State Department Federal Register Notice
On March 30th, the Department of State issued a notice for public comment in the Federal Register regarding a proposal that would allow the Department to collect visa applicants’ social media identifiers. The Department seeks to “add several additional questions for immigrant visa applicants” to the visa application, including requiring applicants to provide any identifiers used within the last five years for “identity resolution and vetting purposes.” In addition, other questions “seek five years of previously used telephone numbers, email addresses, and international travel; all prior immigration violations; and whether specified family members have been involved in terrorist activities.” The public comment period ends May 29th.
Tax Related Identity-Theft
On April 3rd, the FTC announced that it, along with the Internal Revenue Service (IRS), launched a new initiative that will allow consumers to report identity theft to the IRS through the FTC’s IdentityTheft.gov website. The website allows consumers to report identity theft, obtain a personal recovery plan, and receive an Identity Theft Report to be used to help clear their credit reports of fraudulent information. IdentityTheft.gov will be the only website where consumers can submit an IRS Form 14039 electronically, instead of faxing or mailing it.
New E-Verify Website
U.S. Citizenship and Immigration Services (USCIS) launched a new E-Verify website (https://www.e-verify.gov/). E-Verify is a web-based system that allows enrolled employers to confirm the eligibility of their employees to work in the United States. E-Verify employers verify the identity and employment eligibility of newly hired employees by electronically matching information provided by employees on the Form I-9, Employment Eligibility Verification, against records available to the Social Security Administration (SSA) and the Department of Homeland Security (DHS).
FTC Expands Uber Settlement
On April 12th, the FTC announced that Uber agreed to expand its proposed settlement after the FTC found that the Company allegedly committed additional privacy violations. According to the original complaint, in 2014 Uber falsely claimed that it monitored employees’ access to rider and driver data and that it maintained adequate data security measures to protect personal information stored on a third-party’s cloud server. In the revised settlement, the FTC alleged that the Company failed to disclose a 2016 data breach in a timely fashion that compromised users’ and drivers’ personal information contained on a third-party’s cloud server. The server contained “more than 25 million names and email addresses, 22 million names and mobile phone numbers, and 600,000 names and driver’s license numbers of U.S. Uber drivers and riders.” In addition, Uber paid the hackers $100,000 to destroy the information through its bug-bounty program. Under the new proposed settlement, Uber must:
- Establish and implement a privacy program that is designed to address privacy risks and protect users’ and drivers’ personal information;
- Submit to the FTC all reports from the required third-party audits of its privacy program instead of only the initial report; and
- Disclose certain future incidents involving personal data.
Frito-Lay Will Pay 2.4 Million to Settle Background Check Class Action Lawsuit
Frito-Lay Inc., a subsidiary of PepsiCo Inc., has agreed to pay $2.4 million to settle a class action lawsuit alleging that the company violated the Fair Credit Reporting Act by using consumer credit reports when they conducted background checks as part of a hiring process without properly disclosing this practice to the job applicant. Plaintiff Marcus Chism, a former Frito-Lay employee, requested preliminary approval of the settlement on Friday from a California federal judge. This settlement will end his Frito-Lay class action lawsuit that claimed the company unlawfully failed to disclose the fact that they incorporated consumer reports into the background checks they run on job applicants. The Frito-Lay FCRA class action lawsuit implicates PepsiCo, Frito-Lay, and First Advantage Background Services Corp., the company Frito-Lay used to conduct the background checks on its employees. Allegedly, to comply with the FCRA, the company should have provided applicants and employees with a stand-alone disclosure of the practice. According to Chism, such a disclosure is required by state and federal law. Chism argues that the company did not take this action, and instead, put the disclosure in a general document that each individual subjected to a background check was required to sign. Allegedly, this document contained the disclosure as well as information on having his documents photocopied, and an assurance that his responses to information requested was correct. According to Chism, the document contained the phrase “I have been given a stand-alone, consumer notification that a report will be requested and used for the purpose of evaluating me for employment or retention as an employee.” He says that this statement was not true, and that in accordance with the FCRA, this statement was improperly included in this general document.
Target Settles Suit Over Asking Job Applicants About Criminal Records
Target reached a $3.74 million settlement in a class-action suit Thursday that alleged the retail giant’s hiring process unfairly discriminated against African Americans and Latinos. The lawsuit, which was filed by the NAACP Legal Defense Fund and two individuals on behalf of a group of job applicants, said the retail giant has used hiring policies that “exclude applicants with arrest or irrelevant conviction records from obtaining employment opportunities” and the process has “a disparate impact on African Americans and Latinos.” The NAACP Legal Defense Fund alleged that Target asked broad and outdated questions about job applicants’ criminal histories, even if the crimes were not related to the job they sought. “Target’s background check policy was out of step with best practices and harmful to many qualified applicants who deserved a fair shot at a good job,” said Sherrilyn Ifill, the president of the NAACP Legal Defense Fund. “Criminal background information can be a legitimate tool for screening job applicants, but only when appropriately linked to relevant questions such as how long ago the offense occurred and whether it was a non-violent or misdemeanor offense,” she added. Target said in a statement Thursday that it, along with a number of other major employers, began requiring job applicants to answer a question about their criminal history about a decade ago. “Since then, we’ve revised our hiring practices, removing the criminal history question from our employment application nationwide,” the company said. Target says it now only asks about criminal history in the “final stages” of the interview process. “We exclude applicants whose criminal histories could pose a risk to our guests,” and applicants “are given an opportunity to explain their criminal history and provide information about the circumstances, mitigating factors, good conduct and rehabilitation,” the statement reads. People covered by the lawsuit’s class definition will be able to seek jobs at Target or potentially obtain a cash reward under the settlement, according to the settlement. The complaint states the class includes “all African American and Latino applicants who sought employment with Target from 2006 through the present and were denied employment based on application of Target’s Adjudication Guidelines and/or review by Target’s Screening Team.”
