In today's seemingly more dangerous world, companies and individuals are electing to undertake a criminal background check on a person they have just become acquainted with before making a decision on whether or not to trust or employ that person. This is a natural reaction to our exposure, via the media, to the horrific crimes being committed on an almost daily basis. However, with the vast majority of criminal background checks being undertaken online, what happens if the database of the supplier gets hacked?
What we mean by 'criminal background check'
Before we examine the issues of what happens if a criminal background check provider's database gets hacked, we first need to determine what we mean by a 'criminal background check' and, further, how the supplier of the information we obtain from our criminal background check obtains their information.
In short, a 'criminal background check' comprises two elements. On the one hand, as the name suggests, it is a check on the criminal background of the person being enquired of. On the other hand, it is also a check of the civil records of the person being enquired of. Thus, to limit this search to merely a criminal background check is somewhat misleading; rather, it is a check of the court records of the person being investigated.
Insofar as how the information is gleaned by the provider of the criminal background checking service, this is generally obtained via: (i) state records; (ii) federal records; and (iii) private sources of information. Critically, however, all of the information obtained by a criminal background check is 'public' information. In other words, this information is freely available in the public domain and is not composed of 'classified' or 'private' information. The source material can be freely accessed by each of us, if we wished to spend the time undertaking the search. As we are rarely inclined to spend our time undertaking these searches, we're willing to pay a small service fee to an online website to do this for us.
The privacy issue
While it may appear that our rights to privacy are being eroded, this is in fact more of an illusion than a fact and we still have certain rights in this area. Consequently, it is important to note that certain information cannot be included in the databank of a criminal background search, as this would require the consent of the person on whom the criminal background check is being done. A highly unlikely, although not impossible, concept. Moreover, not all states will allow information they contain on individuals to be made available on public domains, such as the internet.
Aside from the above privacy issue, an additional important issue that should be noted with criminal background checks is that there is no guarantee that the information contained within the database of the service provider is going to be up-to-date. The reason why this is so is because state and federal agencies, most of whom are the primary source for the service provider's own information, will not guarantee that the information contained within their own records/database is correct and up-to-date.
Hacking of a database used for a criminal background check
Turning our attention now to what remedies there may be if a criminal background check database is hacked, we need to examine three issues: (a) what rights and/or remedies does the service provider have against the person who has hacked their system; (b) what rights or remedies does the purchaser of information provided with a criminal background check have; and (c) what rights does the person whose information was on the service provider's database have, if such information has been altered to give erroneous and false information?
In its basic form, hacking is a trespass. A computer hacker enters a computer system or network without the permission of the owner of that computer system or network. Thereafter the hacker may amend or destroy information contained within the computer system or network via various different means, such as with a virus or worm. However, the act of amending or destroying information contained on a computer system or network post a successful hack is not, itself, hacking. In short, the hacking is entry without permission - hence the analogy to a trespass.
An understanding of the different elements of what constitutes hacking is important if you want to ascertain what restitution rights you have in the event that the criminal background check database you have used has been hacked. Primarily, the reason why this is so is because merely hacking a computer system or network may not give you many restitution rights; unless, of course, you are the legal owner of that computer system or network. On the other hand, if the hacker then advances to make actual constructive changes to the information contained in the database, the person undertaking the criminal background check or the person who is the subject of such a check may well have rights against the hacker (as we shall see below). In addition, the court system will also treat the offender of such actions differently.
(a) The rights of a service provider
As the owner of the computer system or network that has been hacked, the service provider likely has the strongest case in most state laws against a hacker. For example, if you were the provider of a California criminal background check service, it is highly likely that not only would you possibly have a remedy in federal law if the computer network or system were hacked, but also in local state law. Likewise for a Florida criminal background check service provider. In each of these cases you would have both a proprietary right and, most probably, a criminal case that you could claim against any hacker of your computer network or system.
In the event that you lost revenue or reputation due to a hack of your California criminal background check database, it may also be the case that you could bring a state civil claim for loss of earnings, but this would need to be quantified and worded carefully and you would also need to ensure there were no penalty claims, e.g. that you mitigated your financial loss.
Nevertheless, as the underlying state law for the likes of Florida criminal background check service providers and Iowa criminal background check service providers is highly likely to be different, you need to ensure that you check local state law. Here, it should also be noted that a difference may arise as to where you "host" the website from. For example, an Iowa criminal background check may be hosted from California, and a California criminal background check service may be hosted from Iowa. In such a case, regardless of what service is being provided, the location of where the service is being provided from could well be instrumental in determining the rights and remedies you have against the perpetrator of a hack.
Notwithstanding the foregoing, if you are the provider of such a service it is extremely important that you include a waiver somewhere on your website and in your service contract that, while you do your utmost to ensure the information being provided is correct, you cannot guarantee the accuracy of the information and that it is the responsibility of the requester of such information to ensure they check the accuracy of the information obtained from any internet-based query for information.
