BILL ANALYSIS �
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session
SB 909 (Wright)
As Amended March 8, 2010
Hearing Date: May 4, 2010
Fiscal: No
Urgency: No
TW:jd
SUBJECT
Investigative Consumer Reporting Agencies: Disclosures
DESCRIPTION
This bill would require investigative consumer reporting
agencies to disclose, as specified, to a consumer that the
consumer's personal information may be sent offshore for the
preparation of employment background screening reports. This
bill also would require investigative consumer reporting
agencies to post a privacy protection policy on their Web site,
as specified. This bill also would provide consumers with a
remedy if they are harmed when their information is sent
offshore, as specified.
BACKGROUND
When a California resident applies for a job, there is typically
a pre-employment background check. The form that is filled out
includes name, date of birth, and social security number. With
the increase of U.S. companies contracting for off-shore
services, there is a substantial likelihood that the applicant's
personally identifiable information ends up offshore, beyond
U.S. privacy law, in a foreign call center or data processing
location where there is little, if any, privacy protection.
Studies show that off-shoring is a substantial risk to U.S.
privacy and data security. A report prepared by the Federal
Deposit Insurance Corporation (FDIC) indicated that the overall
risk to privacy data is highest when a domestic third-party
vendor subcontracts its financial institution work overseas.
(more)
�
SB 909 (Wright)
PageB of?
(Federal Deposit Insurance Corporation, Offshore Outsourcing of
Data Services by Insured Institutions and Associated Consumer
Privacy Risks, June 2004
( http://www.fdic.gov/regulations/examinations/offshore/offshore_
outsourcing_06-04-04.pdf ).) Similarly, when U.S. businesses
send personal consumer information offshore for the purpose of
conducting an employment background check, the personally
identifiable information of California residents is at high risk
for being exploited.
In 1975, the Legislature enacted the Investigative Consumer
Reporting Agencies Act (the Act) which regulates consumer
background checks. (AB 601 (Lewis, Ch. 1272, Stats. 1975).) In
2002, AB 655 (Wright, Ch. 354, Stats. 2001) significantly
overhauled the Act and increased consumer protection with regard
to employment background checks. SB 1451 (Figueroa, 2004)
sought to prevent the sharing of private information and to
create liability for the misuse of private information, as
specified. SB 1451 applied to all privacy laws, including those
found under the California Medical Sharing Act (CMIA) and the
California Financial Information Privacy Act (CFIPA). The CMIA
and CFIPA provide privacy regulations but each act has its own
violations and exceptions. The provisions of these acts could
have conflicted with each other under the broad umbrella of
SB1451. SB 1451 was vetoed by the governor for this reason.
Federal legislation addressing offshore violations of private
information is pending.
This bill, sponsored by Employment Screening Services, Inc. and
Imperative Information Group, only applies to investigative
consumer reporting agencies and focuses on providing consumer
protection against companies sending the consumer's personal
information overseas for the preparation of employment screening
reports.
CHANGES TO EXISTING LAW
Existing law regulates the preparation and use of investigative
consumer reports. (Civ. Code Sec. 1786 et seq.)
Existing law requires that the person seeking an investigative
consumer report for employment purposes must disclose
information, as specified, regarding the preparation of the
report. (Civ. Code Sec. 1786.16(2).)
�
SB 909 (Wright)
PageC of?
Existing law requires investigative consumer reporting agencies
to maintain procedures designed to avoid violations of Civil
Code Section 1786.18 and make certifications as required under
Civil Code Section 1786.16. (Civ. Code Sec. 1786.20.)
Existing law provides the liability structure for an
investigative consumer reporting agency or employer that
violates the Act. (Civ. Code Sec. 1786.50.)
This bill would require the investigative consumer reporting
agency subcontracting to an offshore company for the purpose of
running an employment background check to disclose to the job
applicant the following information:
(1) the country or countries where the report, or
portion thereof, is being prepared or processed;
(2) the specific information about the consumer that is
being transmitted or transferred outside of the United
States or its territories;
(3) a hyperlink to the investigative consumer reporting
agency's privacy protection policy;
(4) contact information, including an e-mail address
and a telephone number, of a representative of the
investigative consumer reporting agency who can assist a
consumer who is concerned that his or her information has
been compromised as a result of being prepared or processed
outside of the Untied States or its territories; and
(5) a description of the appropriate process for
remedying a case of identity theft in the jurisdiction
where the consumer resides, including the telephone number
and mailing address of any agency responsible for consumer
protection locally and nationally.
