+1.877.796.2559 | Investors|

December 2016 Privacy Summary

By Nicolas Dufour | Jan 5, 2017 | Screening Compliance Update

Federal Developments

Tenant Background Screening and the FCRA
On November 28th, the FTC issued guidance on tenant background screening in order to comply with the Fair Credit Reporting Act (FCRA). The agency highlights four key responsibilities of background screening companies covered by the FCRA, specifically: “Follow reasonable procedures to ensure accuracy; Get certifications from your clients; Provide your clients with information about the FCRA; and Honor the rights of applicants and tenants.”

CFPB Releases Report about Credit Invisible Consumers
On December 12th, the Consumer Financial Protection Bureau (CFPB) published a report entitled, “Who are the Credit Invisible” about consumers with limited credit histories. The CFPB found that consumers with limited credit histories were denied opportunities to use financial services, seek employment, or rent an apartment. The report also found that consumers that are younger, minorities, or live in low-income communities are more likely to have limited credit histories. For consumers with limited credit history, the CFPB recommends: Paying bills on time; Reporting non-traditional payment data to credit reporting companies; Using credit building financial products, such as retail credit cards; and Monitoring credit reports to fix any errors.
http://www.consumerfinance.gov/about-us/blog/who-are-credit-invisible/
https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/201612_cfpb_credit_invisible_policy_report.pdf

New CFPB Consumer Credit Trends Tool
On December 15th, the Consumer Financial Protection Bureau (CFPB) announced a new web-based application, the Consumer Credit Trends that is designed to help consumers monitor trends and developments in consumer lending and to better predict future risks. The Consumer Credit Trends tool includes analyses of credit card, mortgage, auto loans, and student loans as well as charts of how specific consumer groups are faring in the financial market. The Consumer Credit Trends found that: Mortgage lending between August and October was up nearly 50 percent over last year; Credit card lending was up nearly 14 percent year-to-date in low-income neighborhoods; Higher-risk auto lending was down slightly; and Student lending volume was down slightly.
http://www.consumerfinance.gov/about-us/newsroom/cfpb-unveils-consumer-credit-trends-tool-help-forecast-potential-consumer-risks/
http://www.consumerfinance.gov/data-research/consumer-credit-trends/

FMCSA Establishes National Drug and Alcohol Testing Clearinghouse for Commercial Truck and Bus Drivers
The U.S. Department of Transportation’s (DOT) Federal Motor Carrier Safety Administration (FMCSA) today announced a final rule that establishes a national drug and alcohol clearinghouse for commercial truck and bus drivers. The clearinghouse database will serve as a central repository containing records of violations of FMCSA’s drug and alcohol testing program by commercial driver’s license (CDL) holders. The national drug and alcohol clearinghouse final rule goes into effect in January 2020, three years after its effective date.
https://www.fmcsa.dot.gov/newsroom/fmcsa-establishes-national-drug-and-alcohol-testing-clearinghouse-commercial-truck-and-bus

January 22, 2017: Out with the Old and In with the New Form I-9
The long awaited new Form I-9 is here — recently published by the U.S. Citizenship and Immigration Services (USCIS). Employers must begin using the new form (edition date 11/14/2016), no later than January 22, 2017. Until then, employers may use either the new form or the 03/08/2013 edition. You can find the new form on the USCIS’s website. The most significant change with the new Form I-9 is that it now comes in a “smart” PDF version which, if completed on a computer using Adobe Reader, provides various prompts and interactive fields designed to ensure that the form is completed accurately. Among the new features are instructional texts and pop-up alerts that force the user to make corrections as the form is filled out. Employers, however, do not have to use the “smart” version, but instead may complete the Form I 9 process entirely by hand using a plain paper version, which is also separately included on the USCIS’s website. And, even if an employer opts to use the “smart” version, the completed form must still be printed out and signed by the employee and the employer’s representative (and, if applicable, by any preparers and translators). Employers also should be aware that you need the newest version of Adobe Reader to use the “smart” PDF form. At this time, other versions of Adobe and other types of PDF viewers will not open the “smart” form. The new Form I-9 itself – both the “smart” and paper versions – includes a number of notable changes. For instance, Section 1 of the form now asks the employee to list “other last names used” rather than “other names used.” Another important revision is that an employee who identifies as an “alien authorized to work” now must list only one number from among the employee’s alien number, I-94 admission number, and foreign passport number, rather than listing multiple numbers as previously required. Given the recent increase in fines for Form I-9 violations and the more aggressive stance on immigration enforcement expected from the Trump Administration, it is critical for employers to ensure that all of their facilities and worksites are using the new Form I-9 after the January 22, 2017 effective date. Don’t forget: It is a violation of the Form I-9 regulations to use an expired version of the form, even if the form is otherwise completed correctly.
http://www.lexology.com/library/detail.aspx?g=e54f6f97-6b0e-44d5-b5a9-5c1f2911b193&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2016-12-15&utm_term=

