"Back to School" is upon us and over the next couple of weeks millions of parents (including me) will be in local stores getting our kids the stuff they need for a successful school year. The Federal Trade Commission (FTC) reminds parents, for good reason, to be mindful of how their children's personal information is used and disclosed. In fact, the agency provides a guide for parents that could be very helpful. As we have written and others have reported, the risk to children's untouched credit histories and other information is real.
In what could be a portent of broader actions to follow, the Federal Trade Commission (“FTC”) last week settled a $2.6 million claim against an employment background screening company for perceived violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a) (the “FCRA”). U.S. v. HireRight Solutions, Inc. This is the second-largest civil penalty obtained by the FTC against a private company for violations of the FCRA.
As employers increasingly rely on data brokers and credit reporting agencies to conduct background checks, they must review their background check providers’, as well as their own, policies and practices for legal compliance. Employer use of background reports is increasingly under review by state and federal authorities. Employers that have failed to comply with the FCRA’s procedures in obtaining background reports regarding employees have also been sued and faced liability in several lawsuits in the past several years.
As we have previously written, under recently-issued EEOC enforcement guidance, any employer seeking a criminal background check of a potential employee must engage in an individualized assessment of that individual to determine whether a background check is required. Employers also may want to look more closely at the methodologies their screening companies employ, and related representations made in service agreements, to ensure their vendors meet and continue to meet the increasing scrutiny on the screening process.
The FTC alleged that HireRight Solutions, as a data broker, regularly sold consumer information under the FCRA by providing background reports to thousands of employers throughout the United States to assist them in making hiring decisions. Alleging that the background reports, which included the criminal background history of certain individuals, were consumer reports under the FCRA, the FTC claimed that HireRight failed to follow reasonable procedures to assure that the information furnished was correct. In addition, the FTC alleged in its complaint that HireRight Solutions failed to disclose to consumers, upon request, all the information maintained in their consumer report files; failed to conduct reinvestigations of the accuracy of the information in a consumer's file upon the company's receipt of a notice of dispute from a consumer; and failed to maintain strict procedures to ensure that the public record information in the reports was complete and up to date at the time the information was reported.
The FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information, which is broadly defined under the statute and includes personally identifiable information about background employee data and applicant criminal records. Under the statute, a consumer report is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected, in whole or in part, for the purpose of serving as a factor in establishing the consumer’s eligibility for, among other things, employment. Under the Act, employers that request background reports for potential employees must notify the individuals of their rights under the FCRA, and if any adverse action is taken (i.e., a job is not offered) based on information received through a consumer report, the employer must provide the individual with a copy of the report and a description of the employee's rights under the FCRA.
The FTC's action against HireRight follows the agency's announcement in March of this year that it would increase its enforcement efforts and scrutiny of screening companies and data brokers. In light of the Dodd-Frank Act, the FTC now shares FCRA enforcement jurisdiction with the Consumer Financial Protection Bureau. Evidence of the FTC's increased enforcement activity is growing: last week also saw the FTC fine Google $22.5M for what it determined were Google's deceptive trade practices linked to tracking cookies placed in Apple's Safari Internet browser. We expect the FTC to continue its aggressive enforcement efforts, and more actions are expected in the coming year in light of its announced enforcement priorities.
Recruiters are increasingly turning to social media to screen and recruit candidates. Jobvite’s 2012 Social Recruiting Survey found that 92% of respondents plan to use social media for recruiting. Often, recruiters are viewing and considering information that should not be utilized in the hiring process. LinkedIn is replete with information that should not be considered when searching for or selecting candidates. Yet, the same survey found that LinkedIn is the most popular social networking site for recruiters.
LinkedIn profiles likely contain photos of candidates and other information identifying a candidate’s race, ethnicity, age, disability, pregnancy, or religion. Federal and state anti-discrimination laws prohibit companies from using such non-work-related information when hiring. Additionally, the Equal Employment Opportunity Commission (EEOC) has issued regulations for the employment provisions of the Genetic Information Nondiscrimination Act (GINA) that prohibit acquisition of “genetic information” through social media.
