Blogging background checking and security issues


DSW Joins the Club

In response to the ongoing series of publicized data theft occurrences that was kicked off by ChoicePoint and whose most recent entrant was Designer Shoe Warehouse, companies in the background screening industry are either touting their good reporting and security practices or else quickly beefing them up. The article above also points out that Equifax, one of the big three credit reporting companies, has created an online resource that offers consumers advice on how to deal with issues related to identity theft issues. There are already all kinds of resources like this available on the internet (just Google “identity theft”), but this is the first big step by a major player in the industry to capitalize on the crisis.

The whole thing reminds me of that scene in Braveheart where the Scottish nobles are all sitting around a table after betraying the Scottish army, and they’re wondering which one of them will be next. As more of these successful hacks are broadcast to the country and world, more hacker s and thefts are no doubt being drawn to try out their skills. Who will be next? Does the security exist to keep out all of the intrusion attempts? I’m not an expert on that subject so I don’t know. What I think we can expect is increased spending on network security by background screening companies, and what follows logically is increased prices for background screening services. Employers and companies that use background screening services then having to pay more for the same services may consider using lower cost screening companies – like the ones that promote quick and easy (and highly fallible) database searches as adequate background checks.

For now I think we can expect to see more occasions of consumer data theft and increased effort on the parts of the various background screening companies, legislators and various software companies to combat it and find a solution.


Cooking Up Some Changes

Ah, the fun of playing with CSS. It wouldn't be so bad if I had written it all myself, but Blogger (which I'm still using to post blogs, even though ScreenDiscussion has moved. I hope to change that soon, but this is enough for now. I still don't have things set to be equally viewable in both IE and Firefox (not to mention others), but the basic form you see now is close to what it's supposed to be. If it looks hideous on your browser please drop me a line.

Once this is set I'll be able to focus much better on posting relevant to background screening.

Criminal Records No Longer Reportable, But Still Viewable

A few days ago I wrote that easier access to public records means more accountability for criminals. This is true, but there is something there that nags me that I can’t quite get away from.

There is no doubt in my mind that our society should have consequences for the bad decisions that people make. That’s how life works. However, I’m not convinced that the current system and the current set of standards for using criminal history information is the best. 7 years is typically the standard for reporting criminal history information by background screening companies. A few states even have laws that state that criminal history information past 7 years cannot be used to make employment decisions. Other states have laws that, in effect, say that non-convictions cannot even be reported by background screening companies, much less used by employers.

So let’s say that all that is fine and good. People who were never convicted shouldn’t be punished, and people whose crimes were committed over 7 years ago should be given another chance. I’m fine with that. What I question then is why these cases are still available to the public. If they are no longer relevant, why can anyone go to the local courthouse, or even go online, and pull up the record?

It’s great that there is some level of respect for privacy and even some willingness on the part of lawmakers to account for the possibility of a criminal changing at the professional level, but since we’re talking about public records we’re not just talking about professional access. I could go to the courthouse and find out that a neighbor was charged with driving under the influence four years ago, but that his case was then dismissed. If I were a reasonable person, knowing that wouldn’t change a thing between us. I might be a little cautious, but it wouldn’t change much. However, if I were not such a reasonable person, being very discriminatory and thinking very highly of myself, that knowledge might have a severe effect on the way I treat that neighbor. I might start treating that neighbor as less than human.

Employers have laws that govern their use of criminal information. Neighbors don’t. We’re giving criminal information about individuals to people who may not know how to deal with it properly. Granted, crimes are usually crimes against society. However, I still think we should be careful about how they’re used. We don’t need any more reasons to be distrustful of our fellow citizens.


More on Removing Identifiers from Public Records

Jason Morris points out on his blog that more identifiers on case records protects consumers from being accused of crimes they may not have committed. He’s right. It’s absolutely essential to the background screening industry to be able to accurately determine who courts records belong to. I wrote about this before, but I think it’s worth bringing up again.

This is, however, a two-edged sword. Maintaining personal data in the court files helps reduce the risk of accusing innocent people of crimes they didn’t commit, but it also follows that since court records are accessible to the public there is still the risk of identity theft. Anyone is able to go into a courthouse and search the court records, which typically contain names and dates of birth, and occasionally Social Security Numbers of people who have been charged with a crime.

What’s best for the consumer? Should they be protected against false accusation when applying for a job or anything else that requires a credit check, or protection from identity theft via personal information on court records? Maybe court records should no longer be public access. Maybe the Federal government should step in and regulate the access to court records across the country so that only qualified and approved companies and organizations can access them. I don’t know what’s best, but we currently have a lose-lose situation.


Criminal History Demand too Much for States

Maine’s State Bureau of Identification is having a difficult time keeping up with the increased demand for criminal histories. The spokesman for the department said that the number of requests by private companies and law enforcement agencies increased greatly after 9/11 – no big surprise.

