The "No Network is 100% Secure" series
Pre-Employment
Reference Checking
A White Paper

What is employment reference checking and why is it done?: Here's the "official" reason, right out of the HR playbook: Many job seekers misrepresent their backgrounds and credentials; others simply leave out important information. And no matter how honest applicants are, you can still learn a great deal by talking to other people who know them. A negative reference could save you from hiring someone who is woefully unqualified for a job or who has destructive tendencies that could land you in trouble. For example, you can be held liable for a new hire who becomes violent and injures an employee or customer, or commits fraud if it's proven that a reference check could have stopped you from hiring the applicant.

I suppose there's some validity to this reasoning although it doesn't speak well for the level of trust (or more accurately, the lack of trust) HR has in their fellow human beings.

As an example, most job interviews include one or more sessions with employees who understand all aspects of the job that the candidate is being considered for. So HR is going to rely on previous employers to give them a heads up that this person really can't do the job they are interviewing for?!?!?!

Clearly, doing a criminal background check on candidates makes sense. This is especially true if the employment environment would have the new hire working with money, young children or in other situations where an employer would want to do due diligence to make sure that the candidate is on the up and up. However, in my experience, this (criminal background checks) are rarely done. Many employers and "recruiting agencies" will want to do a financial background check though. And to this I would advise, "just say no". Or at the very least, remove anything in the background check form they will want you to sign that gives up any right to seek legal remedies if you are denied employment because of information that is provided that ultimately turns out to be false. I also do this with drug testing authorization forms. While I have never used illegal drugs in my life, I have little confidence that some of these drug tests can tell the difference between someone who mainlines heroin and someone who had a poppy seed bagel for breakfast. If employers feel it's important to run candidtates through this squirrel cage, that's fine. But you should always protect your rights to sue someone who causes you financial or other harm.

I happen to have concealed handgun licenses for Oregon, Washington and Utah. These require a State Police and FBI criminal background check as well as a mental health history investigation. To get a CHL, the applicant cannot have any felony convictions, ever. No misdameanor convictions in the past 4 years. No restraining orders, ever. No domestic abuse convictions, ever. And there's more, but you probably get the idea that one needs to be a straight and narrow solid citizen to get and keep a CHL. Yet in spite of the rigorous investigations that CHL issuance involves, virtually no employer or agency will accept this as a reference! They are only satisfied if you provide the names of three drinking buddies who will say nice things about you. This may make sense to you. It sure doesn't make sense to me.

Past employment verification checking: This function actually makes sense, at least to me. If someone has Company xyz listed as a previous employer one certainly has an expectation that a prospective employer may want to verify that the candidate actually worked there. Due largely to potential litigation worries, most employers will provide little more than starting and ending dates of employment and job title information. Many companies, and especially larger companies have a strict personnel policy that forbids employees from offering past employee reference information. Any competent manager will refer reference check requests to the Human Resources department. To do otherwise is to invite a civil lawsuit should any comments that are made result in the denial of employment for the prospective candidate. In addition, providing information about a previous employee could be a terminatable offense. Why risk it?

There are companies out there who offer the service of checking your references and prior employers for you. Basically, this is a service for proactive job seekers who want to know exactly what references are saying about them. Most of these companies will really push the envelope to see if anyone will say anything negative about their client. And of course, many of these questions would be completely illegal to ask in a job interview setting. Again, past employers are taking a big chance if they say anything negative about somone and could very well find themself embroiled in a lawsuit for slander. So at the end of the day, I'd have to wonder about the value of this type of verification checking other than to confirm employment dates and job titles.

Winners and losers: It ought to be abundantly clear to the astute reader that reference checking greatly benefits the prospective employer and is either neutral or a negative to the candidate. The person doing reference checks will ALWAYS put more weight on any negative comments than they will on any superlatives. They will also be keenly aware of any vague or lukewarm comments that a reference may make. The best outcome that a candidate can hope for is that one of the people being interviewed about them doesn't blow the job opportunity for them.

One of the ways that smart candidates can hedge their bets a bit is to insist on a conditional offer of employment before agreeing to submit to reference checking. That way, as stated earier, if a reference botches the process for you, you have at least a chance of taking legal action against them since you can now prove financial loses based on comments that were made. Furthermore, in my opinion, it is unreasonable for the potential employer to expect that you'd be okay agreeing to reference checking if they weren't actually prepared to make you a job offer. Good references need to be protected against frivolous calls by people who are just on fishing trips to see what kind of dirt they can dig up on someone.

Are you required to give your social security number (SSN) to an employer just because they demand it?: I receive a lot of e-mail on this question so here's the answer right from the Social Security Administration web page.

