Background screening continues to be a critical component of organizational risk management and regulatory compliance. In the recent webinar "Spring Into Compliance: Background Screening Best Practices and Trends," Chad Ascar, Director of Compliance Integration at DISA Global Solutions, outlined key legal and procedural considerations employers need to understand in today's evolving landscape. Topics included disclosure and authorization requirements under the Fair Credit Reporting Act (FCRA), adverse action procedures, individualized assessments, negligent hiring risks, and emerging data privacy responsibilities. The session provided employers with practical strategies for protecting their workplace, staying compliant, and adapting to new screening challenges.
The Importance of Employee Screening in Today's Workplace
Background checks are a legal necessity in regulated industries. Firms under the Financial Industry Regulatory Authority (FINRA) must complete background checks for criminal offenses, bankruptcies, liens, and civil judgments within 30 days of submitting a Form U4. In healthcare, accreditation by the Joint Commission hinges on verifying employee licensure, credentials, and employment history. Missing or incomplete screenings can trigger audits, hefty fines, or even the loss of accreditation.
Beyond regulatory demands, negligent hiring claims are rising and costly. A 2024 nonprofit study revealed that 93% of surveyed employers had incurred costs for hiring individuals with undisclosed criminal backgrounds. Courts increasingly find employers liable if a reasonable screening process could have flagged an issue. For example, the Minnesota Supreme Court found a charter school negligent for failing to vet a teacher who later harmed students, a reminder of the consequences of inadequate screening.
Every hire becomes an extension of your brand. Public trust can erode quickly if an employee's past behavior surfaces, particularly when it could have been discovered during screening. In today's digital age, reputational damage can outpace the initial incident, creating long-term consequences for organizations, especially in public-facing roles or those involving financial assets and vulnerable populations.
Adding to the risk, résumé fraud is at an all-time high. A 2024 study by PoleFish, published on Business.com, found over 70% of job seekers admitted to lying on résumés, with common fabrications including false educational credentials (44%), inflated skills (37%), and exaggerated job histories (29%). Hiring someone based on false information can cost organizations millions annually, factoring in training, onboarding, lost productivity, and potential liability. Employers should directly confirm education, licenses, and employment history rather than relying solely on résumé claims or references. Screening isn't about distrust but about ensuring responsible, fact-based hiring decisions that protect the company and its employees.
Proper Disclosure and Authorization for Background Checks
Under the Fair Credit Reporting Act (FCRA), employers must provide a clear and conspicuous standalone disclosure before conducting a background check through a Consumer Reporting Agency (CRA) like DISA. This disclosure cannot be bundled into other documents like job applications or offer letters. Following the disclosure, employers must obtain written authorization from the applicant, with consent being explicit and specific to the background check. Electronic signatures are acceptable but must meet legal clarity standards.
Major brands have faced multimillion-dollar lawsuits for non-compliant disclosures. Common mistakes include adding release-of-liability language, inserting state-specific rights, or embedding the disclosure within other hiring documents. Even seemingly helpful additions can invalidate the disclosure under FCRA rules. To stay compliant, the disclosure must be simple, standalone, and strictly limited to informing the candidate about the background check. Consent must be explicit, informed, and properly documented. Employers cannot assume that applying equals authorization. As demonstrated by recent FCRA class action cases exceeding $1.8 million, missing or mishandling consent can result in costly settlements.
Best Practices for Adverse Action
Many employers get tripped up in the adverse action process. One frequent mistake is simply calling a candidate to ask about a record or quietly rejecting their application without documentation. Another is skipping the process altogether and moving forward with another applicant just out of convenience. While these may seem harmless, they violate FCRA rules and can open the door to legal claims.
Employers must issue a pre-adverse action notice before taking any adverse employment action, such as declining to hire or rescinding an offer, based on a background check. This notice must include a written notice of intent, a copy of the background report, and the current version of A Summary of Rights Under the Fair Credit Reporting Act (FCRA). This allows the applicant to review the report and either dispute inaccuracies or provide relevant context, such as evidence of rehabilitation or expungement. Skipping this step robs the candidate of due process and violates federal law.
