Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Effective October 1, 2011, employers in Connecticut will face new restrictions on the use of credit reports regarding current or prospective employees as a result of the recent enactment this month of Connecticut Public Act 11-223. In enacting the new law, Connecticut becomes the sixth state limiting employers' use of credit reports, following Hawaii, Washington, Oregon, Illinois, and Maryland. Similar laws are pending in several other states and at the federal level. The Equal Employment Opportunity Commission (EEOC) is also conducting related investigations and pursuing at least one disparate impact claim based on the use of credit reports. Thus, employers who use credit history information to inform hiring or personnel decisions in states that have enacted credit check laws should review their policies for compliance, and employers everywhere should continue to monitor developments in this evolving area of the law. To learn more about the Connecticut law and its implications for employers, please continue reading Littler's ASAP, Use of Credit Reports by Employers Will Soon Be Restricted in Connecticut, by Rod Fliegel and William Simmons.

Photo credit: Pawel Gaul

• Print
• Trackbacks
• Share Link

by Philip L. Gordon

When Maryland enacted its law (pdf) restricting the use of credit history for employment purposes on April 12, 2011, it became the fifth state – joining Hawaii, Illinois, Oregon, and Washington – to enact a credit privacy law. Maryland’s law transforms what was a mildly complicated compliance challenge for multi-state employers into an expanding morass. With credit privacy bills currently pending in more than twenty states, multi-state employers should expect that it will become increasingly difficult to establish company-wide policies on the use of credit history for employment purposes.

The core issue for employers who use credit checks for employment purposes (other than financial institutions which are carved out from each of the laws) is the scope of the exception to the general prohibition against using credit checks for employment purposes. At first blush, there appears to be uniformity because all five states permit employers to use credit checks for employment purposes when the check is “substantially related” to the applicant’s or employee’s job responsibilities.

The crux of the problem is the near total discordance over how “substantially related” should be defined. To begin with, the laws in Washington and Oregon provide no definition at all of “substantially related.” Oregon’s Bureau of Labor and Industry (BOLI), by regulation, defines “substantially related” to mean that an essential function of the job require access to financial information, but the regulations do not define the term “financial information.” Illinois’ law also permits credit checks for positions that “involve access to . . . financial information.” However, it is not clear whether the access must be an essential job function (as is the case in Oregon). Furthermore, Illinois narrowly defines “financial information” to mean “non-public information on the overall financial direction of an organization, including, but not limited to, company taxes or profit and loss reports.” At least as of now, employers have no way of knowing whether Oregon’s BOLI intended to define “financial information” more broadly than Illinois’ legislature.

• Print
• Share Link

An article that I recently published in BNA’s Privacy & Security Law Report examined the incipient trend towards state law restrictions on the use of credit history in employment decisions. Illinois has now become the fourth state — following Hawaii, Oregon, and Washington — to impose such restrictions, and similar bills are pending in nearly one dozen other states.

The Illinois law, enacted on August 10 and effective on January 1, 2011, generally prohibits employers from making any employment decision based upon an individual’s credit report or credit history. While the term “credit report” is limited to credit information provided by a consumer reporting agency (e.g., a background check vendor), the statute broadly defines “credit history” to include “an individual’s past borrowing and repaying behavior, including paying bills on time and managing debt and other financial obligations.” The new law also generally prohibits employers from obtaining a credit report on an applicant or employee and from asking an applicant or employee about his credit history.

• Print
• Share Link

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is best known for allowing consumers to annually request and obtain one free credit report from each of the nationwide consumer credit reporting companies, as well as creating new compliance obligations designed to reduce identity theft. However, the FACTA also amended the Fair Credit Reporting Act (FCRA) to, among other things, require federal agencies to implement new rules designed to increase the "accuracy" and "integrity" of information that "furnishers" provide to consumer reporting agencies. Consistent with this directive, on July 1, 2009, the Federal Trade Commission (FTC) and several other federal agencies issued a joint Final Rule that imposes additional regulatory requirements on businesses, including employers, that provide consumer information to consumer reporting agencies. The final rule is effective July 1, 2010.

To learn more about the joint Final Rule and its implications for employers, please continue reading Littler's ASAP, The Deadline is Fast Approaching: Effective July 1, 2010, Employers Have New Compliance Obligations Under the Federal Fair Credit Reporting Act, by Rod M. Fliegel and Jennifer L. Mora.

• Print
• Trackbacks
• Share Link

The Oregon Bureau of Labor and Industries (BOLI) issued final rules to implement restrictions on an employer's use of information contained in an applicant's or an employee's credit history. BOLI's final rules effectuate Oregon's new law, "The Job Applicant Fairness Act," which will go into effect July 1, 2010. To learn more about the regulations and their implications for employers, continue reading Littler's ASAP, Oregon’s Job Applicant Fairness Act Update - BOLI Issues Final Rules, by Howard Rubin and Janice Kim.

• Print
• Trackbacks
• Share Link

Last week, Oregon joined a growing national trend, apparently in response to the recession and the foreclosure crisis, that restricts the ability of employers to use credit history in employment decisions. Under the Oregon law, it is an unlawful employment practice, except in limited circumstances, for an Oregon employer to use credit history in making hiring decisions or any decision affecting current employees. The law confers on Oregon employees the right to file an administrative complaint or a private lawsuit claiming that the law has been violated. Employees who prevail may recover lost wages and attorney fees. The law becomes effective July 1, 2010.

• Print
• Trackbacks
• Share Link

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39^th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

•  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
• Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
• Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
• Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
• Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

• Print
• Trackbacks
• Share Link

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and the theft of laptop computers now the crime du jour.  The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of good will seems to be the answer.  According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100/lost record.  That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs as compared to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report from as little as 5% or less to as high as 30%.
 

• Print
• Trackbacks
• Share Link