Although the FCRA allows employers to consider credit reports for employment purposes, state laws that are more protective of employee rights trump the federal law. Eight states (California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington) and at least one locality, the City of Chicago, limit the employers’ consideration of credit history in personnel decisions. And Colorado was just added to this list with its S.B. 18 that was signed into law on April 19, 2013. Aggressive legislative efforts are likely to continue. The most restrictive bill yet is pending before the New York City Council. It would prohibit employers from using credit reports in hiring except in few instances where such checks are required by law.
The recently introduced “Right to Know Act of 2013” (Assembly Bill 1291), would require any business that retains or shares personal information of California residents to provide, at no charge and within 30 days of receiving a request from the subject, all information retained about him/her, as well as the names and contact information for all third parties to whom that business has disclosed the information within the last 12 months. This legislation is a significant expansion of the rights provided under California’s 2003 Shine the Light law, which this bill would repeal.
During fiscal year 2012, the SEC’s Office of Investor Education and Advocacy closed 29,291 files relating to complaints, questions, and other issues received from investors, a decrease of 4,341 files compared to FY 2011. Complaints related to Ponzi and pyramid schemes were up 1,328%. A footnote to the data states that “the vast majority of these complaints related to a particular highly publicized SEC enforcement action.” Complaints related to specific market events were up 565% which too had a footnote. In this case, the vast majority of the complaints related to a particular highly publicized initial public offering…
The Federal Trade Commission (the “FTC”) interim final rule which became effective February 11, 2013 confirms that most service providers are not subject to the Red Flags Rule. The rule clarifies the meaning of “creditor” ensuring that its definition is consistent with the revised definition of that term in the amended Fair Credit Reporting Act (the “FCRA”). A “creditor” must develop and implement a written identity theft prevention program premised on identifying “red flags” of identity theft only if in the ordinary course of business, the “creditor” regularly: 1) obtains or uses consumer reports in connection with a credit transaction; 2) furnishes information to consumer reporting agencies in connection with a credit transaction; or 3) advances funds to or on behalf of a person, in certain cases.
However, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data. The FTC may pursue enforcement actions under the FTC Act when a company does not take reasonable privacy protection measures scaled to the risk level of their business practices.
In February 2013, identical bills aimed at reducing employment discrimination against individuals with criminal histories were introduced in the New Jersey Senate (S2586) and the New Jersey Assembly (A3837). Both bills propose the adoption of the Opportunity to Compete Act (the “Act”) which would impose multiple restrictions and requirements on employers in connection with seeking and using criminal background information about job applicants. If the Act is adopted, New Jersey will join a growing list of states, cities, and localities which have passed similar anti-discrimination legislation.
In July 2012, the newly-created Consumer Financial Protection Bureau (“CFPB”) under the Dodd-Frank Wall Street Reform and Consumer Protection Act assumed rulemaking and enforcement authority of the Fair Credit Reporting Act (“FCRA”) from the Federal Trade Commission (“FTC”).
Although more changes are likely to come, beginning January 1, 2013, businesses, including employers, and consumer reporting agencies, will be required to provide a new version of the “Summary of Rights” form to individuals before taking any adverse action based on the contents of a consumer report. Notably, the adverse action process that must be followed under the FCRA has not changed; the revisions are generally stylistic and substitute “CFPB” for references to the FTC. There is also an updated and expanded list of contacts included at the end of the form.
To download the PDF versions of the updated Summary of Rights, and forms regarding the obligations of users and furnishers of consumer reports, click on the links below.
On December 7, 2012, the Federal Trade Commission (the “FTC”), submitted its written testimony to the U.S. Civil Rights Commission on the use of criminal background checks in employment decisions. The Commission intends to apply the testimony in reviewing the EEOC’s guidance that an employer’s use of an individual’s criminal history in making employment decisions may, in some instances, violate the prohibition against employment discrimination under Title VII of the Civil Rights Act of 1964. The EEOC suggests that minorities are disproportionately likely to have criminal records, which means that when employers use criminal background reports, minorities are possibly affected more than other groups.
