A Harvard University professor who ran a statistical analysis of online ads used by an Internet data broker website that suggested certain names may have arrest records uncovered what she described as possible racial profiling when she found the company’s advertising “disproportionately” used the word “arrested” for black-identifying names even when a person had no arrest record, according to the Huffington Post. The story is available at http://www.huffingtonpost.com/2012/11/25/racial-profiling-online-ads_n_2186409.html.
Just in time for the beginning of a new school year, which usually requires parents to fill out paperwork such as registration forms and emergency contact information, the Federal Trade Commission (FTC) offers child identity theft prevention tips in the blog ‘Protecting Your Child’s Personal Information at School’ to let parents know that many school forms containing the personal and sensitive information of their children could be used to commit fraud in their child’s name if the information falls into the wrong hands. To read the blog, visit: https://www.consumer.ftc.gov/blog/protecting-your-childs-personal-information-school.
In the first Federal Trade Commission (FTC) case to address the sale of Internet and social media data in the employment screening context, Spokeo, Inc. – a data broker that compiles and sells detailed information profiles on millions of consumers – has agreed to pay an $800,000 fine to settle FTC charges that the company marketed profiles to companies in the human resources, background screening, and recruiting industries without taking steps to protect consumers required under the Fair Credit Reporting Act (FCRA), according to a press release at http://www.ftc.gov/opa/2012/06/spokeo.shtm.
The Federal Trade Commission (FTC) has issued a staff report that compiles and updates the agency’s guidance on the Fair Credit Reporting Act (FCRA), the 1970 law designed to protect the privacy of credit report information and ensure that the information supplied by credit reporting agencies (CRAs) is as accurate as possible. The July 2011 report, “Forty Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report and Summary of Interpretations,” provides a brief overview of the FTC’s role in enforcing and interpreting the FCRA, includes a section-by-section summary of the agency’s interpretations of the Act, and also withdraws the agency’s 1990 Commentary on the FCRA, which has become partially obsolete since it was issued 21 years ago.
A list of top consumer complaints received in 2010 by the Federal Trade Commission (FTC), the nation’s consumer protection agency, showed that identity theft was the number one consumer complaint category for the 11th year in a row, with 250,854 – or 19 percent – of the 1,339,265 complaints received by the FTC related to identity theft.
In the Federal Trade Commission’s (FTC) first cases against credit report resellers for the data security failures of their clients, three companies that resell credit reports of consumers have agreed to settle FTC charges that they did not take reasonable steps to protect personal information of consumers and allowed computer hackers to access that personal information, according to a recent news release from the FTC.
Administrative complaints issued by the FTC showed the three credit report resellers bought credit reports from the three nationwide consumer reporting agencies – Equifax, Experian, and TransUnion – and added them to reports sold for use in determining consumers’ eligibility for credit. Because these three resellers allegedly allowed clients to access these reports without basic security measures such as firewalls and updated antivirus software, hackers accessed more than 1,800 credit reports without authorization through the computer networks of clients. The three credit report resellers also allegedly did not make reasonable efforts to protect against future security breaches even after becoming aware of these data breaches.
The three credit report resellers are charged with violating the Fair Credit Reporting Act (FCRA) by:
- Failing to protect their internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose to have them,
- Failing to maintain reasonable procedures to limit the furnishing of credit reports for such purposes, and
- Furnishing credit reports when they had reasonable grounds for believing the reports would not be used for a permissible purpose.
The failure of the three credit report resellers to protect personal information of consumers also allegedly violated the FCRA. In addition, the credit report resellers allegedly violated the Gramm-Leach-Bliley Safeguards Rule by failing to:
- Design and implement information safeguards to control the risks to consumer information;
- Regularly test or monitor the effectiveness of their controls and procedures, and evaluate and adjust their information security programs in light of known or identified risks; and
- Have comprehensive information security programs.
