Background Checks and Open Source Intelligence – The Top Three Considerations Every Employer Should Know

Background screening is a key aspect to any corporate risk management program, though it is often seen from a compliance perspective to the detriment of the overarching security of an organization, especially the protection of business-critical information.

Consumer reports and background checks are used extensively around the world for many reasons, including:

  • the safety and protection of employees, customers, and vendors
  • requirements of local laws/regulations
  • to improve the quality of hires
  • to protect company reputation
  • to reduce criminal activity

Background screening isn’t just part of the new hire or onboarding process. Many corporations have found that ongoing background checks throughout the employment life cycle can assist with proactive threat detection and risk management. This system revolves around the principles of ‘trust but verify’..

With more and more data becoming publicly available every day, employers can now quickly obtain the following reports on individuals:

  • Criminal and Civil Records
  • Registry Checks (Sex Offender, Child, and Elder Abuse)
  • Identity Check
  • Motor Vehicle / Driving Records
  • Drug and Alcohol Testing
  • Employment Verification
  • License Verification and Monitoring (Professional and Non-Professional)
  • Education Verification
  • Healthcare Sanctions
  • Patriot Act Searches (Terrorist Watch Lists)
  • Credit History / Financial Worthiness

There are also options to have 24/7 monitoring to notify if/when an employee is arrested.

In the United States, there is no single government database that contains complete and up-to-date records regarding an individual’s criminal history. Even the FBI database is a collection of different systems organized under the National Crime Information Center (NCIC) and is not one single database. Most records exist at the state or local level. Because of this, many employers and organizations also obtain background check information from statewide, county, regional or local sources, with a few securing them from fingerprint-based criminal searches.

Research data from an international survey of more than 2,300 Human Resources (HR) professionals shows that organizations outside of the United States are more selective with who they are screening, with an increasing number of background checks being run not only on full-time and part-time employees, but on contingent/independent contract workers, vendor representatives and unpaid volunteers.

The same report also identifies that background screening checks are more commonly occurring in the U.S. onboarding process, mainly after a conditional job offer has been made. In contrast, in locations outside of the United States, the background checks are processed after a job interview has occurred, but before a job offer is made to a candidate. For all locations, the smallest percentage of the time the screening happens after completing a job application, but before a job interview, or if it varies by job level.

Non-criminal background screenings, such as employment and education verifications, social media, and credit checks, are more common with non-U.S. locations, while sex offender registry searches, drug testing, and driving record verifications are more common in the United States.

Also to note, the fastest growing area of background checks that organizations are now starting to use or considering expanding, both in the U.S. and internationally, is social media.

There has also been a paradigm shift of the industry over the past five years to assess open source intelligence (OSINT) to get ahead of any of the following:

  • Hate speech
  • Insults and Bullying
  • Self-harm
  • Threat of Violence
  • Explicit Language
  • Drug-Related Images
  • Explicit and Violent Images

There are three key considerations organizations should take into account when conducting background checks and OSINT.

1.    Compliance is key

In the United States, Consumer Reporting Agencies (CRA) are used for background check services for the following: employment screening, tenant screening, credit screening, insurance underwriting, or any other purposes that are governed by the Fair Credit Reporting Act (FCRA), which Congress enacted in 1970. CRA’s are also regulated by state and local laws.

Part of the FCRA’s strict guidelines requires employers to notify individuals before ordering a background check. This disclosure must be a standalone document, or it violates the FCRA.

The organization must also notify the individual if they consider taking adverse action due to the findings from the screening. The FCRA requires a 2-step process for employers to follow if they decide not to hire a candidate due to information contained in the consumer report.

Any person who willfully fails to comply with any requirement in the FCRA is civilly liable for the willful non-compliance. The amount owed for damages can vary anywhere from $100 to any amount the courts see fit, plus reasonable attorney’s fees.

For example, any person who knowingly and willfully obtains information on a consumer from a consumer reporting agency under false pretenses shall be liable to the consumer reporting agency for actual damages sustained by the consumer reporting agency, or $1,000, whichever is greater. In addition to being fined by the Federal Trade Commission under Title 18, that person also risks being imprisoned for up to two years.

Violating the FCRA can be costly. In addition to personal fines, major corporations have found themselves handing out significant settlements in recent years due to non-compliance. For example, the simple mistake of not providing background check disclosure forms as standalone forms to new hire candidates led to lawsuits that settled for millions of dollars. These include:

  • Delta Airlines agreed to settle for $2.3 million in January 2019
  • Omnicare settled for $1.3 million in August 2018
  • A PepsiCo subsidiary settled for $1.2 million in July 2018
  • Frito-Lay Inc. agreed to a settlement of $2.4 million in April 2018

The fines get even worse if a company improperly uses consumer credit reports. Earlier this year, Vivint Smart Homes Inc., the smart home security and monitoring company, misused credit reports to help unqualified customers obtain financing for the company’s services and products. Vivint agreed to pay $20 million to settle the allegations made by the Federal Trade Commission. (FTC Press Release)

2.    Choose a pre-employment screening company wisely

Use a screening company that does not just rely on the National Criminal Database and looks at all Counties relevant to the person/s and then search all indexes. Use a company that always conducts a multiple-repository search, including a third level when municipal courts are appropriate. An investigative audit confirms record accuracy, with a review for legal dissemination under state, federal, and international law. A couple of companies out there that are very good are CISIVE and INTELLICORP.

Interesting to know:

  • Counties in the USA either contribute crime data to the state, or they don’t.
  • Over 65% of counties in the USA do not. They house it internally. The rest (35%) make it public on the database. As a result, there is a considerable gap in the National Database, and too many screening companies sell this as a comprehensive, robust search.
  • Also, each county, especially the large ones, often has different housing for convictions. For example, Chicago, Illinois – a very large city. They have so many convictions on file that they struggle to store the data. Sometimes they have one room for felonies or one for misdemeanors. They may have another facility at another address.
  • These are called Indexes.
  • A lot of background screening companies only search one index. Reason: It is resource and time-intensive.
  • The majority of class action lawsuits on companies and screening companies come about because of lazy research and corner cutting.

3.    Do Not neglect OSINT

OSINT monitors and analyzes social media, public records, blog posts, and media sources to quickly identify individuals or groups that may want to damage or attack the company, executives, or employees. Active-monitoring and listening help the proactive identification of emerging risks or threats and is an extremely valuable tool for corporate risk management and situational awareness. Good OSINT covers the spectrum of pro-active situational awareness and helps manage physical, technical, and reputational risk, as well as an insider threat management resource.

In summary, this service helps clients:

  • Protect facilities and assets.
  • Respond to security incidents and crises.
  • Receive an early warning when data is leaked.
  • Improve situational awareness.
  • Improve Executive protection.
  • Help protect Brand/Image reputation.

This article was written by Dustin Fain, the CFO of ETS Risk Management Inc. Dustin provides the analysis and insight that help frame the company’s most important decisions. He oversees all finance and human resource departments of ETS; establishing efficient internal protocols while incorporating new technologies to ensure smooth and simplified service to clients and stakeholders.