Employment Screening Resources® (ESR)
www.ESRcheck.com
Strategies For Reducing the Insider Threat
Before and After Hiring
ASIS Atlanta
Tuesday, September 30, 2014 / 11:00 AM
Presentation Number: 3111 / Room: B308
Lester S. Rosen, Attorney at Law
Founder & CEO Employment Screening Resources (ESR)
© 2014 All Rights Reserved
About the Speaker
Lester S. Rosen is an Attorney at Law and CEO of Employment Screening
Resources® (ESR), a nationwide background check firm accredited by the
National Association of Professional Background Screeners (NAPBS®).
He is a frequent speaker on due diligence and background screening issues.
He is the author of “The Safe Hiring Manual,” the first comprehensive book on
background screening and hiring.
He has qualified and testified as an expert in court cases and has testified
before the California Legislature.
He was the chair of the steering committee that founded the NAPBS
(www.napbs.com), and served as the first co-chair.
Notice
This material is not intended and should not be
used as legal advice. For specific legal advice, an
employer should contact their attorney.
This material is for educational purposes only.
Questions? Please email [email protected]
Numerous Tools for Preventing Insider Threats
• There are numerous types of insider/post-hire threats, ranging from embezzlement and other thefts to child molesters and active shooters and everything in between.
• Not just employees, but anyone with access, including contractors/temps.
This presentation is focused on background screening tools.
Numerous Additional Tools
Identification and prevention of insider threat requires an inter-disciplinary approach that can include:
• Mental health assessments
• Psychological testing
• Physical security
• Supervisor and co-worker training to recognize danger signals
• Identification of risk factors
• Culture of safety, reporting and integrity
• Sharing and analyzing information between agencies/sources
• Internal controls and continuous evaluation
Why Screening is Critical: Risk-Management Tool
• Employees are typically a firm’s greatest investment and largest cost.
• Each hire also represents a large potential risk.
• Every employer has the obligation to exercise “Due Diligence” in hiring.
• Employers, especially in industries with higher risk, need to be able to vouch for the integrity and honesty of employees.
An employer that hires someone it either knew or should have known was dangerous, unfit, or unqualified for the work can be sued for negligent hiring.
Why be concerned about Safe Hiring? The “Parade of Horribles”
• Insider Threat from Current Employees
• Workplace Violence: DOJ estimates 2 million incidents a year
• Fraudulent Credentials: Up to 40% of resumes contain material lies or omissions about education, past jobs or qualifications
• Theft, Fraud or Embezzlement
• Lawsuits for Negligent Hiring, Retention, Promotion, or Supervision
• Turnover Costs: Cost of a bad hire estimated at $10,000 to $100,000 given time wasted to recruit, hire and train and job not done
• Lost Customers/Workplace Disruption
• Past criminal conduct raises concern about propensity to repeat criminal behavior – 10% rate of criminal records
• Wrongful Termination Lawsuits
• Data Breach and ID Theft
How to Fake a Job Reference using a Virtual Job Reference Service (www.thereferencestore.com)
The service advertises: “Our Virtual (Fake) Companies appear so real that we receive both sales and customer calls from the public! We will act as your current or past employer and provide you with a fake employment reference, a fake company, and a fake H.R. Manager to give you an outstanding recommendation for employment.”
Other Reasons for Safe Hiring
• What is the one question everyone will ask you if there is a bad hire?
• Strong evidence to suggest that if a person lied their way into a job, they will be dishonest on the job.
• How much time do you have, in addition to everything else you are doing, to be involved in litigation?
• Do you want your firm to be in the headlines?
• Certain industries have legal requirements.
• Under Sarbanes-Oxley, arguably background checks are required as part of an environment of control under Sec. 404 for positions involving access to financial data or IT.
No One Tool Tells the Story
Contrary to popular belief, there is no national database available to private employers to check criminal records or false credentials.
• FBI fingerprint checks are only available when mandated by law, and the FBI database is not perfect.
• Private databases are NOT official government databases but large private “data dumps.”
• Databases can have both “false” positives and negatives.
• Primary method for obtaining criminal records is to physically look at each relevant courthouse.
• Over 10,000 courthouses in America with court records in over 3200 jurisdictions.
• Searches subject to human error as well.
Gut Instinct Alone Insufficient
Cannot identify potentially bad hire at interview:
• Many applicants tell the lie so often it comes across naturally – they believe their own story.
