By Les Rosen, Employment Screening Resources
A recent survey quoted in Security Management Magazine demonstrates the risk to privacy and data protection when it comes to “off shoring.” According to a new survey, of the firms that outsourced IT jobs to other counties, about half indicted that their security has been negatively impacted. And 61 percent indicated their company had experienced a data breach. The study noted data breaches occurred in just 35 percent of the companies that do not send IT jobs outside of the U.S. The story, and more information about the study, is available at: http://www.securitymanagement.com/article/outsourcing-risk-006564
This survey naturally raises questions as to the safety of sending Personally Identifiable Information (PII) of American job applicants off shore in order to prepare background checks. A group called ConcernedCRA now has more than 120 screening firms that have signed on to a standard that opposes sending Personally Identifiable Information (PII) offshore beyond U.S. privacy laws to be processed. See http://www.concernedcras.com/. A bill was introduced into Congress in June 2009 that would limit the offshoring of data without notice in the financial sector. A shocking undercover investigation by the BBC in 2009 showed just how easy it was to purchase PII from a call center in India. Of course, identity theft can occur in the U.S., but once data physically goes beyond U.S. privacy laws, consumers have less resources and recourses.
Employment Screening Resources (ESR) does NOT send U. S. applicant information outside of the U.S. for processing. ESR takes the position that once data leaves the U.S., the data is beyond the reach of U.S. privacy laws and there is no meaningful recourse for a U.S. consumer. ESR does all processing and preparation in the U.S. in order to protect applicants and employers. In some countries, it is a well known fact that U.S. identities are stolen and used for identity theft. As a practical matter, someone in the U.S. has no ability to hire a lawyer in a foreign country to pursue legal action or contact a foreign police authority to get any action taken. The only exception is where ESR is asked to perform an international verification and the information resides outside of the U.S. Even in that situation, ESR goes to great length to protect applicant data.
The bottom-line: Before selecting a screening firm determine if that firm is processing information outside of the U.S. The risk is significant, even if the off shore facility is wholly owned or a subsidiary of a U. S. firm. An employer needs to have a full understanding of how data and privacy is protected once it leaves the U.S., and what duty is owed to job applicants in terms of notice that their data is going abroard.
By Les Rosen, Employment Screening Resources
2010 Trends in Screeningâ€“Trend Three:
Employment Screening Resources (ESR), a leading national online employment screening background firm, is releasing the ESR â€œThird Annual Top Ten Trends in the Pre-Employment Background Screening Industryâ€ for 2010.Â Â Â This is the THIRD of the ten trends ESR will be tracking in 2010.Â The ten trends will be released over the next three weeks:
3. Focus on privacy and data protection
Heating up even further in 2010 will be issues surrounding data protection and privacy.Â The issues are moving beyond network securityÂ and there is beginning to be an examination about where the data is actually going for processing.Â
Â The two top issues â€” sending data offshore or to home workers.Â A groupÂ called ConcernedCRA now has more than 120 screening firms that have signed on to a standard that opposes sending Personally Identifiable Information (PII) offshore beyond U.S. privacy laws to be processed.Â See http://www.concernedcras.com/ Â A bill was introduced into Congress in June Â 2009 that would limit the offshoring of data without notice in the financial sector.Â A shocking undercover investigation by the BBC in 2009 showed just how easy it was to purchase PII from a call center in India.Â
Of course, identity theft can occur in the U.S., but once data physically goes beyond U.S. privacy laws, consumers have less resources and recourses.Â Equally of concern to applicants is the use of home workers, where a consumerâ€™s PII may be spread across kitchen tables and dorms rooms throughout America and be visible to who knows who.Â Because of concerns over identity theft and data protection, employers will start to be more concerned with where applicant data is physically located. Part of this trend will be continued state efforts to remove or protect private information.Â An example in 2009:Â There was a new law in Utah that prohibits PII from being required too early in the hiring process.
ESR has identified the following trends for 2009 in its second annual report on trends in the screening industry and safe hiring. The full report is online at: http://www.esrcheck.com/2009-trends-backgroundscreening-industry.php
- Increased Governmental Mandates: The federal and state governments for 2009 are likely to require more background checks, especially in sensitive industries.Â In addition, right-to-work verification under the E-verify program will be a hot topic for 2009.
- Privacy and Accuracy: Privacy advocates in 2009 will be focused on resolving instances of noncompliance with the Fair Credit Reporting Act’s requirements for accuracy and dispute investigations. A leading cause of inaccuracies comes from matching innocent job applicants to criminal records based upon the same, or a similar, name in a database, without re-verification of the record at the courthouse. A new organization called Concerned CRA’s (www.concernedcras.com) has taken a stance against utilizing such databases without taking proper measures to ensure accuracy of criminal records.
- Second Chance for Ex-Offenders: Unless as a society we want to build more prisons than schools or hospitals, something must be done to reduce recidivism and find employment for applicants with criminal records. The State of New York, for example, to deal with this issue directly, has passed new â second chance” laws that became effective this year. The laws place a greater emphasis on employers analyzing a past criminal record to determine whether there is a business justification to not hire a person, including providing job applicants with notice of these various new rights.
