
The US Chamber of Commerce published an article highlighting several best practices for companies to safeguard employee information. To hear about TMG’s thoughts on sourcing the best in the industry, please contact our Vice President, Deborah Page.


Employee information is a recent target in hacking attempts and data breaches. Here’s how to protect your team’s personal data.

Just this month, payroll company Entertainment Partners — which handles payroll and residuals for many in the entertainment industry — suffered a data breach impacting nearly 500,000 people. The full names, mailing addresses, tax ID numbers, and Social Security numbers of many employees at companies like Dreamworks and HBO were exposed in the breach, putting those individuals at risk for fraud.

Many businesses focus on keeping customer data safe. The same care should be taken with employee and applicant data too. Employment or tax-related fraud cases grew at a triple-digit pace, according to a recent report. Here are some steps small business owners should take to make sure employee information is stored securely.

Comply with local and federal regulations

There are state and federal rules that govern employee privacy as well as recordkeeping — and often, these guidelines vary from state to state. These laws address which records must be kept and for how long, as well as how records must be retained.

“While there is no overarching federal law on preventing identity theft, there are liabilities under several different statutes, including the Fair and Accurate Credit Transaction Act, the Fair Credit Reporting Act, Americans with Disabilities Act (ADA), and Health Insurance Portability and Accountability Act (HIPAA) just to name a few,” explained Workest.

For instance, the ADA dictates that you restrict access to employee medical records and keep them separate from employee personnel files. Consult with an expert and do some research to learn what each of these provisions requires of your company.

Only gather information you absolutely must have

Keep only the employee information you need for hiring and payroll. For instance, it’s unlikely that you’ll need an employee’s Social Security number unless you’re performing a hiring background check. Some states, like New York, prohibit collecting and storing employees’ Social Security numbers. If you do need to collect personal information, anonymize it.

“For example, consider assigning an employee identification number to each employee, which can be used as a unique identifier on employee time cards and personnel files,” wrote ADP.
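The ADP suggestion above is pseudonymization: operational records (time cards, personnel files) carry only a random employee ID, and the one place that links the ID back to a Social Security number is a separate, restricted store. The following is an added illustration written for this page, not code from the US Chamber of Commerce, ADP or TMG; the `IdentityVault` class, the employee data and the SSN values are constructed for the example.

```python
import re
import secrets

# Constructed sample new hires; names and SSNs are fictitious.
NEW_HIRES = [
    {"name": "Ada Example", "ssn": "123-45-6789", "dept": "Finance"},
    {"name": "Ben Sample", "ssn": "987-65-4321", "dept": "Operations"},
]

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class IdentityVault:
    """The only place where employee ID and SSN are stored together.

    Hypothetical stand-in: in production this would be an encrypted,
    access-controlled and access-logged system, not an in-memory dict.
    """

    def __init__(self):
        self._ssn_by_id = {}

    def enroll(self, ssn):
        # Random ID: nothing about the SSN (or the hiring order) is
        # derivable from it, unlike a hash or a sequential counter.
        while True:
            emp_id = "E" + secrets.token_hex(4).upper()
            if emp_id not in self._ssn_by_id:
                break
        self._ssn_by_id[emp_id] = ssn
        return emp_id

    def ssn_for(self, emp_id):
        """Full SSN; only the background-check or tax workflow should call this."""
        return self._ssn_by_id[emp_id]

    def masked_ssn_for(self, emp_id):
        """Display form for everyday HR screens: last four digits only."""
        return "***-**-" + self._ssn_by_id[emp_id][-4:]


def onboard(vault, hires):
    """Build personnel records that carry the employee ID, never the SSN."""
    records = []
    for hire in hires:
        emp_id = vault.enroll(hire["ssn"])
        records.append({"employee_id": emp_id, "name": hire["name"], "dept": hire["dept"]})
    return records


def make_time_card(record, hours):
    """Time cards reference the employee only by ID."""
    return {"employee_id": record["employee_id"], "hours": hours}


def contains_ssn(obj):
    """Leak check: does any SSN-shaped value appear in this record?"""
    return bool(SSN_PATTERN.search(str(obj)))


if __name__ == "__main__":
    vault = IdentityVault()
    staff = onboard(vault, NEW_HIRES)
    for rec in staff:
        print(rec, make_time_card(rec, 40), vault.masked_ssn_for(rec["employee_id"]))
```

A breach of the HR or timekeeping system then exposes names and employee IDs, which are far less useful for tax or credit fraud than the SSNs the vault keeps apart; `contains_ssn` is the kind of check worth running over exports and log lines to confirm the separation holds.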

Develop a workplace records policy

A formal workplace records policy outlines how you and your HR team will comply with federal and state regulations, and how you will consistently manage, retain, and safely delete employee information over the course of each employee’s relationship with your business. This policy should determine:

  1. A retention schedule: How long will you keep certain pieces of information on file? Refer to the U.S. Equal Employment Opportunity Commission’s Recordkeeping Requirements for help developing this schedule.
  2. Access: Define which of your employees can access what types of files, and outline any employee rights to review and/or copy information within their personnel file. Ideally, only those with a legitimate business purpose should be able to access employee information.
  3. Storage and format: How will employee files be saved? Will you use paper files, upload documents to a cloud-based system, or use hard drives? Most experts recommend using a cloud-based HR system for security and ease of use.
  4. Destruction of documents: Outline how records will be disposed of once retention requirements have been met. Shredding and incineration are usually your best bets.
  5. Security audits: Regularly review and update both your records policy and the security measures you put in place to make sure they’re still serving your business needs.
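Items 1 and 4 of the policy above (the retention schedule and the destruction of documents) can be enforced mechanically rather than left to memory. The code below is an added example for this page, not code from the US Chamber of Commerce or TMG; the retention periods in `RETENTION_YEARS` are placeholder numbers, not the EEOC's (take the real periods from the EEOC Recordkeeping Requirements and your state's rules), and the `legal_hold` flag is an assumption reflecting the common practice that records involved in a dispute are kept regardless of schedule.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, placeholder schedule: category -> years kept after the
# triggering event. Replace with the periods your regulations require.
RETENTION_YEARS = {
    "application": 1,   # from the hiring decision
    "personnel": 3,     # from separation
    "payroll": 3,       # from the pay period
    "medical": 30,      # stored separately from personnel files (ADA)
}


@dataclass
class Record:
    record_id: str
    employee_id: str
    category: str
    event_date: date      # the date that starts the retention clock
    legal_hold: bool = False


def add_years(d, years):
    """Calendar-year arithmetic that tolerates a Feb 29 start date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(rec):
    """Earliest date the record may be destroyed; None if the policy
    does not cover its category (such records are never auto-disposed)."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return None
    return add_years(rec.event_date, years)


def due_for_disposal(records, today):
    """Records past retention and not under a legal hold."""
    due = []
    for rec in records:
        deadline = disposal_date(rec)
        if deadline is not None and deadline <= today and not rec.legal_hold:
            due.append(rec)
    return due


def dispose(records, today, audit_log):
    """Return the records to keep; write one audit entry per disposal.
    The audit entry records that a record existed and was destroyed,
    without reproducing its contents."""
    due_ids = {r.record_id for r in due_for_disposal(records, today)}
    kept = []
    for rec in records:
        if rec.record_id in due_ids:
            audit_log.append(
                f"{today.isoformat()} disposed {rec.record_id} "
                f"category={rec.category} employee={rec.employee_id}"
            )
        else:
            kept.append(rec)
    return kept


# Constructed sample records for a review run on 2024-06-01.
SAMPLE_RECORDS = [
    Record("R1", "E1001", "application", date(2022, 3, 1)),              # expired
    Record("R2", "E1002", "personnel", date(2023, 1, 15)),               # still within 3 years
    Record("R3", "E1003", "payroll", date(2020, 5, 1), legal_hold=True),  # expired but on hold
    Record("R4", "E1004", "background_check", date(2010, 1, 1)),         # category not in policy
    Record("R5", "E1005", "medical", date(1990, 1, 1)),                  # expired
]

if __name__ == "__main__":
    log = []
    remaining = dispose(SAMPLE_RECORDS, date(2024, 6, 1), log)
    print([r.record_id for r in remaining], log, sep="\n")
```

Two deliberate choices: a record whose category the policy does not name is kept and flagged for a human rather than silently destroyed or silently kept forever, and a legal hold overrides the schedule. Both are the cases a periodic security audit (item 5) should look for.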

Implement robust security tools

Unfortunately, there’s no single security system that can ensure your employee information is kept safe. You’ll need a few key tools, such as firewalls, multifactor authentication, automated threat detection, data encryption, antivirus, and anti-malware software. It’s also strongly advised that all employees use password managers to help generate hard-to-break passwords for all devices and platforms.

In addition, implement the principle of least privilege and a zero-trust security model: restrict employee information to only those who need it, and require authorization for each individual application, even for users who are already authenticated on the network. Regular training to spot phishing attempts can also help reduce the risk of insider threats.
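Least privilege and per-application authorization, as described above and in item 2 of the records policy, come down to an access check that every HR, payroll and benefits application performs on every request, with the outcome logged for audit. The code below is an added example for this page, not code from the US Chamber of Commerce or TMG; the roles, applications and permission names in `POLICY` are constructed, and the rule that a manager may only read records of their own direct reports is an assumption standing in for the "legitimate business purpose" test.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: each role receives only the permissions its job needs,
# scoped to one application. Medical data lives in a separate application
# with its own permission, so HR staff cannot reach it through personnel files.
POLICY = {
    "hr_generalist": {"hris": {"personnel:read", "personnel:write"}},
    "payroll_clerk": {"payroll": {"payroll:read", "payroll:write"}},
    "manager": {"hris": {"personnel:read"}},          # direct reports only
    "benefits_admin": {"benefits": {"medical:read"}},  # the only route to medical data
}


@dataclass
class User:
    name: str
    role: str
    mfa_verified: bool = False
    direct_reports: set = field(default_factory=set)


@dataclass
class Request:
    user: User
    app: str          # application the request is made against
    action: str       # permission required, e.g. "personnel:read"
    subject_id: str   # employee ID the record is about


AUDIT = []


def authorize(req, now=None):
    """Return (allowed, reason). Every decision, allow or deny, is logged.

    Checks, in order: the session has passed multifactor authentication;
    the role holds this permission in this application (nothing is inherited
    from being 'inside' or from rights in another application); and, for
    managers, the subject is one of their own reports.
    """
    now = now or datetime.now(timezone.utc)
    user = req.user
    granted = POLICY.get(user.role, {}).get(req.app, set())
    if not user.mfa_verified:
        decision = (False, "multifactor authentication required")
    elif req.action not in granted:
        decision = (False, f"role {user.role} has no {req.action} in {req.app}")
    elif user.role == "manager" and req.subject_id not in user.direct_reports:
        decision = (False, "subject is not a direct report")
    else:
        decision = (True, "ok")
    verdict = "ALLOW" if decision[0] else "DENY"
    AUDIT.append(
        f"{now.isoformat()} user={user.name} app={req.app} action={req.action} "
        f"subject={req.subject_id} {verdict} ({decision[1]})"
    )
    return decision


def denials(audit_log):
    """Denied requests are what a security review should look at first."""
    return [line for line in audit_log if " DENY " in line]


if __name__ == "__main__":
    hr = User("dana", "hr_generalist", mfa_verified=True)
    mgr = User("sam", "manager", mfa_verified=True, direct_reports={"E1001"})
    print(authorize(Request(hr, "hris", "personnel:read", "E1001")))
    print(authorize(Request(hr, "benefits", "medical:read", "E1001")))
    print(authorize(Request(mgr, "hris", "personnel:read", "E2002")))
    print(*denials(AUDIT), sep="\n")
```

The point of logging allows as well as denies is that a breach investigation usually needs to answer "who read this employee's record and when", and the retention policy for the audit log itself should be part of the records policy.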