HR Data Security in the Spotlight

Troutman Pepper

A version of this article was originally published in the November 2015 issue of The HR Specialist. It is reprinted here with permission.

Cloud computing has the potential to provide on-demand efficiency, lower costs and flexibility for HR functions. However, it is important to manage a number of data privacy and security issues to protect sensitive HR data in the cloud. Otherwise, your employees' information could become the target of the next high-profile data breach.

HR data often contains the mother lode of personally identifiable information: not only about employees but also about their families. Unlike some other data breaches, breaches of HR data literally "hit home."

Before Signing an Agreement

Perform appropriate due diligence to get to know the HR cloud vendors you may do business with before handing over your data to them.

Review the vendor's data security policies, procedures and other controls to ensure they are consistent with your company's requirements. Often, this can be accomplished by reviewing the results of independent, third-party audits of the vendor's internal controls related to data processing, such as an SSAE 16 SOC 1 or SOC 2 report.

Any vendor that handles sensitive customer information should perform such audits and risk assessments in the ordinary course of its business and make the summary results available to customers upon request.

The HR Cloud Vendor Agreement

Once you have completed due diligence, it is extremely important to carefully review the vendor agreement to determine the vendor's contractual commitments with regard to data privacy and security.

Cloud services are often commoditized and offered as a one-solution-fits-all model.

Thus, a vendor may be reluctant to offer special concessions to your business. Nevertheless, the agreement should appropriately address several issues:

Reasonable safeguards: Ensure that the agreement commits the vendor to maintain and enforce reasonable administrative, technical and physical safeguards appropriate to the sensitivity of the HR data being processed.

These can include logical access controls to prevent unauthorized access to vendor systems, physical access controls to prevent unauthorized persons from entering the vendor's data centers, and employee training programs.

Using a cloud vendor means that sensitive HR data will be sent across the Internet, so ensuring appropriate use of encryption is also important.

Ownership and control of data: Cloud vendors often have access to the data of multiple customers, which provides them with an opportunity to use and combine data of multiple customers in search of valuable business insights.

Maintain control over your company's HR data by specifying that your company owns the data. Prohibit the vendor from using the data for any purpose other than providing the services to your company.

You should also ensure that the vendor can meet your data and document retention requirements and that you can track and audit your data while in the cloud.

This is important if your company is involved in employment-related litigation, or reasonably anticipates litigation. You may need to institute a "litigation hold" and require the vendor to retain certain documents.

Business continuity: An inability to access data for several days or a loss of a week's worth of data could become an operational nightmare. Add service level agreements requiring a specific level of availability, and review the vendor's business continuity and disaster recovery procedures to ensure that the vendor can protect your data in the event of a disaster.

Data breaches: Data breaches are an HR nightmare. Ensure that the vendor agreement appropriately addresses integration with your company's incident response management. Make sure the agreement provides a mechanism for the company to access and review breach-related evidence from your cloud provider's environment. Address who will pay the costs associated with handling a data breach.

Leaving the cloud: It is important to ensure that your company can get its data out of the cloud at the end of the business relationship. Whether you bring the data back in-house or move it to another vendor, you need a clear transition and exit strategy. Confirm that the vendor can return your data in an appropriate format.

To mitigate ongoing risk of unauthorized access to your company's HR data, require all data in your vendor's possession to be returned or destroyed at the end of the term of the agreement.

In addition to these issues, consider what steps may be appropriate to shift risk through the use of cyber insurance and the limitations of liability and indemnities in the contract.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper