Offshoring Personally Identifiable Information Outside of US Increases Concern Over Privacy and Identity Theft

A new California law due to take effect January 1, 2012 – Senate Bill 909 (SB 909) – appears to be one of the first in the nation that addresses the growing concerns over the controversial practice of “offshoring” personally identifiable information (PII) collected during background checks of job applicants by sending the data outside of United States and its territories and beyond the protection of U.S. privacy and identity theft laws. This is Trend Number 9 of the fifth annual Employment Screening Resources (ESR) ‘Top 10 Trends in Background Checks’ for 2012. To view the list of trends, visit https://www.esrcheck.com/ESR-Top-10-Trends-in-Background-Checks-for-2012.php.

Authored by State Senator Rod Wright and signed into law by former Governor Arnold Schwarzenegger in September of 2010, SB 909 is a sign of a growing awareness of the dangers of sending PII – which includes a person’s name, date of birth (DOB), and Social Security Number (SSN) – outside of the United States. Employers in California – and employers doing business in California – need to be aware of this new law relating to the offshoring of PII of consumers who are the subjects of background checks taking effect in 2012 that will change the way employers conduct background checks in the state.

SB 909 amends the California Investigative Consumer Reporting Agencies Act (ICRA) that regulates background checks in California and appears to be the first law in the nation that addresses the issue of personal information from employment background checks being sent offshore outside the United States or its territories and beyond the protection of U.S. privacy laws.

SB 909 requires a new disclosure and additions to a Consumer Reporting Agency’s (CRA) privacy policy to be made to consumers before their personally identifiable information such as SSNs is sent offshore overseas and outside of the United States. It is not a regulatory bill, since does not regulate or prohibit offshoring, and the disclosure is only so that consumers have a way to be aware of the background screening agency’s privacy practices, including whether the consumer’s PII will be sent outside the country.

SB 909 adds language to Civil Code 1786.16 that requires that a consumer must be notified as part of a disclosure before the background check of the web address where that consumer “may find information about the investigative reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories.” If a background screening firm does not have a web site, then the background screening firm must provide the consumer with a phone number where the consumer can obtain the same information. This clause shall become operative on January 1, 2012.

SB 909 additionally requires an investigative Consumer Reporting Agency to “conspicuously post” on its primary Internet Web site information describing its privacy practices with respect to its preparation and processing of investigative consumer reports. If CRA does not have an Internet Web site, CRA has to mail a written copy of the privacy statement to consumers upon request. This clause shall become operative on January 1, 2012.

The CRA’s privacy policy must contain “information describing its privacy practices with respect to its preparation and processing of investigative consumer reports.” Specifically, background screening firms in California (and firms that do business in California) must have a statement in their privacy policy entitled “Personal Information Disclosure: United States or Overseas” that indicates whether the personal information will be transferred to third parties outside the United States or its territories.

The term “conspicuously post” is defined in California Business and Professions Code Section 22577:

• (b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following: (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site. (2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable. (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following: (A) Includes the word “privacy.” (B) Is written in capital letters equal to or greater in size than the surrounding text. (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

SB 909 also defines “third parties” as including, but not being limited to:

• A contractor,
• Foreign affiliate,
• Wholly owned entity, or
• An employee of the investigative consumer reporting agency.

In addition, SB 909 requires a “separate section” that includes the name, mailing address, e-mail address, and telephone number of the investigative consumer reporting agency representatives who can assist a consumer with additional information regarding the investigative consumer reporting agency’s privacy practices or policies in the event of a compromise of his or her information.

In the event a consumer is harmed by virtue of a background screening firm negligently preparing or processing data outside of the U.S., SB 909 provides for damages to the consumer in an amount equal to the sum of:

• Any actual damages sustained by the consumer as a result of the unauthorized access, and
• The costs of the successful legal action together with reasonable attorney’s fees, as determined by the court.

Employers should also remember that there is currently civil liability of $10,000 per applicant for non-compliance by an employer or CRA, so it is important to maintain compliance.

