Just in time for the beginning of a new school year, which usually requires parents to fill out paperwork such as registration forms and emergency contact information, the Federal Trade Commission (FTC) offers child identity theft prevention tips in the blog ‘Protecting Your Child’s Personal Information at School’ to let parents know that many school forms containing the personal and sensitive information of their children could be used to commit fraud in their child’s name if the information falls into the wrong hands. To read the blog, visit: https://www.consumer.ftc.gov/blog/protecting-your-childs-personal-information-school.
According to The Hartford Small Business Data Protection Survey, an overwhelming 85 percent of small business owners believe a data breach is unlikely, and many do not implement security measures to help protect customer or employee data, even though the number of data breaches involving smaller businesses is growing. For more information about the survey from The Hartford, visit: http://newsroom.thehartford.com/News-Releases/Small-Business-Owners-Despite-Being-Increasingly-Targeted-Believe-Data-Breach-Unlikely-50c.aspx.
According to a report from the Associated Press (AP), a Minneapolis, Minnesota-based Consumer Reporting Agency (CRA) that performs employment screening for businesses will close two offices in South Dakota by the end of the year and move those jobs to new sites in Arizona, India, and the Philippines. The AP reports that the company, one of the largest background screening suppliers in the country, says the closings in Aberdeen, South Dakota and Mitchell, South Dakota are due to restructuring and will affect approximately 140 workers. The AP story is the latest case of a large U.S. background screening company “offshoring” the processing of background checks to foreign countries.
The Massachusetts Offices of Consumer Affairs and Business Regulations (OCABR) passed strict data privacy and security regulations ‘201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH’ that went into effect March 1, 2010 to protect the personal information of Massachusetts residents by requiring businesses to have a multitude of safeguards including a comprehensive Written Information Security Policy (WISP). Effective March 1, 2012, any company, in any location, that holds the personal information of Massachusetts residents must amend its existing third party vendor contracts to require compliance with Massachusetts data security regulations. The law is available at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.
To help Human Resources professionals comply with new background check laws in California, Jared Callahan, the Director of Business Development for background check firm Employment Screening Resources (ESR) and a licensed Private Investigator, will present the session “How to Comply with California’s Two New Laws Regarding Background Checks” at the Los Angeles HR Star Conference on Wednesday, February 29, 2012 at the Los Angeles Convention Center in Los Angeles, California. To register for the LA HR Star conference, which takes place from 9:00 a.m. to 4:30 p.m., visit: http://www.hrstarconference.com/la/.
To help Human Resources professionals stay in compliance with new laws regulating background checks in California, Attorney Lester Rosen, a safe hiring expert and CEO of background check firm Employment Screening Resources (ESR), will present a session titled “How to Comply with California’s Two New Laws Regarding Background Checks” on Wednesday, February 29, 2012 at the Los Angeles HR Star Conference. To register for the conference, which takes place from 9:00 a.m. to 4:30 p.m. at the Los Angeles Convention Center in Los Angeles, CA, visit: http://www.hrstarconference.com/la/. (UPDATE: Jared Callahan, Director of Business Development for ESR and licensed Private Investigator, will speak at the LA HR Star Conference in place of Lester Rosen on February 29).
As part of a stepped-up effort against tax refund fraud and identity theft, the Internal Revenue Service (IRS) and the Justice Department have announced that a massive nationwide sweep last week targeting 105 people in 23 states to crack down on suspected identity theft perpetrators resulted in 939 criminal charges related to identity theft, according to a news release on the IRS website available at: http://www.irs.gov/newsroom/article/0,,id=253147,00.html?portlet=108.
Corporate insider intellectual property (IP) thieves are usually males under 40 holding technical positions, have a new job ready at the time of the theft, and steal information they were authorized to access, according to the findings of a new report “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall” from leading information security solutions provider Symantec. To download the free report – which helps employers recognize the early warning signs, as well as motivations and behaviors, of insider intellectual property thieves – click here.
In the Federal Trade Commission’s (FTC) first cases against credit report resellers for the data security failures of their clients, three companies that resell credit reports of consumers have agreed to settle FTC charges that they did not take reasonable steps to protect personal information of consumers and allowed computer hackers to access that personal information, according to a recent news release from the FTC.
Administrative complaints issued by the FTC showed the three credit report resellers bought credit reports from the three nationwide consumer reporting agencies – Equifax, Experian, and TransUnion – and added them to reports sold to determine consumers' eligibility for credit. Because these three resellers allegedly allowed clients to access these reports without basic security measures such as firewalls and updated antivirus software, hackers accessed more than 1,800 credit reports without authorization through the computer networks of clients. The three credit report resellers also allegedly did not make reasonable efforts to protect against future security breaches even after becoming aware of these data breaches.
The three credit report resellers are charged with violating the Fair Credit Reporting Act (FCRA) by:
- Failing to protect their internet portals and thereby furnishing credit reports to hackers who lacked a permissible purpose to have them,
- Failing to maintain reasonable procedures to limit the furnishing of credit reports for such purposes, and
- Furnishing credit reports when they had reasonable grounds for believing the reports would not be used for a permissible purpose.
