December 2023 Screening Compliance Update

ClearStar

ClearStar is happy to share the below industry related articles written by subject matter experts and published on the internet in order to assist you in establishing and keeping a compliant background screening program. To subscribe to the Screening Compliance Update or to view past updates, please visit www.clearstar.net/category/screening-compliance-update/.

STATE, CITY, COUNTY AND MUNICIPAL DEVELOPMENTS

New York State’s Clean Slate Act: Highlights for Private Employers Including Healthcare and Human Services Employers

On Nov. 16, 2023, New York State Gov. Kathy Hochul signed legislation, also known as the Clean Slate Act, to automatically seal from public access criminal records for most individuals convicted of a crime.

The Act takes effect in one year, on Nov. 16, 2024, and its key intent is to increase employment opportunities for individuals with criminal histories who have no recent criminal convictions. The law amends New York’s criminal procedure law, the executive law, the correction law, the judiciary law and the civil rights law with respect to the automatic sealing of select convictions. New York follows several other states, such as California, Connecticut, Colorado, Pennsylvania, Oklahoma and Utah, which have enacted similar laws.

To be eligible for automatic sealing of their records, individuals must have completed their sentences (including any probation or parole time) and must not have reoffended within a stipulated period of time. This statutory period ranges from three years for misdemeanors to eight years for eligible felonies. The clock restarts if parole or probation is revoked or if there is a new conviction. All records of sex crimes, and Class A felonies (such as first or second-degree murder and first-degree kidnapping), except those related to drug possession, are ineligible for sealing.

The law provides for several exceptions where sealed records could still be accessed and used for law enforcement, in criminal proceedings under certain circumstances, and other necessary purposes such as determining suitability for various licenses, and for employment and other activities where federal or state law requires or authorizes a criminal background check to be performed prior to granting licenses to or employing individuals in certain jobs.

Busting Myths

Myth: The law will erase all criminal records.
Fact Check: The law automatically seals certain criminal records but does not expunge them. Notably, the Clean Slate Act would only seal convictions under New York’s penal law. The Act would not seal criminal convictions under federal law or the criminal law of any state other than New York. Sealing is not automatic when the convicted individual has a criminal charge pending or is on probation or under parole supervision when the statutory time period for automatic sealing elapses.

Myth: Law enforcement will not have access to criminal records.
Fact Check: Records automatically sealed under this Act could still be accessed and used by law enforcement for permissible purposes, including to assess the employment of law enforcement officers or when conducting investigations.

Myth: Background checks for vulnerable populations, such as children, the disabled and the elderly, are now compromised because employers can hire individuals with criminal records.
Fact Check: Entities, including those that work with children, the elderly or vulnerable adults, that are required or authorized by law to conduct a fingerprint-based background check are not impacted by the Clean Slate Act. Under the Act, such background checks are considered relevant and necessary prior to the employment of individuals working with these vulnerable populations and will include criminal records that have been sealed under this Act. The Act will also not seal the records of individuals who are required to register as a sex offender.

Myth: Gun licenses will be issued without a proper background check.
Fact Check: The law does not apply when licensing officers are processing a firearm license application. In this instance, the criminal records will not be treated as sealed.

Myth: Individuals who have a criminal record may get preferential treatment for a job over an individual with no criminal record.
Fact Check: New York State law prohibits discrimination against an individual because of their criminal conviction status, and the Clean Slate Act does not change this protected status. New York employers therefore cannot make employment decisions, such as terminating a current employee or refusing to hire an applicant, because of a prior criminal conviction record. Article 23-A of the New York State Correction Law provides an exception: an employer may still deny employment based on a criminal conviction record if it can establish a direct relationship between one or more of the previous offenses and the specific employment sought, or where employment would involve an unreasonable risk to property or to the safety or welfare of specific individuals or the general public. Employers must weigh several statutory factors when making that determination. New York City employers must also consider the Fair Chance Act, which prescribes additional requirements for inquiring about or making decisions based on an individual’s criminal record. Once the Clean Slate Act is in effect, employers should be aware of their additional obligations under New York State law. For example, employers should not consider sealed criminal records in employment decisions. Further, employers that receive unsealed criminal records in response to a request for criminal conviction history should provide the employee or applicant with a copy of the records received, a copy of Article 23-A of the New York State Correction Law, and notice of the right to correct any incorrect information pursuant to the regulations and procedures established by the Division of Criminal Justice Services. Legal counsel is recommended when considering criminal conviction history in employment decisions.

