Good (and Bad) Background Checks

More organizations use background checks to investigate criminal histories and to make hiring and firing decisions. It's up to CSOs to make sure this powerful but flawed weapon doesn't backfire.

In less than three years, James R. Gorman went from being a newbie investment manager to the lord of $100 million in client accounts for The Vanguard Group, one of the nation's largest and most respected mutual fund companies. When Gorman's Pennsylvania insurance license came up for renewal, though, the company doing a routine background check found a problem. James R. Gorman had pleaded guilty to loan and credit card fraud. He was a convicted felon.

So Vanguard did what any financial services company would do: It fired him.

According to Gorman's version of events, a representative from human resources called him into a meeting one day and told him what Vanguard had learned. He insisted that he had never been arrested, much less convicted of any crime. But Vanguard forced him to leave the building immediately, without returning to his office to gather his belongings.

There was just one problem: They got the wrong guy.

The James R. Gorman who worked for Vanguard had a different Social Security number, date of birth and address than the James R. Gorman whose conviction record had been unearthed by Business Information Group (which did the investigation on behalf of the Aegon Financial Services Group, the company handling the licensing process).

It was up to Gorman, the victim, to set the record straight. Eleven days passed before he was able to return to work. But a year later, he still felt that his career had stalled because of the accusation.

So Gorman did what many Americans would do: He sued.

In a lawsuit filed in the Court of Common Pleas in Philadelphia (from which the preceding story was drawn), Gorman accused the three companies of libel and slander, charging that they had failed to exercise due diligence by not checking identifying details on the background report. The companies denied his charges, but a year later, settled with Gorman out of court for an undisclosed sum. (Stefan Keller, president of Business Information Group, says the company's error rate is extremely low and that mistakes sometimes stem from errors in source materials, such as court documents. Vanguard and Aegon declined to comment.)

Companies that don't adequately screen employees leave themselves open to huge risks, and the results can range from embarrassing to tragic. In spring, James J. Minder resigned from his chairman position at Smith & Wesson when the gun manufacturer learned that he had spent time in prison for armed robbery. And in New Jersey, a 43-year-old former nurse named Charles Cullen confessed to killing more than 30 patients by lethal injection at medical facilities across the country. There's intense pressure on companies to defend themselves against these kinds of mistakesand subsequent lawsuits for negligent hiringby doing background checks.

But companies' reliance on credit histories, criminal backgrounds and other records to make hiring decisions has led to a smaller but more common set of risks. Identities get mixed up. Records are incomplete. Outdated information comes back to haunt job seekers. Mistakes, once made, are hard to correct; and employees may feel that their privacy has been invaded, or their civil liberties violated. The situation is made worse by a growing number of vendors relying on databases that supposedly cull information from courthouses across the nation, but that may fail to adhere to legal and professional standards. The faulty information that these checks can produce could also means that convicted felons' records come back clean.

The consequence, some say, is that more and more civil lawsuits (no one knows how many) are being quietly settled out of court over background checks gone bad. "It's not atypical," says Gorman's attorney, Harold I. Goodman of the law firm Raynes, McCarty, Binder, Ross & Mundy in Philadelphia.

Background Checks: Powerful, but Flawed?

When it comes to protecting their companies from employees who pose serious security risks, perhaps no tool in the CSO's arsenal is as powerful as the background check. CSOs, who by the very nature of their jobs are accustomed to having their own backgrounds come under intense scrutiny, may not think twice about investigating someone else's. But with this power comes a considerable burden; CSOs need to ensure that such screening is done legally, fairly and accurately, or risk disqualifying or endangering good employees.

Even in the best of circumstances, though, it would be foolish to believe that background checks alone will protect organizations against employees with bad intentions. People are "the most critical aspect of any security program," says James Mecsics, vice president of corporate security at credit bureau Equifax (which does credit checks, criminal investigations and drug testing on people it plans to hire). But, he warns, "If you hang your hat on background investigations alone, you have a false sense of security. That's terrible to say, but it's the truth."Boom TownA reference check just isn't what it used to be. Many lawsuit-shy companies have gone mum about former employees. "If I'm calling company ABC for a reference check about Joe Smith, they'll say he worked here from X date to Y date; but a lot of companies are adopting a policy not to get into information beyond basic details," says Jen Jorgensen, a Society for Human Resource Management spokeswoman. Yet what good is it to know that Joe Smith left the company on July 26 if you don't also know that he was caught stealing?

To cope with the information underload, companies are increasingly asking for job candidates' permission to turn to other sources. In a recent survey done by Jorgensen's group, 80 percent of HR professionals reported that their companies did at least some criminal background checks on prospective employees in 2003, up from 51 percent in 1996. And 35 percent looked at candidates' credit records, compared with 19 percent seven years earlier.

The proliferation of different kinds of databases has helped to power these searches. Some of the large background screening companiessuch as ChoicePoint and First Advantagehave been compiling vast databases of public records that were previously available only to researchers who went to a bevy of local courthouses and did a labor-intensive "hand search" on a particular person. Smaller companies such as National Background Data have similar databases that they sell wholesale to small background check companies. All these databases promise quick and inexpensive access to criminal records, sexual offender registries, motor vehicles bureaus and other repositories from across the country, but their results are incomplete and often out-of-date.