Petco Background Check Settlement
On April 24th, TopClassActions reported that Petco and two applicants are seeking preliminary approval of a $1.2 million settlement to resolve allegations that the Company’s background screening policies are unlawful. The plaintiffs alleged that Petco violated the Fair Credit Reporting Act by not adequately informing job applicants in a stand-alone disclosure that the Company would conduct background screenings. Petco argued that the complaint was “full of vague, closure allegations without any merit or substance” and that plaintiffs failed to establish a concrete injury. In addition, one of the plaintiffs claimed that Petco failed to tell her the reason for denying her employment.
The case is Jacklyn Feist, et al. v. Petco Animal Supplies Inc., et al., Case No. 3:16-cv-01369-H-RNB, in the U.S. District Court for the Southern District of California.
Salary Court Case
On U.S. Court of Appeals for the Ninth Circuit ruled that employers cannot pay women less than men for the same work based on previous salaries, reversing the Court’s previous ruling. According to the Court, paying women less than men allows employers to “capitalize on the persistence of the wage gap.” Plaintiff Aileen Rizo sued the Fresno County Office of Education after discovering that a male employee was making more money than her but had less education and experience.
District Court Finds Job Applicant Has No Standing to Bring FCRA Adverse Action Claim Because Background Check was Accurate
Under the Fair Credit Reporting Act, when a potential employer is considering using a background check to deny an applicant employment, the employer must follow a prescribed adverse action process. For qualifying transportation employers, this means the employer must provide the applicant with a notice of adverse action within three days of the final adverse decision. The District Court for the Northern District of Illinois, however, recently confirmed that even if an employer fails to follow the proper procedure, an applicant may not have standing to bring an adverse action claim if the background check at issue is accurate. This could be a significant decision for employers facing adverse action claims from applicants who indisputably have a disqualifying conviction in their background. Specifically, in Ratliff v. A&R Logistics, Inc., plaintiff Jerome Ratliff, Jr. claimed that A&R Logistics declined to hire him based on his background check without following a proper adverse action process. In response, A&R Logistics moved to dismiss the complaint on the ground that Ratliff had not suffered any injury-in-fact stemming from the alleged violation and, therefore, had no standing. According to A&R Logistics, Ratliff could not show any injury-in-fact because the background check at issue was accurate. The Court conducted its standing analysis in two parts. It first considered whether Ratliff had suffered an “informational injury” that could satisfy the injury-in-fact requirement for standing. The Court found that a plaintiff could show “informational injury” if a third party was disseminating inaccurate information about him or her that could cause concrete harm. However, because Ratliff failed to allege that the background check on him contained any inaccuracies, he could not show any “informational injury.” Effectively, Ratliff could not show that he suffered any appreciable “real life” injury by not receiving a copy of his accurate background check. The Court also considered whether the failure to provide Ratliff with a background check constituted an “invasion of privacy” sufficient to demonstrate injury-in-fact. The Court quickly disposed of that argument. In the Court’s view, the FCRA’s adverse action provision is not designed to protect consumer privacy. As a result, Ratliff could not show that the statutory violation at issue constituted a privacy invasion sufficient to support an injury-in-fact. Ultimately, the Court’s decision in Ratliff follows a reasonable approach to injury-in-fact analysis that is rooted in the Supreme Court’s Spokeo decision. Simply stated, the violation of a statute alone does not constitute an injury-in-fact for standing purposes without an accompanying real-world injury.
Supreme Court Vacates Microsoft Case
On April 17th, the Supreme Court vacated and declared moot Microsoft’s case against the Department of Justice that addressed the validity of search warrants requesting data from servers overseas (previously reported). The decision was due to the recent enactment of the “Clarifying Lawful Overseas Use of Data Act,” which allows judges to issue warrants for data held on servers in other countries. The case is United States v. Microsoft Corp., Case No: 17-2 in the Supreme Court of the United States
Attorneys General Coalition to Protect Consumers
On February 8th, a bipartisan coalition of 16 state attorneys general filed an amicus brief urging the Supreme Court to protect consumers from unfair class action settlements in which the consumer receives none of the settlement proceeds. Google settled a consumer privacy case for $8.5 million, but the money will be diverted to counsel and various organizations not affected by the lawsuit. The brief asked the Supreme Court to set limits on such settlements so that affected consumers can receive a portion of the restitution. The case is Frank et al. v. Gaos, et al., Case No: 17-961 in the Supreme Court of the United States.
Consumer Reports Publisher Settles Privacy Lawsuit
On April 9th, Reuters reported that Consumers Union (CU), the publisher of Consumer Reports magazine, reached a $16.375 million settlement for allegedly violating Michigan privacy law. The lawsuit claimed that CU sold customers’ subscription histories and reading habits to data mining companies in exchange for demographic information—including age, race, income level, and political affiliation. The exchanged data allowed CU to create “enhanced” customer profiles for sale to third parties without customers’ consent. The case is Ruppel v. Consumers Union.