This bill would require the employer and/or investigative
�
SB 909 (Wright)
PageD of?
consumer reporting agency to obtain the job applicant's written
consent for private information to be sent to an offshore
company for the purpose of running an employment background
check.
This bill would provide that an investigative consumer reporting
agency shall be liable to a consumer who is the subject of a
report in the event that the consumer is harmed by any act or
omission that occurs outside the United States or its
territories as a result of the investigative consumer reporting
agency preparing or processing an investigative consumer report,
or portion thereof, outside of the United States or its
territories.
This bill would require the investigative consumer reporting
agency contracting with offshore companies to prepare a privacy
policy and post it on an Internet Web site.
This bill would provide that the investigative consumer
reporting agency shall not disclose the consumer's social
security number, except for the last four digits.
COMMENT
1. Stated need for the bill
The author writes:
Since AB 655, there has been a significant change that was not
anticipated in 2002 - that large players in the screening
industry would [undergo] a fundamental shift in business
practices and shift their operations off-shore, to locations
such as India and the Philippines. That means that personal
and identifiable information (PII) is sent off shore in bulk
beyond the protection of the U.S. and California privacy laws
to places where data protection and privacy is much more
limited, effectively undermining the privacy protections
anticipated in 2002. . . .
This bill is limited to just Investigative Consumer Reporting
Agencies. Although other industries may off shore as well, an
�
SB 909 (Wright)
PageE of?
Investigative Consumer Report directly impacts the ability of
a consumer to obtain employment and earn a livelihood, and
therefore a consumer has no choice but to give potential
employers PII. This bill is not anti-off shoring, but is
meant to promote privacy and data protection. It is also a
disclosure bill and not a regulation bill and therefore has no
financial burden on the State of California. Remedies for
violation of this bill would be part of the existing structure
for private remedies already contained in California law under
Civil Code Section 1786.50.
Privacy Rights Clearinghouse (PRC), a supporter of the bill,
notes that this bill has a very narrow focus and only requires
disclosures to California residents when their information is
being sent offshore as part of an employment background
screening. According to PRC:
California has led the way in preventing the misuse of
personally identifiable information in order to fight the
rising tide of identity theft. Unfortunately, all protections
cease to exist once information leaves the United States.
Many places where information may be sent have very little
privacy protection. In addition, American consumers have
virtually no ability to enforce their privacy rights overseas.
In many [countries], there is little access to courts and it
is extremely difficult for an American consumer to contact a
foreign police department to lodge a complaint or to obtain
assistance. The lack of any meaningful protection once U.S.
data is sent offshore is a major gap in [the] effort to combat
identity theft and to protect privacy.
2. California's residents need additional protection from
overseas identity theft
Since the Act was enacted in 1975, U.S. companies have changed
the way in which they do business. Not only are more and more
companies relying on background checks to screen prospective
applicants, but more and more companies are transacting business
globally. Opponents of this bill claim that California laws
already contain robust protections for personally identifiable
information. Indeed, the 2002 amendments to the Act completely
restructured the requirements of investigative consumer
reporting agencies regarding consumer privacy protection. But
as reported over the past 5 years in numerous articles around
the globe, globalization has made U.S. laws less effective to
�
SB 909 (Wright)
PageF of?
protect consumers. <1>
This bill would address consumer privacy issues raised by
globalization. By requiring employers to disclose to
prospective job applicants that the applicant's private
information may be transmitted to a source outside of the U.S.,
the applicant would be aware that their information is being
reviewed by entities outside their prospective employer and
outside the U.S. As required by this bill, disclosure of
contact information of the investigative consumer reporting
agencies will help California job applicants trace security
breaches in the event of identity theft.
Opponents of the bill argue that the disclosure language
required by this bill "creates the false threat that the
individual's personal information is somehow jeopardized, if an
investigative report is prepared, stored or processed outside of
the United States" and will limit the employer's ability to
conduct an employment screening. The sponsors of this bill
counter-argue that "[i]f the applicant is not told their
information could be sent out of the US, then they have a false
sense of security that their information IS staying in the US
and that the US and California laws will be there to protect
them. As we know, they would not." As world-wide markets have
experienced, misuse of personally identifiable information is
rampant and identity theft is a very real threat. Requiring an
employer to disclose to whom they are releasing the applicant's
personally identifiable information is appropriate under these
circumstances.
