A HReal HRisk HR can help HReduce

Today is Data Security Day.  You've educated your staff about limiting access to sensitive information, locking up confidential paperwork, and securing the network.  But Latanya Sweeney, the FTC’s new Chief Technologist, just clued us in about a potential security vulnerability that you, your HR team, and your web master can do something about right now.

It can happen on any site, but it’s common for universities, research institutions, non-profit organizations, and even tech companies to include links to the CVs of professors, scientists, executives, and other staff.  For the most part, those resumes list scholarly publications and academic interests.  But scroll through all that high-minded content and you may get to the down-and-dirty stuff identity thieves live for:  dates of birth, home addresses, and even Social Security numbers.

On this topic – and a whole lot of others – when Latanya Sweeney talks, we listen.  And here’s why.  Yes, Latanya is an Ivy League Big Brain Academic.  (And we mean that in the nice way, of course.)  But she also has the tech credentials to speak geek with the very best of ‘em.  And if that weren't enough, for years she's been a leading thinker about how privacy and technology policy affect consumers.

Here are some steps you can take immediately to help plug the potential gap Latanya is warning about:

  1. HR professionals:  Survey the faculty or management pages of your site and have your web master take down any CVs or resumes that include the kind of personal information ID thieves could exploit.  Explain to your colleagues why it’s a risk they shouldn’t be taking.  As new staff members are hired, implement a policy not to upload documents that include sensitive data.  Executives and staff will appreciate that you’re looking out for them – and for the reputation of your institution or business.
     
  2. Academics and professionals:  If the CV or resume posted on your employer's site or your personal homepage includes your Social Security number, date of birth, or other personal information, take the page down.  If it's a link to a .pdf, revise the document to get rid of the data crooks could exploit.  Pass the word to your colleagues, mention it in your next staff meeting, or print this page and post it where they’ll see it.
     
  3. Job applicants, graduate students, and others with an interest in promoting their credentials online:  Be savvy about what you include on your CV, resume, or webpage.  There’s just no reason for posting your Social Security number or date of birth where it’s accessible to some random web surfer.  And your home address?  These days, isn't it more likely legitimate employers would contact you via email?
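One way a web master could run the survey described in step 1, as an added example that is not part of the original post: a Python script that walks a local copy of the site's published pages and reports which files and lines contain an SSN-shaped number or a labelled date of birth, without echoing the values. It assumes the content is available as text or HTML files (PDFs would need their text extracted first); `scan_text`, `scan_tree`, and the sample CV are hypothetical names and constructed data.

```python
import re
from pathlib import Path

# SSN-shaped numbers, skipping ranges that are never issued
# (area 000, 666, 9xx; group 00; serial 0000) to cut false positives.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}(?!\d)")
# A date that directly follows a birth-date label ("DOB:", "Date of Birth", "Born").
DOB_RE = re.compile(
    r"\b(?:d\.?o\.?b\.?|date\s+of\s+birth|born)\b\W{0,5}"
    r"(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|[a-z]+\.?\s+\d{1,2},?\s+\d{4})",
    re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

def scan_text(text):
    """Return (line_no, kind) per hit; matched values are never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = TAG_RE.sub(" ", line)  # crude tag strip so markup cannot hide a value
        findings += [(no, "ssn") for _ in SSN_RE.finditer(line)]
        findings += [(no, "dob") for _ in DOB_RE.finditer(line)]
    return findings

def scan_tree(root, suffixes=(".txt", ".html", ".htm")):
    """Scan every published text/HTML file under root; return {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample CV page (not real data).
SAMPLE_CV = """\
<h1>Jane Q. Example, Ph.D.</h1>
<p>Office: 617-555-0142 | ISBN 978-0-00-000000-2</p>
<p>Date of Birth: April 12, 1961</p>
<p>SSN: <b>123-45-6789</b></p>
<p>Grant no. 000-12-3456 (not an issuable SSN)</p>
"""

if __name__ == "__main__":
    for line_no, kind in scan_text(SAMPLE_CV):
        print(f"line {line_no}: {kind} found, review before publishing")
```

A hit is a prompt for a person to review the document, not proof; the patterns will miss values written in unusual formats.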

Those steps can reduce your risk from here on in, but what can you do if your personal information is already out there?  Go to annualcreditreport.com and exercise your right to one free copy of your credit report from each of the three major national credit reporting companies.  Stagger your requests and monitor your report once every four months.

Here is something else you can do:  Subscribe to Latanya Sweeney’s Tech@ftc blog.

 

2 Comments


Nice piece of information and will certainly help our HR department. Thank you

Great information. I will pass on to my HR Department.