Medical Marijuana and the Illinois Workplace
There are roughly 30,000 people with medical marijuana registry identification cards in Illinois, and marijuana dispensaries are becoming a more common sight. As the popularity of this treatment continues to grow, contractors are more likely to be faced with hiring and disciplinary decisions involving employees using marijuana. As such, contractors may want to take care to understand the legal landscape governing these decisions. Under Illinois law, an employer may not refuse to hire a candidate or discharge an employee based on the fact that the individual possesses a medical marijuana card. For this reason, during the hiring process, employers may not want to ask a candidate whether he or she has a medical marijuana card. If an employer enquires about medical marijuana use during the interview process, the employer could be accused of requesting health-related information in formulating a decision not to hire. Employers often discover a candidate has a medical marijuana card as part of the drug-screening process. Sometimes a candidate, prior to submitting to a drug screen, will divulge the existence of a medical marijuana card in an effort to explain an anticipated failure. In other cases, the candidate may not mention his or her medical marijuana card until confronted with a failed screening. In most cases, provided that the candidate has a valid medical marijuana card, the employer cannot refuse to hire the candidate for failing the screening or failing to mention the license. If a candidate who holds a valid card attempts to circumvent the drug-screening process (for example, by bringing with him or her an old urine sample or one that belonged to another person), a contractor may refuse to hire the candidate based on that fraudulent conduct. If circumvention is suspected or determined, a contractor would be well served to obtain as much supporting information from the testing lab as possible, including witness statements/narratives and copies of the candidate’s test results. A contractor is within its rights under Illinois law to implement a drug-free job site policy that prohibits employees with medical marijuana cards from consuming marijuana and/or being impaired during working hours, and the contractor can discipline violating employees accordingly. An employee who tests positive must be given an opportunity to prove he or she did not consume marijuana and/or was not impaired during working hours before discipline may be administered. Additionally, a contractor may discipline or refuse to hire an individual with a medical marijuana card for failing a drug test if the contractor risks losing a federal contract or federal funding.
Washington’s Pay Equity Update Prohibits Wage Secrecy Policies, Ensures Equity in Advancement Opportunities
On March 21, 2018, Governor Jay Inslee signed the Equal Pay Opportunity Act (EPOA) into law, updating Washington’s 1943 Equal Pay Act. The 1943 Equal Pay Act created a private right of action for women who are paid less than similarly employed men because of their sex. This is the fourth year in a row the Washington legislature has considered updates to the 1943 act, which has not been modified since it was originally passed. This year, however, the EPOA gained traction and passed the Washington State House of Representatives and the Washington State Senate. The EPOA amends the existing private cause of action for pay equity complaints, prohibits wage secrecy policies, provides an administrative remedy, prohibits gender-based barriers to career development opportunities, and prohibits employer retaliation for complaints of unequal pay or other protected conduct. Further, the EPOA updates language from “sex” to “gender,” consistent with Washington’s other anti-discrimination laws.
Private Cause of Action and Defense
The EPOA retains a private cause of action, which is substantively the same as that of the 1943 act; employers may not discriminate in compensation based on gender between “similarly employed” employees. While the original act allowed an employer to assert a “good faith” defense, the updated EPOA goes further and lists the factors a court may consider in an employer’s “good faith” defense. “Good faith” factors include, but are not limited to, business necessity education, training, experience, seniority, merit, and regional differences. An employee may recover reasonable attorneys’ fees in a successful private action.
The EPOA tasks the Washington State Department of Labor and Industries with administratively enforcing the EPOA. The Department’s enforcement powers include investigating employee complaints by reviewing testimony or documentary evidence. The Department may also award damages up to $5,000 and/or assess a civil penalty up to $1,000.
The EPOA prohibits an employer from using wage secrecy measures. This change is likely to affect many employers’ existing policies and employment contracts. The EPOA prohibits an employer from requiring nondisclosure of wages as a condition of employment or requiring employees to contractually agree to nondisclosure. Further, an employer may not discharge or retaliate against employees who discuss or compare wage information. Employers are not required to disclose others’ wage information to an inquiring employee, and management employees with access to wage information are only required to disclose such information in response to a complaint, charge, or as otherwise required by an applicable legal duty. The EPOA leaves open questions, such as whether an employer may prohibit an employee from disclosure of wages outside of the company, e.g., to a competitor.
The EPOA also broadens pay equity to prohibit employers from limiting or depriving career advancement opportunities based on gender. The EPOA does not list specific illegal actions, but draft versions of the bill made it illegal to (a) fail to announce or provide access to opportunities based on gender and (b) fail to provide training based on gender. Although this language was removed in the final version, the prohibitions are instructive and certainly fall under the more general “limit or deprive an employee of career advancement opportunities” based on gender standard.
The law goes into effect on June 7, 2018. Employers should promptly review their wage secrecy and compensation policies to come into compliance.
Massachusetts Recreational Pot Regulations Offer Little Guidance to Employers
On March 9, 2018, the Massachusetts Cannabis Control Commission (“CCC”) filed its much-anticipated recreational marijuana Regulations with the Massachusetts Secretary of State. According to the CCC, the Regulations are on track to be published in the Massachusetts Register on March 23, 2018. The Regulations will become effective upon publication. While the Regulations are comprehensive in many ways, for most employers the Regulations are most notable for what they lack, namely guidance regarding employer-employee rights and responsibilities.
Link to the CCC’s website, where the final Regulations are available under the “Public Documents” tab can be found at https://mass-cannabis-control.com/. The Regulations will also be located in the Code of Massachusetts Regulations at 935 CMR 500.000, et seq.
What the Regulations Include
The copy of the final Regulations available at the CCC’s web site consists of 102 pages. It reflects hard work, thoughtfulness, and input from a variety of stakeholders and experts. Presumably by design, the Regulations focus heavily on licensing, manufacturing and sales, operations, and safety. For example, the regulations detail how Marijuana Establishments (which include marijuana cultivators, manufacturers, retailers, and transporters, among others) must:
- undergo a rigorous application and qualification process;
- pay varying application and annual license fees;
- apply for registration with the CCC for all of their directors, executives, managers, employees, and volunteers;
- refrain from delivering marijuana products to consumers or allowing consumer consumption of marijuana on-site;
- implement written operating procedures, including procedures regarding safety and sanitation;
- package, label and transport marijuana responsibly;
- train employees;
- market and advertise responsibly, without appealing to individuals under the age of 21;
- sell marijuana in certain limited amounts per transaction;
- retain certain detailed records; and
- allow CCC investigations and inspections.