Q: Must I provide a Social Security number (SSN) to any business or government agency that asks?

A: The Social Security number was originally devised to keep an accurate record of each individual’s earnings, and to subsequently monitor benefits paid under the Social Security program. However, use of the number as a general identifier has grown to the point where it is the most commonly used and convenient identifier for all types of record-keeping systems in the United States.

Specific laws require a person to provide his/her number for certain purposes. While we cannot give you a comprehensive list of all situations where a number might be required or requested, a Social Security number is required/requested by:

Internal Revenue Service for tax returns and federal loans;
Employers for wage and tax reporting purposes;
States for the school lunch program;
Banks for monetary transactions;
Veterans Administration as a hospital admission number;
Department of Labor for workers' compensation;
Department of Education for Student Loans;
States to administer any tax, general public assistance, motor vehicle or drivers license law within its jurisdiction;
States for child support enforcement;
States for commercial drivers' licenses;
States for Food Stamps;
States for Medicaid;
States for Unemployment Compensation;
States for Temporary Assistance to Needy Families; or
U.S. Treasury for U.S. Savings Bonds

The Privacy Act regulates the use of Social Security numbers by government agencies. When a federal, state, or local government agency asks an individual to disclose his or her Social Security number, the Privacy Act requires the agency to inform the person of the following: the statutory or other authority for requesting the information; whether disclosure is mandatory or voluntary; what uses will be made of the information; and the consequences, if any, of failure to provide the information.

If a business or other enterprise asks you for your number, you can refuse to give it. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for a Social Security number, but do not need it; they can do a credit check or identify the person in their records by alternative means.

Giving your number is voluntary, even when you are asked for the number directly. If requested, you should ask why your number is needed, how your number will be used, what law requires you to give your number and what the consequences are if you refuse. The answers to these questions can help you decide if you want to give your Social Security number. The decision is yours.

Courts have consistently upheld that Plaintiffs (Employee/potential Employee) have a right to decline providing SSNs when demanded by an Employer or prospective Employer on First Amendment grounds. One cannot be denied employment for refusing to provide this information. There is no law that prohibits Employers from asking for SSNs however. In addition, there are very few regulations on what employers can do with your SSN once they have it. Obviously, you (not your Employer) are clearly at risk of identity theft the more often you offer up your Social Security Number. A prudent personal policy, therefore, would be to "just say no"! Litigation is obviously something to be avoided but if push comes to shove, Employers should plan on paying lost/back wages, damages and legal fees should they decide to force a policy of requiring SSNs. I can refer you to several really good NCOM/AIM Attorneys should you need one.

About the Author

Frank Saxton is a computer network security engineer and Easyrider LAN Pro principle. Home-based in Portland, Oregon, Frank has been designing remote diagnostic and network enterprise monitoring centers since the late 1970s. Prior to becoming a professional systems engineering consultant in 1990, Frank had a 20 year career in computer systems field engineering and field engineering management. Frank has a BSEE from Northeastern University and holds several certifications including Network General's Certified Network Expert (CNX). As a NOC design engineer and architect, Frank works regularly with enterprise-class monitoring tools such as HP Openview Operations, BMC Patrol and others. In his enterprise security audit work, Frank uses sniffers and other professional grade monitoring tools on a daily basis.

Next in the security white paper series:

Are you vulnerable to drive-by exploits?
IT employment challenges of the 21st century
Competency Certifications White Paper
ISO/IEC 27005:2008 Standard for Security Risk Management
High value sites recent hacks
Still more 2009 hacks in the news
OpenID White Paper
Firewall White Paper
Password White Paper
Digital Identification Certificates White Paper
Virus White Paper
Ghostnet White Paper
Cryptography White Paper
Intrusion Detection Systems IDS White Paper
Rootkit White Paper
Unnecessary Windows XP Services White Paper
Scareware White Paper
Exaflood Internet Brownout White Paper
Cloud Computing White Paper
Proxy Server White Paper
Personal Computer PC Security White Paper
Phishing White Paper
DNS Poisoning White Paper
Conficker White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Monitoring Basics 101 White Paper
Monitoring Basics 102 White Paper
Monitoring Basics 103 White Paper
Virtual Machine Security White Paper
Aurora vulnerability White Paper
Shelfware White Paper
Outsourcing White Paper

Easyrider LAN Pro Consulting services:

Network Security Audit and PC Tune-up service

- Proxy server installation and configuration
- Enterprise security consultations
- Disaster recovery planning
- Disaster recovery services
- Capacity, migration and upgrade planning
- Build and deploy central syslog server
- Build trouble ticket systems
- Design and build monitoring environments
- Design and build Network Operations Centers (NOC)
- HP Openview, BMC Patrol consulting