Notably, in its testimony, the FTC, which shares the authority for enforcing the Fair Credit Reporting Act (“FCRA”) with other federal agencies, including the Consumer Financial Protection Bureau (“CFPB”) does not say anything substantial about civil rights.
The testimony does, however, provide a good recap of the legal rights and obligations prescribed by the FCRA when consumer reports are used for employment purposes, and highlights the FTC’s law enforcement efforts in this area. As its starting point, the testimony reminds that the FCRA imposes several requirements on consumer reporting agencies (“CRAs”) that provide consumer reports to employers, which include ensuring that the employer is in fact using the report for a permissible purpose. In the employment context, permissible purposes are limited to “employment, promotion, reassignment, or retention.” Thus, employers may only obtain a consumer report about applicants or employees, and may not simply use their status as employers to get information about competitors, opposing parties in litigation, or anyone else. Relatedly, under the permissible purpose requirement, CRAs must have reasonable procedures in place to ensure that the consumer report users are who they claim.
The CRAs also must comply with certain procedural requirements, such as giving all users of consumer reports a notice that informs them of their duties under the FCRA. The CRAs must obtain certifications from the employer that: (1) it is in compliance with the FCRA; and (2) it will not use consumer report information in violation of any federal or state equal employment opportunity laws or regulations.
Further, the FCRA mandates that CRAs follow “reasonable procedures to assure maximum possible accuracy of the information [15 U.S.C. § 1681e(b)].” It does not establish, however, a requirement of absolute accuracy and does not require that the CRAs guarantee that the reports are error-free.
If a CRA provides a report that has negative information about an applicant or employee that is based on public records — for example, tax liens, outstanding judgments, or criminal convictions — that CRA either has to notify the applicant or employee directly that it has provided the information to the employer, or has to adopt strict procedures to ensure that the information is complete and up to date [15 U.S.C. § 1681k(a)(1)-(2)]. Regardless of whether a CRA opts to provide the notice or adopt strict procedures, FCRA § 1681e(b), as noted above, requires CRAs to have “reasonable procedures to assure maximum possible accuracy.”]
The FCRA also places specific obligations upon employers to provide certain disclosures to the applicants or employees, and obtain their written authorization before using consumer reports. If an employer intends to take an adverse action based either in whole or in part on the information in a consumer report, such as denying a job application, reassigning or terminating an employee, or denying a promotion, the employer must provide the applicant or employee with a pre-adverse action notice before taking the action. The pre-adverse action notice must include a copy of the consumer report on which the employer is relying and a summary of rights under the FCRA. The form, which recently was reissued by the CFPB, describes the consumers’ rights under the FCRA, including the right to obtain copies of their consumer reports and dispute information.
Once the employer has taken the adverse action, it must give the applicant or employee a notice that the action was based on information in the consumer report. This adverse action notice must include the name, address, and phone number of the CRA that supplied the report, and must inform the applicant or employee of his or her right to dispute the accuracy or completeness of any information in the report, and the right to obtain a free report from the CRA upon request within 60 days. Even though a consumer has the right to dispute errors, the CRAs and furnishers of information to the CRAs typically are allowed thirty days to investigate the consumer’s dispute, and the information may not be corrected in time to affect the consumer’s consideration for a particular job.
The FTC points out that it has pursued an aggressive law enforcement program to ensure that CRAs, furnishers, and consumer report users (including employers) comply with their responsibilities under the FCRA, providing details of recent lawsuits for FCRA violations that resulted in civil penalties against CRAs ranging from $800,000 to $2.6 million. Its recent actions against employers included charges against railroad contractors for failing to provide pre-adverse action and adverse action notices to employees who were fired and job applicants who were rejected based on information in their consumer reports. Under negotiated settlement orders, the companies were required to pay penalties in the amount of $1,000 per violation, and are subject to specific injunctive, record-keeping, and reporting requirements to ensure compliance with the FCRA.
The FTC’s enforcement actions and the latest wave of class action lawsuits enforce that FCRA compliance must be a priority for employers, CRAs and furnishers of information alike.
