By Nicolas Dufour | Apr 13, 2017 | Privacy Summary
Federal Trade Commission
On February 10th, Capitol Network Distance Learning Programs and Stepping Stonez Development, LLC, the operators of two online high schools, agreed to settle charges with the FTC for allegedly making false claims about the value of their diplomas. According to the FTC, the Defendants falsely claimed that their online high schools were accredited and that their diplomas would be accepted by universities, employees, and the military. According to the stipulated final order, the Defendants are:
- Banned from marketing or selling any academic degree or certification programs;
- Prohibited from misrepresenting any other product or service; and
- Required to pay a $19.1 million judgement.
CFPB Fines Experian
On March 23rd, the CFPB announced that it fined Experian for allegedly deceiving consumers about the use of its credit scores sold to consumers. According to the CFPB, from at least 2012 through 2014, Experian falsely advertised that its proprietary credit scoring model known as “PLUS Score,” which is an educational credit score and not used by lenders for credit decisions, was the same score lenders used to make credit decisions, in violation of the Dodd-Frank Act. In addition, Experian violated the Fair Credit Reporting Act until March 2014 when it required consumers obtaining their credit report to view advertisements before they were able to receive their report. Under the Consent Order, Experian must:
- Pay a $3 million penalty;
- Truthfully represent the usefulness of credit scores it sells; and
- Put in place an effective compliance management system.
Insurer on Hook for Employee’s Drunk Driving, $1M Verdict
According to the U.S. Court of Appeals for the Eleventh Circuit, an employee involved in a car accident while under the influence did not exceed the scope of his permission to use the vehicle, leaving the employer’s insurer on the hook for approximately $1 million in damages. Brian Hensley was permitted to drive a company car for both work and personal purposes. One night, after consuming four beers, he drove home and was involved in an accident that seriously injured Ulysses Anderson. Anderson sued Hensley’s employer, which tendered the claim to Great American Alliance Insurance Company. A jury found Hensley liable and awarded Anderson roughly $1 million. The insurer then sought a declaratory judgment that Hensley had exceeded the scope of the permissive use granted by the employer because he drove while intoxicated. Despite the company’s policy banning the consumption of alcoholic beverages on company property and prohibiting employees under the influence from working, the court found Hensley remained within the scope of the employer’s permission. Even though he was intoxicated, Hensley was using the vehicle for an approved purpose, the panel wrote, and he was therefore an insured under the terms of the policy.
DC Restrictions on the Use of Credit History by Employers
Restrictions on the use of credit history by employers when conducting background checks in Washington, D.C. are official. On February 15, 2017, Mayor Bowser signed (http://lims.dccouncil.us/Legislation/B21-0244?FromSearchResults=true) the “Fair Credit in Employment Amendment Act of 2016” (D.C. Act A21-0673), which amends D.C.’s Human Rights Act of 1977. The law will become effective following a 30-day period of Congressional review. This means that the use of credit information for employment screening purposes may, in certain circumstances, constitute an unlawful discriminatory practice. The legislation prohibits an employer from requiring, requesting, suggesting, or causing any employee to submit credit information, or using, accepting, referring or inquiring into an employee’s credit information. There are certain exceptions to this general prohibition, such as for positions in law enforcement, with financial institutions, or when use of credit information is required by law. Violations can lead to civil penalties starting at $1,000. For more about the use of credit information for employment screening
Vermont’s Crackdown on Drug Testing Underscores the Importance of Compliant, State-Specific Drug Testing Policies for Multistate Employers
Title 21, Chapter 5, Section 513 of the Vermont Statutes states: “An employer shall not request, require, or conduct random or company-wide drug tests except when such testing is required by federal law or regulation.” Stated more plainly, Vermont prohibits random drug testing of employees. Vermont does allow for employers to drug test job applicants after a conditional offer of employment has been made. The state also allows employers to drug test current employees if there is probable cause/reasonable suspicion. However, random testing is absolutely prohibited. This creates significant difficulty for Vermont employers that maintain operations in other states because most states do allow for random drug testing of employees. If an employer maintains a blanket multistate drug testing policy allowing for random testing, it may not realize it is violating Vermont law. To make things even more difficult on Vermont employers, if a current employee tests positive on a lawful drug test required because the employer had probable cause to believe the employee was using drugs, the employer may not terminate the employee’s employment for failing the test. Instead, employers must maintain an Employee Assistance Program or a comparable rehabilitation program and must give the employee an opportunity to participate. The employee can only be discharged if he or she completes the program and then subsequently fails a post-program drug test. Now, you may be asking yourself, “Does Vermont care about these technical requirements?” The answer is an overwhelming “yes.” In fact, Vermont takes drug testing so seriously that the Vermont Attorney General’s Office’s Employment Discrimination Complaint form has a specific box employees can check if their employers unlawfully required that they take a drug test or discriminated against them based on a drug test. 
