EmployeeScreenIQ Blog

This story out of the Palm Beach Post caught my eye because it involves so many warning signs that an employer missed or failed to follow up on and ultimately resulted in disaster.  Erika Morales showed up for her first day of work at a medical supply company with an electronic monitoring device courtesy of Palm Beach county.  When asked, she said that she needed to resolve a domestic issue.  The employer never followed up.  Ms. Morales was given access to the personal information of hundreds of clients and in turn used that information to commit identity theft and steal from them.

She is now in jail and charged with 25 counts of identity theft.  See story.

Here’s what we learned in the wash.  The employer says that they conducted an employment background check.  Of course the first signal that perhaps the check was flawed would have been the lovely jewelry she wore around her ankle.  Here’s what they missed:

• If they would have conducted employment verifications or professional reference interviews they could have known this from her past employers:
  • • Walmart: stole two $500 gift cards.
    • Yellow Cab: stole more than $4,000 by logging phony trips and running customers’ credit cards more than once.
    • Kauff’s Towing: stole about $2,500. Prosecutors declined to prosecute.
• If the would have run a credit report, they would have seen that she had over $78,000 of liens and judgments against her.
• And then to 6 arrests for fraud and a two year stint in prison that might have been revealed if a proper criminal background check was completed

Who know how much this will cost her employer or how badly their reputation has been damaged.  It could have been avoided with an inexpensive, but thorough employment background check.

Continue Reading

We are intrigued by how quickly and stealthly (word? we’ll add that to the “Nicktionary”) the March 1st deadline for complying with the new Massachusetts Data Security Regulations came and went.  We also think that there isn’t a whole lot of information out there about exactly who this affects and how they can comply; not even from the state’s attorney general.  So we sought the expert advice of Massachusetts attorney Michael S. Kraft to help educate us.  Check out our podcast below which highlights what the regulations entail, who they affect and how companies can get in compliance.  While the regulations are fairly sweeping and apply to more than just human resource practices, we focused on the personal data employers receive from job applicants and their employment applications and background check releases.

Also, Michael offered the following compliance checklist for employers:

• Develop a written information security plan (WISP);
• Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored;
• Implement security policies and procedures and train your employees
• Secure all paper and electronic records; provide encryption
• Obtain written assurances from all vendors that they are compliant
• Regularly monitor and review to insure compliance

Continue Reading

Massachusetts attorney Michael S. Kraft was kind enough to correct me on the entry I posted last week about the state’s new data security regulations.  According to Mr. Kraft, not only do organizations based in the state of Massachusetts need to draft a policy to protect personal information, but any business that has any employee or consumer customer located in Massachusetts.

I checked out his blog and also found other helpful advice for how employers can comply with these guidelines.

The new Massachusetts data security regulation goes into effect on Monday, March 1. If you have not yet begun to plan for the deadline, then likely either you are unaware of the requirements, or you are feeling overwhelmed by them. And who would blame you in light of the seemingly endless list of tasks:

• Develop a written information security plan (WISP);
• Identify all foreseeable risks in your organization by examining every nook and cranny where data enters, leaves or is stored;
• Implement security policies and procedures and train your employees
• Secure all paper and electronic records; provide encryption
• Obtain written assurances from all vendors that they are compliant
• Regularly monitor and review to insure compliance

You know that it is vitally important, both because it’s legally required and because it’s the right thing to do to protect your customers.  But where to begin? Do you need professional assistance – a lawyer or specialized IT firm to accomplish this task?  That really depends on the size and nature of your business, the data that requires protection and how much time and energy you are willing to devote to the process.  Many businesses are probably capable of accomplishing a lot on their own. For the most part, the regulation is a straightforward recitation of the tasks needed to comply. But is that the best use of your time? Noted author and business consultant Andy Birol would caution business owners to judge very carefully those tasks that they choose to do by themselves and those that are properly delegated.

More

Continue Reading

Please note that the Massachusetts Data Security Regulations take affect on March 1, 2010.  This impacts all employers in the state that collect personal identifying information such as a person’s name and any or all of the following: Social Security Number, drivers license or state ID number, financial account or credit number.  Most employers gather at least a portion of this information during the on-boarding process and certainly need it if they conduct background checks.

In order to comply,  employers must have in place a written information security program (”WISP”) by 3/1/10.

View Press Release from MA Office of Consumer Affairs

Continue Reading

It is indeed a rare day when I will applaud legislation that aims to restrict those who provide employment background checks. We’ve just learned that the California legislature has introducedSenate Bill 909 which would mandate that a background screener “that prepares or processes in any manner an investigative consumer report, or portion thereof, outside of the United States or its territories to make specified disclosures to the potential user of this information, including, but not limited to, the country or countries where the report, or portion thereof, will be prepared or processed. The bill would also prohibit an investigative consumer reporting agency from transmitting a consumer’s social security number, except for the last 4 digits, outside of the United States or its territories.”

I support this bill because as an industry, we have an obligation to protect both our clients and their employees, and or prospective employees.  Identity theft is rampant in our society today and we all strive to ensure that the personal information that is provided to us in order to conduct a background check is held in the strictest of confidence.

There are some in our industry that choose to off-shore this information because let’s face it, it’s cheaper than paying someone to do it stateside.  Of course, once the information leaves the direct control of the screening company, what could happen next is anyone’s guess.

This law would obligate companies that off-shore this information to disclose that fact.  According to the bill, it would also, ”prohibit an investigative consumer reporting agency from transmitting a consumer’s social security number, except for the last 4 digits, outside of the United States or its territories. The bill would require these agencies to adopt and publish a privacy policy relating to information contained in reports that are prepared or processed outside of the United States, as specified. The bill would provide that an investigative consumer reporting agency is liable to a consumer who is harmed by any act or omission that occurs outside the United States or its territories, as specified.

