Written By ESR News Blog Editor Thomas Ahearn
Having consumer protection safeguards in place to keep out unauthorized users and unwanted intrusions is crucial for background screening firms accredited by the National Association of Professional Background Screeners (NAPBS®). These policies and procedures protect the information of individuals during background checks and guard against data breaches and identity theft. This blog is the first in a six-part series about the NAPBS Background Screening Agency Accreditation Program (BSAAP).
‘Consumer Protection’ is the first of six sections of the BSAAP created for Consumer Reporting Agencies (CRAs) – the technical term for background screening companies – along with ‘Legal Compliance,’ ‘Client Education,’ ‘Researcher and Data Product Standards,’ ‘Verification Service Standards,’ and ‘General Business Practices.’ The BSAAP contains 58 clauses that CRAs must follow to be NAPBS Accredited. The ‘Consumer Protection’ section contains the 13 clauses below:
- 1.1 Information Security Policy – CRA shall have a Written Information Security Policy. CRA shall designate one or more individuals within the organization who are responsible for implementing, managing and enforcing the information security policy.
- 1.2 Data Security – CRA shall have procedures in place to protect consumer information under the control of the CRA from internal and external unauthorized access. These procedures shall include specifications for the securing of information in both hard copy and electronic form, including information stored on portable and/or removable electronic devices.
- 1.3 Intrusion and Data Security – CRA shall have procedures in place to reasonably detect, investigate and respond to an information system intrusion, including consumer notification where warranted.
- 1.4 Stored Data Security – CRA shall have procedures in place to reasonably ensure backup data is stored in an encrypted or otherwise protected manner.
- 1.5 Password Protocol – CRA shall require strong password protocol pursuant to current security best practices.
- 1.6 Electronic Access Control – CRA shall have procedures in place to control access to all electronic information systems and electronic media that contain consumer information. CRA shall have procedures in place to administer access rights. Users shall only be given the access necessary to perform their required functions. Access rights shall be updated based on personnel or system changes.
- 1.7 Physical Security – CRA shall have procedures in place to control physical access to all areas of CRA facilities that contain consumer information.
- 1.8 Consumer Information Privacy Policy – CRA shall have a Consumer Information Privacy Policy detailing the purpose of the collection of consumer information, the intended use, and how the information will be shared, stored and destroyed. The CRA shall post this policy on its Web site, if it has one, and will make said policy available to clients and/or consumers upon request in at least one other format.
- 1.9 Unauthorized Browsing – CRA shall have a policy that prohibits workers from searching files and databases unless they have a bona fide business necessity.
- 1.10 Record Destruction – When records are to be destroyed or disposed of, CRA shall follow FTC regulations and take measures to ensure that all such records and data are destroyed and unrecoverable.
- 1.11 Consumer Disputes – CRA shall have procedures in place for handling and documenting a consumer dispute that comply with the federal FCRA.
- 1.12 Sensitive Data Masking – CRA shall have a procedure to suppress or truncate Social Security numbers and other sensitive data elements as required by law.
- 1.13 Database Criminal Records – When reporting potentially adverse criminal record information derived from a non-government owned or non-government sponsored/supported database pursuant to the federal FCRA, the CRA shall either: A) verify the information directly with the venue that maintains the official record for that jurisdiction prior to reporting the adverse information to the client; or B) send notice to the consumer at the time information is reported.
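Clause 1.12 is the one item in the list above that describes a concrete technical control: suppressing or truncating Social Security numbers before a report leaves the CRA. The following Python is an added example written for this post and is not code from NAPBS, the BSAAP, or ESR. It finds SSNs in report text in both dashed and nine-digit form, leaves alone number patterns the Social Security Administration has never issued (area 000, 666 or 900-999; group 00; serial 0000) so that case numbers and order identifiers are not masked by mistake, and supports both behaviors the clause names: truncation to the last four digits and full suppression. The sample report text is constructed for the example.

```python
import re

# An SSN written as 123-45-6789 or as a bare 123456789. The backreference \2
# requires either both dashes or neither, so "123-456789" is not treated as an
# SSN, and the word boundaries keep the pattern from matching inside longer
# digit runs such as phone or account numbers.
SSN_RE = re.compile(r"\b(\d{3})(-?)(\d{2})\2(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Return False for number patterns the SSA does not issue.

    Issuance rules: area is never 000, 666 or 900-999; group is never 00;
    serial is never 0000. Anything else is treated as a possible SSN.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def mask_ssns(text: str, mode: str = "truncate") -> str:
    """Mask SSNs in free text.

    mode="truncate" keeps the last four digits (XXX-XX-6789), the common
    form for client-facing reports; mode="suppress" removes the number
    entirely, for outputs where even the last four are not needed.
    """
    if mode not in ("truncate", "suppress"):
        raise ValueError(f"unknown mode: {mode!r}")

    def _replace(m: re.Match) -> str:
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)          # not an SSN; leave the text untouched
        if mode == "suppress":
            return "[SSN SUPPRESSED]"
        return f"XXX-XX-{serial}"

    return SSN_RE.sub(_replace, text)


# Constructed sample report text (no real individual or record).
SAMPLE_REPORT = (
    "Subject: Jane Doe, SSN 123-45-6789, DOB 1985-04-12.\n"
    "Prior record: case no. 2023-00123 filed 2023-01-05; SSN on file 234567890.\n"
    "Non-SSN patterns 666-12-3456 and order id 000123456 are left as they are."
)

if __name__ == "__main__":
    print(mask_ssns(SAMPLE_REPORT))
    print(mask_ssns(SAMPLE_REPORT, mode="suppress"))
```

The plausibility check is deliberately narrow: it only rules out values the SSA never assigns, so it reduces false positives without claiming to validate that a number belongs to the named person. Apply the mask at the point where the report is rendered for a client, and keep the unmasked value only in the access-controlled store that clause 1.6 governs.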
Governed by specified requirements and measurements, the BSAAP is becoming a widely recognized seal of achievement that brings national recognition to background screening organizations. This recognition will stand as the industry “seal,” representing a background screening organization’s commitment to excellence, accountability, high professional standards, and continued institutional improvement. To learn more about the BSAAP, visit www.napbs.com/accreditation/.
Founded as a not-for-profit trade association in 2003, the NAPBS represents the interests of more than 880 member companies around the world that offer employment and tenant background screening. NAPBS member companies are defined as “consumer reporting agencies” pursuant to the Fair Credit Reporting Act (FCRA) and are regulated by both the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). To learn more about the NAPBS, visit www.napbs.com.
To read other blogs about the NAPBS, visit www.esrcheck.com/wordpress/tag/napbs/.
ESR Is Accredited by the NAPBS
Founded in the San Francisco, California-area in 1997, Employment Screening Resources® (ESR) is a global background check firm that is accredited by the NAPBS®. ESR also undergoes annual SOC 2® audits to protect the privacy, security, and confidentiality of consumer information. ESR founder and CEO Attorney Lester Rosen wrote the book on background checks with “The Safe Hiring Manual” (3rd Edition published in January 2017). To learn more about ESR, visit www.esrcheck.com.
NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.
© 2017 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.