Avoid a data breach through your ATS: 6 ways employers can protect themselves
A data breach through your ATS is serious business. Job applicants assume, as they should, that their data will be protected. Employers must take this trust seriously and prevent others from accessing applicant information.
The recent news about the Equifax data breach has put many business leaders on edge. Especially for large employers, the question of a data breach is not really an “if” but “when.”
When an applicant gets far enough along in the hiring process, you have their address, Social Security Number, private comments about the application, salary history, criminal history, and when you hire them, probably their bank account. Now imagine that all that gets stolen–for thousands of people.
Saïd Radhouani, Ph.D., Co-founder of Nextal, says there are multiple reasons to pay attention to data protection right now. “First, it is the law. Some personal information is not meant to be public. Several countries and states have data privacy laws to govern how personal data is stored and handled. A second reason is the reputation of the employer. Nowadays, data breaches have become a juicy topic for the media. The way an employer handles personal data—and a data breach—can significantly impact their reputation. Having a bad incident can make a company lose potential business opportunities. A third reason is simply that the candidates and employees expect their employer to keep personal data confidential.”
Consider the costs of a data breach:
- The down time due to the distraction away from current projects and tasks
- Reduction of your talent pool due to damage to your reputation
- Lost business opportunities and customers due to lost trust
- Actual cost of professional services to enhance your systems
- Lost productivity due to disengaged employees who have dropped their trust in, and loyalty to, their employer
- Plummeting stock prices
Data breaches are on the rise, and the weakest link is your own people
The number of data breaches is growing year over year, according to a report from Breach Level Index, a database that Gemalto maintains on worldwide data breaches. Radhouani says that identity theft “has been the number one data breach type for the last 4 years. Since ATSs contain this type of data, they can be a potential target for hackers.”
Outside threats are serious, but don’t ignore the internal threat, says Radhouani. “For example, a malicious insider, an accidental loss, or any other negligence can cause a serious data breach.” (There are more examples of these internal breaches than you might think.)
Even when companies have top security capabilities, “people remain the weak point,” he states. “More specifically, passwords are always the big source of problems. When passwords are too easy to be guessed, access to the system becomes easy and data breaches are inevitable.”
Six ways an employer should safeguard its data
1. Audit your ATS. Radhouani suggests working with a security specialist, who can do an audit of your ATS and make sure that the data is governed the right way. Especially, he says, “pay attention to the password management and internal negligence.”
2. Get rid of the logon process. It is worth discussing why job applicants need passwords to begin with. In Steve Gifford’s “Just stop asking—Identity theft meets your ATS,” he writes “Your applicants are only going to apply for one job.” If you find that to be true for your organization, it raises the question of why you have a logon process at all. The applicant won’t be back to log in again, at least not for a long time. Gifford has this advice:
If you don’t want the information misused, don’t collect it.

3. Ask for sensitive information further into the process. This should really make you question asking all applicants for sensitive information in the beginning of your process. Most of those people won’t get hired. Imagine a data breach that compromises information of thousands of people who never even became part of your company, and yet you are now responsible for responding to their concerns.
4. Wipe data clean when you no longer need it. If you want to keep all that data to be able to track the effectiveness of sources, and other sourcing trends, have a plan for when IT can wipe it clean. For example, after you conduct a meta-analysis of applicant data, consider whether the risk of keeping all the raw data outweighs the benefit of having it on hand.
5. Train your employees in cyber security. This is one of the biggest prevention measures you can take. When they learn to be less careless, your risk goes way down. For example, their passwords could probably be much stronger, and they could change them more often. (And no cheating—they can’t go back to using an old password.) Are they too trusting of email attachments from external senders, or even phishy-looking emails? Provide wi-fi hot spots to employees who work from coffee shops or other public locations that have unsecured (read: dangerous) wi-fi. A tip from employment lawyer Jon Hyman is to train employees to report lost devices immediately to IT. He writes, “IT must have the ability to remote-wipe a missing mobile device. Guess what happens, though, if an employee’s first call upon losing a phone is to their mobile carrier? The carrier turns off the device, and your organization loses the ability to remote wipe any data from it. Employees should be told that if they lose a mobile device, their first call should be to IT so that the device can be wiped of any corporate data.”
6. If the worst happens, have a plan. To be able to respond effectively in the event of a data breach, Littler, a global employment and law practice, recommends that employers consider the following:
- Train a response team in how to comply with data breach notification regulations
- Conduct simulations to test the effectiveness of your response plan
- Develop template notification letters