Follow-up Thought: Facebook Credentials and Hiring Process

Just a quick follow-up to my previous post “Before I hire you I’ll need the keys to your home…”

I read a comment on LinkedIn that said there were no laws prohibiting employers from asking you to turn over your Facebook credentials so they can see your private information. In my non-lawyerly view I think it relates to plenty of laws that declare certain questions as “off-limits” as part of the hiring process. Age. Sexual orientation. Pregnancy. Disabilities. It is not uncommon to find details related to these personal issues shared with friends and family on Facebook, but often they are explicitly hidden from public view.

Asking a candidate for their Facebook credentials so that the employer can rummage through these personal details is no different, at least in my view, from asking these questions directly during an interview. If certain pre-employment questions are already prohibited by law, then requiring a candidate to turn over access to that information via another avenue seems to splash down in the same swimming hole.

Let me play a scenario:

A candidate had a pretty good interview. A few days later an HR rep from the company calls him up and says there is just one more step in the process. Since his Facebook page isn’t public, they’ll need the userID and password “just as routine”. He gives it and within a week receives a letter that he was not selected for the job.

On his Facebook page, it’s pretty clear he’s gay.  Many of his posts and those of his friends refer to him and his partner.  He believes that is the only reason he didn’t get the job.  He thinks that asking for his userID and password wasn’t “routine” at all but merely an excuse to find out information they were prohibited from asking him directly.

His next two calls are to an attorney and the media….

Now, it may be that the company had a legitimate reason to hire someone else, but the perception here is what matters. Imagine your company being dragged through the media and labeled as discriminatory. We’ve all seen what happens when the media plants an idea into the minds of its audience. The truth is often pushed to the back burner while the sensational, ratings-grabbing story rules the day. There may or may not be any legal ground but it sure makes good publicity for a hard-hitting lawyer.

If this came to pass, would you reconsider asking for those Facebook credentials? Maybe sticking with traditional background checks, interview questions, reference checks, and looking at publicly available profile information on social media sites is the better choice.

 

Before I hire you I’ll need the keys to your home…

I wouldn’t believe it if I hadn’t read multiple stories about employers asking prospective employees to hand over their Facebook passwords during job interviews. This is simply outrageous, yet I can see how those who have been looking for work for over a year may feel compelled to provide their credentials or lose an opportunity for employment. This really ranks as a big thumbs down for employers who are engaged in this behavior.

Now, I’ll be the first to say that publicly accessible information in a digital world is fair game.  If you allow pictures of your pot smoking adventures or previous dime-store stealing expertise to be available to anyone on the Internet then you can’t complain when that public information ruins your chance of getting a job.  If you’ve been bashing an employer on public forums using your real name, I would think that an interviewer can fairly question you about it.  The thing is, what you decide to make public on the Internet is part of your global resume available for any potential employer to view.  You can’t cry foul.

That said, asking a potential candidate to turn over their user ID and password so you can view something intended to be private is beyond the pale.  That is no different than invading a candidate’s home, snooping through their medicine cabinet and snatching their diary from under the mattress in order to read their “private” thoughts before making a hiring decision. This isn’t an episode of House, right?

Let’s take this a step further.  Do potential employers have a right to access information related to friends and family who aren’t applying for a job?  A request for Facebook credentials gives access not just to information a candidate has deemed private but also allows them to pry into the private information of friends and acquaintances.  Insanity anyone?

The potential for abuse here is enormous. While it is fair for any employer to do as extensive a background check as they feel is necessary to vet potential employees (criminal, financial, public records, internet search, etc.), it is not appropriate, as part of the hiring process, to intrude into areas that someone has explicitly chosen not to expose publicly.

 


Failures in Leadership, Ethics, and Security

A breach of patient personal information at University Medical Center has all the makings of a made-for-TV movie, or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity. The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats. We hire employees and give them access to sensitive information in order to perform their job duties. We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege. Even the best of controls, however, can be circumvented by a trusted insider with an intent to do harm. In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney. I’m not sure it would be reasonable for the organization to set up exit searches of their employees every day to make sure they weren’t sneaking out these documents. Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there? The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires. I know it’s like profiling, but when protecting consumer information, corporate finances and reputation, having an indicator of potential behavior issues can help. However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation. UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart. Having face sheets printed only in one place and logging who printed them may be useful. Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong. A cursory probe and dismissal of something that could have major repercussions for patients and the organization is completely unacceptable. This is fairly common though. This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders. Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story. Take security threats seriously. Reduce risk where possible. Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck. Take politicians’ comments with a grain of salt. Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

Business Ethics May Actually Still Exist

T-Mobile is investigating a claim that customer data was stolen and attempts made to sell the information to their competitors. While data breaches unfortunately seem common, the good news from this story is that T-Mobile’s competitors apparently declined the offer of the thieves. This whole story may be hogwash but even the idea that ethics still plays a role in the business environment is a good thing. Kudos to those companies!

ComputerWorld Article