Information Security Crucial for Background Screening Companies Accredited by the NAPBS

Written By ESR News Editor Thomas Ahearn

Having information security safeguards in place to protect against unauthorized users and unwanted intrusions caused by data breaches to avoid identity theft and fraud is crucial for background screening companies accredited by the National Association of Professional Background Screeners (NAPBS).

The NAPBS, a non-profit trade association representing the background screening industry founded in 2003, offers Consumer Reporting Agencies (CRAs) – the official name for background screening companies – a way to be accredited through its Background Screening Agency Accreditation Program (BSAAP).

CRAs accredited by the BSAAP are committed to uphold and deliver the highest level of industry standards for six critical areas that include “Information Security,” “Legal and Compliance,” “Client Education,” “Researcher and Data Standards,” “Verification Services Standards,” and “Business Practices.”

“Information Security” is the first of six areas covered by the BSAAP standard – which was updated in 2018 – and includes 12 clauses that CRAs must follow in order to become accredited by the NAPBS. There are 68 clauses in the entire BSAAP standard. Here are the clauses for “Information Security”:

1.1 Information Security Certification – Wherever Personally Identifiable Information (PII) is held, whether at CRA, CRA’s data center (whether internal or hosted), and/or CRA’s platform provider (whether internal or hosted) such entity must hold a current (current as defined by the certifying body) information security certification and/or provide written evidence of completing an information security audit for which no critical, high-risk, or severe security vulnerabilities remain uncured. The source of such certification and/or written evidence must be a qualified security assessor.
1.2 Information Security Policy – CRA must have and follow a written information security policy which, at a minimum, complies with applicable law and regulation. CRA must designate one or more individuals responsible for implementing, managing and enforcing the information security policy (individual(s) may be internal or contracted).
1.3 Data Security – CRA must have and follow procedures to protect consumer information under the control of the CRA from internal and external unauthorized access. These procedures must include specifications for the securing of information when electronically transmitted, as well as information in both hard copy and electronic form including information stored on portable and/or removable electronic devices. At a minimum, procedures must meet all applicable legal and regulatory requirements.
1.4 Intrusion and Data Security – CRA must have and follow procedures to prevent, detect, investigate and respond to an information system intrusion, including consumer notification and other breach notifications where mandated. At a minimum, procedures must meet all applicable legal and regulatory requirements.
1.5 Storage and Backup of Data – CRA must have and follow procedures to ensure data is backed up and stored in an encrypted or otherwise protected manner. At a minimum, procedures must meet all applicable legal and regulatory requirements.
1.6 Access Protocol – CRA must have and follow procedures requiring use of secure access protocols for CRA workers, authorized client users, and any other authorized users accessing Consumer Information. At a minimum, procedures must meet all applicable legal and regulatory requirements.
1.7 Electronic Access Control – CRA must have and follow procedures to control access to all electronic information systems and electronic media that contain consumer information. CRA must have procedures in place to administer access rights. CRA workers and authorized client users must only be given the access necessary to perform their required functions. Access rights must be updated based on personnel or system changes.
1.8 Physical Security – CRA must have and follow procedures to control physical access to all areas of CRA facilities, including data storage facilities that contain consumer information.
1.9 Consumer Information Privacy Policy – CRA must have and follow a Consumer Information Privacy Policy detailing the purpose of the collection of consumer information, the intended use, and how the information will be shared, stored and destroyed. The CRA must post this policy on its website, if it has one. CRA must have and follow procedure to make said policy available to clients and/or consumers upon request and in at least one other format.
1.10 Unauthorized Browsing – CRA must have and follow a policy that prohibits CRA workers from searching files and databases unless they have a bona fide business necessity.
1.11 Record Destruction – When records containing consumer information are to be destroyed or disposed of, CRA must have and follow a policy meeting all applicable legal and regulatory requirements and ensure that all such records and data are destroyed and unrecoverable.
1.12 Sensitive Data Masking – CRA must have and follow a procedure to suppress or truncate Social Security Numbers and other sensitive data elements as required by law. If end user requires full SSN or other sensitive data elements, CRA must obtain certification from end user that end user will comply with all applicable legal and regulatory requirements in regard to use, safeguarding, and destruction of such information.

To become accredited by the NAPBS, CRAs must demonstrate initial and ongoing compliance with the accreditation standard as prepared by the Background Screening Credentialing Council (BSCC). Compliance is demonstrated through rigorous audits completed by an independent third-party auditor.

CRAs must document each of their policies and processes as required in each of the areas within the standard and demonstrate visible compliance with their policies to the auditor. Accreditation lasts for a period of five years, after which time firms are required to recomplete the process to remain accredited.

Founded as a non-profit trade association in 2003, the NAPBS currently represents more than 880 members engaged in background screening across the United States. NAPBS member companies range from Fortune 100 firms to small local businesses. To learn more about the NAPBS, visit www.napbs.com.

In May of 2019, the NAPBS selected Dawn Standerwick, Vice President of Strategic Growth at Employment Screening Resources® (ESR), as the “NAPBS Volunteer of the Month.” Standerwick currently serves as Chair of the Ethics Committee and is active with the Finance and Government Relations Committees.

In October of 2018, Standerwick was recognized as longest serving Board Member in the history of the NAPBS with nine years of service that included four years as a Regular Director and five years serving on the Executive Committee as Secretary, Treasurer, Chair Elect, Chair, and Immediate Past Chair.

Employment Screening Resources® (ESR) is a “Founding Member” of the NAPBS and is accredited under the BSAAP. ESR Founder and CEO Attorney Lester Rosen was the Chairperson of the steering committee that founded the NAPBS and served as first co-Chair. To learn more about ESR, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2019 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_parsely_session	30 minutes	This cookie is used to track the behavior of a user within the current session.
_parsely_visitor	1 year 1 month	This cookie store anonymous user idnetifier to determine whether a visitor had visited before, or if its a new visit.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
cookies.js_dtest	session	No description
test	session	No description available.

Common Ways Prospective or Current Employees Sue Employers Under the FCRA

Critical Steps for Ex-Offenders to Get Back Into the Workforce

Common Ways Prospective or Current Employees Sue Employers Under the FCRA

Critical Steps for Ex-Offenders to Get Back Into the Workforce