They’ve requested additional staff in order to convert paper files to an electronic, searchable database, but this is a situation that is indicative of all of the states that offer criminal histories. Perhaps one of the reasons that states’ criminal departments typically provide poor customer service and slow turnaround time is simple that they’re swamped and, being a government agency, have to wade through a sea of bureaucracy before additional staff and resources can be obtained to fix the problem.

County-level courts, especially those in highly populated counties, also run into the same problems. Many courts are now offering online access to their criminal history information via databases, online or through computer terminals at the courthouse. The quality of the information obtained this way is somewhat questionable, but if that’s all that’s available then whoever is doing the search can’t be expected to do more.

There are certainly states and counties that are still very difficult to work with, but given our nation’s security climate I would expect to be able to conduct criminal history searches much more easily within the next few years. This is good news. It means lower cost for obtaining criminal history information, which means more access for the public and, to some degree, more accountability for criminals.


Private Competition or Government Control - the Best Solution to Identity Theft

Now that LexisNexis has gotten into the same boat as ChoicePoint through the criminal infiltration of its databases containing thousands of individuals’ personal information, lawmakers are getting antsy to do something about it. The issue that comes to the forefront is whether it’s better to get legislation passed right away or if it’s better to wait and let the competitive marketplace slowly work its way through to a solution. Doing something quickly is championed by some in order to protect our economy since so much of our buying and selling is done online – the primary place criminals go to steal personal data.

The opposition isn’t direct, but rather strongly recommends caution. As the article above points out, passing various pieces of legislation quickly by different states could lead to unforeseen problems. Laws that vary by state create extra work (which means higher prices) for industries that operate on a national level.

A standardized and unified approach to identity theft needs to be taken that efficiently addresses the heart of the problem. This will almost certainly include new legislation, and probably legislation that is passed fairly quickly, but it needs to be done with a national marketplace in mind. Knee-jerk legislation will only bring more headaches.

Four States have Credit-Freeze Laws for Consumer Protection

I came across a column by Priscilla Post of Kiplinger's Retirement Report the other day that had some news about newer state laws that I wasn't aware of. Here's an excerpt:
The most promising developments preventing identity theft are coming from state legislatures. Four stateshave passed credit-freeze laws and, according to Consumers Union, nearly a dozen more and considering adopting similar consumer safeguards. With a credit freeze in place, your credit files are locked. Businesses and other creditors can't access your credit report and scores without your permission. When you want to unlock your file, you contact the credit bureau and provide it with your security code.

All residents of California and Louisiana can take advantage of their state's optional credit-freeze laws. In Texas, and Vermont, the right to lock a credit file is limited to consumers who have been victims of identity theft and have reported the theft to polict. (The laws in Louisiana and Vermont take effect in July.)

The 11 other states considering adopting their own credit-freeze laws are Colorado, Connecticut, Hawaii, Illinois, Indiana, Maine, Mrayland, Massachusetts, Oregon, Utah and Washington. And lawmakers in Texas are considering giving all residents the right to use the state's credit-freeze law.

It should be noted that the large credit bureaus already have an option in place for anyone who has been a victim of identity theft to call in and have a disclaimer added to their credit report that requests that anyone considering issuing credit first contact the individual to make sure it's legitimate. It's not a real credit-freeze, but is a similar concept. The only real question I have is how this will impact people's freedoms. In today's paranoid society I can easily see an employer or creditor coming across a credit-freeze or related statement on a credit report and immdiately assuming the worst. I'm not sure how to get around that challenge, but these consumer-protection laws otherwise seem to be a pretty good idea.


State v. Private Enterprise

When it comes to background screening, the private and public sectors often clash. Maybe that’s not true…it’s more like the public sector treats the private sector like pests to be dealt with. Working for a background screening company I find that state agencies, because they aren’t subject to the same competitive pressures that private companies have to live with, are extremely inflexible and can be very difficult to work with.

For example, an employer is typically under a lot of pressure to get the background screening completed on a job applicant because once they’ve decided on who they want, they want to make an offer right away before that candidate is lost. However, if the employer chooses to do a state criminal check in say, Indiana, it could be eight weeks before the state gets around to completing the check. Who in the world came up with that great system?!? I suppose it’s nice that a state level check is even available, which is not the case in Ohio and a few other states, but the slow turnaround time renders the service nearly useless for many purposes. The employer then has to decide if it’s better to break with their internal policy and not do the state check (or hire the person before it’s complete), or hope that their applicant doesn’t find another job within the next two months.

State policies are much more difficult to influence and hold accountable than are policies held by private companies. For a private company the customer holds the leash. For the government, the people hold the leash and since most people are highly ignorant regarding background screening issues, there isn’t a lot of specific pressure applied. This may change in the future – that’s a big part of the reason I write this blog – but for now government agencies don’t tend to communicate well and don’t have a great deal of accountability for providing good service, high quality information or timely information.

