How CHROs, CISOs can partner to protect job applicant data

Chief human resources officers and other HR leaders should ask themselves if they know where job applicant data resides, and if they understand the threats. Learn how to protect this information.

Security challenges might seem endless, but companies can't afford to neglect job applicant data.

Applicant data includes sensitive information such as Social Security numbers, resumes, background check data and disability accommodations. Leaking that data could lead to fraud and social engineering attacks. These incidents not only affect the applicants but also reflect poorly on the hiring company and the leaders responsible for protecting that information.

Here's a deeper look at who is responsible for protecting job applicant data and steps that leaders, including CHROs and VPs of HR, can take to stop leaks.

Who is responsible for protecting applicant data?

The challenge of protecting applicant data is both an IT problem and an HR problem.

CHROs and VPs of HR should ensure that their employees don't gather sensitive data unnecessarily, particularly during the early stages of the applicant process when the company might not yet require it. HR executives must ensure that their departmental practices, as well as those of third-party vendors such as recruiters and background check providers, align with corporate privacy and security policies. They should also ask vendors how applicant data is stored, accessed and deleted and obtain that information in writing.

On the security side, CISOs and their teams must understand that sensitive HR records are part of the recruiting process and implement the proper security controls, including user authentication, access permissions and encryption. Ongoing security reviews, such as information risk assessments and vulnerability and penetration testing, will help determine whether the security controls are working for real-world attack scenarios.

A people data governance group could be helpful, with the team serving as a cross-functional subcommittee of the company's security or risk committee and including representatives from HR, IT, security and the legal department. The group can define applicant data, outline current and future protective controls, and determine escalation paths and messaging when security problems occur.

The people data governance group must be aligned with the other teams on risk tolerance and the necessary steps to protect applicant data.

Governance for applicant data

A proven way to protect applicant data, along with other HR data, is to establish documentation and processes that set expectations and provide the necessary insight into managing ongoing risks.

Some organizations might refer to regulations applicable to their industry, such as HIPAA for medical organizations or PCI DSS for companies that process customers' credit card information. A better approach is to make an organization's rules align with a broader framework, such as ISO/IEC 27001/27002 or the Health Information Trust Alliance, or HITRUST, so that all aspects of the organization are involved.

Paying for these formal certifications may not be necessary; using the frameworks as a guide might be sufficient. Following a well-known framework also helps provide defensibility in the event of a breach.

One of the most important aspects of governance involves user training. The standard email phishing training that all users are likely receiving isn't enough; applicable users should receive training that is specific to the HR systems and processes that store or govern applicant data. The HR department should develop and teach the curriculum when possible, and the security and privacy teams should provide the cybersecurity and regulatory context.

Another critical aspect of a governance framework is data collection and retention. How is this process managed? Legal counsel should weigh in because requirements can vary based on the company's location and industry. HR and legal counsel should work together to define the collected data, the reason for collecting it and the length of retention. Meanwhile, technical teams should ensure that the necessary systems and monitoring are in place to support those decisions.

Technology for applicant data protection

Treating the company's applicant tracking system and HR platforms as critical applications is necessary for securing applicant data. They should be covered by network inventory and IT asset management, data and PII discovery, identity and access management combined with multifactor authentication, and effective logging and monitoring. Other controls might include a web application firewall, database activity monitoring and endpoint security.

Incident response capabilities for these systems are equally important. Documenting who works with applicant data is crucial, as communicating with the right people is essential when a suspected breach or misuse of applicant data occurs.

Compliance considerations

Regulatory compliance is an important aspect of protecting applicant data.

The records are not only personal but might also be protected under HIPAA, PCI DSS, the Fair Credit Reporting Act and various state and international privacy laws. Specific requirements will vary between countries and even between states.

Legal counsel and the person overseeing compliance within the company should also weigh in on applicant data protection. A breach of applicant data can trigger regulatory investigations, mandatory notifications, fines and long-term damage to a company's reputation.

Executive takeaway

HR records, including applicant data, often aren't properly protected. Applicant data in particular falls into a gray area of ownership, which can lead to neglect of basic security controls. Focusing on the essentials of information security, such as patching, passwords and visibility, can help.

CHROs and other HR leaders should ask themselves whether they know where the company's applicant data is stored and whether they understand the threats to that data. Most IT and security professionals would find it difficult to answer those questions, let alone HR executives.

CHROs and VPs of HR must treat applicant data as critical business information and insist on a strong partnership with the company's CISO.

Kevin Beaver is an independent information security consultant, writer and professional speaker with Atlanta-based Principle Logic, LLC. With more than 30 years of experience in the industry, Beaver specializes in performing vulnerability and penetration tests, as well as virtual CISO consulting work.