Tag Archives: personally identifiable information

MA Regulations Require Businesses to Have Information Security Program to Protect Personal Information

The Massachusetts Offices of Consumer Affairs and Business Regulations (OCABR) recently passed regulations that went into effect March 1, 2010 and are aimed at safeguarding the personal information of Massachusetts residents by requiring a business to have a Written Information Security Program (WISP) to protect personal information.

The STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH cover any business that “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.”

The rules define personal information as a Massachusetts resident’s name combined with a Social Security number, a driver’s license or state-issued ID card, or a financial account.

The regulations also apply to third parties and require contracts ensuring that the regulations are implemented and maintained, although existing contracts did not need to be updated before March 1, 2012. Massachusetts appears to take the position that the rules also apply to out-of-state firms that handle personal information.

A business regulated by these rules must have and implement a comprehensive Written Information Security Program, or WISP. The rules do not specify exact policies but provide minimum requirements and indicate that a business should take a number of factors into account, such as the kind of records it maintains and the risk of identity theft.

Among the things a business must do are a review of foreseeable internal and external risks, evaluation and improvement of safeguards, policies for employee access to records from outside the business, security measures such as password controls and up-to-date firewalls, employee training, ensuring that terminated employees cannot access confidential data, and disciplinary measures for violations of the regulations.

This new law has been described as the toughest in the nation and should go a long way toward improving privacy and data security and fighting identity theft. The text of the new regulations can be viewed at: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

With these strict information security regulations now in effect in Massachusetts, employers need to ensure that their background screening firms are in compliance. Employment Screening Resources (ESR) — a leading background check provider — maintains compliance with the new personal information protection regulations in Massachusetts. For more information on privacy and data security as it relates to background checks, contact Employment Screening Resources at http://www.ESRcheck.com.

Source: http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

Ex-School Official Fined for Running Unauthorized Background Checks on Athletes, Celebrities, and Politicians

A story from Massachusetts concerning a former school official agreeing to pay a fine for using school computers to run unauthorized background checks on celebrities, pro athletes, and politicians underscores the need for employers to have policies prohibiting workers from searching files and databases without a bona fide business necessity.

According to reports on Boston.com, a former school official in Lawrence, MA agreed to pay a $5,000 fine for his use of the school district’s computers to conduct approximately 400 unauthorized background checks on various people including major league baseball players David Ortiz and Johnny Damon, actors Michael Chiklis and Hugh Laurie, and Governor of Massachusetts Deval Patrick. In the settlement, the ex-school official admitted to violating a conflict-of-interest law by repeatedly running unauthorized background checks to access the personal information of hundreds of people in a manner not related to his job and for his own private purposes, according to the Boston Globe.

In this Age of Information, such “unauthorized browsing” by employees could lead to embarrassing stories such as this, and employers dealing with the personally identifiable information (PII) of consumers – such as names, birth dates, addresses, and social security numbers – should have written policies and procedures to instruct employees on appropriate and inappropriate use of consumer information. Such documentation should include a statement of appropriate use as being limited to business purposes only and include a prohibition on unauthorized browsing.

The acceptable use of technology is an important aspect of doing business today. Rules concerning the use of technology can protect businesses from identity theft and fraud, virus attacks, compromise of network systems and services, and legal issues. These rules would also help protect consumers, employees, partners, clients, and vendors.

Employment Screening Resources (ESR) – a leading Consumer Reporting Agency (CRA) that provides background checks – protects the personal information of consumers with an “Anti-Browsing” policy that prohibits unauthorized browsing. For information on background checks, as well as the appropriate use of consumer PII, visit ESR at http://www.esrcheck.com.




New Legislation Would Make Companies Inform Customers When Calls Outsourced Outside U.S.

By Thomas Ahearn, ESR News Staff Writer

Ever wonder if the customer service call center at the other end of your phone is located in the U.S., or what foreign country it is located in if outside of the U.S.?

Newly proposed legislation would require companies to inform customers when their calls are being transferred outside the United States and would charge companies for those transferred calls. The aim is to keep call center jobs currently in the United States and to give companies that have already outsourced call center jobs a reason to bring them back.