The failure of the three credit report resellers to protect personal information of consumers also allegedly violated the FCRA. In addition, the credit report resellers allegedly violated the Gramm-Leach-Bliley Safeguards Rule by failing to:
- Design and implement information safeguards to control the risks to consumer information;
- Regularly test or monitor the effectiveness of their controls and procedures;
- Evaluate and adjust their information security programs in light of known or identified risks; and
- Have comprehensive information security programs.
The proposed settlement, part of the ongoing campaign of the FTC to protect the personal information of consumers, would require the three credit report resellers to:
- Have comprehensive information security programs designed to protect the security, confidentiality, and integrity of the personal information of consumers, including information accessible to clients;
- Obtain independent audits of their security programs, every other year for 20 years;
- Furnish credit reports only to those with a permissible purpose; and
- Maintain reasonable procedures to limit the furnishing of credit reports to those with a permissible purpose.
These cases show that the FTC will call for imposition of civil penalties against resellers of consumer reports who do not take adequate measures to fulfill their obligations to protect information contained in consumer reports as required by the FCRA. These cases also send a strong message that companies giving their clients online access to sensitive information of consumers must have reasonable procedures to secure that information.
Consumer protection through data security makes up a critical part of the National Association of Professional Background Screeners (NAPBS) accreditation process. Since its founding in 2003, the NAPBS has believed that there is a strong need for a singular cohesive industry standard and created the Background Screening Agency Accreditation Program (BSAAP). Governed by a strict professional standard composed of requirements and measurements, the BSAAP is becoming a widely recognized seal of approval that brings national recognition to background screening organizations, also referred to as Consumer Reporting Agencies (CRAs), and will stand as the industry “seal” representing a background screening organization’s commitment to excellence, accountability, high professional standards, and continued improvement.
The NAPBS Background Screening Credentialing Council (BSCC) oversees the application process and is the governing accreditation body that will ensure the background screening organizations seeking accreditation meet or exceed a measurable standard of competence. To become accredited, a CRA must pass an onsite audit of its policies and procedures as they relate to six critical areas of the BSAAP:
- ‘Section 2: Legal Compliance’ includes standards for: Designated Compliance Person(s); State Consumer Reporting Laws; Driver Privacy Protection Act (DPPA); State Implemented DPPA Compliance; Integrity; Prescribed Notices; and Certification from Client.
- ‘Section 3: Client Education’ includes standards for: Client Legal Responsibilities; Client Required Documents; Truth in Advertising; Adverse Action; Legal Counsel; Understanding Consumer Reports; and Information Protection.
- ‘Section 4: Product Standards’ includes standards for: Public Record Researcher Agreement; Vetting Requirement; Public Record Researcher Certification; Errors and Omissions Coverage; Information Security; Auditing Procedures; Identification Confirmation; and Jurisdictional Knowledge.
- ‘Section 5: Service Standards’ includes standards for: Verification Accuracy; Current Employment; Diploma Mills; Procedural Disclosures; Verification Databases; Use of Stored Data; Documentation of Verification Attempts; Outsourced Verification Services; Conflicting Data; Professional Conduct; and Authorized Recipient.
- ‘Section 6: General Business Practices’ includes standards for: Character; Insurance; Client Credentialing; Vendor Credentialing; Consumer Credentialing; Document Management; Employee Certification; Worker Training; Visitor Security; Employee Criminal History; Quality Assurance; and Certification.
Employment Screening Resources (ESR) is formally recognized as accredited by the National Association of Professional Background Screeners (NAPBS) Background Screening Credentialing Council (BSCC) for successfully proving compliance with the Background Screening Agency Accreditation Program (BSAAP). For more information, visit Employment Screening Resources (ESR) at http://www.ESRcheck.com.
A story from Massachusetts concerning a former school official agreeing to pay a fine for using school computers to run unauthorized background checks on celebrities, pro athletes, and politicians underscores the need for employers to have policies prohibiting workers from searching files and databases without a bona fide business necessity.
According to reports on Boston.com, a former school official in Lawrence, MA agreed to pay a $5,000 fine for his use of the school district’s computers to conduct approximately 400 unauthorized background checks on various people including major league baseball players David Ortiz and Johnny Damon, actors Michael Chiklis and Hugh Laurie, and Governor of Massachusetts Deval Patrick. In the settlement, the ex-school official admitted to violating a conflict-of-interest law by repeatedly running unauthorized background checks to access the personal information of hundreds of people in a manner not related to his job and for his own private purposes, according to the Boston Globe.
In this Age of Information, such “unauthorized browsing” by employees could lead to embarrassing stories such as this, and employers dealing with the personally identifiable information (PII) of consumers – such as names, birth dates, addresses, and social security numbers – should have written policies and procedures to instruct employees on appropriate and inappropriate use of consumer information. Such documentation should include a statement of appropriate use as being limited to business purposes only and include a prohibition on unauthorized browsing.
The acceptable use of technology is an important aspect of doing business today. Rules concerning the use of technology can protect businesses from identity theft and fraud, virus attacks, compromise of network systems and services, and legal issues. These rules would also help protect consumers, employees, partners, clients, and vendors.
Employment Screening Resources (ESR) – a leading Consumer Reporting Agency (CRA) that provides background checks – protects the personal information of consumers with an “Anti-Browsing” policy that prohibits unauthorized browsing. For information on background checks, as well as the appropriate use of consumer PII, visit ESR at http://www.esrcheck.com.