The proposed settlement, part of the ongoing campaign of the FTC to protect the personal information of consumers, would require the three credit report resellers to:
- Have comprehensive information security programs designed to protect the security, confidentiality, and integrity of the personal information of consumers, including information accessible to clients;
- Obtain independent audits of their security programs, every other year for 20 years;
- Furnish credit reports only to those with a permissible purpose; and
- Maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.
These cases show that the FTC will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports as required by the FCRA. These cases also send a strong message that companies giving their clients online access to sensitive information of consumers must have reasonable procedures to secure that information.
Consumer protection through data security makes up a critical part of the National Association of Professional Background Screeners (NAPBS) accreditation process. Since its founding in 2003, the NAPBS has believed that there is a strong need for a singular cohesive industry standard and created the Background Screening Agency Accreditation Program (BSAAP). Governed by a strict professional standard composed of requirements and measurements, the BSAAP is becoming a widely recognized seal of approval that brings national recognition to background screening organizations – also referred to as Consumer Reporting Agencies (CRAs) – that will stand as the industry “seal” representing a background screening organization’s commitment to excellence, accountability, high professional standards, and continued improvement.
The NAPBS Background Screening Credentialing Council (BSCC) oversees the application process and is the governing accreditation body that will ensure the background screening organizations seeking accreditation meet or exceed a measurable standard of competence. To become accredited, a CRA must pass an onsite audit of its policies and procedures as they relate to six critical areas of the BSAAP:
- ‘Section 2: Legal Compliance’ includes standards for: Designated Compliance Person(s); State Consumer Reporting Laws; Driver Privacy Protection Act (DPPA); State Implemented DPPA Compliance; Integrity; Prescribed Notices; and Certification from Client.
- ‘Section 3: Client Education’ includes standards for: Client Legal Responsibilities; Client Required Documents; Truth in Advertising; Adverse Action; Legal Counsel; Understanding Consumer Reports; and Information Protection.
- ‘Section 4: Product Standards’ includes standards for: Public Record Researcher Agreement; Vetting Requirement; Public Record Researcher Certification; Errors and Omissions Coverage; Information Security; Auditing Procedures; Identification Confirmation; and Jurisdictional Knowledge.
- ‘Section 5: Service Standards’ includes standards for: Verification Accuracy; Current Employment; Diploma Mills; Procedural Disclosures; Verification Databases; Use of Stored Data; Documentation of Verification Attempts; Outsourced Verification Services; Conflicting Data; Professional Conduct; and Authorized Recipient.
- ‘Section 6: General Business Practices’ includes standards for: Character; Insurance; Client Credentialing; Vendor Credentialing; Consumer Credentialing; Document Management; Employee Certification; Worker Training; Visitor Security; Employee Criminal History; Quality Assurance; and Certification.
Employment Screening Resources (ESR) is formally recognized as accredited by the National Association of Professional Background Screeners (NAPBS) Background Screening Credentialing Council (BSCC) for successfully proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com.
By Lester Rosen, President of ESR
Some employers may have read about new rules that went into effect July 1, 2010, that potentially affect the accuracy of employment verifications. For employers concerned about the new rules, the short answer is that they do not affect how and when an employer receives a background report. They also do not impact a standard response to a request for a past employment check. At most, they may only affect certain limited employers in their role as a “furnisher of information” to third parties as defined by the federal Fair Credit Reporting Act (FCRA).
For example, it has been suggested that the new rules could potentially impact an employer that is utilizing a third party services firm that routinely collects employment data such as payroll data or creates an employment database.
The new rules are at http://www.ftc.gov/os/2009/07/R611017factafrn.pdf. They stem from the Fair and Accurate Credit Transactions Act (FACTA) of 2003, which, among other things, provided consumers a means to obtain a free yearly credit report from the credit bureaus. The new law also required federal agencies to implement new rules aimed at promoting the accuracy and “integrity” of information that furnishers provide to consumer reporting agencies. A furnisher is a party that provides information. The main thrust of the new regulations is aimed at organizations such as banks, financial institutions and credit card firms that provide data to the credit bureaus that are used to create consumer credit reports.