Since private companies must work with government agencies to conduct background screening, greater accountability is needed at the state level. The current state of things drives those of us in the private background screening industry crazy.'s First Victory’s proposed law that requires online dating companies to disclose on their websites whether or not a background check was done has passed in its first state – Florida. There are some issues that will have to be worked out, but I think the concept is good. is no doubt seeking a temporary competitive advantage in that industry, but in theory it should make online dating safer. However, as background checking’s scope generally gets larger in our society’s quest for greater security, individuals have to keep in mind that solutions also need to be found that will safeguard our individual freedoms. Some degree of privacy is important too.


The Problem with Databases and Security

When it comes to doing records searches with databases, the problem isn’t with the database itself. I’ve talked about this several times, but I really don’t hate databases. Databases actually work great and do perfectly the job they were created to do. The problem lies with the people responsible for updating and maintaining the database.

A situation recently occurred where several illegal aliens were working in a prison using state-issued ID cards. Their names were checked in the California Law Enforcement Telecommunication System, and since no criminal record was found they were allowed to stay and work. One of the individuals had been ordered to be deported, but the system didn’t contain that.

This is a typical example of why reliance on databases typically results in security problems. Whether the database is managed by a state agency or by a private company, the quality of the database depends on how often it is updated and the dependability of the processes in place that guarantee that quality information is being loaded into the database.

In the situation above, there clearly needs to be improved standards and processes. Related to employment and background screening, the employer and even the screening companies involved need to be proactive about finding out about the quality of the information in the databases they access. Some questions to ask:

- How often is the database updated?
- Is the source of information for the database reliable and generally free from defect?
- What process ensures that the information is accurately entered into the database?

The employer doesn’t want to hire someone convicted of aggravated assault a month earlier whose record won’t be available for another 6 months, and the background screening company doesn’t want to be sued because they provided inferior information to the employer.


Applicant Authorization Forms – What to Include

Almost every employer has an application form in some format or another that contains spaces for the applicant’s basic information. This usually includes name, contact information, work history, references, etc. Where applications differ is the terminology used in the section where the applicant signs her name and authorizes the release of her past information. In order to be able to retrieve all the necessary, the following types of information should be included in the text under which the applicant will sign:

• Employment
• Education
• License and certification
• Driving record
• Criminal history
• Credit history

Any other areas can be added as needed, but these are the most common ones. The text should also be reviewed by a lawyer to make sure it’s worded properly and contains any other necessary information.

Once the current, potential employer has this information it is their responsibility to ensure that the information is properly used and secured.

One additional note: Online applications are often used these days and digital signatures have growing popularity, but employers need to be aware that not all agencies, institutions and employers will release information if the authorization form has a typed, “JANE SMITH” in the signature line. They usually want to see a real signature, and in my opinion rightfully so. Can you imagine how easy it is to fake this and get access to the information in someone’s past? Just type up a form and type in the person’s name at the bottom – it’s as easy as that. Unfortunately there are agencies, institutions and employers that do accept electronic signatures and will release personal information. Regulation is needed.


Stay Home

Tim Blackmore has a great, tongue-in-cheek post about privacy and how all of us happy-go-lucky technology users will one day be very wary about who or what is seeing and using our personal information. It's a great read and I highly recommend it.

Summarizing Privacy v. Security

I want to see if I can very generally summarize everything I’ve been reading on various blogs about the privacy/security balancing act. If you read this and have another perspective or thoughts that will make this clearer, please feel free to speak up. I think it’s important to note that the perspectives that exist do not have to be mutually exclusive. It’s possible to integrate them.

Everyone agrees that regardless of the enforcement method, security is needed. No one is advocating a free-for-all society where the strong rule the weak and laws aren’t enforced. What the debate comes down to is how to increase security in our society and still maintain privacy for individuals, and there are a few different thoughts.

One of the more common perspectives is that companies should not ask for or retain personal data that is not essential to their business practices. This is just extra data that either costs money to secure or is forgotten and left unsecured. A number of companies have had this kind of data compromised. The rule for consumers should be, “If it’s not needed, don’t give it.” This thought protects the consumer’s personal information and aims to preserve anonymity.

Another thought is presented by Dennis Bailey at Open Society Paradox. He argues that a higher degree of openness in society results in a higher level of accountability for the members of society. If everyone can see what you do, the cost of doing something wrong is much higher. He also points out that anonymity is the terrorist’s friend and that zero anonymity does not necessarily mean zero privacy. It’s a stimulating idea, and I’m interested in learning more about it. As it is, however, I fear a big brother effect since there has to be someone monitoring the system and enforcing laws.

There is, of course, a common belief that all personal data held by companies should be safeguarded by the latest security technology. A hacker shouldn’t have an easy time accessing a company’s database and there should be security standards that companies have to adopt. Also along these lines, businesses should have processes in place designed to ensure that new clients are indeed legitimate businesses. There currently are laws that govern data security in different industries, but I wonder how up-to-date those laws are given the changing state of technology.

Laws provide some incentive to secure stored data, and typically where laws fall short (sometimes by design) in America, competition picks up. Companies that don’t follow good business practices, including in areas related to security, shouldn’t survive. While this might be true in the long run and for many scenarios, security issues present a problem to the model. Insecure companies may eventually go out of business, but until they do there will be a lot of people adversely affected. Since we are a democratic nation and value our individual liberties, the only way to deal with this kind of problem is with legislation that attacks it immediately.