Lastly, it is important to note that this bill exempts these requirements for those conducting background checks on individuals that live outside of the United States.

This bill is a win/win for employers and consumers.  We know that this effort will not be popular with those in our industry engaged in this practice, but it is efforts like these that will ultimately benefit the industry at-large.  We hope that it passes and would like to see similar legislation on a federal level.

Read the California SB909

Continue Reading

As many of you know we have done quite a bit over the years with the Society for Human Resource Management (SHRM).  Not only have we exhibited at many of their conferences but we have also had their Chief Operating Officer China Gorman participate in podcasts.  In addition we have been invited to speak at several of their chapter conferences and even the Staffing Management Conference last April.

I was honored when they asked me to participate in a video series they were conducting.  In the interview they asked many great questions including topics relating to Background Screening, Identity Theft, E-Verify and Post Employment Screening.

You must be a member to view the video’s and I encourage you to do so!  This particular clip focuses on Identity Theft and Employment Screening.

Continue Reading

In a development that should surprise absolutely no one, the Federal Trade Commission has announced another delay in their enforcement of the “Red Flag” guidelines aimed to curb identity theft until November 1, 2009.

They have done so, “To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.”

Important for Employers Engaged in Employment Screening and Background Checks!
We been in contact with the FTC and learned that this delay does not apply to employers who still need to be in compliance by the original November 1, 2008 deadline. Employers must still have a policy in place to handle “Red Flag” Address Discrepancy Notifications from National Consumer Reporting Agencies (mainly the credit bureaus).

For information for how employers can comply with the “Red Flags” Guidelines, feel free to download our webcast with Seyfarth Shaw’s Pam Devata.

Continue Reading

Stop me if you’ve heard this before.  In a move that should surprise no one, the FTC has announced that are delaying enforcement of the “Red Flags” Guidelines for Identity Theft Prevention until August 1, 2009 for all Creditors and Financial Institutions. For those of you playing at home, this is the second such delay. These guidelines were originally supposed to take effect on November 1, 2009. They were then delayed until May 1, 2009.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

It is important to note that this delay does not apply to employers who still need to be in compliance by the original November 1, 2008 deadline. Employers must still have a policy in place to handle “Red Flag” Address Discrepancy Notifications from National Consumer Reporting Agencies (mainly the credit bureaus).

If you are interested in learning more about your obligations under these guideline, check out our free webinar entitled “Users Responsibilities Under the FACT Act Red Flag Regulations”.

Continue Reading

We have seen this before and we will see it again.  Worried about identity theft, Texas legislators are attempting to remove dates of birth (DOB’s) from public records.  The National Association of Professional Background Screeners (NAPBS) is aware of the issue and will be in contact with Texas officials.  NAPBS has been successful in several states when these issues have surfaced in the past.  Whereas this bill does not directly remove DOB’s from all public records, its sends the wrong message.  Any type of redaction could open a pandora’s box of legislation. DOB’s are a critical piece of information when conducting a background check.  If the public record does not include the Social Security Number, a DOB is the only way to identify the subject as the one a search is being conducted on.  Using an individuals DOB to commit identity theft without the Social Security Number is virtually impossible, therefore NAPBS has taken a strict position against redaction of this critical information. NAPBS and employeescreenIQ will be releasing more information on how you can contact Texas lawmakers in the coming days.  We will be updating employeescreen University regularly as information becomes available.

Bill Seeks to Pull Birth Dates from Public Records

By JACKIE STONE Associated Press Writer © 2009 The Associated Press

AUSTIN, Texas — Texas lawmakers worried about identity theft are trying to remove state employees’ birth dates from public records — a move journalists and open records advocates say is unnecessary and will hamper government oversight.

A proposal by Rep. Helen Giddings, D-DeSoto, that would make the information private is scheduled for a public hearing Tuesday. A Senate version of the bill had a hearing earlier this month.

Those and at least two other bills filed in the Legislature this session could supersede a pending Texas Supreme Court case between The Dallas Morning News and the state comptroller’s office.

In 2006 the comptroller’s office filed a lawsuit asking that birth dates be ruled as personal information exempt from open records requests. That was after then-Comptroller Carole Keeton Strayhorn refused to include birth dates with employee payroll records requested by the Morning News. Past records have included the dates.

Current Comptroller Susan Combs has backed Strayhorn’s decision as the case moved through the lower courts.

“The main date-of-birth problem we have is identity theft, and identity theft is one of the nation’s fastest growing, most expensive criminal enterprises,” said Allen Spelce, a spokesman for Combs.

More

Continue Reading

The Associated Press is reporting that the state of Arkansas has lost the results of 807,000 background checks conducted on state workers.  The data from the background checks was saved to back up tape which was being stored at an off-site storage facility.  And while the facility is claiming that foul play is not a factor, they cannot say where the tape is or when it vanished.  Let’s hope they are right and that they are able to locate the tapes before someone with bad intentions discovers them and commits identity theft.

State: Background Check Data Missing

A computer storage tape with data from 12 years of criminal background checks in Arkansas is missing, though Department of Information Systems officials said Friday that there is no indication of a deliberate breach.

The department said a private off-site storage facility can’t find the tape, which has a record of criminal background checks run on 807,000 people over at least a dozen years.

The department says the storage company, Information Vaulting Services, said the tape’s disappearance does not appear to have been a malicious act.

More

Continue Reading