We’re all busy and regardless of your industry, those responsible for hiring our workforce are pulled in many different ways and have to keep abreast of countless local, state and federal workplace related laws and regulations. The goal of this article is to take one aspect of the hiring process and break it down into five steps which will hopefully lead to greater immigration-related compliance.
Here goes. How to hire and maintain a legal workforce in five (overly) broad steps:
- Form I-9: All new hires (but not independent contractors) must complete an Employment Eligibility Verification Form (Form I-9) within three business days of hire. The Form I-9 is a two-page document issued by U.S. Citizenship and Immigration Services (USCIS) that verifies identity and work authorization. Employers must have available for inspection by Immigration and Customs Enforcement (ICE) their Forms I-9 for any employee hired post November 6, 1986. (See, Immigration Reform and Control Act of 1896 (Public Law 99-603), Section 274A(b) of the Immigration and Nationality Act and 8 C.F.R. section 274a.2). If an employer does not have Forms I-9 for their existing workforce hired after this date, ICE will allege noncompliance and the employer will be subject to civil penalties ranging from $110 to $1,100/violation for, for example, failing to produce a Form I-9. If you are reading this and suddenly realize you do not have Forms I-9 for your employees, call me to address remediation. This really is a situation where you do not want to do this yourself as you could, even if well-intentioned, make your situation worse. How? By backdating all of the Forms I-9. As a general rule, you never want to backdate a form.
- In addition to completing a Form I-9 for any new hire, an employer must maintain a Form I-9 for all current employees. Employers may destroy such forms, but only once an employee has been terminated and the requisite time period has passed. What’s the time period? Three years after date of hire or one year after termination, whichever is later. In addition to maintaining Forms I-9 for current employees, an employer must re-verify the work authorization of any employee who has temporary work authorization, such as a work permit. Section 3 of the Form I-9 is used for this purpose. Employers may maintain the Form I-9 in paper format, electronically or by using an electronic I-9 vendor.
- E-Verify: This is the federal government’s electronic employment eligibility verification program administered by USCIS, the same agency within the Department of Homeland Security that administers the Form I-9. E-Verify is a separate requirement from the Form I-9. The Form I-9 is required for all employees, but use of the E-Verify system is voluntary unless (and that’s a big “unless”) an employer is in a state that mandates use of the E-Verify system or are a federal contractor with the Federal Acquisition Regulation mandated clause requiring its use. Georgia is an example of a state that requires private employers within the state to use E-Verify and ties a company’s use to applications for, or renewals of, business licenses. Note that in some states, including Georgia, not only is there a state mandate to use E-Verify for private employers, but there is also a mandate to use E-Verify for public works contracts. Typically the state entity will write such language into the terms of the agreement or as a condition of a proposal.
- Enrolling in E-Verify is easy, painless and free. According to USCIS, it is used nationwide by more than 600,000 employers at more than 1.9 million hiring sites. To create a case in E-Verify, an employer enters information from the completed Form I-9 into the system and E-Verify will display an initial case result within a few seconds. Note that like the Form I-9, employers must create a case in E-Verify within three business days of hire. Again, according to USCIS, 98.78% of cases created in E-Verify are automatically confirmed as work authorized. At which point, an employer should close the case in the system. In cases where an employee is not automatically confirmed as work authorized, an employer may receive a Tentative Nonconfirmation (TNC). A TNC requires certain steps be taken by the employer, including advising the employee of the notice and not taking any adverse action during the pendency of the employee’s attempt to address the TNC. One major caveat about the E-Verify system. It does work and therefore, certain employers/industries may potentially experience workforce shortages due to E-Verify use. All employers using the system must post participation posters to inform current and prospective employees of their participation. These posters must be posted in English and Spanish and include the E-Verify Participation Poster and the Right to Work Poster.
