Q: Our company completes a background check only whenever we hire a new person. I’ve heard of continuous screening, and I’m trying to ascertain whether our company should consider this.
A: Performing integrity and background screening is a necessary part of the hiring process. The more critical the position or the greater the access to sensitive data, the more crucial the need for a deep background screening. However, many companies conduct their screening only when somebody is hired, rather than throughout the entire tenure of an employee. This is where many companies have a gap in their security risk management practices.
I have yet to hear any executive say, “I don’t have to get a check-up, my doctor said I was healthy seven years ago.” Yet, the security health of an organization is often placed at risk when there is not persistent background screening of its people. Just as many health-related issues could pop up after a single all-clear report from your doctor, so, too, can many security-related events pop up after an initial security screening.
There are two key reasons to consider continuous (or persistent) screening:
- Legal Liability: A tactic used by attorneys suing companies over security issues is to identify if a company was negligent in overseeing key personnel’s security fitness. It’s possible that if a company does not conduct on-going background screenings, thereby letting otherwise unqualified personnel continue their duties, a claim could be made that the company was not conducting due diligence around security. Additionally, almost every jurisdiction has cases referring to “negligent retention.” Under the theory of negligent retention, a company will be closely examined to determine if they “should have known” that an employee’s fitness precluded them from being retained by the company.
- Personnel are being targeted: Many criminal organizations and state actors are recruiting insiders to assist with criminal ventures. A recently unsealed indictment has shown how an IT Infrastructure and Security Manager of a French aerospace company was recruited by a Chinese group to assist with the theft of intellectual property. It is very possible that this manager’s susceptibility to recruitment could have been identified through continuous screening.
As part of your risk management processes, including access control (logical and physical) it is vital that you consider implementing persistent integrity/background screenings. Arguably, it is only under a continuous screening process that you might be able to identify employees whose situations have changed, such as (but not limited to) new financial hardships, new associations with known criminal groups, or a sudden increase in assets.
Each unique organization must decide which key positions need persistent screening, and the extent to which the screening should occur. Each company should start with a risk assessment to help decide what is most appropriate for them. If it is determined that all or some of your organization’s positions would benefit from continuous screening, you then must determine what specific policies and procedures will need to be implemented.
One word of caution, though. If you decide that it is beneficial to implement continuous screening, take time and care determining how you will roll out the process. To ensure that you are not violating FCRA rules, you will need to decide how your organization will receive informed consent for continuous screening from affected employees. Further, you will need to determine how you will handle any refusals for consent to continuous screening (e.g., reassignment or firing).
Answer provided by Jerry Vergeront, Security Executive Council Subject Matter Expert.