• Body language, eyes, voice, etc. are NOT always reliable indicators.
Per recent studies, even trained law enforcement officers and judges are generally only right about half the time. Even though people believe they can detect liars, it is a 50-50 chance at best.
Basics of Screening
• Rationale: Pre-employment screening discourages applicants with something to hide, encourages honesty, demonstrates due diligence, and helps to hire based upon facts and not just instinct.
• Even-handed: similarly situated people treated similarly.
• Effectiveness: No single tool can be relied upon; need a series of overlapping tools.
• Not an FBI check or Big Brother watching but a valuable due diligence employment tool.
• Sources of information are public (e.g. criminal records) and private records, plus verification of credentials.
• Consent in writing under Fair Credit Reporting Act (FCRA) and state laws.
Screening vs. Investigation
Screening
• Employment screening involves verifications of supplied information by an applicant who has given express written consent.
• A typical international screening means contacting the employers and schools that have been supplied and conducting a reasonable criminal check to the extent possible in that country.
• If more information is needed, the applicant can be asked to supply it.
Investigation
• International investigations may involve qualified personnel in the foreign country doing in-depth personal interviews or obtaining criminal and specialized records.
• If filling a highly sensitive position or conducting a due diligence of a potential business partner outside the U.S., services of a qualified investigator on the ground in that country may be needed.
• Investigation is typically more expensive than a screening.
Legal Blinders …can be placed on Employers and Investigators
• Because employment rights are involved, the law enforcement approach of getting all available information does not apply.
• Federal security clearances have more leeway (but focus here is private employers).
• Law specifically places blinders on employers, such as limits on what can be reported and used. Examples: FCRA, ADA, EEOC & NLRB.
• Limits on social media use: state laws restricting credit reports or social media passwords.
• Limits on the use of criminal records for employment, including limits on ARRESTS.
Stages of Hiring
Hiring occurs on a continuum – Critical to understand different legal obligations depending upon the stage of the hiring process.
1. SOURCING
2. PRELIMINARY SCREENING
3. ASSESSMENT (e.g. interviews)
4. DECISION PROCESS
5. BACKGROUND CHECKING
6. THE POST OFFER/PRE-HIRE (ADA medical inquiries)
7. THE POST HIRE/ON BOARDING (e.g. I-9 process)
8. EMPLOYMENT
9. POST-EMPLOYMENT (such as reference requests from potential new employers)
Realities of Hiring
• Although every organization has a broad goal of only hiring honest, qualified, and ethical people fit for the job, that is not the emphasis in the real world.
• Due diligence requires spending money, and the cost of background checks can be seen as a drag on the bottom line.
• Where procurement selects the vendor, cost is often the primary criterion.
• Everyone involved in the hiring process, from hiring managers to recruiters and HR, is motivated in the short term to fill positions.
Tremendous pressure to get new people on boarded. A recruiter’s success is measured by “BIS” (Butts in Seat). People respond to incentives and evaluations, and in the short run filling positions in a timely manner is more critical than a long term concern that maybe someone will turn out to be a bad apple.
After the Hire: The Potential for Insider Threats
After getting in the front door, a business may still be concerned about:
• Persons in substantial authority (C-suite executives and above)
• Persons with access to IT or sensitive financial / proprietary information
• Persons with access to cash, accounting, etc.
• Persons in sensitive positions with access to sensitive information such as customer lists, operations information, financial information, etc.
• Persons who can make financial decisions (extreme example: the “rogue trader”)
• Any current or former employee/contractor with a grievance and a gun
Inherent Challenge …in Predicting Future Behavior
• Due to numerous factors, hard to measure how a person will react in the future to various situations, such as need for money or ability to act in an ethical fashion when under orders to do something less than ethical.
• Generally speaking, a person with past history of honesty much more likely to be honest in the future.
• Conversely, study shows that if a person dishonest in how they obtained a job, much more likely to be dishonest once they are in the job.
• Key is initial screening, ongoing screening, and an environment of control and physical safety.
Problems Can Arise During Employment
• An employee may have access to cash or assets, and the need for internal controls is well known.
• An employee may develop financial issues, undergo life stresses, gamble, use drugs, etc.
• Supervisor may suggest, encourage, imply, or order employee to perform act of questionable honesty.
• A person with a political agenda obtains job secretly to advance a goal detrimental to the employer’s interest.
