The credit bureau Equifax is currently being accused of selling access to its personally identifiable information (PII) database of more than 190 million employment and salary records. This information, which details the personal information of more than a third of all American adults, is being sold to debt collectors, financial service companies and other entities, as reported by NBC News.
Via its employment verification program, the Work Number, Equifax is collecting and selling information from unknowing and unwilling individuals in clear violation of the company’s expressed terms of operation.
Employment information is considered the most sacred and protected of all personably identifiable information. Despite the fact that Facebook and Google have recently made news about selling users’ browsing information, the disclosure of salary, social security and employment history information constitute a major personal security breach and is typically not condoned civilly or criminally.
Money talks with “The Work Number”
However, for nearly a decade, the Work Number has released information as detailed as an employee’s weekly pay stubs, health care insurance information and unemployment compensation information to any company that is willing to pay for it and can demonstrate a “need-to-know.” This “need-to-know” can be as simple as a signed credit application.
The Work Number provides employment verification to a number of large companies, non-for-profit organizations and governmental offices. As a form of human resources outsourcing, The Work Number relieves these organizations of hiring staff to verify employment and salary of current and former employees and maintaining copious records. The way the system is supposed to work is that an employee who needs employment or income verification calls The Work Number and requests a one-time access code.
The employee then gives the access code and The Work Number’s verification telephone number to whomever asks for the verification. That person provides the access code and is given a one-time glimpse into the employee’s record. After the call concludes, the access code becomes inactive.
According to The Work Number, only those that the employee opted to give access to their information may actually see it. However, Equifax openly offers employment verifications and tax transcripts from the IRS about individuals to their commercial customers. “The Work Number is the largest provider of instant employment information; nearly 50 million current employment records, direct from employers. Our service rapidly verifies current employment information — online or in batch — to enhance our client’s performance and deliver immediate results. That’s important in market environments where borrowers are financially challenged and accounts receivable firms require efficiency and critical information for curing accounts,” The Work Number stated in their online sell pitch.
Protecting critical information
Most companies participate with The Work Number due to assurances of data privacy. Columbia University, which uses The Work Number for employment and salary verifications, states on its human resources webpage: “We are confident that this new employment and income verification system will be a benefit to all Columbia University employees. You are the only person who can authorize access to your salary information. The system is designed to protect your privacy and security.” Many companies that use The Work Number have well-established rules prohibiting the release of PII, such as the United States Department of Defense.
However, the realities of sharing this information can be vastly different from the original intent. In conversation with NBC News, Kathy Sandy of Sommerville, N.J. learned that a debt collector accessed her personal information only after she obtained her “consumer disclosure” from The Work Number. The “consumer disclosure” is a form of credit report, which Equifax is obliged to provide once a year to any individual inquiring about his own account, which details the records the company holds about the individual and who accessed them. On the first page of the extremely detailed and comprehensive 22-page report was a report of verifiers who have requested this data in the past 24 months. One of the verifiers listed was a debt collector that was in litigation with Sandy concerning a debt she was — at the time — repaying.
“I found out debt collectors can access this information, which is strange,” Sandy said. “I assumed with The Work Number, for that information, you had to have a (passcode) … but they got in, and got it somehow without my consent.”
According to the Fair Credit Reporting Act of 1970, The Work Number and its parent company Equifax is functioning as a “Nationwide Specialty Consumer Reporting Agency” (NSCRA), in which the companies maintain records regarding medical records or payments, residential or tenant history, check writing history, employment history and/or insurance claims. NSCRAs are allowed to sell the information they collect, but they must make a full disclosure of such activity to the affected person every year, and they must make this disclosure readily available.
Telecheck, ChoicePoint, Acxiom, Innovis, Tenant Data Services, LexisNexis, Central Credit, the Medical Information Bureau, Experian, Equifax and TransUnion are all NSCRAs and are among the many companies that have monetized their personal information databases.