What people disagree with is the kind of legislation that is passed. There is legislation like the Homeland Security Act, which many view as a bumbling attempt to quickly solve some of the problems, and other legislation like the Fair Credit Reporting Act, which is generally accepted as very good for individual citizens. I expect (or really hope) that the laws passed will become more refined and better at addressing the real problem of reconciling high security with individual privacy and freedom.

So what should we do?

New Domain - Please Update Links

I took the plunge and bought a domain and hosting, so the site now has a permanent home at Please update your links. I was tempted to bang my head on the desk several times last night working out the kinks, but it should be working now. You can still view the site at the Blogger address, but it probably won't be around forever. Good times!


ChoicePoint Tracking

For anyone wondering what the latest ChoicePoint new is, Adam Shostack at Emerging Chaos has been keeping tabs. Check out his collection.

It will be extremely interesting to find out what, if any, legislation is passed as a result of the publicity this occurrence of data theft has received. Hopefully any change will work toward a solution that is win-win in terms of personal privacy and security. Regardless of the outcome, I suspect that change is on the horizon and that it will be good for background companies that are up to snuff with good security policies.

I just wanted to make anyone who is interested aware of Adam’s resource.

Consistency is Important

Difficult questions about background screening and security about in our society. What kind of background check should be done? Should a different background check be done on employees in job X versus employees in job Y? What should be process be for when we decide not to hire someone? Are there hidden loopholes that leave the door open to a lawsuit?

I don’t know about other people, but my college HR classes definitely didn’t cover all of these issues. Since background screening’s rise to popularity has taken place in probably the last 10 years (or less), there are a lot of industry professionals out there who don’t have a lot of past experience with these questions and are forging ahead blindly. Scarier still is the fact (yes, I happen to know that it’s a fact) that there are a number of companies who are making these decisions either without legal counsel or with a legal counsel who doesn’t provide good advice on these matters.

There are a couple basics to keep in mind. First, let the Fair Credit Reporting Act be the guide. It’s really not that hard to read, and there are a number of resources available to help make decisions about the fine points of its interpretation.

Second, be consistent. In this hypersensitive age of lawsuits and “personal rights,” it’s extremely important for companies to maintain consistent standards that guide them through the decisions that have to be made in the background screening process. Not doing so invites potential lawsuits from people who feel like they weren’t treated fairly during the applicant process or disqualified for a good reason.

On a side note how did we ever get so hung up on ourselves, anyway? Are privacy rights taken too far in some areas? Maybe this is a good topic for another post.

Comparing Background Screening Companies - Confusing Services

Deciding which company to use to do background checks is an important decision. I have another post that lists what questions to ask a screening company, and here are a few more thoughts to add to that:

1. The first step is always to decide what kind of background check you want to perform. This depends on your industry, position type, budget, etc.

2. Compare apples to apples. This is a big one. Most established, reputable background screening companies offer similar services, but they're often packaged differently and given different names. This can be highly confusing, so be cautious about discounting a company just because the title of one service sounds like it is better or different than a similar service at a different company.

One company might offer a Complete 7-Year Criminal History, and another might offer a National Criminal History Search. They each highlight a different aspect of the search, but they could be the same thing. It's important for you, the potential customer, to know enough about the industry to be able to ask the right questions. For example, seven years is the industry standard for criminal searches. No company is going to be able to consistently pull criminal records past 7 seven years from different court systems, and some states even limit the number of years back information found in a records search can be used to make employment decisions to 7 years.

Regarding a national search, it doesn't really exist. However, a company might say that a search is national only because they have the ability to search county courthouses in just about every county in the country, and will do so depending on where the applicant has lived. This isn’t a unique ability - any background screening company worth its salt will be able to do this.

Since most employers don’t know the ins and outs of the industry, the important thing for the employer is to ask lost about the sources of the information. A screening company isn't required to release information about their sources to prospective clients, but it is required to release source information, upon request, to its actual clients. If the company won't give you enough information about its sources to enable you to compare it to other companies, you might want to consider not using this company. It's a fine line, but you have to be able to make an educated decision. Also, a company not willing to work with you up front to help you make a good decision might also be a company that gives you headaches when you need information later on.


Online Dating Moving Toward Background Checking

The movement headed by is gaining momentum. While news laws in Michigan and Florida, among other states, requiring online dating services to state whether or not a background check was performed on its members are being introduced,, another online dating service, is ahead of the curve and has already contracted with Intelius, Inc. to do background checks on its daters. One of the issues with doing this is for people using these services to maintain anonymity, and it appears that this has been addressed by and Intelius.

There are some opponents of these new laws, but most of them are the large and established dating services that don’t want to take a hit. It’s inevitable that these laws will be passed eventually in one form or another. Areas on the Internet where people meet specifically for dating purposes are bound to attract people who try to find someone to take advantage of, and until now there have been no standards in place to make sure people aren’t using fake identities.