Myth: Sealed conviction records can later be used against an employer as evidence of employer negligence.
Fact Check: The Clean Slate Act provides that a conviction record that was sealed pursuant to the Act, and was not provided to an employer upon a request for conviction record history, cannot be introduced as evidence of negligence against the employer.

Considerations for Healthcare and Human Services Employers

For healthcare and human services employers, the Clean Slate Act broadly preserves access to criminal records where federal and state statutes have previously required such employers to screen potential employees in the interest of protecting patients or service recipient safety. Depending on their specific regulatory requirements, employers may be required to perform various background checks such as a Criminal History Record Check, a Staff Exclusion List (SEL) clearance through the New York State Justice Center, and the Statewide Central Register (SCR) database check through the New York State Office of Children and Family Services. As part of these checks, employers will be able to access permissible criminal records, including records that were automatically sealed under the Clean Slate Act.

As detailed above, the existing provisions of Correction Law Article 23-A continue to apply to any employer using such records in its employment decisions, including the requirement that there be a nexus between the prior criminal conduct and the reason an employer chooses not to employ a particular person.

Next Steps

Employers should review and update policies specifically related to hiring, background screening, use of conviction records and nondiscrimination policies. Once the law is effective, it is recommended that employers consult with legal counsel prior to taking an employment action in New York State based upon an individual’s criminal history.


Colorado Adopts Equal Pay Transparency Rules to Clarify Recent Amendments to State’s Equal Pay Law

Colorado Governor Jared Polis signed SB-23-105 into law amending its Equal Pay for Equal Work Act (the “Act”) to modify an employer’s pay transparency obligations for job postings and internal promotional opportunities.  The amended law also extended the statute of limitations for wage discrimination claims from three years to six years and created new mandates for Colorado’s Department of Labor and Employment (“CDLE”) with respect to the investigation, mediation, and enforcement of wage discrimination claims.  The amendments to the law will take effect January 1, 2024.

In line with these recent amendments, on September 29, 2023, the CDLE issued proposed Equal Pay Transparency Rules (“EPT Rules”). Following a public hearing and comment on the proposed rules, the CDLE has now adopted the final EPT Rules. These Rules will become effective on January 1, 2024, along with the underlying Act’s amendments. The EPT Rules provide clarity on some of the Act’s posting and notice requirements, as outlined below.

Career Development:  The amended law requires that employers make reasonable efforts to announce, post, or otherwise make known each “job opportunity” to employees.  The definition of “job opportunity” expressly excludes “career development” or “career progression,” thus eliminating the requirement in the law’s prior iteration to provide notice of in-line promotional opportunities.  “Career development” is defined as a “change to an employee’s terms of compensation, benefits, full-time or part-time status, duties, or access to further advancement in order to update the employee’s job title or compensate the employee to reflect work performed or contributions already made by the employee.”  The adopted EPT Rules now spell out that such existing work or contributions must be: (1) part of the employee’s existing job; and (2) not within a position with a current or anticipated vacancy.

Career Progression: The amended Act defines “career progression” as “a regular or automatic movement from one position to another based on time in a specific role or other objective metrics,” and adds a requirement that for positions with “career progression,” an employer must disclose and make available to all “eligible employees” the requirements to obtain a career progression, in addition to each position’s terms of compensation, benefits, full-time or part-time status, duties, and access to further advancement. However, the law as amended did not define “eligible employees.” The EPT Rules now define “eligible employee” as “those in the position that, when the requirements in the notice are satisfied, would move from their position to another position listed in the notice as a ‘career progression.’”

Clarity on Post-Selection Notice Requirements:  The amended law added a requirement that employers disclose information regarding the candidate selected for a job opportunity to those employees with whom the selected candidate will regularly be working in the new role.  However, the amended law did not define the term “work with regularly.”  The adopted EPT Rules clarify that the term “work with regularly” means “employees who, as part of their job responsibilities, either (1) collaborate or communicate about their work at least monthly, or (2) have a reporting relationship (i.e., supervisor or supervisee).”  The EPT Rules further specify that employers may comply with this requirement by providing notice of either (1) each individual selection or (2) multiple selections, as long as the notice is provided no later than thirty days after any selection in the notice.  In addition, the EPT Rules clarify the exception in the Act of disclosing the name of a selected candidate where such disclosure would violate the candidate’s privacy rights under applicable law or place at risk the selected candidate’s health or safety, and identifies a procedure by which a selected candidate can inform an employer that they believe disclosure would put their health or safety at risk.

