Fortune 500 Companies’ Selling and Sharing of Employee Data
February 6, 2023
Many companies report their employee data to data brokers who manage employment records, conduct background checks, and calculate credit scores. Sharing employee data is often assumed to be a standard procedure, but there is little transparency over how this process happens and what information is reported. The need for transparency is increased by the fact that employee data is available for others to access when it is shared with third-party record management firms and data brokers. The Work Number, a subsidiary of Equifax, for example, sells 535 million active and historic records (such as salary, healthcare, and leave) from 2.5 million contributors to The Work Number.
In an attempt to better understand the industry-wide process of reporting employee data, I worked with Justin Sherman to create a survey that we sent to the chief human resource officer of every Fortune 500 company. Despite collecting accurate emails of Fortune 500 company executives, we did not expect many responses because we had heard that most companies consider this information to be confidential.
Complying with university research ethics processes, we received approval for our survey first from Duke’s Institutional Review Board (IRB). After finalizing our draft survey questions and draft stated purpose, and receiving approval from the IRB, I sent out a Qualtrics survey to all of the Fortune 500 executives simultaneously from a Duke email address. Then the wait began for responses to trickle in. As expected, many companies did not respond to the survey, and some recipients immediately removed themselves from the mailing list.
Only one of the contacted Fortune 500 companies responded to the survey on companies sharing their employee’s data with data brokers. Just that one response provides valuable insights into the inner workings of employee data reporting. Here are some takeaways:
- Employers reporting on updates to employment status is mandatory and happens often. Workers do not explicitly consent before having their personal data shared.
- Sensitive personal information—such as social security number, salary, and parental leave status—are often shared with data brokers on a weekly basis. This sensitive personal information, if stolen or illicitly acquired, could be used to impersonate someone in the company for the purposes of conducting phishing scams or carrying out identity theft.
- Companies do not appear to have protections in place to prevent a report of job loss from damaging a person’s credit score, which can have a cascading effect on their financial stress during moments of uncertainty. Further, because employees themselves have no control over their employer’s sharing of their data, if they are laid off, they have no ability to protect themselves from other companies refusing to hire them due to this record.
- Companies use data brokers to verify past employment and income as well as conduct background checks on job applicants. This means, for example, that workers who are reported as laid off or fired may find it harder to get a job afterwards.
- Employers may share data on their employees with data brokers through unsecure or unencrypted channels and may not be properly secured when stored. This kind of data can be immensely damaging when compromised, as when Equifax was hacked in 2017 and exposed the personal information of 147 million people.
There is a need for additional research in this area to understand the practice of employers sharing and selling their employees’ data, and the risks that may result, but I was unable to draw any more conclusions from just one response.
I sent the survey again in an unsuccessful attempt to garner more responses. Despite the lack of responses to our employee data survey, the singular reply helped reveal some of the structural vulnerabilities entailed in the current employee data reporting ecosystem. As we continue to do more research into employee data reporting, it will be important to engage the companies who participate in these practices. My gratitude extends to the one Fortune 500 company whose executive responded to the survey, as this kind of academic research and transparency is vital to boost the security and privacy of personal data.
Alistair Simmons is an undergraduate research assistant on the data brokerage research project at Duke University’s Sanford School of Public Policy.