Self-Govern or Be Governed: Personally Identifiable Information, The Law and CRA's


Background checks are ubiquitous and vital for a growing array of purposes now integral to the efficient running and safety of our society and businesses, including hiring, promotion, reassignment, and retention in employment. Consumer Reporting Agencies (CRA's) are at the foundation of collecting, maintaining, and disseminating the information that eases these fundamental tasks. It is rather ironic that the Federal Government is specifically targeting the Background Screening industry by the increasingly strict application of current laws, as well as by moving towards stringent, HIPAA-type laws and sanctions for the protection of personally identifiable information. These laws apply to any person and entity involved in the CRA process, and they protect all personally identifiable information--including that obtained from so-called "public record" sources.

The irony is clear: On the one hand, CRA's provide an invaluable societal function that is inextricably tied to the ability to furnish and distribute personally identifiable information; on the other, the information CRA's must provide is slated for compelling and worrisome legal protections.

What, then, are the present legal issues? And what can you do to protect your business as well as the integrity of the data you must transmit? Knowing the answers to these questions can maintain your business's viability and prevent legal sanctions due to illicit distribution of personally identifiable information. The purpose of this article is to describe the current legal climate; future articles will relate possible upcoming legislation, and your immediate and long-range options in light of these realities.

What Federal standards are CRA's facing today? The comprehensive personal data privacy and security program:

Minimum standards are already in place for safeguarding the privacy and security of personally identifiable information. All indications demonstrate that these standards are being applied with increasing force and stringency as breaches of the public trust occur. Indeed, courts are siding with plaintiffs in case after case, in which personally identifiable information has been stolen, tampered with, or illicitly distributed.

The Federal standards applicable to CRA's are broad, sweeping, and of vast import to the entire CRA industry. The current laws state that CRA's must make best efforts and exercise care in the handling of personally identifiable information; however, planned legislation will require CRA’s to implement a comprehensive personal data privacy and security program that takes into account the assessment, management, and control of risks associated with all aspects of personally identifiable information use and transmission.

The required design features are likewise nebulous and encompassing. Indeed, the program must be designed to fulfill three over-arching, essential needs for the protection of personally identifiable information:
--The program must ensure the privacy, security, and confidentiality of personal electronic records;
--The program must protect against any anticipated vulnerabilities to the privacy, security, or integrity of personal electronic records; and
--The program must protect against unauthorized access to or use of personal electronic records that could result in substantial harm or inconvenience to any individual.

Risk assessment:

To protect against anticipated vulnerabilities as required by current FTC regulations and impending legislation, CRA's are mandated to undergo a risk assessment of these vulnerabilities. Here, legislation becomes a bit clearer. CRA's must identify reasonably foreseeable internal and external vulnerabilities that could result in unauthorized access, disclosure, use, or alteration of personally identifiable information or systems that contain such information. CRA's risk assessments must also take into account the likelihood of and potential damage from such breaches, and then must assess whether their policies, technologies, and safeguards are sufficient to control and minimize the risk of breach.

Risk management and control:

Simply put, you must control access to systems and facilities that contain personally identifiable information. This includes controls to authenticate and permit access only to authorized individuals, of course. But the controls must also detect actual and attempted fraudulent, unlawful, or unauthorized access, disclosure, use, or alteration of personally identifiable information--even if the persons committing the misdeeds are authorized to access the files. Finally, upcoming legislation indicates that you must use encryption or some other reasonable means to protect personally identifiable information as it is transmitted, stored, used, and disposed of.

Accountability:

Finally, the Federal government wants CRA's to publish, via website or other accessible format, the specifics of the CRA's personal data privacy and security program. As with all other aspects of your program, it is expected that the description of your program will not compromise data security or privacy.

How is the law applied? Or, Self-govern before you get governed:

At present, the Federal standards have been applied in several public cases, the results of which have strongly favored the plaintiffs whose information had not been adequately protected. In essence, it appears that how much your company needs to do to protect personally identifiable information--and hence your business's existence--depends on what others within the industry are doing. And it's not just companies that suffer data breaches that should be concerned; those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC's crosshairs (ComputerWorld).

Moreover, the courts tend to apply a 'reasonable person' standard, asking what best supports the good of society, to decide whether a CRA has done enough to protect personally identifiable information. For example, many people today understand that if they leave their personal information in the open and unprotected, it is likely someone will take it and use it. Therefore, they want to be assured that third-party entities, i.e., CRA's, do not leave their personal information unprotected and easily accessed by inappropriate persons.

Thus, to the degree your company does less, you incur potential liability.

To conclude, all signs indicate that the present laws are being more stringently applied, and that HIPAA-type legislation is on its way in the background screening industry. Although these changes may ultimately enhance both private business and the public good, navigating this loamy terrain may prove difficult initially. Future articles will assert what, specifically, you may do to succeed in conforming to both the letter and the spirit of the law.

Ultimately, your success will rest on this premise: Self-govern, before you get governed.

About Vincera, Inc
Vincera, Inc. is the business process improvement company whose software monitors businesses' end-user web-based activity, subsequently delivering predictive analytics that enable businesses to retain and upsell existing customers. Uniquely, Vincera's software also allows their clients to track and manage the distribution of intellectual property and content that contains personally identifiable information in a process Vincera labels "business friendly distribution," because businesses are in charge of how they use the resulting information. Vincera is the only software company that combines three vital business process improvement services--predictive analytics, behavioral monitoring, and information distribution technology--in one software tool.
Vincera's clients include research publications, background screeners, healthcare industries, and other businesses that use web-based technology. Vincera's clients share a need to track and predict how their own customers are using their licensed software products or other intellectual property, as a revenue-generating sales tool for acquiring, retaining, and upselling customers; and/or to guard intellectual property and personally identifiable information.

For more information, please visit: www.Vincera.com