What the Regulations Lack
Absent from the Regulations is any specific, concrete guidance to most employers regarding employer-employee rights and obligations around recreational marijuana use. Indeed, for employers who are not also Marijuana Establishments, the Regulations provide little clarification regarding the recreational marijuana law’s implications. Readers may recall from our November 14, 2016 client alert about the Massachusetts recreational marijuana use law (available here) that the law states that it “shall not require an employer to permit or accommodate conduct otherwise allowed by this chapter in the workplace and shall not affect the authority of employers to enact and enforce workplace policies restricting the consumption of marijuana by employees.” This language means that employers do not have to permit employee use of marijuana at work or while working. But the Regulations–like the recreational use law itself–says nothing about employer-employee rights or obligations regarding off-site and off-duty employee use of recreational marijuana. The Regulations do not state that:
- employers must allow off-site or off-duty employee use of recreational marijuana;
- employers cannot fire (or refuse to hire) someone because of recreational marijuana use;
- employees or applicants can sue employers who take adverse action against them because of recreational marijuana use; or
- employers are subject to penalties for taking adverse action against employees or applicants because of recreational marijuana use.
In fact, the word “employers” appears once in the Regulations in the text of the following statement: “Nothing in [the Regulations] shall be construed to limit the applicability of other law as it pertains to the rights of…employers…except as otherwise provided in [the Regulations].” Of course, employers must be careful to distinguish between the Massachusetts recreational marijuana use law and the Massachusetts medical marijuana use law. The Massachusetts Supreme Judicial Court ruled that, as a result of the Massachusetts medical marijuana use law, certain employers may have to accommodate employees’ disabilities by permitting off-site and off-duty use of medical marijuana.
Iowa Amends Tough Drug Testing Law to Lower Standard for Positive Alcohol Tests
Beginning July 1, 2018, private employers in Iowa may take action based on an employee’s alcohol test result of .02 grams of alcohol per two hundred ten liters of breath. The lower standard was enacted under a 2018 amendment to the Iowa drug testing law (Iowa Code Section 730.5). Prior to the amendment, employers could not take action for alcohol test results below .04 Blood Alcohol Concentration (BAC).
In addition, the law was amended effective July 1, 2017, to permit hair follicle testing only for pre-employment drug testing purposes. Prior to the passage of this amendment, Iowa allowed only private sector testing for drugs through urine, blood, and oral fluid. Iowa’s 30-year-old drug testing statute is considered one of the most difficult laws in the country for employer compliance. It contains specific and detailed drug testing procedures and safeguards that, if not carefully followed, limits employers’ ability to legally discipline or fire an employee based upon a drug or alcohol test. The Iowa law includes provisions on permissible types of tests, written notice requirements, rehabilitation for positive alcohol test results, split-specimen testing, and mandatory supervisor training, among other things. Available remedies under the statute include reinstatement, back pay, and equitable relief such as attorneys’ fees. Employers easily can violate the technical aspects of the law. For example, in 2012, the Iowa Court of Appeals held that an employer violated the statute when it provided an employee with a hand-delivered notice of her positive test results instead of sending it by certified mail, as required by the statute. See Skipton v. S&J Tube, Inc., 822 N.W.2d 122 (Iowa Ct. App. 2012). The notice also omitted the cost of a confirmatory re-test.
Since October 2017, at least five new lawsuits have been filed alleging violations of the Iowa drug testing law. Some of these lawsuits have alleged claims for wrongful discharge in violation of public policy, based on the alleged violation of the drug testing statute. This is significant because the Iowa Supreme Court has held that punitive damages may be awarded in wrongful discharge cases. See Jasper v. H. Nizam, Inc.,764 N.W.2d 751 (Iowa 2009). At least some courts have been receptive to this argument in the drug testing context. In a case before the Iowa District Court for Delaware County, the employer conceded violating the drug testing statute but argued that the drug testing statute was the exclusive remedy. The court disagreed and granted summary judgment to the plaintiff on her wrongful discharge claim. See Ferguson v. Sanders, et al., No. LACV008271 (Jan. 17, 2018). A jury later awarded the plaintiff $57,606 in damages, including $12,000 in pain and suffering. Employers that conduct drug testing in Iowa should ensure their policy complies with the amended law.
San Francisco Amends “Fair Chance Ordinance” to Align with Portions of California’s New Statewide Ban-the-Box Law
On April 3, 2018, San Francisco amended its Fair Chance Ordinance to align, in some respects with, California’s new ban-the-box law. San Francisco employers with more than five employees still must be mindful of the Ordinance’s provisions that go beyond the broader state law. California’s statewide ban-the-box law (AB 1008) went into effect on January 1, 2018. That law requires employers with five or more employees (subject to few exceptions) to:
- wait until after a conditional offer of employment is made to inquire about an applicant’s criminal history, which means asking the applicant directly whether the applicant have been convicted of a crime, ordering a criminal history background check, or making any other inquiry about an applicant’s criminal history;
- conduct an individualized assessment of an applicant’s conviction to determine whether it has a “direct and adverse relationship with the specific duties of the job that justify denying the applicant the position”;
- notify the applicant of any potential adverse action based on the conviction history, which must, among other things, identify the conviction at issue, include a copy of any conviction history report (regardless of the source), and state the deadline for the applicant to provide additional information, such as evidence of inaccuracy, rehabilitation or other mitigating circumstances; and
- after waiting the requisite time period, notify the applicant of any final adverse action, which must, among other things, describe any existing procedure the employer has to challenge the decision or request reconsideration and notify the applicant of the right to file a complaint with the Department of Fair Employment and Housing.