The EEOC also has made clear that it is focusing its litigation efforts on eliminating systemic discrimination, such as discriminatory barriers in recruitment and hiring. The EEOC’s Compliance Manual states that bias is not always conscious, and that actions infected by stereotyped thinking or other forms of less conscious bias are discriminatory. It further states that it is discriminatory to use a screening procedure that has a significantly disparate impact.
Employers can separate recruiters who screen applicants through social media from the individuals who make the hiring decision. This would require a recruiter to search applicants online, scrub prohibited information, and deliver scrubbed profiles to a decision maker. This may be difficult for employers to act on without careful attention to detail and legal guidance to avoid significant risks, because the process relies heavily upon a recruiter’s knowledge of employment laws to scrub prohibited information. Avoiding the issue because it is burdensome is fast disappearing as an option for employers.
Companies also can utilize third parties to screen applicants through social media as long as they are aware of the pitfalls. First, many employers make little or no effort to determine whether the third party recruiters have developed appropriate safeguards. Second, the Federal Trade Commission (FTC) has stated that employers who rely upon third parties for social media information about candidates must comply with the Fair Credit Reporting Act (FCRA).
FCRA requires that an employer notify an applicant when it takes adverse actions based upon a consumer report. Employers also must provide the rejected applicant with notice of his or her right to view the data relied upon as well as give the individual the opportunity to dispute any inaccurate or incorrect information. Employers failing to comply with FCRA can be subject to tremendous liability. For example, Spokeo, Inc., a website that collects and sells detailed consumer information by compiling online data, recently agreed to pay $800,000 to settle FTC charges alleging that it violated FCRA in the employment screening context.
The EEOC, OFCCP (Office of Federal Contract Compliance Programs), and FTC are beginning to scrutinize employers that use social media to screen applicants. Unfortunately, LinkedIn and other social media sites do not yet maintain a “safe” site for recruiters. Employers need to anticipate government inquiry and not await the knock on the door. Recruiters should be restricted from considering prohibited information about applicants, whether they are working on company time or researching an applicant on their own time. They need appropriate social media guidelines and policies that are compliant with a host of laws. Further, they need to be properly trained.
Ignoring this problem or simply outsourcing recruitment to a third party without careful consideration of these issues and a recruiter’s qualifications is a recipe for lawsuits.
Addressing Social Media Use--Recent Ruling on Students' Social Networking Reaffirms Need for Policies and Training
Co-Author: Joseph J. Lazzarotti
The pervasiveness of social media in professional and everyday communication is a hot button issue (discussed at length here), particularly for private and public employers and organizations. In fact, many organizations have adopted, or are considering adopting, social media policies for employees and providing training for how employees should interact in cyberspace. But what should those policies say and what should the training focus on?
To answer those questions, organizations should, among other things, develop and shape their policies, training and discipline concerning social media with an eye toward their particular businesses, regulatory environments, and whether they are in the public or private sectors. A number of recent developments show why this is critical:
· Two recent Third Circuit opinions handed down on June 13, 2011, J.S. v. Blue Mountain School District and Layshock v. Hermitage School District (discussed below), illustrate the importance of educating employees (teachers and administrators) about students’ First Amendment rights concerning social media and when discipline is appropriate,
· FTC’s guidelines for endorsement of products or services are important for businesses whose employees are likely to be commenting online about the company’s products and services,
· The NLRB’s recent actions regarding social media use and the National Labor Relations Act are important for all employers, particularly those in traditionally union-dominated industries,
· The use of social media in the health care setting is presenting a range of challenges under HIPAA and patient privacy generally.
