BILL ANALYSIS                                                                                                                                                                                                    






                             SENATE JUDICIARY COMMITTEE
                           Senator Ellen M. Corbett, Chair
                              2009-2010 Regular Session


          SB 909 (Wright)
          As Amended March 8, 2010
          Hearing Date: May 4, 2010
          Fiscal: No
          Urgency: No
          TW:jd
                    

                                        SUBJECT
                                           
               Investigative Consumer Reporting Agencies:  Disclosures

                                      DESCRIPTION  

          This bill would require investigative consumer reporting  
          agencies to disclose, as specified, to a consumer that the  
          consumer's personal information may be sent offshore for the  
          preparation of employment background screening reports.  This  
          bill also would require investigative consumer reporting  
          agencies to post a privacy protection policy on their Web site,  
          as specified.  This bill also would provide consumers with a  
          remedy if they are harmed when their information is sent  
          offshore, as specified. 

                                      BACKGROUND  

          When a California resident applies for a job, there is typically  
          a pre-employment background check.  The form that is filled out  
          includes name, date of birth, and social security number.  With  
          the increase of U.S. companies contracting for off-shore  
          services, there is a substantial likelihood that the applicant's  
          personally identifiable information ends up offshore, beyond  
          U.S. privacy law, in a foreign call center or data processing  
          location where there is little, if any, privacy protection.  

          Studies show that off-shoring is a substantial risk to U.S.  
          privacy and data security.  A report prepared by the Federal  
          Deposit Insurance Corporation (FDIC) indicated that the overall  
          risk to privacy data is highest when a domestic third-party  
          vendor subcontracts its financial institution work overseas.   

                                                                (more)




          SB 909 (Wright)
          PageB of?


          (Federal Deposit Insurance Corporation, Offshore Outsourcing of  
          Data Services by Insured Institutions and Associated Consumer  
          Privacy Risks, June 2004  
          (  http://www.fdic.gov/regulations/examinations/offshore/offshore_
          outsourcing_06-04-04.pdf  ).)  Similarly, when U.S. businesses  
          send personal consumer information offshore for the purpose of  
          conducting an employment background check, the personally  
          identifiable information of California residents is at high risk  
          for being exploited.  
           
          In 1975, the Legislature enacted the Investigative Consumer  
          Reporting Agencies Act (the Act) which regulates consumer  
          background checks.  (AB 601 (Lewis, Ch. 1272, Stats. 1975).)  In  
          2002, AB 655 (Wright, Ch. 354, Stats. 2001) significantly  
          overhauled the Act and increased consumer protection with regard  
          to employment background checks.  SB 1451 (Figueroa, 2004)  
          sought to prevent the sharing of private information and to  
          create liability for the misuse of private information, as  
          specified.  SB 1451 applied to all privacy laws, including those  
          found under the California Medical Sharing Act (CMIA) and the  
          California Financial Information Privacy Act (CFIPA).  The CMIA  
          and CFIPA provide privacy regulations but each act has its own  
          violations and exceptions.  The provisions of these acts could  
          have conflicted with each other under the broad umbrella of  
          SB1451.  SB 1451 was vetoed by the governor for this reason.   
          Federal legislation addressing offshore violations of private  
          information is pending.

          This bill, sponsored by Employment Screening Services, Inc. and  
          Imperative Information Group, only applies to investigative  
          consumer reporting agencies and focuses on providing consumer  
          protection against companies sending the consumer's personal  
          information overseas for the preparation of employment screening  
          reports.  

                                CHANGES TO EXISTING LAW
           
           Existing law  regulates the preparation and use of investigative  
          consumer reports.  (Civ. Code Sec. 1786 et seq.)

           Existing law  requires that the person seeking an investigative  
          consumer report for employment purposes must disclose  
          information, as specified, regarding the preparation of the  
          report.  (Civ. Code Sec. 1786.16(2).)


                                                                      




          SB 909 (Wright)
          PageC of?


           Existing law  requires investigative consumer reporting agencies  
          to maintain procedures designed to avoid violations of Civil  
          Code Section 1786.18 and make certifications as required under  
          Civil Code Section 1786.16.  (Civ. Code Sec. 1786.20.)