Although ESR cannot provide legal advice and it is possible that future clarifications may come out from the Federal Trade Commission or other sources, it certainly appears that the regulations do not affect an employer that simply responds to a standard request for a past employment check, and do not impact at all employers that are users of background reports.
Please contact Employment Screening Resources (ESR) at www.ESRcheck.com if you have any questions.
By Lester Rosen, President of ESR
(Originally Posted on Toolbox for HR)
From the mailbox: Why shouldn’t employers simply do their own background checks in-house? They can hire people from the screening industry and can certainly figure it out.
Answer: First, the fact that a firm may be able to set up an internal screening program does not mean it makes sense. All sorts of professional services could be done in-house. Successful firms typically spend time and energy doing what they are good at (their core function), and they outsource functions that, although critical, do not need to take up in-house resources. Of course, if a firm is large enough it may make sense. Or if the firm has a special place in the market where there is a need to be able to tell people they control the process, then that may be a good reason to perform services in-house. Most successful firms outsource those HR endeavors that are unusually complicated or regulated, which would include many human resource services such as benefits, retirement planning and screening.
Secondly, it can be a trap to think that the federal Fair Credit Reporting Act (FCRA), the law that controls third party background checks, has no application to in-house processes. An employer that performs these activities in-house can easily hit an FCRA “tripwire,” thus invoking the FCRA. There are numerous examples. Hiring an out-of-state agency to pull a court record, for example, could, per an FTC staff letter, make what appears to be a non-FCRA investigation into an FCRA regulated activity. Accessing non-public databases can make it an FCRA event. California has applied some FCRA type rules on a limited basis to employers that do public record checks in-house. So unless every single thing an in-house department does is done by your own W-2 employees and you only access public records, you may end up tripping the FCRA. Our advice is that even if done in-house, act as though the FCRA applies.
One argument made in favor of in-house processes is that a firm can conduct better reference checks because it knows what it is looking for. Verifications are an interesting issue. There are two types of verifications. Managers may call to determine if someone should be hired. Screening firms are typically called upon AFTER a tentative hiring decision has been made for the purpose of a methodical review of the work history to confirm employment. Hiring managers cannot always be counted on to document the entire work history. Either Human Resources, an internal department or an outside vendor needs to ensure that all employers have been contacted.
Finally, there are a number of specialized skills and resources that are needed, such as figuring out education fraud, or if a criminal record can be used. Unless a firm has access to experts on the laws of all 50 states, and an understanding of EEOC rules, etc., doing it in-house can be very risky. Accessing records from thousands of different courts can be very tricky. A great deal of knowledge is required.
The bottom line is that if a business does it in-house and they miss a record that a competent third party firm would have found and someone is harmed, it would not be much of a jury defense that the business was trying to save a few bucks by doing something in-house that requires such specialized skills and knowledge.
There is also the cultural issue that some firms find it advantageous to have a third party do the background checks, so the employment relationship does not start with what may seem an invasion of privacy.
So, the bottom line is an organization needs to figure out if, at the end of the day, the time and effort it takes to perform a service in-house is worth it, if it can be outsourced. There are certainly organizations that for cost savings have essentially set up their own internal background units successfully, but they essentially have become an in-house background firm that needs to know how to do everything a third party firm can do. However, for the right firm, an in-house process can make sense as long as they know how to do everything a third party firm can do and if it makes economic sense.
By Thomas Ahearn, ESR News Staff Writer
Ever wonder if the customer service call center at the other end of your phone is located in the U.S., or what foreign country it is located in if outside of the U.S.?
Newly proposed legislation would make companies inform customers when their calls are being transferred outside the United States and charge companies for those transferred calls in an effort to maintain call center jobs currently in the United States and provide a reason for companies that have already outsourced call center jobs to bring them back.
