To the best of my knowledge, this doesn't violate any existing or forthcoming regulations. It's important, of course, to double-check with corporate attorneys.
That being said, take some time to understand how the emails are being generated and whether the system that sends them has full Social Security numbers (SSNs) stored in it. If it does, find out how those numbers are being stored (encrypted, hashed, etc.).
There are also several other important questions to ask. For example: How is the payroll data moved to whatever system generates the email, and who has access to that system? Is the data encrypted in transmission? Is this part of an outsourced function or is it all being done in-house? If in-house, is the system being properly patched and maintained? If outsourced, what are the provider's processes and procedures for maintaining the security of the data, including patching and configuration management, as well as how this data is segmented from other customers? This may seem like a lot of questions, but the security of the data is worth it in the long run, so don't be shy about sharing any concerns with the payroll system architects.
For more information:
- Is it illegal to ask a fellow employee for his or her password? Read more.
- Learn more about creating a policy that can help avoid disgruntled employee data leaks.
This was first published in November 2009