Applicants readily entrust their Personal Identifying Information (PII) to background screening firms under the assumption it will remain secure. And indeed it does—to the degree it remains within the immediate control of that firm.
However, data security often deteriorates the moment a routine county background check is, of necessity, requested from the firm's national, regional or in-court wholesale research providers.
National and some regional providers may also secure PII—but again this security
degrades or altogether evaporates the moment those search requests are further
outsourced to many of the thousands of in-court research providers across the
country—the majority of whom are so far removed from formal efforts to
professionalize their industry that they remain unaware of or
uninterested in the industry-critical standards established on their behalf,
including those pertaining to the secure transmission, handling, storage and disposition of consumer PII.
To compound matters, certain commoditizing factors have insinuated themselves
into the screening industry, increasingly placing the more professional
research providers into "competition" with less professional providers, who are not so
inclined to invest the time, energy and expense required in complying with
industry-critical provider standards.
For instance, today third-party programs
exist that profit to the extent they head-hunt and
promote the cheapest researchers available in any given jurisdiction. Fostering
healthy competition is one thing. Aggressively promoting and rewarding "cut-rate"
providers who are disinclined or cannot afford to even minimally comply with
industry-critical standards is another matter.
In view of the fact that the only
real barrier to entry is having a shingle to hang out, this factor of unprofessionalism and data insecurity
within the Provider Sector could potentially represent an Achilles heel for the
screening industry.
One immediate solution would be to simply begin requiring research providers to demonstrate compliance with
current industry-critical provider standards.
A professional provider, for instance, should minimally be able to:
- Produce a written description of their default search product—i.e., what
you can expect them to do in response to a routine search request;
- Evidence any permits or licensures required to operate a
business in their jurisdiction;
- Produce their written plan to protect PII;
- Evidence background checks on all administrative staff and/or researchers with access to PII;
- Minimally evidence that all PII is securely transported, transmitted,
retained and discarded (photographs, certificates of destruction, et
cetera);
- Evidence a working grasp of Provider Standards (NAPBS-issued
certificates for passing available Guidelines Exams).
This would require some professional effort on the part of providers—but no more
so than what their clients commonly exert in complying with
industry standards or basically securing PII entrusted to their possession.
So long as actual evidence is required, this simple measure could serve to
differentiate the more professional providers, help further professionalize the
Provider Sector and improve industry-critical data security.