Section 613 of the Fair Credit Reporting Act (FCRA) requires that consumer reporting agencies (CRAs), when furnishing a consumer report for employment purposes that contains public record information likely to have an adverse effect upon a consumer’s ability to obtain employment, must either follow strict procedures or send notice to the consumer. Both the law and the Federal Trade Commission (FTC) are clear that CRAs can select either option and are not required to follow both 613(a)(1) and 613(a)(2). But the ridiculous amount of FCRA-related litigation has CRAs wondering…should I do both? I’m not legally required to do both, but should I have both strict procedures in place and send notice to cover all my bases from a litigation perspective? While this blog posting is not intended to offer legal advice, I am happy to discuss this broader issue with CRAs offline. For purposes of this blog, I will leave you with this nugget.
The FCRA does not define “at the time”, which is part of the notice provision of section 613(a)(1). The full section reads, “at the time such public record information is reported to the user of such consumer report, notify the consumer of the fact that public record information is being reported by the consumer reporting agency, together with the name and address of the person to whom such information is being reported;”. A recent district court opinion in the rocket docket, the 4th Circuit, provides a very generous reading of the notice provision. The case, Rodriguez v. Equifax Information Services, LLC (1:14-cv-01142) (E.D. Va., July 17, 2015), involves an employee who applied for a position with the Office of Personnel Management (OPM). Two relevant facts — the plaintiff’s security clearance was approved and he never actually received the notice. However, the Court essentially held that Equifax Information Services had an appropriate process in place to provide notice to consumers. The process included sending notices by mail the following business day (and in some instances two business days later), after the report had been provided to OPM.
Key takeaways from the Court’s Memorandum Opinion (“Opinion”):
- The Court states that the “at the time” requirement is ambiguous (which is true) and there is “more than one reasonable interpretation of what that requirement means.” (Opinion, p. 9)
- The Court states that “Congress did not impose a ‘same time’ requirement with respect to the receipt of the notice; and in 2000, the Federal Trade Commission interpreted the ‘at the time’ requirement to permit the mailing” of such a notice. (Opinion, p. 9) This we already know and more specifically what the FTC says is, “A CRA may use first class mail or other reasonable means to notify consumers that it is providing public record information for employment purposes under subsection (a)(1).” (See, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations, p. 81).
- This takeaway is very helpful for CRAs using the notice option of section 613. The Court does not require parity with the method by which the notice is sent. Meaning, a CRA can send the notice by automated/electronic means to the employer and by mail to the consumer. The Court states that they “cannot conclude that the text of the statute requires such technological symmetry during periods of technological innovation so long as the system initiated, at the same time a report to OPM was initiated, a process that was designed to deliver notice to the consumer according to a reasonable, standard and accepted method of delivery.” (Opinion, p. 9)
Recently the Federal Trade Commission (FTC) issued a guide, Start with Security: A Guide for Business, which pulls from lessons learned from the 50+ data security enforcement actions that the FTC has announced. To be clear, these actions are settlements and not court orders. Nonetheless, the “ten lessons” they provide in the guide are worth reading and thinking about how they apply to your company. The top ten lessons below are (literally) taken from the FTC’s guide, and I then add a few summary sentences:
- Start with security — when it comes to data collection, use and retention, less is better. As the guide says, “by making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road.” If you don’t need driver’s license information or Social Security numbers on a particular form…don’t collect them just to collect them.
- Control access to data sensibly — not all employees need to have access to everything, be it paper files, the network, administrative controls. Pull the reins on that horse, cowboy! Limit and restrict access to data, especially sensitive data.
- Require secure passwords and authentication — the word “password” is not a secure password. Enough said. Also, implement a policy to suspend or disable accounts after repeated login attempts to reduce the risk of an attack being successful. Test for common vulnerabilities and widely known security flaws, such as “predictable resource location” where hackers can bypass the web app’s authentication screen and gain unauthorized access.
- Store sensitive personal information securely and protect it during transmission — in other words, be in it for the long haul and protect data at all stages. Make sure your company properly implements encryption and SSL protocols, and use industry-tested methods, not some $9.99 summer special.
- Segment your network and monitor who’s trying to get in and out — limit access and have in place strong intrusion detection and prevention tools.
- Secure remote access to your network – remote access is a curse and a blessing, depending on how you look at it. It also challenges a company’s data security policies and procedures. Ensure endpoint security and have firewalls and updated antivirus software in place. Also, limit third party access to what is needed.
- Apply sound security practices when developing new products — if a company is pushing out a new mobile app or software, it needs to ensure its engineers are trained in secure coding practices, don’t turn off SSL certificate validation and test for common vulnerabilities. The FTC cites the Open Web Application Security Project as a resource for identifying commonly-known vulnerabilities. Finally, a big one for the FTC — do what you say you will do. In other words, if your company’s mobile app or software features specific privacy and security settings, the product needs to live up to those features/representations.
