Even Administrative Agencies Make Mistakes: Corrected Model FCRA Forms Now Available To Employers Who Conduct Background Checks

Posted on November 19, 2012 by Privacy and Data Protection Practice Group

By Philip Gordon and Calder Huntington

The Consumer Financial Protection Bureau (“CFPB”) — best known as a financial services regulator and for the Senate’s rejection of the nominee to be its first chief (who, in an ironic twist, won a Senate seat in the 2012 elections) — also exercises some regulatory authority with an impact on employers. More specifically, the CFPB has taken responsibility from the Federal Trade Commission for issuing several model forms required by the Fair Credit Reporting Act (FCRA). These forms include, among others, the following: (a) the “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA,” which background check providers are required to give employers who procure background check reports, and (b) the “Summary of Your Rights Under the Fair Credit Reporting Act,” which employers are required to provide to applicants and employees with the FCRA disclosure and authorization form when the employer procures an investigative consumer report and with any pre-adverse action notice sent when an employer intends to rely in whole or in part on information contained in a background check report to make an employment decision.

Last week, the CFPB acknowledged that the Notice of User Responsibilities and the Summary of Rights (as well as two other forms not pertinent to employers) published by the Bureau in December 2011 contained typographical and other technical errors. The announcement is important for employers because the deadline for using the model forms issued by CFPB is January 1, 2013, and some employers and background check companies already had started to use the model forms published in December 2011.

CFPB’s corrected model forms are available here (www.gpo.gov) and here (Amazon – Federal Register Public Inspection).

Employers who were using CFPB’s earlier-issued and erroneous forms in advance of the January 1, 2013 deadline can breathe a sigh of relief. The CFPB has stated that it will regard the use of the error-filled forms published in December 2011 to be compliant “until further notice” so as to “mitigate the impact of these changes on the users of the model forms.” Nonetheless, employers should consider transitioning to the corrected model forms promptly. The CFPB did not state how much advance notice the Bureau will provide before ending the grace period. Transitioning to the corrected forms now will help to avoid a rushed transition later.

Additional information about the new forms can be found at our prior blog post discussing them.

Tags: , , , , , , ,
  • Print
  • Trackbacks
  • Share Link

Employers Must Update FCRA Notices for Background Checks by January 1

Posted on September 4, 2012 by Privacy and Data Protection Practice Group

High-profile enforcement actions by the Federal Trade Commission (FTC) have increased overall employer awareness of the employer-specific requirements of the Fair Credit Reporting Act (FCRA) and corresponding state laws. Before January 1, 2013, employers should use the new FCRA notices for their background check programs, which reflect modest changes to the mandatory agency-drafted FCRA summary of rights form (the "FCRA Summary of Rights"). The FCRA Summary of Rights form must be included: (1) as an enclosure with the first of the two "adverse action" notices – the "pre-adverse action" notice; and (2) with the disclosures for "investigative consumer reports" (i.e., consumer reports based on personal interviews conducted by a consumer reporting agency (CRA), such as in-depth reference checks). The updates reflect the transfer of much of the responsibility for interpreting the FCRA from the FTC to the newly created Consumer Financial Protection Bureau (CFPB). To learn more about the new FCRA notice and its potential implications for employers, please continue reading Littler's ASAP, Employers Must Update FCRA Notices for Their Background Check Programs Before January 1, 2013, by Rod Fliegel and Jennifer Mora.

Tags: , , , , , ,
  • Print
  • Trackbacks
  • Share Link

"Social Checks" Come of Age: What Does It Mean for Employers?

Posted on July 11, 2011 by Privacy and Data Protection Practice Group

By Philip Gordon

Last month, the Federal Trade Commission (FTC) published a letter closing its investigation into whether an “Internet and social media background screening service used by employers in pre-employment background screening” complied with the Fair Credit Reporting Act (FCRA). At first blush, the letter appears to be a non-event. The FTC did not impose a penalty but also admonished that its “action is not to be construed as a determination that a violation may not have occurred.” While not much can be drawn from this equivocal result, the FTC’s letter does contain the following important conclusion: the “social check” service in question, known as Social Intelligence, “is a consumer reporting agency because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.” Put into plain English, employers that rely on a social check service, like Social Intelligence, to search social media for information about job candidates must comply with the FCRA.

