Illinois Continues State Law Trend Towards Restrictions on the Use of Credit History in Employment Decisions

An article that I recently published in BNA’s Privacy & Security Law Report examined the incipient trend towards state law restrictions on the use of credit history in employment decisions. Illinois has now become the fourth state — following Hawaii, Oregon, and Washington — to impose such restrictions, and similar bills are pending in nearly one dozen other states.

The Illinois law, enacted on August 10 and effective on January 1, 2011, generally prohibits employers from making any employment decision based upon an individual’s credit report or credit history. While the term “credit report” is limited to credit information provided by a consumer reporting agency (e.g., a background check vendor), the statute broadly defines “credit history” to include “an individual’s past borrowing and repaying behavior, including paying bills on time and managing debt and other financial obligations.” The new law also generally prohibits employers from obtaining a credit report on an applicant or employee and from asking an applicant or employee about his credit history.


New Compliance Obligations Under the Federal Fair Credit Reporting Act

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is best known for allowing consumers to annually request and obtain one free credit report from each of the nationwide consumer credit reporting companies, as well as creating new compliance obligations designed to reduce identity theft. However, the FACTA also amended the Fair Credit Reporting Act (FCRA) to, among other things, require federal agencies to implement new rules designed to increase the "accuracy" and "integrity" of information that "furnishers" provide to consumer reporting agencies. Consistent with this directive, on July 1, 2009, the Federal Trade Commission (FTC) and several other federal agencies issued a joint Final Rule that imposes additional regulatory requirements on businesses, including employers, that provide consumer information to consumer reporting agencies. The final rule is effective July 1, 2010.

To learn more about the joint Final Rule and its implications for employers, please continue reading Littler's ASAP, The Deadline is Fast Approaching: Effective July 1, 2010, Employers Have New Compliance Obligations Under the Federal Fair Credit Reporting Act, by Rod M. Fliegel and Jennifer L. Mora.

Oregon Issues Credit History Check Regulations

The Oregon Bureau of Labor and Industries (BOLI) issued final rules to implement restrictions on an employer's use of information contained in an applicant's or an employee's credit history. BOLI's final rules effectuate Oregon's new law, "The Job Applicant Fairness Act," which will go into effect July 1, 2010. To learn more about the regulations and their implications for employers, continue reading Littler's ASAP, Oregon’s Job Applicant Fairness Act Update - BOLI Issues Final Rules, by Howard Rubin and Janice Kim.

New Oregon Law Restricting Use Of Credit Checks For Employment Purposes May Signal National Trend

Last week, Oregon joined a growing national trend, apparently in response to the recession and the foreclosure crisis, that restricts the ability of employers to use credit history in employment decisions. Under the Oregon law, it is an unlawful employment practice, except in limited circumstances, for an Oregon employer to use credit history in making hiring decisions or any decision affecting current employees. The law confers on Oregon employees the right to file an administrative complaint or a private lawsuit claiming that the law has been violated. Employees who prevail may recover lost wages and attorney fees. The law becomes effective July 1, 2010.


What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach. While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft. In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code.

Here are five key points for employers to consider as they confront these statutes.

  • Be Prepared. Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data. Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train HR Professionals. In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples. HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks. The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations. When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws. To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state. In some circumstances, a security breach may not trigger a legal obligation to notify (for example, the theft of a hard copy, as opposed to computerized, payroll spreadsheet), but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees. Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance. Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891. This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes. After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

Our HR Manager's Laptop Was Stolen; Should We Offer Credit Monitoring Service?

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and with the theft of laptop computers now the crime du jour. The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of good will seems to be the answer. According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100 per lost record. That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs as compared to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report, from as little as 5% or less to as high as 30%.