- Remote Hires and Government Audits: First, remote employees. Not all employees work in an office or near an office where they can easily complete the Form I-9 within three business days of hire. These are considered “remote hires” and because ICE is operating in the 20th century when Skype and other useful technology did not exist, employers must complete the Form I-9 for these individuals using a trusted agent or representative. This can be anyone, including a notary or the dog walker. The employee must still complete section 1 of the Form I-9 and the employer’s agent or representative must complete section 2 in its entirety, including a tactile inspection of the document(s) presented by the employee for section 2 purposes. This means, no photocopying of the documents by the employee and sending them to Human Resources for completion of section 2. Read the employer attestation in section 2 carefully to understand what you are attesting to. Second, worksite enforcement. ICE does audit employers’ compliance with our immigration laws, including proper completion of the Form I-9 as well as whether an employer knowingly hires or continues to employ an individual knowing they are not authorized to work in the United States. Note that ICE has entered into memorandums of understanding with other government agencies, including the Department of Labor, which means that what starts as a Form I-9 investigation could lead to other workplace investigations.
Above is not an attempt to provide legal counsel, but intended to be educational and provide a broad overview of general requirements. If you are currently addressing policies and procedures around your company’s use of the Form I-9 and E-Verify, or are the subject of a government investigation by ICE, I am happy to discuss these with you and provide legal counsel.
An appeals court in California recently held that California’s Investigative Consumer Reporting Agencies Act (ICRAA) is not unconstitutionally vague. (Connor v. First Student, Inc., et al., Cal. Court of Appeal, Second Appellate District, Division Four, B256075, B256077 (8/12/15)).
The court disagreed with the analysis in Ortiz v. Lyon Management Group (appeals court held that ICRAA was unconstitutionally vague as applied to tenant screening reports containing eviction records because such information relates to both creditworthiness and character information and ICRAA and CCRAA do not provide adequate notice of which law is applicable if information can be categorized as both character information and creditworthiness information). In reversing the judgment of the lower court in Connor, the appellate court stated, “We disagree with the analysis in Ortiz…. There is nothing in either the ICRAA or the CCRAA that precludes application of both acts to information that relates to both character and creditworthiness. Therefore, we conclude that ICRAA is not unconstitutionally vague as applied to such information.”
The Connor case involved employment-related background checks. Connor, a bus driver, alleged that the notice she received related to the background investigation did not contain the requisite language required by ICRAA and that her employer did not obtain her written consent.
The Connor decision follows a string of cases in which California courts held that ICRAA is unconstitutionally vague, including in Trujillo v. First American Registry, Ortiz v. Lyon Management Group, Moran v. The Screening Pros, and Roe v. LexisNexis Risk Solutions.
The E-Verify program is set to expire 9/30/15 unless it is reauthorized by Congress (cue scary movie soundtrack). So what does that mean for employers who use E-Verify? Will you be locked out of the system come October 1, 2015 if the program isn’t reauthorized by Congress?
Quick recap of the program, which allows employers to electronically verify new hires’ work authorization. The program is administered by U.S. Citizenship and Immigration Services (USCIS). It was created as the Basic Pilot program back in 1996. Over time it has changed names from the Basic Pilot program to E-Verify. Over the years it has been reauthorized by Congress for a set amount of time, usually at the last minute. Last time it was reauthorized (in 2012) it was reauthorized for a period of 3 years, until September 30, 2015. Congress is currently in recess until September 8, although discussions are on-going about reauthorization for this program and three other programs set to expire at the same time (EB-5 visa program, Conrad 30 and religious worker visas). To learn more about this and what will happen if it is not reauthorized, please join me for a FREE webinar later this week with Chad Whittenberg from Equifax Workforce Solutions. Details are below:
E-Verify Down to the Wire: Will Congress Shut It Down? (And Other Updates)
Date: Thursday, Aug. 13, 2015
Time: 2:30 PM EST
Duration: 30 minutes
The deadline for reauthorization of E-Verify is looming. Congress is likely to go right down to the wire, finalizing the needed legislation potentially only days before the Sep. 30 deadline.
In this half-hour session, we review the most likely scenarios for reauthorization based on past history, and provide updates on other recent developments that affect employers who use E-Verify.
- Reauthorization – what it is, why it happens, how often it happens
- Congress – likely paths to reauthorization, but what if…
- RIDE authorizations, signature-waived permanent resident cards, other updates
TO REGISTER, click here or here.
