≡ Menu

Companies put themselves at risk when doing online background checks.

Employers are vetting out applicants online. The new adage is “Google them.” Some employers are stepping over the line of a simple web search to asking for an applicant’s password to social networking sites such as Facebook, Twitter, and Myspace. This may seem like prudent vetting practice, but in fact it’s more troublesome and legally dangerous than it is worth.

After an uproar over privacy laws on the Internet, a Montana city government retracted their policy of asking for applicants’ private passwords for social networking sites. Personally, I think Montana was fortunate it was an uproar on the internet and not an EEOC lawsuit that caused them to rethink their policy. Collecting a mere applicant’s or even an employee’s privacy credentials is not only legally dangerous, but unnecessary.

Let’s think through the logic of this. Say an employer, “BigCompany,” wants to vet potential 17-year-old intern, “Sarah Genius;” they want to ensure she conducts herself in a manner that is becoming to BigCompany. BigCompany’s Human Resources staff, namely low-on-the-totem-pole tech “Pete BadApple,” conducts a simple web search and views what the public can see online about her.

Pete BadApple fancies himself an expert internet searcher. He finds every group Sarah Genius had ever briefly been a member of, every update she posted on MySpace, and every forum she ever lurked on. This is all just public information. Pete BadApple makes a note that Sarah Genius suffers from diabetes and kidney problems (information he assumes based on her group memberships). Pete BadApple uses Sarah’s passwords to log in as Sarah on Facebook. He concludes that Sarah is African-American, based on her family and friend connections. Pete BadApple had met Sarah Genius during the interview process (and found her to be quite cute, actually), and this information is jarring to him.

Still, Pete BadApple continues on, looking through Sarah Genius’s friend lists. Lo and behold, Pete finds that Sarah is a cousin of Huge MovieStar. Huge MovieStar has a private profile and is connected only to friends and family that also have private profiles. They are a tight-knit group and protect Huge MovieStar’s privacy fiercely. Well, Pete BadApple is logged in as Huge MovieStar’s cousin, Sarah Genius, so Pete can thumb through Huge MovieStar’s updates. He finds that Huge MovieStar, who is all over the headlines for being tapped to star as the Next Indiana Spider-Terminator, was newly diagnosed with Leukemia. The headlines have no idea about this, and the movie studio would certainly withdraw the offer if they knew. Pete BadApple is a little short on cash this month, so he calls and sells the story to a tabloid, sending screen shots as proof. Pete BadApple finishes his vetting process of Sarah Genius and emails his report to his boss, and then forwards a copy to his friend, adding pictures of Sarah Genius in a topless bikini, captioning the pictures with “Can you believe this chick is Black? She’s totally hot anyway!”

Lo and behold, somehow Pete BadApple’s report and email wind up in the hands of an EEOC lawyer and the local and federal law authorities that investigate child pornography. BigCompany now has a Big Problem.

Even if Pete BadApple was Pete GoodApple, the mere public web search may have brought up information that although public, should not be part of the vetting process. Pete BadApple should not have included Sarah Genius’s medical-condition support group memberships in his report. This information violates the law. The other concern is that every company has a Pete BadApple. Even Pete GoodApple can “turn bad” when faced with potentially money-making information about an applicant. Why put your employees in that situation and your company at risk?

Nowhere in this process should private interactions come into public view. When you vet a person’s background, you should worry only about what the public can see about that person. Of course, password protection and site security aren’t foolproof and one day private information may become public (although this is a very rare occurrence); we can understand why BigCompany wants to make sure Sarah Genius isn’t a closet freak. But just because the Internet makes it more possible than ever to vet out a person’s background, it doesn’t mean an employer should. Employers got along just fine before Facebook. BigCompany can better predict Sarah’s future performance by looking at her past performance than they can aptly predict her performance based on her private web page. In fact, Sarah’s private web persona is most likely very different than her work or everyday persona. If employers make assumptions based on the content of Facebook Walls, they will be likely passing up qualified candidate after qualified candidate (this is especially true when the hiring manager is a Boomer and the applicant is from Gen X or Y).

