TriNet Group, Inc. (TNET) Earnings Call Transcript & Summary

Thank you for joining us today for our webcast on why privacy is important to your business. Before we begin, I'd just like to cover a few housekeeping items. This webinar is being recorded on January 27, 2021. After we conclude, please stay online. We'd like to ask you just 3 questions about how we did and what topics you'd like us to cover in future webinars. [Operator Instructions] Now I'd like to pass it over to Lisa Waggoner, Legal Counsel and Privacy Officer for TriNet; and Timothy Torres, Chief Security Officer for TriNet.

Good afternoon, and thank you for joining us for our webinar today. First and foremost, this presentation is for educational purposes only. TriNet provides its clients with legally compliant HR guidance and best practices, but TriNet does not provide legal, tax or accounting advice. Just going to go over what we'll be discussing today in our webinar for our journey over the next 30 or so minutes. Today is a very exciting day, particularly for all of us privacy-conscious folks. So today, we will talk about the importance of Data Privacy Day and privacy. Why privacy policies matter. What causes privacy breaches. And what businesses can do to thwart them. What to do if you personally receive a breach notification letter and how to ensure privacy on your mobile devices and any social media accounts. First, we'll start with privacy. What does privacy mean to me as the privacy officer at TriNet? Specifically, privacy means to me, protecting the personal information that is entrusted every day to our company. More granularly, data privacy day is focused on the use in governance of personal data. Certain things like putting policies in place to ensure that the consumer's personal information we collect and share and use is done in appropriate ways. We'll talk about privacy policies in a few minutes. Timothy, do you have any thoughts as our Chief Security Officer on what privacy means to you?

I do. Thanks, Lisa. So from my perspective, the concept of privacy, to me, I default to a right and expectation that our customers and colleagues have regarding their personal information they've entrusted us to honor and protect against unauthorized access and use. And starting with that principle, I think the conversation can unfold, but that's where I go with when I think about privacy.

Today is Data Privacy Day. What does that mean? It's a day, January 28, that is used to raise awareness and promote privacy and data protection best practices. It should be a reminder each year to all of us to review how our data is used. It's an excellent opportunity to take stock and evaluate our own personal cybersecurity. Timothy, will you share with us some tips that people can take to evaluate and protect themselves from a privacy and security perspective?

I sure will. So when I think about the problem we're trying to solve, we really have to contextualize the scenario that we all are involved in, in protecting our own selves. It starts with mindfulness, and it's really the human element. And I think the first question you have to ask is, who are these -- who are the bad guys trying to get access to your information, whether they're fraudsters, criminals, scam artists, maybe even sometimes, unfortunately, insiders to organizations that have ill intent. And why do they want this information? And what can we do to protect the likelihood that information is accessed or used? And for my lens as the Chief Security Officer at TriNet, I think about the world, currently, the identity theft that we see in the news, ransomware, information that's being accessed can be prevented many times if people take some very basic practices to protect that information. And it starts with understanding where your data is stored, your devices that you use and understanding how you communicate. So if you stop and think about your computer. The first thing you should do when you access your device is to start with the privacy settings. And this includes all new applications, new social media and programs that you use. Start with trying to ask the question, who has access to this, and what can I do to limit that to what's appropriate. And there are often settings that you can use about data sharing, tracking of your location and third-party use. I would always recommend opting out all of those settings and/or only use them when you need to access the application if needed. I would also recommend avoiding using public WiFi. This is especially important because you have to understand that at Starbucks or at the airport or hotel, those WiFi networks, those wireless networks are not secure. And so the communication that you are transmitting on those networks, you should assume that they can be tapped into and accessed. And so if you're using communication for banking or for shopping or any type of important information, I would avoid at all cost. And then there are other ways that you can avoid getting your information out there. I would avoid taking online quizzes that gives away your information. I see a lot of times, people willing and ready to give out their information to the Internet to answer quizzes. And those small things could be used against you when the bad guys are trying to social engineer you and figure ways to reset your password or ways to compromise it. Lastly, I would say, if you can enable multifactor authentication for all communications, e-mail, banking, logging into your Amazon or any of the accounts that you use for shopping, commerce, banking, financial, I would always recommend enabling 2-factor authentication, which requires usually a code that is texted to your phone or a phone call so that if your password is ever compromised, the bad guys don't have your phone and phone number, they're not able to access your information.

