By Nicolas Dufour | Mar 20, 2015 | Privacy Summary
On September 30th, the Equal Employment Opportunity Commission (EEOC) announced a settlement agreement with The Cole Group (“Cole”), a background screening company, regarding pre-employment screening compliance with the Americans with Disabilities Act (ADA), the Genetic Nondiscrimination Act (GINA), and civil rights laws’ anti-retaliation provisions. The EEOC stated in a press release that it acknowledges Cole’s “proactive changes to screening policies and practices, employee training guidelines, and website information, to ensure compliance with the ADA and GINA with regard to applicants.” Janet Elizondo, director of the EEOC’s Dallas District Office, stated, “Increasing employment opportunities through forward-thinking hiring and recruitment models is what both the EEOC and businesses should support. In doing so, it is important for the EEOC to engage not only with employers directly, but also with their business partners who play an important role in facilitating connections between jobs and jobseekers.”
The CFPB publishes its “Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P).”
Recently, the Consumer Financial Protection Bureau (CFPB) published a full version of its “Summary of Your Rights Under the Fair Credit Reporting Act” (FCRA). The summary is required under §609(c)(1) of the FCRA, and must be provided to job applicants during the adverse action process under §605(b)(3)(A)(ii). The summary document was previously not accessible on the CFPB’s website, nor was it accessible as one, complete document. The summary document is available in both English and Spanish, and it highlights “major rights under the FCRA” and provides contact information for job applicants in specified types of business who seek to discuss their FCRA rights with the corresponding federal regulator. The document does not include any new, substantive language.
On October 10th, the Eleventh Circuit ruled that a Florida law requiring that a patient sign a Health Insurance Portability and Accountability Act (HIPAA) waiver prior to filing a medical negligence claim is “fully compliant with the HIPAA statute and its regulations.” The patient plaintiff considered suing the defendant physician for malpractice but declined to comply with a Florida statute requiring the plaintiff to sign an authorization form for “the disclosure of protected health information that is potentially relevant to the claim of personal injury or wrongful death.” The Eleventh Circuit ruled that the Florida law should be construed within the HIPAA privacy rule, that the plaintiff may revoke the waiver, and that a plaintiff files a suit and signs a waiver voluntarily. The court added, “Once a plaintiff executes a valid HIPAA authorization as part of his pre-suit obligations, his physician can, consistent with HIPAA, convey relevant health information about the plaintiff to a defendant. A medical provider can simultaneously comply with the state and federal requirements.”
Murphy v. Dulay, et al., No. 13-14637 (11th Cir., Oct. 10, 2014).
On October 20th, the Consumer Financial Protection Bureau (CFPB) finalized, largely as proposed on May 6th (previously reported), its proposed rule to provide additional flexibility to financial institutions regarding the distribution of Gramm-Leach-Bliley Act privacy notices in cases where the financial institution limits its information sharing. Specifically, a bank or nonbank under CFPB jurisdiction may post its annual privacy notices online if it satisfies certain conditions, such as not sharing consumer data in a manner that would trigger consumers’ opt-out rights. A qualifying institution would be required to utilize the model disclosure form that federal regulators issued in 2009. The CFPB stated that the flexibility of the proposed rule provides an incentive to qualifying institutions to limit data sharing in order to avoid disqualification from online delivery, and that online delivery provides consumers with constant access and the ability to comparison shop between the standardized model forms. The rule will go into effect upon its forthcoming publication in the Federal Register.
On September 10th, researchers at George Mason University submitted comments to the CFPB on its proposal to expand disclosures of consumer complaint narrative data (79 FR 42765) (previously reported). The researchers argue that the expansion of the CFPB’s consumer complaint database would actually harm consumers, markets, and the CFPB. Specifically, the authors note that the CFPB has not identified a problem that the consumer complaint database expansion would address, and assert that the expansion would actually harm small financial institutions, “for which a single baseless complaint would likely constitute a larger percentage of the total mix of available information.” Because some information in a narrative complaint would be redacted, the researchers also argue that the CFPB would be enticing consumers to “rely on incomplete and potentially inaccurate information—exactly the type of practice the [CFPB] seeks to stop financial firms from engaging in.” Finally, the researchers argue that the CFPB simply lacks the statutory authority to publish such consumer complaint narratives.
The FCC ruled that fax senders “must include certain information on the fax that will allow consumers to opt out, even if they previously agreed to receive fax ads from such senders.”
The PCI Security Standards Council published guidance on security awareness programs.
N.Y. – Rochester Passes Ban-the-Box
Buffalo joined numerous local and state jurisdictions in adopting some form of “ban the box” legislation. The City of Rochester has now joined Buffalo to become the second city in New York to approve such legislation. After November 18, 2014, Rochester, its vendors, and entities with four or more employees (Buffalo’s ordinance applies to employers with 15 or more employees) seeking to employ persons within the city must comply with the new ordinance.
More specifically, covered employers will no longer be able to require an applicant to check a box or respond to oral or written inquiries concerning his or her criminal history prior to an “initial employment interview.” The “initial interview” is broadly defined to include “direct contact” with the applicant either “in person or by telephone to discuss the employment being sought or the applicant’s qualifications.” If no interview is conducted, the employer must inform the applicant whether a criminal background check will be conducted before employment is to begin.
Excluded from the ordinance are applicants for positions in the city’s police or fire departments or employers hiring for “police officer” or “peace officer” positions as defined in § 1.20 or § 2.10 of the Criminal Procedure Law. Employers hiring for licensed trades or professions, such as physicians and attorneys, including interns and apprentices for such positions, are permitted to ask applicants the same questions asked by the trade or professional licensing body pursuant to New York State or federal law.
