
The Dangers of “Offshoring” Personally Identifiable Information (PII) Outside of United States

A Whitepaper

By

Employment Screening Resources (ESR)

Novato, CA

© Copyright Employment Screening Resources (ESR) 2012. All rights reserved. The materials in this document may not be republished or reproduced in any way without the written permission of Employment Screening Resources (ESR). This document may be modified in the future as developments occur. Please check the ESR website to make sure you have the most recent version of this Whitepaper.

Contents

Introduction

Personally Identifiable Information (PII)

PII Definition

Dangers of Offshoring

Quality of Work

Home Workers

Offshoring Data Breaches and Data Breach Concerns

News Stories Reveal the Dangers of Offshoring

Offshoring IT Jobs Leads to Dramatic Increases in Data Breaches

Offshoring Transcription

ConcernedCRAs

Short History of Offshoring & PII Legislation

First Law in the Nation to Address Offshoring

California Senate Bill 909 (CA SB 909)

SB 909 – Notification to Consumers

SB 909 – CRA Privacy Practices on Web Site

SB 909 – CRA Privacy Policies Online

SB 909 – “Conspicuously Post”

SB 909 – Language from 1786.20

SB 909 – Third Parties

SB 909 – Separate Section on Privacy Policy

SB 909 – Damages

SB 909 – Summary

Gramm-Leach-Bliley Act ("GLBA")

Health Insurance Portability and Accountability Act of 1996 ("HIPAA")

Notify Americans Before Outsourcing Personal Information Act

International Verifications Present Unique Risks

Conclusion

About Employment Screening Resources (ESR)

Introduction

“Offshoring” of pre-employment screening occurs because an increasingly large number of national background screening firms routinely offshore a substantial part of their workflow, including the processing of background reports and verifications. The work is offshored to countries with cheaper production costs, particularly places with inexpensive labor, such as India and the Philippines. The offshoring process necessarily includes sending a great deal of Personally Identifiable Information (“PII”) offshore in order to facilitate the work. The reason for offshoring is straightforward — to reduce costs and increase profit. Unfortunately, the side effect for employers and job applicants can be putting PII at considerable risk as well as compromised quality and accuracy. In addition, once PII goes offshore, it is beyond the protections of U.S. privacy laws. If an applicant is the victim of identity theft, they cannot as a practical matter call the Mumbai or Manila Police Departments and ask for help. Generally, firms that offshore provide little or no disclosure to their clients or the clients’ applicants, to avoid the negative implications associated with the practice. Employers need to know if personal information is going offshore in order to assess whether the cost savings are worth the privacy and quality considerations. Applicants need to know if offshoring is taking place in order to decide whether the risk of identity theft is meaningful enough to them to forego the background screening process and seek employment elsewhere.

Personally Identifiable Information (PII)

When a United States resident applies for a job, they are likely to undergo a pre-employment background check. A disclosure and consent form required by law is completed by the applicant, on which they provide, among other things, their name, date of birth, and Social Security number (“SSN”) — in other words, everything needed for identity theft. What job applicants do not know is that there is a substantial likelihood that their Personally Identifiable Information (“PII”) will end up outside the U.S. and its territories, in a foreign call center or data processing location well beyond the protection of U.S. privacy laws, through the process known as “offshoring.” The practice of offshoring provides virtually no protection against identity theft.

It is not relevant where a firm’s servers are located. If an offshore worker is able to access PII, then the potential for Identity Theft exists. Nor is the formal legal relationship between the U.S. firm and the offshore worker relevant in the least. It does not matter if the offshore worker is an employee of the American firm, an employee of some legal subsidiary, an employee of a firm hired by the U.S. firm, or an independent contractor — once data goes offshore, U.S. legal protections vanish and there is strong historic evidence of a risk of Identity Theft. Of course, Identity Theft can occur inside the U.S. as well. The big difference? In the U.S. there are laws and protections in place that allow victims of Identity Theft not only to avail themselves of legal protection, but to more easily discover the cause of the theft and take appropriate legal action. For example, data breach notification laws throughout the U.S. are a strong protection against Identity Theft, and those have no effect once PII goes offshore. (Note: It is beyond the scope of this Whitepaper to review the protections and remedies afforded to U.S. residents in the event of Identity Theft or a Data Breach in the U.S.) However, an outstanding compilation of resources and remedies available for victims of Identity Theft in the U.S. has been assembled by Privacy Rights Clearinghouse at: http://www.privacyrights.org/Identity-Theft-Data-Breaches.

