Then the folks at Aetna had a little problem with their employment website, outsourced to Taleo. From a Network World article:
"Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach.
The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor."
Who could have imagined such a thing happening? I mean, besides Martin's question and my post a month ago...
And while we're on the topic, in an interesting coincidence, I recently had a conversation with someone who provided some excellent insights into the way things work in the outsourced recruitment services field.
If they outsource wisely, most companies may end up more secure than if they handled recruiting internally, especially the "building and maintaining a recruiting website/portal" part of the process. The Aetna incident notwithstanding, responsible talent service agencies have dedicated personnel who continuously test the security of their websites, and in some cases have large customers who test the sites as part of their due diligence; that is certainly more attention than most small to mid-sized companies pay to their own websites. Core competencies and all that.
But how do you "outsource wisely", whether for recruiting or any other service? That's the trick, especially for SMBs. While Fortune 50 companies may have the clout (and resources) to verify their service providers, neither Jimbo's Bait and Sushi nor Gunter's House of Squirrel and Kraut has either the clout or the resources, so how do they handle this? Start by asking questions about security, policies, testing, indemnification, and whatever else seems appropriate. And ask for it in writing. Ask for a customer list and references. You will probably have to blindly trust some of what they tell you, but with a little effort you should be able to make an informed decision.
And remember, for those companies covered by Massachusetts' 201 CMR 17.00, section 17.03 (3) 6 states:
"Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to: ...Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00."
Similar laws and regulations are coming to a jurisdiction near you; keep that in mind when selecting vendors.