This conclusion likely will have an impact on a substantial number of employers. According to a recent study by the Society of Human Resources Management (SHRM), more than 50% of employers are relying on social media for recruitment purposes, up from 34% in 2008, and another 20% plan to use social media for recruiting in the future. The SHRM study does not address the percentage of employers that conduct these searches exclusively in-house, in which case the FCRA would not apply, as compared to those that rely on a third-party service, in which case the FCRA likely would apply. However, the fact that the social check space is beginning to fill with new enterprises, like Social Intelligence, suggests that the number of employers that are relying on third parties to conduct social checks has grown significantly.

When the FCRA does apply, employers will need to take the following steps vis-à-vis any applicant who is the subject of a social check. First, review the notice and authorization currently provided to applicants before more traditional background checks are conducted to ensure that those documents encompass social media searches. Second, ensure that applicants who may be eliminated from consideration based in whole or in part on the results of a social check receive a pre-adverse action notice which provides the applicant with the report received by the employer, the FTC’s “A Summary Of Your Rights Under the FCRA,” and an opportunity to dispute the apparently adverse information with the service provider which ran the social check. Third, upon rejecting the applicant, send a final adverse action notice to the applicant containing the language required by the FCRA.

These legal compliance requirements are straightforward enough, but they, and in particular, the pre-adverse action notice requirement, highlight vexing practical issues: What social media information should be reported in the first place? Is the information relevant to the hiring decision? Is the information reliable? There can be no question that social media posts may contain information that employers may not lawfully consider when vetting an applicant, such as disability, protected and lawful off-duty conduct, or genetic information. There also can be no question that social media posts often contain information that warrants rejection of a candidate. According to a recent study by the Society of Corporate Compliance and Ethics, more than 40% of respondents had disciplined an employee based on his or her social media conduct. However, these two groups of information set only the polar extremes; employers still must determine what, if anything, will be reported concerning the vast range of social media content falling in the middle and how they will fairly evaluate that information. Social Intelligence, for example, notes on its Web site that its customer set-up tools leave to the employer responsibility for “defining screening filters (for evaluating individuals) and redaction criteria (for censoring information).”

Reliability is another critical issue for employers using social media to evaluate job candidates. In the case of more traditional pre-employment screening, the nature of the information itself engenders a higher probability, albeit not certainty, that information is accurate. Court systems, educational institutions, and employers, for example, have an inherent interest in maintaining accurate records for their own legitimate business purposes. By contrast, social media are replete with false, doctored, and biased information about others. Social Intelligence suggests a solution to this issue by noting on its Web site that it reports “only information the applicant has created himself.” However, completely eliminating social media information posted by third persons arguably reduces the effectiveness of a social check to some extent. Perhaps more importantly, social media posts apparently created by the author can be forged. I have recently counseled clients on two separate occasions where employees denied having posted on their Facebook wall negative information about the employer or co-workers, credibly claiming that others had stolen their log-in credentials or hacked into their account.

The absence of any inherent reliability in most social media information emphasizes the importance of providing applicants with a pre-adverse notice even when there is no legal obligation to do so. Employers easily could lose potentially outstanding employees by relying on social media content that is false, misleading or inaccurate. Even if apparently adverse information turns out to be accurate and true, the applicant’s explanation of that information could demonstrate maturity and honesty as opposed to evasiveness and bad character.

With use of social media for hiring becoming increasingly common, human resources professionals and in-house employment counsel need to scrutinize their organization’s use, or potential use, of this new tool and answer several challenging questions. Most importantly, how should social checks supplement more traditional means of vetting applicants’ credentials and pre-employment screening for adverse information? What types of information does the organization need and how will that information be weighted? Next, will the information be gathered through in-house resources or an external service provider, such as Social Intelligence? If the latter, how will FCRA compliance be worked into the social check process? Finally, particularly given the newness of social checks, employers should evaluate them at least annually with one key question in mind: Have the social checks improved the effectiveness of the organization’s hiring process and the quality of new hires?

Photo credit: robas
Tags: , , , , , ,
  • Print
  • Trackbacks
  • Share Link

FTC Releases Privacy Report Advocating Modified Regulatory Approach

Posted on December 21, 2010 by Privacy and Data Protection Practice Group

Earlier this month, the Federal Trade Commission (FTC) released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report advocates a regulatory framework that, if adopted, would modify the FTC’s previous approach toward the privacy issues over which it has jurisdiction. If the FTC were to adopt the new privacy framework, employers would need to focus new and greater attention on training their workforce about privacy and instilling attention to privacy into the business process that their workforce is required to execute.