PII Definition

The U.S. Office of Management and Budget (OMB) defines Personally Identifiable Information (PII) in terms of the following data points, which are often used for the express purpose of distinguishing an individual’s identity (see: http://en.wikipedia.org/wiki/Personally_identifiable_information):

• Full name.
• Birthday.
• Birthplace.
• Social Security Number (SSN).
• Vehicle registration plate number.
• Driver’s license number.
• Credit card number.
• National identification number.
• IP (Internet Protocol) address.
• Face, fingerprints, or handwriting.
• Digital identity.
• Genetic information.

Dangers of Offshoring

Quality of Work

In addition to the potential for privacy violations and Identity Theft, the issue of quality of work requires emphasis, since “offshore” means outside the normal quality control reach of a U.S. firm. In background screening, cultural knowledge is necessary. For example, most people in the U.S. would know that “UCLA” stands for “University of California, Los Angeles” when verifying an applicant’s education. A person outside of the U.S. could well struggle with that simple term. Even more troubling is the opportunity for error on a criminal background check, given the wide variety of screening-industry-specific terms relating to criminal charges and dispositions that vary from state to state, not to mention the numerous restrictions on what may be reported by the screening firm and what information may ultimately be considered for employment purposes.

Home Workers

Another issue related to offshoring is “home workers,” some of whom fall under the category of “offshore workers” as well. Even where a home worker is in the U.S., any PII put into their hands loses most, if not all, of the protections it would have in a business facility with the requisite access controls along with physical and technical security protocols. Employers dealing with home workers who handle part of their screening work may have to deal with issues of professionalism, training, quality control, and reliability. This is not to suggest that home workers are not perfectly capable workers, but the arrangement must be examined carefully given the sensitive nature of the work and the privacy issues involved.

Offshoring Data Breaches and Data Breach Concerns

The dangers of offshoring have been demonstrated over the past few years in a number of news stories, investigations, and studies, some of which are included below.


News Stories Reveal the Dangers of Offshoring

BBC Investigation Reveals Personal Identifiable Information Sold from Offshore Call Center:

On March 19, 2009, the British Broadcasting Corporation (BBC) broke the dramatic story of its undercover investigation into identity theft from a call center in India. According to the story, a criminal gang selling UK credit card details stolen from Indian call centers had been exposed by an undercover BBC News investigation. Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man. The undercover investigators were able to purchase the credit data for $10 a card. It appeared that the data was stolen as a result of UK residents purchasing products from a call center processing sales for the large IT firm Symantec. The story is at http://news.bbc.co.uk/1/hi/uk/7953401.stm. After the story broke, Symantec notified authorities in the U.K., the U.S. and Puerto Rico that the credit card information of around 200 of its customers might have been compromised. Symantec indicated that the evidence pointed to a single call center representative. http://www.infosecurity-magazine.com/view/1014/symantec-admits-card-data-probably-leaked-from-india/. This story underscores that once personally identifiable information (PII) leaves the U.S., consumers are at potential risk. In this case, but for the extraordinary efforts of undercover journalists from the BBC, the violations of personal privacy may never have surfaced, and individual consumers would not have known how their card data was breached, or how to deal with it. Of course, call center breaches can occur in the United States as well, but when they do, there are resources and recourses for consumers. When data is stolen offshore, consumers may never know where the problem occurred. In addition, how could a U.S. consumer, as a practical matter, call a foreign police department to ask for help?

Investigation into stolen identities in India:

An undercover TV investigation claims to have infiltrated criminal gangs selling thousands of UK credit card and passport details for as little as £5 each from the country’s offshore call centers. The Channel 4 Dispatches documentary follows a 12-month investigation that resulted in footage of middlemen offering the undercover reporter credit card details of 100,000 customers of UK high-street banks from Indian call centers. For more information, see: http://services.silicon.com/offshoring/0,3800004877,39163025,00.htm.

Indian call center staff nicked for fraud:

Three workers from an Indian call center have been arrested for defrauding US bank customers. In total twelve people have been arrested for cheating Citibank customers out of $350,000. Three of the men worked for Mphasis, an offshoring firm which runs call centers in Bangalore and Pune. They are accused of charming PIN numbers out of customers and using them to transfer funds illegally, according to the Associated Press (AP). Customers noticed the dodgy transfers and complained to Citibank, which traced the problem back to Pune. Bank officials then contacted the police. There have been concerns that offshoring business services increases the danger of fraud. The fact that this scam relied on old school social hacking — getting customers to tell you their PIN number — may reassure some. The team was in the process of transferring another raft of funds when they were arrested by Pune's Cyber Crime unit. The men have been remanded in custody until April 11. For more information about this story, see: http://www.theregister.co.uk/2005/04/11/india_callcentre_fraud_arrests/.