Individual Freedom Called Into Question

Suppose the U.S. did adopt a policy of increased surveillance where there was, in theory, a benevolent “Big Brother” that monitored citizen activity. People with nothing to hide have nothing to fear, right? The issue, as presented in a situation where a County Sheriff accessed driving record information for questionable purposes, becomes whether or not personal freedom really is enhanced. The hang up I have with such a system is that there will always, or maybe I should say eventually, be someone who can’t be trusted.

I suspect that, similar to communism, it might be a case where the theory is great but the practical experience of it is awful. It would be wonderful if we could completely trust the government officials who monitored and enforced such a surveillance system. I once heard someone say that a dictatorship is the best form of government, so long as the dictator made wise decisions and cared more for the nation than for himself. Criminals are punished and law-abiding citizens are free to enjoy life. But the reality is that people aren’t perfect and anyone, regardless of how uprightly they live their lives, are highly susceptible to corruption.

Enter democracy. As far as I see, this is the best system for establishing a safe place to live. There is a high degree of transparency, evidenced by the public availability of all kinds of personal information, including criminal records, and strict laws are in place that govern the use of this information. True, there is a lot of wrangling over how to maintain this system as new technologies develop that enable, for example, crimes like identity theft, and it’s easy to start thinking that if we implemented a sweeping change and radically changed the system by moving toward an extreme (extreme openness or extreme confidentiality) that there would be a better solution. However, I tend to think that continuing to struggle along the middle road, as difficult as it is, is the best way to ensure personal freedoms while maintaining a reasonable level of security at all levels. As for the abuse of authority mentioned above, our current system of checks and balances should deal decisively with the offender.


Japan – Companies Forced to Disclose Database Use

A new law in Japan will require companies that hold personal information in databases for over 5,000 people will be required to tell those individuals why it is keeping their information. It has its critics, but is a big step toward ensuring the privacy rights of individuals.

What would this look like in the U.S.? If the popularity of the No Call Registry is any indication, it would be embraced with open arms by the general public. People generally like to protect their own privacy, and being made aware of how many companies actually hold their personal information would probably result in a public outcry. The ones who would disagree with it, obviously, would be the companies holding the information.

In the background checking industry, this kind of law would have far-reaching effects. For example, databases kept by companies like National Background Data allow background screening companies to identify where an individual has lived in the past. This information is invaluable for knowing where to look for criminal records.

I assume that such a law excludes government agencies. Our criminal system has public access to its records as a key component and I don’t see that changing in the near future. If it did, the background checking industry as we know it would no longer exist.

I’m curious - does anyone see this kind of legislation ever passing in the U.S.?

Background Checks - Not a Perfect Solution

An article in Information Week states that the Department of Homeland Security is just now considering the impact of increased security on personal freedom. I’m glad they’re trying to tackle this, but it’s a rather obvious question that should have been taken into account a few years ago. Granted, in an emergency situation (9/11) the first priority is safety and stabilization, but I’m still surprised that it’s taken three-and-a-half years for the topic to be officially addressed.

The example cited is a program called Secure Flight, the goal of which is to create a system that identifies individuals who are higher risk for flying and will thus have a more extensive background check performed on them. Currently, as far as I know, the system in place for identifying potential terrorists traveling on planes is very weak. Depending on how it’s done, beefing it up would certainly help.

But background checks can only do so much. I’m deviating slightly from the main point of the article, but this is something I think needs to be discussed. Properly done, the new system for doing background checks on airline passengers might catch people who have criminal backgrounds or, in the case of terrorists, are associated with terrorist groups (Several governments, as well as the U.N., release watch lists of terrorist names). The reason this system is needed is that conducting a thorough background check on all airline passengers is cost-prohibitive, and we know the airline industry doesn’t need any more financial challenges.

The problem with background checks is that past activity is not always an indication of future behavior. This is where extreme reliance on background checks falls short. Background checks are helpful for avoiding some problems in the workplace and also help companies avoid legal liability in the U.S., but when it comes to terrorism the stakes are much higher. A smart terrorist group will choose to use people who have no criminal records and are not on any of the watch lists.

Maybe they’ll be able to find a good solution to the security v. privacy issue, but I expect there will always be a tradeoff. At best they’ll be able to mitigate risk at a minimal cost of privacy. What we need to consider is how much privacy we’re willing to sacrifice for an imperfect solution.


Staffing Agencies and Background Checks

Staffing agencies are in a unique position when it comes to conducting background checks. They work with a variety of customers, many of which have standard policies when it comes to conducting background checks. Some customers are no doubt satisfied to know that a background check was done, regardless of its quality. Others, however, have very strict guidelines when it comes to the background check requirements of everyone employed on its behalf.

What is a staffing agency to do? There are three basic variations that can be done. One option is to tailor the background check to the standards set by the customer with which the employee with work. The advantage to this method is that the staffing agency doesn’t pay extra for unnecessary services. The disadvantages are that the employee may have to be re-checked if she is going to work for another of the staffing agency’s customers, and that the staffing agency has to deal with keeping track of the type of background check performed on each one of its employees.