Los Angeles and San Francisco have their own ban-the-box laws. In some respects, both provide stronger protections to job applicants, especially Los Angeles. However, in some ways, California’s new law protects job applicants more favorably than does San Francisco. Because of this, on April 3, 2018, the City and County of San Francisco Board of Supervisors approved amendments to its Fair Chance Ordinance (Article 49) to align with the California law (in some respects). The amendments are effective October 1, 2018.
The Board amended the San Francisco Fair Chance Ordinance in the following ways:
- It reduced the number of employees needed to qualify as a covered employer from twenty to five (the same number required to qualify for coverage under California’s law).
- Although the original version of the Ordinance allowed employers to inquire about criminal history after either a live interview or a conditional offer, the Ordinance now requires that, consistent with California law, covered employers wait until after a conditional offer of employment is made to make any such inquiry.
- For any violations occurring after the effective date of the amended Ordinance (October 1, 2018), employers are subject to increased penalties for non-compliance: $500 for the first violation; $1,000 for the second violation; and $2,000 for any subsequent violations (under the initial Ordinance, the maximum penalty was $50). If more than one applicant or employee is impacted by an alleged violation, the penalties apply to each employee or applicant.
- The initial Ordinance granted to the Office of Labor Standards Enforcement (“OLSE”) the right to file a civil action against an employer to recover any legal or equitable relief that may be appropriate to remedy the violation, including, but not limited to, reinstatement, back pay and attorney’s fees and costs. The amended Ordinance now grants that same right to file a civil action to aggrieved individuals, provided that he or she files a complaint with the OLSE and exhausts their administrative remedies.
In some respects, however, San Francisco’s Ordinance provides greater protections to job applicants than does California law. Subject to very few exceptions, all California employers are prohibited from considering certain types of criminal history information, including arrests that did not lead to a conviction, juvenile records, non-felony marijuana convictions that are older than two years, and diversions or deferrals. San Francisco, however, currently goes beyond this by barring covered employers from considering convictions that are more than seven years old (measured from the date of sentencing) and infractions. The Board further amended the Ordinance to add a new category of “off limits” information: “A conviction that arises out of conduct that has been decriminalized since the date of the Conviction,” measured from the date of sentencing. The amendment provides examples of such convictions to include those for certain marijuana and cannabis offenses. San Francisco employers will now have to evaluate any potentially disqualifying conviction to determine whether the charge at issue was decriminalized post-conviction.
Alabama Is Final State to Enact Data Breach Notice Law
Alabama will require companies hit with a data breach to notify impacted state residents, subject to civil penalties of no more than $500,000, under a state law that takes effect May 1. Gov. Kay Ivey (R) signed S.B. 318 on March 28, making Alabama the last state to enact a data breach notification law. South Dakota’s governor signed a similar bill a week earlier. In general, S.B. 318, enacted as Act No. 2018-396, would require companies that experience a data breach to notify affected state residents within 45 days, with some exceptions. The state attorney general and consumer credit reporting agencies would have to be notified if more than 1,000 individuals are impacted. Personal information, the breach of which can trigger the duty to notify, includes an Alabama resident’s first name or first initial and last name, in combination with one other identifier, such as his or her Social Security number, tax identification number, driver’s license number, financial account number, or physical or mental health history, Personal information does not include data that is encrypted. The law requires companies and third-party agents with access to sensitive information to implement and maintain reasonable security to protect the information. Companies must provide direct notice by mail or email to affected consumers. The new law bars private lawsuits for failure to give notice but authorizes the state attorney general to seek civil penalties, capped at $500,000, under the Alabama Deceptive Trade Practices Act. Notification may be delayed if a federal or state law enforcement agency decides that it would interfere with a criminal investigation or national security. Companies that follow the notice requirements under federal data breach laws or regulations would be exempt from the Alabama law, but would have to inform the state attorney general about notifications to more than 1,000 people. Companies would also be exempt if they follow another state’s breach notification law, as long as the other state’s notice requirements are “at least as thorough” as the Alabama law.
Michigan Bans the Ban: New Law Stops Local Government Regulations on Employer Inquiries
On March 26, 2018, Governor Rick Snyder signed an amendment to Michigan’s Local Government Labor Regulatory Limitation Act into law. Public Act 84 (2018) prohibits local government bodies from adopting or enforcing any local policy, resolution, or ordinance that regulates what a prospective employer must request, require, or exclude during the interview process or on an application for employment.
Multiple States Update Security Freeze Legislation
On March 23, the Governor of Tennessee signed HB 1486, which prohibits credit reporting agencies from charging a fee to a consumer for the placement or removal of a security freeze if the need to place or remove the security freeze was caused by the credit reporting agency. Tennessee already prohibited charging a fee for a security freeze if the consumer is a victim of identity theft and presents a copy of a police report (or other official documentation) to the credit reporting agency at the time of the request. Under Section 47-18-2108 of the Tennessee Code Annotated, the state still allows charging a fee of up to seven dollars and fifty cents for all other placements of a security freeze and up to five dollars to permanently remove a security freeze. HB 1486 is effective immediately.
On March 20, the Governor of Idaho signed SB 1265, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the first placement of a security freeze and for the first temporary lift of a security freeze during a twelve-month period. The law allows for a fee of up to six dollars for the second placement or temporary lift within a twelve-month period. SB 1265 still allows for a fee of up to $10.00 for the reissuance of a personal identification number or password. The legislation is effective July 1.
