strategies for reducing the insider threat before and ... · tremendous pressure to get new people...

Employment Screening Resources® (ESR)

www.ESRcheck.com

Strategies For Reducing the Insider Threat

Before and After Hiring

ASIS Atlanta

Tuesday, September 30, 2014 / 11:00 AM

Presentation Number: 3111 / Room: B308

Lester S. Rosen, Attorney at Law

Founder & CEO Employment Screening Resources (ESR)

[email protected]

© 2014 All Rights Reserved 2

About the Speaker

Lester S. Rosen is an Attorney at Law and CEO of Employment Screening

Resources® (ESR), a nationwide background check firm accredited by the

National Association of Professional Background Screeners (NAPBS®).

He is a frequent speaker on due diligence and background screening issues.

He is the author of “The Safe Hiring Manual,” the first comprehensive book on

background screening and hiring.

He has qualified and testified as an expert in court cases and has testified

before the California Legislature.

He was the chair of the steering committee that founded the NAPBS

(www.napbs.com), and served as the first co-chair.

© 2014 All Rights Reserved

Notice

3

This material is not intended and should not be

used as legal advice. For specific legal advice, an

employer should contact their attorney.

This material is for educational purposes only.

Questions? Please email [email protected]


Numerous Tools for Preventing

Insider Threats

• There are numerous types of insider/

post-hire threats ranging from

embezzlement and other thefts to child

molester and active shooter and

everything in between.

• Not just an employees but anyone with

access including contractors/temps.

4

This presentation is focused on

background screening tools.


Numerous Additional Tools

Identification and prevention of insider threat requires an inter-disciplinary

approach that can include:

5

Mental health assessments

Psychological testing

Physical security

Supervisor and co-worker

training to recognize danger

signals

Identification of risk factors

Culture of safety, reporting

and integrity

Sharing and analyzing

information between

agencies/sources

Internal Controls and

Continuous Evaluation


Why Screening is Critical

Risk-Management Tool

6

• Employees are typically a firm’s greatest

investment and largest cost.

• Each hire also represents a large

potential risk.

• Every employer has the obligation to

exercise “Due Diligence” in hiring.

• Employers, especially in industries with

higher risk, need to be able to vouch for

the integrity an honesty of employees.

! !

An employer that hires someone it either knew or

should have known was dangerous, unfit, or unqualified for the work

can be sued for negligent hiring.


Insider Threat from Current Employees

Workplace Violence DOJ estimates 2 million incidents a year

Fraudulent Credentials Up to 40% of resumes contain

material lies or omissions about

education, past jobs or qualifications

Why be concerned about Safe Hiring?

The “Parade of Horribles”

7

Theft, Fraud or Embezzlement

Lawsuits for Negligent

Hiring, Retention,

Promotion, or Supervision Turnover Costs Cost of a bad hire estimated at

$10,000 to $100,000 given time

wasted to recruit, hire and train

and job not done

Lost Customers/

Workplace Disruption

Past criminal conduct raises concern about propensity to repeat criminal

behavior – 10% rate of criminal records

Wrongful Termination

Lawsuits

Data Breach and ID Theft

© 2014 All Rights Reserved 8

How to Fake a Job Reference using a Virtual Job Reference Service. www.thereferencestore.com

Our Virtual (Fake)

Companies appear so real

that we receive both sales

and customer calls from the

public!

We will act as your current or past

employer and provide you with a fake

employment reference, a fake company,

and a fake H.R. Manager to give you an

outstanding recommendation for

employment.


Other Reasons for Safe Hiring

What is the one question everyone will ask you if there is a bad hire?

9

Strong evidence to suggest that if a person lied their way into a job,

they will be dishonest on the job

How much time do you have in addition to

everything else you are doing to be involved in

litigation?

Do you want your firm to be in the headlines?

Certain industries have legal requirements.

Under Sarbanes-Oxley, arguably background

checks are required as part of an environment

of control under Sec. 404 for position

involving access to financial data or IT.