(b) As the purchaser of a criminal background check
Let's say, for example, you purchase an instant criminal background check online. It later transpires that the database for that instant criminal background check online was hacked and the information provided to you was erroneous. In such a case it is highly likely that you will not be able to make a claim against the service provider of the instant criminal background check, as you'll likely have entered into a service contract with the criminal background service provider wherein there will be a disclaimer that any erroneous information is not the fault of the service provider. This is good practice on the part of the service provider, as they're not usually the primary source for the information being given out, but act more like a databank of information collated from various sources. Nevertheless, if you do not enter into a service contract with the website from where you obtain the instant criminal background check, you may have an action in contract against the website owner.
Failing any claim you may have against the website owner for false information obtained following a criminal background check, you may yet have a claim against the hacker. However, your claim here is likely going to have to be in tort law, as you have no contractual relationship with the hacker and the hacker, per se, did not cause you harm. As such, you would need to establish that a relationship existed between the actions of the hacker and the results of your criminal background search.
(c) As the named person on whom the online criminal background check has been undertaken
As the named person against whom the online criminal background check has been undertaken, if the information in the results of such background criminal check proves to be incorrect, you may ask the website hoster to (a) correct the information; or (b) take out the information. However, here it is important that you distinguish between information that is incorrect as a result of a hack and that which is incorrect because the information provided by the primary source, such as federal or state sources, is out-of-date. In the case of the former, if the information is both incorrect and damaging to your reputation, say you do not get employed because the results of a criminal background check on you were incorrect, you may have a claim for defamation and/or criminal harm against the hacker. Here, it is unlikely, beyond asking the website owner to amend the information, that you'll have a claim against the owner of the website. In the case of the latter, it is highly likely that your only action would be one of asking the website to update its records and submitting a petition to the primary source provider to do likewise.
As a practical matter, websites, those who have requested the online criminal background check and those who are the subject of the criminal background check should all take steps to determine (a) whether or not they have a case to be heard in state law; and (b) what the likely punitive damages are if they succeed, prior to determining whether they should proceed with any action resulting from the hacking of a criminal background check database.
The reality of hacking and the economic loss
The simple fact is that less than 5 per cent of all computer hackers get caught. In most cases the hack is a test for the computer user. Although the economic loss to the network service provider may be considerable, and although the person who requested the criminal background check may make a fundamental decision based on the wrongful outcome of that search, and although the person on whom the search was done may be wrongly punished for something they have not done, policing and enforcement action against hackers of criminal background check databases is still not taken very seriously. With such a minimal chance of ever being able to bring the culprit of a criminal background check hack to face justice, changes need to be made to see how we can (i) strengthen the safety procedures surrounding the internet; and (ii) change society's attitude towards the fame given to those who act by treating it for what it is: a criminal action that causes great distress and economic loss to those affected by the hack.
Consequently, regardless of whether you are a provider of criminal background checks or the person who has requested the criminal background check, while the service being provided is a good one, especially if you are looking to hire a new employee from out of state and you'd like to know a little more about them, the simple truth is that nothing can beat face-to-face discussions. Thus, if you are interviewing a prospective new employee you should not place all of your stock on the results of the instant criminal background check you conducted on the internet 15 minutes before the interview took place, but should also use the opportunity (a) to see if the person being interviewed fits the criteria of someone who has such tendencies; or (b) if they do have such tendencies, whether or not they have rehabilitated and amended their ways. In other words, a criminal background check should be there for you as a tool to help you decide whether you want this person to be your long-term friend, business partner or employee, but it should not replace your human judgment and it should in no way be the overriding reason why you elect to do something or not.
One exception to the above would apply to the service providers of criminal background checks. In the event that you provide an internet service for online criminal background checks and you find at any time that your database has been hacked into, the first thing you need to do following a report of such a hack attack is to rectify and make amends for any information which may have been wrongly obtained from your service. Following this, the second thing you need to be doing is going out and upgrading your protection and security programs so that, while there is no guarantee that you'll not be the victim of a hack attack again in the future, it becomes much more difficult. While you may find this additional expense unpalatable, as the provider of a service via the internet it is incumbent upon you to ensure that you have the most up-to-date and secure website possible if you wish to avoid any claim that you were partially to blame for the damage that may follow any hack of your computer service or network.
Nonetheless, probably the most effective remedy against hacking of computer networks and systems, and probably the ultimate defense mechanism against such behaviour and the damage that flows from such actions, is to demystify the action of hackers and to take away the claim to fame that is generally afforded to those who successfully hack. Failure to do so will likely mean that hackers continue to see hacking of computer networks as a "challenge" that needs to be taken on, rather than the serious security, economic and personal cost that, in reality, it has become.