Human resources (HR) representatives handle a large amount of sensitive information, from employees’ Social Security numbers to financial documents. Mishandling documents or sending information to the wrong recipient can_cost millions_ (https://www.channelfutures.com/security/sensitive-data-leaks-cost-average-organizations-1-9-million-report) of dollars in legal and recovery fees.
Knowing how to handle sensitive information during processes like employee verification, especially when working with people outside of your organization, is essential to properly doing your job as an HR representative.
HR acts as the gatekeepers for a lot of employee and company data. When a third party requests that you share it, the request should be taken seriously and handled with care. Below are the most common types of employee-related information requests that HR departments receive.
Lending companies, government agencies, or employers often contact HR departments to verify a current or former employee’s work history.
Precautions to take: When answering an employment verification request (https://www.truework.com/verifications/knowledge/employment-verification/how-do-companies-do-employment-verification/), be sure to verify the identity of the party contacting you. If they’re calling you, search their number online and see if it comes up as fraudulent. If it’s an email request, confirm that the mailing server and the sender’s address match the company the sender claims to represent.
What to provide: Typically, you’ll need to provide the employee’s start and end dates; salary information, if relevant; or simply a confirmation of current employment.
Employees or former employees may wish to obtain a copy of their personnel files for any number of reasons.
Precautions to take: Some states give employees more power than others, allowing them to request their files under certain circumstances. Even in these states, employers are never required to give employees their entire files, meaning material can be redacted. Reference the state-specific laws (https://www.thehrspecialist.com/14541/access-to-personnel-files-50-state-laws) to see what may or may not be required of your company.
What to provide: If you choose to give employees their files, provide only the information that you’re comfortable handing over. If anything is potentially damaging to the company or is too sensitive to share, either redact it or bring in a legal expert if necessary.
In rare cases, the police, the FBI, or other law agencies may request employee files for an investigation.
Precautions to take: Make sure the officer or agent is legitimate by calling their office and verifying their badge number, which they should provide to you when prompted. If you have a lawyer or other legal expert at your company, consider involving them in the process.
What to provide: Police officers will typically ask for updated contact information if they’re looking for someone who is employed by your company.
There are a number of situations in which you’ll need to handle potentially sensitive information. Whether law enforcement is requesting employee records or someone is seeking employment verification, safely handling information is always important.
The following best practices can help you safely handle information during an employment verification request and bolster your security in general.
Employment verification requests (https://www.truework.com/verifications/knowledge/employment-verification/6-types-of-employment-and-income-verification-document/) are a common type of request and can come from a number of sources: lenders, insurance companies, government agencies regarding welfare services, and more.
Typically, HR either has to give the employee a signed employment verification letter or contact the third party needing the info directly and provide verification.
With an employment verification service like Truework, employment verification requests can be handled with little interaction from HR. If a verification service is in place, a third party — like a lender or a local government agency — can contact the verification service directly. The service can then contact the employee and inform them of the request. If the employee approves, the request will then be securely processed and sent to the requesting party.
There are nearly 4 billion email users (https://www.radicati.com/wp/wp-content/uploads/2018/12/Email-Statistics-Report-2019-2023-Executive-Summary.pdf) in 2019. With 62% of small businesses (https://www.cybintsolutions.com/cyber-security-facts-stats/) experiencing phishing, which is primarily done via email, email security can’t be downplayed. By properly encrypting email, you can help prevent your company from losing records.
Encryption is a type of security that prevents emails from being accessible to those using hacking or snooping software. When an email is encrypted, the contents are scrambled until the email is received by the receiving party, at which point the email is deciphered.
Many providers, like Gmail, will encrypt emails by default. But that email still relies on the other party using encryption as well. That means Gmail to another provider may not guarantee total encryption. For internal emails, make sure all company email accounts have encryption enabled. If your company’s email provider doesn’t support encryption, either consider switching to a provider that does, or use a third-party encryption service. This will at least ensure internal communications are secure. For external accounts, you’re better off securing the contents of the email.
Email encryption isn’t always possible. Even when it is, encrypting or password-protecting files is a great way to bolster your security.
There are a few common file types that can be easily encrypted or protected with at least one layer of security:
All of the above options can protect your documents, but only if the passwords used are strong. Be sure to use different passwords for each document and to send the password in a separate message. It’s also a good idea to change this password once the other party has gotten what they need from the document.
Beyond encrypting data and locking down documents, there are best practices that should be followed in HR and enforced across the company to ensure that data is handled in a safe and secure manner.
The mishandling of data can’t ever be fully prevented, but with the right steps, it can be deterred. Be sure to actively enforce any policies that are implemented; the loss of data can be costly and should be taken seriously.
Record requests are inevitable when working in HR. These situations are an opportunity for costly mistakes, but they don’t have to be. When the proper precautions are taken, employment verification or law enforcement request can be handled quickly and safely.