The Fine Line Between Oversight and Overreach
Attendees of the session led by Gerry Zack, CFE, CCEP, CIA, at the 36th Annual ACFE Global Fraud Conference received a lesson in mitigating risk by identifying and responding to privacy issues that arise when performing fraud investigations. From racist social media posts to messy divorces and document retention policies, Zack walked workshop members through a variety of scenarios to brainstorm how to handle difficult privacy situations in the workplace.
Zack started the session by explaining how privacy risks affect fraud risk management in multiple ways. Every stage of the process, from prevention and due diligence through detection and investigation, creates legal, ethical and reputational risks. He stressed that simply adhering to legal requirements does not protect against violating employee trust or ethical norms. He also reviewed legal frameworks including the Fair Credit Reporting Act (FCRA) and the Family Educational Rights and Privacy Act (FERPA) while discussing best practices for background checks, which included rules for storing, using and discarding sensitive information and the increasing role of social media data.
Due Diligence Dilemmas
In the first scenario Zack posed to the audience, a job applicant was denied employment based on criminal history and a racist post on a now-deleted social account.
Attendees debated whether human resources (HR) handled the situation correctly and how legal exposure (e.g., potential FCRA or discrimination claims) should be evaluated.
Conversations took place about the relevance of certain crimes (e.g., a marijuana possession charge versus embezzlement) to the position.
Key takeaways included the importance of documentation, balancing transparency with risk and adherence to company policy.
Next, attendees discussed a promotion-triggered background check that revealed poor credit, which an HR manager tied to a messy divorce.
The room was split. Some argued for a deeper review of the context, even though the HR manager's mention of the divorce was inappropriate; others cited fiduciary risk in financial roles.
The discussion highlighted the importance of aligning screening practices with role-specific risks and having policies to support those decisions.
Balancing Between Insight and Intrusion
The next discussion explored a situation where a group of employees complained after finding out their personal information on file was being monitored through HR data analytics.
Attendees discussed how to clearly communicate monitoring practices upfront to prevent backlash, and explored how to explain how the data is used and secured and how it benefits the organization.
In another example, an analyst accessed older emails from a backup system in breach of company retention policy.
This was a hotly debated situation. Many attendees weighed which risk outweighed the other: the policy breach, which could damage the organization's reputation, or the potential fraud exposure.
Members of the audience discussed the need for governance over investigative tools; one attendee mentioned auditing when investigators access logged data about employees.
Participants left the session with not just a checklist of privacy risks, but a stronger understanding of how nuanced and situational fraud work can be.