Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Written by Jason Gavejian

One of the hottest topics throughout 2012 was the various states which passed, or enacted, legislation which prohibits employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account, such as Facebook or LinkedIn. In fact, this issue was recently featured in an article on nbcnews.com.   

Notably, fourteen states introduced such legislation in 2012, with Michigan becoming the most recent state to enact such legislation when Governor Rick Snyder signed his state’s equivalent law (HB 5523) last Friday. As we have discussed, California, Delaware (dealing with students at colleges and universities), Illinois, Maryland, and New Jersey (pending Governor's signature) also enacted laws on this issue in 2012.

We anticipate that other states will address this issue through legislation in 2013 and beyond. It is essential for businesses to be conscious of these new laws, and to carefully consider this issue whether or not the state in which they operate currently prohibits such conduct.
 

• Email This
• Print
• Comments
• Trackbacks

New York takes another step toward safeguarding Social Security Numbers (SSN), this time limiting certain entities, including employers, from requiring a person to disclose or furnish his or her SSN for any purpose. Signed into law by Gov. Andrew Cuomo on August 14, 2012, the new law (A.8992-A / S.6608-A) adds a new section 399-ddd to the General Business Law of the Empire State, that becomes effective 120 days from enactment (December 12, 2012). Businesses will need to revisit their practices with employees, customers and other individuals in situations where all or a part of the Social Security Number is involved. 

There are two important points to note about the law: (i) the definition of SSN; and (ii) the exceptions.

Under the new law, SSN includes the 9-digit number issued by the Social Security Administration, but also "any number derived from such number," unless the number is encrypted.  So, for example, unless one of the exceptions below applies, requiring employees or customers to use the last four digits of their SSN as part of an identification number will become unlawful later this year.  

Here are some of the exceptions:  

• The individual consents to the acquisition or use of his or her SSN (of course, while not expressly stated in the statute, a court would likely interpret this provisions to mean a voluntary consent);

• The SSN is expressly required by federal, state or local law or regulation; 

• The SSN is used for internal verification or fraud investigation;
   
• The SSN is requested for credit or credit card transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigating consumer report (in addition to permissible background checks under the Fair Credit Reporting Act and New York law, this provision also may cover corporate credit card programs, frequently used by companies to better manage business expense reimbursement);

• The SSN is requested for purposes of employment, including in the course of administration of a claim, benefits, or procedure related to employment, such as termination from employment, retirement, workplace injury, or unemployment claims;

• The SSN is requested for tax compliance, collecting child or spousal support, or determining whether a person has a criminal record; and

• The SSN is requested by an authorized insurance company for purposes of furnishing information to the Centers for Medicare and Medicaid Services (this likely captures the recent reporting requirements under Section 111 of the Medicare, Medicaid and SCHIP Extension Act of 2007). 

The law does not provide for a private right of action; it is enforced by Attorney General of the State and carries a civil penalty for a first offense of not more the $500 per violation ($1,000 for second offenses). However, the law seems to suggest that so long as reasonable measures have been adopted to avoid a violation, unintentional, bona fide errors will not result in penalties. 

• Email This
• Print
• Comments
• Trackbacks

 In what could be a portend of broader actions to follow, the Federal Trade Commission (“FTC”) last week has settled a $2.6 million claim against an employment background screening company for perceived violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a) (the “FCRA”). U.S. v. HireRight Solutions, Inc.  This is the second-largest civil penalty obtained by the FTC against a private company for violations of the FCRA.

As employers increasingly rely on databrokers and credit reporting agencies to conduct background checks, they must review their background check providers’, as well as their own, policies and practices for legal compliance. Employer use of background report is increasingly under review by state and federal authorities. Employers that have failed to comply with the FCRA’s procedures in obtaining background reports regarding employees have also been sued and faced liability in several lawsuits in the past several years. 

As we have previously written, under recently-issued EEOC enforcement guidance, any employer seeking a criminal background check of a potential employee must engage in an individualized assessment of that individual to determine whether a background check is required. Employers also may want to look more closely at the methodologies their screening companies employ, and related representations made in service agreements, to ensure their vendors meet and continue to meet the increasing scrutiny on the screening process. 

