In less than three years, James R. Gorman went from being a newbie investment manager to the lord of $100 million in client accounts for The Vanguard Group, one of the nation's largest and most respected mutual fund companies. When Gorman's Pennsylvania insurance license came up for renewal, though, the company doing a routine background check found a problem. James R. Gorman had pleaded guilty to loan and credit card fraud. He was a convicted felon.So Vanguard did what any financial services company would do: It fired him.According to Gorman's version of events, a representative from human resources called him into a meeting one day and told him what Vanguard had learned. He insisted that he had never been arrested, much less convicted of any crime. But Vanguard forced him to leave the building immediately, without returning to his office to gather his belongings.There was just one problem: They got the wrong guy.The James R. Gorman who worked for Vanguard had a different Social Security number, date of birth and address than the James R. Gorman whose conviction record had been unearthed by Business Information Group (which did the investigation on behalf of the Aegon Financial Services Group, the company handling the licensing process).It was up to Gorman, the victim, to set the record straight. Eleven days passed before he was able to return to work. But a year later, he still felt that his career had stalled because of the accusation.So Gorman did what many Americans would do: He sued.In a lawsuit filed in the Court of Common Pleas in Philadelphia (from which the preceding story was drawn), Gorman accused the three companies of libel and slander, charging that they had failed to exercise due diligence by not checking identifying details on the background report. The companies denied his charges, but a year later, settled with Gorman out of court for an undisclosed sum. (Stefan Keller, president of Business Information Group, says the company's error rate is extremely low and that mistakes sometimes stem from errors in source materials, such as court documents. Vanguard and Aegon declined to comment.)Companies that don't adequately screen employees leave themselves open to huge risks, and the results can range from embarrassing to tragic. In spring, James J. Minder resigned from his chairman position at Smith & Wesson when the gun manufacturer learned that he had spent time in prison for armed robbery. And in New Jersey, a 43-year-old former nurse named Charles Cullen confessed to killing more than 30 patients by lethal injection at medical facilities across the country. There's intense pressure on companies to defend themselves against these kinds of mistakesand subsequent lawsuits for negligent hiringby doing background checks.But companies' reliance on credit histories, criminal backgrounds and other records to make hiring decisions has led to a smaller but more common set of risks. Identities get mixed up. Records are incomplete. Outdated information comes back to haunt job seekers. Mistakes, once made, are hard to correct; and employees may feel that their privacy has been invaded, or their civil liberties violated. The situation is made worse by a growing number of vendors relying on databases that supposedly cull information from courthouses across the nation, but that may fail to adhere to legal and professional standards. The faulty information that these checks can produce could also means that convicted felons' records come back clean.The consequence, some say, is that more and more civil lawsuits (no one knows how many) are being quietly settled out of court over background checks gone bad. "It's not atypical," says Gorman's attorney, Harold I. Goodman of the law firm Raynes, McCarty, Binder, Ross & Mundy in Philadelphia. Background Checks: Powerful, but Flawed?When it comes to protecting their companies from employees who pose serious security risks, perhaps no tool in the CSO's arsenal is as powerful as the background check. CSOs, who by the very nature of their jobs are accustomed to having their own backgrounds come under intense scrutiny, may not think twice about investigating someone else's. But with this power comes a considerable burden; CSOs need to ensure that such screening is done legally, fairly and accurately, or risk disqualifying or endangering good employees.Even in the best of circumstances, though, it would be foolish to believe that background checks alone will protect organizations against employees with bad intentions. People are "the most critical aspect of any security program," says James Mecsics, vice president of corporate security at credit bureau Equifax (which does credit checks, criminal investigations and drug testing on people it plans to hire). But, he warns, "If you hang your hat on background investigations alone, you have a false sense of security. That's terrible to say, but it's the truth."Boom TownA reference check just isn't what it used to be. Many lawsuit-shy companies have gone mum about former employees. "If I'm calling company ABC for a reference check about Joe Smith, they'll say he worked here from X date to Y date; but a lot of companies are adopting a policy not to get into information beyond basic details," says Jen Jorgensen, a Society for Human Resource Management spokeswoman. Yet what good is it to know that Joe Smith left the company on July 26 if you don't also know that he was caught stealing?To cope with the information underload, companies are increasingly asking for job candidates' permission to turn to other sources. In a recent survey done by Jorgensen's group, 80 percent of HR professionals reported that their companies did at least some criminal background checks on prospective