Google, Apple workers question sharing payroll data with Equifax - The Washingto...

It turns out Google was not alone in sharing that data. Many companies send their employees’ payroll information to Equifax’s The Work Number service to offload the hassle of work verification requests, often without them actively knowing about it.

Employers may have a trove of data on workers. Here’s how to control the narrative

Workers then don’t have to rely on their former employer to directly confirm the points on their résumé each time they’re looking for a new job, or need a loan or mortgage. But the workers at Google worried that it’s risky to house such sensitive data in one central database controlled by a company that has faced data security challenges in the past.

“I think that it’s very disturbing to me that employees don’t get to have any say in whether their company is sharing that information,” said Hayley Tsukayama, a privacy analyst with the Electronic Frontier Foundation. “That should be a personal decision not a company level one.”

The Equifax service made news last month when The Washington Post reported Apple has for years changed the titles of former employees in the database to “associate,” no matter what their title was when they worked for Apple. The revelation raised questions about the accuracy of Equifax’s records and how transparent the service is to employees, whose data makes the company more than $1 billion a year.

After the 2017 data breach, Equifax’s CEO stepped down. The company said its new leaders have invested more heavily in security, hiring teams of people to fight hackers and fraudsters. “Today we’re leaders within the space relative to all the other industries and organizations out there,” said Jamil Farshchi, Equifax’s chief information security officer. One of the executives who helped build out Equifax’s security team recently got selected to help lead cybersecurity at Colonial Pipeline, which suffered a major ransomware hack last year.

Data shared with the Work Number is not passed on to other parts of Equifax, and is stored completely separately, said Joe Muchnick, senior vice president and general manager of the company’s employer services and talent solutions division. Banks, loan officers and prospective employers can only access someone’s data with their express consent, he said.

Every employee who leaves Apple becomes an ‘Associate’

After employees raised the issue at Google, the company told them that sharing information with Equifax was common practice and that outside parties could only access the data with individual employees’ consent, such as when they were applying for a loan, according to the workers. The company also said it would work with Equifax to create more ways for workers to control their data.

The two employees were generally satisfied with the company’s answers, though one noted that it left some workers uneasy that they didn’t know how their information was being shared by their employer, and that they had to opt-out after the fact rather than being warned ahead of time.

Google declined to comment.

Because payroll data held by Equifax is regulated by the Fair Credit Reporting Act, the company is also required to allow anyone to look up their own data. By entering their Social Security number, employees can see their data and who has accessed it, going back two years.

Still, correcting inaccuracies in the data is a cumbersome process and reconciling discrepancies detected in a person’s résumé can become a drawn-out challenge.

Google cut pay for some workers in North Carolina

Most big companies outsource the process of employee verification during their hiring processes entirely, using companies like HireRight, First Advantage and Sterling. These companies make sure that prospective employees did what they say they did on résumés, which includes using The Work Number and other Equifax services to confirm their previous employment. Equifax refers to those companies as “resellers” of its Workforce Solutions product.

In 2020, Equifax changed the way it prices the Workforce Solutions product, making resellers purchase more data that came bundled together. On average, prices doubled for resellers, according to a former Equifax employee who requested anonymity because of a nondisclosure agreement, and employment verification professionals who did not want to be named for fear of losing access to Equifax data. Then last year, Equifax increased prices by another 70 to 75 percent, these people said.

An Equifax spokesperson declined to comment on specific price changes but said the way data was sold was changed to make the process more efficient for customers.

The database that now houses Google’s payroll records began in 1995, when a company called Talx launched the Work Number. At the time, big companies were getting an increasingly large number of phone calls from employers, banks and other entities to verify resumes, job titles and payroll information.

Talx offered employers an alternative: Companies could send Talx all the data and then forward any inquiries to Talx, which would collect a fee from whoever was inquiring about the data.

Talx signed contracts with major companies like Microsoft and big government agencies like the state of California, and by 1999, more than 450 companies were handing over payroll data.

Privacy advocates began to take notice, however. In a July 1999 USA Today article, William Hubbartt, author of “The New Battle over Workplace Privacy,” opined: “What if a hacker gets in or someone is careless in how the information is used?”

What you need to know about unions and Big Tech

Bill Canfield, Talx’s CEO and president, assured people the likelihood of such an incident was low. “Several companies also come in on an annual basis and do a security audit,” he told the paper.

In May 2007 credit agency Equifax acquired Talx. It took another decade before the nightmare scenario privacy advocates worried about came true. Talx data was breached by fraudsters, who were able to reset the four-digit PINs of Talx customers. They then used the data to carry out tax refund scams, which were costing U.S. taxpayers about $21 billion a year at the time.

The massive Equifax data breach affecting 140 million Americans became public four months later.