Earlier this month, Anthem announced that they were the target of a sophisticated cyber-attack and that more than 80 million subscribers had their data breached. This situation is a nightmare for everyone involved (Anthem, brokers, employers, employees) and is a headline of which no one wants to be a part. There have been countless articles and positions written on this subject and, if you’ll indulge me, I’d like to offer up another opinion and position as it relates to the broader HR technology marketplace. You see, the criminals that launched the cyber attack chose to focus on the healthcare industry because of the high profile nature of an insurance carrier, the sheer volume of data that exists within a carrier’s system, as well as the type of data that exists within those databases – name, DOBs, address, SSNs, possibly pay information, work information, etc. For a criminal mind, having access to 80 million records of data with this type of information is akin to picking the winning Powerball numbers (hopefully quality time in the penitentiary follows picking those winning numbers). As I was reading many of the articles regarding Anthem and this situation, it made me reflect back on a previous MJ Blog article that we posted last year. In this article, we recommended that all employers should be asking their HR technology provider (payroll, HRIS, benefits admin, etc) as to whether they had successfully completed an SSAE16 audit (formerly SAS70). It should be reiterated that an SSAE16 audit is by no means an insurance policy against a data breach, but it does underscore two very important points: 1) That the provider has taken technology and data security seriously enough to have an independent party assess their current policy, procedures, and practices to ensure they are meeting the prescribed requirements as set forth by the Accounting and Standard Boards; and 2) That the infrastructure, policy, and processes surrounding that technology are in accordance with those same standards. This is why every single Market Assessment project that we lead includes information about whether a provider has successfully performed an SSAE16 audit. It won’t guarantee that the provider will never have a data security breach and won’t end up purchasing LifeLock subscriptions for millions or people (which is one of the immediate remedies that are required upon discovering a breach), but it will help mitigate the potential for a breach. Ask the question of your employer and have them ask their payroll/HCM provider today. Doing so just may help them avoid showing up in the NY Times Headlines.
Questions, comments, or ready to Advance HR through Technology?
Contact us now.