According to a press release on Senator Charles E. Schumer’s (D-NY) website, the new legislation would require companies that transfer calls to foreign call centers to disclose to the caller that their call is being transferred to a particular country. The disclosure requirement would also force companies to annually certify to the Federal Trade Commission (FTC) that they are fully complying with this requirement or otherwise be subject to civil penalties that the FTC would prescribe.

In addition, since 800 numbers are often transferred overseas without the caller’s knowledge, the bill would impose a $0.25 excise tax on any customer service call placed inside the United States which is then transferred to an agent in a foreign location, with the fee being assessed on the company that transferred the call.

While the bill’s major aim would be to reduce the outsourcing of U.S. jobs, another benefit could be greater protection against identity theft, since the personally identifying information (PII) of American consumers — such as names, birth dates, addresses, social security numbers, and financial information — would not be offshored as often to call centers in foreign countries beyond the reach of U.S. identity theft and privacy laws.

Employment Screening Resources (ESR) — a member of Concerned CRAs, a group of Consumer Reporting Agencies (CRA) concerned that certain data practices place the personal information of consumers at risk — does not outsource domestic background screening services outside of the U.S. in order to protect the PII contained in background screening reports. ESR believes that sending such personal information offshore places both applicants and employers at risk and should be avoided when possible. If PII is sent to countries outside the U.S., applicants and employers should be made aware of this practice. 

For more information on personally identifiable information, offshoring, and identity theft, visit Employment Screening Resources (ESR) at http://www.esrcheck.com.



Study Finds Identity Theft and Fraud Increased 12 Percent in 2009, Affecting Over 11 Million Americans

By Thomas Ahearn, ESR Staff Writer

As further proof that identity theft and fraud are fast-growing crimes that show no sign of slowing down, a recent survey found that the number of identity theft and fraud victims in the United States increased 12 percent to affect 11.1 million adults in 2009, while the total annual fraud amount in the country increased by 12.5 percent to $54 billion.

The recently released 2010 Identity Fraud Survey Report — independently produced by Javelin Strategy & Research for the past seven consecutive years — also found that protection of data by consumers and businesses helped identity theft victims decrease the time needed to resolve fraud while also reducing or eliminating costs for consumers.

According to the survey, the average fraud resolution time dropped 30 percent to 21 hours. In addition, nearly half of identity theft and fraud victims filed police reports, which doubled the reported arrests, tripled the prosecutions, and doubled the percentage of convictions associated with identity theft and fraud in 2009.

Other key survey findings included the following:

  • Small business owners should exercise caution since they suffered identity fraud at one-and-a-half times the rate of other adults, mostly due to the fact that small office and home office business owners use personal accounts when making business transactions and make more transactions than typical adults.
  • Javelin believes the 12 percent increase in the number of identity fraud incidents from 2008 to 2009 — the highest level since the survey started in 2003 — may be due to the recent Great Recession since, historically, higher rates of fraud occur during tough economic times.
  • Data breaches continued to compromise personal information, with the Full Name (63 percent) and Physical Address (37 percent) continuing to be the identification most likely to be compromised in a data breach. Health Insurance Information, with a year-over-year increase of 4 percent, is increasingly being targeted.
  • Consumers between the ages of 18 and 24 (also known as “Millennials”) are the slowest to detect identity theft and fraud, taking nearly twice as many days to detect identity theft and fraud compared to other age groups. They are also the least likely to monitor their accounts and are victims for longer periods of time.

Overall, the number of identity theft and fraud victims in the U.S. in 2009 grew to nearly 5 percent of the population. Since businesses are helping to prevent identity theft, protect consumer identities, and respond to fraud incidents, consumers are benefiting as a result, and out-of-pocket costs reached an all-time low of $373 in 2009, according to the survey.

Along with businesses, consumers can play a key role in preventing, detecting, and resolving identity theft and fraud committed against them. Recommendations for prevention, detection, and resolution of identity theft and fraud include:

  • Preventing criminal access to paper documents;
  • Preventing high-tech criminal access to information online;
  • Detecting unauthorized activity in existing information;
  • Detecting fraudulent establishment of new accounts, and;
  • Reporting problems immediately and taking advantage of loss protection offers.