Once the candidate has had sufficient time to respond and the employer has reviewed any rebuttal or clarification, the Final Adverse Action Notice must be issued. Best adverse action practices include ensuring the notice contains the following:
- Preliminary written notice
- A copy of the report
- Summary of Rights
- Notice of adverse action
- Name, address, and telephone number of CRA (Consumer Reporting Agency)
- Statement that the CRA did not make the decision and is unable to provide specific reasons for the decision
- Right to get a free copy of the report
- Right to dispute the findings
Proper documentation and timing are essential. Many lawsuits arise from failing to wait long enough between the pre-adverse and final notices or from omitting key elements in the communications. Failing to include these critical items can jeopardize compliance with federal law and expose employers to legal risk.
Be mindful of state/local requirements for adverse action.
Individualized Assessment
In jurisdictions like New York City, Los Angeles, and other cities adopting "Fair Chance" ordinances, an individualized assessment is required when considering criminal records in employment decisions. Employers must evaluate several factors, including the nature and gravity of the offense, the time passed since it occurred, the number of offenses, the applicant's age, evidence of rehabilitation, and relevance to the job in question. These factors are derived from the Green v. Missouri Pacific Railroad case and reflected in EEOC guidance. Employers should document the assessment process and avoid blanket exclusions based solely on criminal history, which may disproportionately impact protected groups.
Ensuring Compliance with Data Privacy
Data privacy is now a front-line compliance issue, not just an IT concern. Employers must have formal policies defining applicant and employee data, why it's collected, who has access, and how it's secured. Digital records must be encrypted and stored securely, and physical records must be kept in locked locations accessible only to authorized personnel.
Employers should also ensure compliance with key data privacy principles:
- Have a Policy: Implement a formal policy that clearly defines how data will be handled and the purpose of its collection.
- Store Securely: Ensure digital records are encrypted, and physical records are kept in secure, locked locations.
- Data Minimization: Limit the data collected to what is necessary for hiring decisions to reduce privacy risks.
- Train Employees: Provide ongoing training on secure data handling to prevent breaches caused by human error.
- Legislation: Stay informed about the ever-changing state privacy laws, as more than 30 states have enacted or proposed privacy regulations.
With the rise of hybrid and remote work, unsecured devices and storage systems present increasing risks. Limiting data collection to what is necessary for hiring decisions can also reduce liability under emerging state privacy laws. Training employees on secure data handling is essential, as human error remains a leading cause of data breaches. In addition to the FCRA, more than 30 states have enacted or proposed privacy laws with unique requirements, meaning compliance must be an ongoing, proactive effort.
Key Takeaways
- Employers should thoroughly review their disclosure and authorization forms to ensure compliance with the FCRA and any state-specific laws. These forms must be clear, concise, and free from extraneous content. Consent must always be obtained in writing and specific to the background check.
- Organizations must follow the complete adverse action process, including issuing pre- and post-adverse action notices and respecting the candidate's right to dispute the findings. When criminal records are involved, especially in jurisdictions that require it, employers should perform an individualized assessment using the “Green” factors.
- Finally, businesses must implement and enforce strong data privacy protocols. Data privacy should be treated with the same seriousness as financial or safety compliance, from secure storage and access controls to employee training and legal compliance.
How DISA Can Help
DISA Global Solutions offers comprehensive background screening services that prioritize compliance, security, and efficiency. With built-in tools for disclosure and authorization, adverse action workflows, and individualized assessments, DISA helps employers reduce legal risk while streamlining their hiring process. Our team continuously monitors regulatory changes to ensure clients remain compliant across jurisdictions. Through our secure platforms, automated reporting, and industry expertise, DISA empowers employers to make informed, compliant hiring decisions that protect their workforce and reputation.
About DISA Global Solutions
Founded in 1986, DISA is the industry-leading provider of employee screening and compliance services. Headquartered in Houston, with more than 35 offices throughout North America and Europe, DISA’s comprehensive scope of services includes background screening, drug and alcohol testing, DOT & HR compliance, occupational health services, and I-9/E-Verify. DISA assists employers in making informed staffing decisions while building a culture of safety in their workplace.