Acting, Interim, or Temporary (“AINT”) Hires: The amended law contemplates exceptions for temporary, interim, or acting job opportunities that necessitate immediate hire.  The EPT Rules provide that no immediate job opportunity posting is required to fill a position on an AINT basis for up to nine months (note that this was six months under the prior EPT Rules) where: (1) the AINT hiring is not expected to be permanent, and if the hire may become permanent, the required job opportunity posting must be made in time for employees to apply for the permanent position; and (2) the same or a substantially similar position was not held any time in seven or more of the preceding twelve months by another AINT hire for which there was no job opportunity posting, with certain additional timing limitations.

Geographic Limits: The EPT Rules clarify that the job opportunity, post-selection, and career progression notice requirements do not require notice to employees entirely outside Colorado.

Application Deadlines: The amended Act added a requirement that employers disclose “the date the application window is anticipated to close.”  This requirement raised questions for many employers that have perpetual or ongoing job postings and do not utilize a fixed time frame for open opportunities.  The EPT Rules now provide some clarity on this ambiguity.  First, the Rules describe this requirement as employers having to disclose “the application deadline” in the job posting.  Second, the Rules specify that a deadline need not be included if the employer accepts applications on an ongoing basis and there is no fixed deadline to apply, as long as that is clearly stated in the posting.  Additionally, a deadline may be extended if (1) the original deadline was a good-faith expectation or estimate of what the deadline would be; and (2) the posting is promptly updated when the deadline is extended.


New California and Washington State Marijuana Drug Testing Laws Take Effect January 1st, 2024

On January 1, 2024, two laws in California regarding drug tests for marijuana conducted by employers on applicants – Senate Bill 700 (SB 700) and Assembly Bill 2188 (AB 2188) – along with a similar marijuana drug testing law in the State of Washington – Senate Bill 5132 (SB 5132) – will all take effect and provide protections for adult users of cannabis in those states.

Signed into law by California Governor Gavin Newsom, SB 700 will make it unlawful for an employer to discriminate against an applicant based upon “the person’s use of cannabis off the job and away from the workplace” and a “drug screening test that has found the person to have nonpsychoactive cannabis metabolites in their hair, blood, urine, or other bodily fluids.”

However, while the law prohibits an employer from asking about marijuana use, SB 700 “does not prohibit an employer from discriminating in hiring, or any term or condition of employment, or otherwise penalize a person based on scientifically valid preemployment drug screening conducted through methods that do not screen for nonpsychoactive cannabis metabolites.”

In addition, SB 700 protects information regarding a person’s past marijuana use if the information is permitted under certain state and federal laws, does not apply to job applicants seeking employment in the building and construction trades, and does not allow workers to be impaired by marijuana on the job. The law takes effect January 1, 2024.

Governor Newsom also signed AB 2188 which would prohibit employers from punishing workers who fail drug tests that detect only inactive cannabis compounds called nonpsychoactive metabolites that follow use days or weeks prior to the drug test. Instead, employers would test for tetrahydrocannabinol (THC) which indicates a worker is currently under the influence.

According to the law, THC “is the chemical compound in cannabis that can indicate impairment and cause psychoactive effects.” The law states that “employers now have access to multiple types of tests that do not rely on the presence of nonpsychoactive cannabis metabolites” and “tests that identify the presence of THC in an individual’s bodily fluids.”

AB 2188 would also exempt applicants and employees in the building and construction trades, and in positions requiring a federal background investigation. AB 2188 does not preempt state or federal laws requiring applicants or employees to be drug tested for controlled substances as a condition of employment. The law takes effect January 1, 2024.

Signed into law by Washington Governor Jay Inslee, SB 5132 is an Act created after “the legalization of recreational cannabis in Washington state in 2012 created a disconnect between prospective employees’ legal activities and employers’ hiring practices.” The Act relating to the employment of individuals who lawfully consume cannabis will add language to state code.