           Existing law  provides the liability structure for an  
          investigative consumer reporting agency or employer that  
          violates the Act.  (Civ. Code Sec. 1786.50.)


           This bill  would require the investigative consumer reporting  
          agency subcontracting to an offshore company for the purpose of  
          running an employment background check to disclose to the job  
          applicant the following information:  


             (1)       the country or countries where the report, or  
               portion thereof, is being prepared or processed;


             (2)       the specific information about the consumer that is  
               being transmitted or transferred outside of the United  
               States or its territories;


             (3)       a hyperlink to the investigative consumer reporting  
               agency's privacy protection policy;


             (4)       contact information, including an e-mail address  
               and a telephone number, of a representative of the  
               investigative consumer reporting agency who can assist a  
               consumer who is concerned that his or her information has  
               been compromised as a result of being prepared or processed  
               outside of the Untied States or its territories; and


             (5)       a description of the appropriate process for  
               remedying a case of identity theft in the jurisdiction  
               where the consumer resides, including the telephone number  
               and mailing address of any agency responsible for consumer  
               protection locally and nationally.


           This bill  would require the employer and/or investigative  

                                                                      




          SB 909 (Wright)
          PageD of?


          consumer reporting agency to obtain the job applicant's written  
          consent for private information to be sent to an offshore  
          company for the purpose of running an employment background  
          check.


           This bill  would provide that an investigative consumer reporting  
          agency shall be liable to a consumer who is the subject of a  
          report in the event that the consumer is harmed by any act or  
          omission that occurs outside the United States or its  
          territories as a result of the investigative consumer reporting  
          agency preparing or processing an investigative consumer report,  
          or portion thereof, outside of the United States or its  
          territories.


           This bill  would require the investigative consumer reporting  
          agency contracting with offshore companies to prepare a privacy  
          policy and post it on an Internet Web site.


           This bill  would provide that the investigative consumer  
          reporting agency shall not disclose the consumer's social  
          security number, except for the last four digits.


                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
            Since AB 655, there has been a significant change that was not  
            anticipated in 2002 - that large players in the screening  
            industry would [undergo] a fundamental shift in business  
            practices and shift their operations off-shore, to locations  
            such as India and the Philippines.  That means that personal  
            and identifiable information (PII) is sent off shore in bulk  
            beyond the protection of the U.S. and California privacy laws  
            to places where data protection and privacy is much more  
            limited, effectively undermining the privacy protections  
            anticipated in 2002.  . . .  

            This bill is limited to just Investigative Consumer Reporting  
            Agencies.  Although other industries may off shore as well, an  

                                                                      




          SB 909 (Wright)
          PageE of?


            Investigative Consumer Report directly impacts the ability of  
            a consumer to obtain employment and earn a livelihood, and  
            therefore a consumer has no choice but to give potential  
            employers PII.  This bill is not anti-off shoring, but is  
            meant to promote privacy and data protection.  It is also a  
            disclosure bill and not a regulation bill and therefore has no  
            financial burden on the State of California.  Remedies for  
            violation of this bill would be part of the existing structure  
            for private remedies already contained in California law under  
            Civil Code Section 1786.50.

          Privacy Rights Clearinghouse (PRC), a supporter of the bill,  
          notes that this bill has a very narrow focus and only requires  
          disclosures to California residents when their information is  
          being sent offshore as part of an employment background  
          screening.  According to PRC:

            California has led the way in preventing the misuse of  
            personally identifiable information in order to fight the  
            rising tide of identity theft.  Unfortunately, all protections  
            cease to exist once information leaves the United States.   
            Many places where information may be sent have very little  
            privacy protection.  In addition, American consumers have  
            virtually no ability to enforce their privacy rights overseas.  
             In many [countries], there is little access to courts and it  
            is extremely difficult for an American consumer to contact a  
            foreign police department to lodge a complaint or to obtain  
            assistance.  The lack of any meaningful protection once U.S.  
            data is sent offshore is a major gap in [the] effort to combat  
            identity theft and to protect privacy.
          