On September 30th, California Governor Jerry Brown (D) signed A.B. 1710, which will amend the state’s data breach law to require a person or business that may have exposed certain personal information to offer in its breach notification letter, to affected individuals, at least one year of “appropriate identity theft prevention and mitigation services” at no cost to the consumer if Social Security numbers or driver’s license numbers may have been breached. The bill would also prohibit the sale, advertisement for sale, or offer to sell an individual’s Social Security number except where such release is incidental to a larger transaction and is necessary to identify an individual in the interest of a legitimate business purpose. Finally, the bill would require that any business that maintains personal information that it does not own or license to “implement and maintain reasonable security procedures and practices” for such data (owners and licensees are required to do so under existing law).
On October 27th, Publix Super Markets, Inc. reached a proposed $6.8 million settlement with a class alleging that Publix violated the FCRA by providing job applicants with a disclosure stating that it would order a background check report on such applicants which also included additional information, thereby failing to provide a stand-alone disclosure. The settlement grants each of the 90,633 class members $75.00, or $48.55 after subtracting attorneys’ fees and class representative service payments. Publix characterized the settlement as “the largest-ever settlement of its kind by far” on a gross basis, and the “only settlement of its kind with over 20,000 class members to adopt a claims-paid structure, meaning that class members will not have to submit claims forms to receive a share of the settlement fund.” The class includes all employment applicants at a Publix store between March 12, 2012 and May 13, 2014, for whom the retailer ordered a background check report.
Knights v. Publix Super Markets, Inc., No. 3:14-cv-00720 (Oct. 17, 2014, M.D. Tenn.)
On October 9th, a proposed class action was filed in a federal district court in California against LinkedIn Corp. for allegedly violating the Fair Credit Reporting Act (FCRA) through its “Trust References” function. The function allows prospective employers to pay a fee to access reference reports, which the class defines as a consumer report covered by the FCRA, for those employment applicants who maintain LinkedIn profiles. The class alleges that the “Trusted References” function does not require the requesting entity to certify that it will use the report lawfully under federal and state employment law and provide other certifications under the FCRA. The class also alleges, among other things, that LinkedIn failed to verify that recipients would use the report exclusively for permissible purposes and, further, “failed to follow any reasonable procedures to assure maximum possible accuracy of the information in the Reference Reports that it prepared.” The proposed class includes all LinkedIn users for whom a reference report was generated, and a subclass includes all members who applied for employment through a LinkedIn posting for employment.
Sweet, et al. v. LinkedIn (N.D. Cal., Oct. 9, 2014).
Calif. – Ride-sharing Companies Threatened With Legal Action Over Background Checks
Ride-sharing companies Uber, Lyft and Sidecar are being threatened with legal action in San Francisco and Los Angeles over how they screen drivers and charge passengers.
The cities’ district attorneys sent letters to the three companies, warning that they could face legal action if they don’t change practices representing “a continuing threat to consumers and the public,” the San Francisco Chronicle reported Thursday.
The legal threats are the latest challenges to the companies that have popular smartphone apps allowing passengers to order rides in privately driven cars instead of taxis. Cab and limo operators in places such as New Mexico and Washington state have sued the ride-sharing businesses. Officials in some states have enacted rules regulating the companies while other cities and states have struggled to pass laws.
In California, the district attorneys’ offices, which conducted a joint investigation, say the companies falsely claim their background checks screen out drivers who have committed driving violations, sexual assaults and other criminal offenses.
The prosecutors also claim the way the companies calculate shared fares – allowing people going the same way to hop in a car and pay their fares separately – is illegal.
Oct. 20: The GAO reportedly suggested that USIS may not be adequately responsible to receive a DHS immigration contract.
USIS, the embattled major federal contractor, suffered another blow Monday after government lawyers determined that the Department of Homeland Security recently issued the company a lucrative contract without taking into account allegations of fraud against the company.
The decision by the Government Accountability Office comes a month after the Office of Personnel Management said it would not renew any of its contracts with the Falls Church-based company, which was the victim of a recent cyberattack that left thousands of government workers vulnerable to the theft of some of their personal information.
The company also faces a whistleblower lawsuit that was joined by the Justice Department alleging that it “flushed,” or didn’t fully complete, 665,000 background checks used in granting security clearances.
In a bid protest, one of USIS’s competitors, Ashburn-based FCi Federal, argued that the Department of Homeland Security should have considered those allegations when it awarded USIS a contract worth up to about $200 million to provide field support services related to the agency’s immigration system. The GAO agreed and recommended that DHS take the allegations into account when determining whether USIS is a “responsible” vendor.
“If, at the end of this review, USIS is found to be other than responsible, we recommended that DHS terminate USIS’s contract and make award to FCi, if otherwise appropriate,” Ralph O. White, GAO’s managing associate general counsel for procurement law, said in a statement. “We also recommended that FCi be reimbursed its protest costs.”
Ill. – Demand for Background Checks is Soaring
In a leaner, meaner job market, it’s probably not surprising that the demand for background checks is on the rise.
“In the last several years, the demand for screenings performed by AAIM Employers Association has grown dramatically, posting a nearly 200 percent increase over a four-year period,” said Phil Brandt, the St. Louis-based association’s president and CEO.
“It’s just exploding. There’s a lot of movement going on in the workplace, ” he said.
Brandt wasn’t necessarily referring to rampant hiring by U.S. companies but hiring replacements for the 11,000 retirees that leave the workplace every day.
“Employers are smarter today on who they hire. If a bad hire occurs, when it becomes public, brand damage may occur – especially if no background check was done at all,” he said.
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or email@example.com.