On May 25, 2013, SB 127 was signed into law adding Nevada to the fast-growing list of states that restrict employment-purpose credit reports. Nevada’s new law, which goes into effect October 1, 2013, follows closely the recently enacted legislation in Colorado. Eight other states (California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington) have similar laws that limit the employers’ use of credit history in personnel decisions. Aggressive legislative efforts are likely to continue, as Florida, New Jersey, and Pennsylvania are considering similar legislation. But the most restrictive bill yet is pending before the New York City Council. It would prohibit employers from using credit reports in hiring except in few instances where such checks are required by law.
On May 13, 2012, Minnesota became the latest state to restrict criminal background checks for employment purposes with its Criminal Background Check Act (S.F. No. 523). Under the new law, which will go into effect on January 1, 2014, public and private employers may not inquire about, consider or require disclosure of an applicant’s criminal history until after the applicant has been granted an interview or before a conditional offer of employment is made. Since 2009, Minnesota law prohibited only public employers from asking about criminal records on job applications.
According to a report from the National Employment Law Project (the “NELP”) dated in April 2013, six states and 50 localities have adopted “Ban the Box” legislation. And pending before Congress is the federal HR 6220 or “Ban the Box Act” introduced last July by Representative Hansen Clarke (D-MI-13) which similar to these state and local laws, would make it illegal for an employer to ask about criminal history in an interview or on an employment application.
On May 7, 2013, the Federal Trade Commission (the “FTC”) announced the results of its testing operation, revealing that 10 companies out of the 45 that the FTC approached seemed to be willing to sell consumer information without complying with the Fair Credit Reporting Act (“FCRA.”) The FTC reported that its staffers asked the companies about buying the information for purposes such as determining creditworthiness, suitability for employment or eligibility for insurance.
Six of the 10 companies appeared willing to sell consumer information for employment purposes, two for insurance decisions and two for pre-screened lists of consumers to use in making firm offers of credit. The data brokers were contacted again by the FTC, but this time in the form of letters, warning that their practices may violate the FCRA. The warning letters are part of an ongoing international effort spearheaded by the Global Privacy Law Enforcement Network, an informal group of consumer protection and privacy agencies.
The Consumer Financial Protection Bureau (the “CFPB”) announced that the nation’s largest database of federal consumer financial complaints is live and open for public viewing.
The CFPB’s recent launch significantly expands the Consumer Complaint Database from about 19,000 credit card complaints in 2012 to more than 90,000 complaints on mortgages, student loans, bank accounts and services, other consumer loans, and credit cards. It also includes product sub-categories, such as reverse mortgages, conventional fixed mortgages and adjustable mortgages, and home equity loans or lines of credit. Complaints are entered only after the company provides a response or after it has had the complaint for 15 days, whichever comes first. The CFPB states that while the allegations in the complaints are not verified, a commercial relationship between the consumer and the company is substantiated before the complaint is added to the database.
According to the CFPB, the database now has more than one million data points covering approximately 450 companies, and includes information such as the type of complaint, date of submission, consumer’s ZIP code, and the company’s name. The database also provides information about the actions taken on the complaint, i.e., whether the company’s response was timely, how the company responded, and whether the consumer disputed the response.
To file a complaint with the CFPB, consumers can:>
Last month, the SEC issued a report that makes it clear that companies can use social media outlets such as Facebook and Twitter to announce key information in compliance with Regulation Fair Disclosure (“Regulation FD”) as long as investors have been alerted about which social media will be used to disseminate the information.
On April 10, 2013, the Securities and Exchange Commission (the “SEC”) and the Commodity Futures Trading Commission (the “CFTC”) issued joint Identity Theft Red Flags Rules requiring broker-dealers, mutual funds, investment advisers, and certain other entities to adopt programs to detect red flags and prevent identity theft. Notably, certain state laws may also require the adoption of similar guidelines.
Additionally, entities that retain service providers must ensure that the providers conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. A financial institution may be found in violation of the Rules if it fails to exercise appropriate and effective oversight over the engagement.
Although the FCRA allows employers to consider credit reports for employment purposes, state laws that are more protective of employee rights trump the federal law. Eight states (California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington) and at least one locality, the City of Chicago, limit the employers’ consideration of credit history in personnel decisions. And Colorado was just added to this list with its S.B. 18 that was signed into law on April 19, 2013. Aggressive legislative efforts are likely to continue. The most restrictive bill yet is pending before the New York City Council. It would prohibit employers from using credit reports in hiring except in few instances where such checks are required by law.
The recently introduced “Right to Know Act of 2013” (Assembly Bill 1291), would require any business that retains or shares personal information of California residents to provide, at no charge and within 30 days of receiving a request from the subject, all information retained about him/her, as well as the names and contact information for all third parties to whom that business has disclosed the information within the last 12 months. This legislation is a significant expansion of the rights provided under California’s 2003 Shine the Light law, which this bill would repeal.
During fiscal year 2012, the SEC’s Office of Investor Education and Advocacy closed 29,291 files relating to complaints, questions, and other issues received from investors, a decrease of 4,341 files compared to FY 2011. Complaints related to Ponzi and pyramid schemes were up 1,328%. A footnote to the data states that “the vast majority of these complaints related to a particular highly publicized SEC enforcement action.” Complaints related to specific market events were up 565% which too had a footnote. In this case, the vast majority of the complaints related to a particular highly publicized initial public offering…
The Federal Trade Commission (the “FTC”) interim final rule which became effective February 11, 2013 confirms that most service providers are not subject to the Red Flags Rule. The rule clarifies the meaning of “creditor” ensuring that its definition is consistent with the revised definition of that term in the amended Fair Credit Reporting Act (the “FCRA”). A “creditor” must develop and implement a written identity theft prevention program premised on identifying “red flags” of identity theft only if in the ordinary course of business, the “creditor” regularly: 1) obtains or uses consumer reports in connection with a credit transaction; 2) furnishes information to consumer reporting agencies in connection with a credit transaction; or 3) advances funds to or on behalf of a person, in certain cases.
However, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data. The FTC may pursue enforcement actions under the FTC Act when a company does not take reasonable privacy protection measures scaled to the risk level of their business practices.