In addition to possible employment disputes, the Vermont drug testing law provides for civil penalties of between $500 and $2,000 for each violation. Employers in Vermont should be aware of the state’s strict drug testing laws and the aggressive enforcement of these laws. Employers maintaining operations in Vermont may want to review their drug test policies to ensure they are compliant under Vermont law.
New Mexico Notification Law
We are almost to a point where all 50 states and the District of Columbia will have some form of data breach notification law on their books to protect residents’ personally identifying information (PII) in the event of a data breach. The three holdout states are Alabama, New Mexico and South Dakota. But that’s about to change in New Mexico. The state legislature recently passed the Data Breach Notification Act (H.B. 15) and the legislation is awaiting Governor Susana Martinez’s signature. Some highlights of the legislation:
- A “security breach” is defined as the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.”
- It requires the proper disposal of PII when records containing such are “no longer reasonably needed for business purposes.”
- It requires that any person that owns or maintains PII of New Mexico residents must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
- In the event of a security breach, notification must be provided within 45 days. However, New Mexico will be a “risk of harm” state, meaning that notice will not be required if the incident does not “give rise to a significant risk of identity theft or fraud.”
- The notification letter must include specific content, including (but not limited to) the types of PII compromised, date of the breach, a general description of the breach, contact information for the three major credit bureaus, and “advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach.”
- Notice is required to be provided to the state attorney general and the three major credit bureaus if the breach affects more than 1,000 New Mexico residents.
Puerto Rico enacts broad equal pay law which, among other provisions, prohibits employers from asking applicants about their prior salary history
The Commonwealth of Puerto Rico has joined the nationwide effort to eliminate pay disparity in the workplace based on gender. Despite the prohibition against wage discrimination based on sex set forth in Title VII of the Civil Rights Act of 1964 and the Equal Pay Act, federal laws which apply in Puerto Rico, there was still apparently a significant gap in pay between men and women performing comparable work in Puerto Rico. In an effort to rectify this situation, Governor Ricardo Rosselló signed the Puerto Rico Equal Pay Act (the “Act”) on March 8, 2017. The Act becomes effective immediately. For employees in jobs that require substantially similar skill, effort and responsibility performed under similar working conditions, the Act prohibits wage discrimination on the basis of sex and requires employers to pay employees of different genders the same compensation or salary unless the difference in pay is based on (1) a bona fide seniority or merit based system; (2) a compensation system based on the quantity or quality of production, sales or profits; (3) differences in education, training or experience that is reasonably related to the specific work at issue; or (4) any other reasonable factor other than sex. In addition to requiring equal pay for equal work, the Act also has a number of very employee protective provisions:
- An employer is prohibited from asking an applicant, or the applicant’s current or former employer, for the applicant’s current salary or salary history. However, if the applicant voluntarily disclosed his or her current salary or salary history, the employer may confirm the current salary or salary history with the applicant or the current or previous employer. In addition, if the compensation or salary was negotiated with the applicant and the salary is set forth in an offer of employment, the employer may thereafter confirm the applicant’s salary history;
- An employer may not, as a condition of employment, prohibit an employee or applicant from asking for, discussing, requesting or disclosing information about the employee or applicant’s compensation or salary or the compensation or salary of other employees in comparable positions. An employer may prohibit managers, supervisors, human resources employees or any other employee with access to employee wage or compensation information as part of their employment from disclosing such information without the prior written consent of the employee whose compensation information is being requested, unless that information is part of the public record; and
- An employer may not dismiss, threaten, discriminate against or otherwise subject to retaliation an employee for (1) disclosing, discussing or asking about the employee’s salary or the salary of another employee; (2) objecting to any act or practice made illegal by the Act; (3) submitting a complaint or claim under the Act in any forum; or (4) participating in any investigation concerning a violation of the Act.