- Make sure your service providers implement reasonable security measures — in other words, companies need to police their vendors to ensure their data security practices are reasonable. Security standards should be incorporated into the terms of service agreements and compliance should be audited.
- Put procedures in place to keep your security current and address vulnerabilities that may arise — have policies and procedures in place to update/patch third party software as well as to receive and act on security alerts.
- Secure paper, physical media, and devices — not all data is collected and maintained in electronic format. Data security applies to hard copy documents as well, and confidential information there needs to be protected every bit as much as if it were in electronic form. When sensitive data is no longer needed, companies should properly dispose of it, shredding, burning or pulverizing paper documents. Throwing documents with sensitive personal information in the trash can is strictly verboten.
Not rocket science, but given the enforcement actions brought by the FTC, companies suffer from these mistakes and failures. For more details on each point above, and to learn about some of the companies impacted by these enforcement actions, click here to read the guide.
I came across this piece of information in the latest edition of E-Verify Connection and want to share it as it’s relevant to when employers complete section 2 of the Form I-9. According to the Department of Homeland Security (DHS), an increasing number of lawful permanent resident cards (a/k/a green cards) are being issued with the words “Signature Waived”. For an example of the card and to read the alert click here and click here.
Why is this relevant? Because employers shouldn’t outright reject such cards if presented as a List A document just because they aren’t signed by the individual. DHS is telling employers to accept them. As with any document(s) provided by an employee completing the Form I-9, the test is one of reasonableness. Assuming the document is on the Lists of Acceptable Documents, the employer representative completing the Form I-9 must physically examine each document presented by the employee for section 2 purposes and ask themselves, does the document reasonably appear to be genuine and does it relate to the employee presenting it? Oh, and the document cannot be expired unless you are dealing with an individual who has work authorization due to Temporary Protected Status (TPS), but that’s for another blog posting.
Nevada has removed the 7-year restriction on background screening companies’ ability to report criminal conviction information for employment screening purposes, which means that convictions can be reported without regard to a seven-year look-back period. Such a restriction on the reporting of convictions is a state restriction, followed by a handful of other states. The federal Fair Credit Reporting Act (FCRA) allows for the reporting of convictions in a consumer report, regardless of a time period. Having said that, the reporting of “other adverse item(s) of information” is limited to seven years in the FCRA, with the exception of certain bankruptcies. See section 605(a) of the FCRA.
The bill, signed by Governor Bob Sandoval (R), went into effect June 9, 2015. See SB 409 for text of the legislation and note that it amends, in part, the consumer reporting chapter of Nevada Revised Statute section 598C.150(2).
A recent blog posting by the Federal Trade Commission (FTC) on data retention and disposal practices is the genesis of this blog. The posting talks about the importance of having a plan in place because a natural disaster, such as a hurricane or a flood, may visit your company. What would happen to your online and offline customer data in the event of a natural disaster? The FTC offers the following “data minimization and disposal tips:
- Take stock. Create an inventory of the personal information you have. That way, if your files are destroyed or lost in a natural disaster, you’ll know what information is involved.
- Scale down. Collect only what you need. For example, if there’s no business reason why you have to have someone’s Social Security number, don’t ask for it in the first place. Keep records only as long as you have a reason to maintain them. Don’t hold onto customer credit card information unless you have a business need for it.
- Lock it. Store personal information in the safest part of your building. If information is missing after a natural disaster, contact law enforcement. If possible – this is where your inventory helps – contact affected individuals so they can place a fraud alert on their credit reports.
- Pitch it. Properly dispose of what you no longer need. Shred, burn or pulverize paper records before discarding. If you use consumer credit reports for a business purpose, you may also be subject to the FTC’s Disposal Rule.”
I couldn’t agree more with the above bullet points. But let’s expand upon this topic and talk about background check reports used for employment or tenancy screening purposes and proper disposal. These reports, defined under the federal Fair Credit Reporting Act (FCRA) as consumer reports, must be disposed of in a specific way. Namely, they must be shredded, burned or pulverized if in hard-copy. If electronically stored, the electronic record should be wiped so that it cannot be reconstructed or recreated.
The FCRA’s Disposal Rule (“Rule”), which became effective in 2005, states that when a company’s data retention policy allows for the disposal of consumer reports (aka background check reports) which contain sensitive personal information about employees or tenants, they must be disposed of in a manner which protects against “unauthorized access to or use of the information.” (FCRA § 628). The FTC enforces the Rule. The Rule covers not only the background screening companies that provide the reports, but also the employers and landlords who use them.