• FBI fingerprint checks only available when mandated by

law and the FBI database is not perfect.

• Private databases are NOT official government databases

but large private “data dumps.”

• Databases can have both “false” positives and negatives.

• Primary method for obtaining criminal records is to

physically look at each relevant courthouse.

• Over 10,000 courthouses in America with court records in

over 3200 jurisdictions.

• Searches subject to human error as well.

No One Tool Tells the Story

10

Contrary to popular belief, there is no national database

available to private employers to check criminal records

or false credentials.


Gut Instinct Alone Insufficient

Cannot identify potentially bad hire

at interview:

• Many applicants tell the lie so often

it comes across naturally – they

believe their own story.

• Body language, eyes, voice, etc.

are always NOT reliable indicators.

11

Per recent studies, even trained

law enforcement officers and

judges are generally only right

about half the time

Even though

people believe

they can detect

liars, only

50-50 chance

at best


Basics of Screening

Rationale (Pre-employment screening discourages applicants with something to hide, encourages

honesty, demonstrates due diligence, and helps to hire based upon facts and not just instinct).

Even-handed (similarly situated people treated similarly).

Effectiveness – No single tool can be relied upon but need series of

overlapping tools.

Not an FBI check or Big Brother watching but a valuable due diligence

employment tool.

Sources of information are public (e.g. criminal records) and private records,

verification of credentials.

Consent in writing under Fair Credit Reporting Act (FCRA) and state laws.

12


Screening vs. Investigation

13

• Employment screening involves

verifications of supplied information

by an applicant who has given

express written consent.

• A typical international screening

means contacting the employers

and schools that have been

supplied and conducting a

reasonable criminal check to the

extent possible in that country.

• If more information is needed, the

applicant can be asked to supply it.

Screening

• International investigations may

involve qualified personnel in the

foreign country doing in-depth

personal interviews or obtaining

criminal and specialized records.

• If filling a highly sensitive position or

conducting a due diligence of a

potential business partner outside

the U.S., services of a qualified

investigator on the ground in that

country may be needed.

• Investigation is typically more

expensive then a screening.

Investigation


Legal Blinders …can be placed on Employers and Investigators

• Because employment rights are

involved, the law enforcement

approach of getting all available

information does not apply.

• Federal security clearance have

more leeway (but focus here is

private employers).

14

Law specifically places blinders on

employers, such as limits on what

can be reported and used.

• Examples: FCRA, ADA, EEOC &

NLRB

Limits on social media use:

• State laws restricting credit reports,

social media passwords, or

• Limits on the use of criminal records

for employment including limits on

ARRESTS.


Stages of Hiring

Hiring occurs on a continuum – Critical to understand different legal

obligations depending upon the stage of the hiring process.

15

1. SOURCING

4. DECISION PROCESS

7. THE POST HIRE/

ON BOARDING

(e.g. I-9

process)

2. PRELIMINARY

SCREENING

5. BACKGROUND

CHECKING

8. EMPLOYMENT

3. ASSESSMENT

(e.g. interviews)

6. THE POST OFFER/

PRE-HIRE

(ADA medical

inquiries)

9. POST-EMPLOYMENT

(such as reference

requests from

potential new

employers)

X


Realities of Hiring

• Although every organization has a broad goal of only

hiring honest, qualified, and ethical people fit for the

job, not the emphasis in the real world.

• Due diligence requires spending money, and the cost of

background checks can be seen as a drag on the

bottom line.

• Where procurement selects vendor, cost often primary

criteria.

• Everyone involved in the hiring process from hiring

managers, recruiters, and HR motivated in the short

term to fill positions.

Tremendous pressure to get new people on boarded.

A recruiter’s success is measured by “BIS” (Butts in Seat).

People respond to incentives and evaluations, and in the

short run filling positions in a timely manner is more

critical then a long term concern that maybe someone will

turn out to be a bad apple.