Risk categories: predictable risks, unpredictable risks, secret risks.
Two Types of Employer Surprises
Information that occurred PRE-EMPLOYMENT that is newly discovered: for example, other employees may discover that a person is a registered sex offender or that a credential is faked.
Information or behavior that occurs POST hire:
• Embezzlement (through various schemes such as fake vendors)
• Violence
• Dishonesty
• Theft of trade secrets
• Creating hostile work environment
• Misconduct
Preventing Surprises …Missed During Pre-Employment Screening
• First step: Have in place policies, practices, and procedures to carefully select your employees in the first place.
• Have well thought out pre-employment screening program commensurate with the risk involved.
• Ensure your application form makes it clear that any material falsehood or omission can result in termination NO MATTER WHEN DISCOVERED.
• Have language in employee manual that deals with discovered falsehoods or omissions post-hire.
Steps to Prevent Surprises
• Ensure your background check release has an “Evergreen” clause to allow future screening if needed (although there are limits to that).
• Some firms include policy that employee must self-report any arrest since that can impact ability to perform job.
Legal Implication …of Using Information Acquired After Hiring
Important to not have a knee jerk reaction and to carefully review all the facts and circumstances and give the employee an opportunity to be heard.
• If employee suspended as a result of a “consumer report” under the FCRA, remember the pre-adverse and post-adverse notice requirements under the FCRA.
• FCRA has a process to screen where there is possible workplace misconduct or wrongdoing.
• Especially important to carefully document actions – especially if employee has pending claim – and be careful of allegations of retaliation.
Screening Tools for Insider Threats
• Ongoing “continuous” evaluation (CE)
• Re-enactment (post-mortem) screenings
• Special problem with fraud and embezzlement
• Credit reports
• Asset searches
• Social media
• Special issues with contingent or temporary workers
• Preventing ID fraud
• Screening current workers or newly acquired workforce
• Special issues with fake education and employment
• 3rd party data theft and offshoring
Important – Internal Investigations can Invoke the FCRA
• Misconception that any in-house investigation is non-FCRA
• Only true if EVERYTHING done in-house and no commercial databases are used
• If employer uses a court runner, that can invoke FCRA
• Using commercial databases can invoke FCRA (but not public databases such as a courthouse)
• But under the FACT ACT, FCRA amended to allow internal investigation without notice or authorization if suspicion of wrongdoing or misconduct, provided adverse action rules are followed
Continuous Evaluation (CE) – Due Diligence Post-Employment
• Some employers looking at “continuous” or “infinity” screening that occurs periodically AFTER hiring
• Argument: Employees may commit crime after being hired
• Can be a deterrence?
Issues:
• Accuracy: In some states, the screening is through a database subject to false positives and false negatives
• Cost: What will be the return on investment given the time, cost, and administrative issues involved?
• Value: If a person is in custody for criminal offense, presumably will not show up to work
• Legal use: What rules or criteria used if a criminal matter is found?
• May consider “random pool” similar to drug testing
Re-Enactment Screening
• If situation occurs, would pre-employment or post-employment screening tools have helped to prevent?
• Need to review situation and what could have been done to determine if the issue was capable of detection, prevention, or deterrence
• Often comes down to a lack of internal controls or a failure of internal procedures
Example: Fraud and Embezzlement
Issue: Embezzlers come disguised as your best employees
• Trust is needed to have the access needed to steal
• Background checks critical, but inadequate as a sole line of defense in the absence of proper internal controls
• Per 2012 ACFE Report to the Nations, most occupational fraudsters are first-time offenders with clean employment histories and criminal histories
• Walkaway point: Although screening is critical to detect and deter fraud, internal controls seem to be the critical tool to prevent surprises
Credit Reports and Ongoing Screening
• Employers use credit reports to determine if applicant trustworthy and responsible for handling cash and assets
• Example: Embezzlement is crime of motive, opportunity, and means
• Employers may look to debt-to-income ratio on motivation
Chart: 60% of employers check credit of some or all job applicants (47% check some, 13% check all).
