BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session

SB 909 (Wright)
As Amended March 8, 2010
Hearing Date: May 4, 2010
Fiscal: No
Urgency: No
TW:jd

SUBJECT

Investigative Consumer Reporting Agencies: Disclosures

DESCRIPTION

This bill would require investigative consumer reporting agencies to disclose, as specified, to a consumer that the consumer's personal information may be sent offshore for the preparation of employment background screening reports. This bill also would require investigative consumer reporting agencies to post a privacy protection policy on their Web site, as specified. This bill also would provide consumers with a remedy if they are harmed when their information is sent offshore, as specified.

BACKGROUND

When a California resident applies for a job, there is typically a pre-employment background check. The form that is filled out includes name, date of birth, and social security number. With the increase of U.S. companies contracting for off-shore services, there is a substantial likelihood that the applicant's personally identifiable information ends up offshore, beyond U.S. privacy law, in a foreign call center or data processing location where there is little, if any, privacy protection.

Studies show that off-shoring is a substantial risk to U.S. privacy and data security. A report prepared by the Federal Deposit Insurance Corporation (FDIC) indicated that the overall risk to privacy data is highest when a domestic third-party vendor subcontracts its financial institution work overseas. (Federal Deposit Insurance Corporation, Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks, June 2004 ( http://www.fdic.gov/regulations/examinations/offshore/offshore_outsourcing_06-04-04.pdf ).) Similarly, when U.S.
businesses send personal consumer information offshore for the purpose of conducting an employment background check, the personally identifiable information of California residents is at high risk for being exploited.

In 1975, the Legislature enacted the Investigative Consumer Reporting Agencies Act (the Act) which regulates consumer background checks. (AB 601 (Lewis, Ch. 1272, Stats. 1975).) In 2002, AB 655 (Wright, Ch. 354, Stats. 2001) significantly overhauled the Act and increased consumer protection with regard to employment background checks.

SB 1451 (Figueroa, 2004) sought to prevent the sharing of private information and to create liability for the misuse of private information, as specified. SB 1451 applied to all privacy laws, including those found under the California Medical Sharing Act (CMIA) and the California Financial Information Privacy Act (CFIPA). The CMIA and CFIPA provide privacy regulations but each act has its own violations and exceptions. The provisions of these acts could have conflicted with each other under the broad umbrella of SB 1451. SB 1451 was vetoed by the governor for this reason. Federal legislation addressing offshore violations of private information is pending.

This bill, sponsored by Employment Screening Services, Inc. and Imperative Information Group, only applies to investigative consumer reporting agencies and focuses on providing consumer protection against companies sending the consumer's personal information overseas for the preparation of employment screening reports.

CHANGES TO EXISTING LAW

Existing law regulates the preparation and use of investigative consumer reports. (Civ. Code Sec. 1786 et seq.)

Existing law requires that the person seeking an investigative consumer report for employment purposes must disclose information, as specified, regarding the preparation of the report. (Civ. Code Sec. 1786.16(2).)
Existing law requires investigative consumer reporting agencies to maintain procedures designed to avoid violations of Civil Code Section 1786.18 and make certifications as required under Civil Code Section 1786.16. (Civ. Code Sec. 1786.20.)

Existing law provides the liability structure for an investigative consumer reporting agency or employer that violates the Act. (Civ. Code Sec. 1786.50.)

This bill would require the investigative consumer reporting agency subcontracting to an offshore company for the purpose of running an employment background check to disclose to the job applicant the following information:

(1) the country or countries where the report, or portion thereof, is being prepared or processed;

(2) the specific information about the consumer that is being transmitted or transferred outside of the United States or its territories;

(3) a hyperlink to the investigative consumer reporting agency's privacy protection policy;

(4) contact information, including an e-mail address and a telephone number, of a representative of the investigative consumer reporting agency who can assist a consumer who is concerned that his or her information has been compromised as a result of being prepared or processed outside of the Untied States or its territories; and

(5) a description of the appropriate process for remedying a case of identity theft in the jurisdiction where the consumer resides, including the telephone number and mailing address of any agency responsible for consumer protection locally and nationally.

