
The employee is stealing! Whose fault is that?

Failure to adequately screen new employees can cost employers a lot of money. And time and effort. So, in effect, more money. Who is responsible for this? The answer may be different than you expect.

Published on: December 12, 2022

Three risks of missing a background check

If an employer does not properly vet a candidate, they may hire someone without the right qualifications and experience. The employer then has to teach the new hire what, according to his or her own (unverified) claims, he or she should have known long ago.

The employer may also decide to say goodbye to a less-than-truthful colleague. But then they once again have to spend time and money looking for a new person. In the meantime, someone else has to cover the job.

However, it can also happen that a candidate not only embellishes the qualifications and experience in his or her CV or tactfully keeps silent about some negative facts, but applies for the position with the direct aim of harming others: to defraud the employer, download a client database, leak trade secrets, gain unauthorized access to code, and steal money.

Sure, it doesn't happen every day. But it does happen. According to many statistics, the costs associated with insider threats are steadily rising. The cost of dealing with insider threats and attacks is in the tens of millions of crowns in the average organization.

If nothing major happens...

The attack threatens everyone

Even in our context, we have seen major attacks from within on the employer's property and other interests. A phone carrier's client database was copied and sold fraudulently, a large amount of cash was stolen, gift cards were embezzled, and internal information was negligently (or even intentionally) disclosed, affecting the company's value on the stock market or in negotiations with an investor. Examples abound.

Do you think you are not at risk of such an attack because you are not an operator, a bank, or a large authority or fund managing billions of dollars of assets?

According to a survey by the U.S. Chamber of Commerce, retail stores face a greater threat from their employees than from thieves or "street" robbers. Yes, internal employees steal more on average than "outside thieves." Sad but true.

Who's to blame for the trouble?

Who is responsible for the fraudster getting into the company? Who should have checked him, who is responsible for the selection process? Who is to blame for the organization incurring tens or hundreds of millions of dollars in damages because it failed to vet a new employee?

In other words, who to punish for bad recruiting?

At first glance, there are several culprits:

  • We can blame HR, which is responsible for recruiting
  • We can blame the compliance officer or the security director because they should have supervised the employees better
  • And if we have an external recruitment agency or headhunter helping us with recruitment, that's also an ideal scapegoat.

But firing the head of HR or the compliance officer, or terminating an outside agency, will be neither fair nor effective. And it won't in itself prevent similar problems from recurring in the future.

The statutory officer is personally liable

The first responsibility for the proper functioning of any organization lies with those who run it: the statutory officer, a member of the statutory body, a director, the CEO, a member of the board of directors.

How should this somewhat general statement be understood in the context of vetting job applicants?

It is the responsibility of the management of the organization to decide whether they intend to address applicant screening in recruitment at all, what resources they will devote to it, and whether the staff responsible will have the capacity, tools, and capabilities to do so.

When an organization's management underestimates the security of its staff or even gives up on vetting candidates altogether, the members of its statutory body put themselves at great personal risk. If this is judged to be a lack of responsibility in the exercise of their functions, in breach of due care, they risk being held liable for any damage caused to the organization's assets. And, in extreme cases, they may even be prosecuted.

Due diligence and background check

What does the somewhat archaic-sounding concept of "due diligence" mean in practice? Simply that a member of a statutory body or a member of an elected body is obliged to perform his or her duties with the necessary knowledge, due care, and loyalty. He or she must have sufficient information to make decisions and must put the interests of the organization ahead of his or her own interests.

What if a member of an elected body fails to act with due care and the organization suffers damage? For example, the member in question did not address background checks of new employees at all, even though it must have been obvious to him that he was putting the company at great risk.

In such a case, the member of the statutory body is liable for the damage with his or her entire property: cash, movable and immovable property, simply everything that he or she owns alone or together with someone else, e.g. a spouse. And that's where the fun really ends.

Background check protects the employer and the statutory agent

Candidate background checks are an important element in protecting employer assets. And, by extension, the personal assets of whoever runs the company.

Certainly, not every insurance company, county, government office, school, manufacturing company, or business needs to screen its employees to the same extent. But at least a basic consideration of which job applicants an employer will screen, to what extent, in what manner, and using what sources of information and tools, should always be made by the statutory officer. This is the only way to adequately and consistently protect the employer's assets and one's own.

František Nonnemann

author of the article

A professional in personal data protection, financial regulation, compliance, risk management, and information security, with experience in both the private and public sectors.