Data breach risks even apply to your online job applications

Posted on Jan 30, 2019 :: Partner
Posted by Guest

Beginning with California in 2002, states have increasingly focused on data security. In June 2018, Alabama became the 50th state to enact a data breach law, completing a complicated patchwork of state regulations that dictate everything from how companies must store sensitive data to how many days they have to notify victims following a breach.

Given recent headlines about a string of high-profile data breaches at big box retailers, it’s easy to assume these laws were created to protect customers, not employees. However, in most states, any entity that collects and owns personal data is subject to enforcement — even small employers with the data of a handful of employees must adhere to the same guidelines as huge national corporations with the data of millions of customers.

Are you collecting too much?

When creating online job applications, most employers don’t think twice about requesting extensive personal information, from social media profiles to Social Security numbers. After all,
the more detailed information you have equals more insight into candidates, right? And presumably, more insight equals better hiring decisions.

However, not only are there restrictions on what type of data can be collected, but storing such information electronically adds another layer of risk. As states continue to pass increasingly tough laws, employers may need to reassess the types of data they collect and when.

Start slowly

Instead of loading an online employment application with every question you can think of, try asking less. It might seem counterintuitive, but consider what you’re really looking for up front and make sure each field has a distinct purpose. Many applicants will be weeded out immediately because they lack basic qualifications, such as required years of experience, and you won’t need further personal details to make that hiring decision.

The result of a shorter initial application is a win-win. Your company ends up storing less sensitive (and irrelevant) data, and potential applicants are met with a more straightforward initial application process.

Consider your compliance

Companies that don’t ask extensive personal questions on job applications are still at risk when it comes to personnel data, given that sensitive employee information is now handled almost exclusively electronically (think bank routing numbers, tax details, even biometric data like fingerprints and facial scans).

As technology adapts, so should your approach to data storage. Check to see if your state, or a state in which you do business, has recently updated its laws regarding data protection. Even if it hasn’t, regularly assessing how you handle your employees’ sensitive data is the first step in keeping it safe.

The key to remember is this: State data breach laws continue to evolve, with many becoming stricter and more complicated. Consider collecting only the necessary data and staying up-to-date on your state’s regulations.


Ann Potratz is an associate editor with J. J. Keller & Associates, Inc., a nationally recognized compliance resource firm. The company offers a diverse line of products and services to address the broad range of responsibilities held by human resources and corporate professionals. Potratz specializes in business topics such as discrimination and harassment, background checks and security. She is the editor of J. J. Keller’s Employment Law Today newsletter and Essentials of Employment Law manual. For more information, visit and