Florida Prohibits Fees for Security Freezes
On March 21, the Florida governor signed HB 953, which prohibits credit reporting agencies from charging any fee to consumers or their representatives for “placing, removing, or temporarily lifting” security freezes on a credit report. Previously the state allowed for a fee of up to $10 to use the service. HB 953 still allows a consumer reporting agency to charge a fee of up to $10 for replacing or reissuing a personal identification number or password. The legislation is effective July 1.
Pay Equity and Equal Pay Day: A Short Primer on Bans on Salary History Inquiries
Pay equity legislation is burgeoning: in 2017, several jurisdictions—including Albany, New York City, California, San Francisco, Massachusetts, Delaware, Philadelphia and Oregon—approved bans on salary history inquiries. The ostensible purpose of these laws is to prevent the continuation of pay disparities that may have affected female applicants in their work experiences prior to seeking employment with a new company. In addition, on April 9, 2018, the Ninth Circuit Court of Appeals issued an en banc decision in Rizo v. Yovino, holding that prior salary does not qualify as a “factor other than sex” to justify a pay difference under the Equal Pay Act—appearing to support the thinking behind the salary history bans. With these new laws and legal developments, employers will be facing new challenges in developing policies and procedures that comply with these laws—that vary from jurisdiction to jurisdiction—while making good business decisions with respect to starting compensation for newly hired employees. In addition, many of the new pay equity laws provide greater protections for applicants and employees with respect to pay disparities and place greater burdens on employers to prove that their pay decisions are fair and grounded on legitimate justifications.
Amendment to AZ Data Breach Law
Arizona enacted H.B. 2154, which would make amendments to the state’s data breach notification law, including expanding the definition of “personal information” requiring notice within 45 days of an identified data breach; and requiring notice to the Attorney General if a breach involves more than 1,000 individuals.
Massachusetts Adjusts Limits on Employer Inquiries into Job Applicants’ Criminal History
A provision in the Massachusetts criminal justice reform law signed by Governor Charlie Baker amends the state’s restrictions on the questions employers may ask a job applicant regarding the applicant’s criminal history during the hiring process. The new restrictions include an adjusted limitation on asking about misdemeanor convictions and a bar on asking about sealed or expunged criminal records.
The new restrictions go into effect on October 13, 2018, six months after April 13, 2018, the date Governor Baker signed the measure. In 2010, Massachusetts became the second state in the nation (Hawaii was the first) to ban both public and private employers from requesting criminal record information on initial job applications. The Massachusetts “ban the box” provision was part of legislation enacted to reform the state’s criminal offender record information system. For more on this, see https://www.jacksonlewis.com/resources-publication/criminal-background-checks-what-employers-need-know-about-massachusetts-new-cori-law. Under Massachusetts law, employers are prohibited from asking for information about an applicant’s criminal history on an “initial written employment application” (this is referred to as the “ban the box” provision).
After the “initial written employment application,” Massachusetts employers are still restricted on the types of criminal history questions they may ask applicants. Massachusetts employers may not ask for information about the following types of criminal history:
- An arrest, detention, or disposition regarding any violation of law in which no conviction resulted;
- A first offense for any of the following misdemeanors: drunkenness, simple assault, speeding, minor traffic violations, affray, or disturbance of the peace; and
- Any conviction of a misdemeanor where the date of conviction, or the completion of any period of incarceration resulting therefrom, occurred five or more years prior to the date of the application, unless such person has been convicted of any offense within the preceding five-year period.
Because these restrictions on criminal history questions are so specific, many employers use special, custom forms that describe these restrictions when asking permissible criminal history questions at a later date in the application process. The new law changes the restrictions in two important ways. First, the law adjusts the timeframes related to when an employer may seek information on a misdemeanor conviction. The new law states that employers may not ask for information about misdemeanor convictions (or incarcerations resulting therefrom) that occurred three or more years prior to the date of the employment application unless the person has been convicted of any offense within the preceding three years. This has been reduced from the preceding five-year period. Second, the law prohibits employers from asking applicants for information about a criminal record that has been sealed or expunged.
Ban the Box City Developments
On April 9th, Westchester County in New York enacted the “Fair Chance to Work” Executive Order, which prohibits the County from inquiring about job applicants’ criminal history during the initial application process. However, employers are still allowed to conduct background checks following the submission of an application, but inquiries about applicants’ criminal histories will be held until after the submission of a job application.
Another State Moves to Ban Salary History Inquiries by Prospective Employers
The focus on the pay gap continues, this time in the New York State legislature. On the heels of the Ninth Circuit’s decision in Rizo v. Yovino regarding the use of prior pay to explain pay discrepancies under the Equal Pay Act, New York Governor Andrew Cuomo last week introduced a bill that would amend the New York Human Rights Law (“NYHRL”) to make it unlawful for an employer or employment agency to “rely on, or inquire about, the salary history information” of an applicant when determining whether to hire the applicant or what amount of compensation to offer. This proposed legislation is similar to New York City’s Salary History Ban, which went into effect on October 31, 2017. Neither the New York City law nor the proposed state law preclude an employer’s use of such information if an applicant voluntarily, and without prompting, discloses his or her salary history information. Further, both the proposed state law and the city law permit discussions with an applicant about his or her expectations with respect to salary, benefits, and other compensation, so long as the employer specifically refrains from inquiring about the applicant’s salary history. Still, as the Ninth Circuit’s decision in Rizo suggests, using prior pay to set compensation may still pose legal risks if later gender pay discrepancies are not explained by other variables. We cannot predict whether this proposed legislation will pass in its current form but based on the trends from the legislatures and in the courts, we expect that some version of the bill will become law in New York.
