Protecting your recruitment database from theft

Security around recruitment databases seems to be a hot topic right now, perhaps as much as anything because the economic downturn has unfortunately led to increased redundancies within the recruitment industry, and redundancies are often associated with consultants starting up on their own with data 'acquired' at their former employer's expense.

An article on recruiter earlier in the year talked about this specifically:

http://www.recruiter.co.uk/recession-blamed-for-rise-in-recruitment-data...

Obviously the starting point for protecting your own data is to make sure that the contracts of employment you issue are as watertight as they can be, in most cases specifically detailing the conditions around ownership of data. That's one for your lawyers, but from what I've seen (a couple of our clients have successfully pursued former employees for this through the courts) it's not worth skimping on.

In terms of practical steps you can take with your data, there are a few things I'd suggest you review and implement, both from the perspective of controlling access and, should the worst happen, being able to limit the damage and pursue the offender.

The first thing to get out of the way is the contradiction at the heart of this: on the one hand you need to make the data accessible (recruiters need it to do their job, after all!), but on the other hand every bit of access is also an opportunity for someone to steal it.

The truth is that there is no complete solution to this. Recruiters need to see the data to do their job. (Yes, you could restrict this significantly, but in practical terms how is that achieved? Years ago we did have a client who appointed a 'Database Guardian', whose entire role was to act as the intermediary between the recruiters and the database: receiving requests from the consultants, running the search and sending them the results one at a time. Not recommended; they went bust a long time ago ;-) )

So one way or another, the consultants need to have access.

That said, there are still some things you can do to make sure that the type and level of access they have is appropriate.
In evolve, this means reviewing the many 'user access and permissions' options available to you under Global Admin, turning off everything the recruiter doesn't need to be able to access and restricting their ability to do certain things.

Examples include the 'Export to Excel' function (a consultant who can't bulk-export can't simply walk out with a spreadsheet), the enhanced security options for Candidate accounts (these implement a workflow check process that restricts access to candidate account details) and the scope of Dashboard views. There are lots of other useful options in there that aren't directly to do with security but cover things like making sure a particular process workflow is stuck to; one for another article probably, but do ask the support guys about it.

Next on the list is looking at how your consultants access the data.

One of the great things about the two-factor authentication system we use for evolve (the hardware key 'eToken' that each consultant has) is that it gives you two things. Firstly, only one person can be using each account at any one time, because logging in needs the physical token (so a consultant can't 'share' their username and password with a mate, for instance). Secondly, because each token is personalised with a digital certificate that is unique to that individual, you can show that activity on the system was carried out with that person's token, which is a far stronger link to them than a password that anyone could have known (both of these facts were material in the recent court cases I mentioned above).

This is one of the key security benefits evolve offers versus other online recruitment software solutions. Someday the other providers will wake up to just how inherently vulnerable username-and-password-only systems are; until then we'll continue to see things like the Monster hack of a year or so ago:
http://news.bbc.co.uk/1/hi/technology/6956349.stm

evolve version 4 included the ability to switch on login tracking for consultants (Global Admin > Users and Permissions > View Logins), which shows when each of them logged in to the system. It's worth actually reviewing this rather than just switching it on: out-of-hours and weekend logins, or a sudden burst of activity from someone who has just handed in their notice, are the sort of thing you'd want to ask about.
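To show the kind of review I mean, here is an added example (my own illustration, not evolve's code and not its export format) that reads a constructed 'who logged in when' report and flags consultants with repeated out-of-hours logins. The business-hours window, the threshold and the log layout are all assumptions you'd tune to your own office.

```python
"""Review a consultant login report for out-of-hours activity.

Added example: the log lines, the CSV-like layout, the business-hours window
and the threshold are all constructed/assumed; they are not evolve's own.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample report: "username,ISO-8601 login time", one login per line.
SAMPLE_LOG = """\
alice,2009-06-01T08:55:00
alice,2009-06-01T13:02:00
bob,2009-06-01T09:10:00
bob,2009-06-01T22:47:00
bob,2009-06-02T23:15:00
carol,2009-06-06T10:30:00
carol,2009-06-07T11:05:00
alice,2009-06-02T09:01:00
"""

BUSINESS_START = time(7, 0)    # assumption: the office day runs 07:00-20:00
BUSINESS_END = time(20, 0)
WORKDAYS = {0, 1, 2, 3, 4}     # Monday..Friday as returned by datetime.weekday()


def parse_log(text):
    """Turn the report into (user, datetime) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, stamp = line.split(",", 1)
        events.append((user, datetime.fromisoformat(stamp)))
    return events


def is_out_of_hours(when):
    """True for a weekend login or one outside the business window."""
    if when.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= when.time() <= BUSINESS_END)


def out_of_hours_report(events):
    """Map each user to the sorted list of their out-of-hours login times."""
    report = defaultdict(list)
    for user, when in events:
        if is_out_of_hours(when):
            report[user].append(when)
    return {user: sorted(times) for user, times in report.items()}


def users_to_review(events, threshold=2):
    """Users with at least `threshold` out-of-hours logins in the period."""
    report = out_of_hours_report(events)
    return sorted(user for user, times in report.items() if len(times) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, times in out_of_hours_report(evs).items():
        print(user, [t.isoformat() for t in times])
    print("review:", users_to_review(evs))
```

In the constructed data bob logs in late on two weekday evenings and carol logs in on a Saturday and a Sunday, so both are returned for review while alice (daytime logins only) is not. The point is not that out-of-hours work is wrong, but that it is the pattern worth a conversation, especially around someone's notice period.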

The final technique to consider is database seeding.

This approach seeks to minimise the risk of the data being copied wholesale (with the best will in the world, even if you lock access right down you can't be looking over a consultant's shoulder eight hours a day; they could just write things down), while offering you some prospect of catching someone who has managed to copy it.

To be effective, you will need a sufficient number of false records, and each of them has to be plausible: full contact details, a variety of email hosts, and nothing in the record itself that marks it out as a decoy to a consultant browsing the system. The contact details also need to route back to you, since the whole point is that you hear about it when someone mails or calls the seeded contacts.

The real power of this technique, though, comes from then making it widely known to the consultants that the database is seeded in this way.

At the very least this will probably prevent the data being mass-mailed if it is taken; more usually, in my experience, it puts the would-be thief off completely.

The other option, of course, is not to tell them and then make good after the event. I know of at least one data supplier in the industry who used this to great effect a number of years ago. My advice, though, would always be that prevention is much better than retribution (less time, and you don't make the lawyers rich!)
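To make the seeding idea concrete, here is an added example (my own sketch, not evolve's seeding feature) that generates plausible decoy candidates and later recognises them in a suspect mailing list. It goes one step beyond what I described above: rather than keeping a plain list of which records are seeds, it keeps only keyed fingerprints of the seeded email addresses, with the key held outside the database, so someone who copies the whole table can't simply filter the decoys out. The names, towns, job titles, email hosts and record layout are all constructed assumptions.

```python
"""Seed a candidate table with plausible decoys and detect their later use.

Added example, not evolve's own code. The record shape, name/town/title lists
and email hosts are constructed. The seed register holds only HMAC fingerprints
of seeded addresses; key and register live outside the candidate database.
"""
import hashlib
import hmac
import random

# Assumed fields: what a consultant would see on a candidate card.
FIRST = ["James", "Sarah", "Daniel", "Emma", "Thomas", "Lucy", "Robert", "Hannah"]
LAST = ["Walker", "Hughes", "Patel", "Morgan", "Bennett", "Khan", "Fletcher", "Reid"]
TOWNS = ["Leeds", "Reading", "Bristol", "Glasgow", "Norwich", "Swindon", "Derby"]
TITLES = ["Recruitment Consultant", "Account Manager", "Payroll Administrator",
          "Business Analyst", "HR Advisor", "Credit Controller"]
# Spread of ordinary-looking hosts; in practice these are mailboxes you control.
HOSTS = ["gmail.com", "hotmail.co.uk", "yahoo.co.uk", "btinternet.com", "live.co.uk"]


def make_seed(rng):
    """Build one decoy candidate with complete, ordinary-looking contact details."""
    first, last = rng.choice(FIRST), rng.choice(LAST)
    style = rng.choice(["{f}.{l}", "{f}{l}{n}", "{fi}{l}{n}"])
    local = style.format(f=first.lower(), l=last.lower(),
                         fi=first[0].lower(), n=rng.randint(10, 99))
    return {
        "first_name": first,
        "last_name": last,
        "email": f"{local}@{rng.choice(HOSTS)}",
        "phone": f"07{rng.randint(100000000, 999999999)}",  # UK mobile, 11 digits
        "town": rng.choice(TOWNS),
        "job_title": rng.choice(TITLES),
    }


def fingerprint(email, key):
    """Keyed fingerprint of a normalised address; without the key it reveals nothing."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def seed_database(records, count, key, seed=None):
    """Append `count` decoys to `records` (the stand-in candidate table).

    Returns the seed register: a set of fingerprints to store away from the
    database together with `key`. `seed` fixes the RNG for repeatable demos.
    """
    rng = random.Random(seed)
    register = set()
    seen = {r["email"].lower() for r in records}
    while len(register) < count:
        decoy = make_seed(rng)
        addr = decoy["email"].lower()
        if addr in seen:           # never collide with a real or existing decoy
            continue
        seen.add(addr)
        records.append(decoy)
        register.add(fingerprint(addr, key))
    return register


def seeds_hit(recipients, register, key):
    """Addresses in a suspect mailing (e.g. a forwarded mailshot) that are seeds."""
    return sorted(r for r in recipients if fingerprint(r, key) in register)


if __name__ == "__main__":
    key = b"held-by-the-admin-not-in-the-db"   # assumption: kept outside the database
    table = []                                  # stands in for the candidate table
    register = seed_database(table, 3, key, seed=1)
    for row in table:
        print(row)
    suspect = [table[0]["email"], "someone.else@gmail.com"]
    print("seeds in suspect mailshot:", seeds_hit(suspect, register, key))
```

When a mailshot or enquiry turns up at one of the seeded mailboxes, you run the recipient list (or just the one address) through `seeds_hit` to confirm it was a decoy rather than a genuine candidate. The fingerprints normalise case and whitespace so a thief re-typing the addresses doesn't slip past the check, and because the register and key are never stored in the candidate table, a copy of that table gives no clue which records are the plants.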
