When a business conducts background checks, it does so to protect itself and others from potentially unsafe employees. Vetting also verifies identity and confirms the appropriate credentials. However, every business faces outside threats; the target is your computer system data. This information usually includes applicants’ and employees’ personal information. Best practices must guide your approach to protecting this information.
Personal information and related data is a valuable commodity. Hackers plunder digital databases and sell the contents on the dark web using tough-to-trace cryptocurrencies. It might sound like a dystopian science fiction movie, but it is a surprisingly common threat facing companies. Even the United States government has been a victim, as in 2015 when the Office of Personnel Management (OPM) lost tens of millions of sensitive records to a data breach.
Running background checks requires collecting vital information about applicants, such as their name, date of birth, and perhaps even address history. Resumes contain contact information for references and information about prior employers. Staff and applicant records might include Social Security numbers. All these facts are valuable commodities to exploiters who seek to engage in identity theft and social engineering for profit. Every company must safeguard this information.
In this paper, we consider balancing the need for background checks and privacy for applicant data. From creating a security foundation in your company’s culture to applying better technology and tools, there are accessible strategies for success in this area. Let’s examine how to create a framework for protecting sensitive data extracted from public and private records.
Establishing a Security Baseline
Security and data privacy must be the focus when obtaining accurate background check results. Otherwise, it is easy for cracks to develop where information can leak or be vulnerable to unauthorized access. Making safety a priority from the earliest stages of an applicant’s interaction with your business is critical. The job seeker might not notice these measures, but they will undoubtedly detect if you have to disclose mishandling their information.
Hosting applications online or using a mobile app is a popular choice. Such solutions let employers make the application process more accessible from more places and devices. They also provide a direct pipeline for populating your computer systems with applicant data. Such functionality is essential to the workflow for those who use an Applicant Tracking System (ATS). However, transmitting this information via the web can be risky for employers.
Consistently employing best-in-class data encryption on your web pages is fundamental. Be sure that your sites use the HTTPS protocol. Any pages where users can enter and process personal information should have this encryption. Otherwise, hackers could create man-in-the-middle-attacks that intercept sensitive data for nefarious purposes. Strong encryption layers are imperative, especially when collecting information such as Social Security numbers. Ensure that the destination servers or databases are also secure and not accessible by unauthorized users.
Require applicants to secure these accounts with strong passwords. Work with your IT team to ensure these passwords are never stored in plaintext or unencrypted. A hacker who often breaches a credentials database has an inroad towards other repositories of sensitive data, so close off this path with solid protections.
Online applications are a valuable tool for speeding up the hiring process. However, you must know their potential status as a risk factor for data leaks. Secure the way you collect and store personal applicant data.
Creating a Secure Atmosphere in Your Business
Security when you capture data is critical, but it isn’t the only place to apply encryption. Once an applicant’s data enters your computer network, you must safeguard it, especially when you order background checks. You may keep copies of the results in a candidate’s file during hiring. Mishandling this information could be damaging and violate the Fair Credit Reporting Act (FCRA).
Safeguarding information is crucial in transit between networks and when stored within your computer systems. Working with a background check provider that only uses strong encryption online is a safe start. You can trust that the private information about a candidate, such as their SSN or address history, remains private as it reaches you.
To protect data in your systems, you must apply strong encryption and robust passwords. As a best practice, it is wise to rotate passwords regularly. How often you rotate is a matter of preference, but some companies use 90 days as a rule of thumb before changing passwords. Ensure that only authorized human resources or management users can access personnel records.
Least Privilege
Another essential principle to use when protecting the personal information of applicants and employees is the rule of least privilege.
Least privilege refers to the level of access that any business user should have. No one should have additional levels of access or privilege beyond what is strictly necessary for someone to do their job. Any employee in the sales team, for example, shouldn’t be able to access the personnel records for the entire company. Not even everyone in HR should necessarily be able to view the information—only those directly involved in the hiring work.
This principle of least privilege is the most crucial rule to observe when handling background check information. These reports may contain sensitive or even potentially embarrassing details for individuals. Only those directly involved in evaluating candidates and making hiring decisions should see it. This rule helps prevent misuse of the data within your own company, not just from outside hackers.
