Securing Payroll Data in a Cloud Environment


Payroll data is a treasure trove for cybercriminals, and payroll professionals need to question applications, processes, and relationships with third parties to help ensure that data are secure, representatives of payroll-service providers said Sept. 27.

With payroll data often accessed through third parties that provide cloud-computing services, information about those arrangements needs to be understood for data-security purposes, said Bill Hicks, chief relationship officer with Ultimate Software Group Inc.

Hicks, who spoke at the opening session of the American Payroll Association’s Fall Forum in Indianapolis, said employers need to know how a third party segregates data to ensure secure access, and what encryption protocols are in place. This is in addition to knowing where data are stored, which could be abroad.

Employers should know how service providers authenticate the identities of those who are  allowed access, and to ensure that multifactor authorization is in place, said Stephanie Salavejus, vice president and chief operating officer at PenSoft.

Vendors should have documentation of cybersecurity and other policies, such as what happens if the vendor falls victim to a cyberattack or data breach, Salavejus said. Upon reviewing the documentation, employers should look for how revision dates on that guidance are updated, along with how often the policies are reexamined. If this documentation is not maintained and kept current, security gaps could develop, she said.

Third parties should meet accounting audit standards of the American Institute of CPAs and be able to provide a SSASE-16 compliance report compiled by an independent auditor. The report identifies and rates a vendor’s systems and controls for data and processing, Salavejus said.

When a data compromise occurs, a process needs to be in place to identify the gravity of the breach, and who or what was affected, Hicks said.  Efforts should be made to gather information surrounding the situation, he said.

Employers should complete a self-audit, knowing that cyberthieves are relentless, Hicks said. Tests and training of employees should be mandatory of employers, he said.

Cybersecurity is not one person’s job, Salavejus said; it involves everyone.

Take a free trial of Bloomberg BNA’s Payroll Decision Support Network, your one-stop resource for reliable, up-to-date guidance and analysis in every area of payroll administration and compliance.

Follow Bloomberg BNA on Twitter @BloombergBNA and join the Bloomberg BNA U.S. and Global Payroll group on LinkedIn.