For more information about the fast-growing problem of identity theft and fraud, visit http://www.esrcheck.com/wordpress/tag/identity-theft to read the latest news on the subject. Employment Screening Resources (ESR) will post additional information in the future on how to prevent and protect against identity theft and fraud.

Source: https://www.javelinstrategy.com/news/831/92/Javelin-Study-Finds-Identity-Fraud-Reached-New-High-in-2009-but-Consumers-are-Fighting-Back/d,pressRoomDetail

Offshoring IT jobs leads to dramatic increases in data breaches, per survey

By Les Rosen, Employment Screening Resources

A recent survey quoted in Security Management Magazine demonstrates the risk to privacy and data protection that comes with “offshoring.” According to the survey, about half of the firms that outsourced IT jobs to other countries indicated that their security had been negatively impacted, and 61 percent indicated their company had experienced a data breach. The study noted that data breaches occurred in just 35 percent of the companies that do not send IT jobs outside of the U.S. The story, and more information about the study, is available at: http://www.securitymanagement.com/article/outsourcing-risk-006564

This survey naturally raises questions about the safety of sending the Personally Identifiable Information (PII) of American job applicants offshore in order to prepare background checks. A group called ConcernedCRA now has more than 120 screening firms that have signed on to a standard opposing the sending of PII offshore, beyond U.S. privacy laws, for processing. See http://www.concernedcras.com/. A bill introduced in Congress in June 2009 would limit the offshoring of data without notice in the financial sector. A shocking undercover investigation by the BBC in 2009 showed just how easy it was to purchase PII from a call center in India. Of course, identity theft can occur in the U.S., but once data physically goes beyond U.S. privacy laws, consumers have fewer resources and less recourse.

Employment Screening Resources (ESR) does NOT send U.S. applicant information outside of the U.S. for processing. ESR takes the position that once data leaves the U.S., it is beyond the reach of U.S. privacy laws and there is no meaningful recourse for a U.S. consumer. ESR does all processing and preparation in the U.S. in order to protect applicants and employers. In some countries, it is well known that U.S. identities are stolen and used for identity theft. As a practical matter, someone in the U.S. has no ability to hire a lawyer in a foreign country to pursue legal action or to contact a foreign police authority to get any action taken. The only exception is where ESR is asked to perform an international verification and the information resides outside of the U.S. Even in that situation, ESR goes to great lengths to protect applicant data.

The bottom line: before selecting a screening firm, determine whether that firm is processing information outside of the U.S. The risk is significant, even if the offshore facility is wholly owned or a subsidiary of a U.S. firm. An employer needs to have a full understanding of how data and privacy are protected once data leaves the U.S., and what duty is owed to job applicants in terms of notice that their data is going abroad.

2010 Trend is focus on privacy and data protection

By Les Rosen, Employment Screening Resources

2010 Trends in Screening – Trend Three:

Employment Screening Resources (ESR), a leading national online employment background screening firm, is releasing the ESR “Third Annual Top Ten Trends in the Pre-Employment Background Screening Industry” for 2010. This is the THIRD of the ten trends ESR will be tracking in 2010. The ten trends will be released over the next three weeks:

3. Focus on privacy and data protection

Issues surrounding data protection and privacy will heat up even further in 2010. The issues are moving beyond network security, and businesses are beginning to examine where data actually goes for processing.

The two top issues are sending data offshore and sending it to home workers. A group called ConcernedCRA now has more than 120 screening firms that have signed on to a standard opposing the sending of Personally Identifiable Information (PII) offshore, beyond U.S. privacy laws, for processing. See http://www.concernedcras.com/. A bill introduced in Congress in June 2009 would limit the offshoring of data without notice in the financial sector. A shocking undercover investigation by the BBC in 2009 showed just how easy it was to purchase PII from a call center in India.

Of course, identity theft can occur in the U.S., but once data physically goes beyond U.S. privacy laws, consumers have fewer resources and less recourse. Equally of concern to applicants is the use of home workers, where a consumer’s PII may be spread across kitchen tables and dorm rooms throughout America and be visible to who knows whom. Because of concerns over identity theft and data protection, employers will become more concerned with where applicant data is physically located. Part of this trend will be continued state efforts to remove or protect private information. An example from 2009: a new law in Utah prohibits PII from being required too early in the hiring process.