Court Cases

Rite Aid Asks to Dismiss FCRA Case On December 6th.
Rite Aid filed a motion to dismiss a proposed Fair Credit Reporting Act (FCRA) class-action in the U.S. District Court for the Eastern District of Pennsylvania. According to the complaint, Rite Aid violated the FCRA by allegedly failing to allow job applicants to challenge inaccurate or misleading reports after they were rejected for employment. The Defendant claims that the case should be dismissed because the Plaintiff, Kyra Moore, already settled claims with the background screening company. The case is Moore v. Rite Aid Hdqtrs Corp. et al., case number 2:13-cv-01515, in the U.S. District Court for the Eastern District of Pennsylvania. The case is Moore v. Rite Aid Hdqtrs Corp. et al., case number 2:13-cv-01515, in the U.S. District Court for the Eastern District of Pennsylvania.

Ninth Circuit will Hear Spokeo v. Robins Case
On December 9th, Bloomberg published an article about the Robins v. Spokeo Inc. case which will be heard on remand in the U.S. Court of Appeals for the Ninth Circuit later this month. The Supreme Court held, in May, that the Ninth Circuit did not properly analyze whether the Plaintiff’s injuries were sufficiently concrete and particular to give him constitutional standing to bring suit. Plaintiff Thomas Robins alleges that Spokeo, which aggregates individuals’ personally identifiable information from the Internet, violated the Fair Credit Reporting Act (FCRA) when it made available inaccurate information about him. Furthermore, he argues that his injury was concrete because “Spokeo committed rampant and persistent procedural violations that led to the dissemination of the types of false information about him that create a ‘material risk of harm’ to the interest the FCRA protects.” However, Spokeo argues in its brief that not every alleged allegation of the FCRA automatically results in a concrete harm. The case is Thomas Robins v. Spokeo Inc., case number 11-56843, in the U.S. Court of Appeals for the Ninth Circuit.

Spokeo’s Intangible Harm Analysis
On December 15th, the International Association for Privacy Professionals published an article examining two privacy-based cases that have addressed the intangible harm threshold following the U.S. Supreme Court’s ruling in Spokeo v. Robins. The Court ruled that an intangible harm must be closely related to a harm that has traditionally provided a valid basis for a lawsuit and has been identified by Congress as an intangible harm under Article III of the Constitution. Furthermore, the Court said that a mere procedural violation may not cause harm. Mey v. Got Warranty, Inc. – This case addressed telemarketing calls from Defendant Got Warranty, Inc. to Plaintiff Diana Mey, who was registered on the National Do Not Call Registry, in violation of the Telephone Consumer Protection Act. Applying Spokeo’s intangible harm analysis, the U.S. District Court for the Northern District of West Virginia ruled that the calls caused three types of intangible harms and found that the harms met the requirements under Article III of the Constitution. Jackson v. Abendroth & Russell, P.C. –Plaintiff Patrick Jackson alleged that Defendant Abendroth & Russel, P.C. violated the Fair Debt Collection Practices Act by allegedly failing to include separate informational disclosures. Based on Spokeo’s concrete harm analysis, the U.S. District Court for the Southern District of Iowa found that there was no concrete harm established saying that a procedural violation may result in no harm. Although the Defendant failed to provide separate disclosures, there was no evidence that the procedural violation caused any harm to the Defendant. The cases are Diana Mey v. Got Warranty Inc. et al., case number 5:15-cv-00101, in the U.S. District Court for the Northern District of West Virginia; and Jackson v. Abendroth v. Russell PC, case number 4:16-cv-00113, in the U.S. District Court for the Southern District of Iowa.
https://iapp.org/news/a/intangible-privacy-harms-post-spokeo/