Recent undercover ‘sting’ operations reveal how easy it is to purchase customer information from call centers:

Indian call centers know that overseas clients are not entirely comfortable with customer data being processed offshore, so they stop at nothing to give a warm, safe feeling. Further down the food chain the contact centers may not be as reputable or as well managed but then it's the responsibility of the mobile phone companies using the contact center service to protect their customer information - so they should only be dealing with trusted partners anyway. See: http://services.silicon.com/offshoring/0,3800004877,39163049,00.htm.

Indian call centers accused of selling Britons' personal data for as little as two pence: In March 2012, an undercover investigation discovered Indian call centers selling Britons' confidential personal data – including credit card information, medical and financial records – to criminals and marketing firms for as little as two pence. Two ‘consultants’ who claimed to be IT workers at several call centers boasted to undercover reporters of possessing personal information on nearly 500,000 Britons. The information related to customers of major British financial companies and would allow criminals to siphon thousands of pounds from bank accounts in minutes. See: http://in.news.yahoo.com/indian-call-centres-accused-selling-britons-personal-data-045625037.html.

Offshoring IT Jobs Leads to Dramatic Increases in Data Breaches

Sending Information Technology (IT) jobs abroad can help cut costs, but it can also increase security risks. A survey of 350 IT managers quoted in Security Management Magazine demonstrates the risk to privacy and data protection when it comes to “offshoring.” According to the survey, conducted by Amplitude Research, 69 percent of all respondents said they thought outsourcing decreased network security, while about half of IT managers working for companies that outsourced IT jobs to other countries said their security had been negatively impacted, and 61 percent said their company had experienced a data breach. The study noted that data breaches occurred in just 35 percent of the companies that do not send IT jobs outside of the U.S. See: http://www.securitymanagement.com/article/outsourcing-risk-006564. This survey naturally raises questions as to the safety of sending Personally Identifiable Information (PII) of American job applicants offshore in order to prepare background checks. The bottom line: Before selecting a background screening firm, employers should determine whether that firm is processing information outside of the U.S. The risk is significant, even if the offshore facility is wholly owned by, or a subsidiary of, a U.S. firm. An employer needs to have a full understanding of how data and privacy are protected once the data leaves the U.S., and what duty is owed to job applicants in terms of notice that their data is going abroad.

Offshoring Transcription

A news story (‘A tough lesson on medical privacy – Pakistani transcriber threatens UCSF over back pay’ by David Lazarus, San Francisco Chronicle, October 22, 2003) about a California hospital that outsourced its medical transcribing, with the work ending up in Pakistan, shows the dangers of offshoring personal and sensitive data. In the story, a medical transcriber in Pakistan got into a dispute with her employer about wages and threatened to publish the medical records of thousands of Americans on the Internet. To read the news story, visit: http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL.

Needless to say, the hospital suffered a great deal of negative publicity, and the privacy and confidentiality of the medical records of numerous Americans was endangered because their personal information was sent offshore, beyond the reach of U.S. privacy laws. Of course, even after the matter was settled with appropriate payments, no one knows for sure what information the offshore worker may have decided to keep, or for what reason.

According to the American Transcription Association (ATA), “offshoring” in terms of transcription is the act of subcontracting transcription to workers outside of the United States, and the ATA is against offshoring for two main reasons:

• Sending personal information outside of the country can lead to unsecured transfer of personal data and even information and identity theft; and

• Offshoring work means U.S.-based transcriptionists are losing jobs.

The ATA is not comfortable with personal medical, financial, legal, and other personal information of Americans being on computers in a foreign country, and does not think that many Americans would feel comfortable either. The ATA is not convinced that the full confidentiality required when handling these documents can be reasonably enforced when the work is offshored.

Medical transcriptionists in the U.S. are bound by the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of your medical records and sets strict standards for the secure handling, transfer, and storage of files. However, U.S. law does not apply in the foreign countries to which many companies offshore their transcription work. Some organizations may not even realize that the records of their clients or patients are leaving the country: they subcontract their work to an American transcription company and assume all work will be done in the U.S., which is not always the case.