Effective July 1, 2012, Vermont will be the eighth state to regulate the use of credit-related information for employment purposes. Although similar in many ways to laws already enacted in California, Connecticut, Hawaii, Illinois, Maryland, Oregon and Washington, Vermont’s requirements under Act No. 154 exceed those of other state laws as they prohibit even exempt employers from using an applicant or employee’s credit history as the “sole factor” in employment decisions. Additionally, Vermont exempt employers who take adverse action based in part on a credit history must return the report to the individual or destroy it altogether. Neither the Fair Credit Reporting Act (FCRA) nor any of the other similar state laws imposes such a requirement.
Generally, the Act prohibits employers from inquiring into an applicant’s or employee’s credit report or credit history, and further bans employers from discriminating against or making employment decisions (e.g. hire, fire, alter the compensation or any other term or employment condition) based on a credit report or credit history. Notably, credit history in this context includes credit information obtained from any third party that reflects or pertains to an applicant’s or employee’s “borrowing or repaying behavior, financial condition or ability to meet financial obligations,” even if that information is not contained in a “credit report.”
The trend in restricting credit report use for employment purposes will continue as several other states and the federal government are considering comparable legislation. Soon to follow most likely will be New Jersey. In May 31, 2012, the Senate approved S455 that would prohibit employers from seeking credit checks on employees or applicants under most circumstances. A parallel bill (A2840) was introduced by the Assembly on May 11, 2012, and a similar bill (A704) in December 2011.
- Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
- Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
- Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
- Security. Consumers have a right to a secure and responsible handling of personal data.
- Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
- Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
- Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure that they adhere to the Consumer Privacy Bill of Rights.
Effective January 1, 2012, California SB657, known as The California Transparency in Supply Chains Act of 2010, will mandate retail sellers and manufacturers doing business in California with annual gross receipts exceeding $100 million to conspicuously and clearly disclose their efforts and policies for ensuring that their supply chains are free from human trafficking and slavery.
The targeted companies are required to make these disclosures on their websites; if a company does not have a website, the information must be provided in writing within 30 days of a consumer request. Although the Act does not mandate any specific language, the disclosure must be easily understood and explain the procedures, if any, that the company has in place, in reference to:
- Evaluating and addressing the human trafficking and slavery risks in its product supply chains (disclosure must state whether or not the company is using a third-party to assess these risks);
- Requiring direct suppliers to certify that the materials used in the products comply with slavery and human trafficking laws in the countries in which they are doing business;
- Conducting supplier audits to evaluate compliance with company standards on trafficking and slavery (disclosure must state whether or not the audits are independent and unannounced);
- Maintaining accountability standards and procedures for employees or contractors who fail to meet company standards regarding slavery and human trafficking;
- Training employees and managers who have direct responsibility with supply chain management on the mitigation of human trafficking and slavery risks.
While the Act has gained significant attention by California companies, its expansive jurisdictional provisions make it applicable to many large retail sellers and manufacturers that are organized or domiciled outside of California, as the $100 million gross receipts threshold for compliance is based on worldwide sales revenue. And since the threshold is relatively low and set in dollar amounts, it can be as triggered by earning less than 1% of that revenue in the state, owning some property or having even one employee or contractor here (see CA Revenue and Taxation Code Section 23101 for a full definition of “doing business in California.”)
California SB657 is a disclosure law and does not require companies to do things differently, but its deceptive simplicity brings into focus the importance of proactive risk management. And for many companies, it is a call to action to move beyond this law’s mere disclosure compliance and implement or strengthen their risk management programs not only for brand equity protection but also in recognition of their corporate social responsibility.
In our products portfolio, SI offers specialized background investigations for vendor/third-party engagements which include elements and search strategies designed to find, among other criteria, indications or records of slavery and human trafficking in supply chains.
The Act is a disclosure law and does not impose any substantive regulation on supply chain activities. Nor, unlike the “conflict minerals” provisions of the Dodd-Frank regulatory reform law, 9 does it impose any affirmative obligations on companies to perform diligence regarding the existence of slavery or human trafficking in their supply chains. Nonetheless, as a matter of corporate social responsibility as well as public image, companies may wish to consider whether it is appropriate to adopt policies or procedures to mitigate the risk that slavery or human trafficking exist in their supply chains.