New Jersey Governor Signs Pay Equity Bill into Law
New Jersey’s Diane B. Allen Equal Pay Act will take effect on July 1, 2018. The new law contains sweeping changes to the New Jersey Law Against Discrimination (LAD), such as a prohibition against discrimination with respect to compensation or financial terms of employment, a six-year statute of limitations, and treble damages for violators. Governor Phil Murphy signed the Act into law on April 24, 2018. (For details of the Act, see https://www.jacksonlewis.com/publication/double-take-new-jersey-governor-poised-enact-equal-pay-act)
New York Mandates Sexual-Harassment Prevention Requirements for Private Employers
This month both the State of New York and New York City have passed separate legislation designed to prevent sexual harassment in the workplace. Both laws require employers to conduct mandatory sexual harassment training for all employees.
On April 10, 2018, Governor Cuomo signed the Budget Bill, which contains a mandate for employers in the State of New York designed to prevent future sexual harassment in the workplace. Employers are required to begin complying with the training requirement beginning October 7, 2018. Training must be interactive and include (1) an explanation of what constitutes sexual harassment, (2) examples of conduct that would constitute unlawful harassment, (3) information on state and federal laws concerning sexual harassment and remedies available to victims, and (4) information on employees’ rights and all available forums for adjudicating complaints administratively and judicially.
Employers must also implement a policy on sexual harassment by October 7, 2018. The requirements for the policy go beyond what employers typically include by requiring inclusion of the following:
- Prohibit sexual harassment and provide examples of conduct that would constitute unlawful sexual harassment.
- Include information concerning the federal and state laws concerning sexual harassment, the remedies available to harassment victims, and a statement that there may be applicable local laws.
- Include a standard complaint form and procedure for a timely and confidential investigation of complaints.
- Inform employees of their rights of redress and all available forums for adjudicating sexual harassment complaints administratively and judicially.
- State that sexual harassment is considered a form of employee misconduct and that sanctions will be enforced against individuals engaging in sexual harassment and against supervisory and managerial personnel who knowingly allow such behavior to continue.
- State that retaliation against individuals who complain of sexual harassment or who testify or assist in any proceeding under the law is unlawful.
The New York Department of Labor will publish sample sexual harassment policies and computerized training which employers will be able to implement to comply with these requirements. The New York law also includes several other measures to combat sexual harassment, including:
- Effective immediately, allowing non-employees, including contractors, subcontractors, vendors, consultants or other individuals providing services under a contract in the workplace to sue for “employers” for sexual harassment in the workplace.
- Effective July 11, 2018, prohibiting nondisclosure clauses in agreements to settle claims relating to sexual harassment, unless the complaining party desires confidentiality and is provided 21 days to consider any such clause and a 7-day revocation period.
- Also, effective July 11, 2018, prohibiting mandatory arbitration for sexual harassment claims, unless such arbitration clauses are contained in collective bargaining agreements.
- Effective January 1, 2019, requiring entities bidding on state contracts to affirm that they have a written sexual harassment policy and that they provide annual sexual harassment training to their employees.
On April 11, 2018, the New York City Council passed 11 separate bills called the “Stop Sexual Harassment in NYC Act” designed to provide greater protections to prevent workplace sexual harassment. Generally, the New York City Human Rights Law (NYCHRL) covers employers with four or more employees; however, all New York City employers will be subject to the NYCHRL with respect to sexual harassment claims. Effective April 1, 2019, the Act requires all private employer in NYC with more than 15 people on its payroll to provide annual interactive anti-sexual harassment training. The annual training requirement may be included as part of a broader anti-discrimination training and needs to include:
- An explanation of sexual harassment as a form of unlawful discrimination under local law;
- A statement that sexual harassment is a form of unlawful discrimination under federal and state law;
- A description of what sexual harassment is;
- The internal complaint process available to employees within such agency;
- The complaint process available through the commission on human rights, the division of human rights and the United State equal employment opportunity commission, including contact information;
- The prohibition of retaliation, pursuant to federal, state and local law and the internal complaint process, and examples thereof; and
- Information concerning bystander intervention, including but not limited to any resources that explain how to engage in bystander intervention.
New employees must complete training within 90 days of employment, but new employees can carry training over from one employer to another. Employers will need to keep a record of all trainings, including a signed employee acknowledgment (signature can be electronic) for three years. The commission is responsible for developing an online training module that will be made public at no cost to satisfy the training requirement. Employers can use these model training programs or implement their own training program as long as they are equal to or exceed those required by the City Commission.
The Act also requires every employer to conspicuously display an anti-sexual harassment rights and responsibilities poster designed by the commission, in both English and Spanish. Additionally, the Act expands the statute of limitations to allow employees up to three years to file sexual harassment claims with either the NYCHRC or in court. The city law, which will take effect on April 1, 2019, is presently with Mayor Bill De Blasio for signature.
What can employers do with regard to background checks and inquiries in PA?
Criminal records and arrests: Pennsylvania law prohibits an employer from considering an applicant’s arrest records, juvenile adjudications, expungements and summary offense convictions. A Pennsylvania employer may consider conviction information regarding an applicant’s criminal history record in making a hiring decision only to the extent that the applicant’s convictions relate to his or her suitability for employment in the applied-for position. Pennsylvania employers are prohibited from rejecting an applicant because of an arrest without a conviction. In addition, the City of Philadelphia has requirements that go beyond state law regarding criminal background checks and should be referenced when applicable.
Medical history: Pennsylvania employers may not use tests that tend to screen out individuals with a handicap or disability unless the tests can be shown as job-related.
