
Unfair stigmatization.
Negative effects of inaccurate data.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Data accuracy:
HRISs may contain inaccurate or outdated employee information.
Employees are not given the opportunity to review or correct data stored in an HRIS by their organizations.
Unfair stigmatization: Inaccurate HRIS data can result in stigmatization of individuals and denial of job outcomes.
Negative effects of inaccurate data:
Data inaccuracy in an HRIS can negatively affect both organizations and individuals.
Example: Organizations may make erroneous decisions regarding employees and fail to hire or promote highly qualified individuals.
A study by Linowes (2000) revealed that 72% of private sector organizations do not allow employees to review their employment records for inaccurate data.
Stone et al. showed that individuals are more likely to believe that their privacy has been invaded when they are not allowed to check the accuracy of HRIS data.
Employee Privacy in a Global Environment (10 of 12)
Stigmatization Problems
Stigmatized employees.
Negative impact on career development.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Stigmatized employees: Employees feel uneasy when they believe that networked data may result in their stigmatization or in their being discredited in the employment process.
Negative impact on career development: Irrelevant HRIS data can negatively impact an employee’s advancement and career development opportunities.
Employee Privacy in a Global Environment (11 of 12)
Use of Data in Social Network Websites
Collection and use of social network website (SNW) data.
Consequences of use of SNW data.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Collection and use of SNW data:
Organizations collect data about applicants and employees from social network websites (SNWs).
This information may include lifestyle, family background, friends, sexual orientation, religion, political affiliation, and personal interests.
An estimated 20% to 40% of employers scan SNWs to gather data about job applicants.
Consequences of use of SNW data:
SNW data can result in stigmatization and loss of job opportunities.
SNW data can be used without the knowledge of the individual.
Employee Privacy in a Global Environment (12 of 12)
Lack of Privacy Protection Policies
Growing concerns.
Lack of fair information management policies.
Policies on disclosure of HRIS data.
Satisfies Learning Objective 15.3: Describe the legal requirements pertaining to information security and privacy.
Growing concerns:
Unauthorized access.
Unauthorized release.
Data accuracy.
Use of data to stigmatize employees.
Lack of fair information management policies:
Many companies have no such policies in place.
Linowes’ study revealed that 42% of companies do not have privacy protection policies.
A fair information policy can help decrease employees’ perceptions of invasion of privacy.
Policies on disclosure of HRIS data:
It is recommended that employers set policies about the disclosure of information stored in HRIS.
Employers must also ensure that they gain permission from data subjects before releasing the data, inside or outside the organization.
The privacy policies must be clearly communicated to all applicants or employees of the organization.
Components of Information Security (1 of 3)
Brief Evolution of Security Models
Information security.
McCumber Cube.
Three dimensions of the Cube.
HR data integrity.
Satisfies Learning Objective 15.2: Describe the important components of and threats to information security.
Information security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability (CIA) of information system resources.
Personnel transactions and information processing are increasingly vulnerable to security threats and risks.
McCumber Cube: The McCumber Cube, also known as the National Security Telecommunications and Information Systems Security Committee (NSTISSC) security model, provides a more detailed perspective on information security through a graphical representation of the architectural approach.
It examines the characteristics of the information to be protected, as well as the context of the information state.
Using the Cube, an analyst can identify the information flows within an HRIS, review them for important security-relevant factors, and then map the findings to the cube.
Three dimensions of the Cube:
Desired Information Goals: Ensure the confidentiality of data and its availability to those who are authorized to access it.
State of Information: Identifies the current state of data.
Countermeasures: Identify mechanisms that can be used to protect data.
HR data integrity:
There is a need to understand the intersection between the technology countermeasure, the integrity goal, and the storage state.
Developing a system to detect and alert security administrators to host intrusions is one way of understanding the intersection.
This way, only specific employees are allowed access to specific information (Confidentiality), and the data is encrypted (Technology) before being stored (Storage).
Data is transmitted via secure FTP, thereby maintaining security (Transmission).
The use of secure transmission protocols is a matter of organizational policy (Policy).
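The mapping exercise the notes describe (identify the HRIS information flows, record which controls protect them, and place the findings on the cube) can be carried out as a gap analysis over the 27 cells of the cube. The following is an added example for this slide, not the textbook’s or Pohlman’s code. The control inventory is constructed: it lists the controls the notes mention (access restriction, encryption before storage, secure FTP transmission, host intrusion detection) plus an assumed backup control, and the cube’s three axes are taken as the goals confidentiality/integrity/availability, the states storage/processing/transmission, and the countermeasures technology/policy/education.

```python
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
COUNTERMEASURES = ("technology", "policy", "education")

# Constructed control inventory for an HRIS. Each control records the cube cells
# (goal x state x countermeasure) it covers.
CONTROLS = [
    {"name": "role-based access to HR records",
     "goals": {"confidentiality"}, "states": {"storage", "processing"},
     "countermeasures": {"technology", "policy"}},
    {"name": "encryption of HR data before storage",
     "goals": {"confidentiality"}, "states": {"storage"},
     "countermeasures": {"technology"}},
    {"name": "secure FTP for payroll file transfer",
     "goals": {"confidentiality", "integrity"}, "states": {"transmission"},
     "countermeasures": {"technology", "policy"}},
    {"name": "host intrusion detection and alerting",
     "goals": {"integrity"}, "states": {"storage", "processing"},
     "countermeasures": {"technology"}},
    {"name": "nightly backups to warm site",   # assumed control, not from the notes
     "goals": {"availability"}, "states": {"storage"},
     "countermeasures": {"technology", "policy"}},
]


def coverage(controls):
    """Map every covered cube cell to the names of the controls covering it."""
    covered = {}
    for control in controls:
        for cell in product(control["goals"], control["states"], control["countermeasures"]):
            covered.setdefault(cell, []).append(control["name"])
    return covered


def gaps(controls):
    """All cube cells that no control covers, in a stable order."""
    covered = coverage(controls)
    return sorted(cell for cell in product(GOALS, STATES, COUNTERMEASURES) if cell not in covered)


def uncovered_goal_state_pairs(controls):
    """Goal/state combinations with no countermeasure of any kind: the urgent gaps."""
    covered = coverage(controls)
    return sorted((goal, state)
                  for goal in GOALS for state in STATES
                  if not any((goal, state, cm) in covered for cm in COUNTERMEASURES))


if __name__ == "__main__":
    print("cells with no control:", len(gaps(CONTROLS)), "of", len(GOALS) * len(STATES) * len(COUNTERMEASURES))
    for cell in gaps(CONTROLS):
        print("  gap:", cell)
    print("goal/state pairs with nothing at all:", uncovered_goal_state_pairs(CONTROLS))
```

With the constructed inventory the analysis reports that availability is unprotected while data are being processed or transmitted, and that the education face of the cube is empty, which is exactly the kind of finding the notes expect an analyst to take from the cube.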
Components of Information Security (2 of 3)
Brief Evolution of Security Models
Satisfies Learning Objective 15.2: Describe the important components of and threats to information security.
Figure 15.1: The McCumber Cube.
Source: Pohlman (2008).
Components of Information Security (3 of 3)
Security Threats
Know your enemy.
Threat sources.
Types of threats.
Software threats.
Satisfies Learning Objective 15.2: Describe the important components of and threats to information security.
“Know your enemy”:
It is important to understand one’s own vulnerabilities.
Also important is the knowledge of the method of attack to plan your defence.
Threat Sources:
Human error: Risk increases when an HRIS is not properly designed, developed, and maintained, and when employees are not adequately trained.
Disgruntled employees and ex-employees: This is commonly referred to as an insider threat.
Other “internal” attackers: Third party vendors with access to critical information.
External hackers: Someone who accesses a computer or computer network unlawfully.
Natural disasters: Floods, earthquakes, fires, and lightning strikes can destroy or disrupt computing facilities and information flow.
Types of Threats:
Misuse of computer systems: Unauthorized employee access to or use of confidential and sensitive information.
Extortion: Attempts to obtain monetary benefits or other goods by threatening to take actions against the victim’s interest.
Theft.
Computer-based fraud: These can include modifications in data processing or data entry routines.
Cyber-terrorism: The leveraging of an information system that is intended to intimidate or cause physical, real-world harm or severe disruption of a system’s infrastructure.
Cyber espionage: The use of dangerous and offensive intelligence measures in the cyber realm.
Phishing: Victims usually receive e-mail messages that appear to come from an authentic source, that fool victims into giving out confidential information.
Denial-of-service: Attempts to make a service unavailable for legitimate users by flooding it with attack packets.
Software Threats:
Malware: Any form of “malicious software” whose purpose is to infiltrate a user’s machine without his/her knowledge.
Viruses: A computer virus is a type of malware that works by inserting a copy of itself onto a computer or device and then becoming part of another program.
Worms: They can replicate themselves without attaching to files.
Spyware: Software installed on an unknowing user’s computer that gathers information about the user’s activities on the Web and transmits it to third parties.
Trojan: A type of malware that usually hides inside e-mail attachments or files and infects a user’s computer when attachments are opened, or programs are executed.
Rootkit: A type of Trojan horse that takes over a root account and uses its privileges to hide itself.
Ransomware: Locking and denying of access to a system or files until a ransom is paid to the hacker.
Preventive and recovery measures are the best way to deal with ransomware.
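The phishing threat described above (messages that appear to come from an authentic source and ask for confidential information) can be screened for with simple structural checks before a message reaches HR staff. The following triage routine is an added example for this slide, not code from the textbook; the trusted sender domains, the brand words, and the three sample messages are constructed for illustration. It flags a display name that borrows the payroll or HRIS brand while the address domain is untrusted, a link whose visible text names a different host than its target, and a credential request that points to an untrusted link.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains from which genuine HRIS and payroll mail is sent.
TRUSTED_SENDER_DOMAINS = {"hris.example.com", "payroll.example.com"}
# Display-name words a lure typically borrows from the real sender (assumed list).
BRAND_WORDS = ("hris", "payroll", "human resources", "benefits")

CREDENTIAL_RE = re.compile(r"password|verify your account|confirm your (?:login|credentials)", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def analyze(message: dict) -> list:
    """Return the list of phishing indicators found in one message."""
    findings = []
    display, _ = parseaddr(message["from"])
    domain = sender_domain(message["from"])
    if domain not in TRUSTED_SENDER_DOMAINS and any(w in display.lower() for w in BRAND_WORDS):
        findings.append("sender_impersonation")

    untrusted_link = False
    for href, inner in ANCHOR_RE.findall(message["body"]):
        href_host = (urlparse(href).hostname or "").lower()
        if href_host not in TRUSTED_SENDER_DOMAINS:
            untrusted_link = True
        visible = TAG_RE.sub("", inner).strip()
        match = HOST_IN_TEXT_RE.search(visible)
        # Visible text names one host, the link goes somewhere else.
        if match and match.group(1).lower() != href_host:
            findings.append("link_mismatch")

    if untrusted_link and CREDENTIAL_RE.search(TAG_RE.sub(" ", message["body"])):
        findings.append("credential_request")
    return findings


def triage(messages) -> dict:
    return {m["id"]: analyze(m) for m in messages}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "HRIS Notifications <noreply@hris.example.com>",
     "body": '<p>Your annual review form is ready: '
             '<a href="https://hris.example.com/review">https://hris.example.com/review</a></p>'},
    {"id": "m2", "from": '"Payroll Team" <payroll@hris-example-login.test>',
     "body": '<p>Your password expires today. Verify your account at '
             '<a href="https://hris-example-login.test/login">https://hris.example.com/login</a>'
             ' to keep access.</p>'},
    {"id": "m3", "from": "Benefits Desk <benefits@mailer.test>",
     "body": '<p>Open enrollment starts Monday. <a href="https://benefits-portal.test/info">Read more</a></p>'},
]


if __name__ == "__main__":
    for msg_id, findings in triage(SAMPLE_MESSAGES).items():
        print(msg_id, findings or "no indicators")
```

Messages with any finding would be routed to a reviewer rather than delivered; the checks are deliberately conservative and meant to complement, not replace, mail-gateway filtering and the awareness training listed under countermeasures.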
Information Policy and Management (1 of 5)
Fair Information Management Policies
Restrictions in the public sector.
Fair information management policies and practices.
Satisfies Learning Objective 15.4: Describe best practices in safe information-handling procedures.
Restrictions in the public sector:
Legislation to restrict the collection, storage, use, and dissemination of employee information exists in the public sector.
However, there is no comprehensive federal legislation on the issue in private sector organizations.
An exception is the state of California that recently passed a law to protect the privacy of employee records in private sector organizations.
Fair information management policies and practices:
The establishment of such policies may help organizations decrease the degree to which employees perceive the HRIS as an invasion of their privacy.
Example: The Privacy Protection Study Commission recommended organizations should:
Limit the collection of information to job-related data.
Control unauthorized access to information in the HRIS.
Adopt reasonable procedures for assuring that data are accurate and timely.
Limit external disclosures of data without employees’ consent.
Information Policy and Management (2 of 5)
Effective Information Security Policies
Management issue of security.
The need for effective security policies.
ISO/IEC 27000 series.
Satisfies Learning Objective 15.4: Describe best practices in safe information-handling procedures.
Management issue of security:
Despite the major focus on technology, information security is more of a management issue.
The management issues are complex.
They focus both on behavioral information policies as well as the technical practices.
The need for effective security policies:
Security policies identify valuable assets.
They provide a reference to review in case of security conflicts.
They outline personal responsibility.
They help prevent unaccounted-for events.
They outline incident response responsibilities.
They outline an organization’s response to legal and regulatory requirements and to standards of due care.
ISO/IEC 27000 series: An established security standard that focuses on areas such as access control, security management, good practices, and protection of health-related information.
Almost all aspects of the ISO/IEC 27000 series mesh with HRISs.
Information Policy and Management (3 of 5)
Effective Information Security Policies
Best practices.
Implications for global organizations.
Satisfies Learning Objective 15.4: Describe best practices in safe information-handling procedures.
Best practices:
Adoption of a comprehensive information security and privacy policy.
Storage of sensitive personal data in a secure HRIS with appropriate encryption.
Proper disposal or restoration of documents.
Building document destruction capabilities into the office infrastructure.
Implementation and updating of technical and non-technical measures.
Using suitable tools to ensure that an employee does not leak sensitive information about a company on social media.
Conducting privacy “walk-throughs” and making spot checks on proper information handling.
Implications for global organizations: Laws specific to the areas of operation of an organization may limit the flow of employee data across borders, making the HRIS more complex.
Information Policy and Management (4 of 5)
Contingency Planning
Need for a comprehensive CP.
Incident Response (IR).
Disaster Recovery (DR).
Satisfies Learning Objective 15.4: Describe best practices in safe information-handling procedures.
Need for comprehensive contingency planning (CP):
Any company can be breached, regardless of its size.
Having a comprehensive CP in place is imperative.
The National Institute of Standards and Technology (NIST) explores CP deeply.
CP involves preparing for, detecting, reacting to, and recovering from an unexpected event that threatens various resources and assets in an organization.
Incident Response (IR):
IR consists of a detailed set of processes and procedures that commence when an incident is detected.
Planners must develop and document the procedures to be followed during and after the incident.
The procedures may include data backup scheduling, training schedules, testing plans, and business continuity plans.
An organization must report any violation of civil or criminal law during an incident to law enforcement agencies.
Disaster Recovery (DR):
DR is the preparation for and recovery from a disaster, whether natural or man-made.
A DR plan seeks to re-establish operations at the organization’s usual location.
Organizations must treat DR planning and preparation processes as a continuous task.
Information Policy and Management (5 of 5)
Contingency Planning
Business Continuity (BC).
Various techniques for testing.
Satisfies Learning Objective 15.4: Describe best practices in safe information-handling procedures.
Business Continuity (BC):
BC planning ensures that critical business functions can continue in a disaster.
It is activated and executed in concurrence with DR.
BC relies on the identification of critical business functions and the resources needed to support them.
One of three types of backup site is used for this process:
Hot sites are exact replicas of the current HRIS data.
Warm sites have a reasonable set of equipment present to start the recovery process.
Cold sites are configured spaces where everything needed for restoration has to be procured and delivered.
Various techniques for testing:
A CP can be tested through various techniques.
The techniques include:
Desk check.
Structured walkthrough.
Simulation.
Parallel testing.
Full interruption testing.
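Whichever backup site and testing technique is chosen, a parallel or full-interruption test of the DR plan has to answer one concrete question: does the restored HRIS match the primary? The following is an added example for this slide, not the textbook’s code. It builds a fingerprint manifest of the primary records and checks a restore against it, reporting records that are missing, altered, or unexpected; the record set and the warm-site restore (with one record altered and one missing) are constructed for illustration.

```python
import hashlib
import json


def fingerprint(record: dict) -> str:
    """SHA-256 of a canonical JSON encoding, so field order cannot change the hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(records: dict) -> dict:
    """Manifest taken from the primary HRIS at backup time: employee id -> fingerprint."""
    return {eid: fingerprint(rec) for eid, rec in records.items()}


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a restored data set (hot, warm, or cold site) against the manifest."""
    missing = sorted(eid for eid in manifest if eid not in restored)
    extra = sorted(eid for eid in restored if eid not in manifest)
    corrupt = sorted(eid for eid in manifest
                     if eid in restored and fingerprint(restored[eid]) != manifest[eid])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


# Constructed primary HRIS records (fictitious employees).
PRIMARY = {
    "E001": {"name": "Ada Example", "title": "Analyst", "hired": "2019-03-04"},
    "E002": {"name": "Bo Sample", "title": "Engineer", "hired": "2020-07-15"},
    "E003": {"name": "Cy Placeholder", "title": "Manager", "hired": "2017-11-30"},
}

# Constructed warm-site restore: E002 was altered in transit and E003 never arrived.
WARM_SITE_RESTORE = {
    "E001": {"name": "Ada Example", "title": "Analyst", "hired": "2019-03-04"},
    "E002": {"name": "Bo Sample", "title": "Engineer", "hired": "2020-07-16"},
}


if __name__ == "__main__":
    manifest = build_manifest(PRIMARY)
    print("manifest entries:", len(manifest))
    print("warm-site restore:", verify_restore(manifest, WARM_SITE_RESTORE))
```

The manifest is small enough to keep with the DR documentation, and because it is rebuilt at every scheduled backup, the same check can run as part of the continuous DR preparation the notes call for rather than only during a formal test.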