State Developments

Uber and Lyft Enter into Background Check Agreements in Massachusetts
On November 28th, Massachusetts officials announced that ride-sharing companies Uber and Lyft entered into agreements to implement driver background checks. According to Governor Charlie Baker, the agreements will require the companies to begin administering background screenings on January 6th, and will require all drivers to pass biannual background screenings in order to operate in the state. The new background check requirement is part of legislation that created a statewide framework for transportation network companies.

Calif. – L.A. City Council Approves Ban on Disclosing Criminal Records During Early Hiring Process
The Los Angeles City Council approved an ordinance that bans employers from asking about job applicants’ criminal records during the early stages of the hiring process. The measure, which has been called “ban the box, ” makes employers remove the checkboxes or questions that inquire about a person’s criminal record. The policy will apply to private businesses with 10 or more employees and contractors doing business with the city. They will not be able to ask about criminal records until a conditional offer is made. Once that has been made, employers can then inquire about a person’s criminal record.
http://abc7.com/business/la-city-council-approves-ban-on-criminal-records-disclosure-for-job-applicants/1634700/

California Law Restricts Employers From Asking About Juvenile Criminal History
California recently amended its existing law governing inquiries into and the use of juvenile criminal information. Effective January 1, 2017 employers will be restricted from asking about, seeking, or using a California applicant/employee’s juvenile criminal history in the employment context. Assembly bill (A.B.) No. 1843 amends California Labor Code § 432.7, the law that sets forth many of the California prohibitions on employment-related inquiries into and use of an applicant/employee’s criminal history, by establishing a number of new restrictions related to juvenile criminal history information. Specifically, the new law prohibits employers from:

  • Asking an applicant to disclose, either in writing or verbally, information concerning or related to an arrest, detention, processing, diversion, supervision, adjudication, or court disposition that occurred while the individual was subject to the process and jurisdiction of juvenile courts/ law.
  • Seeking from any source whatsoever, or using, as a factor in determining any condition of employment (e.g., hiring, promotion, termination, decisions related to a training program, etc.), any record concerning or related to an arrest, detention, processing, diversion, supervision, adjudication, or court disposition that occurred while the individual was subject to the process and jurisdiction of juvenile courts/law.

The amended law defines the word “conviction, ” as used throughout California Labor Code § 432.7, to exclude all adjudications made by any court with respect to a person who is under the process and jurisdiction of juvenile courts/law.
http://www.lexology.com/library/detail.aspx?g=3124f214-af37-45e1-8cf6-ebd6ea9f9c76

Philadelphia to Restrict Wage History in Hiring Decisions
A new Philadelphia ordinance restricting the use of wage history in hiring decisions has passed the City Council. Mayor Jim Kenney is expected to sign the bill into law soon. The ordinance will prohibit employers from inquiring about and considering prospective employees’ wage histories, subject to limited exceptions. On December 8, 2016, Philadelphia City Council passed a bill prohibiting employers from inquiring about the wage history of prospective employees (the “Wage History Ordinance”). The Ordinance will amend the “Fair Practices Ordinance” (Chapter 9-1100 of The Philadelphia Code) by adding to the broad protections already afforded to employees. The Wage History Ordinance makes it an unlawful employment practice “for an employer, employment agency, or employee or agent thereof” to “inquire about a prospective employee’s wage history, require disclosure of wage history, or condition employment or consideration for an interview or employment on disclosure of wage history.” Within the meaning of the Ordinance, “to inquire” is defined as “to ask a job applicant in writing or otherwise.” Likewise, the term “wages” is defined broadly to include “all earnings of an employee, regardless of whether determined on time, task, piece, commission or other method of calculation and including fringe benefits, wage supplements, or other compensation whether payable by the employer from employer funds or from amounts withheld from the employee’s pay by the employer.”

