HR’s Data Broker Problem – Fix It!
What is a Data Broker?
A data broker is a company that gathers, processes, and sells personal information to other companies, often without a person’s awareness. You’ve likely granted technology giants like Facebook and Google some data-gathering permission at some point – read that fine print! And there are Acxiom and Nielsen, among others. As you interact with free websites, they take your data and sell it. Remember:
“If you’re not paying for the product, you are the product.”
– Tristan Harris, Former Design Ethicist at Google
The largest of the data brokers is Equifax, owners of The Work Number.
How Do Data Brokers Gain All This Data?
One of many ways data is acquired is through third-party data sharing agreements. In relation to HR, you can consider two areas. If a company hires an HR technology vendor, often the provided services require the HR or payroll department to provide the company’s entire employee data file each pay period for it to perform that service. This is known as the “send and store” method, or providing a “flat file.” As you can imagine, that results in the transfer of a mountain of data. Once it is outside your control, the protection is only as good as your HR tech vendor’s systems; once it is stored externally, you have lost the ability to protect your data yourself.
These credit bureaus have created HR tech service divisions as a strategic way to source and retain records. It is another way of data mining. They have gone where the data is, to provide a service that saves time and resources. And the data is highly valuable if you consider the financial statements of credit bureaus.
Focusing on just employment and income verification (VOIE), over 80% of the U.S. market share is controlled by the credit bureaus, a.k.a. data brokers. The vast majority is locked up by The Work Number’s contracts with both large and small companies. It is critical to understand the motivation behind credit bureaus branching out into providing data-heavy HR services – it guarantees their ongoing data supply. Equifax is said to have 3.4 M contributing employers, and over 170 million records, which grows 6 or 7% annually. A typical sales pitch from The Work Number to HR: “Contribute your data to us and we’ll take care of the calls.” Once the data is transferred, it is in their master database to use and monetize as they see fit.
There is a second way that data brokers gain HR data, by contracting to be the service of choice for certain HCM platforms. These “preferred vendor status” or paid exclusivity arrangements not only impact the free market, reducing competition, but also assure a steady supply of client growth to the HR tech divisions of credit bureaus.
And you can hardly blame HR departments for opting for the most prevalent vendor of a service line. Your HCM platform rep suggests “use these guys” and why wouldn’t you? It is the status quo, the well-worn path that most employers have already taken. It has already been thought out for you, and so many companies couldn’t possibly be wrong. But when you closely examine the details, as we will here, it represents a huge increase in employee data exposure. And, as we’ll come back to, it is 100% unnecessary. Every HR department has a choice to make. There are many reasons that sharing all your employee data with a data broker is a BAD IDEA.
Why Exactly Is It a BAD IDEA?
Mainly because, as an employer, the “send and store” method of sharing data with HR tech vendors is creating a lot of unnecessary data exposure. And you are increasingly required to protect this data to stay in compliance.
Once the data that is so critical to the data broker business model is in their database, it may live on indefinitely. Data brokers market products that tout the combined strength of the multiple data sets they store, including your employer data. For example, Equifax has a service called TotalVerify, self-described as a data hub that combines all sources, including employment and income information. It’s sort of like bragging “Look at how much we know about your target!” When increasing data’s market value, the name of the game is aggregation and segmentation. And, because many data sources are combined, any breach can be deeper and more damaging.
Is there any real risk of breach or misuse? You only need to look back to 2017, which confirms that this is more than a possibility: a massive data breach involving a third-party database and 147 million people resulted in a $700 M settlement. Remember?
But it’s not all about breaches or exposure incidents. Perhaps those are unlikely outcomes, although the headlines seem to be multiplying. And it can be quite serious when it happens to a company.
Shouldn’t I Own My Personal Data?
There is a changing tide in the US – Americans want common-sense data protection. They want to opt in, not be required to opt out. They have a right to know if data is being shared, to whom, and how often.
Your company’s full employee list with names, birth dates, Social Security numbers, and compensation data reveals a lot about your company, as well as the individuals who work there. If you do business in California, your company is now legally bound to comply with data protection laws, not to mention the data stewardship obligations. Why would you willingly hand that precious data over to a vendor that may not protect it? Beyond protection, that vendor as a data broker will likely seek to actively resell it to make more money.
While under contract with an HR tech services vendor, what happens to your payroll data once it’s shared each pay period? Every year, on average between 20% and 25% of employees request a verification, for loans, government services, or similar “sanctioned” transactions. For this example, let’s use 1 in 4 as our figure. Meaning each year, 3 out of 4 do not need this service. But the HR tech vendors want ALL the data. Why?
One data broker fulfilled 148 M verification requests in 2022, which is close to their number of total records. Ask yourself: how is that possible? That’s not 1 in 4 – it’s more like 1-to-1. For whatever purpose beyond VOIE, practically all data records are being accessed and utilized.
If it’s not for legit employee-consented verifications, what is being done with all that data? Does it get deleted? No! It gets repackaged and resold because these companies are in the business of monetizing data. They are credit bureaus, and therefore data brokers. The HR tech services are the supply-side and feed the demand for data from other businesses targeting those employees, who are all consumers as well.
How Might Data Shared by Employers with Good Intentions Be Misused?
There are many ways that data can be misused. Some of the issues are just modern-day annoyances. For example, when your employee gets a loan, and a verification is a part of that process, then that “life event” signal may be resold by a data broker to marketers that reach out and try to sell home services: streaming services, moving vans, etc. You may have thought it was the lender that resold the data. Not usually. And it’s mildly annoying, but we deal with it.
But here are a few more concerning purchasers of employment and income data, once it finds its way into a data broker’s massive databases:
- Collection Agencies – not helpful if any of your employees are going through rough financial times.
- Insurance Agencies or Divorce Attorneys – which may use the data against your employees for legal claims or settlements.
- Journalists or News Agencies – of concern when you consider sensitive executive compensation.
Employers may be unintentional participants in these distasteful activities. We do not think HR departments knowingly align with such anti-privacy practices. If a vendor was transparent and said upfront that they would require all this data to perform a legitimate service for you but would also resell the data to people like divorce attorneys, it’s highly likely that any HR department would say “no way!”
Can We Stop Employee Data Misuse?
A 2022 Pew Research study found that 79% of Americans were concerned about how much data companies were collecting about them, and that 81% of Americans felt the potential risks of data collection outweighed the potential benefits.
Despite this concern, the US has no federal data protection laws like the European Union, which has the General Data Protection Regulation (GDPR).
Of course, the data brokers are not going to sit idly by while the government creates laws to stop their practices. In 2020 alone, data brokers spent $29 M in lobbying activities to protect their interests in Washington and individual states. This is likely to create exemptions, exclusions and loopholes for credit reporting agencies that are subject to the Fair Credit Reporting Act (FCRA). The FCRA has been characterized as a “protective umbrella” that can be used as cover for other revenue sources in the data broker divisions of the credit bureaus. And a lot of proposed legislation has been killed before it was enacted, including the Data Accountability and Trust Act (2019), and the Information Transparency and Personal Data Control Act (2021). These sound like laws the average American would want, right?
There is work being done on a comprehensive federal privacy law, to regulate data in a scope similar to GDPR – it is called the American Data Privacy Protection Act. It is the first such federal legislation to pass a House committee, in July 2022. But it stalled there, still not reaching the Senate floor. The lobbying efforts have been active around this legislation because there is a lot at stake, pitting data brokers against individual rights.
All the data broker practices we’ve described here are NOT illegal, due in part to lobbying influence. But that does not make their actions right, nor does it mean that employers and HR departments need to be willing participants. If you are reading this and getting mad, there is a better way, available now! The day is coming when all this may be challenged. In 2024 we’re seeing the first enforcement efforts as the California Privacy Rights Act begins fining companies that don’t protect employee data. And the patchwork of state laws is strengthening. Refer to the International Association of Privacy Professionals (IAPP) website for a current US state privacy legislation tracker. More states like California might include employee data, which creates HR compliance requirements.
Beginning in late 2023 and into 2024, the Consumer Financial Protection Bureau (CFPB) is signaling a new focus on data brokers. Here are some proposed defining provisions, in brief:
- Data brokers that collect consumer information as a Credit Reporting Agency (CRA) for a permissible purpose will only be able to sell it to another user for a permissible purpose.
- The CFPB seeks to limit the circumstances under which a CRA can help third-party users market to consumers. If a CRA uses information from a consumer report in combination with information from a third party to engage in targeted advertising, under proposed language the CRA will have given a consumer report to a user without a permissible purpose.
If these provisions should take effect, credit bureaus would need to tighten up data accuracy, permissible purpose, and handling of consumer inquiries (with more transparency), because more of their activities would fall under the FCRA. All this signals higher compliance requirements. And, for data brokers, potentially less revenue from reselling data! This is a legislative compliance topic worthy of HR executive monitoring due to the significant impact on privacy rights in the US.
What Advice Is There for HR Executives?
Outsourcing makes sense, and these services are extremely helpful, but the data access should be actively managed on YOUR terms, not the data-hungry terms dictated by data brokers.
We encourage all HR executives and payroll leaders to question any mass data transfer to HR tech vendors at every opportunity. Why do they need all your data and not just the data for those employees consenting to provide verification reports?
As a client, you can ask for your transaction report. If the number of annual VOIE transactions is way above 20-25% of your employee count, you should be suspicious about how that data is being repurposed by that company you contracted initially to provide basic outsourced VOIE services.
For HR executives, a suggested goal should be more active data governance or stewardship to responsibly protect personal data. Your employees are also consumers who have legitimate privacy concerns. They will expect you to do your part and maintain compliance in a rapidly evolving legal environment.
The principle of “data minimization” means that an employer should limit the collection of personal information to what is directly relevant and necessary for an HR tech service provider to accomplish a specified purpose. They should retain data only for as long as necessary to fulfill that purpose. When fulfilling a legitimate HR data request involves mass data transfers to an external database, there is exposure risk and the potential to jeopardize compliance. A “least privilege” approach provides only the access and data required to fulfill the consented service, and future-proofs your HR processes.
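The contrast between “send and store” and a least-privilege, consent-gated lookup, together with the transaction-ratio check suggested above, as an added example that is not part of the original article and is not Vault Verify’s or any vendor’s code. The payroll records, the secret and the verifier volumes are constructed, and the function names (bulk_export, issue_consent, consented_lookup, transaction_ratio_alert) are illustrative assumptions. It assumes the employer holds the payroll file and the signing secret, and that a verifier only receives what one employee has consented to for one stated purpose.

```python
"""Least-privilege VOIE fulfillment versus a "send and store" flat-file export.

Added, constructed example. The payroll data, secret and function names are
illustrative; none of this is a real vendor's API.
"""
import hashlib
import hmac
import time

# Constructed payroll file. A real flat file would hold every employee and
# every field the payroll system has, re-sent each pay period.
PAYROLL = {
    "E1001": {"name": "Ann Example", "ssn": "000-00-0001", "dob": "1980-01-01",
              "title": "Analyst", "status": "active", "salary": 72000},
    "E1002": {"name": "Bob Example", "ssn": "000-00-0002", "dob": "1975-05-05",
              "title": "Engineer", "status": "active", "salary": 98000},
    "E1003": {"name": "Cy Example", "ssn": "000-00-0003", "dob": "1990-09-09",
              "title": "Clerk", "status": "terminated", "salary": 41000},
}

# Data minimization: the fields a verifier needs for each stated purpose.
# SSN and date of birth are never released; the verifier already has them
# from the applicant and only needs the employer's confirmation.
PURPOSE_FIELDS = {
    "employment": {"name", "title", "status"},
    "employment_income": {"name", "title", "status", "salary"},
}

CONSENT_TTL_SECONDS = 30 * 24 * 3600  # consent covers one transaction window, not forever


def bulk_export(payroll):
    """'Send and store': every record and every field leaves the employer."""
    return [{"id": eid, **rec} for eid, rec in payroll.items()]


def exposed_fields(records):
    """Count the individual data elements handed to the outside party."""
    return sum(len(r) for r in records)


def issue_consent(employee_id, purpose, secret, now=None):
    """Record that ONE employee authorized ONE purpose-bound verification.
    The token is an HMAC over (employee, purpose, expiry), so it cannot be
    redirected to another employee, another purpose, or a later date."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    now = time.time() if now is None else now
    expires = int(now + CONSENT_TTL_SECONDS)
    msg = f"{employee_id}|{purpose}|{expires}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"employee_id": employee_id, "purpose": purpose, "expires": expires, "mac": mac}


def consented_lookup(payroll, consent, secret, now=None):
    """Least privilege: release one employee's record, restricted to the fields
    the consented purpose needs, and only while the consent is valid.
    Nothing is retained by the verifier beyond the single report."""
    now = time.time() if now is None else now
    purpose = consent["purpose"]
    if purpose not in PURPOSE_FIELDS:
        raise PermissionError("unknown purpose")
    msg = f"{consent['employee_id']}|{purpose}|{consent['expires']}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, consent["mac"]):
        raise PermissionError("consent token invalid (altered or forged)")
    if now > consent["expires"]:
        raise PermissionError("consent expired")
    record = payroll.get(consent["employee_id"])
    if record is None:
        raise LookupError("no record")
    return {k: record[k] for k in PURPOSE_FIELDS[purpose]}


def lookup_outcome(payroll, consent, secret, now=None):
    """Convenience wrapper: 'ok' or the reason the request was refused."""
    try:
        consented_lookup(payroll, consent, secret, now)
        return "ok"
    except (PermissionError, LookupError) as exc:
        return f"denied: {exc}"


def transaction_ratio_alert(annual_transactions, headcount, baseline=0.25):
    """Stewardship check: legitimate VOIE demand runs around 20-25% of headcount
    per year. Returns (ratio, True if the vendor's volume exceeds the baseline)."""
    ratio = annual_transactions / headcount
    return round(ratio, 2), ratio > baseline


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    t0 = 1_700_000_000
    print("flat file exposes", exposed_fields(bulk_export(PAYROLL)), "data elements")
    consent = issue_consent("E1002", "employment_income", secret, now=t0)
    print("consented report:", consented_lookup(PAYROLL, consent, secret, now=t0))
    print("same token, other employee:",
          lookup_outcome(PAYROLL, dict(consent, employee_id="E1001"), secret, now=t0))
    print("after expiry:",
          lookup_outcome(PAYROLL, consent, secret, now=t0 + CONSENT_TTL_SECONDS + 1))
    print("vendor volume check:", transaction_ratio_alert(980, 1000))
```

The flat file hands over every element for every employee, including SSNs and birth dates, whether or not anyone ever asks about them; the consented path releases four fields for one employee, and a token cannot be reused for a colleague or after it lapses. The ratio check is the transaction-report test from the previous section: a vendor fulfilling close to one request per record, rather than one per four, is the signal that data is being used beyond the contracted service.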
There are alternative approaches that offer excellent outsourced verification services but do not require the sharing of all employee data. Figuratively, in many cases a company’s IT department builds a fortress around all its systems, while their HR department is handing a data broker their entire employee data set out the back door, every few weeks.
At Vault Verify, we recently signed a large organization that was still doing in-house verifications through their payroll department. That’s rare in a big company: a team of 4 people taking incoming calls from lenders and processing reports. When they decided it was time to outsource, the reason they reached out to us specifically was because we were NOT a big data broker. And the more they learned about our approach, the more convinced they were of our business model.
Most companies have outsourced, and unfortunately the biggest player in our verifications space is a data broker. But people are getting savvy about protecting personal data. The decision criteria for HR services are shifting as more employers become aware of the data privacy concerns.
How Does Vault Verify Provide a Better Way?
We wouldn’t describe such a major issue without offering a solution!
Vault Verify integrates directly with HCM and payroll platforms through real-time APIs. We call this approach the Vault EDGe Gateway. In our published data privacy pledge, we pledge to never store, share or monetize your data beyond the single consented VOIE report.
If you decide to future-proof your data access policies based on legislative momentum towards protection of all consumer data including your own employment data, then you can make a seamless service change by contacting us. We welcome your inquiry!
Reece Nanfito is the Chief Marketing Officer at Vault Verify. Reece’s career began with successful consumer products sales and marketing roles with MARS, Inc. and ConAgra Foods. He then enjoyed several executive roles in sports marketing with the ethanol industry, then IMG and VF Corp, before becoming Chief Strategy and Growth Officer for TeleSpecialists. Reece is now focused on Vault Verify, which provides secure outsourced HR services to mid to large companies across the US through the Vault EDGe Gateway.
Reece lives in Clearwater, FL and enjoys kayaking, jazz and photography.