16


After the Hire: The Potential for Insider Threats

17

After getting in the front door, a business may

still be concerned about:

• Persons in substantial authority (C-suite

executives and above)

• Persons with access to IT or sensitive

financial / proprietary information

• Persons with access to cash, accounting, etc.

• Persons in sensitive positions with access

to sensitive information such customer

lists, operations information, financial

information, etc.

• Persons who can make financial decisions

(extreme example: the “rogue trader”)

• Any current or former employee/contractor

with a grievance and a gun


Inherent Challenge …in Predicting Future Behavior

• Due to numerous factors, hard to measure how a person will react in the

future to various situations, such as need for money or ability to act in an

ethical fashion when under orders to do something less than ethical.

• Generally speaking, a person with past history of honesty much more

likely to be honest in the future.

• Conversely, study shows that if a person dishonest in how they obtained

a job, much more likely to be dishonest once they are in the job.

• Key is initial screening, ongoing screening, and an environment of control

and physical safety.

18


Problems Can Arise During Employment

19

An employee may

have access to cash or

assets and the need

for internal controls

well known.

An employee may

develop financial

issues, undergo life

stresses, gamble, drug

use, etc.

Supervisor may

suggest, encourage,

imply, or order

employee to perform

act of questionable

honesty.

A person with a

political agenda

obtains job secretly to

advance a goal

detrimental to the

employer’s interest.

Predictable risks Unpredictable risks Secret risks


Two Types of Employer Surprises

20

Information that Occurred

PRE-EMPLOYMENT that is

newly discovered:

For example, other employees

may discover that a person is a

registered sex offender or that a

credential is faked

Information or behavior that

occurs POST hire:

• Embezzlement (through various

schemes such as fake vendors)

• Violence

• Dishonesty

• Theft of trade secrets

• Creating hostile work

environment

• Misconduct


Preventing Surprises …Missed During Pre-Employment Screening

• First step: Have in place policies, practices, and procedures to carefully

select your employees in the first place.

• Have well thought out pre-employment screening program commensurate

with the risk involved.

• Ensure your application form makes it clear that any material falsehood or

omission can result in termination NO MATTER WHEN DISCOVERED.

• Have language in employee manual that deals with discovered

falsehoods or omissions post-hire.

21


Steps to Prevent Surprises

• Ensure your background check release has an “Evergreen” clause to

allow future screening if needed (although there are limits to that).

• Some firms include policy that employee must self-report any arrest since

that can impact ability to preform job.

22


Legal Implication …of Using Information Acquired After Hiring

Important to not have a knee jerk reaction and to carefully review all the facts

and circumstances and give the employee an opportunity to be heard.

23

• If employee suspended as a result of a “consumer

report” under the FCRA, remember that pre-

adverse and post-adverse notice under FCRA.

• FCRA has a process to screen where there is

possible workplace misconduct or wrongdoing.

• Especially important to carefully document

actions – especially if employee has pending

claim – and be careful of allegations of retaliation.


Screening Tools for Insider Threats

24

Ongoing “continuous”

evaluation (CE)

RE-enactment (post-mortem)

screenings

Special Problem with Fraud

and Embezzlement

Credit Reports

Asset searches

Social Media

Special Issues with Contingent

or Temporary workers

Preventing ID Fraud

Screening current workers or

newly acquired workforce

Special issues with fake

education and employment

3rd Party data theft and

Offshoring


Important – Internal Investigations can

Invoke the FCRA

• Misconception that any in-house investigation is non-FCRA

• Only true if EVERYTHING done in-house and no commercial databases

are used

• If employer uses a court runner, that can invoke FCRA

• Using commercial databases can invoke FCRA (but not public databases

such as a courthouse)

• But under the FACT ACT, FCRA amended to allow internal investigation

without notice or authorization if suspicion of wrongdoing or misconduct,

provided adverse action rules are followed

25


Continuous Evaluation (CE) –

Due Diligence Post-Employment

• Some employers looking at “continuous” or “infinity”

screening that occurs periodically AFTER hiring

• Argument: Employees may commit crime after

being hired

• Can be a deterrence?