Those are all awesome. My least favorite of the list is the online quizzes. They give away way too much information, and I'm convinced that it was a fraudster, that was the guy that came up with that idea. Thank you for that. And most of that stuff is all pretty simple everyday stuff that average folks out there like me can actually configure those settings myself and take care of all that stuff. Next, we're going to talk pretty briefly, but I want to touch on privacy policies. You'll see there, there's a link to trinet.com that houses not only our privacy policy, but we have a whole page on trinet.com for privacy. There are some frequently asked questions there. There's our privacy and security white paper that has a lot of information about our security controls and our privacy at TriNet. But also our privacy policy is there, as well as if you're a resident of California, our California -- our CCPA portal, or a link to the portal is there, where you can request access to your data that TriNet houses on you. But back to privacy policies. Privacy policies are a legal document that disclose the ways in which a website processes, store shares and protects user data. Basically all websites interact with and collect data from the visitor in one way or another, and a privacy policy is vital to ensure that your website complies with legal obligations. Unfortunately, right now, in the United States, we don't have a federal privacy law that designates country-wide rules for privacy policies, but some states have their own regulations in place. So for example, California, again, they're pretty on top of things. It requires that commercial websites that collect personal information on California consumers post a privacy policy and comply with it. There's other things like handling data miners and using third-party processors and cookie consent, and they have their own special rules as well and are things that should be included in a privacy policy. The TriNet privacy policy explains what information we collect and why, how we use it and how we share it. It says what we do. And then what's even more important is that we do what we say and live up to what we actually print in that policy. You should go take a look at our privacy policy and the rest of our information that we have on trinet.com/privacy. We're going to move on to the next topic, which is sometimes sensational and sometimes daunting, privacy breaches. So typically, it's most common that breaches happen when an individual's personal information is stolen, lost, or mistakenly disclosed. But they also include unauthorized collection or unauthorized access to personal information or the failure to take reasonable steps to protect that information. A few common examples of breaches of privacy are accidentally sending an e-mail that contains personal information to the wrong person. This could happen very easily. If your computer autopopulates the recipient's e-mail address in the To: line. Unfortunately, I've been guilty of that myself. So it's always important to take an extra couple of seconds to look at the To: line and the recipient on an e-mail to make sure that if you wanted to send a joke to your friend that you're not accidently sending it to your boss. The next thing that could happen is loss of hard copy files of personal information. Luckily, most things are paperless now. So we don't see this as often as we did, say, 10 years ago. Another thing that can cause a breach of privacy is disposal of personal information in a nonsecure manner. This isn't just paper because like I said, there's not much of that around anymore, but it's also electronic info, and there are requirements and things that you can do to safely dispose of electronic information. And I'm sure, Timothy, you have some thoughts on that. And then another example would be having a colleague who decides they want to look up personal information about a friend or a family member out of curiosity, not because they need it for work. So that would also be an example of unauthorized access to personal information and could result in a breach of privacy. So I'm sure everyone's familiar with all the headliner data breaches. We have Equifax, Home Depot, Target. Unfortunately, these things can happen to almost any company that houses large amounts of personal information at any time. Let's take Target, for example. And the things that I'm going to call out very specifically are because Timothy will speak to them after I give a little summary of what happened. So the attackers in the Target data breach, they backed their way into the Target corporate network by compromising a third-party vendor. They sent a fishing e-mail that duped at least one of the vendor's employees. And then that allowed them to install a piece of malware on the vendor's computers. And then with that piece of malware, they were able to take the vendors logging credentials. Once they got the vendor's logging credentials, they worked to figure out how they can subvert and get into Target's internal network. When they got into Target's internal network, unfortunately, then they found a vulnerability that they were able to exploit, and they accessed Target's point-of-sale system and stole millions of credit and debit cards. Another unfortunate thing that happened was while the attack was in progress, there was monitoring software, and it did alert the staff in Bangalore, India. They, in turn, notified Target staff in Minneapolis, but no action was taken. Then what unfolded was those cards were sold on the black market and Target ensued a massive investigation and ended up spending lots of money, not only on their investigation, but as well as what they needed to pay out to consumers. I'm hoping, Timothy, that you can share with us some security practices that could help small and medium-sized businesses thwart some data breaches or something like this that could happen to any of us?