employees in 2003, up from 51 percent in 1996. And 35 percent looked at candidates' credit records, compared with 19 percent seven years earlier.The proliferation of different kinds of databases has helped to power these searches. Some of the large background screening companiessuch as ChoicePoint and First Advantagehave been compiling vast databases of public records that were previously available only to researchers who went to a bevy of local courthouses and did a labor-intensive "hand search" on a particular person. Smaller companies such as National Background Data have similar databases that they sell wholesale to small background check companies. All these databases promise quick and inexpensive access to criminal records, sexual offender registries, motor vehicles bureaus and other repositories from across the country, but their results are incomplete and often out-of-date.The major credit bureaus also have amassed detailed records on nearly everyone in the country. An "above the line" report from a company like Equifax culls identifying information such as past addresses, which can help background screeners target their "hand searches" or pinpoint discrepancies on a job candidate's r\u00e9sum\u00e9. A full report includes everything from outstanding balances on credit cards to bankruptcy filings, which some companies believe helps them to identify employees who are unreliable or susceptible to bribery. Consumer advocates, however, fear that this type of data is used unfairly when the job opening has no financial responsibilities.Meanwhile, the fallout from Sept. 11 has ratcheted up the pressure on employers to do research through official channels. "Great gobs of the workforce that were never before subjected to background checks now are because of what employers have access to," says Alan Westin, cofounder of influential think tank Privacy and American Business. The Patriot Act, for instance, requires states to conduct criminal investigations on all 3.5 million drivers who transport hazardous materials in the United Statesan onerous enough task that the Transportation Security Administration recently pushed a key program deadline back, again, this time to Jan. 31, 2005. The Sarbanes-Oxley Act also intensified the need for companies to trust their employees.As a result, the demand for qualified screeners has become so acute that, in May, an official from the federal Office of Personnel Management, testifying before a U.S. House of Representatives committee, used the word stretched to describe the nation's resources for conducting background checks. "Demand for background checks exceeds capacity of the private-sector companies that provide these services," Associate Director Stephen Benowitz said, explaining a backlog of 340,000 background checks across the government.Industry has responded. Where once there were dozens of companies offering background checks, there are now hundreds of vendors in this $2 billion industry. The top five playersU.S. Investigations, First Advantage, ChoicePoint, Kroll and ADPaccount for about $900 million in annual revenue, according to KPMG, and are rapidly growing.For CSOs and HR managers evaluating the services in this expanding marketplace, it's buyer beware. "If it sounds too good to be true, it probably is," says Kevin Lampeter, senior vice president and director of corporate security at State Street. Lampeter chooses to keep his screening operations largely in-house.The Learning Annex in New York City offers a class titled: "How to Start Your Own Background Check Business." It promises students: "Make six figures working from your home!" The class lasts less than three hours. It's no wonder, then, that good practices for conducting and using background checks are failing to keep up with common practices.A Legal QuagmireStrangely enough, the main federal regulation that governs how employers use background reports is not employment law but the Fair Credit Reporting Act (FCRA). That's because, any time a company turns to a third party to obtain background information about an individual, that record is then considered a consumer report.The gist of the FCRA, which is enforced by the Federal Trade Commission (FTC), is simple enough: Companies need to have written permission to access an individual's consumer report. They need to warn that person if they are taking an "adverse action" based on this information. And they need to give him or her a chance to see the report and correct any mistakes. (Because of concerns about these reports falling into the wrong hands, the FTC is considering an amendment to the FCRA that would create strict guidelines for the disposal of these reports.) In reality, of course, the situation is much more complex, primarily because of differences in how the states allow companies to use the information obtained.Some states, for instance, don't allow employers to look at misdemeanors. Others don't allow them to consider arrests without convictions. Sometimes juvenile records are sealed; other times they aren't. Typically, a hiring manager can look back seven years, but sometimes it's only five; unless, of course, it's deemed necessary to look back even further."It's tricky for the screening agencies because they operate in many states, so they need to know what information they can provide," says Oscar Marquis, an attorney with Oldaker, Biden & Belair in Washington, D.C., who is considered a leading expert on the matter. "They may have different information depending on the state. If a potential employee applies for a job in Arizona, the arrest record may show up; if they move to California, it may not."As a rule of thumb, the employer should follow either the strictest rule, or the one that