According to a press release on Senator Charles E. Schumer’s (D-NY) website, the new legislation would require companies that transfer calls to foreign call centers to disclose to the caller that their call is being transferred to a particular country. The disclosure requirement would also force companies to annually certify to the Federal Trade Commission (FTC) that they are fully complying with this requirement or otherwise be subject to civil penalties that the FTC would prescribe.
In addition, since 800 numbers are often transferred overseas without the caller’s knowledge, the bill would impose a $0.25 excise tax on any customer service call placed inside the United States which is then transferred to an agent in a foreign location, with the fee being assessed on the company that transferred the call.
While the bill’s major aim would be to reduce the outsourcing of U.S. jobs, another benefit could be greater protection against identity theft, since the personally identifying information (PII) of American consumers — such as names, birth dates, addresses, social security numbers, and financial information — would not be offshored as often to call centers in foreign countries beyond the reach of U.S. identity theft and privacy laws.
Employment Screening Resources (ESR) — a member of Concerned CRAs, a group of Consumer Reporting Agencies (CRA) concerned that certain data practices place the personal information of consumers at risk — does not outsource domestic background screening services outside of the U.S. in order to protect the PII contained in background screening reports. ESR believes that sending such personal information offshore places both applicants and employers at risk and should be avoided when possible. If PII is sent to countries outside the U.S., applicants and employers should be made aware of this practice.
By Thomas Ahearn, ESR Staff Writer
The Federal Trade Commission (FTC) has further delayed enforcement of the Red Flags Rule for identity theft, which was scheduled to begin on June 1, 2010, until December 31, 2010.
According to an FTC news release, the delay of the Red Flags Rule for identity theft to the end of the year would give Congress time to consider legislation that would resolve any questions as to which entities are covered by the Red Flags Rule and remove the need for further enforcement delays. As currently written, the Red Flags Rule — which was developed under the Fair and Accurate Credit Transactions Act (FACTA) — requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or activities — called “red flags” — that may indicate identity theft.
With identity theft on the rise — a recent survey found the number of identity theft and fraud victims in the U.S. increased 12 percent to affect over 11 million adults in 2009 — the FTC’s Red Flags Rule addresses the need for businesses extending credit to customers to develop and implement written identity theft prevention programs. In addition, according to a “Facts For Businesses” page on the FTC website, the Red Flags Rule may apply to groups that might not typically use the words “financial institutions” and “creditors” with “covered accounts” to describe themselves.
- The Red Flags Rule defines a “financial institution” as banks, savings and loan associations, mutual savings banks, credit unions, or any person, directly or indirectly, holding a transaction account belonging to a consumer.
- The Red Flags Rule definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies may fall within this definition. Creditors also include those who regularly grant loans, arrange for loans, or extend credit.
- The Red Flags Rule defines the term “covered accounts” as (1) a consumer account primarily designed to permit multiple payments or transactions such as credit card accounts, mortgage/auto loans, and cell phone, utility, and checking and savings accounts; and (2) any account for which there is a foreseeable risk to customers or to the financial institution or creditor from identity theft.
Beginning December 31, 2010, the Red Flags Rule would require the entities described above to develop, implement, and administer Identity Theft Prevention Programs that include four basic elements — Identify, Detect, Prevent, and Update — to address the threat of identity theft:
- An Identity Theft Prevention Program must include reasonable policies and procedures to identify the “red flags” of identity theft, the patterns, practices, or activities that may indicate the possibility of identity theft.
- An Identity Theft Prevention Program must be designed to detect the red flags identified, and have procedures in place to help in the detection of red flags.
- An Identity Theft Prevention Program must spell out the appropriate response to take when red flags are detected to prevent and mitigate identity theft.
- An Identity Theft Prevention Program should go through a periodic update to reflect new risks from identity theft since this crime is an ever-changing threat.