International background checks and data and privacy protection

An important consideration when U.S. screening firms do international background checks is the application of foreign privacy laws regarding the manner in which information is obtained, transmitted, and utilized. The central issues are data privacy and protection. The European Union (EU) has extensive privacy laws that affect U.S. employers and screening firms. These rules went into effect in 1998. The European privacy rules affect the transmission of “personally identifiable data” from offices in EU countries to businesses in the U.S.

Firms that acquire data on individuals from EU member countries without compliance with the EU rules can be in violation of EU law. This can have a serious impact on international firms or firms that do business in an EU country.

However, American firms that develop a privacy policy may enter what is called a “Safe Harbor” by certifying a privacy policy that includes adequate mechanisms to protect confidential personal data. The program is administered by the U.S. Department of Commerce.

A firm can become Safe Harbor certified by following the guidelines listed by the Department of Commerce. Information can be obtained at http://www.export.gov/safeharbor/

Employment Screening Resources was just the third background screening firm in the U.S. to receive Safe Harbor Certification from the Department of Commerce.  

ESR provides international background checks all over the world, including criminal records, and employment and education verifications.  ESR’s president Lester Rosen was the keynote speaker at the first international background screening conference held in India in 2007, and has traveled to a number of countries to investigate background screening. ESR also published the first comprehensive white paper on international background checks as part of the book, “The Safe Hiring Manual.”   

For more information on international employee screening services, see: http://www.esrcheck.com/international.php

Privacy and Data Protection in Background Check Screening Reports

Because background reports and background release forms contain sensitive and confidential information, efforts must be made to keep the contents private and confidential and available only to decision-makers directly involved in the hiring process.

The Report itself, along with the Release and Authorization forms signed by the applicant, should be maintained separately from the employee’s personnel file. They should be kept in a relatively secure area, in the same fashion that medical files or sensitive employee matters are kept. These reports should definitely not be made available to supervisors or managers other than those in the hiring approval process. For example, during periodic performance appraisals, an employer would not want a supervisor to have access to a non-performance-related confidential background report.

For screening firms with advanced internet systems, there is no need to physically download the report. It is available online. However, an employer needs to be assured that the screening firm has appropriate internet and data security, and the employer needs to maintain a system of strong password protections. It is important that authorized users do not share passwords with those not authorized, nor reveal the password in any manner. Some screening firms require the user to change passwords periodically as a security measure and to sign security agreements.

Typically, reports are returned to either Human Resources or Security Departments. Reports are reviewed for any negative information. If the report is clear, then the hiring manager is notified and the hiring proceeds. If there is a red flag or derogatory information, then the information itself is shared with the appropriate decision-makers. The physical report, however, should normally stay with HR or Security. This protects against confidential information wrongfully being made known generally within the company if reports are transmitted between departments either by means of a paper copy or electronically.

The question arises as to how long records and documents should be maintained after separation. Unlike Canada, where privacy laws encourage the destruction of confidential data when no longer needed, there are no U.S. requirements that materials related to background screening be destroyed. In fact, there are a number of state and federal laws that control document retention, and labor attorneys will typically advise employers on how long various documents must be retained. However, for purposes involving safe hiring and background screening, the recommendation by ESR is six years. The FCRA was amended in 2003 to lengthen the statute of limitations under the act to as long as five years. In addition, state laws often allow a one-year period to file and serve a lawsuit. As a workable general rule, a six-year retention period should serve employers, with the six years running from the termination of employment or, if not hired, from the time the decision was made not to hire the applicant.

Many screening firms now store reports indefinitely, and if the applicant used an online system, the consent and disclosure can also be retained indefinitely. However, if an employer downloads any data, or used a paper-based consent and disclosure, then consider six years as the minimum. Although technically there is no maximum period under federal law, it is still a best practice to periodically purge old data in order to minimize the amount of Personally Identifiable Information (PII) that is available in the work environment. After all, most identity theft occurs in the workplace.

If disposing of any information in a consumer report, it is important to follow the regulations set out by the FTC pursuant to FCRA Section 628. Paper or electronic reports must be destroyed, pulverized, or erased so that they cannot be read or reconstructed. An employer must show due diligence when a shredding firm is hired. See: www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.shtm.

