When pay equity advocates sued the White House and Equal Employment Opportunity Commission for pulling back the pay data reporting portion of an annual workforce survey, they wanted the EEOC to have the ability to direct anti-bias enforcement efforts.
They also wanted to use the data to provide training on how to address pay discrimination charges, Democracy Forward senior counsel Robin Thurston told Bloomberg Law. The Washington, D.C.-based nonprofit was one of the plaintiffs in the lawsuit against EEOC and the White House’s Office of Management and Budget.
Now that a federal judge has ruled that the EEOC can begin collecting the data, employers and government cybersecurity pros warn that collecting the detailed information could put employees at risk of identity theft and companies at risk of having talent poached.
Collecting bulk amounts of sensitive personal data is a risky endeavor for any agency because government-controlled data is subject to a high hacking risk, former U.S. officials told Bloomberg Law. Agencies must balance the benefit of collecting the against the risks of it falling into the wrong hands, they said.
If the data does fall into the wrong hands, worker identities could be stolen, or competing firms could poach talent by knowing how much employees earn.
“One of the lessons of the last few years for both the federal government and the private sector alike, is that large—seemingly innocuous—data sets are attractive to our adversaries, especially when paired with other data sets at speed and scale,” Lisa Monaco, former White House homeland security adviser and co-chair of the Aspen Institute’s cybersecurity group, said. Agencies should think about the data sets they hold and ask whether the information is “being treated consistent with the risk, should it be exposed,” she said.
Drilling Down on Data
The data at stake is a comprehensive breakdown of a company’s workforce, collected establishment by establishment, showing information that drills down to the individual worker’s demographic. Employee data is organized into categories of race, sex, ethnicity, and one of 10 job categories, and then sorted into a designated pay band, one of 12. The result is a grid that shows an individual establishment’s intersectional workforce diversity.
That grid is then turned over to the EEOC for analysis, and to help the agency target outreach efforts intended to limit discrimination.
To its credit, the EEOC doesn’t have glaring cybersecurity or data security problems, according to a government-ordered fiscal year 2018 audit report. The agency “generally had sound information security controls” but could further protect the confidentiality, integrity, and availability of its systems, the Brown & Co. report said, referring to the commission’s Federal Information Security Modernization Act compliance.
The EEOC, though, can’t let its guard down, former officials said. “As an agency that deals with protecting data related to complaints against an enterprise as well as enterprise survey data, the EEOC needs to have a strong security program,” Joe Stuntz, who served on President
Employers submit the information annually using the Employer Information Report EEO-1. The EEOC didn’t request the pay data from employers when the EEO-1 report opened on March 18, but that doesn’t mean the agency won’t ask for the data before the submission deadline of May 31.
The agency issued a statement saying additional details are forthcoming but didn’t comment on whether the data will be collected before the deadline.
GOP members and attorneys submitting the information have expressed concerns about how the data will be secured and kept confidential, while Democrats and pay equity advocates have called those concerns false.
“Federal laws prohibiting pay discrimination must be vigorously enforced, but the proposed changes to the EEO-1 will do nothing to prevent pay discrimination while putting employees’ confidential pay data at risk,” Committee for Education and Labor GOP spokesperson Marty Boughton said.
On the other hand, an aide on the Democratic side of the committee told Bloomberg Law that no security concerns have been raised.
And Stuntz, now vice president of cybersecurity at One World Identity, said there are risks any time data is collected, but for EEO-1 data, much of it is already available online through other means.
A cybercriminal may “have an easier time using the available websites, like LinkedIn and GlassDoor, versus trying to get the data out of the EEOC,” Stuntz said. This social media data can be used in combination with other public information online to steal employees’ identities, he said.
Pay equity advocates say the EEOC has a long history of keeping such information private. It has collected workforce data since 1966 without issue, they said.
But that was long before the real-threat of government hacking attacks. The Office of Personnel Management was hit with a data breach in 2015 that exposed the Social Security numbers of 21.5 million people. In a separate 2015 attack, personnel records of 4.2 million current and former government employees were also stolen. The OMB still deals with fall-out from the breach, and other agencies need to step up to prevent future attacks.
“There’s a lot of work to be done across the government to adequately protect information,” said. Michael Bahar, co-lead of Evershields Sutherland’s global cybersecurity and privacy practice. Agencies are facing “state-of-the-art threats and need state-of-the-art protections,” he said.
Even if parts of the data are leaked, there’s enough information on the dark web already leaked from major hacking attacks against private and public-sector organizations. For example, a cybercriminal could use EEO-1 data combined with credit reporting bureau data to steal the identities of thousands of workers.
“The more information that is out there about you, the more chances there is a complete profile out there as well,” Bahar, former deputy security adviser to the National Security Council in the Obama administration, said.
Cybercriminals will use complete consumer profiles to launch identity theft campaigns, cybersecurity pros and former government officials said. There’s also a concern that foreign adversaries may use this information against companies to extract trade secrets and other confidential company and employee data, they said.
Competitors may also want to get in on the action.
“If I’m a competitor, and I’m trying to poach from your company, and I somehow get my hands on this data, and you’re the only person of that race and gender combination in the EEO-1 category at that location, I could easily figure out what it would take to lure you away from your current employer and over to my company,” said an attorney with experience preparing the data reports.
But, if the EEOC can keep the information secure, it is a worthwhile effort to combat pay disparity issues, Bahar said.
Security v. Litigation Concerns
Data breaches may be one concern for agencies trying to keep the EEO-1 data private. Freedom of Information Act requests, especially routed through other agencies, may be more worrisome for agencies.
“The EEOC can be hacked,” the Institute for Workplace Equality’s David Cohen said in an email. The agency has partnered with outside researchers to provide full access to EEO-1 reports in the past, he said.
“What sort of confidentiality agreements do they have with the researcher? What happens if the researchers release the data, either on purpose or on accident” Cohen said.
However, there is no evidence that data has been hacked “by a foreign government, or intentionally or unintentionally disclosed by a current or former EEOC employee,” attorney Alissa Horvitz of Roffman Horvitz told Bloomberg Law. FOIA requests are much more of a concern than security issues, she said.
The pay data collected by the EEOC, as well as the already collected workforce data, can be requested via FOIA through the Labor Department’s Office of Federal Contract Compliance Programs, according to the agency’s website. Some of the information might be subject to exemption, but it also might be readily turned over.
When soliciting the data through an OFCCP FOIA request, the companies in question are allowed “an opportunity to raise objections to the release of information pursuant to Exemption 4,” which protects “trade secrets and commercial or financial information obtained from a person that is privileged or confidential.”
But with the new pay information requirement, employers can no longer shun demands for pay data under the guise of burden, former EEOC director Lawrence Lorber told Bloomberg Law, even in litigation proceedings related to equal pay. He is now a partner with Seyfarth Shaw.
“Now you’re not going to be able to say we don’t have it, and we’re not going to put together a report,” he said.