This bill would require the employer and/or investigative consumer reporting agency to obtain the job applicant's written consent for private information to be sent to an offshore company for the purpose of running an employment background check.
This bill would provide that an investigative consumer reporting agency shall be liable to a consumer who is the subject of a report in the event that the consumer is harmed by any act or omission that occurs outside the United States or its territories as a result of the investigative consumer reporting agency preparing or processing an investigative consumer report, or portion thereof, outside of the United States or its territories.

This bill would require the investigative consumer reporting agency contracting with offshore companies to prepare a privacy policy and post it on an Internet Web site.

This bill would provide that the investigative consumer reporting agency shall not disclose the consumer's social security number, except for the last four digits.

COMMENT

1. Stated need for the bill

The author writes:

Since AB 655, there has been a significant change that was not anticipated in 2002 - that large players in the screening industry would [undergo] a fundamental shift in business practices and shift their operations off-shore, to locations such as India and the Philippines. That means that personal and identifiable information (PII) is sent off shore in bulk beyond the protection of the U.S. and California privacy laws to places where data protection and privacy is much more limited, effectively undermining the privacy protections anticipated in 2002. . . .

This bill is limited to just Investigative Consumer Reporting Agencies. Although other industries may off shore as well, an Investigative Consumer Report directly impacts the ability of a consumer to obtain employment and earn a livelihood, and therefore a consumer has no choice but to give potential employers PII.

This bill is not anti-off shoring, but is meant to promote privacy and data protection. It is also a disclosure bill and not a regulation bill and therefore has no financial burden on the State of California.
Remedies for violation of this bill would be part of the existing structure for private remedies already contained in California law under Civil Code Section 1786.50.

Privacy Rights Clearinghouse (PRC), a supporter of the bill, notes that this bill has a very narrow focus and only requires disclosures to California residents when their information is being sent offshore as part of an employment background screening. According to PRC:

California has led the way in preventing the misuse of personally identifiable information in order to fight the rising tide of identity theft. Unfortunately, all protections cease to exist once information leaves the United States. Many places where information may be sent have very little privacy protection. In addition, American consumers have virtually no ability to enforce their privacy rights overseas. In many [countries], there is little access to courts and it is extremely difficult for an American consumer to contact a foreign police department to lodge a complaint or to obtain assistance. The lack of any meaningful protection once U.S. data is sent offshore is a major gap in [the] effort to combat identity theft and to protect privacy.

2. California's residents need additional protection from overseas identity theft

Since the Act was enacted in 1975, U.S. companies have changed the way in which they do business. Not only are more and more companies relying on background checks to screen prospective applicants, but more and more companies are transacting business globally. Opponents of this bill claim that California laws already contain robust protections for personally identifiable information. Indeed, the 2002 amendments to the Act completely restructured the requirements of investigative consumer reporting agencies regarding consumer privacy protection. But as reported over the past 5 years in numerous articles around the globe, globalization has made U.S. laws less effective to protect consumers.
<1>

This bill would address consumer privacy issues raised by globalization. By requiring employers to disclose to prospective job applicants that the applicant's private information may be transmitted to a source outside of the U.S., the applicant would be aware that their information is being reviewed by entities outside their prospective employer and outside the U.S. As required by this bill, disclosure of contact information of the investigative consumer reporting agencies will help California job applicants trace security breaches in the event of identity theft.

Opponents of the bill argue that the disclosure language required by this bill "creates the false threat that the individual's personal information is somehow jeopardized, if an investigative report is prepared, stored or processed outside of the United States" and will limit the employer's ability to conduct an employment screening. The sponsors of this bill counter-argue that "[i]f the applicant is not told their information could be sent out of the US, then they have a false sense of security that their information IS staying in the US and that the US and California laws will be there to protect them. As we know, they would not."

As world-wide markets have experienced, misuse of personally identifiable information is rampant and identity theft is a very real threat. Requiring an employer to disclose to whom they are releasing the applicant's personally identifiable information is appropriate under these circumstances.