26

Issues:

• Accuracy: In some states, the screening is through a database subject to false positives and false negatives

• Cost: What will be the return on investment given the time, cost, and administrative issues involved?

• Value: If a person is in custody for criminal offense, presumably will not show up to work

• Legal use: What rules or criteria used if a criminal matter is found?

• May consider “random pool” similar to drug testing


Re-Enactment Screening

• If situation occurs, would pre-employment or post-

employment screening tools have helped to

prevent?

• Need to review situation and what could have

been done to determine if the issue was capable

of detection, prevention, or deterrence

• Often comes down to a lack of internal controls or

a failure of internal procedures

27


Example: Fraud and Embezzlement

Issue: Embezzlers come disguised as your

best employees

• Trust is needed to have the access needed to

steal

• Background checks critical, but inadequate as

a sole line of defense in the absence of proper

internal controls

• Per 2012 ACFE Report to the Nations, most

occupational fraudsters are first-time

offenders with clean employment histories

and criminal histories

• Walkaway point: Although screening is critical

to detect and deter fraud, internal controls

seem to be the critical tool to prevent

surprises

28


Credit Reports and Ongoing Screening

• Employers use credit reports to

determine if applicant trustworthy

and responsible for handling cash

and assets

• Example: Embezzlement is crime

of motive, opportunity, and means

• Employers may look to debt-to-

income ratio on motivation

29

47%

13% 60% of

employers

check credit of

some or all job

applicants

Check

all

Check

some

Seemingly a “Catch-22” situation for job seekers – They cannot pay

bills and get bad credit without a job BUT cannot get job because of

bad credit since they cannot pay bills


Credit Report Concerns

• Urban myth – Employment credit reports DO NOT contain credit scores,

but only credit history

• Also does not have age and does not impact credit score

• Potential discrimination: EEOC held meeting on topic, and expected to

produce new guidance

• Can have errors or not tell the whole story:

Refinance situation

Confused with someone else

Credit card used for child’s health care

30


States Limiting Credit Report Checks

• Ten states have laws limiting credit reports for employment.

• Best Practice: Approach with caution and use only for positions where

there is a business justification based upon the job.

CONNECTICUT

HAWAII

ILLINOIS

MARYLAND

VERMONT

NEVADA

OREGON

WASHINGTON

COLORADO

CALIFORNIA


Using Credit Report to Detect

Insider Threat?

• May reveal excessive levels of debt or excessive spending

• Could potentially be a sign of a potential threat

• Can also be consistent with numerous innocent explanations

• Understand FCRA and state requirements before obtaining report

32

• Will a credit report reveal a sophisticated insider threat?

Using credit report to detect insider threat may only result in revealing the

“dumb” insider threat who can’t be bothered to hide assets


Asset Checks of Current Employees

• May want to go beyond credit report to search assets

• No true “asset searches”

• Can look for boats, properties, memberships in

corporations or LLC’s, FBN etc. that are filed with the

Secretary of State or local county

• Search likely to capture the “dumb” dishonest insider –

anyone without enough brains to put assets into

someone else’s name

• Entity search may help to see if someone getting

vendor kickbacks by showing an association with a

vendor

• Be careful about legality of “pre-texting” or “social

engineering” to bypass privacy rules to access bank

information

33


Issues with Social Media

• Can be like looking for a needle in a haystack

• How do you know what is relevant and who it belongs to?