The Ordinance also includes an anti-retaliation provision, prohibiting employers from taking adverse action against an applicant or employee who does not comply with a wage history inquiry. In addition, the Ordinance further prohibits employers from relying on the wage history of a prospective employee provided by current or former employers of the prospective employee “in determining the wages for such individual at any stage in the employment process … unless such applicant knowingly and willingly disclosed his or her wage history” to the prospective employer. The Ordinance, however, provides an exception: allowing inquiries into wage history where “any federal, state or local law … specifically authorizes the disclosure or verification of wage history for employment purposes.” This exception is significant, as it applies not only where such inquiries are required, but wherever disclosure or verification is “authorized.” A prospective employee claiming to be aggrieved by a violation of the Ordinance may file a complaint with the Philadelphia Commission on Human Relations. Any such complaint must be filed within 300 days of the alleged discriminatory act. Once the administrative remedies have been exhausted, the prospect may pursue a private civil action in court. Remedies available to a successful litigant include compensatory and punitive damages, attorneys’ fees, court costs, and injunctive relief. Employers found in violation also may be subject to administrative penalties. Implications for Employers. The Ordinance will add to the already significant anti-discrimination protections afforded under the Fair Practices Ordinance. The Ordinance is slated to take effect 120 days after Mayor Kenney signs the bill into law, meaning the expected effective date will be sometime in April 2017. Employers in Philadelphia should become familiar with the new obligations associated with compliance and potential penalties under the bill. Employers should review existing policies and practices to ensure they are compliant with the Ordinance.
http://www.lexology.com/library/detail.aspx?g=43c8e25e-a5f2-42a4-986b-454bd35c86c0&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2016-12-15&utm_term=

Texas – San Antonio Bans the Box on City Job Applications
San Antonio joined a growing list of cities to remove questions about previous criminal history from City job applications Wednesday. Proposed by Councilman Rey Saldaña (D4), the measure comes on the heels of a broader “ban the box” ordinance adopted in Austin last March, which extends to most private employers with more than 15 employees. “We have a sizable number of community members that are being stigmatized because they are being asked to put at the front of their application whether they have a criminal history, ” Saldaña told the Rivard Report. The policy – already adopted in 150 cities and counties and 24 states – requires City employers to wait until civilian job applicants have a chance to show their qualifications in an interview before requiring them to identify their criminal histories. Fire and Police Academy applications, however, will be exempt from this change.
https://therivardreport.com/san-antonio-bans-the-box-on-city-job-applications/

Proposed Law Would Bar D.C. Landlords from Automatically Rejecting Applicants with Criminal Convictions
Two years after the District made it harder for private employers to reject job applicants with criminal histories, the D.C. Council wants to put similar restrictions on landlords, barring them from automatically denying housing to ex-offenders whose conviction records date back more than seven years. The legislation, given initial approval by the council Tuesday night, also would prohibit rental-property owners from summarily rejecting prospective tenants who have more recent criminal backgrounds. In those cases, often involving newly released prisoners, landlords would have to base decisions on guidelines that are included in the statute. And housing applicants who think they have been illegally turned down could appeal to the city’s Office of Human Rights, possibly resulting in financial penalties for property owners. At a time of growing gentrification in Washington, supporters said, the bill is partly intended to help reduce recidivism by making it easier for ex-offenders to find places to live in an increasingly tight and expensive rental market.
https://www.washingtonpost.com/local/trafficandcommuting/proposed-law-would-bar-dc-landlords-from-automatically-rejecting-applicants-with-criminal-convictions/2016/12/11/4358be50-bbca-11e6-ac85-094a21c44abc_story.html?utm_term=.e71223605305