Another option is for the staffing agency to conduct the same background check on all of its employees. The advantages here are that it’s very easy for the agency to keep track of the services ran on each of its employees and it’s very easy to communicate to its clients what kind of background check was ran. The main disadvantage is cost. The staffing agency would have to meet the standards of its most demanding client, which no doubt means a hefty price for the background check. Customers with lower standards may not want to pay the higher price when staffing agency B will charge less for background check expenses.

The final option is a mix of the two. The staffing agency can set a standard somewhere in middle that will satisfy the security requirements of a significant number of its customers. Employees that are then sent to customers with higher standards can have an additional background check performed – kind of like “high security clearance” in the military.

Staffing agencies do have extra challenges with it comes to background checks, but there are good options.

Quality, Consistency and Cost in Background Checking

The Green Bay Press-Gazette published an article that mentions the fact that cost is a factor in how deep school districts dig when it comes to conducting background checks on employees and volunteers. Most of the schools mentioned have polices that govern the type of background check performed for individuals in different positions, but the problem is one of cost.

The schools named in the article have high standards for teachers, but varying, and often lower, standards for doing background checks on staff and volunteers. That might be okay if the teachers were the only ones that interacted with the students, but if the staff and volunteers are ever around students then the students could potentially be around someone with serious criminal convictions that weren’t uncovered by the cheaper background check. The level of liability is determined by the lowest common denominator in terms of security, and in this case the staff and volunteers whose background check is frequently of lower quality than that of the teachers’.

How far do we take this idea? Should a business run the same background check on everyone who spends time within its walls and interacts with its employees or customers? I expect that a vendor hired by a company would be responsible for conducting a background check on its own employees, but the company that hired the vendor should be responsible to ensure that the background check the vendor conducts is up to the hiring company’s standards.

Increased security, because of its significant cost for a company, organization or institution, definitely has a significant economic impact. For these entities, especially ones without plenty of cash, finding a way to do consistent background checks on all employees and volunteers without breaking the bank is a challenge. When it comes to schools and other public institutions, are taxpayers willing to shoulder this extra cost?


Adverse Action – Applicant Rights and Employer Obligations

Job applicants are given certain rights by the Fair Credit Reporting Act when it comes to adverse, or negative, information on their consumer report. Consumer report is the term used by the FCRA that refers to the "background check" report provided by a consumer reporting agency. The definition of adverse action by the FCRA is as follows:

(i) a denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of, any insurance, existing or applied for, in connection with the underwriting of insurance;

(ii) a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee;

(iii) a denial or cancellation of, an increase in any charge for, or any other adverse or unfavorable change in the terms of, any license or benefit described in section 604(a)(3)(D) [§ 1681b]; and

(iv) an action taken or determination that is

(I) made in connection with an application that was made by, or a transaction that was initiated by, any consumer, or in connection with a review of an account under section 604(a)(3)(F)(ii)[§ 1681b]; and

(II) adverse to the interests of the consumer.

It obviously covers more than employment, but that’s all I’m going to discuss here. I don’t want to bore you with legal documentation, but here is the exact wording from the FCRA regarding requirements of users of consumer reports. In our discussion, users of consumer reports are employers and consumer reporting agencies are background screening companies used by the employers.

(a) Duties of users taking adverse actions on the basis of information contained in consumer reports. If any person takes any adverse action with respect to any consumer that is based in whole or in part on any information contained in a consumer report, the person shall
(1) provide oral, written, or electronic notice of the adverse action to the consumer;

(2) provide to the consumer orally, in writing, or electronically

(A) the name, address, and telephone number of the consumer reporting agency (including a toll-free telephone number established by the agency if the agency compiles and maintains files on consumers on a nationwide basis) that furnished the report to the person; and

(B) a statement that the consumer reporting agency did not make the decision to take the adverse action and is unable to provide the consumer the specific reasons why the adverse action was taken; and

(3) provide to the consumer an oral, written, or electronic notice of the consumer's right

(A) to obtain, under section 612 [§ 1681j], a free copy of a consumer report on the consumer from the consumer reporting agency referred to in paragraph (2), which notice shall include an indication of the 60-day period under that section for obtaining such a copy; and

(B) to dispute, under section 611 [§ 1681i], with a consumer reporting agency the accuracy or completeness of any information in a consumer report furnished by the agency.

What all of this means is that if an employer chooses to deny employment to a job applicant based on the information reported by the background screening company, the employer must notify the applicant and give him a chance to respond. The employer is not required to adhere to the FCRA’s adverse action policy if the decision not to hire is based on information outside the consumer report.

If the applicant wants to dispute the information, he is directed to the background screening company and the information the applicant claims is incorrect should be re-investigated. If you work with a background screening company that doesn’t have a process in place for handling applicant disputes, look for a new company to do your background checks.