The Rule requires practices that are reasonable and appropriate to the type of personal information retained and being disposed of. And I quote this directly from the FTC, “reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
  - reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
  - obtaining information about the disposal company from several references;
  - requiring that the disposal company be certified by a recognized trade association;
  - reviewing and evaluating the disposal company’s information security policies or procedures.”
Note that section 628 of the FCRA provides for the issuance of regulations related to the disposal of records. If you want to read the actual Rule it can be found by clicking here, which takes you to 16 CFR Part 682.
New York City passed a local law to amend its administrative code to prohibit employment discrimination based on one’s arrest record or criminal conviction. Employers and background screeners take note. The legislation, the Fair Chance Act, passed City Council earlier this month (6/10/15) and Mayor Bill de Blasio is expected to sign it. Note too that the law impacts licensing and permits, but for purposes of this blog posting I will only review the sections related to employment screening. Also, note that it is being dubbed a Ban the Box law, but it is clearly so much more than that as a pure Ban the Box law would simply remove the question about one’s criminal history from the job application.
Who does the law affect and what does it do?
- It impacts private employers in New York City;
- It makes it an unlawful discriminatory practice for any “employer, employment agency or agent thereof” (background screeners take note of the agent language) to deny employment or take adverse action against any employee due to criminal convictions;
- Employers still need to abide, as they do in New York in general, by Article 23-A of the New York Correction Law which essentially requires an employer to tie the criminal history to the particular position through an individualized assessment;
- It makes it an unlawful discriminatory practice potentially to deny employment or act adversely with respect to an employee based on an arrest;
- It includes Ban the Box language in that an employer cannot make any inquiry, including on any form of application, regarding arrest or criminal accusation which does not lead to a conviction;
- Requires a conditional offer of employment before any inquiry or statement related to a pending arrest or criminal conviction record can be made and requires that if an adverse employment action is going to be taken, the individual must be provided a written analysis for the adverse action akin to an individualized assessment (again, reference Article 23-A of New York’s Correction Law for this too);
- It places restrictions on job advertisements which express limitations on a person’s arrest or criminal history as a condition or bar to employment; and,
- There are limited exceptions, tied to federal, state or local laws requiring a criminal background check or barring employment based on criminal history. It also does not apply to law enforcement job applicants.
This is a law that employers should take note of given its breadth. It will take effect 120 days after enactment, meaning it will likely go into effect later this year. Also, if as an employer or background screener you are not already entirely freaked out (not a legal term) by this, note that there are also restrictions on an employer’s use of credit for employment screening purposes in New York City under the Stop Credit Discrimination in Employment Act.
Join me for a free webinar on Wednesday (June 10) at 1 pm EST. I will discuss the basics of implementing and maintaining a legally compliant background check program for employment screening purposes. The webinar is hosted by Crimcheck.com, a background screening company. The webinar is geared toward HR professionals, in-house counsel and others who are responsible for their company’s background check program.
Click here to register.
The webinar will cover:
- Steps employers must take before and after conducting a background check pursuant to the Fair Credit Reporting Act (FCRA).
- Common errors employers make when conducting background checks.
- FCRA litigation and how to mitigate your company’s risk.
- Ban the Box measures and how they could impact your company.
I hope you will join me to learn more about the legal requirements under the FCRA and state consumer protection laws regarding the use of background checks for employment screening purposes.
I recognize this is a few days late, but the content is still timely. Last month I attended the NAPBS Mid-Year Conference in Washington, DC both as an attendee and speaker. One session of particular interest to me was Maneesha Mittal’s presentation. Maneesha is the Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC). Her team is the team that would bring an enforcement action against a background screening company for non-compliance under the Fair Credit Reporting Act (FCRA).
Below are the take-away points I found most helpful for purposes of my day to day practice advising background screening companies on their compliance with the FCRA:
- Reasonable security of data – Maneesha stressed the importance of “knowing your customer” when transacting with them and provided examples of companies who failed to maintain appropriate data security through reasonable procedures, and failed to ensure a permissible purpose to the reports (e.g., ACRAnet, Inc., SettlementOne Credit Corporation, Statewide Credit Services).
- The FCRA applies equally to social media when used for background screening purposes and she gave as examples the FTC letter to Social Intelligence Corporation and the ongoing Spokeo v. Robins case. For the Spokeo case, note that the U.S. Supreme Court granted cert. and will take up this important case next year. The Spokeo case goes to the issue of whether a plaintiff has to show actual injury in fact in order to have Article III standing, or whether a mere violation of the statute is sufficient to bring suit. Let’s hope the former and not the latter.
