In my line of work, it is often a requirement to provide our customers with background information on the employees who will be performing on-site professional services. This is not in itself an issue, but how the customer receives and handles that information can be. Tripwire best practice is for HR to provide an attestation of all requested background checks to our clients rather than providing detailed background reports or having the client run a background check on our employees. This allows us to meet our clients' background check requirements while protecting our employees' Personally Identifiable Information (PII) and privacy.

Security vs Convenience: The PII Debate

Recently, I worked with a client that requested numerous checks, including a full background check, for an employee. Again, not a problem, but the amount of information and how they wished to receive it was cause for concern. Not only did they require that we attest to each check completed in the background, but they also required the employee to provide most of the PII needed to run a background check, along with a full detailed report of the background results (from which we redacted as much PII as possible). Additionally, this client insisted that the information be sent to a blind email box (i.e. [email protected]). The HR team sent the client an email with a link to securely download the file, which they declined to open. Because the client had a policy against clicking on an external link to our secure file share, HR sent a password-protected PDF to the customer, with the password communicated separately.

During the back and forth of attempting to provide PII in a secure fashion, we learned that the blind mailbox was not the final destination; instead, it was being forwarded to a third party