“It is unlawful for an employer to discriminate against a person in the initial hiring for employment if the discrimination is based upon: (a) The person’s use of cannabis off the job and away from the workplace; or (b) An employer-required drug screening test that has found the person to have nonpsychoactive cannabis metabolites in their hair, blood, urine, or other bodily fluids.”

However, SB 5132 does not apply to specific jobs that include positions requiring a federal government background investigation or security clearance, with a Washington law enforcement agency, with a fire department, as a first responder, as a corrections officer, in the airline or aerospace industries, or a safety sensitive position. The law takes effect January 1, 2024.


FTC Adds Data Breach Notification Requirement to Safeguards Rule

The Federal Trade Commission (FTC or Commission) has amended its Standards for Safeguarding Customer Information, commonly known as the “Safeguards Rule,” to require non-bank financial institutions to report certain data breaches to the Commission. The amended Safeguards Rule requires covered “financial institutions” to report “notification events” affecting 500 or more consumers to the FTC as soon as possible, and no later than 30 days after discovery (the “Notification Requirement”). A “notification event” is defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” The FTC intends to make the notices it receives public, although financial institutions may request that public disclosure be delayed for law enforcement purposes.

The amendments go into effect 180 days after they are published in the Federal Register, meaning that covered financial institutions likely will be required to begin reporting notification events starting in Q2 2024. The amendments do not include any requirement to notify affected individuals of a data breach.

Financial institutions covered by the Safeguards Rule (and therefore the Notification Requirement) include neobanks, alternative lenders, money transmitters, retailers that extend credit to customers, mortgage brokers, certain investment advisors, and numerous other types of entities providing financial products or services. The U.S. Department of Education also requires institutions of higher education participating in certain federal student aid programs, as well as their third-party servicers, to comply with the Safeguards Rule.

We summarize the Notification Requirement and propose various compliance measures below.

Background

The FTC issued the first version of the Safeguards Rule in 2002 pursuant to the Gramm-Leach-Bliley Act (GLBA). Under GLBA, various federal agencies including the FTC, the U.S. Securities and Exchange Commission, the federal banking regulators—the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Reserve Board—and the National Credit Union Administration, are required to issue standards for the security of customer information for financial institutions subject to each agency’s jurisdiction.[1]

The first version of the Safeguards Rule imposed relatively high-level requirements on covered institutions to implement a written information security program, including designating a qualified individual to lead the program, identifying information security risks, implementing and testing safeguards in response to those risks, overseeing service providers, and periodically adjusting the program based on changes to the business and other circumstances. In December 2021, the FTC overhauled the Safeguards Rule by expanding the existing requirements and enumerating new, more detailed ones. Under the current Safeguards Rule, which we discussed in a prior blog post and webinar, institutions must adopt various safeguards, including encrypting customer information in transit and at rest, multifactor authentication, secure software development and assessment measures, and annual written reports to the board of directors (or other governing body) regarding the institution’s information security program and material security risks, among others.

The FTC’s overhauled Safeguards Rule did not include any breach notification requirement. However, on the same day the FTC published the new Safeguards Rule, December 9, 2021, it also issued a Supplemental Notice of Proposed Rulemaking (SNPRM) to amend the Safeguards Rule to add breach notification.[2] The FTC issued the Notification Requirement in a final rule published on October 27, 2023 (the “Final Rule”).

The FTC published the Final Rule shortly after the release by the Consumer Financial Protection Bureau (CFPB) of its proposed “Personal Financial Data Rights” rule under Section 1033 of the Consumer Financial Protection Act of 2010. The CFPB’s proposed rule would require data providers and third parties not otherwise subject to GLBA to comply with the FTC’s Safeguards Rule (we discuss the CFPB’s proposal here), now including the Notification Requirement.

Covered Information

The Notification Requirement dramatically expands covered financial institutions’ breach reporting obligations because of the range of data covered. The Notification Requirement applies to “customer information,” which is broadly defined in the Safeguards Rule as records containing “nonpublic personal information about a customer of a financial institution.” Nonpublic personal information is (i) personally identifiable financial information[3] and (ii) “[a]ny list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.” Customer information may include a broad array of data, from more sensitive types of data such as Social Security numbers, detailed financial and purchase histories, and account access information, to relatively routine and benign data, such as basic customer demographics and contact details.