3. Domestic investigative consumer reporting agencies contract
for offshore reporting preparation and should be held
accountable for this type of principal/agent relationship
---------------------------
<1> See Alan Little, Overseas credit card scam exposed, BBC
News, March 19, 2009, http://
news.bbc.co.uk/2/hi/uk_news/7953401.stm ; David Lazarus, Slipping
out of our grasp, San Francisco Chronicle, April 9, 2004,
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/ 04/09/
BUGOI62GAI1.DTL ; Andy McCue, Indian Call Center Staff Sold Data,
TV show says, CNET News, October 5, 2006,
http://news.cnet.com/Indian-call-center-staff-sold-data,-TV-show-
says/2100-7348_3-6123067.html ; John Oates, Indian call centre
staff nicked for fraud, The Register, April 11, 2005,
http://www.theregister.co.uk/2005/04/11/india_callcentre_fraud_ar
rests/print.html .
�
SB 909 (Wright)
PageG of?
If a job applicant is harmed by the release of personally
identifiable information, existing law provides a cause of
action and remedy under U.S. law against the investigative
reporting agency. The job applicant could then attempt to
locate the offshore investigative reporting agency and try to
hold it responsible for misuse of personally identifiable
information. However, the applicant's ability to locate the
offshore investigative reporting agency is likely insurmountable
under existing law. The applicant has no information from the
domestic investigative reporting agency about which offshore
entity ran the report and foreign laws can make it difficult for
the applicant to pursue a claim. Further, because of varying
facts as applied to California's long-arm statutes and federal
preemption laws, California courts may be unable to assert
jurisdiction over the offshore agency.
This bill will provide consumers with the ability to hold
domestic investigative reporting agencies responsible for bad
conduct by the offshore entities with which the domestic company
is doing business. Since the domestic investigative reporting
agency contracts with the offshore entity to perform the
investigative reports, the domestic agency holds the privity
with the offshore entity. If a harmed consumer later brings an
action, the domestic investigative reporting agency could bring
their offshore reporting entity into the claim, and the harmed
job applicant will not have to separately pursue the offshore
entity.
Further, federal legislation is already attempting to protect
U.S. residents from the misuse of private information. The
sponsors of this bill note that "SB909, if anything, could start
to get these [offshore] countries to enact their own laws to
protect our data. We should not be concerned with the fact that
[employers] may worry about this bill, instead we need to
continue to concentrate on the Privacy Rights of California and
US citizens." Thus, it is appropriate, the author argues, to
provide California consumers with a specific right of action
against which to hold domestic investigative reporting agencies
for mishandling private information once it is sent offshore.
4. The argument that employers will cease hiring Californians
due to the stringent requirements of this bill is unsupported
Opponent LexisNexis argues that "prudent employers seeking to
conduct background checks on potential employees may avoid
hiring in California altogether and look to other states for
�
SB 909 (Wright)
PageH of?
qualified employees, rather than risk running afoul of SB 909's
provisions." However, opponents have provided no information
that any company will be so adversely affected by being required
to disclose offshore background screening procedures that it
will think twice before screening and hiring California job
applicants. The 2002 revisions to the Act completely overhauled
the investigative reporting system locally and nationally.
There is no evidence that employers ceased hiring individuals in
California to avoid the stringent regulations after the 2002
revisions. Yet this bill only adds one additional piece of
paper to be supplied to the job applicant and one Web site
posting. No evidence exists that companies will cease hiring in
California due to the provisions required by this bill.
5. This bill does not discriminate against offshore companies
and therefore does not demonstrate suspicion and distrust
against foreign companies
Another argument by LexisNexis is that this bill "sends the
wrong protectionist message to countries doing business in
California . . . . [T]his legislation regards California's
international trade partners with suspicion and distrust."
However, given the globalization of today's international
markets and the potential for misuse or unauthorized use of
personally identifiable information, even U.S. companies fall
under suspicion. This bill does not single out offshore
companies for privacy violations but rather further holds
domestic companies responsible for the proper handling of
private information.
It is important to note that employers pay investigative
reporting agencies to take private information and prepare
background screening reports. If these investigative reporting
agencies are utilizing offshore services that could be breached
by identity thieves, these agencies should be held accountable
for any breach of private information with which they have been
entrusted. Such is the cost of doing business offshore. This
bill is sufficiently narrow to apply only to investigative
reporting agencies and the channels through which these agencies
prepare the reports for which they are paid.
6. This bill is aimed at bad actors, not bad technology
A final argument by LexisNexis is that this bill is
"overly-restrictive in that it applies to employment
�
SB 909 (Wright)
PageI of?
investigative reports prepared or processed in any manner
outside of the United States, with certain exceptions. SB 909
could apply to a myriad of innocuous circumstances which are
ordinary components of working in a global society." (Emphasis
in original.) The sponsors agree that this bill could be
misinterpreted as applying to offshore servers if these servers
held any private information used in the preparation of
employment screening reports. The sponsors' goal is to hold
people responsible for privacy information violations, not
undermine developing technologies. For this reason, the author
would like to make the following amendments:
Suggested Amendments :
(1) On page 4, line 13, after "requested" insert ", or was
sent outside of the United State or its Territories solely
for the purpose of transmitting or storing data".
