Performance and Talent Data Security

How Secure is your Private Performance and Talent Data?

Performance and talent data is managed inconsistently within many organizations today. Employee data may be managed centrally using an HRMS technology platform and then exported into a variety of documents and saved on individual personal computers. Strategic roadmaps may be developed under tight security by consulting companies under strict NDA agreements and then sent to the copy room for mass duplication. Technology solutions deployed to manage data behind the firewall often include legacy or otherwise substandard and unreliable technology infrastructure. Solutions delivered to manage Performance and Talent data must adhere to the highest standards for solution availability and data privacy for your company’s critical, sensitive data.

Privacy of Employee Data is a Real Concern

The issues of consumer identity theft and massive losses of private employee data have brought consumer data privacy to worldwide attention. Oversights by companies and their service providers have led to incidents such as Time Warner Inc. losing private data on 600,000 employees in 2005 when an outside storage company lost a set of physical backup tapes.¹ Legislation has recently been enacted throughout the world to protect employees from the risk of their employers divulging private data. Strict penalties as well as public ill will befall any organization that loses private employee data.

Privacy of Strategic Data is a Real Concern

Would you like to have access to the strategies and tactical execution plans of your three biggest competitors? How valuable would that data be to your company? These simple questions can be the easiest way to frame the importance of the privacy of strategic data. Many companies have reacted to potential legal risk stemming from employee litigation when private identities become compromised. Many of the same companies still rely on paper processes with minimal security to document critical business strategies and tactics. The business community often demands the utmost in strategic data privacy from consultants and bankers but makes no provision whatsoever to protect this data internally. Critical strategic data is often turned over to competitors due to lack of basic data security provisions.

Risk from Internal Parties

Private Performance and Talent data is currently susceptible to an intolerable level of risk from internal parties at many organizations today. Data that is stored in any of a variety of means can be accessed en masse and removed from organizational information systems. Inadvertent risk situations include private employee or talent information that has been saved locally on a laptop or printed out being lost or stolen when an individual’s property is burglarized. Premeditated risk situations can arise when private data is accessed by employees working in service centers or other work functions that require access to large amounts of data. Malicious individuals can remove private data from organizational information systems and sell it on the open market or conduct malicious activities directly. Physical systems may be compromised and massive amounts of data may be lost when employees tasked with their maintenance fail to do so properly.

Risk from External Parties

Performance and Talent data is currently at risk of compromise from external parties in a large number of organizations today. Former employees or consultants may retain access to systems or documents after they depart the organization. Malicious parties may try to access critical data directly through computer hacking or through confidence schemes. External parties may mount malicious attacks on physical and technological infrastructure that can cause data loss or service interruption. Service providers tasked with backing up information or with providing redundant facilities such as power may prove unreliable, as in the case of Time Warner in 2005.

Technology Solutions

Privacy standards for critical Performance and Talent Data can take cues from the comprehensive data privacy framework set forth in the 1998 European Commission on private data on individuals. The Safe Harbor framework developed by the US and the EU sets standards for adhering to these standards, including seven safe harbor principles: Notice, Choice, Onward Transfer (transfer to third parties), Access, Security, Data Integration, and Enforcement. Technology solutions trusted with Performance and Talent data must be deployed utilizing extremely robust technology platforms to ensure that critical data is available when required. Hosting facilities should be of the highest quality and reliability, including physical security, redundant power, redundant bandwidth, environmental controls, and data backup and recovery. Technology solutions should be engineered with data security as a clear priority, utilizing the latest technologies such as safe desktops.

On-Premise Performance and Talent Management Solutions

It is possible to conduct internal assessments of data privacy according to the seven safe harbor principles. It is also possible to engineer and deploy solutions and technology platforms that adhere to the highest technological standards for security and availability. Organizations often fall short of these goals when they find that it is simply not feasible to deploy software and platforms according to these standards, or to secure independent third party verifications. Organizations that have undergone third party verifications of their financial systems to meet the requirements of US Sarbanes-Oxley legislation can attest to the time and expense required for audits of privacy policy. Executives who have long debated cost versus benefit questions with internal IT departments can attest to the fact that the highest degrees of technology redundancy and security can be difficult to justify in annual budget meetings. The complexity of the effort required to deploy high quality On-Premise solutions and the unrelenting pressures against adherence to rigid standards of quality should be viewed as substantial barriers by organizations considering On-Premise deployments of technology solutions for Performance and Talent Management.

On-Demand Performance and Talent Management Solutions

Top providers of On-Demand Performance and Talent Management solutions can leverage a multi-tenant architecture to deliver extremely robust and secure solutions. Multi-tenant on-demand providers can also ensure that independent verifications and safe harbor certifications are applicable to all of their customers. The multi-tenant model utilized by providers such as SuccessFactors delivers solutions that utilize the exact same technology and support infrastructures for all customers. All customers are offered the same degree of protections and assurances as to the robustness and security of the platform and physical infrastructure. No single customer can deviate from the shared infrastructure; therefore the privacy of data belonging to all customers is protected in exactly the same way. Data privacy certifications such as the Safe Harbor Certification held by SuccessFactors under policies put forward by the United States Department of Commerce (acting on procedures approved by the European Union in 2002) are equally applicable to all customers. The robust infrastructure that providers such as SuccessFactors leverage offers technology level assurances of security such as database level encryption and secure desktops to all customers. The scale of the multi-tenant architecture allows privacy control, monitoring, and protection on a scale that is simply not feasible for single company behind-the-firewall software solution implementations.

Platform robustness and data privacy can be further validated by users of on-demand solutions. European organizations such as La Poste, the largest single company in France, have extensive internal data privacy concerns that must be addressed by SuccessFactors as a vendor. Well proven on-demand providers of Performance and Talent Management applications such as SuccessFactors are well positioned to provide solutions that are simply too time consuming and expensive to deploy on the premises of a single company, as providers of behind-the-firewall solutions must attempt to do.