Section 613 of the Fair Credit Reporting Act (FCRA) requires that consumer reporting agencies (CRAs), when reporting a consumer report for employment purposes which contains public record information, which are likely have an adverse effect upon a consumer’s ability to obtain employment, must either follow strict procedures or send notice to the consumer. Both the law, and the Federal Trade Commission (FTC), are clear that CRAs can select either option and are not required to follow both 613(a)(1) and 613(a)(2). But the ridiculous amount of FCRA-related litigation has CRAs wondering…should I do both? I’m not legally required to do both, but should I have both strict procedures in place and send notice to cover all my bases from a litigation perspective? While this blog posting is not intended to offer legal advice, I am happy to discuss this broader issue with CRAs offline. For purposes of this blog, I will leave you with this nugget.
The FCRA does not define “at the time”, which is part of the notice provision of section 613(a)(1). The full section reads, “at the time such public record information is reported to the user of such consumer report, notify the consumer of the fact that public record information is being reported by the consumer reporting agency, together with the name and address of the person to whom such information is being reported;”. A recent district court opinion in the rocket docket, the 4th Circuit, provides a very generous reading of the notice provision. The case, Rodriguez v. Equifax Information Services, LLC (1:14-cv-01142) (E.D. Va., July 17, 2015), involves an employee who applied for a position with the Office of Personnel Management (OPM). Two relevant facts — the plaintiff’s security clearance was approved and he never actually received the notice. However, essentially held that Equifax Information Services had an appropriate process in place to provide notice to consumers. The process included sending notices by mail the following business day (and in some instances two business days later), after the report had been provided to OPM.
Key takeaways from the Court’s Memorandum Opinion (“Opinion”):
- The Court states that the “at the time” requirement is ambiguous (which is true) and there is “more than one reasonable interpretation of what that requirement means.” (Opinion, p. 9)
- The Court states that “Congress did not impose a ‘same time’ requirement with respect to the receipt of the notice; and in 2000, the Federal Trade Commission interpreted the ‘at the time’ requirement to permit the mailing” of such a notice. (Opinion, p. 9) This we already know and more specifically what the FTC says is, “A CRA may use first class mail or other reasonable means to notify consumers that it is providing public record information for employment purposes under subsection (a)(1).” (See, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations, p. 81).
- This takeaway is very helpful for CRAs using the notice option of section 613. The Court does not require parity with the method by which the notice is sent. Meaning, a CRA can send the notice by automated/electronic means to the employer and by mail to the consumer. The Court states that they “cannot conclude that the text of the statute requires such technological symmetry during periods of technological innovation so long as the system initiated, at the same time a report to OPM was initiated, a process that was designed to deliver notice to the consumer according to a reasonable, standard and accepted method of delivery.” (Opinion, p. 9)
Recently the Federal Trade Commission (FTC) issued a guide, Start with Security: A Guide for Business, which pulls from lessons learned from the 50+ data security enforcement actions that the FTC has announced. To be clear, these actions are settlements and not court orders. Nonetheless, the “ten lessons” they provide in the guide are worth reading and thinking about how they apply to your company. Below top ten lessons are (literally) taken from the FTC’s guide and I then add a few summary sentences:
- Start with security — when it comes to data collection, use and retention, less is better. As the guide says, “by making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road.” If you don’t need driver’s license information or Social Security numbers on a particular form…don’t collect them just to collect them.
- Control access to data sensibly — not all employees need to have access to everything, be it paper files, the network, administrative controls. Pull the reins on that horse, cowboy! Limit and restrict access to data, especially sensitive data.
- Require secure passwords and authentication — the word “password” is not a secure password. Enough said. Also, implement a policy to suspend or disable accounts after repeated log in attempts to reduce the risk of an attack being successful. Test for common vulnerabilities and widely known security flaws, such as “predictable resource location” where hackers can bypass the web app’s authentication screen and gain unauthorized access.
- Store sensitive personal information securely and protect it during transmission — in other words, be in it for the long haul and protect data at all stages. Make sure your company properly implements encryption and SSL protocols, and use industry-tested methods not some $9.99 summer special.
- Segment your network and monitor who’s trying to get in and out — limit access and have in place strong intrusion detection and prevention tools.
