A Rogue Data Safari

payrollguy | Security Corner

Recently I made a little LinkedIn comment on an article regarding what is known as “Rogue Data” within an organization (https://goo.gl/bWzv2G). Sounds ominous, yes? The article was a bit nerdy, and a bit of an advertisement, but still was worth a read.

I’m going to break this down in a way that can be understood by those without big bad datacenters, AWS cloud accounts, or other amazing resources.  Most of us are just trying to win the day for our customers, and take great care of our employees.

Let the Safari begin!

A brief ode to GDPR and our EU friends (Very brief – not an annoying consulting advertisement I swear!)

When you work in a world that includes payroll or for that matter, with any other Personally Identifying Information (PII for short), your life will only be getting more complex as time goes on.  Who hasn’t gotten some spam regarding GDPR Compliance or New EU Privacy Regulations?

What this really means to us is that if it hasn’t come across the big pond, and landed in your little pond, it will be soon.

The extra short version of this for those of us with really short attention spans is that privacy just became a really big deal.  It was already a really big deal, but governments are now putting teeth into the enforcement of regulations surrounding PII.

But this isn’t one of those GDPR/EU privacy spams or consulting plays.  This is about your client and employee data and where it might be hiding, lost, misplaced, or otherwise ready to bite you in the butt.

Humans aren’t perfect

So, you have an office.  Offices have computers and sometimes servers.  Offices have printers. Offices have humans. Humans are human, and humans aren’t perfect – I know I’m not.

If you’ve done an audit like a SOC2, you have already done great things to take care of your systems and security.  Rogue Data isn’t really about that. What we’re talking about can sometimes simply be data you do not need (or no longer need) to possess in order to do good work for your customers…

PSA:  If there is no regulatory requirement to retain Personally Identifying Information – it is a liability, not an asset!

…at other times, it is the mis-management of the PII that you DO need to do good work for your customers.  I’d like to assume you’re handling that, and focus on the sneaky data that no one thinks about.

Rogue Data hides in dark corners, and sometimes right on your desktop.  Let’s break this up into bites… in fact, let’s not talk about servers – you can bug your IT folks about that.

The Dirty, Dirty Desktop

“On this episode of hoarders… we interview the Payroll Implementation Specialist…”

Literally… The Dirty Desktop

Have you looked at the desktop of your computer recently?  On it you will find unnecessary reports, spreadsheets, and possibly little innocent folders labeled, “save” or “archived” or “implementation research”.  Check the dates… doh.

Taking Out the Trash

What about the trash can or recycle bin? Is it filled with deleted spreadsheets and scans of payroll registers or little ACH files? How long has it really been since you emptied that puppy out? 59,228 items strong? A Hefty Bag won’t cut it.

Downloads Folder

If you use a web-based email client, every single time you open up an attachment from a client, a copy drops right in there for safe keeping while you view their new employees’ Social Security numbers, direct deposit information, and health plan account numbers. What about pulling down ACH records to review from your provider? Did they scan an entire quarter’s reports and email them to you? Yup, those are in there too.
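As an added example (not code from the original post), here is a small Python inventory script in the spirit of this safari: it walks a Desktop and a Downloads folder for report-style files older than a threshold and counts SSN-shaped strings in the text ones, so you know what to clean up first. The folder names, file extensions, age threshold and sample files are all constructed assumptions for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed: extensions typical of payroll reports, registers and ACH files.
REPORT_EXTS = {".xlsx", ".xls", ".csv", ".pdf", ".ach", ".txt"}
TEXT_EXTS = {".csv", ".txt", ".ach"}
# Heuristic only: matches the NNN-NN-NNNN shape, not a validated SSN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def stale_report_files(roots, max_age_days=90, now=None):
    """Return (path, age_days, ssn_count) for report-like files older than
    max_age_days, most sensitive first. Binary files are reported by age alone."""
    now = time.time() if now is None else now
    hits = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.suffix.lower() not in REPORT_EXTS:
                continue
            age_days = (now - path.stat().st_mtime) / 86400
            if age_days < max_age_days:
                continue
            ssn_count = 0
            if path.suffix.lower() in TEXT_EXTS:
                try:
                    ssn_count = len(SSN_RE.findall(path.read_text(errors="ignore")))
                except OSError:
                    pass  # unreadable file: still worth listing by age
            hits.append((str(path), int(age_days), ssn_count))
    return sorted(hits, key=lambda h: (-h[2], -h[1]))

def build_sample_tree():
    """Constructed sample: a fake Desktop and Downloads folder with aged files."""
    base = Path(tempfile.mkdtemp(prefix="safari_"))
    desk, down = base / "Desktop" / "archived", base / "Downloads"
    desk.mkdir(parents=True)
    down.mkdir()
    old = time.time() - 400 * 86400  # about 13 months ago
    files = {
        desk / "payroll_register_Q1.csv": "name,ssn,amount\nA Person,123-45-6789,1000\nB Person,987-65-4321,1200\n",
        down / "new_hires.txt": "Jane Doe 111-22-3333 routing 021000021\n",
        down / "todays_invoice.pdf": "%PDF-1.4 constructed placeholder",
        base / "Desktop" / "notes.md": "not a report",
    }
    for p, text in files.items():
        p.write_text(text)
    for p in (desk / "payroll_register_Q1.csv", down / "new_hires.txt"):
        os.utime(p, (old, old))  # backdate the two files that should be flagged
    return base
```

Point it at your real Desktop, Downloads and recycle bin folders instead of the sample tree, and review (rather than auto-delete) whatever it lists.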

My Printer Has Forsaken Me!

Still rocking that old beige HP printer that just won’t die?  I know… that high-capacity toner cartridge just can’t be matched by today’s machines…  Back in the day did you pay for the high-capacity upgrades with the built-in hard drive that helps you keep hope alive when you’re printing on a Semi-Wednesday, Quarter-End or Year-End?

Unfortunately that old hard drive doesn’t necessarily get purged once the print job is finished.  It might just be filled with those reports. And guess what? Nerding out here a bit… The network card on it probably has a default password and no firmware upgrades (since 200X).  Soooo hackable!

What about your more modern investment? Is your scanner-printer-fax-coffee-maker sitting in the corner in all of its glorious sleek black casing with its iPad-like touch screen interface? New era, same old problems. Just where do those scanned documents go, my friend? Do you really know? Maybe you should find out?

Epilogue

Now that you’re busy doing the CTRL-A, DELETE on your ‘Archive’ folders on your desktop, and dutifully emptying the trash can (or still waiting for the trash can to empty its initial contents), what can you do to rally your staff around keeping things cleaned up? Usually it’s just regularly keeping people aware of what needs to happen. Maybe you could schedule a team computer cleansing day, and rally around it for your customers’ sake? Engage your IT folks to help find a safe storage management option for PII?

In the end, just being aware of what you’re doing, and taking a moment to think about the value of the data you possess, and what it would mean to that client’s employee should it leak out, might just be enough to inspire doing a better job caring for it. And that’s all we can do, right? Always striving for improvement and doing a better job each day for our clients and our employees. Be safe.
