Who “Owns” Your Company’s Data?

In the IT world times have changed, but is something critical being overlooked?

trojan-horse-outsourcing

Let’s review some quick history…
In the good ole days (1980-1995), companies hired an IT staff, bought computers, built a data center and hired programmers to write the code to process data in to information (remember VMS, Cobol, fortran, etc?).

Later (1995-2010) the industry evolved to the use of purchased software applications. Rather than building the software themselves companies purchased and configured the software, yet it ran on the company’s own dedicated computer hardware. Think software like Oracle Financials, SAP CRM, etc. For smaller businesses the use of dBase III, Lotus 123 transitioned to software like MS Access, Intuit- Quickbooks and Microsoft Exchange. That transition removed lots of the overhead costs associated with technical staffing and software maintenance.

Next (2010-now), came the transition to internet based “hosted” solutions. Now, companies no longer need to maintain their own data centers or hire staff to handle it. All you need is an internet connection, some software configuration and you are ready to go. This has been an efficiency boon to business large and small across the world. No data center to maintain and not so much worry about data security and backups. The data is now somewhere in the “cloud”. But now the question becomes… who can use that data and for what purposes?

Consumer Data Analytics – That’s Done

In the consumer space, anyone with half a brain knows that the reason Google and Facebook are worth billions is because they have provided irresistible tools that suck up personal data like a vacuum. That data is a virtual gold mine of information to marketers, company strategists, political operatives, government, police, etc. They day is coming when they will hand out phones for free (Obamaphones!), because the revenue to be gained from data collection makes it worth it. Heck they may even pay you to carry one. Most people have decided the value and convenience of those tools outweighs their discomfort about the privacy intrusion.

Business Data Analytics – That’s Coming

But what about a company’s proprietary data? Vendors of cloud based business software solutions have recognized that they have a commitment to their customer’s data privacy and security. Those customer concerns have been recognized and cloud vendors have worked hard to use encryption and other techniques to ensure that their client’s data is not stolen or tampered with. Okay so far, but the big question no one is asking is…. What rights do the cloud vendors themselves have to use your company and HR based employee data? Here is where the cloud solution vendors get very quiet. Think about the insights possible by aggregating thousands of company’s business data and the value of that information.

The Value of Aggregated HR/Payroll Information

For example, let’s just pick ADP and or Paychex. They process payroll for thousands of small businesses. They have very current information on payroll values, average wages, location of workers, etc. The ADP employment report is a widely recognized tool that Wall Street and economics analysts use to get an early indicator for the next move of the economy. That information is published by ADP and the public only perceives it as aggregated “national” information. But there is a whole lot more detailed information they actually have available. In fact it may be that a third party information aggregator has struck deals to get information from all the biggest payroll service providers and would be the ultimate information seller.

How is Payroll Data Valuable?

So now, say you are a national restaurant chain and are trying to identify the best location for your next restaurant. It would be insightful to identify the top zip codes for average wage and average wage growth. A location where wages are growing would be a preferred area to place a new store and the converse would be true as well. Areas with a shrinking wage base might be location to target for closure. Or say you are a national health care provider. Payroll providers know who makes payroll deductions for health insurance, for how much and how that is trending… all by location. For a health care provider, that information would be very valuable for deciding new markets to enter and ones to avoid. Payroll information has a lot of value.

Competitive Intelligence Value

Even more valuable is gross wage information for a company. Gross wage information for a company is a solid indicator of the trending health of a company. Growing company wages indicate a marketplace opportunity and conversely stagnant or shrinking wages indicate a business opportunity to avoid. To a potential new entrant to a market, that is valuable information. So the real question is, has your company’s payroll information (and trending) been sold to another party that one day becomes a market competitor? Things that make you go, hummm. Our discussion so far has only explored the data ownership situation for payroll data. Similar or even more serious concerns may exist in other functional areas that have “cloud” based services. For example company financial accounting software (Oracle, Intuit) or legal software (Legalzoom) or sales force management software (Salesforce.com). What rights do the cloud providers have to use that company proprietary data and how? I have not reviewed their service agreements but I bet it is a question they would prefer you didn’t ask.

Do You Even Care?

You may say that it doesn’t matter to you what they do with your company’s information. You might think… “If they can make money off of it, so be it”. Maybe one day the value of the provided business information will be enough to make it so that payroll services will be available for “free”, just like Facebook is for consumers. But, unlike the consumer space, business is war. It only makes sense to make sure those “free” cloud service aren’t actually a Trojan horse.

What about company data that contains employee’s personal information?

This is a sticky one. It is one thing when an individual elects to voluntarily turn over their personal data in exchange for the convenience provided by “free” tools like Facebook. It is a different situation when an individual’s personal data is entered in to a Human Resources information system used by their employer. That is not voluntary and the individual has no control over that data or where it goes. As a business owner, charged with safeguarding your employee’s information, you have a responsibility to ensure that the vendors you select to use that information are not putting your workers at risk for identity theft.

Getting things in Writing

Any time your company makes the decision to outsource your payroll or other information systems processing or IT infrastructure you are exposing yourself to the risk that the vendor you selected uses your company’s information in ways that you may not have intended. If your company uses a PEO or is considering joining one, you need to ask them to provide agreement language that spells out what the terms are for the use of your company’s proprietary information. Things to consider may include:

  • Who are all the named parties that will have access to your company’s information?
  • What rights and prohibitions does the vendor (and their vendors) have with your company information?
  • What is the outsourcing vendor’s liability in the event of a data breach or hacking incident?

This is by no means an exhaustive list of concerns to address, but should provide a starting point for a conversation with current or potential outsourcing vendors. Welcome to the cloud computing era.

image courtesy of Ervins Strauhmanis at Flickr.