READ ON…

• Email This
• Print
• Comments
• Trackbacks

Joining six other states, California will impose significant restrictions on an employer’s ability to obtain a credit report for employment purposes. The law becomes effective January 1, 2012.

California Assembly Bill 22, signed by Governor Jerry Brown, generally permits employers who are seeking to fill only specific, identified “exempt” positions to obtain and use credit reports to screen applicants and/or current employees. The use of the credit reports in other occupations generally is prohibited. Further, employers will be required to provide the employee or applicant with a disclosure statement setting forth the specific basis permitting the employer to obtain a credit report. 

Click here for more information about this law.

• Email This
• Print
• Comments
• Trackbacks

Connecticut joins five other states (Hawaii, Illinois, Oregon, Washington, and Maryland) in limiting what credit report information employers may use in making hiring or employment decisions. Other states have considered similar measures.

Under the new law, effective October 1, 2011, employers (including their agents, representatives or designees) may not demand that an employee or prospective employee consent to a credit report as a condition of employment unless:

1. the employer is a financial institution, 
2. the credit report is required by law,
3. the employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to the employee's employment, or
4. such report is "substantially related to the employee's current or potential job" or the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related and is disclosed in writing to the employee or applicant.

For purposes of this law, a credit report is a report that contains information about the employee's or prospective employee's credit score, credit account balances, payment history, savings or checking account balances or savings or checking account numbers. The report will be treated as being "substantially related to the employee's current or potential job," where the position:

• is a managerial position which involves setting the direction or control of a business, division, unit or an agency of a business,
• involves access to customers', employees' or the employer's personal or financial information other than information customarily provided in a retail transaction,
• involves a fiduciary responsibility to the employer, including, but not limited to, the authority to issue payments, collect debts, transfer money or enter into contracts,
• provides an expense account or corporate debit or credit card,
• provides access to certain confidential or proprietary business information, including trade secret information under certain circumstances; or
• involves access to the employer's nonfinancial assets valued at $2,005 or more, including, but not limited to, museum and library collections and to prescription drugs and other pharmaceuticals.

Employees or prospective employees who believe the law has been violated may file a complaint. Employers could be liable for $300 in civil penalties for each inquiry that violates the law.

In addition to affecting the traditional employee-employer relationship, this law (and those cited above) may affect the practice of requiring employees of a company's vendors to jump through certain hoops before coming on-site. Increasingly, company A, when it utilizes the services of employees of company B (such as for back office processing or health care staffing needs) will require company B to ensure its employees undergo certain background checks and other certification procedures and tests. Those arrangements need to consider these limitations on the kinds of inquiries that can be made by employers.

• Email This
• Print
• Comments
• Trackbacks

One might think that bankruptcy is a private matter, with little to no bearing on whether one can meet the qualifications for a particular job. As my colleagues report today, the U.S. Court of Appeals for the Eleventh Circuit (with jurisdiction over Alabama, Florida and Georgia) joins its sister Circuits (the Third and Fifth Circuits) in holding that it is not impermissible under the Bankruptcy Code for an employer to refuse to hire an applicant due to a prior bankruptcy. Myers v. Toojay’s Mgmt. Corp., No. 10-10774 (11th Cir. May 17, 2011). However, as discussed in their report, the Code does state that a private employer may not “terminate the employment of, or discriminate with respect to employment against” an employee due to a bankruptcy. 11 U.S.C. § 525(b).

Of course, what is permissible under the Bankruptcy Code may not be under state law. As the report notes, and as reported here, a handful of states (e.g., Hawaii, Illinois, Maryland, Oregon, and Washington) have enacted limitations on an employer’s ability to acquire or use credit information in making hiring decisions. Further, any bankruptcy information acquired with respect to an applicant may include personal information that may need to be safeguarded, and as my colleagues advise, the use of that information should be based on job-related considerations to avoid Equal Employment Opportunity Commission claims based on adverse impact theories. 

• Email This
• Print
• Comments
• Trackbacks

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual's consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011,  employers are prohibited from using credit report data to deny employment, discharge an employee, set compensation, terms, conditions, or privileges of employment, unless, after making an offer of employment to an individual, the employer has a use for such information that is “substantially job-related.”   Additionally, an employer must disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 

• Email This
• Print
• Comments
• Trackbacks

Background checks may be a prudent practice for businesses, but they present a range of issues.