Seemingly a “Catch-22” situation for job seekers – They cannot pay bills and get bad credit without a job BUT cannot get job because of bad credit since they cannot pay bills
Credit Report Concerns
• Urban myth – Employment credit reports DO NOT contain credit scores, but only credit history
• Also does not have age and does not impact credit score
• Potential discrimination: EEOC held meeting on topic, and expected to produce new guidance
• Can have errors or not tell the whole story: refinance situation; confused with someone else; credit card used for child’s health care
States Limiting Credit Report Checks
• Ten states have laws limiting credit reports for employment: Connecticut, Hawaii, Illinois, Maryland, Vermont, Nevada, Oregon, Washington, Colorado, California.
• Best Practice: Approach with caution and use only for positions where there is a business justification based upon the job.
Using Credit Report to Detect Insider Threat?
• May reveal excessive levels of debt or excessive spending
• Could potentially be a sign of a potential threat
• Can also be consistent with numerous innocent explanations
• Understand FCRA and state requirements before obtaining report
• Will a credit report reveal a sophisticated insider threat?
Using credit report to detect insider threat may only result in revealing the “dumb” insider threat who can’t be bothered to hide assets
Asset Checks of Current Employees
• May want to go beyond credit report to search assets
• No true “asset searches”
• Can look for boats, properties, memberships in corporations or LLC’s, FBN etc. that are filed with the Secretary of State or local county
• Search likely to capture the “dumb” dishonest insider – anyone without enough brains to put assets into someone else’s name
• Entity search may help to see if someone getting vendor kickbacks by showing an association with a vendor
• Be careful about legality of “pre-texting” or “social engineering” to bypass privacy rules to access bank information
Issues with Social Media
• Can be like looking for a needle in a haystack
• How do you know what is relevant and who it belongs to?
• Requires an “investigative” review
• Screening large numbers can be expensive when done manually by a trained professional
• Software tools looking for key words is going to be hit or miss
• Becoming less useful as more consumers aware of danger and either keep off the web or use passwords
• May only be useful to catch the “dumb” insider stupid enough to reveal adverse information through their real identity without privacy protection
Legal Issues
Legal issues are significant.
• PRE-HIRE: Issues of discrimination, private off-duty legal conduct, privacy, authenticity, accuracy and FCRA compliance
• POST-HIRE: Should have a social media policy in place. The National Labor Relations Board (NLRB) has commented extensively about social media policies and current employees to the extent it impacts the right of workers to communicate about job conditions. Stored Communications Act of 1986 may limit employers from penetrating password protected sites. New state laws prohibit requiring password or “shoulder surfing”.
Approaches for Employers & Recruiters
Must weigh the benefit of obtaining information early against the legal risks:
• Most conservative approach pre-employment: Perform search AFTER there is consent and a job offer is made, contingent upon completion of a background check that is satisfactory to the employer
• Post-employment: Have a social media policy to ensure no invasion of privacy
• See ESR Whitepaper ‘Ten Potential Dangers When Using Social Media Background Checks’ at: http://www.esrcheck.com/Stay-Updated/Download/
• Open issue if a background firm can perform this function under FCRA
In House Processes
• Have job description with the essential functions of the job and the knowledge, skills and abilities needed
• Have documented training in discrimination
• Establish standard practice to show decision made on objective basis
• Perform through an employee behind an “Ethics wall” who does not make hiring decisions, who filters out material using standardized procedures, and who only provides job related data to the decision maker after there has been an offer
• Do not let decision maker view unfiltered internet/social media data
• Consider showing negative material to applicant first
Trend: Dealing with Vendors, Independent Contractors & Temps
• Firms should apply same risk-management steps to contingent workers (independent contractors and temps) and vendors.
• Non-employees can have access to computer systems, trade secrets, customer lists, etc.
• Employer can be liable for contingent workforce under theory of “co-employment.”
Staffing Vendor Issues When Firm is Relying Upon Another Firm
• What firm is being used? (Accredited?)
• What is the screening protocol?
• How is the screening done?
• How are complicated legal issues such as past arrests handled?
• Who reviews the report?
• What are the accreditation criteria?
• Who set the adjudication criteria?
• How is the vendor audited?
• Should the employment location have access to the background report (which is legal with FCRA compliance)?
ID Fraud Tools
• Consent Based SSN Verification (CBSV)
• ITRV – Income Tax Return Verifications
• I-9 process
• E-Verify process
• Social Security Number Verification (SSNV)
• Social Security Trace and Address Information Manager (including Death File to guard against use of deceased person's SSN)
Identity Verification Methodologies
Screening Newly Acquired Employees
• If a merger or acquisition, may need to screen newly acquired employees
• Certain contracts may also require only screened employees
Issues:
• Legal Compliance – Must fully comply with federal Fair Credit Reporting Act (FCRA) and state laws
• Cultural considerations: screening current employees very sensitive; roll-out is critical; need “buy-in” from employees
CRITICAL: Current employee needs opportunity to be involved in process so there are no surprises
Diploma Mills
Education Fraud
• The world is awash with fake degrees.