- Secure remote access to your network – remote access is a curse and a blessing, depending on how you look at it. It also challenges a company’s data security policies and procedures. Ensure endpoint security and have firewalls and updated antivirus software in place. Also, limit third party access to what is needed.
- Apply sound security practices when developing new products — if a company is pushing out a new mobile app or software, they need to ensure their engineers are trained in secure coding practices, don’t turn off SSL certification validation and test for common vulnerabilities. The FTC cites the Open Web Application Security Project as a resource for identifying commonly-known vulnerabilities. Finally, a big one for the FTC — do what you say you will do. In other words, if your company’s mobile app or software features specific privacy and security settings, the product needs to live up to those features/representations.
- Make sure your services providers implement reasonable security measures — in other words, company’s need to police their vendors to ensure their data security practices are reasonable. Security standards should be incorporated into the terms of service agreements and compliance should be audited.
- Put procedures in place to keep your security current and address vulnerabilities that may arise — have policies and procedures in place to update/patch third party software as well as to receive and act on security alerts.
- Secure paper, physical media, and devices — not all data is collected and maintained in electronic format. Data security applies to hard copy documents as well and confidential information there needs to be protected every bit as much as if it is in electronic form. When sensitive data is no longer needed, company’s should properly dispose of it by shredding, burning or pulverizing documents if paper documents. Throwing documents with sensitive personal information in the trash can is strictly verboten.
Not rocket science, but given the enforcement actions brought by the FTC, companies suffer from these mistakes and failures. For more details on each point above, and to learn about some of the companies impacted by these enforcement actions, click here to read the guide.
I came across this piece of information in the latest edition of E-Verify Connection and want to share it as it’s relevant to when employers complete section 2 of the Form I-9. According to the Department of Homeland Security (DHS), an increasing number of lawful permanent resident cards (a/k/a green cards) are being issued with the words “Signature Waived”. For an example of the card and to read the alert click here and click here.
Why is this relevant? Because employers shouldn’t outright reject such cards if presented as a List A document just because they aren’t signed by the individual. DHS is telling employers to accept them. As with any document(s) provided by an employee completing the Form I-9, the test is one of reasonableness. Assuming the document is on the Lists of Acceptable Documents, the employer representative completing the Form I-9 must physically examine each document presented by the employee for section 2 purposes and ask themselves, does the document reasonably appear to be genuine and does it relate to the employee presenting it? Oh, and the document cannot be expired unless you are dealing with an individual who has work authorization due to Temporary Protected Status (TPS), but that’s for another blog posting.
Nevada has removed the 7-year restriction on background screening company’s ability to report criminal conviction information for employment screening purposes. Which means that convictions can be reported without regard to a seven year look-back period. Such a restriction on the reporting of convictions is a state restriction, followed by a handful of other states. The federal Fair Credit Reporting Act (FCRA) allows for the reporting of convictions in a consumer report, regardless of a time period. Having said that, the reporting of “other adverse item(s) of information” is limited to seven years in the FCRA, with the exception of certain bankruptcies. See section 605(a) of the FCRA.
The bill, signed by Governor Bob Sandoval (R), went into effect June 9, 2015. See SB 409 for text of the legislation and note that it amends, in part, the consumer reporting chapter of Nevada Revised Statute section 598C.150(2).
A recent blog posting by the Federal Trade Commission (FTC) on data retention and disposal practices is the genesis of this blog. The posting talks about the importance of having a plan in place due to the potential that a natural disaster may visit your company, a hurricane or a flood, and what would happen with your online and offline customer data in the event a natural disaster? The FTC offers the following “data minimization and disposal tips:
- Take stock. Create an inventory of the personal information you have. That way, if your files are destroyed or lost in a natural disaster, you’ll know what information is involved.
- Scale down. Collect only what you need. For example, if there’s no business reason why you have to have someone’s Social Security number, don’t ask for it in the first place. Keep records only as long as you have a reason to maintain them. Don’t hold onto customer credit card information unless you have a business need for it.
- Lock it. Store personal information in the safest part of your building. If information is missing after a natural disaster, contact law enforcement. If possible – this is where your inventory helps – contact affected individuals so they can place a fraud alert on their credit reports.