An aggrieved employee may either bring a private civil action for damages or file an administrative complaint with the Puerto Rico Department of Labor and Human Resources.
Equal Pay: The Evolving Landscape
Equal pay for equal work has been required for many years, but, as of late, this rather static requirement has become the focal point of regulators, state and local governments, and activists. In order to achieve equality in compensation, the efforts are becoming increasingly creative with new pushes for transparency, privacy, and/or disclosures. Financial services firms are often the target and should not only be aware of these innovative measures and requirements but also consider what proactive actions to put in place.
Eliminating Pay Secrecy
The National Labor Relations Board made it clear years ago that “employees” (as defined under the National Labor Relations Act) could not be restricted from discussing the terms and conditions, including compensation, of their employment, based on their rights to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” Yet, many employers continue to have policies or agreements, or informal rules, which restrict employees from doing so. Recently, there has been a concentrated effort to prevent employers from designating employee compensation as “confidential” and/or restricting discussion of it. For example, in connection with the former administration’s determination to eradicate equal pay impediments in the workplace, in a 2014 executive order, then-President Barack Obama prohibited federal contractors from retaliating against employees who talk about their salaries or other compensation information.
A number of states and localities that have been passing their own equal pay laws have been addressing pay secrecy as well. Such states include the following:
- California: The California Fair Pay Act, which became effective as of January 1, 2016, takes pay secrecy head on. It not only restricts policies that prevent employees from discussing their own compensation but also prevents them from prohibiting an employee from disclosing the employee’s own wages, discussing the wages of others, inquiring about another employee’s wages, or aiding or encouraging any other employee to exercise his or her rights under the law.
- Connecticut: Connecticut’s Act Concerning Pay Equity and Fairness (“Connecticut Act”) prohibits an employer from (i) barring employees from disclosing or discussing the amount of his or her wages or the wages of another employee of such employer that have been disclosed voluntarily by such other employee, (ii) inquiring about the wages of another employee of such employer, or (iii) requiring employees to sign documents waiving their rights under the Connecticut Act or taking actions against employees. The Connecticut Act does note, however, that it will not be construed to require any employer or employee to disclose the amount of wages paid to any employee.
- New York: New York State recently enacted the Achieve Pay Equity Act (“APEA”), which modified the existing equal pay law in a number of respects. One particular change bars an employer from prohibiting an employee from “inquiring about, discussing, or disclosing” the employee’s wages or the wages of another employee. However, the APEA specifically provides for limitations. The APEA states that employers may maintain, in a written policy, reasonable workplace and workday limitations on the time, place, and manner for inquiries about, discussion of, or the disclosure of wages. Also, the APEA provides that no employee is required to discuss his or her wages with another employee, and employees who have access to other employees’ wage information as a result of their job duties (e.g., human resources staff) may be limited in the disclosure of such information by their employer.
Prior Compensation: Don’t Ask, Don’t Tell
Another focus of equal pay activists has been on employers’ asking employees for their current pay information to be used in determining their pay rates. Opponents to this practice claim that it perpetuates wage gaps for women that may “follow” women from job to job. Massachusetts is the first state to take the issue head on and prohibit employers from seeking information about applicants’ compensation history in the hiring process. The Massachusetts equal pay law, which becomes effective in 2018, bars employers from asking about an applicant’s salary history on an application or during interviews for employment. Pursuant to the law, after an offer of employment with compensation terms has been negotiated and made, a prospective employer may seek or confirm a prospective employee’s wage or salary history.
Finalization of the “Consideration of Criminal History in Employment Decisions” Regulation by the California Fair Employment and Housing Council
The California Fair Employment and Housing Council (FEHC) has finalized the “Consideration of Criminal History in Employment Decisions” regulation. It is scheduled to take effect on July 1, 2017. The final regulation will impact employers and consumer reporting agencies.
The regulation expands items employers are prohibited from considering. Existing prohibitions include:
- an arrest or detention that did not result in conviction;
- referral to or participation in a pre-trial or post-trial diversion program;
- a conviction that has been judicially dismissed or ordered sealed, expunged or statutorily eradicated pursuant to law;
- arrest, detention, processing, diversion, supervision, adjudication, or court disposition that occurred while a person was subject to the process and jurisdiction of a juvenile court law; and
- certain (emphasis added) marijuana infractions and misdemeanor convictions that are older than two years.
