New CA Law Regulates Offshoring Personally Identifiable Information (PII) of Consumers Used in Background Checks

By Thomas Ahearn, ESR News Editor

A recently signed California law appears to be the first in the United States to regulate the “offshoring” of Personally Identifiable Information (PII) of U.S. consumers used during background checks – such as names, dates of birth, addresses, Social Security numbers (SSNs), and financial data – overseas and outside the U.S. and its territories.

In September 2010, Governor Arnold Schwarzenegger signed into law California Senate Bill 909 (SB 909), which addresses the issue of personal information being sent offshore. SB 909 – which takes effect January 1, 2012 to allow time for background check companies to provide new releases to employers or modify online language – amends the California Investigative Consumer Reporting Agencies Act (ICRA) that regulates background checks in California and requires that a consumer must be notified as part of a disclosure before the background check of the web address for “information about the investigative reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories.”

If a background check company does not have a web site, then the background check company must provide the consumer with a phone number where the consumer can obtain the same information. In addition, the background check company’s privacy policy must contain “information describing its privacy practices with respect to its preparation and processing of investigative consumer reports.” Specifically, background check companies in California (and firms that do business in California) must have a statement in their privacy policy entitled “Personal Information Disclosure: United States or Overseas” that indicates whether the personal information will be transferred to third parties outside the United States or its territories through the process of offshoring.

SB-909 defines “third parties” as including, “but not being limited to, a contractor, foreign affiliate, wholly owned entity, or an employee of the investigative consumer reporting agency” and also requires a “separate section that includes the name, mailing address, e-mail address, and telephone number of the investigative consumer reporting agency representatives who can assist a consumer with additional information regarding the investigative consumer reporting agency’s privacy practices or policies in the event of a compromise of his or her information.” In the event a consumer is harmed by virtue of a background check company negligently sending data offshore, SB-909  provides for damages to the consumer.

As reported earlier on ESR News, the practice of offshoring – whether personal information or jobs – can have a negative impact on network security since, for all intents and purposes, once personal information is sent offshore outside the U.S. it is beyond the reach and protection of U.S. laws in cases involving identity theft or privacy issues. Also, offshoring of Information Technology (IT) jobs can lead to increases in data breaches.

According to a 2009 security survey of 350 network administrators and IT executives executed by Amplitude Research and commissioned by VanDyke Software, more than two-thirds (69 percent) of respondents felt outsourcing technical jobs offshore had a negative impact on network security while only 9 percent felt it had a positive impact. In addition, the security survey found:

  • 25 percent of respondents in the survey belonged to companies that outsourced IT jobs to other countries.
  • Of these outsourcing firms, about half said their security had been negatively impacted and 61 percent said their company had experienced a data breach.
  • In contrast, only 35 percent of companies not outsourcing reported a data breach.

The security survey naturally raises questions as to the safety of sending Personally Identifiable Information (PII) of American job applicants offshore in order to prepare background checks. A group of more than 120 Consumer Reporting Agencies (CRAs) called ConcernedCRAs opposes the practice of offshoring Personally Identifiable Information (PII) of U.S. citizens outside the country to be processed beyond U.S. privacy laws.

A member of ConcernedCRAs, Employment Screening Resources (ESR) does not offshore Personally Identifiable Information (PII) and all domestic background checks are performed exclusively in the United States. ESR does all processing and preparation in the U.S. in order to protect applicants and employers, the only exception being when performing an international verification using information residing outside the U.S.

To read more about offshoring on ESR News, visit articles tagged ‘offshoring’ at:

To read California Senate Bill 909, visit:

Founded in 1996 in the San Francisco Bay area, Employment Screening Resources (ESR) is the company that wrote the book on background checks with ‘The Safe Hiring Manual’ by ESR founder and President Lester Rosen. Employment Screening Resources is recognized by The National Association of Professional Background Screeners (NAPBS®) as Background Screening Credentialing Council (BSCC) Accredited for proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information about Employment Screening Resources, visit or contact Jared Callahan, ESR Director of Client Relations and Business Development, at 415.898.0044 or