A massive security breach at email communication provider Epsilon recently resulted in unauthorized access to the names and email addresses maintained by more than 2,500 Epsilon clients, including giant corporations such as Citi, Capital One, Dell, Target and JPMorgan Chase. Employers can learn valuable lessons from this breach that can be applied to relationships with human resources and benefit service providers.
This breach emphasizes the need for employers, especially HR and benefit managers, to perform diligence and contract appropriately with all service providers handling personal information on behalf of the organization, even if the information held isn’t traditionally viewed as sensitive. Human resources professionals typically focus their security efforts on relationships with vendors that handle employees’ Social Security numbers or bank account information, such as retirement plan TPAs, payroll processors and employment verification service providers, or vendors handling protected health information such as health insurers or administrators. However, as the Epsilon breach illustrates, vendors holding less sensitive information can also cause problems for employers. Employees commonly provide their corporate email address to Epsilon’s client companies, and it is widely assumed that these email addresses were stolen to perpetrate phishing attacks, send spam, and infect systems with malware. A single attack of this kind on a corporate email system can cause the business to suffer significant productivity losses, sustain reputational damage, and incur legal and PR expense. Employers should confirm that corporate email and information systems are properly protected, and consider adopting or updating policies on the use of these systems by employees.
The most critical due diligence issues employers should consider include the nature of the vendor’s information security program, whether their employees are trained regularly, whether and in what circumstances they employ data encryption, and whether they will securely return or dispose of information upon conclusion of the services. Contracts with these vendors should clearly address their notification process in the event of a breach, their responsibility to mitigate that event, and, of course, the nature and scope of indemnifications they are willing to offer in exchange for your business. In addition, it is always appropriate to ask about (and contractually restrict) your vendor’s use of subcontractors.
Privacy laws have largely failed to keep pace with emerging threats to personal information, and they do not necessarily require providers to secure information appropriately. Performing due diligence in vendor selection and acting to mitigate risk is an employer’s best defense against the type of threat seen in the Epsilon breach.