The NSA, Snowden and Third-Party Risk: Preliminary Lessons Learned

Remember this: Edward Snowden Worked for a Third-Party Vendor. While it remains uncertain what exactly Mr. Snowden shared with other nations, we do know this: he wasn’t authorized to disclose classified information. Some may believe he is a hero, others believe he is a villain. It is clear, though, that his employer, consulting firm Booz Allen, is the recipient of unwanted publicity. The company is one of the more prominent government contractors supplying personnel to the intelligence community.

It is also clear that the third-party background investigation firm that vetted Mr. Snowden is under examination. Northern Virginia-based USIS, which advertises that it is “the leader in federal background investigations,” is on the hot seat. U.S. Senator Claire McCaskill (D-Mo.) said during a Senate hearing in June that USIS is “under active criminal investigation.”

The Senator also noted that there appears to be “systemic failure to adequately conduct investigations under its contract.” In a statement that should resonate with every company engaging with third-party background investigation services, Sen. McCaskill commented that this should serve as “a reminder that background investigations can have real consequences for our national security.” The problem extends to companies outside of the Washington Beltway and the defense and intelligence arena.

While it is unlikely that third-party employee behavior will rise to the level of policy violation exhibited by Mr. Snowden, it doesn’t have to in order to compromise information integrity, breach corporate governance and contracts, and violate regulatory requirements, in the form of identity theft, trade secret theft, brand hijacking, blackmail, and extortion. The background investigation doesn’t always work.

The annals of background investigation history are rich with examples of failed policies, procedures, and even strategies for understanding the truth about a candidate’s past. Criminals have passed background checks. There is a reason that top secret security clearances can take up to nearly two years to conduct and may cost several thousands of dollars, and sometimes much more, depending on a number of variables relative to each case. Of course, not every candidate needs this level of background investigation. But companies should examine the background investigation process used by third parties that have physical, logical, or administrative access to information.

It’s always good to scope the extent of a background investigation on the basis of access. Some organizations initiate background checks only on certain candidates. One executive remarked that “we only conduct checks on positions with the title of vice president or above.” This can convey a false sense of security. While senior executives may have access to critical sensitive information, many lower-level positions come with a high level of access to this same information.

Here are ten background investigation considerations:

  1. Assess how the third party under consideration may pose risk to your company, not by the title or level of a position, but rather by the level of access to information.
  2. Make sure the third party is open and responsive to questioning about the background check process. Trust but verify, as the saying goes.
  3. Ask about their background investigation vendors, and then conduct your own due diligence on those firms used by the third parties. Examine the processes and methods used to investigate candidates.
  4. Don’t hesitate to ask to see background check forms. We’ve seen background reports where certain information contained in the report didn’t seem right—and it wasn’t. Maybe it was a phone number that didn’t seem correct, perhaps an area code that doesn’t exist. Yes, people actually make up telephone numbers and addresses. It may be worth knowing what type of telephone number was used by the candidate. Is it a temporary, prepaid number? Is it a registered mobile number, a home telephone, or maybe even a business telephone number? Is it the number of a family member, a friend, or other person?
  5. Have the third-party firm supply references. And make sure that the references are relevant to your company. For example, if the third party is going to handle regulated data, check with companies that have engaged the third party to manage that type of information. The security and privacy requirements may be industry or jurisdiction specific.
  6. Check the third party’s breach history and the cause of any breaches. Were any breaches linked to failures in the background investigation process?
  7. Ask what lessons were learned after any breaches and if those lessons were incorporated into the background analysis process.
  8. Are employees ever reinvestigated?
  9. What is the reinvestigation frequency and scope?
  10. Are reinvestigations triggered by certain life events, or corporate events, such as a merger or acquisition?

The accuracy and effectiveness of background investigations of third-party employees is one of the best defenses against a breach and its consequences. Knowing who has access to your data, and whether they are trustworthy, is a mandatory tenet of strong corporate governance.

MacDonnell Ulsch is the CEO and Chief Analyst at ZeroPoint. He advises a wide range of clients in the private and public sectors. He is the author of the book “THREAT! Managing Risk in a Hostile World,” and is currently writing “CYBER THREAT! How to Control the Growing Risk of Cyber Attacks,” to be published in 2014 by John Wiley & Sons Inc.