Does this really happen often? In addition to the problems with database searches, the actual court records themselves often contain errors. The adverse action process is on the side of the applicant. It gives applicants the opportunity to work with the appropriate agency to correct erroneous information.

There are a few exceptions, but most courts willingly work with individuals to address problems with their data. The problem applicants have is that companies that have compiled databases from public courthouse records don’t, as far as I know, have any incentive to take the time to correct their records. The final report has to be corrected each time the information is used adversely by an employer, but if the background screening company isn’t the same company as the one that houses the database with faulty information then the consumer report provided by the screening company will be changed but the database will most likely not be corrected.

Also noteworthy, the states of California (surprise surprise), Oklahoma and Minnesota all require employers to provide a place on their applications where job applicants can choose to receive or decline to receive a copy of their report. In all states applicants are allowed to request a copy of the report, but in these states they are directly notified of their right.

Adverse action protects the interests of the consumer. I don’t have the information off-hand, but there have been cases where large companies have had to pay very hefty damages for not following the adverse action process outlined by the FCRA. Even though precedent has been set for the enforcement of adverse action, there are still a number of companies that are either ignorant of it or that choose not follow it. Doing so denies individuals the opportunity to correct information that will adversely affect them in the future.

Lying Applicants

Most employers devote a section of their application to the applicant’s criminal history, asking the applicant to list any past convictions. Contrary to what the average job applicant probably thinks, many employers do not automatically disqualify the applicant from employment if there is a conviction. I have, in fact, known employers to turn down job applicants for lying about a conviction that otherwise would have been passable.

Applicant responses to adverse information on their background check is often interesting. The Fair Credit Reporting Act gives applicants the right to dispute the information reported about them, so they will often follow up with the reporting agency to see if the report can be changed. Some are nice, some are not. Some are right, most are not. The report occasionally ends up being updated with correct information, but usually it appears that the applicant lied on the application in hopes that the truth about his past wouldn’t be discovered.

The reasons applicants usually dispute information reported from the background check are 1) the reported information really is wrong, 2) they don’t understand the information (a dismissed charge is not the same as an expunged case), or 3) they’re wrong but they hope to bully the reporting agency into changing the record. Number 2 is relatively easy to deal with as it just involves an education session, but numbers 1 and 3 usually require the company to do extra, and sometimes costly, legwork.

What’s interesting is the reactions of applicants once the information has been re-verified and nothing changes. Sometimes the applicant will curse and yell and threaten lawsuits once he "figures out" what happens, only to never be heard from again. Other applicants will suddenly remember that they really were charged with a felony offense last year, even though a week before they would have sworn on their mother’s graves it wasn’t them. The stories would be funny were they not so sad.

Sometimes an applicant does get away with lying on the application, but it’s probably not worth the risk, especially if the conviction was a misdemeanor and not a felony. It’s better to disclose the information up-front. Lying on an application will probably bar an applicant from employment at the company forever, where convictions in many states will no longer be reportable after a given number of years have passed. It’s best not to permanently burn bridges.


The Identity Theft Dilemma

Emergent Chaos has a good post on Identity Theft. In it he states,
Stop asking for social security numbers. If you can't stop asking, stop storing them. If you can't stop storing them, store them on an isolated database with tightly restricted access…Get back to basics, and ask how your organization can respect your customers, rather than putting them at risk.

I’ve mentioned it before, but I think there are two sides to avoiding identity theft. One is reactive and one is proactive. Among other things, the reactive side includes making new legislation that allows for harsher punishment of those who engage in identity theft and frequent technology "fixes" for existing security holes.

The proactive side is, as mentioned on Emergent Chaos, is to take steps in the first place to prevent sensitive personal information from being stored somewhere vulnerable. Minimize the distribution of personal data. Do all these companies that ask for Social Security Numbers really need them? I think this is a good question to ask.

The obvious downside to this is that yes, some of these companies really do need sensitive, personal information in order to provide the consumer with a necessary service. For example, the three key identifiers needed by a company performing a background check are name, date of birth and Social Security Number. Additional identifiers are sometimes available, but theser are the core three. Without these the accuracy of the results of the background check is questionable. The dilemma that a job applicant faces is that failure to provide this information to an employment screening company for a background check could result in the loss of a job. In the wrong hands, this is enough information to wreak havoc on someone’s personal life.

It’s a lose-lose situation for the applicant since we know that companies that do background checks don’t always properly safeguard their data. A person applies for a job and has to provide sensitive personal information in order to get the job, but providing the information potentially opens the door to identity theft.

What real solutions are there? A job applicant has no control over the company used by an employer to conduct background checks. It’s all up to the employer, so the applicant has to hope that the employer chose a responsible company. An employer could more easily choose an employment screening company if there were standards that existed to regulate the use of personal data. For example, not all employment screening companies sell access to their database. Companies that adhered to established standards would stand out from the crowd and the job applicant might feel a little safer about providing personal information.

Another solution would be for the government’s public records systems to utilize less "stealable" methods of personal identification. Fingerprinting is a viable option that’s been used for years by the government and is now slowly making its way into the public sector.