Concerns about Massachusetts facial recognition program
The Boston Globe published an article about privacy groups raising concerns about a Massachusetts facial recognition program which is used to identify criminal suspects.
https://www.bostonglobe.com/metro/2016/12/20/state-scans-mass-driver-license-photos-find-matches-with-suspects/xyVIxWkPL95hQbx4sUI2WM/story.html

Workplace Implications of the Massachusetts Recreational Marijuana Law
On Nov. 8, 2016, Massachusetts voters passed Question 4, which legalizes the recreational use of marijuana. The stated purpose of the Recreational Use Law, officially titled “The Regulation and Taxation of Marijuana Act, ” is “to control the production and distribution of marijuana under a system that licenses, regulates and taxes the businesses involved in a manner similar to alcohol and to make marijuana legal for adults 21 years of age or older.” Accordingly, the law makes it legal for adults to possess, use, and cultivate marijuana within certain limits. Marijuana use is, however, forbidden in public places or in any other location where smoking is prohibited. The law contains a single reference to its effect on employers, which is as follows: “This chapter shall not require an employer to permit or accommodate conduct otherwise allowed by this chapter in the workplace and shall not affect the authority of employers to enact and enforce workplace policies restricting the consumption of marijuana by employees.” Otherwise stated, the Recreational Use Law does not give employees a “free pass” to use or possess marijuana in the workplace, even if the law permits adults to use marijuana in other contexts or locations. Accordingly, employers may continue to maintain and enforce no alcohol/no drug polices which prohibit marijuana. It should be noted that use and possession of marijuana remains illegal under federal law. The Controlled Substances Act classifies marijuana as a Schedule I controlled substance. Schedule I is the category designated by federal law for controlled substances that may not be prescribed by a physician, and which have “a high potential for abuse.” Many employers are in industries that require compliance with federal requirements, such as transportation companies subject to U.S. Department of Transportation regulations. These regulations require comprehensive drug and alcohol testing guidelines for employees in safety sensitive positions. Any such federal law requirements are not modified by the Massachusetts Recreational Use Law. Federal contractors and recipients of federal funding are generally required to comply with another federal law, the Drug-Free Workplace Act of 1988, which mandates that employers maintain a “drug-free workplace.” An employer that tolerates the use of marijuana in the workplace under state law would be in violation of its federal law obligations under the Drug-Free Workplace Act. The Recreational Use Law does not prevent employers from utilizing pre-employment drug testing. Under this procedure, a job applicant is provided a conditional offer of employment, contingent on passage of a drug screening test. The new law does not abridge an employer’s right to enforce pre-employment drug screening policies that screen for the use of drugs, including marijuana. Similarly, there is nothing in the Recreational Use Law regulating or prohibiting the use of drug testing for current employees, such as post-incident or reasonable suspicion drug testing policies. Effective Dec. 15, 2016, adults in Massachusetts may possess, use and cultivate marijuana.
http://www.lexology.com/library/detail.aspx?g=e063db17-f6b0-40f2-960c-33700fcd836c&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=Lexology+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2016-12-21&utm_term

Michigan Governor Signs Law Requiring Background Screenings of Uber and Lyft Drivers
On December 21st, Michigan Governor Rick Snyder signed the “Limousine, Taxicab, and Transportation Network Company Act” into law. The legislation imposes new obligations on transportation network companies (TNCs) like Lyft and Uber. According to the new legislation: Drivers are required to disclose their driving history to their TNC; TNCs must conduct an annual local and national criminal background check for all drivers; and An individual who has more than 4 moving violations or 1 major violation three years before the date of application, was convicted of a felony five years before the date of application, or is listed on the national sex offender registry database is prohibited from being a driver for a TNC.
http://www.michigan.gov/snyder/0, 4668, 7-277–400530–, 00.html
http://www.legislature.mi.gov/documents/2015-2016/billenrolled/House/pdf/2015-HNB-4637.pdf