Under state data breach reporting laws, companies are required to report breaches of only enumerated categories of data, such as Social Security numbers and other government-issued ID numbers, financial account numbers in combination with access credentials, usernames and passwords, and medical information. But given the broad definition of customer information under the Safeguards Rule, covered financial institutions will have to assess their breach reporting obligations for a much larger set of data than they typically do now.[4]

At the same time, it is important to note that the Safeguards Rule, and therefore the Notification Requirement, does not apply to information about “consumers” who are not “customers.” Under the Safeguards Rule, a “consumer” is any individual that obtains a financial product or service from a financial institution to be used for a personal, family, or household purpose.” A “customer” is a type of consumer: specifically, a consumer with which the financial institution has a “customer relationship,” defined as a “continuing relationship” between the institution and customer under which the institution provides a financial product or service. No customer relationship may exist, for example, where a consumer engages in only “isolated transactions” with the institution, such as by purchasing a money order or making a wire transfer. The Notification Requirement applies only to customer information, and therefore is not triggered by a breach affecting only consumers who are not customers.

Covered Incidents

A “notification event” is defined as “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains (emphasis added).” This definition raises several points for consideration:

  • Acquisition: The Notification Requirement is triggered by unauthorized “acquisition” and includes a rebuttable presumption that unauthorized “access” is unauthorized acquisition unless the institution has “reliable evidence” showing that acquisition could not reasonably have occurred. On the surface, the Notification Requirement takes a sort of middle approach vis-à-vis state data breach notification laws: under most state laws, personal data must be acquired to trigger notification obligations, but a small and growing number of states require notification where personal data has only been accessed.[5] However, it is important to note that the FTC has a very broad view of those terms. The FTC describes “acquisition” as “the actual viewing or reading of the data,” even if the data is not copied or downloaded, and “access” as merely “the opportunity to view the data”[6] (emphasis added). Based on the FTC’s reading of those terms, the rebuttable presumption may only be available if an institution has reliable evidence that unauthorized actors did not actually view customer information, even if they had the opportunity to do so. In practice, rebutting the presumption depends on having logging detailed enough to show what the unauthorized actor could and could not have viewed; without such records, an institution should expect to treat access as acquisition.
  • Unencrypted: The Notification Requirement treats encrypted data much like state data breach notification laws do. Institutions need not report acquisitions of encrypted data; however, encrypted data is considered unencrypted for the purposes of the Notification Requirement if the encryption key was accessed by an unauthorized person. Because the carve-out turns on whether the key was accessed, encryption whose key is stored alongside the data, or on the same compromised system, is unlikely to relieve an institution of its reporting obligation.
  • Without Authorization of the Individual to Which the Information Pertains: Typically, when breach notification laws refer to acquisition of data being unauthorized, it is understood that they are referring to whether the acquisition was authorized by the entity that owns the data, not whether it was authorized by the individual who is the subject of the data. By specifying that a notification event occurs when acquisition was not authorized by the individual data subject, the Notification Requirement potentially encompasses a broader range of incidents than state data breach notification laws. If, for example, a financial institution’s employee uses customer information for a purpose that is authorized by the institution but inconsistent with the institution’s privacy statement or customer agreement, one could argue that the use is acquisition not authorized by the consumer. Whether the FTC would take that novel position remains to be seen. Notably, the FTC’s Health Breach Notification Rule (HBNR) includes similar language in its definition of “breach of security,”[7] and the FTC has taken the position that the HBNR applies to disclosures authorized by the company holding the data but not by the data subject.

Notification Obligation

Financial institutions must notify the FTC “as soon as possible, and no later than 30 days after discovery” of a notification event involving at least 500 consumers. Although not clear from the text of the amendments, the FTC appears to take the position that the 30-day period begins to run when an institution discovers that a notification event has occurred, and not when it discovers specifically that the notification event affects 500 or more consumers. The FTC dismissed concerns that a financial institution may not know how many consumers were affected, or other key information such as whether information was only accessed without acquisition, at the time it discovers a data breach, stating that it expects financial institutions “will be able to decide quickly whether a notification event has occurred.” Where it is difficult to ascertain how many consumers may have been affected, for example where a data breach affected unstructured data containing an unknown amount of consumer data, institutions may face significant time pressure to meet the 30-day reporting requirement.