I can absolutely do that. Thank you, Lisa. So from the security side, you have to again go back to what I originally stated is who are the bad guys, what do they want? And in this case, they wanted access to credit card information that Lisa already mentioned, has a monetary value on the black market. And in doing so, the adversary zoomed in on an organization, Target, that had already information publicly available about who their third parties were. The first lesson learned is to limit as much information as possible about your organization to a need-to-know. And I would say that, in many cases, the public doesn't need to know who your third parties are. And in this case, because that information was public, the adversary was able to perform what we call reconnaissance, which is looking for information that they can use to compromise you. They found the third party, they were able to go after that third-party through a fishing attack. And what we at TriNet and what we recommend to our customers and good practices, is to have a high awareness with your workforce. It's important that you understand that the human element is the weakest link and can be your greatest asset. And so in doing so, you think about ways that you can prevent or reduce the likelihood of social engineering. Fishing awareness is very important. And what we recommend is to create a culture of awareness around using e-mail and also using the Internet. So that individuals are thoughtful and mindful about what the new world that we live in entails regarding adversaries using fishing as a common way to lure people into clicking links, downloading attachments or even giving information out. And so that was the big lesson learned that many of you could apply. Along the way, there's also things like multifactor authentication that I talked to earlier that prevents remote access from being able to be used if they compromise a user. Also, that access, once that access is used, if it's compromised, it should be limited to minimum necessary. So -- and no vendor should have full access to your network or to your data. And so that if your vendor or your third-party is compromised, they should have limited access so that they're not able to exploit that and access further data than that third-party should have access to. Additionally, I recommend conducting risk assessments on your third parties. I recommend characterizing which of your third parties are the most critical that have access to data, that process or store your data and so that you can institute controls to reduce the likelihood of a third-party breach. And in addition, I recommend monitoring them regularly, not just assessing at one point in time, but performing regular monitoring so that you understand if anything changes in their environment, you're alerted and that you're able to help reduce the risk in that space. Lastly, all of the tools that you use on your network to monitor email alerts, anything for anti-malware or any kind of alert that you have from a security standpoint. I recommend that you monitor and react to those as appropriate. In this case, one of the major lessons learned was that the team that was monitoring these alerts, there was a deficiency in their process that led to this incident lasting longer than it should and not being contained and minimized as it should. And obviously, no organization is perfect, but there are good hygiene practices that we recommend you take to reduce the likelihood and impact of a loss event.

Thanks. So what happens? I got a data breach, oh no. So I would venture to say, everyone listening, if you haven't, you will very soon receive a data breach notification letter. I've lost count of how many I've got over the years. Every year, millions of people get data breach notification letters. So what should you do if one lands in your mailbox? First of all, don't panic, just pay attention. A breach of personal data triggers mandatory notification laws in all U.S. states and U.S. territories. So again, chances that you're going to get one, if you haven't already, are pretty good. But a breach letter doesn't mean you'll become a victim of fraud or identity theft. It just means that something happened that could put you at risk for fraud or identity theft. If you receive a breach notification letter, it doesn't mean you'll become a victim. It simply means that something happened that could put you at risk of fraud or identity theft. Most breach notification letters come with an offer of free credit monitoring. If you get an offer, take it, it's like going to Costco and there's free samples at the end of the aisle. I would never pass them up, and you should never pass up an offer of free credit monitoring. Additionally, several of my credit cards come with free credit monitoring now. So I recommend signing up for them as well, even if you haven't been a victim of a data breach, that's super helpful. A few years ago when I went and bought a car and applied for credit, I literally wasn't out of the dealership door, and I had 3 different alerts telling me that my credit was pulled. Had it not been me applying for that car loan, I likely would have been in the middle of the catastrophe, trying to clean up a mess as someone pulling credit in my name. There's other things that you can do. Certainly, you should keep the notice, read it, take the time to read it, don't just throw it in the trash. Keep it in case, for some reason, your data -- you're ever a victim of fraud, you have a backup that you were a victim in this particular data breach. Review the breached accounts, figure out what information was compromised. You can look for unauthorized activity on that account, make sure that all your personal information on that account is still the same. So check things even as simple as the address and phone number to make sure none of that was amended. Then pay extra attention to your accounts and billing statements, particularly if it's a financial account and check for charges that aren't yours. You can check your credit report to watch for other fraud. So about 30 days after you get that breach notification letter, which should be long enough for fraudulent activity to show up, you can go to annualcreditreport.com and get a free copy of your credit report from actually all 3 of the major credit bureaus. Take a look at them and look for any unusual activity, investigate the suspicious activity and stay on top of it until everything is resolved. You can also look for signs of fraud in medical files or insurance claims or in public record as well. In fact, one of the credit cards that I was mentioning that offers the free credit monitoring, they give me alerts if something happens in public records as well, humbly enough, today, I got -- my e-mail account was compromised, and they told me, this is through one of my credit cards, it was my e-mail address and my phone number, and it actually said, no, my password wasn't involved. And then change all of your user access credentials, not only to the account that may have been compromised. But if you use that same password, which please don't use the same password for multiple accounts. Change all of the passwords on all of your accounts, but always try to use unique and difficult-to-guess passwords. Lastly, you can place a fraud alert on your credit file. And this is an alert that's placed with any of the 3 major credit bureaus, and it signals to potential creditors that you could have been a victim of identity theft. At the end of the day, again, just don't panic, be vigilant and review all your accounts and sign up for as much credit monitoring and as many alerts as you can get, and it will signal you or should signal you to any attempted fraud or identity theft coming your way. Our last topic is ensuring your privacy and security on mobile devices and social media. So the biggest way to ensure your privacy on a mobile device is going to start with good security practices. So I'm going to turn it back over to you, Timothy. If you could go over some of your recommendations that you have to maintain privacy and security on a mobile device.