- Companies cannot disclaim liability under the FCRA and then proceed to sell information to employers which could be used for background screening purposes. As an example she cited the settlement against Filiquarian Publishing LLC, Choice Level LLC and their CEO for alleged failure to ensure that the information they sold was accurate and could only be used for a permissible purpose. In this matter, the maker of the mobile app claimed that users could use the app to conduct criminal background searches on individuals but used disclaimers stating that they were not FCRA compliant and that the products should not be used for employment screening purposes.
- Accuracy of the reports – reports with multiple entries listing the same offense are not acceptable. Basically, a data dump is not acceptable as it does not comply with the FCRA requirement to maintain maximum possible accuracy. As an example she cited the HireRight Solutions enforcement action and settlement.
- Consumer disclosures — have adequate staff to respond to consumer requests for their reports.
- Use of section 603(y) of the FCRA as a defense to litigation is on the rise. It is the FTC’s opinion that this section of the FCRA, which relates to investigations of suspected employee misconduct, is only intended to cover current employees and not job applicants. Stay tuned for potential guidance from the FTC on this point.
- U.S. based background screening companies doing background checks on international employees – the FCRA would apply.
- Regarding the amicus brief in Moran v. The Screening Pros tied to section 605 of the FCRA and the obsolescence rule for dismissals, this is an FTC “opinion” and not just a staff view as the Commission approved the FTC’s participation in the amicus brief.
This week New York City Mayor Bill de Blasio will hold a hearing on New York City’s Proposed Int. No. 261-A, which would ban the use of consumer credit history, making its use potentially an unlawful discriminatory practice. Certain exceptions apply to the general prohibition on an employer’s, or their agent’s, request or use for employment purposes of the consumer credit history of a job applicant or employee. The bill’s definition of “consumer credit history” limits the ban or prohibition to information found in consumer credit reports, a credit score or information provided by the individual.
Impact on Background Screening Companies
Background screening companies should pay special attention to the fact that the proposed legislation will not be limited to employers, but specifically applies the prohibition to “agents” who request consumer credit history of an applicant for employment or an employee.
Exceptions to the General Ban on the Use of Credit History
Certain exceptions to the prohibition on requesting or using credit history for employment include:
- When an employer, or agent, is required by state or federal law or regulations or by a self-regulatory organization to use an individual’s consumer credit history for employment purposes; or
- For persons applying for positions or employed in: law enforcement, positions of public trust, where bonding or a security clearance is required, positions involving fiduciary responsibilities and others.
There appears to be ambiguity with respect to how broadly an employer can interpret the employer exception in proposed Section 8-107, subdivision 24, which states that the general prohibition on use of consumer credit history for employment purposes does not apply when “(1) an employer, or agent thereof, that is required by state or federal law or regulations or by a self-regulatory organization as defined in section 3(a)(26) of the securities exchange act of 1934, as amended to use an individual’s consumer credit history for employment;”. This author’s view is that this exception to the general prohibition on credit history is only for those individuals for whom such is required by state or federal law. Meaning it is individual specific and not meant to broadly exempt an employer if they have even one job applicant or employee for whom state or federal law requires a background check which includes credit history.
On May 6, the mayor (who is expected to sign the legislation) will hold a hearing on the proposed legislation. Click here and then on “Legislation Details” for notice of the hearing. No further information regarding the hearing has been provided. Therefore, to be clear, New York City’s ban on the use of consumer credit history for employment screening purposes is not yet in effect.
Law Citation and Effective Date
The title of the bill is the “Stop Credit Discrimination in Employment Act”, and if signed by the mayor, the law would take effect 120 days after enactment. It would amend New York City’s Human Rights Law, sections 8-102 and 8-107 of the administrative code of the city of New York.
Last week I posted a blog entry about a presentation I was doing at the NAPBS Mid-Year Conference (click here). If you weren’t able to attend our session or the conference, no worries as the session is available in webinar format thanks to ClearStar. The title of the free webinar is: Ban the Box Measures and their Impact on Background Screeners and Employers.
My colleague Henry Perlowski and I will be co-presenters. Henry and I co-chair Arnall Golden Gregory’s Background Screening Practice Group. The session will cover Ban the Box measures at the state and federal level and the impact of these measures on background screeners and employers who conduct background checks. Topics discussed will include who (public/private) is affected by these measures; the onboarding and job application process; and what, when, and where multistate companies can ask questions about criminal arrests and convictions. The session will cover federal/EEOC guidance and state and local requirements and potential discriminatory concerns associated with considering criminal arrest and conviction records in the hiring process.
Employers — if you have a box on your job application inquiring about the applicant’s criminal history and asking them to answer “yes” or “no” as to whether they have been arrested or convicted of a crime, this webinar is for you.
We hope you will join us. Click here to register for this webinar which will be held April 29th at 2 pm EST.