Written By ESR News Blog Editor Thomas Ahearn
Information security is a top priority for background screening firms in today’s digital age. Background screening firms that handle the Personally Identifiable Information (PII) of consumers must guard against data breaches and identity theft. A background screening firm accredited by the National Association of Professional Background Screeners (NAPBS) has safeguards in place against unauthorized users and unwanted intrusions. This blog is the first in a six-part series about NAPBS Accreditation. For previous blogs about NAPBS Accreditation, please visit http://www.esrcheck.com/wordpress/tag/accreditation/.
Data and information security is just one part of the Background Screening Agency Accreditation Program (BSAAP) created by the NAPBS for Consumer Reporting Agencies (CRAs), the technical term for background screening companies. The BSAAP contains 58 clauses that CRAs must follow to be NAPBS Accredited. The clauses are divided into six sections: 1.) Data Information and Security, 2.) Legal Compliance, 3.) Client Education, 4.) Researcher and Data Product Standards, 5.) Verification Service Standards, and 6.) Miscellaneous Business Practices. This blog will focus on ‘Section 1: Data Information and Security’ which contains 13 clauses.
The cornerstone of NAPBS Accreditation in ‘Section 1: Data Information and Security’ is Clause 1.1, which states that CRAs shall have a Written Information Security Policy (WISP). The WISP contains the policies that protect consumer information from internal and external unauthorized access. Section 1 also covers security issues such as intrusion detection, passwords, user access, privacy policies, data destruction, consumer disputes, and criminal databases, in compliance with Federal Trade Commission (FTC) and Fair Credit Reporting Act (FCRA) rules. The 13 clauses in ‘Section 1: Data Information and Security’ for NAPBS Accreditation are as follows:
- 1.1 Information Security Policy – CRA shall have a Written Information Security Policy. CRA shall designate one or more individuals within the organization who are responsible for implementing, managing and enforcing the information security policy.
- 1.2 Data Security – CRA shall have procedures in place to protect consumer information under the control of the CRA from internal and external unauthorized access. These procedures shall include specifications for the securing of information in both hard copy and electronic form, including information stored on portable and/or removable electronic devices.
- 1.3 Intrusion and Data Security – CRA shall have procedures in place to reasonably detect, investigate and respond to an information system intrusion, including consumer notification where warranted.
- 1.4 Stored Data Security – CRA shall have procedures in place to reasonably ensure backup data is stored in an encrypted or otherwise protected manner.
- 1.5 Password Protocol – CRA shall require strong password protocol pursuant to current security best practices.
- 1.6 Electronic Access Control – CRA shall have procedures in place to control access to all electronic information systems and electronic media that contain consumer information. CRA shall have procedures in place to administer access rights. Users shall only be given the access necessary to perform their required functions. Access rights shall be updated based on personnel or system changes.
- 1.7 Physical Security – CRA shall have procedures in place to control physical access to all areas of CRA facilities that contain consumer information.
- 1.8 Consumer Information Privacy Policy – CRA shall have a Consumer Information Privacy Policy detailing the purpose of the collection of consumer information, the intended use, and how the information will be shared, stored and destroyed. The CRA shall post this policy on its Web site, if it has one, and will make said policy available to clients and/or consumers upon request in at least one other format.
- 1.9 Unauthorized Browsing – CRA shall have a policy that prohibits workers from searching files and databases unless they have a bona fide business necessity.
- 1.10 Record Destruction – When records are to be destroyed or disposed of, CRA shall follow FTC regulations and take measures to ensure that all such records and data are destroyed and unrecoverable.
- 1.11 Consumer Disputes – CRA shall have procedures in place for handling and documenting a consumer dispute that comply with the federal FCRA.
- 1.12 Sensitive Data Masking – CRA shall have a procedure to suppress or truncate Social Security numbers and other sensitive data elements as required by law.
- 1.13 Database Criminal Records – When reporting potentially adverse criminal record information derived from a non-government owned or non-government sponsored/supported database pursuant to the federal FCRA, the CRA shall either: A) verify the information directly with the venue that maintains the official record for that jurisdiction prior to reporting the adverse information to the client; or B) send notice to the consumer at the time information is reported.
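Clause 1.12 names the technique (suppress or truncate Social Security numbers) but not the mechanism. The Python below is an added example written for this post; it is not code from the original blog, from ESR, or from the NAPBS standard. It assumes the common “last four digits” truncation format (XXX-XX-6789), a regular expression for the 3-2-4 SSN grouping, and a constructed sample consumer record; none of those details come from the clause itself, which defers the required form of masking to applicable law.

```python
import json
import re
from typing import Any

# Constructed sample input (not from the original post): a consumer record as a
# screening system might hold it, with an SSN both in a dedicated field and
# buried in free-text notes, plus a phone number that must NOT be masked.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": "1985-02-14",
    "notes": "Applicant confirmed SSN 123456789 by phone; callback 415-555-0134.",
}

# Assumed SSN pattern: 123-45-6789, 123 45 6789 or 123456789. The backreference
# \2 requires the same separator in both positions, and the fixed 3-2-4 grouping
# keeps it from matching phone numbers (3-3-4) or ZIP+4 codes (5-4). The word
# boundaries stop it matching inside longer digit runs such as account numbers.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def truncate_ssn(value: str) -> str:
    """Truncate every SSN in the string to its last four digits (XXX-XX-6789)."""
    return SSN_RE.sub(r"XXX-XX-\g<4>", value)


def suppress_ssn(value: str) -> str:
    """Suppress every SSN in the string entirely."""
    return SSN_RE.sub("[SSN SUPPRESSED]", value)


def contains_ssn(value: Any) -> bool:
    """Walk strings, dicts and lists and report whether any unmasked SSN remains."""
    if isinstance(value, str):
        return SSN_RE.search(value) is not None
    if isinstance(value, dict):
        return any(contains_ssn(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_ssn(v) for v in value)
    return False


def mask_sensitive(value: Any, mode: str = "truncate") -> Any:
    """Apply masking to every string in a nested record, whatever field it sits in.

    Masking all string fields rather than a named list of fields is deliberate:
    an SSN typed into a notes field is exactly the case a field allow-list misses.
    """
    masker = truncate_ssn if mode == "truncate" else suppress_ssn
    if isinstance(value, str):
        return masker(value)
    if isinstance(value, dict):
        return {k: mask_sensitive(v, mode) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_sensitive(v, mode) for v in value]
    return value


def redact_for_output(record: dict, mode: str = "truncate") -> str:
    """Serialize a record for a client report or log line, refusing to emit it if
    an SSN survived masking (a fail-closed check rather than trusting the regex)."""
    masked = mask_sensitive(record, mode)
    if contains_ssn(masked):
        raise ValueError("unmasked SSN would be written; refusing to output record")
    return json.dumps(masked, sort_keys=True)


if __name__ == "__main__":
    print(redact_for_output(SAMPLE_RECORD))
    print(redact_for_output(SAMPLE_RECORD, mode="suppress"))
```

The design errs toward over-masking: a nine-digit number with no separators that is not an SSN will be truncated too, which is the safer failure for a CRA. The inverse failure, an SSN written with an unusual separator or split across lines in an OCR’d court document, is the case a regex alone will not catch, which is why `redact_for_output` re-checks its own result and refuses to emit rather than assuming the first pass was complete.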
According to the ‘Accreditation’ page on the NAPBS website, the BSAAP has become a widely recognized seal of approval that brings national recognition to an employment background screening-affiliated organization for its commitment to excellence, accountability, high professional standards, and continued institutional improvement. The governing body for the accreditation program and future personnel certification is the Background Screening Credentialing Council (BSCC). For more information about NAPBS Accreditation, please visit http://www.napbs.com/accreditation/.
Founded in 2003, the NAPBS – “The Voice of Screening Professionals” – exists to promote ethical business practices, compliance with the FCRA, equal employment opportunity, and state and international consumer protection laws relating to the background screening profession. The NAPBS provides educational programs aimed at empowering members to better serve their clients, while adhering to standards of excellence in the background screening profession. For more information about the NAPBS, please visit http://www.napbs.com/.
Founded in 1997, Employment Screening Resources® (ESR) – “The Background Check Authority®” – is a nationwide background screening firm accredited by the NAPBS and located in the San Francisco, California area. ESR’s SOC 2 Audit Report confirms it meets the standards set by the American Institute of Certified Public Accountants (AICPA) for protecting consumer information. ESR founder and CEO Attorney Lester Rosen also wrote the book on background checks with “The Safe Hiring Manual.” For more information about ESR, please call toll free 888.999.4474 or visit http://www.esrcheck.com.
© 2015 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.
The post Information Security a Top Priority for NAPBS Accredited Background Screening Firms appeared first on ESR News Blog.