US employers may want to rethink their approach to employee data protection and employment verification.
The Consumer Financial Protection Bureau (CFPB) recently announced plans to tighten regulations around data brokers and how they use and share consumer data. A recent agency study into the data industry uncovered substantial risks to Americans’ privacy if the collection and sale of personal information continues to go unregulated.
Many companies utilize data brokers for employment verification services, including verification of income (VOI) and verification of employment (VOE). Yet businesses often lack visibility into how data brokers may use employee data beyond those services. When data brokers collect employee information from businesses, it is added to a larger database and can be sold to interested parties without employee consent. In fact, some of the largest data brokers have obtained paystubs from hundreds of millions of US workers through HR departments for income verification, which they then sell to debt collectors, lenders, and landlords.
On a larger scale, data brokers have long been monetizing consumer data, selling sensitive, personal information to third parties, allowing that data to be used for AI training purposes and increasing the risk of breaches and violent crimes. Some of the more concerning data collected and sold by the industry include financial details of the US military and names of people with dementia, according to CNN.
The extension of the CFPB’s regulations is particularly urgent as the “surveillance industry” expands — with nearly every aspect of consumer behavior distilled into digital records, Americans, and specifically more vulnerable citizens, face safety threats if that data is used for the tracking and surveillance of individuals.
The CFPB’s announcement is the latest in a slew of efforts to safeguard Americans’ data, and would be a boon for consumers’ privacy rights.
Currently, there is no comprehensive federal data protection law in the US. In 2018, the European Union (EU) passed the General Data Protection Regulation (GDPR) which requires explicit consent for how personal information is used and stored, inspiring a number of US states to pass their own privacy laws. These laws have gone into effect in California, Colorado, Connecticut, and Virginia, while others will go into effect between the end of 2023 and the next few years. The Federal Trade Commission (FTC) does enforce privacy regulations, but only in specific sectors, including healthcare and financial institutions. This still leaves many US consumers and employees with no recourse when it comes to the sale of their private information by data brokers.
What are the risks for businesses working with data brokers for employment verification?
When HR departments outsource employment verification to data brokers, they are often required to routinely provide “flat files” containing sensitive employee information on a weekly basis which are then stored, repackaged, and sold to third parties, putting employees’ privacy at risk. Some companies may use APIs, pulling large datasets from HR software into their own databases, which they store. (Vault Verify uses an API model that only pulls specific, critical information to carry out employee verification, with employee consent. That data is deleted after 30 days.)
With CFPB’s upcoming proposal, along with the enforcement of the California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA) that would extend regulations and further protect personal information, businesses are already rethinking how they manage sensitive employee data in order to avoid hefty fines. Noncompliance with the CPRA can range from $2,500 to $7,500 per incident, and treated as a separate violation for each affected consumer.
Data brokers are often targeted by threat actors due to their massive datasets. If sensitive employee data is exposed, businesses could be held liable. Data breaches are vastly damaging to businesses, with the global average costing $4.45 million in 2023.
Even before laws go into effect, employers can take action now to safeguard employee data, and reduce their own risk of a data breach and reputational damage, by divesting from data brokers and working with trusted vendors for employment verification.
What can employers do now to safeguard employee data?
Businesses and their HR departments have other options for VOI and VOE services that don’t involve handing over files to data brokers. Here are the steps your business can take now:
Assess your data sharing practices.
When outsourcing VOI and VOE services, employers should start by assessing their vendors’ practices around data management and data privacy. You can ask your vendor questions about:
- Data Retention: Trusted vendors will delete employee records after employment verification services are complete.
- Data Ownership: Choose a vendor that allows you to maintain full ownership over your data, even after it’s shared.
- Permissible Use: Avoid vendors who allow other third parties access to your employees’ data. Ask specific questions to understand how they will use the data, and determine if their business partners can financially benefit from your data.
You can also get a professional assessment from privacy experts like Privageo to ensure you’re taking steps to mitigate the risks of a breach or failing to comply with upcoming federal regulations.
Move away from “send and store” models for sharing data.
To avoid misuse of employee data — whether intentional or not — companies should work with trusted vendors who use real-time API models, which can prevent vendors from repurposing and selling employee data. Rather than handing over a large data set on a weekly basis, which is required by some data brokers, with an API model, HR departments can limit the information that is shared with vendors and avoid unnecessary exposure of sensitive data. Read more about the benefits of API models versus flat files.
Vault Verify is a trusted vendor that works directly with HR leaders and uses an API to securely transfer real-time data from your HR platform on request. We never resell, repackage, or otherwise reuse our customers’ data for anything other than its intended purpose: the verification of employment and income through Vault Verify.