Although there has been talk at state and federal levels of implementing new Acts or amending current ones regarding offshoring, there are no current U.S. laws that explicitly prevent companies from offshoring personal information. As a result, documented cases of offshore transcriptionists who have threatened to disclose personally identifying information from medical records – which would have been a breach of HIPAA – face little chance of being extradited and brought to justice in America, making foreign transcriptionists immune to prosecution for all intents and purposes.

While offshoring transcription work can be cheaper because wages are so much lower in some foreign countries than in the U.S., the ATA believes personal and sensitive information “should not be handled by the lowest bidder” and serious privacy, confidentiality, and security issues need to be addressed. Find out more about offshoring at the American Transcription Association (ATA) website at: http://www.ataus.org.

ConcernedCRAs

To help combat offshoring of PII, a group of more than 125 like-minded Consumer Reporting Agencies (“CRAs”) have formed the industry group ‘ConcernedCRAs’ (http://www.concernedcras.com), whose members endorse and subscribe to a set of standards that opposes the processing of consumer reports outside of the United States.

Members of ConcernedCRAs have committed to not offshore Personally Identifiable Information and to perform all domestic background checks exclusively in the United States.

ESR performs all processing and preparation in the U.S. in order to protect applicants and employers, the only exception being when performing an international verification using information residing outside the U.S. (see below).

Short History of Offshoring & PII Legislation

California has led the way in preventing the misuse of personal information in order to fight the rising tide of identity theft.

First Law in the Nation to Address Offshoring

The goal of passing legislation regarding offshoring became a reality with California Senate Bill 909 (CA SB 909), signed into law in September of 2010 and effective as of January 1, 2012. SB 909 appears to be the first law in the nation to recognize and address the issue of offshoring. SB 909 does not prohibit or regulate offshoring, but is a disclosure bill, with key provisions discussed in the following section.

California Senate Bill 909 (CA SB 909)

On September 29, 2010, Governor Arnold Schwarzenegger signed into law California Senate Bill 909 (SB 909), which appears to be the first law in the nation that addresses the issue of Personally Identifiable Information (PII) of consumers who are the subjects of background checks being sent “offshore” (i.e. outside the United States or its territories and beyond the protection of U.S. privacy and identity theft laws). Employers in California – and employers doing business in California – need to be aware of this new law that will change the way employers conduct background checks in the state.

Authored by State Senator Rod Wright (D – Inglewood), SB 909 amends the California Investigative Consumer Reporting Agencies Act (ICRA), which regulates background checks in California. SB 909 requires a new disclosure to consumers, and additions to a Consumer Reporting Agency’s privacy policy, before their personal information, such as Social Security Numbers (SSN), is sent offshore, outside of the United States. SB 909 is NOT a regulatory bill, since it does not regulate or prohibit offshoring. It is a disclosure bill only, so that consumers have a way to be aware of the background screening agency’s privacy practices, including whether the consumer’s PII will be sent outside of the country.

SB 909 - Notification to Consumers

CA SB 909 added language to Civil Code 1786.16 requiring that a consumer be notified, as part of the disclosure made before the background check, of the web address where that consumer “may find information about the investigative reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories.” If a background screening firm does not have a web site, then the background screening firm must provide the consumer with a phone number where the consumer can obtain the same information.

Language from Civil Code 1786.16

(vi) Notifies the consumer of the Internet Web site address of the investigative consumer reporting agency identified in clause (iv), or, if the agency has no Internet Web site address, the telephone number of the agency, where the consumer may find information about the investigative reporting agency’s privacy practices, including whether the consumer’s personal information will be sent outside the United States or its territories and information that complies with subdivision (d) of Section 1786.20. This clause shall become operative on January 1, 2012.

SB 909 – CRA Privacy Practices on Web Site

SB 909 additionally requires an investigative Consumer Reporting Agency (CRA) to “conspicuously post” on its primary Internet Web site information describing its privacy practices with respect to its preparation and processing of investigative consumer reports. If the CRA does not have an Internet Web site, it has to mail a written copy of the privacy statement to consumers upon request. This clause became operative on January 1, 2012.

SB 909 – CRA Privacy Policies Online

The CRA’s privacy policy must contain “information describing its privacy practices with respect to its preparation and processing of investigative consumer reports.” Specifically, background screening firms in California (and firms that do business in California) must have a statement in their privacy policy entitled “Personal Information Disclosure: United States or Overseas” that indicates whether the personal information will be transferred to third parties outside the United States or its territories.

