Security vs. Personnel and Employment Applications

Wednesday, April 24, 2013

Allan Pratt, MBA


Does your company use those out-of-date applications where the applicant must provide his or her Social Security number and driver’s license number? If so, throw them out immediately. You could be setting your business up for a potential lawsuit.

In the old days, that is, the pre-Internet era, employment applications included what we today call Personally Identifiable Information, or PII, which includes Social Security numbers and driver’s license numbers. The simple act of requesting these numbers wasn’t given a second thought because no one knew about identity theft. That crime had not become mainstream.

However, today, these types of documents are ripe for the picking. How long do you keep those applications, and what do you do when you get rid of them? Do you shred them? Or do you just toss them in the trash? If you do toss them in the trash, dumpster divers can find a treasure trove of identities ready to be stolen.

And even if you do keep the applications, who’s to say that someone in your office won’t help himself or herself to one or two of the applications and use them to steal information and create false identities?

Naturally, being a security professional can make one paranoid. I know I am always looking for ways that identities can be stolen, and if I can think of them, others can too. We all know that people are the weakest link in the security chain. HR people are only human and are prone to making mistakes, just like the rest of us. Eventually the number of applications in Personnel Departments fills more than just one filing cabinet. At some companies, they can take up an entire room. So eliminating them is only natural. But it’s what you do while getting rid of them that matters.

Use a confetti-type shredder that shreds documents into fine pieces of paper. That is the best option since there’s no way for anyone to piece documents back together. If, by contrast, you use a standard cross-cut shredder that cuts documents into strips, that would enable anyone to piece documents back together. All prospective employee applications should be treated like any other confidential documents that your business maintains.

You may think you need this information to do a background check on prospective employees. But you don’t. Background checks aren’t needed until you’re ready to offer prospective employees a job. The offer of a job should be contingent upon passing a background check, and that should be the time that you request a driver’s license and Social Security number. When I fill out applications with those requests, I write “to be provided later.”

Many years ago, I was the victim of identity theft, and I can report firsthand, it’s not a pleasant experience. I worked with the local police department, the credit unions, the US Customs Office, banks, and credit card companies.

Depending upon what type of identity theft you are involved in, you may be considered guilty before you are proven innocent. A person’s credit rating can be severely damaged, meaning that he or she is unable to buy a home, a car, or get a loan. And all as a result of throwing out a piece of paper that had too much information on it. If I discovered that my identity had been stolen as a result of filling out an application for a prospective employer, and that the employer had mishandled my confidential information, I know the first thing I would do. How about you?

Information is the currency of the 21st century. Social Security numbers and driver’s licenses are gold. Treat them as such, or mishandle them at your own risk.

Allan Pratt, an infosec strategist, represents the alignment of technology, marketing, and management. With an MBA Degree and four CompTIA certs in computers, networks, servers, and security, Allan translates tech issues into everyday language that is easily understandable by all business units.

Cross-Posted from Tips4Tech