The Association of Corporate Counsel recently published a "Top Ten" list of issues businesses should consider when deciding to implement a background check program, written by our Partner, Richard Greenberg and Dani Sanchez-Gleason.

See also prior posts.     

• Email This
• Print
• Comments
• Trackbacks

Prepared by Lillian Moon

In the face of increasing unemployment, in March 2011, Florida, Michigan, and Montana joined the ranks of approximately fifteen other states that are considering bills limiting employers’ ability to use credit checks for employment purposes.

Florida. Florida’s Senate Bill 1562, introduced on March 3, would prohibit employers from using an applicant’s personal credit history as hiring criteria, except where a review of credit history is legally required. The proposed Florida law allows an employer to request credit history during the “application process if such history is shown to be directly related to the position sought by the applicant.” However, the credit history cannot be used as the “determining factor” in the hiring decision.

Michigan. Michigan’s House Bill 4363, introduced March 2, would prohibit employers from making hiring decisions based on an individual’s credit history and from inquiring about a job applicant’s or potential applicant’s credit history, unless good credit history is “an established bona fide occupational requirement of the particular position or employment classification.” Individuals cannot waive any right or protection under the proposed act and aggrieved individuals would be able to bring civil suit for damages or injunctive relief.

Montana. Montana’s House Bill 601, introduced March 1, would prohibit employers from using credit history information for employment purposes unless the employee’s current or potential position is one “for which credit is issued in goods, a line of credit is provided, or a fiduciary responsibility is owed to the employer,” or the position allows for use of such data when done in compliance with the Fair Credit Reporting Act, 15 U.S.C. §§1681(b)(2)(C) and (b)(4). Misuse of credit data or other violations of this proposed act would be punishable as a misdemeanor with fines up to $500.

Similar bills are also being considered in numerous jurisdictions such as: California, Connecticut, Georgia, Indiana, Kentucky, Maryland, Missouri, Nebraska, New Jersey, New Mexico, New York, Ohio, Pennsylvania, Vermont, and Texas. Illinois, Oregon, and Washington already have such laws in place.

“Employers with multi-state operations, in particular, must remain abreast of these developments and ensure any background check program involving credit checks complies with applicable state law. Further, due to EEOC initiatives in this area, credit checks should be limited to positions in which credit history can be deemed job-related and individualized analysis of each applicant’s history should be the goal,” counsels Richard Greenberg, a partner with Jackson Lewis LLP in New York.
 

• Email This
• Print
• Comments
• Trackbacks

Contributed by: Richard Greenberg

Pursuant to the Fair Credit Reporting Act (pdf), the Federal Trade Commission has promulgated three notices (pdf): (i) A General Summary of Rights; (ii) A Notice to Furnishers of Information to Consumer Reporting Agencies; and (iii) A Notice to Users of Consumer Reports (such as employers). In late August, the FTC proposed revisions to the three current forms.

General Summary of Rights

The proposed revised General Summary of Rights, which needs to be provided by an employer if a pre-adverse action notice is issued, incorporates notice of the individual's rights to contest the accuracy of information contained in a consumer report not only with the consumer reporting agency but also the entity that furnished the information to the consumer reporting agency. The proposed notice also is more streamlined and unlike the current notice refers to various government websites from which relevant information can be accessed rather than listing all relevant federal agencies responsible for the enforcing the FCRA.

Notice to Furnishers

The proposed Notice to Furnishers incorporates the recently imposed obligations on data furnishers to establish policies and procedures to ensure the accuracy of information provided to consumer reporting agencies, as well as the obligation to address disputes regarding accuracy raised by the subject of the report with the data furnisher.

Notice to Users

The proposed Notice to Users, which is provided by a consumer reporting agency to an employer along with an End User Certification, incorporates additional obligations imposed on users by, among others, the FTC's Address Discrepancy and Medical Information rules.

The proposed notices are now subject to a public notice and comment period. 

• Email This
• Print
• Comments
• Trackbacks

Recent state law developments will affect whether and to what extent certain employers can conduct credit and criminal background checks on employees and applicants. Employers, particularly multi-state employers, should be sure to review these new requirements and adjust their practices accordingly.