Do not retain high-risk data for too long. Refer to the FCRA’s guidelines on record retention. Have a data security plan for securely destroying background check records as soon as you no longer need them. Retaining too many unnecessary records is a logistical problem and a security risk. Review your access control and privileging procedures while planning to safeguard data under your authority.
The Potential Impact of Data Regulations on Your Business
In such a challenging and complex threat environment, many governments have attempted to implement regulations to provide better controls. Many people are concerned about how companies store and handle their personal information. As a result, several significant laws have become effective worldwide in recent years. What are these regulations, and do they affect American employers engaging in the background check process?
The most buzz-worthy legislation is the General Data Protection Regulation (GDPR) from the European Union. The GDPR established broad new rights for individuals to control their data and created new expectations for how companies receive, handle and store the data of EU citizens. Companies must comply with the GDPR if they transact in the EU or interact with EU citizens.
That means many American companies must comply with the GDPR—but mainly on the consumer-facing side. The GDPR does not apply to American businesses for internal hiring processes unless they plan to hire internationally. That’s not the case for most SMBs. Even in the rare instances where it is applicable, the GDPR allows background checks. If you believe you are subject to this regulation because of overseas hiring efforts, you should consult with an attorney familiar with this area of law. Otherwise, you may follow your usual procedures.
The California Consumer Privacy Act (CCPA)
Another law may confuse some employers in one state. The California Consumer Privacy Act (CCPA) is a state-level extension of the Fair Credit Reporting Act. The CCPA establishes new regulations and procedures for how companies handle customers’ and employees’ private information.
However, shortly after enactment, the law received an amendment that carved out an exemption for background checks. As such, the CCPA does not impact how employers conduct background checks or store information. Instead, it requires employers to provide applicants with a disclosure document explaining what information the company collects, why they collect it, and who receives it.
No concrete legislation in the United States establishes rigorous guidelines for employee data storage and protection. It is up to employers to be proactive about protecting themselves. An active approach offers better value than a high-risk strategy when the adverse outcomes include everything from a PR disaster to identity theft.
Making HR a Center of Security of Compliance
Successfully controlling the security of private information in your possession begins and ends with Human Resources. The HR team is responsible for staff records and monitors the hiring process. As a result, it is essential to center your security culture on this department. Team members should clearly understand their responsibility to individual applicants and the business.
Instruct HR to develop the policies necessary for supporting data privacy. These should be comprehensive and detailed, considering everything from where you collect data to how long you store it. Where and how you will store the data is also important.
HR should also be responsible for training others in proper data protection practices. Hiring managers and interviewers should know how to prevent applicant data from reaching unsolicited viewers. Teams should know when to use encrypted communications and avoid sharing personal data in unsafe environments, such as using public email addresses.
Human Resources should also take the lead in periodically auditing your security practices concerning personal information. Are you retaining more than necessary? Is all the info properly secured and locked down? These are essential questions that regular audits can answer.
Empower Your Business to Protect Data Optimally
At a time when the number of threats and potential attack vectors continues to increase, data security and privacy must be a core focus for even small companies. The threat environment is unlikely to shrink or become less complex to manage. On the contrary, the rising threat of new types of malware and zero-day vulnerabilities means that even small businesses may have more risk exposure than expected. Security through obscurity is no longer sufficient—you must seek to prevent threats from reaching your data without delay.
Though regulations such as the GDPR and the CCPA may not apply directly to you, there are still lessons to learn about safeguarding data. Doing so protects your business from the potential effects of a data breach or a ransomware attack. Simultaneously, you can inspire confidence in applicants and employees by demonstrating a clear commitment to protecting their private data.
The appropriate screening partner makes a difference. Working with a background check provider lets you share compliance complexities and data protection responsibilities. A reputable provider works entirely in a secure environment and always communicates results safely and confidentially to you. No background check should be a risk factor in a potential data breach. Likewise, a good partner can provide you with insights and resources on how to improve your processes.
With support from backgroundchecks.com, your company can build effective hiring workflows that don’t put private information at risk. By protecting personal information through best practices during screening and within your business, you can put up more effective barriers against today’s threats. Learn more about how backgroundchecks.com can help you obtain secure, detailed screening reports today.
Get instant updates on Background Checks for Employers
About Michael Klazema The author
Michael Klazema is the lead author and editor for Dallas-based backgroundchecks.com with a focus on human resource and employment screening developments
