I completed a questionnaire the other day regarding whether the IT employees in my organization are fingerprinted at the time of employment and furthermore, did I think it was a good idea to do so?
The answer to the first question is no; we perform a thorough background check, but currently do not fingerprint IT employees. The second part of the question is a much more interesting issue.
The first consideration when regarding fingerprinting an IT employee is whether Federal or State law requires it. 12 U.S.C. 1829 (1785(d) for credit unions) requires financial institutions to take steps to avoid hiring an individual convicted of dishonest acts. SEC Rule 17 C.F.R. 240.17f-2 states that employees who handle securities must be fingerprinted. Therefore, if you work for a financial institution or handle securities, you very likely are or should be fingerprinted. I am sure there are laws that state the same for other industries.
However, if your organization is not ordered by statute to fingerprint, should you? Furthermore, should you single out IT employees? And if so, are there certain IT employees who should be subject to the rule and others that shouldn’t?
There are no clear answers here; but deciding whether you think IT employees should be fingerprinted should be based on (a) risk, (b) cost, (c) benefits, and (d) your business philosophy.
First, let's talk about IT employees and whether singling them out is a good idea and if there are classes of IT employees that are exempt. Typically, IT employees are more likely to be privy to/have access to sensitive information and systems than other employees, based on the nature of their work and their relationships with others throughout the organization. They often enjoy a level of trust with other employees (deserved or not) that other employees tend not to get. Because of this fact, I personally lean towards having IT employees singled out for fingerprinting over other employees.
As for the question of whether some IT employees should be exempt from fingerprinting, my first reaction is to say no, you should treat each of them the same. Because IT employees mingle and often have access to the same areas where sensitive information resides (whether it is in their job description or not)—I say, treat them the same.
Now, let’s talk about risk. Are you at greater risk by hiring an employee whose background has been thoroughly checked, but not fingerprinted? That is a harder question to answer. The FBI cites the statistic that 10 percent of all fingerprint cards submitted uncover a criminal record. Does that cause you great concern? Well, that depends on what kind of data you collect, the systems you manage, and what kind of damage can be done by an employee who might gain access to sensitive information. Only you and your organization’s management can determine if the risk is great enough to warrant the time and money spent on the fingerprinting process.
The last time I checked, it cost $30 per employee to be checked by the FBI, plus 8 to 10 business days of processing time. Depending on the size of your IT organization and your turnover rate—this could be an insignificant cost of doing business or a major cost. This cost must then be weighed against the perceived risk and then compared to the benefits of going through the exercise. Also keep in mind that employees should be fingerprinted and checked not just at hire, but every three to five years. So, there is an ongoing cost to this decision.
What are some of the benefits? There are both real and perceived benefits, which have value. Having your IT staff fingerprinted can result in monetary benefits such as reduced insurance costs, possible higher bond ratings for your organization because of your emphasis on security, compliance benefits, etc. You also get the benefit of having the perception (both internally and externally) that your IT organization and personnel are more “trustworthy” than your regular run-of-the-mill IT organization.
Speaking of the perception and value of “trustworthiness”, I would be remiss if I did not mention surety bonding—in particular, fidelity bonds. Fidelity bonds insure a business owner financial coverage for losses caused by a dishonest employee. Under fidelity bonding the owner is covered up to the amount of the bond. The surety company will then seek reimbursement from the employee. There are several different types of fidelity bonds, but the one most applicable to an IT shop would be a Blanket Position Bond.
Under a blanket position bond, the employer has coverage for all its employees. The bond automatically covers new employees and ceases the coverage of prior employees upon resignation or termination. The Blanket Position Bond will cover each employee involved in an incident up to the coverage amount. For example, if an employer caught 10 dishonest employees and the bond amount was $10,000, you would be eligible for $100,000 in coverage. Unlike Named Schedule Bonds, under a Blanket Position Bond, the employer does not have to prove which employee was responsible for the loss.
Why do I mention bonding? Because this is another way of reducing risk and providing perceived trustworthiness. For example; if I were in the business of selling and providing data center hosting, I certainly would use fingerprinting of employees and bonding of my employees as a selling point, and a way of setting myself apart from my competition. Additionally, the fact that I was doing so would probably garner business that I might not get had I not done so.
So in the case mentioned above, not only am I reducing risk but gaining competitive advantage with those security practices. Obviously bonding is an added cost, and it has to be weighed against all the measures described above.
Lastly, neither of these practices guarantees anything about the security practices of your IT organization; they are just part of the tool set that you can use to employ the best security practices possible. Whether your organization chooses to do so is dependent on current law and the individual circumstances of your organization. Finally, there may be some sense that this is an invasion of privacy for your IT staff and that they are being singled out unfairly. I don’t mean to downplay this, but if you can make the business case for the practice, then it should not be hard to explain it to your employees in a fashion that makes complete sense to them. If you can’t, then perhaps you don’t have a good case for it.