Trend No. 8: Increased Privacy Concerns Over Offshoring of Personally Identifiable Information (PII)
A new background screening trend emerging in 2011 will be the increased concern over the “offshoring” of Personally Identifiable Information (PII) of U.S. consumers.
A recently signed California law appears to be the first in the United States to regulate the “offshoring” of Personally Identifiable Information (PII) of U.S. consumers collected for background checks, a controversial practice where private data of U.S. citizens – such as names, dates of birth, addresses, and Social Security numbers (SSNs) – is sent overseas, outside the United States and its territories, and beyond the reach of U.S. privacy laws.
In September 2010, Governor Arnold Schwarzenegger signed into law California Senate Bill 909 (SB 909), which addresses the issue of personal information being sent offshore. SB 909 – which takes effect January 1, 2012 to allow time for background check firms to provide new releases to employers or modify online language – amends the California Investigative Consumer Reporting Agencies Act (ICRA), which regulates background checks in California. It requires that, as part of a disclosure before the background check, a consumer be notified of the web address for “information about the investigative reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories.” In addition:
- If a background check company does not have a web site, then the background check company must provide the consumer with a phone number where the consumer can obtain the same information.
- SB-909 defines “third parties” as including, “but not being limited to, a contractor, foreign affiliate, wholly owned entity, or an employee of the investigative consumer reporting agency” and also requires a “separate section that includes the name, mailing address, e-mail address, and telephone number of the investigative consumer reporting agency representatives who can assist a consumer with additional information regarding the investigative consumer reporting agency’s privacy practices or policies in the event of a compromise of his or her information.”
- In the event a consumer is harmed by virtue of a background check company negligently sending data offshore, SB-909 provides for damages to the consumer.
The practice of offshoring – whether personal information or jobs – can have a negative impact on network security since, for all intents and purposes, once Personally Identifiable Information (PII) is sent offshore outside the U.S. it is beyond the reach and protection of U.S. laws in cases involving identity theft or privacy issues. As reported earlier on ESR News, other states besides California have data privacy laws in effect, in legislation, or have voiced concerns over data privacy. For example:
- Ohio Governor Issues Executive Order Prohibiting Use of Public Funds for Practice of Offshore Outsourcing Known as Offshoring
- West Virginia Senator Sends Letters to Social Networking Sites Facebook and MySpace after Wall Street Journal Reports Privacy Breach
- Massachusetts Regulations Require Businesses to Have Information Security Program to Protect Personal Information
As for the definition of Personally Identifiable Information (PII), the following are often used for the express purpose of distinguishing individual identity, and thus are clearly PII under the definition used by the U.S. Office of Management and Budget:
- Full name
- Social Security Number (SSN)
- Vehicle registration plate
- Driver’s license number
- Credit card number
- National identification number
- IP (Internet Protocol) address
- Face, fingerprints, or handwriting
- Digital identity
- Genetic information
In addition, according to a 2009 security survey of 350 network administrators and IT executives conducted by Amplitude Research and commissioned by VanDyke Software, offshoring of Information Technology (IT) jobs can lead to increases in data breaches. The survey found that more than two-thirds (69 percent) of respondents felt outsourcing technical jobs offshore had a negative impact on network security, and 61 percent of workers at companies outsourcing IT jobs said their company had experienced a data breach.
The security survey naturally raises questions as to the safety of offshoring Personally Identifiable Information (PII) of American job applicants in order to prepare background checks. ConcernedCRAs, a group of more than 120 Consumer Reporting Agencies (CRAs), opposes the practice of offshoring Personally Identifiable Information (PII) of U.S. citizens outside the country to be processed beyond U.S. privacy laws.
A member of ConcernedCRAs, Employment Screening Resources (ESR) does not offshore Personally Identifiable Information (PII) and all domestic background checks are performed exclusively in the United States. ESR does all processing and preparation in the U.S. in order to protect applicants and employers, the only exception being when performing an international verification using information residing outside the U.S. ESR was also the third U.S. background screening firm to become “Safe Harbor” Certified for data privacy protection. See: https://safeharbor.export.gov/companyinfo.aspx?id=9239.
Before selecting a U.S. background check firm, employers should determine if that firm is processing information outside of the country. The risk is significant, even if the offshore facility is wholly owned by, or a subsidiary of, a U.S. firm. An employer needs to have a full understanding of how data and privacy are protected once the data leaves the U.S., and what duty is owed to job applicants in terms of notice that their PII is being sent abroad.
To read more about ‘Offshoring’ and ‘Personally Identifiable Information’ on ESR News, visit articles tagged at https://www.esrcheck.com/wordpress/tag/offshoring/ and https://www.esrcheck.com/wordpress/tag/personally-identifiable-information/.
Employment Screening Resources (ESR) is releasing the ESR Fourth Annual ‘Top Ten Trends in Pre-Employment Background Screening’ for 2011 throughout December. This is the Eighth of the Top Ten Trends ESR will be tracking in 2011. To see an updated list of ESR’s ‘Top Ten Trends in Pre-Employment Background Screening’ for 2011, visit: https://www.esrcheck.com/Top-Ten-Trends-In-Background-Screening-2011.php.
Founded in 1996 in the San Francisco Bay area, Employment Screening Resources (ESR) is the company that wrote the book on background checks with ‘The Safe Hiring Manual’ by ESR founder and President Lester Rosen. Employment Screening Resources is accredited by The National Association of Professional Background Screeners (NAPBS®) Background Screening Credentialing Council (BSCC) for proving compliance with the Background Screening Agency Accreditation Program (BSAAP). ESR was the third U.S. background check firm to be ‘Safe Harbor’ Certified for data privacy protection. To learn more, visit https://www.esrcheck.com or contact Jared Callahan, ESR Director of Client Relations, at 415.898.0044.