governs the state where the job candidate lives. But there's no consensus about whose job it is to purge reports that can't be used. Another area of confusion is what exactly constitutes a "third party" that is subject to the FCRA. Employers are free to call a job candidate's university to confirm her degree or to check employment history with past employers. As long as they do it themselves, they are also free to look up criminal records at a courthouse; that's public information. But what happens, for instance, when security departments gather information themselves by searching an online database? Marquis explains: "If the website merely diverts the employer to the public record site, it isn't a consumer reporting agency; if it 'assembles' the information, it is." All of this is tricky enough, however, that he recommends employers follow the FCRA regardless; if for no other reason, it's good business practice.The process gets even murkier when companies are hiring employees from other countries, where records may not be public or cannot legally be used by employers. Japan, for instance, doesn't really allow background checks as we know them in the United States, and the European Union has restrictive policies on the kinds of data that employers can collect. Security departments have to team with local legal experts to create screening programs on a country-by-country basis."You work around it and obtain as much information as you can," says Lampeter of Boston-based State Street, which has employees in 24 countries. Because State Street is a financial services company, it has a legal obligation to make sure that it doesn't hire anyone with a history of crimes such as theft or money laundering. Lampeter relies on a global, cross-functional team of legal counsel, human resources and security to navigate the legal waters."What we have tried to do on a country-specific basis is evaluate and understand the local laws and labor practices," Lampeter says. "We're not, in many cases, able to implement 100 percent of the U.S.-based screening program in other countries, but we can implement an equivalent program within the balance of local laws and regulations."Mistakes Get MadeWhen researchers at the University of Maryland studied recidivism rates in a county in Virginia, they were unable to gain access to records housed by the state police; so, they decided to turn to the experts. To save valuable staff time, they enlisted a background check company to conduct a search on the 120 parolees and probationers that were part of the study, to see whether any additional arrests would appear on their records. Sixty-four of the 120 convicted criminals in the study came back with spotless criminal histories. "The company we hired did what was considered the gold standard approach; they went to the courthouse and checked records," says Shawn Bushway, an assistant professor at the university and a criminologist. He won't reveal the name of the company that did the checks, but he does say, "This was not one of those national $9.95 searches," which are widely acknowledged to be suspect.Inadvertently, Bushway and his colleagues had revealed in a dramatic way something that everyone in the industry knows but hates to acknowledge: Even the best companies' reports contain errors. Criminals look innocent, or the innocent look criminal."Doing a background check is still a very manual process, because the government agencies that create the records are largely paper-based systems," says James Lee, chief marketing officer of ChoicePoint. "I'm not going to deny that there are errors, because in any system that involves human beings or technology, there are going to be errors."Lee downplays the number of errors at ChoicePoint, saying that of the 6 million-plus background checks it conducts annually, less than one-tenth of 1 percent of them require an amendment. He also acknowledges that the company is doing good business in a joint endeavor with HotJobs.com, which allows job seekers to run a background check on themselves to look for mistakes.So how do errors happen? Social Security numbers get transposed during data entry. Names, addresses or dates of birth get mistyped. Identities get confused: a problem that has worsened because some jurisdictionsincluding federal courthouseshave removed identifiers such as Social Security numbers from their records for privacy reasons. There are rising concerns about identity theft, particularly the growing practice of a criminal using someone else's name when being arrested or convicted of a crime. It's also hard to get a thorough report. There are thousands of counties in the United States, all with their own records departments. Misdemeanors and felonies might appear in separate repositories. An overturned conviction that should have been erased from the record, might still appear on files at a corrections department."The overall reliability of the criminal background check, the way it's done today, is suspect," says Don Osterberg, vice president of capacity development and safety at Schneider National, where he oversees a program that performs criminal investigations, motor vehicle history checks and drug testing on all new drivers and owner operators. "It's better than nothing, but the probability of not finding a criminal conviction is pretty high."Companies, in hopes of getting a more complete criminal record, are increasingly pushing for access to FBI criminal background checks (which now can be requested only for employees in certain regulated industries). But even those files are incomplete. In the University of Maryland study, a national search of FBI files found records for only 87 of the 120 study subjects. Only part of that was due to the