Courtney here again! I recently had a conversation with a vendor about the topic of system security, which sparked some thoughts I wanted to share with you all.
In December, millions of Target customers were informed that their personal and banking information was compromised in a system security breach. What is being called the biggest retail hack in U.S. history has affected over 100 million cards. Thankfully my information wasn’t compromised, but as I am a Target shopper (yes, I purchased ALL of that myself) my bank took the preventative step of providing me with a brand new card, just in case.
This breach in security is not only costing Target millions of dollars ($17 million of net expenses after the $44 million covered by insurance, so $61 million total in the fourth quarter!) from lawsuits (over 90!), damages and updated security, but their revenue and profits have declined too. Sales fell 5.3% and net income fell 46% in Q4! That is a lot of money (and customers’ faith) to lose over something that could’ve (and should’ve) been prevented. Apparently, Target was warned pre-hack, but did nothing! (Read more about that here.)
Target isn’t the only retailer to have had a system security breach. Craft store Michaels Stores Inc. has reported that nearly 3 million cards have been affected by a recent breach in their security. And in 2007, TJ Maxx also reported 90 million cards affected from a security breach.
So what does this have to do with HR Technology? A lot, actually. Benefits Administration and HR systems house a lot of employees’ personal information. Think: full names, birthdays, addresses, social security numbers, etc., all needed for enrolling in benefits or for the company’s records. What would happen if your HRIS or Benefits Administration system wasn’t as secure as you thought and someone hacked in and stole all of that info? Although it may not cost as much as Target’s snafu, it would still put a big red entry on your company’s balance sheet and cause a lot of frustration and distrust from your employees.
In October 2012, it was estimated by NetDiligence that the average cost of a security breach was $3.94 per record. (That’s not a per employee number, but a per record! Each dependent, every Beneficiary, every database entry for an employee as they’ve held multiple jobs, etc.) Plus, factor in the legal costs: the average cost of defense was around $582K and the average cost of settlement was around $2.1 million. Another report estimated the average total cost per breach at $5.5 million with an average cost of $194 per record. That is quite a chunk of change!
A security breach doesn’t only have financial consequences. It can have consequences on your employees’ morale. As an employee, who would want to work for a company who wasn’t concerned enough about your info to take the measures necessary to protect it—I know I wouldn’t!
One way to check out a vendor’s security process is the SSAE 16 audit. SSAE 16 stands for Statement on Standards for Attestation Engagements No. 16, which was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants in January of 2010, replacing the SAS 70. (Whew, that was quite a mouthful of jargon!) Basically, it’s a guideline for reporting on controls at service organizations. If a vendor is SSAE 16 certified, they have passed the audit that checks if they are properly taking measures to secure customers’ data. The important point to review is if their SSAE 16 audit turned up any exceptions and, more importantly, how management addressed those concerns.
Handing over all of your employees’ sensitive information to a Benefits Administration or HRIS vendor requires a lot of trust. You want to be sure you can trust them to keep your data safe and secure from hackers. If security wasn’t something you considered for your HRIS before, hopefully it is now!
Great post. Another great way to check the level of security of a provider is to ask them to provide their cyber-tech insurance limits. Cyber-tech insurance is underwritten separately from traditional insurance policies. $1m used to be acceptable, but as you point out the cost of a breach, $25m+ is what providers should be carrying. The cost alone of the notification of the breach is significant enough to warrant several million dollars in cyber insurance. Not a sexy topic, but a very important topic.