          2.  California's residents need additional protection from  
            overseas identity theft  

          Since the Act was enacted in 1975, U.S. companies have changed  
          the way in which they do business.  Not only are more and more  
          companies relying on background checks to screen prospective  
          applicants, but more and more companies are transacting business  
          globally.  Opponents of this bill claim that California laws  
          already contain robust protections for personally identifiable  
          information.  Indeed, the 2002 amendments to the Act completely  
          restructured the requirements of investigative consumer  
          reporting agencies regarding consumer privacy protection.  But  
          as reported over the past 5 years in numerous articles around  
          the globe, globalization has made U.S. laws less effective to  

                                                                      




          SB 909 (Wright)
          PageF of?


          protect consumers. <1>

          This bill would address consumer privacy issues raised by  
          globalization.  By requiring employers to disclose to  
          prospective job applicants that the applicant's private  
          information may be transmitted to a source outside of the U.S.,  
          the applicant would be aware that their information is being  
          reviewed by entities outside their prospective employer and  
          outside the U.S.  As required by this bill, disclosure of  
          contact information of the investigative consumer reporting  
          agencies will help California job applicants trace security  
          breaches in the event of identity theft.  
          Opponents of the bill argue that the disclosure language  
          required by this bill "creates the false threat that the  
          individual's personal information is somehow jeopardized, if an  
          investigative report is prepared, stored or processed outside of  
          the United States" and will limit the employer's ability to  
          conduct an employment screening.  The sponsors of this bill  
          counter-argue that "[i]f the applicant is not told their  
          information could be sent out of the US, then they have a false  
          sense of security that their information IS staying in the US  
          and that the US and California laws will be there to protect  
          them.  As we know, they would not."  As world-wide markets have  
          experienced, misuse of personally identifiable information is  
          rampant and identity theft is a very real threat.  Requiring an  
          employer to disclose to whom they are releasing the applicant's  
          personally identifiable information is appropriate under these  
          circumstances.

          3.  Domestic investigative consumer reporting agencies contract  
            for offshore reporting preparation and should be held  
            accountable for this type of principal/agent relationship

          ---------------------------
          <1> See Alan Little, Overseas credit card scam exposed, BBC  
          News, March 19, 2009, http://  
          news.bbc.co.uk/2/hi/uk_news/7953401.stm  ; David Lazarus, Slipping  
          out of our grasp, San Francisco Chronicle, April 9, 2004,  
           http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/ 04/09/  
          BUGOI62GAI1.DTL  ; Andy McCue, Indian Call Center Staff Sold Data,  
          TV show says, CNET News, October 5, 2006,  
           http://news.cnet.com/Indian-call-center-staff-sold-data,-TV-show- 
          says/2100-7348_3-6123067.html  ; John Oates, Indian call centre  
          staff nicked for fraud, The Register, April 11, 2005,  
           http://www.theregister.co.uk/2005/04/11/india_callcentre_fraud_ar 
          rests/print.html  . 

                                                                      




          SB 909 (Wright)
          PageG of?


           If a job applicant is harmed by the release of personally  
          identifiable information, existing law provides a cause of  
          action and remedy under U.S. law against the investigative  
          reporting agency.  The job applicant could then attempt to  
          locate the offshore investigative reporting agency and try to  
          hold it responsible for misuse of personally identifiable  
          information.  However, the applicant's ability to locate the  
          offshore investigative reporting agency is likely insurmountable  
          under existing law.  The applicant has no information from the  
          domestic investigative reporting agency about which offshore  
          entity ran the report and foreign laws can make it difficult for  
          the applicant to pursue a claim.  Further, because of varying  
          facts as applied to California's long-arm statutes and federal  
          preemption laws, California courts may be unable to assert  
          jurisdiction over the offshore agency.

          This bill will provide consumers with the ability to hold  
          domestic investigative reporting agencies responsible for bad  
          conduct by the offshore entities with which the domestic company  
          is doing business.  Since the domestic investigative reporting  
          agency contracts with the offshore entity to perform the  
          investigative reports, the domestic agency holds the privity  
          with the offshore entity.   If a harmed consumer later brings an  
          action, the domestic investigative reporting agency could bring  
          their offshore reporting entity into the claim, and the harmed  
          job applicant will not have to separately pursue the offshore  
          entity.  