- Consumer Protection Litigation: As the screening industry matures, and applicants and their lawyers become much more informed about their consumer rights, it is likely that there will be an increase in litigation in 2009. These lawsuits, including class action lawsuits, will be filed against screening firms, particularly when it comes to various notices required under the federal Fair Credit Reporting Act and accuracy requirements for the Background Screening Report results.
- Impact of the Recession: As a result of the recession and higher unemployment, it is likely that employers will need to scrutinize applications even more carefully, to be on the watch for fraudulent credentials, such as inflated or fictional employment or education history.
- Data Security, Data Breaches, and Off-shoring Data: Since identity theft continues to be a national and international problem, expect even more emphasis in 2009 on data security and protection.Â Closely related is the continuing issue of employers and screening firms sending confidential consumer data offshore for processing to places such as India for cost savings. Once data leaves the United States, it is beyond U.S. privacy protections. Concerned CRR’s (www.concernedcras.com) has also taken a stance against off-shoring such data without notification to consumers. The use of home-operator networks also presents an unnecessary risk to privacy as well. There is no justification for personal information to be spread across kitchen tables and dorm rooms across America.
- Accreditation by the NAPBS: The non-profit trade organization for the Screening Industry, the National Association of Professional Background Screeners (www.napbs.com) has announced the introduction of an accreditation program. NAPBS has gone through an exhaustive process to develop “Best Practices” for the industry, and it is anticipated that firms will start going through the accreditation process this year.
- Social Network Sites: The use of social networking sites as a pre-employment screening device will continue to be a hot topic in 2009, as more recruiters and HR professionals go online to satisfy their curiosity about candidates. The problem: contrary to popular belief, just because it is online does not mean that it’s a good idea to utilize it without developing policies and procedures.Â Online material can be inaccurate, discriminatory, and under certain circumstances, its use can be an invasion of privacy. Stay tuned as more courts give their opinions on this issue.
- Integration of Services: With the advent of Web 2.0, it is likely that technology will play an even bigger role in the coming year. Seamless integrations with Applicant Tracking Systems allow paperless background screening systems at the click of a mouse.
- International Background Checks: With mobility of workers across international borders, Due Diligence is no longer limited to just what an applicant has done in the United States and there will be stronger demand in 2009 for International Criminal, Education, and past Employment checks.
ESR will place its Third Annual Top Ten Trends in January, 2010.
Many job applicants in the US may not realize it, but when you fill out a job application you may be sending your personal data including date of birth and/or social security number offshore beyond U.S.Â privacy laws.Â How?Â There are some background screening firms that routinely send their data to India or other destinations for processing, including calling past employers and schools.Â The information sent could well be the basis for identity theft.Â A recent sting operation by the BBC showed that confidential data Â can be purchased from Â Indian call centers for as little Â as $10 each. See:Â http://news.softpedia.com/news/Symantec-Sends-Notification-Letters-Announcing-Possible-Security-Breach-108320.shtmlÂ
Â Of course, identity theft can happen in the US, but at least here there are resources and recourses.Â Try calling the Mumbai or Bangalore police and filing a complaint.Â Nor does it help if the foreign call center is owned by a US firm.Â The same issues still apply.
The best advice for job seekers; Do NOT consent to a background check if the employment screening firm used by your prospective employer does not guarantee that they do all of their work in the USA. ESR does NOT offshore.
In the ESR April, 2009 Newsletter, ESR suggested that employers should consider a yearly due diligence check on the firms that provide due diligence.Â Â An essential element of any due diligence plan is a yearly audit of your current practices.Â In the event of a worst case scenario, and an employer hires someone that is unfit, unsafe or unqualified, the best defense is that the employer exercised due diligence in its hiring practices, including the choice of a screening firm.Â ESR has developed a checklist that can be used to send to a screening provider every year to document your due diligence and to measure the effectiveness of your current screening program.Â
Number 2 on the list:Â Â IsÂ all work performed in the USA to protect privacy and control quality (i.e., nothing sent offshore to India or other places)?Â If not, please explain in detail how privacy is protected. (See: http://www.concernedc ras.com/)
This is a critical consideration.Â Once private data on Americans go offshore, it is beyond U.S. privacy laws.Â Even if the offshore facility is owned or operated by a U.S. firm, there is still the potential for identity theft.Â Of course, identity theft can occur in the U.S. as well, but at least consumers have recourse and protection. How can a U.S. worker possibly contact the police in India or some other country to ask for an investigation of identity theft?Â It is also difficult sometimes to prove how identity theft occurred, so the fact the foreign operation center was opened or operated by a U. S. firm is not of much help to an identity theft victim who may not be able to prove that is where it occurred.
The bottom line:Â There is no good reason to offshore personal data for processing except to make more money for the firm that offshores.Â
The entire list is located at:Â http://www.esrcheck.com/newsletter/archives/April_2009.php#T3
For a Word version, contact Jared Callahan at 415-898-0044 or email him at firstname.lastname@example.org