In addressing the extent to which school officials can regulate student speech, the Third Circuit Court of Appeals has held that school officials violated students’ First Amendment free speech rights by disciplining students for creating, outside of school, “fake” social networking profiles ridiculing their school principals.
In Blue Mountain School District, 8th grader J.S., using her home computer, created a MySpace profile in the name of her principal. The profile was presented as a self-portrayal of a bisexual Alabama middle-school principal named “M-Hoe,” and contained crude and vulgar content. Upon learning of the content, the School District suspended J.S. for 10 days. The Court held that because J.S. was suspended for speech that caused no substantial disruption in school and that could not reasonably have led school officials to forecast substantial disruption in school, the School District’s actions violated J.S.’s First Amendment free speech rights.
In Layshock, Justin Layshock, a high school senior, using his grandmother’s computer, also created a MySpace profile in the name of his principal. The profile included “degrading” content regarding the principal. Upon learning of the profile, the School District suspended Justin for 10 days. In analyzing whether a school district may punish a student for expressive conduct that originated outside of the schoolhouse, did not disturb the school environment, and was not related to any school-sponsored event, the Court found the School District was prohibited from reaching beyond the school yard.
These decisions were based on the Supreme Court’s landmark case on the First Amendment’s application to public schools, Tinker v. Des Moines Indep. Cmty. Sch. Dist., 393 U.S. 503 (1969). In Tinker, a group of high school students decided to wear black armbands to school to protest the war in Vietnam. When school officials learned of the plan, they preemptively prohibited students from wearing armbands. Several students who ignored the prohibition and wore armbands to school were suspended. Eventually, the students brought suit alleging their First Amendment rights had been violated. The Supreme Court overruled the district and circuit courts, holding that student expression may not be suppressed unless school officials reasonably conclude that such expression will “materially and substantially” disrupt the work and discipline of the school.
These cases demonstrate the courts' struggle in addressing social media content, especially where there are additional constitutional concerns because a party is a public entity. For many organizations, First Amendment issues will not arise, but there likely will be other considerations. As each and every industry is impacted by social media, attempting to address it in a one-size-fits-all manner without taking appropriate considerations into account is not only impractical, but in some cases unlawful. As these developments have shown, efforts to address social media must include an effective industry-specific social media policy coupled with training programs to educate employees on the use of social media in all facets of employment and in conducting the entity's business.
Human Resources Vendor Settles FTC Charges that it Failed to Protect the Sensitive Employee Data of its Clients
Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.
This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.
Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout, actually has violated the law.) For example, the complaint asserted that unauthorized access to sensitive employee information could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.
The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.
For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.
Last month, the Federal Trade Commission's Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft.
When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one's credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009, double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.
The FTC's FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.
Providers and plans should be taking steps to be prepared to address medical identity theft situations.
The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.
The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians. As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit.
Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.
The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.
Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October.
With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.
To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure, Peer-to-Peer File Sharing: A Guide for Business, designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems and provides other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P.
In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program.
The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law. FTC Chairman Jon Leibowitz also cautioned, “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
A company’s failure to prevent such information from being shared on a P2P network may violate applicable law and subject the company to legal action.
Whether it be Facebook, MySpace, LinkedIn, Twitter, YouTube or the company blog, employee presence in social media is way, way up, creating risks for employers that are proving difficult to manage without careful planning and appropriate policies.
These risks can take many forms - FTC endorsement issues, inadvertent sharing of confidential company or personal information, harassment claims, blog posts harmful to the company's reputation - to name a few. The damage can be done whether the employee is posting at home or during working hours.
This white paper (pdf), which takes into account some of our prior posts, is intended to help employers get a better handle on these issues, particularly in three areas: (1) employees’ misuse of social media; (2) monitoring and regulating employees’ social media use; and (3) basing hiring decisions on information obtained from social media.
According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer.
The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C. 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employer’s product, where the employment relationship is not previously disclosed:
“An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”
In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities.
In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services.
Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.
As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.
Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.