• Requires an “investigative” review

• Screening large numbers can be expensive when done manually by a

trained professional

• Software tools looking for key words is going to be hit or miss

• Becoming less useful as more consumers aware of danger and either

keep off the web or use passwords

• May only be useful to catch the “dumb” insider stupid enough to reveal

adverse information through their real identity without privacy protection

35


Legal Issues

Legal issues are significant

• PRE-HIRE:

Issues of discrimination, private off-duty legal conduct, privacy, authenticity ,

accuracy and FCRA compliance

• POST-HIRE:

Should have a social media policy in place

The National Labor Relations Board (NLRB) has commented extensively

about social medial policies and current employees to the extent it impacts

the right of workers to communicate about job conditions

Stored Communications Act of 1986 may limit employers from penetrating

password protected sites

New state laws prohibit requiring password or “shoulder surfing”

36


Approaches for Employers & Recruiters

Must weigh the benefit of obtaining information early against the

legal risks:

• Most conservative approach Pre-employment: Perform search AFTER

there is consent and a job offer is made, contingent upon completion of

a background check that is satisfactory to the employer

• Post-employment: Have a social media policy to ensure no invasion

of privacy

• See ESR Whitepaper ‘Ten Potential Dangers When Using Social Media

Background Checks’ at: http://www.esrcheck.com/Stay-

Updated/Download/

• Open issue if a background firm can perform this function under FCRA

37

http://www.esrcheck.com/Stay-Updated/Download/





In House Processes

• Have job description with the essential functions of the job and the

knowledge, skills an abilities needed

• Have documented training in discrimination

• Establish standard practice to show decision made on objective basis

• Perform through an employee behind an “Ethics wall” that does not make

hiring decisions, that filters out material using standardized procedures,

and only provide job related data to the decision maker after there has

been a offer

• Do not let decision maker view unfiltered internet/social media data

• Consider showing negative material to applicant first

38


Trend: Dealing with Vendors, Independent

Contractors & Temps

• Firms should apply same risk-management steps to contingent workers

(independent contactors and temps) and vendors.

• Non-employees can have access to computer systems, trade secrets,

customer lists, etc.

• Employer can be liable for contingent workforce under theory of ”co-

employment.”

39


Staffing Vendor Issues When Firm is Relying Upon Another Firm

40

What firm is being used? (Accredited?)

What is the screening protocol?

How is the screening done?

How are complicated legal issues such as past arrests handled?

Who reviews the report?

What are the accreditation criteria?

Who set the adjudication criteria?

How is the vendor audited?

Should the employment location have access to the background report (which is legal with FCRA compliance)?


ID Fraud Tools

• Consent Based SSN Verification (CBSV)

• ITRV-Income Tax Return Verifications

• I-9 process

• E-Verify process

• Social Security Number Verification (SSNV)

• Social Security Trace and Address Information Manager (including Death

File to guard against use of deceased person's SSN)

41


Identity Verification Methodologies

42


Screening Newly Acquired Employees

• If a merger or acquisition, may need to screen newly acquired employees

• Certain contracts may also require only screened employees

Issues:

• Legal Compliance – Must fully comply with federal Fair Credit Reporting

Act (FCRA) and state laws

• Cultural considerations:

Screening current employees very sensitive

Roll-out is critical

Need “buy-in” from employees

CRITICAL: Current employee needs opportunity to be involved in process so

there are no surprises

43


Diploma Mills

44


Education Fraud

• The world is awash with fake degrees.

• Case in point: Yahoo could have avoided situation with recent CEO with

simple and standard past education check.

• Fraud can range from false claims about real schools to presenting

worthless degrees from “diploma mills.”

• Authentic looking fake diplomas on the internet available for most schools

in America.

• How big a problem? USA leads the world in fake degree granting scams

but worldwide issue.

• LinkedIn exercise.

45


Education Verification

Always confirm that a school is accredited.