          Further, federal legislation is already attempting to protect  
          U.S. residents from the misuse of private information.  The  
          sponsors of this bill note that "SB909, if anything, could start  
          to get these [offshore] countries to enact their own laws to  
          protect our data.  We should not be concerned with the fact that  
          [employers] may worry about this bill, instead we need to  
          continue to concentrate on the Privacy Rights of California and  
          US citizens."  Thus, it is appropriate, the author argues, to  
          provide California consumers with a specific right of action  
          against which to hold domestic investigative reporting agencies  
          for mishandling private information once it is sent offshore.
          4.  The argument that employers will cease hiring Californians  
            due to the stringent requirements of this bill is unsupported
           
          Opponent LexisNexis argues that "prudent employers seeking to  
          conduct background checks on potential employees may avoid  
          hiring in California altogether and look to other states for  

                                                                      




          SB 909 (Wright)
          PageH of?


          qualified employees, rather than risk running afoul of SB 909's  
          provisions."  However, opponents have provided no information  
          that any company will be so adversely affected by being required  
          to disclose offshore background screening procedures that it  
          will think twice before screening and hiring California job  
          applicants.  The 2002 revisions to the Act completely overhauled  
          the investigative reporting system locally and nationally.   
          There is no evidence that employers ceased hiring individuals in  
          California to avoid the stringent regulations after the 2002  
          revisions.  Yet this bill only adds one additional piece of  
          paper to be supplied to the job applicant and one Web site  
          posting.  No evidence exists that companies will cease hiring in  
          California due to the provisions required by this bill. 

          5.  This bill does not discriminate against offshore companies  
            and therefore does not demonstrate suspicion and distrust  
            against foreign companies
           
          Another argument by LexisNexis is that this bill "sends the  
          wrong protectionist message to countries doing business in  
          California . . . . [T]his legislation regards California's  
          international trade partners with suspicion and distrust."   
          However, given the globalization of today's international  
          markets and the potential for misuse or unauthorized use of  
          personally identifiable information, even U.S. companies fall  
          under suspicion.  This bill does not single out offshore  
          companies for privacy violations but rather further holds  
          domestic companies responsible for the proper handling of  
          private information.

          It is important to note that employers pay investigative  
          reporting agencies to take private information and prepare  
          background screening reports.  If these investigative reporting  
          agencies are utilizing offshore services that could be breached  
          by identity thieves, these agencies should be held accountable  
          for any breach of private information with which they have been  
          entrusted.  Such is the cost of doing business offshore.   This  
          bill is sufficiently narrow to apply only to investigative  
          reporting agencies and the channels through which these agencies  
          prepare the reports for which they are paid.  

          6.  This bill is aimed at bad actors, not bad technology  

          A final argument by LexisNexis is that this bill is  
          "overly-restrictive in that it applies to employment  

                                                                      




          SB 909 (Wright)
          PageI of?


          investigative reports prepared or processed in any manner  
          outside of the United States, with certain exceptions.  SB 909  
          could apply to a myriad of innocuous circumstances which are  
          ordinary components of working in a global society."  (Emphasis  
          in original.)   The sponsors agree that this bill could be  
          misinterpreted as applying to offshore servers if these servers  
          held any private information used in the preparation of  
          employment screening reports.  The sponsors' goal is to hold  
          people responsible for privacy information violations, not  
          undermine developing technologies.  For this reason, the author  
          would like to make the following amendments:

             Suggested Amendments  :

             (1)  On page 4, line 13, after "requested" insert ", or was  
               sent outside of the United State or its Territories solely  
               for the purpose of transmitting or storing data".

             (2)  On page 7, line 28, after "requested" insert ", or was  
               sent outside of the United State or its Territories solely  
               for the purpose of transmitting or storing data".

          Narrowing the bill in this way, while necessary to apply this  
          bill to bad actors and not bad technology, could create a  
          potential loophole for entities that transmit, process, and  
          store offshore and would not hold companies liable for failing  
          to ensure reasonable transmission and storage procedures of  
          personally identifiable information.  For this reason, the  
          author has agreed to the following amendments:

             Suggested Amendments  :

             (1)  On page 6, between lines 25 and 26 insert "(e) An  
               investigative consumer reporting agency that prepares or  
               processes in any manner an investigative consumer report,  
               or any portion thereof, outside of the United States or its  
               territories shall comply with Sections 1798.81.5 and  
               1798.82."