Massachusetts

The Commonwealth has changed how employers access and use criminal offender record information ("CORI") under a new law signed by Governor Deval Patrick on August 6, 2010. Among other things, the new CORI law bans the use of questions about criminal history on written employment applications. This ban becomes effective November 4, 2010. The law also creates a new method and database for employers to access criminal records, replacing the current procedure with the Criminal History Systems Board. This becomes effective in May 2012.

(more information about this change)

Illinois

Illinois employers will have a tougher time conducting credit checks on applicants and employees and using the information for employment purposes beginning January 1, 2011. The state’s new Employee Privacy Act (House Bill 4658), signed by Governor Pat Quinn on August 10, 2010, prohibits all but a handful of employers from:

1. inquiring into an applicant’s or an employee’s credit history;
2. ordering a credit report on an applicant or employee from a consumer reporting agency; or
3. taking any adverse employment action (such as refusing to hire) because of the individual’s credit history or credit report.

An aggrieved individual can bring a private cause of action in state court to enforce the Act and can seek injunctive relief and damages as well as costs and attorneys’ fees.
 

(more information about this change)

Oregon

Oregon employers’ ability to conduct credit checks and use the information for employment purposes has been significantly restricted since July 1, 2010, but the implications of this law extend well beyond state borders. With limited exceptions, Oregon Senate Bill 1045 prohibits employers from considering for employment purposes any information that bears on a consumer’s creditworthiness, credit standing or credit capacity, unless such information is substantially related to the individual’s current or potential job. Employers who believe credit information meets this job-related standard must provide the employee or applicant the reasons for their determination in writing.

(more information about this change)

• Email This
• Print
• Comments
• Trackbacks

Submitted by Susan M. Corcoran and Richard I. Greenberg

An increasing number of employers are conducting background checks on applicants and employees and many are outsourcing this function. Employers that outsource their background check function will find themselves subject to the Fair Credit Reporting Act (FCRA), which contains a set of “technical” compliance requirements.

The lack of guidance by courts in the area of background checks has left employers wondering whether their “best practices” will pass muster if challenged. A recent decision from the Southern District of Ohio, Mandy Burghy v. Dayton Racquet Club, Inc. et al., 2010 U.S. Dist. LEXIS 17373 (S.D. Ohio Feb. 26, 2010), may provide some needed assistance.

By way of background, the FCRA imposes specific procedural requirements on employers that wish to obtain consumer or investigative consumer reports (“Reports”) from third-party consumer-reporting agencies regarding applicants or employees. These employers must:

1. Obtain written consent from and provide written disclosure to applicants or employees, in a “clear and conspicuous” stand-alone document, that a Report has been requested. (Informally, the Federal Trade Commission (“FTC”) has stated these requirements can be satisfied through the use of a combined consent/disclosure form focused solely on the Report being obtained);
2. Before taking any adverse action based on information contained in a Report, provide the individual with a copy of the Report and a copy of the FTC’s Summary of Rights and allow the individual reasonable period of time to dispute the accuracy of the disqualifying information (the “Pre-Adverse Action” requirement); and
3. Issue an adverse-action letter when implementing any adverse action, such as a denial of employment or denial of promotion.

In Burghy, the Court first considered whether the employer provided a “clear and conspicuous” disclosure. It found this was satisfied because the employer put the disclosure “on the front side of a one page document,” “employed reasonably sized type,” used “bullet points to call attention to the disclosures,” and the plaintiff was aware that the employer was obtaining a Report.

Practice point - Infuse clarity and brevity into disclosures and exclude ancillary information.

The Court also considered the plaintiff’s assertion that the employer violated the “Pre-Adverse Action” requirement by implementing an adverse action prior to providing a copy of the Report and the FTC Summary of Rights. Specifically, the plaintiff claimed that the employer advised her of her termination at the same time as it provided her with the Report and Summary of Rights. The Court allowed this claim to proceed, denying the employer summary judgment.

Practice point - Eliminate factual disputes by carefully structuring conversations or correspondence pertaining to a Report so that the individual understands that no final decision (adverse or otherwise) has been made and the individual retains the right to contest the accuracy of the Report for a reasonable time. To the extent there is a conversation, having a checklist handy to delineate the process may be helpful.

• Email This
• Print
• Comments
• Trackbacks