Even Administrative Agencies Make Mistakes: Corrected Model FCRA Forms Now Available To Employers Who Conduct Background Checks

Posted on November 19, 2012 by Privacy and Data Protection Practice Group

By Philip Gordon and Calder Huntington

The Consumer Financial Protection Bureau (“CFPB”) — best known as a financial services regulator and for the Senate’s rejection of the nominee to be its first chief (who, in an ironic twist, won a Senate seat in the 2012 elections) — also exercises some regulatory authority with an impact on employers. More specifically, the CFPB has taken responsibility from the Federal Trade Commission for issuing several model forms required by the Fair Credit Reporting Act (FCRA). These forms include, among others, the following: (a) the “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA,” which background check providers are required to give employers who procure background check reports, and (b) the “Summary of Your Rights Under the Fair Credit Reporting Act,” which employers are required to provide to applicants and employees with the FCRA disclosure and authorization form when the employer procures an investigative consumer report and with any pre-adverse action notice sent when an employer intends to rely in whole or in part on information contained in a background check report to make an employment decision.

Last week, the CFPB acknowledged that the Notice of User Responsibilities and the Summary of Rights (as well as two other forms not pertinent to employers) published by the Bureau in December 2011 contained typographical and other technical errors. The announcement is important for employers because the deadline for using the model forms issued by CFPB is January 1, 2013, and some employers and background check companies already had started to use the model forms published in December 2011.

CFPB’s corrected model forms are available here (www.gpo.gov) and here (Amazon – Federal Register Public Inspection).

Employers who were using CFPB’s earlier-issued and erroneous forms in advance of the January 1, 2013 deadline can breathe a sigh of relief. The CFPB has stated that it will regard the use of the error-filled forms published in December 2011 to be compliant “until further notice” so as to “mitigate the impact of these changes on the users of the model forms.” Nonetheless, employers should consider transitioning to the corrected model forms promptly. The CFPB did not state how much advance notice the Bureau will provide before ending the grace period. Transitioning to the corrected forms now will help to avoid a rushed transition later.

Additional information about the new forms can be found at our prior blog post discussing them.

Tags: , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

Newly Enacted New York Law May Open Trap for Unsuspecting Employers

Posted on August 28, 2012 by Privacy and Data Protection Practice Group

By Philip Gordon and Sarah Moss

[NOTE: This blog post replaces an earlier entry and provides a more detailed discussion of the new New York law.]

On August 14, 2012, New York Governor Andrew Cuomo signed into law a bill intended to reduce the risk of identity theft by generally prohibiting private entities from requesting or requiring an individual to provide the SSN in connection with almost any activity. The law, General Business Law section 399-ddd, contains several exceptions to this general prohibition, including exceptions where the request is “for purposes of employment” or “a lawful request for a consumer report or investigative consumer report.” However, these exceptions do not appear to encompass the entire hiring process.

By its plain terms, the “employment purposes” exception includes requests during “the course of administration of a claim, benefit, or procedure related to the individual’s employment by the [employer], including the individual’s termination from employment, retirement from employment, injury suffered during the course of employment, or to check on an unemployment claim of the individual.” All of the activities listed in the exception presuppose an existing or pre-existing employment relationship between the employer and the person who is being asked to disclose his or her SSN. In other words, this exception does not appear to address the hiring process at all.

The exception for consumer and investigative consumer reports covers the various types of pre-employment background checks — such as criminal history, motor vehicle records, and educational and prior employment checks — that most employers now conduct through a pre-employment screening firm. Significantly, the terms “consumer report” and “investigative consumer report” apply only to background checks conducted by a third-party consumer reporting agency. Consequently, the new law appears to prohibit employers from requesting an applicant’s SSN so that the employer can conduct its own background check. This exception’s narrow scope means that an employer cannot rely on it to justify a request for an applicant’s SSN on any form besides a background check authorization form or at any other point in the hiring process.

It is possible that additional legislative materials to be published several weeks after the new law takes effect on December 12, 2012, will clarify this issue. (Note: There are two different sections numbered 399-ddd that take effect this year. Section 399-ddd – Confidentiality of Social Security Numbers (emphasis added) – is a distinct statute on the confidentiality of Social Security numbers; amendments to this statute take effect on November 12, 2012. These amendments are directed at restricting access by inmates to SSNs and are not relevant to employers. The statute that is discussed herein refers to section 399-ddd – Disclosure of Social Security Numbers (emphasis added) – which takes effect on December 12, 2012.)

However, if the apparent meaning of the statute reflects the legislature’s actual intention, many New York employers likely would be required to materially revise their hiring process. For example, the box or field seeking an applicant’s SSN would have to be removed from the job application. Moreover, any request for an applicant’s SSN on any form besides the authorization form for the employer to procure a background check from a background check vendor would need to be eliminated. Oral requests for applicants’ SSNs would be prohibited. While these changes already have been adopted by many employers seeking to avoid unnecessary collection of the SSN, these practices are not universal.

Unsuspecting employers face potentially substantial penalties for violating this law. Although there is no private right of action, the New York Attorney General can recover a civil penalty of up to $500 for each infraction. Given that a job application which requests the SSN could, for a large employer, result in thousands of violations, the potential exposure is significant.

New York employers will need to scrutinize their organization’s collection of the SSN in the hiring process. Employers who request the SSN in the job application process or conduct background checks outside requesting a consumer or investigative consumer report before making a conditional offer of employment will need to carefully consider whether to revamp those procedures to avoid the risk of potentially large penalties that could be imposed under new section 399-ddd.

Photo credit: Kameleon007
Tags: , , , ,
  • Print
  • Trackbacks
  • Share Link

New Jersey Court Ruling re Workplace Computer Privacy Leaves Tough Questions Unanswered

Posted on September 4, 2008 by Philip Gordon

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes of the facts show why: M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

Tags: , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link