NYC Issues Updated Cybersecurity Regulation
On December 28th, the New York Department of Financial Services (DFS) Superintendent Maria T. Vullo announced that the DFS has updated its proposed first-in-the-nation financial sector cybersecurity regulation. The regulation, which will be effective March 1, 2017, requires banks, insurance companies, and other financial services institutions to develop and maintain a cybersecurity program designed to protect consumers and the financial services industry. The updated proposal will be finalized after a 30-day notice and public comment period.
http://www.dfs.ny.gov/about/press/pr1612281.htm

International Developments

UK Investigatory Powers Act Signed into Law
On November 29th, the United Kingdom’s (UK) Investigatory Powers Act, which will expand government hacking authority, was signed into law. The legislation requires telecommunications and internet service providers to store users’ web browsing history for 12 months, and gives law enforcement access to that data. Furthermore, it provides security services and police with new powers to access computers and phones in order to collect communications data in bulk. The act has received criticism for being non-transparent and an “extension of the surveillance state.”

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law
In the United States Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. Historically the European Union has also not had a general, non-sectoral, data breach notification statute. Uniform data breach notification rules were only established for the telecommunication sector. While some member states enacted broader breach notification legislation, by and large there was far less uniformity in the EU between, and among, member states, then existed in the United States.
http://www.jdsupra.com/legalnews/data-breach-notification-in-the-eu-a-31594/

EU-Japan trade deal.
Dec. 9: Politico reported that a fight over data privacy is blocking the EU-Japan trade deal.

ENISA Releases its Report Against Weakening
Encryption On December 12th, the European Union Agency for Network and Information Security (ENISA) released its report outlining the potential challenges of weakening encryption to facilitate law enforcement’s work. ENISA finds that: “The use of backdoors in cryptography is not a solution, as existing legitimate users are put at risk by the very existence of backdoors; Backdoors do not address the challenge of accessing decrypting material, because criminals can already develop and use their own cryptographic tools; Judicial oversight may not be a perfect solution; as different interpretations of the legislation may occur; and Law enforcement solutions need to be identified without the use of backdoors and key escrow.”
https://www.enisa.europa.eu/news/enisa-news/the-importance-of-cryptography-for-the-digital-society
https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisas-opinion-paper-on-encryption

GDPR Guidance for Data Protection Officers
On December 16th, the European Union’s Article 29 Working Party released a report providing guidance about the application of the General Data Protection Regulation (GDPR), specifically the appointment of a Data Protection Officer (DPO). The report clarifies when a DPO is required and the DPO’s tasks and job responsibilities.
https://blog.evernote.com/blog/2016/12/15/evernote-revisits-privacy-policy/
http://www.csoonline.com/article/3151156/security/evernote-backs-off-from-privacy-policy-changes-says-it-messed-up.html

European Court Strikes Down Data Retention Laws
On December 21st, the Court of Justice of the European Union (CJEU) ruled that member states cannot require service providers to retain users’ electronic communications. The CJEU concluded that the general and indiscriminate mass collection and retention of internet traffic and location data is unlawful, and can only be retained for a limited time. The decision: Requires member states’ data retention laws to comply with EU data protection rules; Prohibits generalized and indiscriminate surveillance unless it is being used to help solve serious crimes; Outlines what a national data retention law must contain in order to comply with EU data protection law such as clear and precise rules, minimum safeguards, and conditions under which data retention may be adopted as a preventative measure; and Recommends that citizens’ data should be retained within the EU, which may affect agreements such as the EU-U.S. Privacy Shield Agreement.
https://iapp.org/news/a/cjeu-in-tele2-rules-broad-data-retention-laws-invalid-raises-questions-for-data-transfer-mechanisms-post-brexit-u-k/

Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or robert.belair@agg.com.