SB 909 – “Conspicuously Post”

SB 909 requires a CRA to conspicuously post its privacy policy:

SB 909 – Language from 1786.20

1786.20(d) (1) An investigative consumer reporting agency doing business in this state shall conspicuously post, as defined in subdivision (b) of Section 22577 of the Business and Professions Code, on its primary Internet Web site information describing its privacy practices with respect to its preparation and processing of investigative consumer reports. If the investigative consumer reporting agency does not have an Internet Web site, it shall, upon request, mail a written copy of the privacy statement to consumers. The privacy statement shall conspicuously include, but not be limited to, both of the following: (A) A statement entitled “Personal Information Disclosure: United States or Overseas,” that indicates whether the personal information will be transferred to third parties outside the United States or its territories. (B) A separate section that includes the name, mailing address, e-mail address, and telephone number of the investigative consumer reporting agency representatives who can assist a consumer with additional information regarding the investigative consumer reporting agency's privacy practices or policies in the event of a compromise of his or her information.

The term “conspicuously post” is defined in California Business and Professions Code Section 22577:

(b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following: (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site. (2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable. (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following: (A) Includes the word "privacy." (B) Is written in capital letters equal to or greater in size than the surrounding text. (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

SB 909 – Third Parties

SB 909 defines “third parties” as including, but not being limited to:

• A contractor,

• Foreign affiliate,

• Wholly owned entity, or

• An employee of the investigative consumer reporting agency.

SB 909 – Separate Section on Privacy Policy

SB 909 also requires a “separate section” that includes the name, mailing address, e-mail address, and telephone number of the investigative consumer reporting agency representatives who can assist a consumer with additional information regarding the investigative consumer reporting agency’s privacy practices or policies in the event of a compromise of his or her information.

SB 909 – Damages

In the event a consumer is harmed by virtue of a background screening firm negligently preparing or processing data outside of the U.S., SB 909 provides for damages to the consumer in an amount equal to the sum of:

• Any actual damages sustained by the consumer as a result of the unauthorized access, and

• The costs of the successful legal action together with reasonable attorney’s fees, as determined by the court.

SB 909 – Summary

By January 1, 2012, employers should add the URL (Uniform Resource Locator) link to their privacy policy to their online forms (or comply with the provision for firms without web sites). Employers should add the required information to their online privacy policy and the front page of their web site (or have material to mail to an applicant upon request). Employers should remember that there is currently civil liability of $10,000 per applicant for non-compliance by an employer or CRA, so it is important to make sure you and your client are in compliance.

To read California Senate Bill 909, visit: http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_0901-0950/sb_909_bill_20100929_chaptered.pdf.


Gramm-Leach-Bliley Act ("GLBA")

The main federal protections are contained in the Gramm-Leach-Bliley Act ("GLBA") that provides standards for financial institutions relating to administrative, technical, and physical safeguards: (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Health Insurance Portability and Accountability Act of 1996 ("HIPAA")

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

Notify Americans Before Outsourcing Personal Information Act

Unfortunately, all such protections as a practical matter cease to exist once PII leaves the shores of the United States. Although some countries, such as the European Union (EU) states, have extremely strong data and privacy protection laws, many places to which information is sent offshore have very little if any protection. In addition, as a practical matter, American consumers have no ability to enforce their privacy rights overseas. In many countries, there is little practical or cost-effective access to courts, and it is extremely difficult for an American consumer to contact a foreign police department to lodge a complaint or to obtain assistance. The lack of any meaningful protection once U.S. data is sent offshore is a major gap in the effort to combat identity theft and to protect privacy.

As an example of the importance of this issue, a bill called the “Notify Americans Before Outsourcing Personal Information Act” was introduced in Congress on January 19, 2009. According to the Congressional Research Service Summary, the bill: “Prohibits a business from transferring personally identifiable information of a U.S. citizen to any foreign affiliate or subcontractor in another country without providing notice to such citizen that the information may be transferred to such affiliate or subcontractor.” The bill also “authorizes a private cause of action in a state court to enforce compliance with this Act.” The bill, sponsored by Rep. Ted Poe (R-TX), was introduced and referred to committee, but no further action has been taken. See: http://www.govtrack.us/congress/bill.xpd?bill=h111-427.