“In good times, we help our customers find more customers,” Richard Smith, chairman and CEO of Equifax Inc., told NYSE Magazine in 2009. “Now we ask, how do we help them manage their portfolios better to reduce risk and maximize profitability?”
Smith continues: “With FirstSearch and TALX we can provide information about a debtor’s location, income and employment. That can help prioritize which accounts to pursue first. If they’re employed, that business has a better shot at collecting what is owed to them. We’re also doing very well with our Settlement Services business.”
Timothy Klein, Equifax spokesman, asserts that Smith misspoke. “Debt/Collection agencies may request employment information — which may be nothing more than verifying that a consumer is working where they say they are – if it qualifies under permissible purpose. Collections agencies are not provided salary information.”
The business of selling information to individuals
While the idea that a company could sell your private information to another company has terrified consumers, the idea that a company could sell your information to another individual without consent is unthinkable.
Yet, this happens on a regular basis.
Organizations such as Intelius, Acxiom and BeenVerified are known as data brokers. For a price, data brokers release publicly-available personal information to anyone that seeks it — which may include your age, your worth, vital statistics, driver’s license information, political and religious views, contact information and even photos from Facebook or Instagram. As these organizations are not NSCRAs, they do not have to disclose their possession or sale of your information.
One of the problems with data brokers is that they tend to deal with incorrect information. This was the case for Kathleen Casey, as reported by Yahoo!, an errant data broker report showed that she had a criminal indictment. This mistake cost her a job. Another example provided in the Yahoo! report is the case of Gina Marie Haynes. Haynes bought a Saab from a dealership, only to have smoke pouring from the hood the same day.
The dealer — despite “lemon” laws that establishes a warranty period for car purchases — charged for the repairs. When Haynes refused to pay for the repair, the dealer filed fraud charges. When Haynes relented and paid the charges, the courthouse removed the charges, but the charges remained in the information sold by the data brokers. She was denied a housing lease because of this.
HireRight, an pre-employment verification data broker, settled a class-action lawsuit in November 2011 on the allegation that it incorrectly dispersed information about 700,000 individuals between 2004 and 2010.
Virginia, Arizona and New Mexico have installed security software to protect its courts’ computer systems from outside attempts to mine the system for PII. However, many states recognized data brokering as an opportunity. Arizona charges $3,000 a year for physical access to its criminal records. These records contain partial Social Security numbers and driver’s license numbers. North Carolina charged $5,105 per year selling access to its criminal records, but stopped the practice in 2011 when data brokers refused to correct inaccuracies in their records. These corrections were released monthly by the state at a monthly cost of $370, which the brokers refused to pay for or simply chose not to apply the corrections. For similar reasons, Virginia has ended its data-selling scheme.
Baltimore, Md., is currently selling records that contain the PII of its employees at $14 per report, which includes the home address and driver’s license number of the employee in clear violation of state law, as reported by the Baltimore Sun.
The government’s position on privacy and PII has been complicated, and at times, contradictory.
In United States v. Miller, the defendant tried to prevent the government from using his bank records as evidence in a tax evasion investigation. The Supreme Court ruled that Miller had no privacy interest in his bank records, as they were not his personal papers and were instead the records of a private business. In general, the Supreme Court ruled “that when we convey information to a third party, we give up all constitutionally protected privacy in that information, for we assume the risk that the third party might relay it to others.”
As presented by the United States Government Accountability Office’s (GAO) June 2006 report “Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data,” “GAO found that the applicability of the primary federal privacy and data security laws — the Fair Credit Reporting Act (FCRA) and Gramm-LeachBliley Act (GLBA) — to information resellers is limited. FCRA applies to information collected or used to help determine eligibility for such things as credit or insurance, while GLBA only applies to information obtained by or from a GLBA-defined financial institution. Although these laws include data security provisions, consumers could benefit from the expansion of such
requirements to all sensitive personal information held by resellers.”
“If companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” said Jon Leibowitz, Chairman of the FTC.