Drug screening: Pennsylvania law does not regulate or prohibit private employer drug testing. However, an employer that chooses to implement such a testing program should be aware of any privacy issues involved. In addition, a recent state law bans employers from discriminating against job applicants and employees for being medical marijuana cardholders.
Credit checks: Pennsylvania law provides that: “It shall be an unlawful discriminatory practice for an employer to require, as a condition of employment, an employee or prospective employee to consent to the creation of a credit report that contains information about the employee’s or prospective employee’s credit score, credit account balances, payment history, savings or checking account balances or savings or checking account numbers.”
Unless such a report is directly related to the position applied for, or unless certain exceptions are met (e.g. managerial positions and fiduciary positions are excluded). In addition, a recent City of Philadelphia ordinance makes it unlawful for employers to use the credit information of Philadelphia job applicants or employees—unless covered by one of a number of exceptions—for employment decisions such as hiring, firing, or promotion.
Immigration status: Pennsylvania follows federal law on this issue, which means that Pennsylvania employers cannot discriminate against employees based on immigration status. Once an employee has proven to be eligible to work in the United States, the individual’s immigration status cannot be used in any other employment decisions.
Social media: There is no specific Pennsylvania statute precluding the use of social media to gather information on applicants for employment positions.
Other: Pennsylvania employers are prohibited from requiring an applicant or employee to take a polygraph/lie detector test as a condition for employment or for continuation of employment. This prohibition does not apply to applicants or employees in the field of public law enforcement, or who dispense or have access to narcotics or other dangerous drugs.
Article 29 Working Party Publishes Guidelines
The EU’s Article 29 Working Party released guidelines on consent and transparency under the General Data Protection Regulation (GDPR). The guidelines are intended to help data controllers comply with the GDPR by providing “practical guidance and interpretive assistance.”
Article 29 Working Party Issues Statement on Encryption
On April 11th, the EU’s Article 29 Working Party issued a statement about encryption, saying that “the availability of strong and efficient encryption is a necessity in order to guarantee the protection of individuals.” The party issued a number of statements regarding encryption:
- Strong encryption is required to ensure a secure, free flow of data between citizens, businesses and governments;
- Backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner; and
- Law enforcement agencies already have a number of legal powers and targeted tools to address the challenge of encryption, allowing them to access the data they need to investigate and prosecute criminals.
Canada’s Data Breach Notification Law
On April 18th, the Canadian Government released the final version of its data breach notification regulations (pg. 701), which goes into effect on November 1st, 2018. The regulations outline the rules companies will have to follow as a result of amendments passed in 2015 to the Personal Information Protection and Electronics Documents Act. The regulations make a number of changes regarding data breach notification, including requiring breach entities to notify affected consumers in the event of a data breach; and requiring companies to maintain a record of every data breach for at least 24 months after the data breach.
Canada Moves to Mandatory Breach Notification Guidelines
Canadian privacy laws are about to change to require mandatory breach notification. Draft regulations have been introduced to guide businesses on when and how to notify consumers and the privacy commissioner if there has been a security breach. The government has tried to strike a balance so that consumers receive meaningful notification of breaches that rise to the level of a “real risk of significant harm”.
French DPA Releases Data Security Guide
On April 4th, the French data protection authority (CNIL) released a data security guide to help organizations comply with Article 32 of the General Data Protection Regulation, which requires data processors and controllers to implement appropriate measures to “ensure a level of security appropriate to the risk.” The guide provides four steps to be used within a risk management system:
- Listing the processing of personal data, the data processed, and the media on which they rely;
- Assessing the risks caused by each processing by identifying the potential effects on the rights and freedoms of individuals concerned, the sources of risks, and the possible threats; determining the existing or planned measures which allow for each risk to be dealt with; and evaluating the severity and likelihood of the risks;
- Implementing and checking the planned measures; and
- Carrying out periodical security audits
European Commission Official on the GDPR
On April 9th, the EU Observer reported that a European Commission official said that EU companies may still be held liable for concealed past data breaches once the General Data Protection Regulation (GDPR) takes effect on May 25th. Failure to report a data breach may result in a fine of up to €10 million or two percent of the company’s revenue.
UK’s ICO Releases Data Protection Toolkit
The UK’s Information Commissioner’s Office recently released a data protection self-assessment toolkit to help small- and medium-sized businesses assess their compliance with data protection law. The assessment includes checklists for data controllers and processors and includes assessments for different topics, including information security, direct marketing, and data sharing and subject access.
Google Loses “Right to be Forgotten” Case
On April 13th, Politico reported that the London High Court ruled in favor of a businessman who sued Google after it denied his request to remove a 20-year old criminal conviction from its search engine. Google said that it would respect the Court’s judgement but that it takes “great care not to remove search results that are in the public interest.”
Credit Card Signature
American Express, Discover, Mastercard and Visa announced they are eliminating the need for credit card signatures
TransUnion acquires UK consumer credit bureau, Callcredit Information Group, Ltd.
Uber Announces Plan to Improve Background Screening
Uber announced a plan strengthen background check procedures for its drivers and implement other standards to increase overall safety for riders. The new background screening measures include:
- Rerunning criminal and motor vehicle checks on drivers each year, even when not legally required; and
- Utilizing new technology that will send notifications to the Company about any new criminal offenses to continuously screen drivers.
SunTrust Data Incident
On April 20th, SunTrust announced a potential data incident that may have affected approximately 1.5 million customers. According to the Company, a former employee attempted to download client information—including names, addresses, phone numbers, and account balances—and share the information with a criminal third party. SunTrust said that personally identifiable information such as Social Security Numbers, account numbers, and pins were not compromised. As of last week, the Company said that it believed the information had not left the bank and that no significant fraudulent activity was identified. SunTrust is offering free identity protection services to all of its clients.