This newsletter is sent to clients of Employment Screening Resources (ESR) as well as employers, Human Resources and Security professionals, and law firms who have requested information on pre-employment screening, safe hiring, the FCRA and legal compliance. Please note that ESR's statements about any legal matters are not given or intended as legal advice but only general industry information.  For specific legal advice, employers should contact their attorney.  If this was sent in error, you can be removed from this mailing by simply using the “remove" feature at the end of the newsletter and you will not receive any future newsletters.

(Reading time: Less than 5 minutes)
May 2009            Vol. 9, No. 5

ESR Newsletter and Legal Update

1. BBC Investigation Reveals Personal Identifiable Information Sold from Offshore Call Center

2. Data Breach Notices from US Businesses Underscores the Importance of Data Security Measure

3. ESR Article on Trends, Developments and Best Practices Featured in Leading International Security Magazine

1. BBC Investigation Reveals Personal Identifiable Information Sold from Offshore Call Center

On March 19, 2009, the British Broadcasting Corporation (BBC) broke the dramatic story about its undercover investigation into identity theft from a call center in India.  According the to the story: 

A criminal gang selling UK credit card details stolen from Indian call centers has been exposed by an undercover BBC News investigation.

Reporters posing as fraudsters bought UK names, addresses and valid credit card details from a Delhi-based man.

The undercover investigators were able to purchase the credit data for $10 a card.  It appeared that the data was stolen as a result of UK residents purchasing products from a call center processing sales for the large IT firm Symantec.  The story is at http://news.bbc.co.uk/1/hi/uk/7953401.stm

After the story broke, Symantec notified authorities in the U.K., the U.S. and Puerto Rico that the credit card information of around 200 of its customers might have been compromised.  Symantec indicted that evidence pointed to a single call center representative. http://www.infosecurity-magazine.com/view/1014/symantec-admits-card-data-probably-leaked-from-india/

This story underscores that once personally identifiable information (PII) leaves the U.S., consumers are at potential risk.  In this case, but for the extraordinary efforts of undercover journalists from the BBC, the violations of personal privacy may never have surfaced and individual consumers would not have known how their card was breached, or how to deal with it.

Of course, call center breaches can occur in the United States as well, but if it does, there are resources and recourses for consumers.  When data is stolen offshore, consumers may never know where the problem occurred.  In addition, how could a U.S. consumer, as a practical matter, call a foreign police department to ask for help?

Although many US industries do use offshore services, some 60 background firms have branded together under the website http://www.concernedcras.com/ to demonstrate their commitment not to offshore.   The use of offshore labor will continue to be a hot issue in the US for some time. 

2. Data Breach Notices from US Businesses Underscores the Importance of Data Security Measure

According to press accounts over the last few years, U.S. businesses have been the victims of data theft or loss, resulting in the issuance of breach notices to consumer.

The screening industry, because it handles personal data, has special responsibilities to safeguard data.  Under FCRA Section 607(a), every consumer reporting agency has an obligation to…

Maintain reasonable procedures designed to ……
to limit the furnishing of consumer reports to the purposes listed” under the FCRA.

The reasonable procedures require that clients certify the purpose for getting information and further certify they will use it for no other purpose.

A background firm must make “a reasonable effort to verify the identity of a new prospective user and the uses certified by such prospective user prior to furnishing such user a consumer report.”

A background firm cannot provide information if it has reasonable grounds to believe it will not be used for a permissible purpose under the FCRA.

No consumer reporting agency may furnish a consumer report to any person if it has reasonable grounds for believing that the consumer report will not be used for a purpose listed,” in the FCRA.

What this means is that a background screening firm needs to take precautions to prevent data from falling into the wrong hands.  ESR follows industry best practices is safeguarding personal data.

3. ESR Article on Trends, Developments and Best Practices Featured in Leading International Security Magazine

Security Management Magazine, the official publication of ASIS international, featured an article on background screening by ESR as a cover story in its May, 2009 edition.  ASIS International is considered the preeminent international organization for security professionals.  The article can be found at http://www.securitymanagement.com/article/how-avoid-hiring-mishaps-005529

The article, authored by ESR President Lester Rosen, was titled, “How to Avoid Hiring Mishaps,” and covered a range of current issues affecting background screening and due diligence.  Some of the main points are:

1. Criminal databases, although valuable due to the millions of records, should not be used as a primary tool for screening, due to issues of accuracy, timeliness and complexities.
2. Criminal databases are also subject to a number of legal issues, especially surrounding the application of the federal Fair Credit Reporting Act.
3. Even if an employer locates a criminal history, its use for employment is limited by discrimination laws.  The State of New York for example, just passed a series of new laws to ensure that individuals with criminal records are not locked out permanently from society.
4. Employers need to be especially carful in the use of automatic “adjudication rules” for criminal records without taking into account the particulars of the crime, the person and the job.
5. Education fraud is on the increase, and now even includes fake accreditation agencies to accredit fake degrees.
6. Although employers have discovered a treasure trove of information by using the internet and social network sites such as Facebook and MySpace, the jury is still out on whether it is a good idea to utilize those sites.  There can be issues concerning discrimination, violation of privacy rights, the improper use of legal off duty conduct and problems with authenticity and reliability.
7. Given the mobility of workers across international borders, employers need to factor international screening into their programs.

ESR Articles (click for more info)

The FCRA in 4 Easy Steps
Find out how to be in compliance with the FCRA

Criminal Records and Employment Applications
What questions should employers be asking?

10 Safe Hiring Tools
These tools don’t cost anything and promote a safe and profitable workplace

Negligent Hiring
What occurs when Due Diligence is not performed

Please feel free to contact Jared Callahan at ESR at 415-898-0044 or jcallahan@esrcheck.com if you have any questions or comments about the matters in this newsletter. Please note that ESR's statements about any legal matters are not given or intended as legal advice.

Employment Screening Resources (ESR)
www.ESRcheck.com
7110 Redwood Blvd., Suite C
Novato, CA 94945
415-898-0044

3Back to Newsletters