The FTC is empowered to take action against deceptive or unfair acts or practices. It also has authority to regulate privacy issues through enforcement of statutes regarding specific business sectors, including certain financial institutions, children’s online activities, e-mail marketing, and telemarketing. The Commission’s primary role in workplace privacy arises from the Fair Credit Reporting Act (FCRA), which protects consumers’ sensitive credit, insurance and employment information and, for example, requires an employer to obtain written authorizations from job applicants and employees before obtaining background information about them through third parties and to provide notice to applicants if they decline to hire because of that information.
 

To address privacy issues, the FTC has focused on two regulatory models:

  • The notice-and-choice mode “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices.” (Report at iii.)
  • The harm-based model “focuses on protecting consumers from specific harms – physical security, economic injury, and unwanted intrusions into their daily lives.” (Id.)

Rather than advocating abandonment of these approaches, the report notes the drawbacks of each one: the notice-and-choice model has led to lengthy privacy policies that are neither read nor understood by consumers; the harm-based model has failed to adequately protect privacy interests that cannot be easily measured in monetary terms, such as reputational harm and the fear of being subjected to unwanted tracking in cyberspace. (Id.) Further, technological advancements have challenged both models:

  • Companies can collect, store, manipulate and share consumer data at minimal cost.
  • Companies can collect and use consumers’ information in ways that often are invisible to consumers.
  • The distinctions between personally identifiable information and non-personally identifiable information has become blurred. Customers are very interested in strong privacy protections. At the same time, however, the free flow of information is critical to providing the goods and services.
     

The report proposes an alternative, three-part framework for future privacy regulation by the FTC:

  1. Privacy by Design, an approach in which companies would promote consumer privacy throughout their organizations and at every stage of the development of their products and services. They would build into their everyday practices privacy protections, such as reasonable security for consumer data, collection of only the data needed for a specific business purpose, retention of data only as long as necessary to fulfill that purpose, safe disposal of data no longer being used, and implementation of reasonable procedures to promote data accuracy. (Report at v.) This approach also would include the assignment of privacy officers, privacy training, and internal privacy reviews when new products and services are developed.
  2. Simplified Consumer Choices. Companies would not need to provide choices to consumers before collecting and using their data for commonly accepted practices such as purchase order fulfillment. But for practices that would result in a material change from a customer’s expected use of personal data, companies would offer the choice at a time and in a context in which the consumer made a decision about providing and authorizing the use of his or her data.
  3. Greater Transparency in Data Practices. Companies would clarify, shorten and standardize privacy notices, provide reasonable access to the personal data they maintain about a person based on the sensitivity of the kind of data and the nature of its use; provide prominent disclosures; and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
     

Whether the FTC will adopt the framework outlined in the preliminary staff report after the public comment period ends on January 31, 2011, is unclear. But if the report is adopted, it likely will be over objection. Two of the five Commissioners issued concurring written statements to the report in which they questioned whether a new or modified model is necessary or desirable.

If the report is adopted, employers would need to consider the following implications:

  • Increased Need for Privacy Training for All Employees. “Privacy by design” entails efforts at every level of a business to protect the private information of consumers during the entire data life cycle, from collection to use to transfer to storage to destruction. The population of employees who should receive privacy training likely will expand materially.
  • Institution of Privacy Reviews During Product and Service Development. Another implication of “privacy by design” is the need to scrutinize privacy issues during the service- or product-development process. That would necessarily require a broader group of employees with expertise in the area of privacy than most organizations currently have.
  • Increased Need for Employee Sensitivity to Private Customer Information at Key Points in Business Transactions. The FTC’s new framework would require a business to give customers “just in time” choices about whether and how to use sensitive data. Automated notices and prompts would help solve some of these issues in online transactions. But with respect to phone or face-to-face transactions, employees would have to be vigilant to both identify those key decision points in business transactions and then respond appropriately.

This entry was written by Christopher M. Leh.
Tags: , , , , , , , , ,
  • Print
  • Trackbacks
  • Share Link