Confronting the Insider Threat

By Laura Spadanuta

Background Checks

A thorough background check is an obvious first step in screening out insider threats, with the above-mentioned red flags as one guidepost. Even the best check will miss insiders who haven’t yet done anything wrong, but it may catch others who have already transgressed or have exhibited some troublesome behaviors.

Companies that use background checks must decide whether to do the check themselves or contract it out to a third party. Going to a third party will cost more, but the screening company will be more experienced at the work and will usually have more resources to pursue for the check.

Whether the check is carried out in-house or contracted out, management must decide what the check will entail, but they must consult counsel to ensure that they are staying within all applicable laws. “And make it very transparent and visible,” says Eugene Ferraro, chief ethics officer of Convercent.

If conducted by an outside company, often referred to as a consumer reporting agency or CRA, the background check is bound by the limits of the Fair Credit Reporting Act (FCRA), which is meant to protect consumers. For employment background checks, the FCRA requires that the company provide written disclosure to the applicants before obtaining a consumer report, as well as receive authorization to obtain the report. The FCRA requires strict compliance. “The authorization has to be provided to an applicant on a single page, separate and apart from the application or other documents,” explains Ryan DiClemente, of Saul Ewing LLP. So, for example, if a company “includes that authorization at the very end of its application, that’s going to be insufficient under the FCRA. And there’s been litigation that has recently arisen as a result of that.”

The company must also provide a copy of the report and certain disclosures prior to taking any action against the applicant if the report leads to an “adverse action,” which could include not being hired, as well as certain additional disclosures after the adverse action is taken. Investigative reports that include interviews on the person’s background and character have additional FCRA requirements. However, when a current employee is suspected of wrongdoing and that spurs the background check or investigation, it may be exempt under FCRA. “Just by way of example, if your company suspects somebody of theft, and at that point, you decide to run a background check that is related to the conduct, the disclosure requirements of the FCRA are unlikely to apply,” notes DiClemente. He adds that it makes sense that “you would not want to be putting an employee on notice that you suspect them of something because it could jeopardize the internal investigation.” The company must work with legal advisors to ensure that it complies with all state and local laws that apply as well.


