State Law Developments for Credit and Criminal Background Checks

Posted on August 12, 2010 by Joseph Lazzarotti

Recent state law developments will affect whether and to what extent certain employers can conduct credit and criminal background checks on employees and applicants. Employers, particularly multi-state employers, should be sure to review these new requirements and adjust their practices accordingly.

Massachusetts

The Commonwealth has changed how employers access and use criminal offender record information ("CORI") under a new law signed by Governor Deval Patrick on August 6, 2010. Among other things, the new CORI law bans the use of questions about criminal history on written employment applications. This ban becomes effective November 4, 2010. The law also creates a new method and database for employers to access criminal records, replacing the current procedure with the Criminal History Systems Board. This becomes effective in May 2012.

(more information about this change)

Illinois

Illinois employers will have a tougher time conducting credit checks on applicants and employees and using the information for employment purposes beginning January 1, 2011. The state’s new Employee Privacy Act (House Bill 4658), signed by Governor Pat Quinn on August 10, 2010, prohibits all but a handful of employers from:

  1. inquiring into an applicant’s or an employee’s credit history;
  2. ordering a credit report on an applicant or employee from a consumer reporting agency; or
  3. taking any adverse employment action (such as refusing to hire) because of the individual’s credit history or credit report.

An aggrieved individual can bring a private cause of action in state court to enforce the Act and can seek injunctive relief and damages as well as costs and attorneys’ fees.
 

(more information about this change)

Oregon

Oregon employers’ ability to conduct credit checks and use the information for employment purposes has been significantly restricted since July 1, 2010, but the implications of this law extend well beyond state borders. With limited exceptions, Oregon Senate Bill 1045 prohibits employers from considering for employment purposes any information that bears on a consumer’s creditworthiness, credit standing or credit capacity, unless such information is substantially related to the individual’s current or potential job. Employers who believe credit information meets this job-related standard must provide the employee or applicant the reasons for their determination in writing.

(more information about this change)

Tags: , , , , , ,

Complimentary Webinar - Massachusetts Data Security Regulations: A Plan for Compliance

Posted on February 8, 2010 by Joseph Lazzarotti

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

  • the emergence of data security mandates across the country,
  • the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
  • best practices when creating a WISP.

We hope you enjoy the webinar.

Tags: , , , ,

The Final, Final Massachusetts Data Security Regulations and a Checklist for Compliance

Posted on November 15, 2009 by Joseph Lazzarotti

Massachusetts Seal

The Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) announced on November 4, 2009, the filing of final regulations (pdf) with the Secretary of State’s office, the final step before the regulations take effect March 1, 2010.

The final regulations differ slightly from the version of the regulations issued in August 2009, which made significant revisions to the earlier version of the rules.

OCABR clarified in the final regulations that:

  • those who store personal information must comply, and
  • until March 1, 2012, contracts with service providers will be deemed to satisfy the contract requirement, even if the contract does not require the service provider to maintain appropriate safeguards, as long as the contract was entered into no later than March 1, 2010. However, it is recommended that contracts with service providers be amended as soon as possible to require appropriate safeguards, as there may be similar requirements under federal or applicable state law (such as HIPAA or data security laws in Maryland, Oregon or Nevada). 

While the regulations have had a number of changes, the written information security program requirement remains, along with a number of other safeguards for personal information that require immediate attention. 

A checklist for the final regulations can be found here (pdf). 

Tags: , , ,

WISP: Do You Have a Plan for Your Company's Sensitive Information?

Posted on October 24, 2009 by Joseph Lazzarotti

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information - or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to do develop a WISP can leave a business exposed. messy desk

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?

 

Don't wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).

Tags: , , , ,