Off shoring IT jobs lead to dramatic increases in Data Breaches per survey

By Les Rosen, Employment Screening Resources

A recent survey quoted in Security Management Magazine demonstrates the risk to privacy and data protection when it comes to “off shoring.”  According to a new survey, of the firms that outsourced IT jobs to other counties, about half indicted that their security has been negatively impacted. And 61 percent indicated their company had experienced a data breach.  The study noted data breaches occurred in just 35 percent of the companies that do not send IT jobs outside of the U.S.  The story, and more information about the study,  is available at:  http://www.securitymanagement.com/article/outsourcing-risk-006564 

This survey naturally raises questions as to the safety of sending Personally Identifiable Information (PII) of American job applicants off shore in order to prepare background checks.  A group  called ConcernedCRA now has more than 120 screening firms that have signed on to a standard that opposes sending Personally Identifiable Information (PII) offshore beyond U.S. privacy laws to be processed.  See http://www.concernedcras.com/.  A bill was introduced into Congress in June 2009 that would limit the offshoring of data without notice in the financial sector.  A shocking undercover investigation by the BBC in 2009 showed just how easy it was to purchase PII from a call center in India. Of course, identity theft can occur in the U.S., but once data physically goes beyond U.S. privacy laws, consumers have less resources and recourses. 

Employment Screening Resources (ESR) does NOT send U. S. applicant information outside of the U.S. for processing.  ESR takes the position that once data leaves the U.S., the data is beyond the reach of U.S. privacy laws and there is no meaningful recourse for a U.S. consumer.  ESR does all processing and preparation in the U.S.  in order to protect applicants and employers.  In some countries, it is a well known fact that U.S. identities are stolen and used for identity theft.  As a practical matter, someone in the U.S. has no ability to hire a lawyer in a foreign country to pursue legal action or contact a foreign police authority to get any action taken.  The only exception is where ESR is asked to perform an international verification and the information resides outside of the U.S.  Even in that situation, ESR goes to great length to protect applicant data. 

The bottom-line:  Before selecting a screening firm determine if that firm is processing information outside of the U.S. The risk is significant, even if the off shore facility is wholly owned or a subsidiary of a U. S. firm. An employer needs to have a full understanding of how data and privacy is protected once it leaves the U.S., and what duty is owed to job applicants in terms of notice that their data is going abroard.