Additionally, any non-felony conviction for possession of marijuana that is older than two years is prohibited from consideration.
Also, the regulation states that if an employer is considering adverse action, prior to taking final adverse action (i.e., during pre-adverse action) the “employer must give the impacted individual notice of the disqualifying conviction and a reasonable opportunity to present evidence that the information is factually inaccurate.” This requires the employer to list the specific criminal conviction(s) that were the disqualifying item(s), which differs from the FCRA. This notice is mandated regardless of whether the employer has a bright line assessment, in which there is a specific policy stating that a certain conviction history automatically disqualifies all candidates, or an individualized assessment, in which the employer considers the criminal background of a candidate in concert with all other aspects of the candidate. The FEHC stated in the regulation that no matter how much or little the past conviction was used to disqualify an applicant, it must be reported. The final regulation requires that employers with bright line policies satisfy the higher burden of showing that an across-the-board disqualification has a direct and specific negative bearing on an individual’s fitness for the specific position. FEHC has scheduled a hearing on March 30 on proposed regulations related to use of criminal background checks in the context of tenant screening.
D.C. – Council Passes Bills To ‘Ban The Box’ For Housing, Bar Employers From Asking About Credit History
The D.C. Council unanimously passed two bills on Tuesday that seek to level the playing field for people applying for jobs and housing whose history, whether credit or criminal, might otherwise preclude them. One of these bills, the Fair Criminal Record Screening for Housing Act of 2016, prohibits landlords from asking about prior convictions before extending a conditional housing offer. It extends the same logic of “ban the box” legislation passed by the council in June 2014, a measure made law in more than 150 jurisdictions that removes the question of criminal history from a job application. The D.C. Office of Human Rights docketed 365 cases in its first year of enforcing the bill.
Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law
In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. Historically, the European Union has also not had a general, non-sectoral data breach notification statute. Uniform data breach notification rules were only established for the telecommunication sector. While some member states enacted broader breach notification legislation, by and large there was far less uniformity in the EU between, and among, member states than existed in the United States.
For full article: http://www.jdsupra.com/legalnews/data-breach-notification-in-the-eu-a-74181/
UK’s GDPR Consent Guidance
On March 2nd, the UK Information Commissioner’s Office released its “Consultation: GDPR Consent Guidance,” which explains the heightened standard for consent under the General Data Protection Regulation (GDPR) and provides guidance for UK businesses and organizations on how to comply with those regulations. The Guidance emphasizes that the GDPR:
- Requires a clear indication of consent that must be unambiguous and involve a clear affirmative action;
- Bans pre-ticked opt-in boxes;
- Requires granular consent for distinct processing operations;
- Requires organizations keep clear records to demonstrate consent; and
- Provides consumers options to withdraw their consent.
LinkedIn Banned from Russia
On March 7th, LinkedIn Corporation announced that it failed to reach an agreement with Russian authorities to allow the social networking website to operate in Russia. In 2016, Russia blocked public access to LinkedIn’s website after it found that the Company was in violation of a Russian data localization law which requires companies holding information on Russian citizens to store it on servers within the Country. LinkedIn refused to move its servers to Russia, but the Company said that it hopes to restore access to Russian consumers in the future.
Mexico’s Data Protection Law
On March 14th, IAPP published an article analyzing Mexico’s new “Federal Law on Data Protection for the Public Sector,” which went into effect Jan. 27th. The new law applies to all parties who handle consumers’ personally identifiable information in the Mexican federal government and sets data protection standards similar to other countries. In addition, the law requires data protection impact assessments and sets requirements for cloud computing.
EU Votes Privacy Shield Inadequate
On March 23rd, the European Parliament’s Civil Liberties, Justice, and Home Affairs Committee (LIBE) passed a resolution declaring the EU-U.S. Privacy Shield to be inadequate. LIBE listed issues for the European Commission to address in its upcoming review of the Privacy Shield. The LIBE concerns about the Privacy Shield include:
- The lack of a definition of “bulk surveillance;”
- U.S. government surveillance techniques by the NSA and the FBI; and
- U.S. government sharing of intelligence with 16 other government agencies without a court order.
