  Mythological #004
"I Heard The Internet Isn't Safe."
We’d agree. Surprised? Don’t be. The fact of the matter is, you’re right. The Internet isn’t a 100% secure environment. Neither are banks or cars, and yet people still open savings accounts and entrust automobiles to safely tote their families around. Nothing exists that cannot be eventually penetrated, worked around, or otherwise convinced to reveal what’s inside. Security is a relative thing: effective only in comparison to what is less or more. On the one hand you have a bank, and on the other a hole in the ground. While both methods boast degrees of security, we’d all rather have our money in the vault than buried in our backyard.

But before one can decide on a bank vault, it’s important to evaluate what qualities comprise a thoughtful security system, and how the administrators define and maintain those qualities.

Any business partner entrusted with sensitive information should be able to provide information on how they address all security concerns, not just Internet-based vulnerabilities. Consider the whole lifecycle of the information:

  • Communication: How is information exchanged with third parties? Not just from you, but with other downstream parties necessary to complete business transactions (such as carriers). Are all such communication links secured and authenticated?
  • Storage: Where is the information physically stored? In a server that is physically accessible? A classic rule of computer security is that anyone with physical access to the hardware can eventually gain access to the information. What about backup copies? Are those afforded the same level of protection?
  • Access: How is internal and external access to the information authorized and audited? What is done to prevent accidental disclosure within the business partner?
  • Modification: What controls exist to authorize and audit changes to the information you have provided? Is such information available to you at your request?

The answers to these questions are critical in defining what a secure lifecycle actually means for your information. Without that knowledge, you’ve no idea if the bank vault is any better than the hole in the ground.

If your company isn’t using the Internet to enroll, then you are likely utilizing a paper-based system. This is tantamount to burying your employees’ personal information in the backyard and hoping no one notices. Examine the security risks involved with a paper-based system by paying special attention to points where the data is transferred, handed off, or otherwise manipulated by human operators. This allows the subtle vulnerabilities to surface.

The first flaw in the assumption that hardcopy data is protected begins with the employees themselves. Perhaps they fill out an enrollment sheet incorrectly and, before going to print out a new form, toss it in the trashcan. The trashcan is then collected, and the contents eventually find their way into a local dumpster. Not exactly the most secure location, is it? Think about what kind of information is lying there: Social Security numbers, addresses, phone numbers… the same type of information crucial to successful identity theft.

The completed enrollment forms are then given to HR, often via fax or e-mailed documents that need to be printed. This leads to papers languishing on the fax or printer where they are open to anyone passing by. When HR eventually keys the data into their system, they send the same fax or e-mail off to the carrier while filing their copy in a cabinet.

Assuming the information ever arrives, security risks at the carrier are similar to the problems identified at the HR level: mounting faxes or printed documents containing sensitive information available to anyone who happens to pass by, another copy keyed into the computer, and yet another copy shoved into a filing cabinet or even thrown out.

How can any of this be less secure than the Internet? Would you rather your data be stored in an environment shielded by state-of-the-art firewalls, encrypted data transfer, and a staff of vigilant IT professionals, or languishing in a discount file cabinet with a lock no bigger than a quarter? Or maybe that information hasn’t even made it to the cabinet yet, and is sitting at your fax machine or printer available for anyone who has the mind to grab it.

So what kind of security should you be looking for? What is the bar for the successful safekeeping of your information?

Encryption should be the rule governing every exchange of information. In the event of misappropriation, having your data encrypted will ensure that whoever obtains it cannot read it.

The choice of storage facilities is equally important. Is the server a single box running openly underneath someone’s desk, or is it an array of high-powered, dedicated servers situated in a temperature-controlled, flame-resistant environment that can only be accessed by authorized personnel with the correct identification cards? You’ll both want and need a powerful back-up system, and to know that these back-ups are being placed in a location as secure as the data itself. As a final effort towards redundancy, you’ll want to inquire about the company’s disaster recovery plan. Power outages on any scale and for any reason have the potential to disrupt the information exchange process, and you’ll sleep better knowing there’s a contingency plan in place for exactly this kind of situation.

Who has access to your data? Full-time employees who are answerable to the company, or contractors whose obligation and loyalty extend only as far as the contract? It’s important to gauge the level of dedication (and trustworthiness) among the people who will come into contact with your data. A reliable employee base whose livelihood depends on their full-time commitment to the company can translate into the type of accountability that will keep your sensitive information safe and secure.

You’ll certainly want to know how you can go about making changes to your data, and the verification process behind that system. Consider how many security filters the request needs to go through. Ask whether a change can be held in abeyance if a flag is raised regarding an inaccuracy and, if that happens, what notification procedures follow.

For the first quarter of 2004, the Census Bureau of the Department of Commerce found that online sales rang in at $15.5 billion, representing a 28% increase over Q1 2003's $12 billion. In 2003, the IRS reported 53 million individual returns were filed electronically. It's interesting to note that comScore Networks, a leader in the measurement and analysis of consumer behavior, found that 22 million users logged into their accounts in the nation’s top ten banks in just the first quarter of 2004, an increase of 29% from Q1 2003. Why all the statistics? Well, they help show that if this overwhelming number of people trust the Internet to conduct actions as information-dependent as shopping, direct deposit, and filing taxes, then is there really an argument that proves paper is inherently a better, more secure method for benefits enrollment?

Caution is advisable even when deciding upon an online solution. Be sure to take the time to understand that company’s capacities for secure data and how their technology copes with the unparalleled sophistication found in today’s viruses, worms, and computer hacking techniques.

The Internet isn’t 100% secure. But with the right kind of security measures, it makes a far more reliable and well-protected repository for sensitive information than paper ever will be.

Is Your Information Safe?
Online health benefits enrollment is a reality. It is now. It is today. Benelogic may not be your solution for this growing necessity, but by shattering widely held myths and providing educational content, we hope to further your understanding of what your company needs to be successful.

© 2008 Benelogic, LLC. All rights reserved