3.
Domestic investigative consumer reporting agencies contract for offshore reporting preparation and should be held accountable for this type of principal/agent relationship

---------------------------
<1> See Alan Little, Overseas credit card scam exposed, BBC News, March 19, 2009, http://news.bbc.co.uk/2/hi/uk_news/7953401.stm ; David Lazarus, Slipping out of our grasp, San Francisco Chronicle, April 9, 2004, http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/04/09/BUGOI62GAI1.DTL ; Andy McCue, Indian Call Center Staff Sold Data, TV show says, CNET News, October 5, 2006, http://news.cnet.com/Indian-call-center-staff-sold-data,-TV-show-says/2100-7348_3-6123067.html ; John Oates, Indian call centre staff nicked for fraud, The Register, April 11, 2005, http://www.theregister.co.uk/2005/04/11/india_callcentre_fraud_arrests/print.html .
---------------------------

If a job applicant is harmed by the release of personally identifiable information, existing law provides a cause of action and remedy under U.S. law against the investigative reporting agency. The job applicant could then attempt to locate the offshore investigative reporting agency and try to hold it responsible for misuse of personally identifiable information. However, the applicant's ability to locate the offshore investigative reporting agency is likely insurmountable under existing law. The applicant has no information from the domestic investigative reporting agency about which offshore entity ran the report and foreign laws can make it difficult for the applicant to pursue a claim. Further, because of varying facts as applied to California's long-arm statutes and federal preemption laws, California courts may be unable to assert jurisdiction over the offshore agency.

This bill will provide consumers with the ability to hold domestic investigative reporting agencies responsible for bad conduct by the offshore entities with which the domestic company is doing business.
Since the domestic investigative reporting agency contracts with the offshore entity to perform the investigative reports, the domestic agency holds the privity with the offshore entity. If a harmed consumer later brings an action, the domestic investigative reporting agency could bring their offshore reporting entity into the claim, and the harmed job applicant will not have to separately pursue the offshore entity.

Further, federal legislation is already attempting to protect U.S. residents from the misuse of private information. The sponsors of this bill note that "SB909, if anything, could start to get these [offshore] countries to enact their own laws to protect our data. We should not be concerned with the fact that [employers] may worry about this bill, instead we need to continue to concentrate on the Privacy Rights of California and US citizens." Thus, it is appropriate, the author argues, to provide California consumers with a specific right of action against which to hold domestic investigative reporting agencies for mishandling private information once it is sent offshore.

4. The argument that employers will cease hiring Californians due to the stringent requirements of this bill is unsupported

Opponent LexisNexis argues that "prudent employers seeking to conduct background checks on potential employees may avoid hiring in California altogether and look to other states for qualified employees, rather than risk running afoul of SB 909's provisions." However, opponents have provided no information that any company will be so adversely affected by being required to disclose offshore background screening procedures that it will think twice before screening and hiring California job applicants.

The 2002 revisions to the Act completely overhauled the investigative reporting system locally and nationally.
There is no evidence that employers ceased hiring individuals in California to avoid the stringent regulations after the 2002 revisions. Yet this bill only adds one additional piece of paper to be supplied to the job applicant and one Web site posting. No evidence exists that companies will cease hiring in California due to the provisions required by this bill.

5. This bill does not discriminate against offshore companies and therefore does not demonstrate suspicion and distrust against foreign companies

Another argument by LexisNexis is that this bill "sends the wrong protectionist message to countries doing business in California . . . . [T]his legislation regards California's international trade partners with suspicion and distrust." However, given the globalization of today's international markets and the potential for misuse or unauthorized use of personally identifiable information, even U.S. companies fall under suspicion. This bill does not single out offshore companies for privacy violations but rather further holds domestic companies responsible for the proper handling of private information.

It is important to note that employers pay investigative reporting agencies to take private information and prepare background screening reports. If these investigative reporting agencies are utilizing offshore services that could be breached by identity thieves, these agencies should be held accountable for any breach of private information with which they have been entrusted. Such is the cost of doing business offshore. This bill is sufficiently narrow to apply only to investigative reporting agencies and the channels through which these agencies prepare the reports for which they are paid.

6. This bill is aimed at bad actors, not bad technology

A final argument by LexisNexis is that this bill is "overly-restrictive in that it applies to employment
investigative reports prepared or processed in any manner outside of the United States, with certain exceptions. SB 909 could apply to a myriad of innocuous circumstances which are ordinary components of working in a global society." (Emphasis in original.)