The practice of offshoring personal information can have a negative impact on network security since, for all intents and purposes, once Personally Identifiable Information is sent offshore outside the U.S. it is beyond the reach and protection of U.S. laws in cases involving identity theft or privacy issues. Other states besides California have data privacy laws in effect, in legislation, or have voiced concerns over data privacy. As for the definition of Personally Identifiable Information (PII), the following are often used for the express purpose of distinguishing individual identity, and thus are clearly PII under the definition used by the U.S. Office of Management and Budget:

• Full name
• Birthday
• Birthplace
• Social Security Number (SSN)
• Vehicle registration plate
• Driver’s license number
• Credit card number
• National identification number
• IP ( Internet Protocol) address
• Face, fingerprints, or handwriting
• Digital identity
• Genetic information

When a person applies for a job, there is typically some form of background check involved.  The form that is filled out includes name, date of birth, and social security number – in other words, everything needed for identity theft.  What job applicants do not know is that there is a possibility that their personal information ends up offshore, beyond U.S. privacy law, in a foreign call center or data processing location where there is little if any privacy protection because many national background screening firms routinely offshore a great deal of data every day in order to increase their profits.

Before selecting a U.S. background check firm, employers should determine if that firm is processing information outside of the country. The risk is significant, even if the offshore facility is wholly owned or a subsidiary of a U.S. firm. An employer needs to have a full understanding of how data and privacy is protected once it leaves the U.S., and what duty is owed to job applicants in terms of notice that their PII is being sent abroad.

The changes brought by SB 909 are also supported a group of more than 125 Consumer Reporting Agencies (CRAs) called ‘ConcernedCRAs’ that have endorsed to a set of standards that oppose offshoring PII of U.S. citizens outside the country to be processed beyond U.S. privacy laws.  These standards are listed at http://www.concernedcras.com/.

As a member of ConcernedCRAs, Employment Screening Resources (ESR) does not offshore Personally Identifiable Information and all domestic background checks are performed exclusively in the United States. ESR performs all processing and preparation in the U.S. in order to protect applicants and employers, the only exception being when performing an international verification using information residing outside the U.S. ESR was also the third U.S. background screening firm to become “Safe Harbor” Certified for data privacy protection.

To read more about ‘Offshoring’ and ‘Personally Identifiable Information’ on ESR News, visit articles tagged at https://www.esrcheck.com/wordpress/tag/offshoring/ and https://www.esrcheck.com/wordpress/tag/personally-identifiable-information/.

To read California Senate Bill 909, visit: http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_0901-0950/sb_909_bill_20100929_chaptered.pdf.

The Employment Screening Resources (ESR) ‘Top 10 Trends in Background Checks’ for 2012 is available at https://www.esrcheck.com/ESR-Top-10-Trends-in-Background-Checks-for-2012.php.

About Employment Screening Resources (ESR):
Founded in 1997 in the San Francisco, CA area, Employment Screening Resources (ESR) literally wrote the book on background screening with “The Safe Hiring Manual” by ESR Founder and CEO Lester Rosen. ESR streamlines the screening process and reduces administrative overhead though its proprietary technology solutions.  ESR is accredited by The National Association of Professional Background Screeners (NAPBS®), a distinction held by less than two percent of all screening firms. This important recognition was achieved by successfully passing a third party audit demonstrating compliance with the NAPBS Background Screening Agency Accreditation Program. By choosing an accredited screening firm like ESR, employers know they have selected an agency that meets the highest industry standards. For more information about ESR, visit https://www.esrcheck.com or call toll free 888.999.4474.

About ESR News:
The Employment Screening Resources (ESR) News blog – ESR News – provides employment screening information for employers, recruiters, and jobseekers on a variety of topics including credit reports, criminal records, data privacy, discrimination, E-Verify, jobs reports, legal updates, negligent hiring, workplace violence, and use of search engines and social network sites for background checks. For more information about ESR News or to send comments or questions, please email ESR News Editor Thomas Ahearn at [email protected].