• In US, accreditation is public/private partnership:

Private bodies can accredit schools

Two bodies accredit the accreditors: US Department

of Education (USDOE) and Counsel of Higher

Education Accreditation (CHEA)

• US Department of Education site to determine if a

school is accredited:

http://ope.ed.gov/accreditation/Search.aspx

• Database of Institutions and Programs Accredited

by Recognized U.S. Accrediting Organizations:

http://www.chea.org/search/default.asp

• Fake schools have crated fake accreditation

agencies

46

http://ope.ed.gov/accreditation/Search.aspx

http://www.chea.org/search/default.asp


Lists of Bogus Schools

BEST:

• Oregon

Office of Degree Authorization (ODA) Unaccredited colleges:

http://oregonstudentaid.gov/oda-unaccredited-colleges.aspx

• Hawaii

Hawaii.gov - Unaccredited Degree Granting Institutions (UDGI):

http://hawaii.gov/dcca/ocp/udgi

• Maine

Maine Department of Education – Non-Accredited Colleges & Degree Mills:

http://www.maine.gov/doe/highered/nonaccredited/index.html

• Texas

Texas Higher Education Coordinating Board – Institutions Whose Degrees are

Illegal to Use in Texas:

http://www.thecb.state.tx.us/index.cfm?objectid=EF4C3C3B-EB44-4381-

6673F760B3946FBB

47







http://hawaii.gov/dcca/ocp/udgi



http://www.thecb.state.tx.us/index.cfm?objectid=EF4C3C3B-EB44-4381-6673F760B3946FBB










Create Your Own Genuine Fake Resume

48


The Biggest Applicant Lies?

49

LESSON: If a person was DISHONEST in getting the jobs,

likely to be DISHONEST in the job.

“I was a manager.”

“I worked there for

several years.”

“I made $65,000

a year.”

“I graduated from XXXX

University.”

(He/she was an

assistant.)

(Hiding employment

gaps)

(He/she made

less than half

that amount.)

(Either did not graduate or

the school is a worthless

“diploma mill.”)


Offshoring of data beyond the reach and protection

of U.S. Privacy Laws is rampant

In 2010, California passed the first-in-the-nation law to regulate

“offshoring” of Personally Identifiable Information (PII)

collected during employment background checks and sent

out of United States beyond protection of U.S. privacy laws.

3rd Party Data Theft and Offshoring

50

California requires screening disclosure document to contain a link to

screening firm’s privacy policy:

• Screening firms in California must have statement in their privacy

policy about offshoring using a specific format and wording

• Employers also need to be aware of risks of using offshore or home

based workers as part of their security and data protection program

• Although ID theft can occur in a domestic system, at least in US there

are resources and recourses available


Additional Trends

• New advances in technology – paperless systems with built in legal

compliance that can interface with Applicant Tacking Systems

Applicants use E-sign and a “wet” mouse signature

• NAPBS Accreditation:

The National Association of Professional Background Screeners (NAPBS) –

www.NAPBS.com – has introduced in-depth accreditation program with third

party audit called Background Screening Agency Accreditation Program

(BSAAP)

Suggestions: Look to work with an accredited firm

51

http://www.napbs.com/


Thank You!

For more information from Employment Screening Resources® (ESR), visit:

ESR website: http://www.ESRcheck.com.

Email ESR founder and CEO Attorney Lester Rosen at [email protected].

‘The Safe Hiring Manual - The Complete Guide to Employment Screening

Background Checks’ by Attorney Lester Rosen (2nd Edition / Facts on Demand

Press/ October 2012 / 736 pages): http://www.esrcheck.com/The-Safe-Hiring-

Manual/

‘The Safe Hiring Audit’ by Lester Rosen (Facts on Demand Press / 288 pages):

http://www.esrcheck.com/The-Safe-Hiring-Audit/

ESR Newsletter: www.esrcheck.com/Newsletter/

ESR News Blog: www.ESRcheck.com/wordpress

Employment Screening Resources®

Novato, CA

888-999-4474

52

http://www.esrcheck.com/

mailto:[email protected]

http://www.esrcheck.com/The-Safe-Hiring-Manual/
















http://www.esrcheck.com/Newsletter/

http://www.esrcheck.com/Newsletter/

http://www.esrcheck.com/wordpress

strategies for reducing the insider threat before and ... · tremendous pressure to get new people...

Documents