New ‘digital trust exchange’ removes risks of managing PII of job applicants

People attend a JobNewsUSA job fair at the BB&T Center in Sunrise, Florida. (Joe Raedle/Getty Images)

Never mind getting hired. Just applying for a job at a company could expose individuals to compromise if the potential employer gets compromised.

Consider that in November 2020, data of roughly 58,000 job applicants might have been exposed during a breach at video game developer Capcom. The year before, another data security incident exposed information on roughly 20,000 Los Angeles Police Department applicants.

Applicant information typically includes sensitive personally identifiable information, or PII, especially when the data is collected to perform financial, criminal and security-related background checks on individuals. This places the onus of responsible data stewardship on employing organizations, when in reality they’d probably prefer to move that burden elsewhere.

Raj Ananthanpillai, CEO of Endera, believes he has created a solution to this problem with Trua, a “digital trust exchange” network that allows job applicants to input their own data into a form, then uses algorithms and searchable public records to automatically verify the information they provide.

The solution formulates an unbiased trust score for the applicant from zero to 360. If applicants lie about their education history or misrepresent their name or address information, for example, Trua will flag the response as false and downgrade the person’s score accordingly – but without unnecessarily sharing the employee’s personal information, which remains encrypted and stored on a blockchain. Employers only see the final score along with which scoring categories were deemed problematic, without more specific details.

If a scoring category such as criminal history is flagged, applicants are notified and can dispute the finding, and companies can reconcile the issue offline with the prospective employee.

From beginning to end, sensitive data remains out of the hands of the employer organization, thus eliminating the chance that a breach would expose applicants’ PII. After all, it’s bad enough to be fined for regulatory violations for exposing your own employees, let alone people you didn’t find suitable to hire.

Similarly, banking and finance institutions can apply the service as part of their process to approve loan applicants.

Previously CEO of cloud and DevOps IT services company InfoZen and chief strategy officer of IT hardware, software and services company ePlus, Ananthanpillai is heavily targeting the gig economy, helping employers responsibly investigate candidates who apply for temporary, freelance or contractual jobs.

SC Media spoke to Ananthanpillai about why the gig economy needs a more secure applicant vetting and hiring process, especially as we reach a major turning point in the fight against COVID-19.

What was your inspiration behind this idea?

Ananthanpillai: This is my fourth company. If you want to call me a serial entrepreneur, I’ll take that accusation. But I build value and figure out how to solve certain unique problems.

A few years ago, Equifax had a very large breach. And there was a lot of Congressional testimony and what not. I forget who, but somebody asked [Equifax], “Hey, why do you guys need a social security number every time you do something?” And it dawned on me.

Today, if you are [applying for a loan or a job], people do a credit check on you, and they do a background check on you… They collect a bunch of personal information from you, like name, address, date of birth and social security number, or even your driver's license. And then what? They pass that on to a third party, to a background check service or to a credit bureau, and say, “Hey, give me everything about this person.”

And then the “communication” is between the second party and the third party… But [the applicant is] left out. And then, all of that… resides in the second party's database or filing cabinets in the HR department. So, that is the biggest issue that people are facing today, holding on to PII and becoming vulnerable to massive breaches.

In addition… you’ve got probably 3,000 pages of regulation of what the second party (the employer) and the third party (the credit bureau or background checking service) can and cannot do [with the data]... It's a regulatory mess, and a huge liability risk for the employer or the institution that requested your information. 

So we built this platform, the Trua platform, where we said, “You as a user… you have to come to this, opt in and assemble your own report… and then the score is transmitted, but with none of the underlying information.”

What do companies need to know about job applicants, and what don’t they need to know that sometimes gets unnecessarily collected?

You want to make sure there's no criminal records, there's no civil issues. Any sanctions, watch lists and so on… I don't need to know the underlying report and the data that comes with the background check report… Let’s say this person is divorced, and he's got three kids, he bought a car in 2018, and he's got a mortgage payment or a lease. All of those kinds of things are absolutely not essential for most of these jobs. Especially in the gig economy.

Why is this the right time for this product?

There are 60 million people now working in the gig economy… and that is increasing by the day. That's a big number of the population being freelance or gig, and they go from job to job, so there's a lot of turnover… And every time they go to a different employer or work for hire, they have to give all their information again. It just proliferates.

It takes anywhere from 20 to 30 days before you get your background check done... And now in the post-pandemic world, the hires are going to pick up and people are going to be in a rush to hire, and the best way to make sure that they're bringing in the right people without any issues is to say, “I need a person with a high-school diploma and five years of some experience… Go get your Trua score. Come on in, and then we'll interview you and quickly offer the job on the spot.”

If you are a business, all I need to do is know: 'Are you qualified to work for us.' So the employer is relieved of holding any PII. All they may need is the social security number for your payroll.

Take me through the verification process.

The individual goes to truascore.com and… it takes about 15 to 20 minutes... First, we verify your identity by scanning your driver's license. We have high-fidelity, facial recognition technology embedded into that. And then we verify your social security number and… your address. [You don't have to ever give your date of birth or full SSN.] We also verify your address history – at least 10 years’ worth of address history, sometimes more than that. And any aliases that you have used.

The verification process is all about getting the right data… and we have at least two sources of data to make sure it is corroborated… A user could have potentially up to 8.2 million different types of scores based on one variable change.

We go get all the court records for this individual. We have built this algorithm right in the backend, where basically we have codified literally the entire criminal justice system. So it takes into consideration recency and time, and the severity of the criminal record, or civil issue. 

Before you get to the court records, we also ask you for credentials, if you have any education. If you don't have education, that's fine, they're not going to penalize that. [But] if you lie about it – let's say somebody says, “I went to Harvard, I got a bachelor's degree,” but it was some other school – you will be penalized. And then if you have any professional licenses… you can verify that as well.

But the employer never collects any of the data involved, right? So it’s all about eliminating the risk of a data breach resulting from this data collection.

You hit the nail on the head. That is the biggest issue that employers are facing, because they're not doing it themselves, they're doing it through a third party, and you don't know if that third party is going to lose it… Plus there is a lot of personal information that gets scooped up, that is not relevant to the job.

We are trying to make a society change where we are putting the individual in charge of their own PII and data.

All of the underlying PI is not visible to anybody, except the individual. Even we cannot see it, unless they give us permission. Because it is encrypted… and then it's always authenticated with multi-factor authentication.

Once you get the score, all of the underlying data is going to be encrypted, and locked down. 

[Let’s say] I'm working for Uber, and Uber asked me for my score. So I will affiliate my score to Uber, because I'm gonna be working with Uber for a while. Uber has access to just the score – nothing more than the score, so they have no idea about anything underlying. 

When we briefly had a meeting with some of the regulatory agencies, it was music to their ears: “Wow, you’re putting the consumer, the individual as the focus. That way they get to control [the data] and then they get to share it with absolute consent."

The Right to Be Forgotten, GDPR, the California [Privacy] law – those are all catalysts for us.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
