Managing Compliance and Due Diligence in International Hiring
Employers have long recognized that conducting due diligence on new hires is a mission critical task. When it comes to any position dealing with Information Technology (IT), the stakes go up exponentially due to the sensitive nature of access to data and systems that operate the company.
Security professionals, CISOs and IT Directors with the responsibility to safeguard the integrity of security systems and data cannot afford to be sidetracked by insider threats such as intellectual property theft, sabotage, embezzlement or other workplace distractions. Although there are well-established processes to exercise due diligence in the United States, U.S. employers are increasingly finding that employment screening involves an international aspect.
Security professionals may encounter five situations where international background checks become important:
- With the mobility of workers across international borders, it is no longer adequate to conduct screening just in the United States because a significant percentage of the U.S. population consists of immigrants.
- Many IT positions are filled with individuals from foreign countries in the U.S. on a H1-B1 visa.
- A U.S. citizen may have gone to school or worked outside the U.S.
- With business going global, U.S. firms are having to staff offices internationally.
- International screening may be needed if IT work is outsourced outside of the U.S. A survey of 350 IT managers by Amplitude Research found 61 percent of respondents who worked for companies that outsourced IT jobs to other countries said they experienced a data breach after outsourcing while just 35 percent of the companies that did not outsource had data breaches. In some instances, a firm may want to conduct due diligence on a business entity as well as the principal and workers to ensure data protections.
The following will introduce you to international background checks, including the legal, cultural and practical challenges faced when obtaining information outside the U.S. International Screening vs. Domestic Screening.
Because of the perceived difficulty in performing international employment screening, some security professionals have not attempted to verify international credentials or to perform foreign criminal checks. However, the mere fact that information may be more difficult to obtain from outside of the U.S. does not relieve them from their due diligence obligation.
However, security professionals face special challenges and practical difficulties when performing international screening because every country is completely different when it comes to background checks. Techniques, information and availability of public records that are taken for granted in the United States are often times not available abroad. Outside the U.S., there is generally limited access to public records and the types of information needed for a background screening. Each country has its own laws, customs and procedures for background screenings. Other challenges include:
• Differences in courts and legal systems
• Variations when expressing foreign names in the English alphabet
• Time differences when communicating around the world
• Different means and cost of communication
• Countries with country specific forms
• Foreign calendars with different holidays
• Fraud awareness of non-legitimate foreign schools and employers
• International screenings more expensive than domestic
• Payments made in currency of foreign countries
Background Checks for Applicants with Visas
Security professionals cannot assume the U.S. government has performed a background check on workers with a visa that relieves them of their due diligence obligation to conduct their own screening. Government efforts are not foolproof. After the events of Sept. 11, 2001, the U.S. Government has certainly increased checks on foreign visitors and workers on government “watch lists.”
However, these checks are primarily aimed at keeping terrorists and international fugitives from entering the U.S. or deporting non-citizens who commit crimes or overstay their visas. The efforts of the government, although vital, are not aimed at lesser convictions that may be relevant to job performance or verifications of credentials. Security professionals should consider screening internationally for criminal records, employment, education and publicly available terrorist lists.
International Criminal Records and Terrorist Databases
There are additional challenges for international criminal searches. In some foreign countries, searches may be broad and accurate, while in other countries, searches may be conducted at the local police department level and offenses in other areas can be missed.
Another alternative available for some countries is to request that an applicant obtain their own certificate of good conduct from their local police station. However, certificates have their own drawbacks, such as covering a limited time period or geographic area, and authenticity can be an issue.
Turnaround time for international criminal searches can be much longer than domestic U.S. searches. Different countries also have different rules on the level of searches, but in most countries it is possible to obtain information of offenses of at least the felony level. Another concern is name variations. Many countries have naming conventions different than the U.S., such as using the mother’s name. Complications can also arise for applicants with names based on a non-English alphabet, such as Chinese, Arabic or Japanese that must be translated into English.
Other due diligence tools include various terrorist databases available to the public, such as the Office of Foreign Assets Control (OFAC) list maintained by the U.S. Department of the Treasury.
International Employment and Education Verifications
The challenges involved in international employment verification are augmented by all the problems associated with working internationally. To obtain background screening information, security professionals may need to schedule calls for the middle of the night, locate foreign phone numbers and overcome language barriers.
Verification of an educational degree earned abroad is critical to verify credentials and to avoid fraud. Security professionals need to determine if an applicant attended the school claimed and received the degree claimed. They also need to determine if the school is accredited and authentic or a worthless “diploma mill.” The international education verification process has three parts:
• Determine if applicant attended school claimed and received degree claimed;
• Determine if school is accredited and authentic; and
• Determine equivalency of foreign degree in terms U.S. employers can understand.
Unfortunately, the world is awash with phony schools, fake degrees and worthless diplomas. Statistics show that education fraud can run as high as 20 percent. If security professionals are not familiar with a school, they should conduct their own research.
Privacy and Data Protection
Privacy and data protection is another crucial issue for international screening. Security professionals must consider the application of foreign privacy laws regarding the manner in which information is obtained, transmitted and utilized.
For example, the European Union (EU) passed strong privacy rules in 1998 affecting how personal data can be obtained and utilized. American background screening firms that do international searches should be a member of the U.S. Department of Commerce “Safe Harbor” program, which demonstrates a commitment to the EU privacy and data protection rules. Firms that acquire data on individuals from EU member countries without compliance with the EU rules can be in violation of EU law. A listing of firms on the Safe Harbor members list appears at https://safeharbor.export.gov/list.aspx.
In addition to the EU Privacy rules, other countries are in various stages of dealing with similar issues concerning personal consumer information. In 2004, a privacy law called the Personal Information Protection and Electronics Document Act (PIPEDA) went into effect in Canada that impacted international screening. Under PIPEDA, employers can still conduct pre-employment background screening, but only with some stringent privacy controls.
While international screening can be challenging, it is not impossible. Security professionals can find themselves in hot water by assuming international screening is too difficult or expensive and simply bypassing the process.
If the task of international screening is outsourced to a background screening firm, that firm has an obligation under the Fair Credit Reporting Act (FCRA) to take reasonable procedures to insure accuracy. If there is a negative public record, the firm must make certain the information is correct, up-to-date, and supplied in a way that does not violate any data or privacy protection rules.
Security professionals implementing an international background screening program should follow the following recommendations:
• Do not assume if a person has spent time outside the U.S. that an international check is not possible.
• Do not assume a worker with a valid visa has undergone a sufficient background check as part of the visa application.
• Be aware of international data and privacy protection laws that can potentially impact what data can be obtained and used by an employer.
• Understand that there is a difference between obtaining and using information for a job position in the U.S. as opposed to setting up offices or facilities outside of the U.S.
• If setting up offices or facilities outside the U.S., make sure you understand local law. However, in some cases, local law may allow inquires that go beyond what would be allowed in the U.S. In such circumstances, a firm may want to follow a standardized global process to the extent possible that is also consistent with U.S. laws as well.
• Perform the broadest criminal search allowed in each country for the most protection.
• At the very least, verify the highest education the applicant attained and the last employment where applicant worked.
• Be aware of the potential fraud issues for international education and employment verification.
• Use proper consent forms needed for each country.
• Keep all data confidential and secure.
• If using a background firm, ensure that it is Safe Harbor certified or National Association of Professional Background Screeners (NAPBS) accredited.
IT and Information security specialists have a much higher degree of due diligence given the sensitivity of their responsibilities. International background checks are an essential part of this risk-management.