Technology Companies’ Concern over Brexit
On March 20th, British ministers met with the leaders of Tech UK and 22 other technology industry associations to discuss concerns over the legal and technical obstacles of data flows with the UK preparing to exit the EU. The UK committed to enforcing the EU’s General Data Protection Regulation (GDPR) but technology companies worry that this may not be enough legal protection. In order to ensure that cross-border data flows continue, the UK will need a ruling from Brussels that its data protection regimes are equivalent to the EU’s. The UK’s 2016 Investigatory Powers Act, which grants the government new surveillance authority, may be a challenge for the UK to satisfy the EU’s data privacy concerns.
Israel’s New Data Security Regulations
On March 21st, the Israeli Parliament passed extensive new data security regulations that set highly-detailed and industry-specific requirements for data protection:
- Security breach reporting notifications to the government and affected consumers;
- Appointments of information security officers in certain organizations;
- Employee data security training; and
- Rotation of passwords every six months.
EU Privacy Rights Resolution
On March 21st, the European Parliament adopted a resolution on the fundamental implications of big data. The resolution emphasizes:
- Prospects and opportunities of big data can only be fully tapped into when public trust in these technologies is ensured by a strong enforcement of EU data protection law;
- Sensitive information about persons can be inferred from non-sensitive data;
- End-to-end encryption, security by design, and the anonymization of data should be encouraged;
- Because big data works with algorithmic systems, it runs the risk of infringing on individual rights and law enforcement should actively work to prevent this; and
- Government databases must be protected from data breaches.
South Africa’s Data Protection Authority
On March 28th, IAPP published an article about the establishment of South Africa’s first data protection authority (DPA). The DPA was created in 2013 under the “Protection of Personal Information Act” (PoPIA Act) but a chairman was not confirmed until late 2016 and the president of South Africa has yet to announce when PoPIA Act will be implemented. Critics are concerned that the DPA will not be allocated sufficient resources to be effective. The DPA will be responsible for protecting consumers’ data by setting privacy regulations as well as promoting access to the Internet. The PoPIA Act was closely modeled after the EU’s General Data Protection Regulation with the intention of creating privacy standards that are compatible with the EU.
Britain – Non-EU Migrants Must Provide Criminal Record Checks Before They Can Get Jobs
Thousands of migrants from outside the EU who want jobs in Britain will have to offer criminal record checks before they are allowed to work from next month. Newly employed nurses, teachers and carers will all have to adhere to the new rules when they come into force, which apply to all jobs involving working with children or vulnerable adults. Currently, skilled migrants are asked to declare they do not have a criminal record but the new rules will demand an overseas criminal record certificate. Failure to do so will be grounds to refuse a visa, the Home Office said.
Expanding Definition of PII
On February 28th, the IAPP published an article analyzing the trend of state and federal regulators to expand the definition of PII by including more data elements subject to privacy protections. In an April 2016 post, the FTC declared data to be personally identifiable “when it can be linked to a particular person, computer, or device.” States have also been expanding their definitions of PII as more data has been used by hackers to harm consumers, with states such as Florida and Nevada adding login credentials to their state definition of personal data. According to the article, the types of data subject to privacy protections will likely continue to expand, with login credentials and biometric data expected to be included in the definition of PII in the future.
Employment Screening Trends
On January 25th, the Society for Human Resource Management (SHRM) published an article entitled, “Know Before You Hire: 2017 Employment Screening Trends.” SHRM predicts that:
- Ban-the-box will become the norm;
- Employers will need to adjust how they evaluate contingent workforce employees;
- Continuous background screening of current employees will increase;
- Social media screening will continue; and
- Big data use in employment screening will be more tightly regulated.
Negative Information Will Be Omitted from Credit Scores
On March 12th, the Consumer Data Industry Association announced that starting on July 1st tax liens and civil judgements will be excluded from credit reports if the data does not include at least the person’s (1) name, (2) address, and (3) social security number and/or date of birth. Most tax liens and civil judgements do not include all of these identifiers, so this is expected to result in less of this information being reported and to boost the FICO credit scores of millions of consumers. Congress, the CFPB, and multiple state attorneys general have been putting pressure on the credit bureaus to improve the accuracy of their credit report information by using better identity-matching criteria and updating records more frequently.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or firstname.lastname@example.org.