- Pitch it. Properly dispose of what you no longer need. Shred, burn or pulverize paper records before discarding. If you use consumer credit reports for a business purpose, you may also be subject to the FTC’s Disposal Rule.”
I couldn’t agree more with the above bullet points. But let’s expand upon this topic and talk about background check reports used for employment or tenancy screening purposes and proper disposal. These reports, defined under the federal Fair Credit Reporting Act (FCRA) as consumer reports, must be disposed of in a specific way. Namely, they must be shredded, burned or pulverized if in hard-copy. If electronically stored, the electronic record should be wiped so that it cannot be reconstructed or recreated.
The FCRA’s Disposal Rule (“Rule”), which became effective in 2005, states that when a company’s data retention policy allows for the disposal of consumer reports (aka background check reports) which contain sensitive personal information about employees or tenants, they must be disposed of in a manner which protects against “unauthorized access to or use of the information.” (FCRA § 628). The FTC enforces the Rule. The Rule covers not only the background screening companies that provide the reports, but also the employers and landlords who use them.
The Rule requires practices that are reasonable and appropriate to the type of personal information retained and being disposed of. And I quote this directly from the FTC, “reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
- reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade association;
- reviewing and evaluating the disposal company’s information security policies or procedures.”
Note that section 628 of the FCRA provides for the issuance of regulations related to the disposal of records. If you want to read the actual Rule it can be found by clicking here, which takes you to 16 CFR Part 682.
New York City passed a local law to amend its administrative code to prohibit employment discrimination based on one’s arrest record or criminal conviction. Employers and background screeners take note. The legislation, the Fair Chance Act, passed City Council earlier this month (6/10/15) and Mayor Bill de Blasio is expected to sign it. Note too that the law impacts licensing and permits, but for purposes of this blog posting I will only review the sections related to employment screening. Also, note that it is being dubbed a Ban the Box law, but it is clearly so much more than that as a pure Ban the Box law would simply remove the question about one’s criminal history from the job application.
Who does the law affect and what does it do?
- It impacts private employers in New York City;
- It makes it an unlawful discriminatory practice for any “employer, employment agency or agent thereof” (background screeners take note of the agent language) to deny employment or take adverse action against any employee due to criminal convictions;
- Employers still need to abide, as they do in New York in general, by Article 23-A of the New York Correction Law which essentially requires an employer to tie the criminal history to the particular position through an individualized assessment;
- It makes it an unlawful discriminatory practice potentially to deny employment or act adversely with respect to an employee based on an arrest;
- It includes Ban the Box language in that an employer cannot make any inquiry, including on any form of application, regarding arrest or criminal accusation which does not lead to a conviction;
- Requires a conditional offer of employment before any inquiry or statement related to a pending arrest or criminal conviction record can be made and requires that if an adverse employment action is going to be taken, the individual must be provided a written analysis for the adverse action akin to an individualized assessment (again, reference Article 23-A of New York’s Correction Law for this too);
- It places restrictions on job advertisements which express limitations on a person’s arrest or criminal history as a condition or bar to employment; and,
- There are limited exceptions, tied to federal, state or local laws requiring a criminal background check or barring employment based on criminal history. It also does not apply to law enforcement job applicants.
This is a law that employers should take note given its breadth. It will take effect 120 days after enactment, meaning it will likely go into effect later this year. Also, if as an employer or background screener you are not already entirely freaked out (not a legal term) by this, note that there are also restrictions on an employer’s use of credit for employment screening purposes in New York City under the Stop Credit Discrimination in Employment Act.
Join me for a free webinar on Wednesday (June 10) at 1 pm EST. I will discuss the basics of implementing and maintaining a legally compliant background check program for employment screening purposes. The webinar is hosted by Crimcheck.com, a background screening company. The webinar is geared toward HR professionals, in-house counsel and others who are responsible for their company’s background check program.
Click here to register.
The webinar will cover:
- Steps employers must take before and after conducting a background check pursuant to the Fair Credit Reporting Act (FCRA).
- Common errors employers make when conducting background checks.
- FCRA litigation and how to mitigate your company’s risk.
- Ban the Box measures and how they could impact your company.
I hope you will join me to learn more about the legal requirements under the FCRA and state consumer protection laws regarding the use of background checks for employment screening purposes.