April 18, 2016
by Rebecca E. Kuehn
Responsible employers screen applicants and employees to protect the safety and welfare of their workforce and the community and to comply with state and federal law. Working with background screening companies, employers are able to identify and address possible risks. But this responsible practice may lay the groundwork for a class action lawsuit if an employer does not mind the details.
Background checks are covered by the Fair Credit Reporting Act (FCRA). Under the FCRA, an employer seeking to obtain a background check on an applicant or employee must follow certain requirements that are unique to employment: written disclosure; written consent; and, where applicable, pre-adverse action notices. Because these requirements may apply to each screening, any failure in compliance is an attractive target for class action attorneys because the violations may be numerous and similar. The best illustration of this risk is in the recent spate of class action cases concerning the written disclosure requirement.
The FCRA requires that, before an employer can obtain a report, it must provide the consumer with a “clear and conspicuous disclosure…in writing” that a consumer report may be obtained for employment purposes. The disclosure must be provided to the consumer “in a document that consists solely of the disclosure.” This last provision is the one that trips many employers up – usually because they are trying to combine other relevant notices and helpful information with the required disclosure. One word of advice: Don’t.
Multiple class actions have been filed around the country against employers for including additional provisions in their written disclosures. Some examples include:
Waivers of claims/releases from liability
State law disclosures and waivers
Explanation of employer’s screening policies
Privacy policy
At-will language and hours of work
A number of cases are still in litigation, but several have settled for sums ranging from $1.75 million to $13 million. This is because the exposure can be very high: the FCRA permits statutory damages ranging from $100 to $1,000 per violation (plus attorney’s fees), and current case law has permitted these cases to proceed even in the absence of any actual damages.[1] Unlike other consumer protection statutes, the FCRA does not contain a cap on class action damages.
The lesson for employers is to review the forms that you are using, including any sample forms provided by your screening provider. Make sure that the disclosure forms do not contain any “extras.” Note: the FCRA specifically allows an employer to include the written authorization with the written disclosure, and employers may prefer to collect the consumer’s signature on a combined disclosure/authorization document as proof that the applicant was provided with the written disclosure. Just be careful that the addition of the authorization does not come with any unwanted baggage.
Rebecca E. Kuehn (rkuehn@hudco.com) is a partner in Hudson Cook, LLP’s Washington, D.C. office. Ms. Kuehn’s practice is concentrated on regulatory issues surrounding the collection, sharing, and use of consumer data, and she counsels financial institutions, consumer reporting agencies, service providers, and others in complying with federal and state laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and other privacy laws and regulations. She represents clients before federal and state agencies, particularly the Federal Trade Commission and Consumer Financial Protection Bureau, in investigations and other proceedings, and has served as an expert witness in cases involving the Fair Credit Reporting Act.
[1] The question of whether a plaintiff has standing to bring a claim for statutory damages in the absence of any injury in fact is currently pending before the United States Supreme Court.
January 25, 2016
The on-going discussion about what is permissible in a disclosure and authorization notice (hereinafter “notice”) for Fair Credit Reporting Act (FCRA) purposes continues. In a recent federal district court case in the Northern District of California (Thomas Lagos v. The Leland Stanford Junior University, 5:15-cv-04524), the judge denied Defendant’s motion to dismiss on the grounds that the state disclosures included with the notice could potentially mean it is not a “clear and conspicuous disclosure.”
Under the FCRA, employers have an obligation to provide the job applicant with a “clear and conspicuous” written notice, in a stand-alone document, explaining that a background check will be conducted for employment screening purposes. Thereafter the employer must secure the job applicant’s written authorization for that background check. (15 U.S.C. § 1681b(b)(2)(A)) Separately, several states, including California, Minnesota, Oklahoma and New York, require the employer to provide certain additional notices with respect to a pre-employment background check to advise residents of additional rights under state law.
Litigation Posture
The plaintiffs’ bar has been attacking the validity of the notices employers provide on the grounds that they are not a “clear and conspicuous disclosure” in a stand-alone document as the FCRA requires. This hinges on the argument that certain language in the notice is extraneous, and courts have held that in certain situations some language in the notice, such as a release of liability, is extraneous.
Stanford Case
This case is currently stayed pending the Supreme Court’s decision in Spokeo v. Robins. However, earlier in the proceedings the judge refused to grant Defendant’s motion to dismiss stating that the Plaintiff alleged facts sufficient to state a facially plausible claim for relief. Stanford’s notice included seven state law notices informing applicants of additional rights under state law. It also included a sentence related to the offer of employment. The judge stated that the state disclosures combined with this one sentence “plausibly” violated section 1681b(b)(2)(A)(i)’s requirement for the notice to be in a document consisting “solely of the disclosure” because they are not “‘closely related’” to the FCRA disclosure. The judge stated that “it therefore is unclear how the state law notices contribute to the disclosure required by the FCRA.” (Order Denying Motion to Dismiss, p. 4)
Stanford’s notice included the following in this order: the Consumer Disclosure and Authorization Form (separate page); Additional State Law Notices (CA, ME, MA, MN, NJ, NY, WA) (on two, separate pages); Authorization of Background Investigation (separate page); A Summary of Your Rights Under the Fair Credit Reporting Act; California summary of rights; New Jersey summary of rights; New York Article 23-A; Washington summary of rights.
Montserrat Miller is a partner in the Privacy and Consumer Regulatory; Immigration; and Government Affairs Practice Groups at Arnall Golden Gregory. She assists clients with privacy and data protection-related matters, including counseling and defending companies regarding their compliance under the Fair Credit Reporting Act (FCRA), Driver’s Privacy Protection Act, Gramm-Leach-Bliley Act, Children’s Online Privacy Protection Act and state data breach statutes. Ms. Miller’s practice includes a special emphasis on the use of criminal and credit history information and compliance with the FCRA, Title VII of the Civil Rights Act of 1964 and state laws which impact the use of background checks for employment screening and tenancy purposes.
November 5, 2015
by Ronald Raether, CIPP/US and Mark Mao, CIPT & CIPP/US, Troutman Sanders

Cyber breaches continue to demonstrate that people are the greatest vulnerability for even the most sophisticated organizations. Although it is easy to feel prepared by talking about firewalls, detection software, and encryption methods, employees continue to be the easiest means for hackers to gain access. Accounting for the human factor requires that the organization take a holistic approach. Human nature should be factored into all aspects of data management, including product planning, incident response, and breach litigation.
Yes, Your Organization Can Survive Human Error
There is an increasing appreciation for how a data breach does not necessarily imply that an organization failed to adhere to the requisite standard of care. For example, in the regulatory context, the Federal Trade Commission (FTC) announced in August 2015 that it would not take any enforcement action against Morgan Stanley for an insider cyber breach. The incident involved Morgan Stanley allegedly configuring the access controls for one limited set of reports improperly, but correcting the problem as soon as it became aware of it.
The FTC was satisfied with Morgan Stanley’s efforts, noting: “[Morgan Stanley] had a policy limiting employee access to sensitive customer data without a legitimate business need, it monitored the size and frequency of data transfers by employees, it prohibited employee use of flash drives or other devices to download data, and it blocked access to certain high-risk apps and sites.” In closing, the FTC hinted that it might not pursue further action if an organization suffers a “human error” but had reasonably appropriate policies in place.
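The controls the FTC credited (a need-to-know access policy, monitoring of the size and frequency of employee data transfers, and a block on removable media) are easy to state and easy to leave unimplemented. As an added example, not Morgan Stanley’s, the FTC’s, or the authors’ own tooling, the following Python script runs those three checks over a handful of constructed transfer audit records. The record format, the role-to-dataset policy table, the thresholds and the sliding-window size are all assumptions for illustration; a real deployment would read them from the organization’s DLP or file-access logs and tune the thresholds to observed baselines.

```python
"""Insider-transfer detector over constructed audit records (added example).

Models the three controls the FTC credited: a need-to-know access policy,
monitoring of the size and frequency of employee data transfers, and a
block on removable media. Field layout, policy table and thresholds are
illustrative assumptions, not any organization's real configuration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, dataset,
# bytes transferred, destination. "reports" is the sensitive dataset.
SAMPLE_LOG = """\
2015-01-05T09:12:00 alice reports 1200000 internal-share
2015-01-05T09:20:00 alice reports 900000 internal-share
2015-01-05T10:01:00 bob marketing 300000 internal-share
2015-01-05T22:45:00 carol reports 52000000 usb:E:
2015-01-05T22:47:00 carol reports 48000000 usb:E:
2015-01-05T22:49:00 carol reports 51000000 usb:E:
2015-01-05T22:51:00 carol reports 49000000 usb:E:
2015-01-06T08:30:00 bob reports 100000 internal-share
"""

# Assumed need-to-know policy: which role may touch which dataset.
ROLE_OF = {"alice": "advisor", "bob": "marketing", "carol": "advisor"}
ALLOWED = {"advisor": {"reports"}, "marketing": {"marketing"}}


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, size, dest = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "dataset": dataset, "size": int(size), "dest": dest})
    return records


def detect(records, max_bytes_per_window=100_000_000, max_events_per_window=3,
           window=timedelta(minutes=10), blocked_dest_prefixes=("usb:",)):
    """Return a sorted list of (user, reason) findings for the three controls."""
    findings = set()
    by_user = defaultdict(list)
    for r in records:
        # Control 1: access outside the role's need-to-know set.
        role = ROLE_OF.get(r["user"], "")
        if r["dataset"] not in ALLOWED.get(role, set()):
            findings.add((r["user"], "access outside need-to-know policy"))
        # Control 3: transfer to a prohibited (removable) destination.
        if r["dest"].startswith(blocked_dest_prefixes):
            findings.add((r["user"], "transfer to prohibited device"))
        by_user[r["user"]].append(r)
    # Control 2: volume and frequency over a sliding time window per user.
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            in_window = recs[start:end + 1]
            if len(in_window) > max_events_per_window:
                findings.add((user, "transfer frequency above threshold"))
            if sum(r["size"] for r in in_window) > max_bytes_per_window:
                findings.add((user, "transfer volume above threshold"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

On the sample data, alice’s two small in-policy transfers produce nothing; bob is flagged once for touching the reports dataset outside his role; carol is flagged three times, for four transfers in six minutes, for roughly 200 MB in that window, and for writing to a USB device. The point of keeping the policy table and thresholds as data rather than code is that they are exactly what a regulator or class counsel will ask to see alongside the written information security program.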
Similarly, in Lozano v. Regents of the University of California, BC55419 (L.A. Super. Ct., filed April 9, 2013), the plaintiff sought $1.25 million in damages against the UCLA health system, arguing that her medical records were improperly accessed by the current romantic partner of her ex-boyfriend, who allegedly used the credentials of a doctor to access and then publish plaintiff’s personal health information (PHI). Plaintiff argued that the health system failed to adhere to the requisite standard of care by not requiring a second form of security for access. UCLA disagreed, arguing that it used security protocols consistent with existing standards and that it should not be held responsible for “inside jobs.”
On Sept. 3, 2015, the jury agreed with UCLA, finding it was not legally liable for the breach. In business-to-business contexts, courts have also found that a well-prepared organization may not be negligent when accounts are compromised. For example, the court in Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611, 613-614 (8th Cir. 2014) found the bank’s security protocols adequate despite an alleged account takeover. The lesson of these relatively new cases is that organizations are not necessarily legally liable just because they suffer an incident as a result of human error.
Surviving The Human Factor
It is natural for people to panic and blame each other in a major crisis.
A well-prepared organization should be prepared not only technologically, but also for human tendencies. First, well-prepared organizations should have written information security programs (WISPs) written in plain language as a guide for their employees. Regulators ask for WISPs almost as a matter of course. But a WISP should be descriptive as well as prescriptive: if it does not actually describe how the organization handles data, it will not give employees the guidance they need.
Instead, the policies should reflect the practical realities of the business and describe the requirements and controls in a way that employees can understand and follow. Otherwise, the policies only become the standard by which regulators and class counsel show that the company failed to act reasonably. It is therefore critical that organizations map out their technology and take a data inventory when drafting their WISPs, which should also accord with their outward-facing privacy statements.
Organizations should interview both business and IT personnel to understand how they handle data. Indeed, WISPs should be tailored to the culture of the company so that compliance can be expected. A policy using common language, as opposed to legalese, will generally be best. Too often WISPs are written entirely by just the legal department or the technologists. If written by attorneys without meaningful technological experience, a WISP can miss important technical issues. WISPs written entirely by technologists can be overly technical and difficult for others to follow. Both legal and IT should therefore participate in the drafting process.
Without meaningful engagement by all stakeholders, it is too easy for drafters to protect only their own interests. In such situations, it is not uncommon to find employees admitting that they did not or could not follow the WISP when questioned during investigations or in a deposition.
Second, sufficient training is an important factor in a sound compliance program. Recent cases demonstrate that breaches often start with some form of human error. The most frequent attack vectors remain non-technical, such as unauthorized system access, misuse of privileges, use of stolen credentials, social engineering, and bribery and embezzlement. A common example is “spear phishing.” An employee with sufficiently high privileges is targeted with an email asking for “help” that appears to come from another known employee in the organization. Once the employee clicks the link provided, malware is loaded onto his computer and the attacker gains access to critical parts of the organization.
Technology controls (such as intrusion detection devices or sound access controls) can limit what the attacker can do, but without appropriate policies and proper training, even organizations with strong technological safeguards may be criticized for the unauthorized access, which in turn creates legal exposure.
Third, compliance needs to be tested and audited. Testing and auditing will serve as a regular reminder to employees and create awareness of emerging trends and threats. Auditing should include tests and practice runs, so that key personnel and employees can act rather than react when a real cyber incident occurs. Without meaningful practice, employees may be more inclined to blame each other, finger-point or attempt to hide facts which may implicate them rather than doing what is best for the company. Employees should get familiar with how to isolate incidents, preserve electronic evidence, handle public inquiry, and defer to responsible personnel.
Regular audits will remind employees to stay current on their training and obligations, and to be mindful of potential threats. As Morgan Stanley demonstrated, a well-managed breach contributed to the FTC deciding not to take an enforcement action.
Conclusion
The question for most organizations these days is not whether they will be breached, but when. As the cases teach us, even the best prepared organizations cannot prevent malicious insiders and human error. However, when intruders breach an organization well-equipped with proper policies, training, and technology, it will be much more difficult for plaintiffs to claim that the organization should have any legal liability.
January 20, 2015
By guest writer Joseph Rubin, Counsel to Arnall, Golden and Gregory, LLP
The years ahead promise a lot of legislative and regulatory activity on a range of fronts. While we expect that the parties in Congress will fight over “big” issues like health care and immigration, both the Republican majority in the House and Senate and the Democratic President want to accomplish some goals over the next two years, and they will need buy-in and cooperation from each other to do so.
This legislative and regulatory push-and-pull will present a number of challenges and opportunities for the business community: challenges in that regulations and legislation could intentionally or unintentionally impose costs on businesses and operations. However, there will also be opportunities to help “shape” these proposals as they move forward.
Considerations about 2016 and positioning their parties for the Presidential and Senate races are going to drive most of the big-picture legislative considerations of both parties over the next two years. Each party will try to take votes on issues that highlight its priorities (lower taxes for the Republicans and environmental protection for the Democrats, for example) and embarrass the other party. However, each party still wants to demonstrate the ability to “govern,” so it is unlikely that these fights will stymie efforts to enact legislation where possible.
In other words, the conventional wisdom is that this Congress is not going to accomplish much, given the very conservative House, the President’s immigration Executive Order and the focus on positioning for 2016. However, we expect that this Congress could be successful on a bipartisan basis in passing a number of bills in important areas. In particular, we anticipate that Congress and the White House will reach agreement on many bills that make the “trains run on time,” such as a budget and appropriations and the Medicare “doc fix.” Congress may also be able to pass several “nice to have” bills, such as data breach notification and reauthorization of the Elementary and Secondary Education Act.
There are several areas where Congress is likely to take a confrontational approach to issues with the Administration, including:
- The Affordable Care Act
- Consumer Financial Protection Bureau
- Energy and Environmental issues, including Keystone approval and tying the hands of the EPA
- Policy riders that seek to limit initiatives that federal agencies can fund or pursue
- Oversight and Investigations
- Immigration
Areas of cooperation could include:
- Trade
- Tax reform
- Elementary and Secondary Education reauthorization
- Medicare “doc fix”
- Data breach notification
- Technology issues
- Housing finance reform (Fannie Mae and Freddie Mac)
For simplicity’s sake, the types of bills that we expect Congress to take up are broken into several categories:
Legislation to repeal the Affordable Care Act and repeal or drastically reform the Dodd-Frank Act, along with other bills that are designed to force the other party to take an embarrassing vote, are going to be plentiful in this Congress.
- High profile, big ticket legislation, such as tax reform
We expect that there will be efforts to try to move legislation on a bipartisan basis on issues like tax reform and housing finance. The willingness of Republicans to make compromises with the Administration to get this type of legislation passed will likely depend in large part on their perceived electoral prospects in 2016 – if Republicans believe that they have a real chance of keeping the Senate and taking over the White House, that may reduce the likelihood of moving this type of legislation because they anticipate better outcomes with a Republican President. However, if they believe that Republicans may not only lose the White House, but the Senate as well, there may be a strong push to try to pass legislation before the election.
- “Keeping the Trains Running”
The third category of bills that we expect to see are important bills that demonstrate that Congress can keep the trains running – the budget and appropriations, as well as expiring provisions like the Medicare “doc fix” – where if Congress doesn’t act, the results are significant. A failure to pass these bills can be embarrassing and demonstrates a lack of an ability to “get things done.”
We also expect that these bills will be potential magnets for “compromise” provisions as they head to the Floor – bipartisan agreement is necessary to get to 60 votes to move these bills. This presents potential opportunities to have provisions added or removed from the underlying legislation. In addition, it also presents possible challenges because amendments may be sought that could be harmful to client interests.
Another category of bills are those that are “nice to have,” that a Member of Congress or constituency group feels is important. Here, there are two categories – high profile bills, like data breach notification legislation, patent litigation reform or telecommunications reform, which both the House and Senate Commerce Committees have indicated that they want to take up, as well as bills that are really only followed closely by certain groups, such as proposals to reform the EEOC.
The likelihood of bills like these passing is relatively high – they are below the radar, but a constant stream of bills sent to the President demonstrates an ability to govern and compromise for both parties.
While Congress will try to aggressively pass bills that the President has vowed to veto, such as changes to the Affordable Care Act and immigration legislation, and the President will likely pursue regulatory initiatives that Congress does not like, such as environmental restrictions, we believe that the Congress and the Administration will likely try to work together to find common ground in areas where they can.
The 114th Congress is going to be very active and very challenging, with lots of moving parts in Congress and the regulatory agencies. This presents both opportunities, for example to use a pending bill or regulation as a way to roll back a regulatory challenge that your company may be facing, and challenges, as regulations may stymie business opportunities. Keeping abreast of those moving parts is difficult, and knowing when to take advantage of them or how to react can be hard to judge. But ignoring them leaves the regulatory environment that your business will face in the hands of someone else.
Joseph Rubin, Counsel to Arnall, Golden and Gregory, is a 20 year public policy and legal affairs veteran. He focuses his practice on representing companies, particularly financial institutions and non-financial lenders, before Congress, regulatory agencies and in compliance matters.
For further information, please contact Joe at 202 557-4180 or Joe.Rubin@AGG.com.
June 24, 2014
From guest writer, Brian Lamoureux, Esq., Partner at Pannone Lopes Devereaux & West LLC
“Hi, Brian – Please see this tweet sent by someone we were just about to hire. I can comfortably state that we do not want to hire him because of this vulgar tweet. Can we decide not to hire him because of this?”
This is an actual question one of my clients emailed me recently. After confirming that the tweet did not suggest that the potential employee was part of a protected class, I told my client that they were free to pass this person over. This was not a very difficult decision. But, it shows that human resource professionals are struggling with how social media can (and should) be used to find, screen, and discipline employees.
In 2013, almost 40% of employers used social media to screen candidates, according to a CareerBuilder study. Interestingly, 43% of those employers found information on social media that disqualified candidates, whereas only 19% found information that influenced them to hire a candidate. This disparity in favor of disqualifying candidates suggests that employers and potential employees need to understand that social media poses risks for each of them.
For employees, the risks are obvious. We have all seen social media posts containing poor grammar, showing poor judgment, lack of discretion, laziness, or even criminal activity. Given that employers are using social media information more often to rule candidates “out” than to rule them “in,” candidates need to proceed extra cautiously when behaving online.
For employers, the risks are primarily legal in nature. Using social media to screen candidates can unintentionally provide information to employers about candidates that the employers could not get by asking the candidates. For example, a picture of a woman on Facebook with triplets in her arms suggests (but does not prove, of course) that she’s a mom with her hands full, and therefore perhaps unwilling to put in long hours. Or, a picture of a man in a wheelchair could suggest (but, again, does not prove) that he is disabled and would need reasonable but expensive accommodations. If the hiring manager sees these pictures and decides not to interview or hire either of these candidates, there is a risk that the candidates could make a discrimination claim.
Thus far in my practice, these issues have been largely theoretical, and none of my clients has faced a discrimination claim based upon these facts. Rather, most of my clients are struggling with how to handle information and pictures they find on social media that reflect legal, but objectionable, behavior. Generally, employers are free to consider any publicly available information about a candidate, so long as the information isn’t protected under discrimination laws or otherwise protected as legal, off-duty conduct.
By now, you are probably familiar with the oft-repeated advice on how to use social media to screen candidates, such as using a third-party screener, reviewing all candidates or none of the candidates (i.e., not cherry-picking, etc.). If you’re not familiar with these best practices, there are a lot of good articles online. I’d like to use the remainder of this article to introduce you to some new issues and concerns.
What do I mean by a “Brave Future World?” For years we have been dropping little social media “crumbs” about ourselves based upon things we’ve “liked,” places we’ve checked into, events for which we RSVP’d, pictures we’ve posted, Twitter debates we’ve engaged in, etc. These data points – standing by themselves – don’t tell much about us. But, when they are put together as a mosaic using complex algorithms, very accurate pictures can be painted about our health, sexual preferences, eating habits, social preferences, and financial security.
For example, if I never “check-in” to a gym, regularly “check-in” to fast food restaurants, “like” donut shops, bakeries, and breweries, can you reasonably assume that I’m someone who eats a lot of junk food, likes beer and doesn’t exercise? Perhaps. Wouldn’t a health insurer or potential employer (who self-funds their employees’ health insurance) want to know this information when setting premiums? Definitely.
Suppose that I often “check-in” to casinos and exclaim every two weeks on Facebook that “Thank goodness it’s payday!” Doesn’t this suggest that I might have some financial issues? If you’re looking to hire me to be in charge of a cash operation or in a sensitive financial position, this concern isn’t far-fetched. If I told you 20 years ago that your credit score would impact your car insurance premium, you wouldn’t believe it. But, we all know now that our credit scores are a very good predictor of our insurance risk.
It shouldn’t surprise you that some very smart people are honing algorithms to put together these data points in the hopes of marketing it to employers, schools, health insurers, and banks. Based upon my research and analysis of social media, “big data,” privacy, and how our information is being used, I predict that social media data about all of us will start to gain protection under the law (much like our medical information under HIPAA). I expect states and perhaps Congress to begin passing laws prohibiting discrimination on pricing for healthcare, lending, and insurance based on social media data. However, until that protection is put in place, all of us should pause and be mindful of the personal data we’re putting out on social media and how employers are using it to make decisions.
Brian Lamoureux, Esq. is a Partner at Pannone Lopes Devereaux & West LLC in Providence, Rhode Island. He focuses on employment law, commercial litigation and disputes, social media law, and creditors’ rights. He is also an Adjunct Assistant Professor of Business Law at Providence College, where he also teaches a graduate-level course he designed called “Digital and Social Media in the Business Environment.” He can be reached at 401-824-5100, bjl@pldw.com, or on Twitter @brianattorney.
March 27, 2014
From guest writer Karyn Rhodes, Vice President of HR Consulting with the business advisory firm Cornerstone Group.
Drugs and alcohol in the workplace can be challenging to handle. They have a significant impact on business and on your bottom line. According to the US Department of Labor, alcohol and drug use costs American businesses roughly $81 billion in lost productivity per year due to premature death and $44 billion due to illness. Approximately 86% of these cases are attributed to alcohol. Employers need to do what they can to keep drugs and alcohol use out of their workforce. Having a formal policy and following drug screening procedures are essential in protecting your workplace.
A few steps to follow when instituting a drug-free workplace policy:
• Your drug-free workplace policy should clearly stipulate what the penalties for policy violations will be. If your policy includes a drug testing program, spell out exactly who will be tested, when they will be tested, and what will happen to employees who test positive.
• Every one of your employees should receive and sign a written copy of your drug-free workplace policy. Verbal agreements and unsigned agreements have little legal standing.
• Make sure that you, and all your supervisors, receive proper training in how to detect and respond to workplace drug and alcohol abuse.
• Maintain detailed and objective records documenting the performance problems of all your employees. Such records often provide a basis for referring workers to employee assistance programs.
• Never take disciplinary action against a worker or accuse a worker of a policy violation simply because that employee is acting impaired. Instead, try to clarify the reasons for the employee’s impairment. If drug testing is a part of your workplace policy, obtain a confirmatory test result before taking any action.
• Never accuse or confront an employee in front of his or her coworkers. Instead, try to stage all discussions someplace private, with another manager present to serve as a witness.
• Never single out an individual employee or particular group of employees for special treatment, whether it is rehabilitation or punishment. Any inconsistencies in the enforcement of your policy may lead to charges of discrimination.
• Try to get to know your employees as much as possible. This may help you more quickly identify workers who are in trouble or developing substance abuse problems.
• Most importantly, try to involve workers at all levels of your organization in developing and implementing your drug-free workplace policy. This will reduce misunderstandings about the reasons for having a drug-free workplace program and help ensure that your policies and procedures are fair to everyone.
Employers who follow these basic steps, and who strive to create programs that are fair, consistent, and supported by all should have no trouble staying on the right side of the law.