The major credit bureaus also have amassed detailed records on nearly everyone in the country. An "above the line" report from a company like Equifax culls identifying information such as past addresses, which can help background screeners target their "hand searches" or pinpoint discrepancies on a job candidate's résumé. A full report includes everything from outstanding balances on credit cards to bankruptcy filings, which some companies believe helps them to identify employees who are unreliable or susceptible to bribery. Consumer advocates, however, fear that this type of data is used unfairly when the job opening has no financial responsibilities.

Meanwhile, the fallout from Sept. 11 has ratcheted up the pressure on employers to do research through official channels. "Great gobs of the workforce that were never before subjected to background checks now are because of what employers have access to," says Alan Westin, cofounder of influential think tank Privacy and American Business. The Patriot Act, for instance, requires states to conduct criminal investigations on all 3.5 million drivers who transport hazardous materials in the United Statesan onerous enough task that the Transportation Security Administration recently pushed a key program deadline back, again, this time to Jan. 31, 2005. The Sarbanes-Oxley Act also intensified the need for companies to trust their employees.

As a result, the demand for qualified screeners has become so acute that, in May, an official from the federal Office of Personnel Management, testifying before a U.S. House of Representatives committee, used the word stretched to describe the nation's resources for conducting background checks. "Demand for background checks exceeds capacity of the private-sector companies that provide these services," Associate Director Stephen Benowitz said, explaining a backlog of 340,000 background checks across the government.

Industry has responded. Where once there were dozens of companies offering background checks, there are now hundreds of vendors in this $2 billion industry. The top five playersU.S. Investigations, First Advantage, ChoicePoint, Kroll and ADPaccount for about $900 million in annual revenue, according to KPMG, and are rapidly growing.

For CSOs and HR managers evaluating the services in this expanding marketplace, it's buyer beware. "If it sounds too good to be true, it probably is," says Kevin Lampeter, senior vice president and director of corporate security at State Street. Lampeter chooses to keep his screening operations largely in-house.

The Learning Annex in New York City offers a class titled: "How to Start Your Own Background Check Business." It promises students: "Make six figures working from your home!" The class lasts less than three hours. It's no wonder, then, that good practices for conducting and using background checks are failing to keep up with common practices.A Legal QuagmireStrangely enough, the main federal regulation that governs how employers use background reports is not employment law but the Fair Credit Reporting Act (FCRA). That's because, any time a company turns to a third party to obtain background information about an individual, that record is then considered a consumer report.

The gist of the FCRA, which is enforced by the Federal Trade Commission (FTC), is simple enough: Companies need to have written permission to access an individual's consumer report. They need to warn that person if they are taking an "adverse action" based on this information. And they need to give him or her a chance to see the report and correct any mistakes. (Because of concerns about these reports falling into the wrong hands, the FTC is considering an amendment to the FCRA that would create strict guidelines for the disposal of these reports.) In reality, of course, the situation is much more complex, primarily because of differences in how the states allow companies to use the information obtained.

Some states, for instance, don't allow employers to look at misdemeanors. Others don't allow them to consider arrests without convictions. Sometimes juvenile records are sealed; other times they aren't. Typically, a hiring manager can look back seven years, but sometimes it's only five; unless, of course, it's deemed necessary to look back even further.

"It's tricky for the screening agencies because they operate in many states, so they need to know what information they can provide," says Oscar Marquis, an attorney with Oldaker, Biden & Belair in Washington, D.C., who is considered a leading expert on the matter. "They may have different information depending on the state. If a potential employee applies for a job in Arizona, the arrest record may show up; if they move to California, it may not."

As a rule of thumb, the employer should follow either the strictest rule, or the one that governs the state where the job candidate lives. But there's no consensus about whose job it is to purge reports that can't be used.

Another area of confusion is what exactly constitutes a "third party" that is subject to the FCRA. Employers are free to call a job candidate's university to confirm her degree or to check employment history with past employers. As long as they do it themselves, they are also free to look up criminal records at a courthouse; that's public information. But what happens, for instance, when security departments gather information themselves by searching an online database? Marquis explains: "If the website merely diverts the employer to the public record site, it isn't a consumer reporting agency; if it 'assembles' the information, it is." All of this is tricky enough, however, that he recommends employers follow the FCRA regardless; if for no other reason, it's good business practice.

The process gets even murkier when companies are hiring employees from other countries, where records may not be public or cannot legally be used by employers. Japan, for instance, doesn't really allow background checks as we know them in the United States, and the European Union has restrictive policies on the kinds of data that employers can collect. Security departments have to team with local legal experts to create screening programs on a country-by-country basis.

"You work around it and obtain as much information as you can," says Lampeter of Boston-based State Street, which has employees in 24 countries. Because State Street is a financial services company, it has a legal obligation to make sure that it doesn't hire anyone with a history of crimes such as theft or money laundering. Lampeter relies on a global, cross-functional team of legal counsel, human resources and security to navigate the legal waters.

1 2 Page 1
Page 1 of 2
7 hot cybersecurity trends (and 2 going cold)