I’m sure there are a number of additional perspectives that could be discussed here, but I think this is the key issue for consumers regarding identity theft. The distribution of personal data can, and probably should, be limited more than it currently is, but this is only viable to a certain degree given the current state of our society.


Background Checks Must Be Relevant

Board members for the Jefferson County airport in Colorado were taken to task for conducting background checks on its lessees that delved too deeply. The story caught my attention because I don’t hear much about background checks being too thorough.

A number of officials involved stepped forward and agreed that the background checks were far too revealing given they were being done on people leasing space from the airport. I imagine that the checks were done simply because air security is a hot topic right now. The report also stated that each lessee signed a release form that authorized the checks and that no negative action was taken against the lessees as a result of the background checks.

So why the fuss? Certainly no laws were broken and no one was adversely affected. Anyone in a position of ownership is also in the position of liability, be it as an employer or an airport board member. Therefore it’s up to that individual to ensure the safety of the organization, facility, etc. and that means conducting a background check that the owner deems appropriate.

The problems arise when the owner can’t show that the information collected in the background check is relevant to the situation. For example, an employer might be hard pressed to show that it was necessary to run a credit check on someone who will be standing in the same spot in an assembly line for 8 hours. It probably won’t cause a problem unless the person is denied a job because of it (or a lease, in the case of the airport situation), but it’s a safe practice to remember that the job function needs to be related to the kind of background check performed.

Here’s a overview of common background check components.

Why I Blog about Background Checking

The reason I blog about background checking is that there are very few people doing it. There are a number of blogs about closely related issues, but few about this specific industry. The ones that are out there are mostly operated by a company that does background checks in an attempt to drum up business (which I don’t think is necessarily a bad thing), and even if they have the best of intentions it’s hard to take the advice of someone who is paid money to write. Here’s an interesting post about this topic.

I’ve worked in the industry for several years and have found that there are a lot of misconceptions about background checking that are held by employers and “consumers,” or individuals on whom a background check is performed. There are also a lot of bad practices on the part of companies that actually do the background checking, and I hope to expose some of these practices and help employers and individuals make better informed decisions. I don’t have any grand notions about holding the industry accountable with this blog, but I do hope that generating more candid discussion on the Internet about the subject of background checking will save at least a few people from unnecessary stress and headaches.

On a practical note, is driving me crazy. There have been a number of problems and errors with posting lately. It also lacks a few features that paid providers offer. I don't want to spend a lot of time on the technical side, but I will if I have to. Don't be surprised if ScreenDiscussion gets its own domain name in a few months.

Open Society – Openness versus Privacy

Dennis Bailey of Open Society Paradox mentions that the Transportation and Security Administration’s Registered Traveler program has been very successful. It allows frequent flyers to submit to a background check, and after that they can go through the “express” security check.

I am very intrigued by Dennis Bailey’s “Open Society” ideas. A person with nothing to hide has nothing to fear. This is the whole idea behind the emphasis on confession in the Roman Catholic Church, right? It’s very difficult to live with your own failings, but if you take the risk of sharing them with someone else without being condemned by that person then you experience a sense of freedom and forgiveness.

Exposure involves accountability, and in this case voluntarily allowing the TSA to do a background check ensures, in theory, that no convicted criminals are traveling the airways. There is the quality of the background check that is done that needs to be taken into account (just because it’s done by the government doesn’t automatically mean it’s flawless), but in theory it seems like a good idea. I would still be concerned about those individuals, however, who are criminally-minded but smart enough not to have yet been caught. These are the people who can often be the most dangerous.

In general Dennis Bailey’s ideas provide a lot of food for thought. What would an open society look like? It would probably provide incentive to avoid criminal activity, but what would those people do who have a less than sterling history? Does it provide any room for a second chance? I’ve never been convicted of a crime, but I’m far from perfect. I would imagine that completely embracing such a philosophy could potentially create a society of priggish snobs. I haven’t read all of his materials, so maybe he addresses this concern. I don’t mean any offense to Dennis Bailey - I really am intrigued by his ideas. I just have a few reservations.

Background Check Quality Standards

There is a great need for high standards in the delivery of information in the background checking industry. Important decisions hinge on the information that is reported in a background check, so it needs to be highly accurate.

If you are an employer, it is important that you know what kind of standards are in place at the company you use for your background checks. Documented processes is a starting point, and any decent company should be able to provide you with either the documents themselves or a written guarantee that they exist.

The second thing to ask is what steps the company takes to ensure that accurate information is reported. Aside from whether or not the company exclusively uses databases, which should clue you in that they aren’t reporting highly accurate information, make sure they have a data-entry system with safeguards against errors. This usually means having a system that ensures that more than one set of eyes review the data before it is given to the customer.

Following this, what about the next level? Why not an industry-wide quality standard like that of ISO 9003? It would give companies an opportunity to see who’s really serious about the accuracy of their data. Admittedly I don’t know a lot about the ISO standards and similar official quality programs, but if there is an industry that could use them it is the background checking industry.