• Case in point: Yahoo could have avoided situation with recent CEO with simple and standard past education check.
• Fraud can range from false claims about real schools to presenting worthless degrees from “diploma mills.”
• Authentic looking fake diplomas on the internet available for most schools in America.
• How big a problem? USA leads the world in fake degree granting scams but worldwide issue.
• LinkedIn exercise.
Education Verification
Always confirm that a school is accredited.
• In US, accreditation is public/private partnership: private bodies can accredit schools. Two bodies accredit the accreditors: US Department of Education (USDOE) and Council for Higher Education Accreditation (CHEA)
• US Department of Education site to determine if a school is accredited: http://ope.ed.gov/accreditation/Search.aspx
• Database of Institutions and Programs Accredited by Recognized U.S. Accrediting Organizations: http://www.chea.org/search/default.asp
• Fake schools have created fake accreditation agencies
Lists of Bogus Schools
BEST:
• Oregon – Office of Degree Authorization (ODA) Unaccredited colleges: http://oregonstudentaid.gov/oda-unaccredited-colleges.aspx
• Hawaii – Hawaii.gov - Unaccredited Degree Granting Institutions (UDGI): http://hawaii.gov/dcca/ocp/udgi
• Maine – Maine Department of Education – Non-Accredited Colleges & Degree Mills: http://www.maine.gov/doe/highered/nonaccredited/index.html
• Texas – Texas Higher Education Coordinating Board – Institutions Whose Degrees are Illegal to Use in Texas: http://www.thecb.state.tx.us/index.cfm?objectid=EF4C3C3B-EB44-4381-6673F760B3946FBB
Create Your Own Genuine Fake Resume
The Biggest Applicant Lies?
LESSON: If a person was DISHONEST in getting the job, likely to be DISHONEST in the job.
• “I was a manager.” (He/she was an assistant.)
• “I worked there for several years.” (Hiding employment gaps.)
• “I made $65,000 a year.” (He/she made less than half that amount.)
• “I graduated from XXXX University.” (Either did not graduate or the school is a worthless “diploma mill.”)
3rd Party Data Theft and Offshoring
Offshoring of data beyond the reach and protection of U.S. Privacy Laws is rampant.
In 2010, California passed the first-in-the-nation law to regulate “offshoring” of Personally Identifiable Information (PII) collected during employment background checks and sent out of the United States beyond protection of U.S. privacy laws.
California requires the screening disclosure document to contain a link to the screening firm’s privacy policy:
• Screening firms in California must have statement in their privacy policy about offshoring using a specific format and wording
• Employers also need to be aware of risks of using offshore or home based workers as part of their security and data protection program
• Although ID theft can occur in a domestic system, at least in US there are resources and recourses available
Additional Trends
• New advances in technology – paperless systems with built in legal compliance that can interface with Applicant Tracking Systems. Applicants use E-sign and a “wet” mouse signature.
• NAPBS Accreditation: The National Association of Professional Background Screeners (NAPBS) – www.NAPBS.com – has introduced an in-depth accreditation program with third party audit called the Background Screening Agency Accreditation Program (BSAAP). Suggestion: Look to work with an accredited firm.
Thank You!
For more information from Employment Screening Resources® (ESR), visit:
ESR website: http://www.ESRcheck.com
Email ESR founder and CEO Attorney Lester Rosen at [email protected].
‘The Safe Hiring Manual - The Complete Guide to Employment Screening Background Checks’ by Attorney Lester Rosen (2nd Edition / Facts on Demand Press / October 2012 / 736 pages): http://www.esrcheck.com/The-Safe-Hiring-Manual/
‘The Safe Hiring Audit’ by Lester Rosen (Facts on Demand Press / 288 pages): http://www.esrcheck.com/The-Safe-Hiring-Audit/
ESR Newsletter: www.esrcheck.com/Newsletter/
ESR News Blog: www.ESRcheck.com/wordpress
Employment Screening Resources®
Novato, CA
888-999-4474