The sponsors agree that this bill could be misinterpreted as applying to offshore servers if these servers held any private information used in the preparation of employment screening reports. The sponsors' goal is to hold people responsible for privacy information violations, not undermine developing technologies. For this reason, the author would like to make the following amendments:

Suggested Amendments:

(1) On page 4, line 13, after "requested" insert ", or was sent outside of the United State or its Territories solely for the purpose of transmitting or storing data".

(2) On page 7, line 28, after "requested" insert ", or was sent outside of the United State or its Territories solely for the purpose of transmitting or storing data".

Narrowing the bill in this way, while necessary to apply this bill to bad actors and not bad technology, could create a potential loophole for entities that transmit, process, and store offshore and would not hold companies liable for failing to ensure reasonable transmission and storage procedures of personally identifiable information. For this reason, the author has agreed to the following amendments:

Suggested Amendments:

(1) On page 6, between lines 25 and 26 insert "(e) An investigative consumer reporting agency that prepares or processes in any manner an investigative consumer report, or any portion thereof, outside of the United States or its territories shall comply with Sections 1798.81.5 and 1798.82."

(2) On page 6, line 26 strike "(e)" and insert "(f)".

7. Online posting of privacy protection policy should be clarified

The current language of the bill is vague with respect to online
posting of the investigative consumer reporting agency's privacy policy. Under the bill, the investigative consumer reporting agency would be required only to publish their privacy protection policy on "an Internet Web site." This bill should provide that the investigative consumer reporting agency must post the privacy protection policy in accordance with the Internet privacy requirements contained in the Business and Professions Code. Further, the investigative consumer reporting agency should be required to provide the name and mailing address of the representative who can assist a consumer who is concerned that his or her information has been compromised as a result of being prepared or processed outside of the United States or its territories. Accordingly, the author has agreed to the following amendments:

Suggested Amendments:

(1) On page 6, line 24 strike "publish" and insert "conspicuously post, as defined under subdivisions (1) through (4) of subsection (b) of Section 22577 of the Business and Professions Code,".

(2) On page 7, line 4 strike "an email address and a" and insert "a name, mailing address, email address, and".

(3) On page 7, line 8 strike "Untied" and insert "United".
Support: Accucheck, Inc.; All Background & People Checks; Alliance 2020; AmericanChecked, Inc.; Applicant Insight, Inc.; APSCREEN, Inc.; Ascertain Screening and Investigations; Background Profiles; Baxter Research, Inc.; C3 Intelligence, Inc.; ConcernedCRAs; Data Access Inc.; DDS, Inc.; easyBackgrounds, Inc.; EmployeeScreenIQ; Frasco Profiles; KnowMyHire.com; National Application Processing & Screening, Inc.; PreCheck, Inc.; Pre-Employment, Inc.; Privacy Rights Clearinghouse; Proforma Screening Solutions; Verifications

Opposition: Acxiom; Association of California Life and Health Insurance Companies; California Chamber of Commerce; California Retailers Association; First American Corporation; Reed Elsevier Inc./LexisNexis

HISTORY

Source: Employment Screening Services, Inc.; Imperative Information Group

Related Pending Federal Legislation: H.R. 427 (Poe, 2009) (Notify Americans Before Outsourcing Personal Information Act) would prohibit businesses from transferring personal information of a U.S. citizen to any foreign affiliate or subcontractor in another country without providing notice to such citizen that the information may be transferred to such affiliate or subcontractor. This bill also would authorize a private cause of action in a state court to enforce compliance with this Act. This bill is currently in the Subcommittee on House Financial Services.

Prior Legislation:

SB 1451 (Figueroa, 2004) would have created civil liabilities for the unlawful disclosure of private information, as defined. This bill passed this Committee with a vote of 4 to 3 and was subsequently vetoed.

AB 2868 (Wright, Ch. 1029, Stats. 2002), among other things, changed the requirement regarding the retention of an investigative consumer report from three years to two years.

AB 1068 (Wright, Ch. 1030, Stats. 2002), among other things, required the employer requesting the background screening report to obtain the prospective employee's written consent.
AB 655 (Wright, Ch. 354, Stats. 2001) (See Background.)

AB 2462 (Wright, 2000), among other things, would have expanded the remedies and sanctions available to victims of identity theft. This bill died in this Committee.

AB 601 (Lewis, Ch. 1272, Stats. 1975) (See Background.)