fact that FBI files generally do not contain misdemeanors, and that some police departments don't report to the FBI. "The FBI data has holes too, because it's coming from the state repositories," Bushway says.In some ways, demand for access to national records has made the situation worse. Many private companies are amassing records from city, county and state jurisdictions, and advertising them as national searches. Because of the wildly disparate information that's available in the first place, the fine print reveals their limitations. For example, the "National Criminal Index" sold by companies like Peoplefind.com has records on sexual offenders in just 32 states, and its Department of Corrections data covers 34 states: sometimes felony convictions, other times incarcerations, occasionally misdemeanors.Because of all these vagariesand for legal reasons tooit's crucial that a company make every effort to confirm the accuracy of the information on a report before using it to make a hiring decision. That should be done by confirming the data with the original sourcesince databases may be out-of-date or inaccurate. But again, it's not clear whose responsibility it should be: the employer's or the screening firm's. Companies that don't take this extra step themselves need to make sure that it's written into vendor agreements.The final check, of course, ought to come from the individual himself, who should know better than anyone else whether he has committed a crime. That's why the FCRA requires companies to warn individuals before acting on the information from a background check, to let them see a copy of the report and give them time to correct any errors.Ultimately, the responsibility for correcting the record is in the hands of the individual. "It's up to them to go back to whatever court to resolve that," Equifax's Mecsics says. "We can't do that as a company." What the company can do, however, is put a process in place to help individuals correct errors, and then not hold mistakes against them.It's Not All Fair GameBut consumer advocates are afraid that that's not happening. In May, for example, Sterling Testing Systems, a background screening company in New York City, was served a $375,000 lawsuit from a Kentucky man named Edward Poore Jr. He claimed that Colgate-Palmolive had hired another candidate in the time it took him to correct an error on his background check.Tena Friery, research director of the Privacy Rights Clearinghouse in San Diego, says she gets calls all the time from people who claim to have been denied employment because of errors in their background checks. And it's become clear to her that employers are not always following the rules. "The employer sometimes says pretty outrageous things, like that the individual isn't allowed to get a copy of the report," she says. It doesn't always help if the individual fixes the mistake, either. "Employers may get spooked and say, we'll hire this other candidate," she says.More broadly, some observers voice their concerns that individuals who have paid their debt to society are being marginalized by excessive reliance on background checks. "Just because someone has a criminal history record doesn't mean they're dangerous," says Bushway, the criminologist. "How long has it been? What did they do? Employers need to know how to read these things." Employers can best address these concerns by making sure that the information they're checking truly has a bearing on the job at hand. "What information about one's life is truly relevant to one's job?" Privacy and American Business's Westin asks. "The public can say, Yes, we think this is a legitimate thing for the employer to ask, but we don't think that is." In a recent survey by his organization, for instance, 92 percent of respondents said it was acceptable for employers to check whether a job applicant's r\u00e9sum\u00e9 contains false information. But only 24 percent thought it was acceptable to check if an applicant had ever filed for bankruptcy.The way Gus Bremer, senior manager for corporate security at Ryder, sees it, there are three keys to making sure a background check program is fair: a good job description, specific standards about what constitutes a "pass" and an exception system. "If you don't have a well-defined job and a process, if you deny me employment, I might have a leg to stand on going to the [Equal Employment Opportunities Commission] and saying, Look, they actually hired others with similar records to do similar jobs, so they're being unfair to me," Bremer says. "You need pretty good standards to apply to every situation."Sometimes, though, there will be exceptionsas when, perhaps, someone has an old conviction for marijuana possession but has been a law-abiding citizen ever since. Every month, about 10 or 15 background checks land on Bremer's desk for possible exceptions. "There are people who have done some silly things that they have great regret for later, and [this process is] to make sure that you do have the right employee," he says. "You want the well-qualified person who does not have a recurring problem with honesty or drugs.""It's a tough issue," says Osterberg of Schneider National. "Where do we cross the line between your individual right to privacy and your employer's right to know specific things that could be detrimental to your performance or public safety? We've got to find a working balance, where we're not being intrusive, but we're able to learn those things that might be indicative of problematic behavior."It's no easy task; but it's worth the struggle. Because done well, the background check stands to become much more than another weapon in the CSO's arsenal. It can be a tool for doing the right thing.