             (2)  On page 6, line 26 strike "(e)" and insert "(f)".

          7.  Online posting of privacy protection policy should be  
          clarified

           The current language of the bill is vague with respect to online  

                                                                      




          SB 909 (Wright)
          PageJ of?


          posting of the investigative consumer reporting agency's privacy  
          policy.  Under the bill, the investigative consumer reporting  
          agency would be required only to publish their privacy  
          protection policy on "an Internet Web site."  This bill should  
          provide that the investigative consumer reporting agency must  
          post the privacy protection policy in accordance with the  
          Internet privacy requirements contained in the Business and  
          Professions Code.  Further, the investigative consumer reporting  
          agency should be required to provide the name and mailing  
          address of the representative who can assist a consumer who is  
          concerned that his or her information has been compromised as a  
          result of being prepared or processed outside of the United  
          States or its territories.  Accordingly, the author has agreed  
          to the following amendments:

             Suggested Amendments  :

             (1)  On page 6, line 24 strike "publish" and insert  
               "conspicuously post, as defined under subdivisions (1)  
               through (4) of subsection (b) of Section 22577 of the  
               Business and Professions Code,".
             (2)  On page 7, line 4 strike "an email address and a" and  
               insert "a name, mailing address, email address, and".

             (1)  On page 7, line 8 strike "Untied" and insert "United".


           Support  :  Accucheck, Inc.; All Background & People Checks;  
          Alliance 2020; AmericanChecked, Inc.; Applicant Insight, Inc.;  
          APSCREEN, Inc.; Ascertain Screening and Investigations;  
          Background Profiles; Baxter Research, Inc.; C3 Intelligence,  
          Inc.; ConcernedCRAs; Data Access Inc.; DDS, Inc.;  
          easyBackgrounds, Inc.; EmployeeScreenIQ; Frasco Profiles;  
          KnowMyHire.com; National Application Processing & Screening,  
          Inc.; PreCheck, Inc.; Pre-Employment, Inc.; Privacy Rights  
          Clearinghouse; Proforma Screening Solutions; Verifications

           Opposition  :  Acxiom; Association of California Life and Health  
          Insurance Companies; California Chamber of Commerce; California  
          Retailers Association; First American Corporation; Reed Elsevier  
          Inc./LexisNexis

                                        HISTORY
           
           Source  :  Employment Screening Services, Inc.; Imperative  
                                            
                                                                      




          SB 909 (Wright)
          PageK of?


          Information Group

           Related Pending Federal Legislation  :  H.R. 427 (Poe, 2009)  
          (Notify Americans Before Outsourcing Personal Information Act)  
          would prohibit businesses from transferring personal information  
          of a U.S. citizen to any foreign affiliate or subcontractor in  
          another country without providing notice to such citizen that  
          the information may be transferred to such affiliate or  
          subcontractor.  This bill also would authorize a private cause  
          of action in a state court to enforce compliance with this Act.   
          This bill is currently in the Subcommittee on House Financial  
          Services.

           Prior Legislation  :

          SB 1451 (Figueroa, 2004) would have created civil liabilities  
          for the unlawful disclosure of private information, as defined.   
          This bill passed this Committee with a vote of 4 to 3 and was  
          subsequently vetoed.

          AB 2868 (Wright, Ch. 1029, Stats. 2002), among other things,  
          changed the requirement regarding the retention of an  
          investigative consumer report from three years to two years.  

          AB 1068 (Wright, Ch. 1030, Stats. 2002), among other things,  
          required the employer requesting the background screening report  
          to obtain the prospective employee's written consent.

          AB 655 (Wright, Ch. 354, Stats. 2001) (See Background.)

          AB 2462 (Wright, 2000), among other things, would have expanded  
          the remedies and sanctions available to victims of identity  
          theft.  This bill died in this Committee.

          AB 601, (Lewis, Ch. 1272, Stats. 1975) (See Background.)
                                          
                                   **************