For best practices when it comes to privacy in the workplace, see the recommendations from the Privacy Rights Clearinghouse available at: www.privacyrights.org/ar/SDCountyIT.htm

Court Case on Use of Social Networking Sites

As ESR has noted in numerous presentations on the use of social networking sites, such as Facebook or MySpace, for employment, this is an evolving area of law that is still waiting for lawsuits to wind their way through the courts and result in published judicial opinions.

Annual Top Ten Trends in the Background Screening Industry

ESR has identified the following trends for 2009 in its second annual report on trends in the screening industry and safe hiring.  The full report is online at:  http://www.esrcheck.com/2009-trends-backgroundscreening-industry.php

  1. Increased Governmental Mandates: The federal and state governments for 2009 are likely to require more background checks, especially in sensitive industries.  In addition, right-to-work verification under the E-verify program will be a hot topic for 2009.
  2. Privacy and Accuracy: Privacy advocates in 2009 will be focused on resolving instances of noncompliance with the Fair Credit Reporting Act’s requirements for accuracy and dispute investigations. A leading cause of inaccuracies comes from matching innocent job applicants to criminal records based upon the same, or a similar, name in a database, without re-verification of the record at the courthouse. A new organization called Concerned CRAs (www.concernedcras.com) has taken a stance against utilizing such databases without taking proper measures to ensure the accuracy of criminal records.
  3. Second Chance for Ex-Offenders: Unless as a society we want to build more prisons than schools or hospitals, something must be done to reduce recidivism and find employment for applicants with criminal records. The State of New York, for example, to deal with this issue directly, has passed new “second chance” laws that became effective this year. The laws place a greater emphasis on employers analyzing a past criminal record to determine whether there is a business justification to not hire a person, including providing job applicants with notice of these various new rights.
  4. Consumer Protection Litigation:  As the screening industry matures, and applicants and their lawyers become much more informed about their consumer rights, it is likely that there will be an increase in litigation in 2009.  These lawsuits, including class action lawsuits, will be filed against screening firms, particularly when it comes to various notices required under the federal Fair Credit Reporting Act and accuracy requirements for the Background Screening Report results.
  5. Impact of the Recession: As a result of the recession and higher unemployment, it is likely that employers will need to scrutinize applications even more carefully, to be on the watch for fraudulent credentials, such as inflated or fictional employment or education history.
  6. Data Security, Data Breaches, and Off-shoring Data: Since identity theft continues to be a national and international problem, expect even more emphasis in 2009 on data security and protection. Closely related is the continuing issue of employers and screening firms sending confidential consumer data offshore for processing to places such as India for cost savings. Once data leaves the United States, it is beyond U.S. privacy protections. Concerned CRAs (www.concernedcras.com) has also taken a stance against off-shoring such data without notification to consumers. The use of home-operator networks also presents an unnecessary risk to privacy. There is no justification for personal information to be spread across kitchen tables and dorm rooms across America.
  7. Accreditation by the NAPBS: The non-profit trade organization for the Screening Industry, the National Association of Professional Background Screeners (www.napbs.com) has announced the introduction of an accreditation program.  NAPBS has gone through an exhaustive process to develop “Best Practices” for the industry, and it is anticipated that firms will start going through the accreditation process this year.
  8. Social Network Sites:  The use of social networking sites as a pre-employment screening device will continue to be a hot topic in 2009, as more recruiters and HR professionals go online to satisfy their curiosity about candidates.  The problem: contrary to popular belief, just because it is online does not mean that it’s a good idea to utilize it without developing policies and procedures.  Online material can be inaccurate, discriminatory, and under certain circumstances, its use can be an invasion of privacy.  Stay tuned as more courts give their opinions on this issue.
  9. Integration of Services:  With the advent of Web 2.0, it is likely that technology will play an even bigger role in the coming year.  Seamless integrations with Applicant Tracking Systems allow paperless background screening systems at the click of a mouse.
  10. International Background Checks: With mobility of workers across international borders, Due Diligence is no longer limited to just what an applicant has done in the United States and there will be stronger demand in 2009 for International Criminal, Education, and past Employment checks.


ESR will publish its Third Annual Top Ten Trends in January 2010.