An applicant’s privacy is better left intact. If you are an employer, rely on the old-fashioned vetting methods like a credit check and recommendations, and add a regular web search of public pages. Ignore memberships in any public support groups or forums. Keep your company free of legal and civil complications.

What do you think? Have you run into a situation at work where someone’s online privacy was violated? Heard of any lawsuits about this type of thing? Let’s discuss in the comments.

Comments on this entry are closed.

  • Nancy Creighton, PurpleSwirl 27 June 2009, 2:40 pm

    Good post, Christine! I had no idea that so much public information could lead to having wrong ideas about a person. For example, Pete BadApple assumes Sarah Genius has diabetes based on her group membership. But instead, she might be a member because her mother was just diagnosed and she wants to learn more. I guess even the lowliest people on the human resources totem poles need to be well trained to keep their employer out of legal trouble.

  • Christine Cavalier 27 June 2009, 3:37 pm

    Thanks Nancy! Yes, everyone has to be aware of what is legal. There have already been cases about how employees with costly medical conditions weren’t hired or fired because the company was concerned with possible future health insurance premiums. Unfortunately, I think we have a lot more lawsuits ahead of us before people get a clue. An online life usually coincides with a person’s real life, but as you said, we can’t make assumptions based on that. I think we are going to see Pete BadApple researching the entire Genius family tree to see what Sarah Genius’s chances are of heart attack, alcoholism, breast cancer, disability, etc., before he sends his hiring recommendation on to his bosses. Not only is it an outrageous attack on privacy, it’s probably a waste of time. Statistics and efficiency evaluations on this haven’t happened yet, but based on my knowledge of other Return-on-investment time management studies, Pete BadApple’s hourly rate won’t equal the money saved by “guaranteeing” Sarah Genius’s health and ability. It just won’t be a statistically sound investment of BigCompany’s time. It’s best to stick with what Human Resources have done forever, with just perhaps a cursory Google search added (that is taken with a grain of salt).

  • Lisa Cunningham 30 June 2009, 8:54 am

    Interesting post, Christine. Employers getting a hold of medical info bothers me, too, since I’m a 19-year cancer survivor. While HR people usually know what they can’t ask, your potential boss might not. She might decide to do a more intensive search, especially if she’s been burned before.

    For all Pete knows, Sarah Genius might be very healthy and have no genetic risk of diabetes; it often runs on the mother’s side.

    As for the Google search, my name is so common that there’s no telling who might pop up. In Tampa, several other women have my name, and I used to get teased about a younger girl who showed up in the paper, playing pool in a bar. My colleagues knew she wasn’t me, but who knows what a stranger who isn’t checking birth dates and middle names might assume?

  • Christine Cavalier 30 June 2009, 1:11 pm

    Lisa, you’re totally right. Pete BadApple is wrong to assume anything from any online — or offline, for that matter — participation in groups.

    A common name, like Lisa Cunningham, is a bit of a godsend these days. I almost wish there were more than just a handful of Christine Cavaliers, because I share a name with a B-movie/soft porn star (she used “Christine Cavalier” as a stage name). Like I really want employers thinking I’m the same person. Uh, no. (plus she’s too old! she has to be at least 20 years older than me!) Here’s her imdb page: http://www.imdb.com/name/nm0146763/ I found nude pictures of this woman on the internet. One guy on Facebook asked me if I was her. It’s crazy!

    The only thing I can do is flood google with internet activity, hoping to cover it up. Who knows? Hopefully when I am a published novelist I can use my real name and the publisher won’t give me flack over this.

    But yes, the medical information issue is murky. My friend has been blogging about her experience at 23andMe, which does personal genetic screenings. I am nervous about a private company holding that much information on me, especially if genetic predispositions of life-altering diseases are found. I’m sure you empathize, being a survivor (congrats on that by the way!). Although it would satisfy a lot of curiosity, I’m not sure the risk is worth it.