International Verifications Present Unique Risks

Background screening firms that send Personally Identifiable Information (PII) offshore for processing could find themselves in the same boat as the hospital mentioned earlier, whose medical transcription work was sent offshore and whose offshore worker threatened to place confidential material online unless more money was paid. When a background screening firm does an international verification of employment or education by sending PII, such as a copy of a diploma or passport, to an offshore agent, that background screening firm is playing ‘Russian Roulette’ with its reputation and with the financial repercussions that can follow a data breach. The offshore agent is completely beyond U.S. privacy rules, and there is little control over what they do with the information. As the California hospital found out, sending private data abroad for processing is risky business.

In order to protect U.S. screening firms as well as U.S. employers and job applicants, a unique approach to international verification of employment and education is necessary. Employers and schools providing verification information are, in the parlance of international privacy agreements, “data controllers.” PII is only provided directly to the “data controller,” meaning the school or employer that has the information needed. Even then, only the minimum amount needed by the school or employer to get the verification is supplied.

For those countries with agents on the ground, those agents do NOT receive or handle any PII. The agent instead contacts the “data controller” to establish the means of verification. When PII is needed, it is sent DIRECTLY and securely from U.S. offices to the “data controller,” and the offshore agent never has confidential or personal information. The only exception is where the verification must be done in person. This can occur in unique situations such as schools that will not respond to email or phone calls, or countries with poor infrastructure where an in-person visit is needed to obtain the information.

The bottom line: Protection of PII is mission critical for any background screening firm, and it does not change when there is an international verification. Sending any PII offshore creates a substantial and entirely unnecessary risk. Background screening firms can and should provide their clients with international verifications without risk of compromising PII.

Conclusion

With the advent of SB 909 in California, the issue of offshoring PII is something that employers need to consider seriously. Background screening firms possess large amounts of personal data on millions of consumers. There are no official statistics on how many background checks are processed offshore and how much data is sent offshore, since background screening firms that engage in this practice do not want it widely known. However, within the background screening industry, it is a well-known fact that large background screening firms offshore PII in bulk on a daily basis in order to lower their operating costs and increase profits.

An employer is well advised to ensure they understand the offshoring and privacy policies of the background screening firm they utilize in order to make a decision about whether offshoring meets their needs and the needs of the applicants. Employers should critically review thin explanations, such as that the “servers” are onshore, or that the foreign workers are employees of the U.S. firm. The key point is that if anyone outside the U.S. has access to PII, a substantial risk is created.

About Employment Screening Resources (ESR)

Employment Screening Resources (ESR), ‘The Background Check Authority℠’, provides accurate and actionable information, empowering employers to make informed safe hiring decisions for the benefit of our clients, their employees, and the public. ESR literally wrote the book on background screening with “The Safe Hiring Manual” by ESR founder and CEO Lester Rosen. ESR streamlines the screening process and reduces administrative overhead through its proprietary technology solutions.


ESR is one of a select few screening firms accredited by The National Association of Professional Background Screeners (NAPBS®). This important recognition was achieved by successfully passing a third party audit demonstrating compliance with the NAPBS Background Screening Agency Accreditation Program. By choosing an accredited screening firm like ESR, employers know they have selected an agency that meets the highest industry standards. For more information, visit http://www.ESRcheck.com, read the ESR News blog at http://www.esrcheck.com/wordpress/, or call us at 415.898.0044 or Toll Free at 888.999.4474.

About the Author – Attorney Lester Rosen

Lester S. Rosen

Founder and CEO of Employment Screening Resources (ESR)

Lester S. Rosen graduated from UCLA with Phi Beta Kappa honors and received a J.D. degree from the University of California at Davis, where he was a member of the Law Review. He holds the highest attorney rating of A.V. in the national Martindale-Hubbell listing of American Attorneys. He is a former deputy District Attorney in Marin and Riverside Counties, California, a noted criminal defense attorney, and an adjunct professor of criminal law and procedure at the University of California Hastings College of the Law. Qualified as an expert witness, he has testified on issues surrounding safe hiring and due diligence.

He was the chairperson of the steering committee that founded the National Association of Professional Background Screeners (NAPBS), a professional trade organization for the screening industry with over 600 CRA members. He was elected to the first board of directors and served as the association’s first co-chairman.

He is the author of “The Safe Hiring Manual” and “The Safe Hiring Audit” and is also a frequent presenter on pre-employment screening and safe hiring issues with speaking appearances that include numerous national and statewide conferences.