Yes. So the first thing, again, that we want to understand is what are the risks associated with our mobile devices. And to answer that question, I think you should think about what your device actually has information about you. Wherever you go, whatever pictures you take, whoever you communicate with, whatever important data that you use for these applications, that information is on your phone and in many cases, is transmitting that information to third parties and to the cloud where a lot of repository store this information on your behalf, whether you know it or not. And so if you think about the problem in that context, you really want to zoom in on the access issues. So it starts with making sure your phone is locked, so that if it's ever lost, stolen or accessed by someone unauthorized, that there is the first control to prevent direct access to what's on your phone. After that, you have to then think about responsibly, what applications that you use. A lot of applications are designed by individuals who are not reputable vendors or don't design these applications with security standards. And so I would be very careful and mindful about what applications you use. A good tip is to -- if you hear about a very popular application, to wait for a while before you download it, because a lot of times, the applications are very popular in a short period of time, were not designed with security in mind and end up having security issues and privacy issues along the way. So I would spend time analyzing these applications that you use carefully. And also, I would ensure that your data is backed up to the cloud so that you have your data secure in a location in case that phone is lost, and you need that information. One other way that you can ensure that it's -- your phone and data is not accessed unauthorized on your phone is to -- or your smart device is to enable remote wiping. This allows you to be able to turn off that device remotely if you do lose it or are concerned that someone has that access to that information. And then also, one good tip is if you're at an airport or if you're somewhere in public, I would avoid using those publicly available free charging stations. There are known risks associated with plugging in your device and data being accessed in an unauthorized manner. So I hope these tips are helpful, and I think those are good measures to help reduce the risk of unauthorized access to your data.

Those little -- back in the day when we could travel, those little portable chargers for your cell phone, they actually work really good and last a decent amount of time. So there's absolutely no need to use an airport charging station. I have a couple of them and even on trips from the East Coast out to the West Coast, it lasts me the whole time, and I have plenty of juice. So thank you. That was awesome. Lastly, social media. So social media has become a place where people share news, pictures, personal views, nearly anything that's going on in their lives. Unfortunately, there's a large amount of information that people share on social media. And some of them can be pretty personal. And it does attract other viewers from outside your trusted circle of relatives and friends. There's someone somewhere who's recording much of what you do on social media. They might be ad companies, it might be vindictive acquaintances, but even worse, it could be cyber criminals who have an interest in your personal information on your social media page. So if you choose to use social media, just be cognizant of what you choose to share about yourself and be cognizant of your friends list and who you are sharing information with. When you use social media, there are certain things that we recommend that you do. First of all, making sure that your privacy settings are set appropriately. For example, choosing to make your whole profile private is a really good idea. I would say, never list any personally identifying information such as your birthday or your address. Never turn on your location to share your location or post, like, oh, I'm in Tahiti. The house is empty, the door's unlocked, go rob me. You just need to be really careful about the information that you're putting out there in social media. I think people don't realize sometimes -- I'm just doing this on my phone right here, what could happen. But believe it or not, I've seen more than my share of things that went wrong by people posting more information than they probably should have on social media. We appreciate you joining us today. I hope you were able to take something valuable from it. And I'm going to turn it over to you, Brandon.

Thanks, Lisa. And thanks to the audience for listening then today. For more information, visit trinet.com/privacy. Also, if you have a minute, please stay online for a survey. We'd like to ask you just a few questions about how we did and what topics you'd like us to cover in future webinars. Thanks, and take care.