(2) On page 7, line 28, after "requested" insert ", or was
sent outside of the United State or its Territories solely
for the purpose of transmitting or storing data".
Narrowing the bill in this way, while necessary to apply this
bill to bad actors and not bad technology, could create a
potential loophole for entities that transmit, process, and
store offshore and would not hold companies liable for failing
to ensure reasonable transmission and storage procedures of
personally identifiable information. For this reason, the
author has agreed to the following amendments:
Suggested Amendments :
(1) On page 6, between lines 25 and 26 insert "(e) An
investigative consumer reporting agency that prepares or
processes in any manner an investigative consumer report,
or any portion thereof, outside of the United States or its
territories shall comply with Sections 1798.81.5 and
1798.82."
(2) On page 6, line 26 strike "(e)" and insert "(f)".
7. Online posting of privacy protection policy should be
clarified
The current language of the bill is vague with respect to online
�
SB 909 (Wright)
PageJ of?
posting of the investigative consumer reporting agency's privacy
policy. Under the bill, the investigative consumer reporting
agency would be required only to publish their privacy
protection policy on "an Internet Web site." This bill should
provide that the investigative consumer reporting agency must
post the privacy protection policy in accordance with the
Internet privacy requirements contained in the Business and
Professions Code. Further, the investigative consumer reporting
agency should be required to provide the name and mailing
address of the representative who can assist a consumer who is
concerned that his or her information has been compromised as a
result of being prepared or processed outside of the United
States or its territories. Accordingly, the author has agreed
to the following amendments:
Suggested Amendments :
(1) On page 6, line 24 strike "publish" and insert
"conspicuously post, as defined under subdivisions (1)
through (4) of subsection (b) of Section 22577 of the
Business and Professions Code,".
(2) On page 7, line 4 strike "an email address and a" and
insert "a name, mailing address, email address, and".
(1) On page 7, line 8 strike "Untied" and insert "United".
Support : Accucheck, Inc.; All Background & People Checks;
Alliance 2020; AmericanChecked, Inc.; Applicant Insight, Inc.;
APSCREEN, Inc.; Ascertain Screening and Investigations;
Background Profiles; Baxter Research, Inc.; C3 Intelligence,
Inc.; ConcernedCRAs; Data Access Inc.; DDS, Inc.;
easyBackgrounds, Inc.; EmployeeScreenIQ; Frasco Profiles;
KnowMyHire.com; National Application Processing & Screening,
Inc.; PreCheck, Inc.; Pre-Employment, Inc.; Privacy Rights
Clearinghouse; Proforma Screening Solutions; Verifications
Opposition : Acxiom; Association of California Life and Health
Insurance Companies; California Chamber of Commerce; California
Retailers Association; First American Corporation; Reed Elsevier
Inc./LexisNexis
HISTORY
Source : Employment Screening Services, Inc.; Imperative
�
SB 909 (Wright)
PageK of?
Information Group
Related Pending Federal Legislation : H.R. 427 (Poe, 2009)
(Notify Americans Before Outsourcing Personal Information Act)
would prohibit businesses from transferring personal information
of a U.S. citizen to any foreign affiliate or subcontractor in
another country without providing notice to such citizen that
the information may be transferred to such affiliate or
subcontractor. This bill also would authorize a private cause
of action in a state court to enforce compliance with this Act.
This bill is currently in the Subcommittee on House Financial
Services.
Prior Legislation :
SB 1451 (Figueroa, 2004) would have created civil liabilities
for the unlawful disclosure of private information, as defined.
This bill passed this Committee with a vote of 4 to 3 and was
subsequently vetoed.
AB 2868 (Wright, Ch. 1029, Stats. 2002), among other things,
changed the requirement regarding the retention of an
investigative consumer report from three years to two years.
AB 1068 (Wright, Ch. 1030, Stats. 2002), among other things,
required the employer requesting the background screening report
to obtain the prospective employee's written consent.
AB 655 (Wright, Ch. 354, Stats. 2001) (See Background.)
AB 2462 (Wright, 2000), among other things, would have expanded
the remedies and sanctions available to victims of identity
theft. This bill died in this Committee.
AB 601, (Lewis, Ch. 1272, Stats. 1975) (See Background.)
**************