Considering the Data Security Implications of Mobile Payroll Functionality
As far back as 2010, a Personnel Today article warned, “In comparison with desktop software, mobile apps are highly insecure as a result of the speed at which they come to market, their life spans and rules surrounding publication.” At the time, mobile payroll and HR was a barely emerging option (one of the earliest was ADP’s RUN payroll app, then available for the iPhone, iPad and iPod). A year or so later, a Bloomberg Businessweek survey found that adoption rates for handheld access to payroll & benefits information stood at 32% globally (US: 27%; Europe: 31%; and Asia/Pacific: 42%). The mobile computing trend is shaping the societies and cultures of the 21st century, and it’s no surprise to see that trend being leveraged for business use, particularly in HR and payroll. After all, mobile access is a fundamental enabler of employee self-service (ESS), which is, in turn, the main route for greater employee involvement, empowerment and engagement in the payroll function. Increasingly, employees are able to access, view and update their personal payroll data, online payslips and 401(k) and retirement savings plans on a 24/7 basis. When the scope is extended to include related software such as time and attendance (frequently bundled with mobile payroll) and benefits administration, mobile is very much the way of tomorrow’s compensation management.
However, payroll involves particularly sensitive data, even by HR standards. Considering that many employees use their own smartphones or netbooks for mobile access rather than employer-provided (and -configured) devices, the security ramifications start to become apparent. In fact, Ernst & Young’s global information security survey (Into the Cloud, Out of the Fog) identified the borderless environment resulting from mobile business applications as one of the predominant trends in future information management and, therefore, a significant security issue. So, although mobile functionality will be the way forward for many organizations, the following data security-related concerns must be addressed as part of the implementation of the chosen mobile apps.
Mobile Payroll Data Security Concern #1: The Hardware
In many cases, the mobile device being used is actually the personal property of the employee. As Ernst & Young point out, this blurring of boundaries has implications for data security: “With this shift in ownership, organizations relinquish some control around limiting support to a single consistent software... Additionally, it opens up the possibility of employees knowingly or unknowingly making changes in the mobile device that lessens the security of the device.” One potential issue with personal hardware is that there is little control over what other apps and software may be installed. If an employee has inadvertently downloaded malware, the resulting compromise of the device affects the security of all data held on it.
A further device issue is that the operating systems on smartphones and PDAs are inherently less secure than those found on fixed, networked desktop equipment. This makes mobile devices the weak points in the security wall and a potential target for hackers. The Bloomberg Businessweek research suggests that in the past, “One of the reasons iPhones are selling so well…, is because Apple has provided a methodology for securing them. Google’s Android operating system, on the other hand, uses open-source code, and there is not currently a system set up for certifying security.” Additionally, in case of loss or theft (again, a prevalent issue with mobile technology), the potential presence of downloaded sensitive information requires the app to have suitable authentication and encryption capabilities. Employers deploying mobile payroll need to consider how to mitigate the inevitable hardware security risks and balance the cost of supplying company technology against the lack of control involved in allowing access via personal devices.
Mobile Payroll Data Security Concern #2: The Software
Given the predominance of malware in the app market generally, the tech-savvy organization will want to be reassured that the payroll app it is purchasing and distributing is as advertised; i.e., not only effective and functional but also benign. In the wider app marketplace, checking digital certifications and third party-endorsed code signing certificates (which offer reassurance that the code has not been amended since the certificate was signed) are ways of ensuring an app’s trustworthiness. A good question to ask of a potential app provider is: ‘what security measures were built into the app development process to ensure code integrity?’
Mobile Payroll Data Security Concern #3: Compliance
Finally, there is the question of whether the app’s functionality can securely manage the payroll data in line with relevant legislation. This is of particular concern to multinationals that must comply with differing legislation in different countries. Again, the Bloomberg research found, “The first challenge comes from countries having different rules about not only privacy but also breach notification. The European Union’s Data Protection Directive prohibits European firms from transferring personal data overseas to countries with weaker privacy laws, unless the recipients agree to adhere to the DPD’s standards. Japan has regulations regarding encryption. Korea has rules around solicitation.” There may even be different requirements concerning stored data and transmitted data. Bethany Larson, a partner at Deloitte & Touche specializing in risk, information security and application security, warns, “In a global organization…, You encounter risks of violating privacy information with the onward transfer of data [from one country to another]. You have to make sure that you’re properly authenticating all the users of the corporate system.” At the selection or procurement stage, this is part of ensuring that the app in question is fit for the intended purpose: can it comply with the relevant statutory requirements or not?
Mobile Payroll Data Security – The Bottom Line
Ultimately, this is one of the many mobile payroll facts that you need to know: employees are demanding less restricted personal access to their data, and employers are finding business advantages in leveraging more streamlined and ‘instant’ payroll functionality. It is this combination of factors that is driving rapidly increasing usage of mobile apps for payroll and HR. The Ernst & Young survey noted, “the pace of the adoption by organizations is unprecedented. Organizations therefore need to integrate quickly, compressing the time needed to identify potential risks and develop effective strategies and implement measures to address those risks.” Mobile access may be emerging as fundamental to modern payroll automation, but the discrete and specific security issues must be addressed at both a policy and a practical level if employee data is to be protected.