The Notification Requirement does not include any “risk of harm” analysis or threshold. Under the SNPRM, financial institutions would have been required to notify the FTC only where “misuse” of customer information had occurred or was “reasonably likely” to occur. The final version of the Notification Requirement removes the misuse language and simply requires notification upon discovery that customer information has been “acquired” without authorization.

The Notification Requirement is surprisingly silent on financial institutions’ obligations when data breaches occur at their service providers.[8] A financial institution is considered to have discovered a notification incident “if such event is known to any person, other than the person committing the breach, who is [the institution’s] employee, officer, or other agent.” This language indicates that financial institutions are not considered to have knowledge of a notification event that occurred at a service provider (which would not typically be considered the financial institution’s “agent”) until the service provider makes the institution aware of the event. Although there is no specific requirement that institutions obligate their vendors to notify them of security incidents, the Safeguards Rule does require institutions to oversee their service providers, including by entering into contracts requiring service providers to maintain appropriate security safeguards for customer information. The FTC may take the position that financial institutions must require their service providers to report notification events to them under these broader service provider oversight obligations. Additionally, the FTC might argue that because customer information is defined to include information “that is handled or maintained by or on behalf of” a financial institution, institutions’ responsibility for third-party notification events is assumed.

Report Requirements and Publication

Notifications to the FTC, which must be submitted via electronic form on the FTC website, must include the following information:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information that were involved in the notification event;
  • If the information is possible to determine, the date or date range of the notification event;
  • The number of consumers affected;
  • A general description of the notification event; and
  • If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official. A law enforcement official may request a delay in publication of the report for up to 30 days. The delay may be extended for an additional 60 days in response to a written request from the law enforcement official. Any further delay is only permitted if the FTC staff “determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.”

The FTC intends to make the reports it receives publicly available on its website. Financial institutions should take note that plaintiffs attorneys are likely to monitor these postings (as they do with public postings of data breach reports by various state attorneys general and the Department of Health and Human Services Office of Civil Rights) and may use them as a basis for commencing consumer class actions.

Preparing for Compliance

Financial institutions subject to the Safeguards Rule are advised to consider the following steps for preparing to comply with the Notification Requirement:

  • Assess Safeguards Rule Compliance and Address Gaps Now: The FTC issued the Notification Requirement to support its enforcement efforts.[9] The FTC intends to review breach reports and assess whether a breach may have been the result of an institution’s failure to comply with the Safeguards Rule’s technical, administrative, and physical safeguards. Institutions should prepare for this increased scrutiny by assessing and remedying any compliance gaps with the Safeguards Rule. The FTC acknowledges that a breach may occur even if an institution fully complies with the Safeguards Rule, so institutions should be prepared to show the FTC that the notification incident occurred notwithstanding their compliance with the rule.[10]
  • Review and Update Incident Response Plans. The Notification Requirement dramatically expands covered financial institutions’ breach reporting obligations. Under state data breach reporting laws, companies are required to report breaches of only enumerated categories of data, such as Social Security numbers and other government-issued ID numbers, financial account numbers in combination with access credentials, usernames and passwords, and medical information. But given the broad definition of customer information under the Safeguards Rule, covered financial institutions will have to assess their breach reporting obligations for a much larger set of data. Institutions should update their incident response plans to address these expanded obligations and educate their incident response teams about them. Institutions also should determine who will be responsible for submitting any required report to the FTC. Reports should be reviewed by counsel prior to submission, given that they may form the basis for FTC enforcement or consumer class actions.[11]
  • Revise Any Data Maps, Information Classification Schemes and Similar Documentation. Financial institutions also should review their data maps, data inventories, information classification schemes, and similar data management documentation to ensure that they properly address the many types of records that may be considered “customer information” containing “non-public personal information” subject to the Notification Requirement. Doing so will help financial institutions more quickly assess the impact of a security incident and determine whether it is a “notification event” under the amended Safeguards Rule (for example, by informing them of whether customer information may be present on a compromised system). Quick assessment will be important given the 30-day notification deadline, and that the FTC appears not to distinguish between when an institution becomes aware of a notification event and when it determines that the event triggers the reporting obligation.
  • Assess and Amend Service Provider Agreements. Although there is no specific requirement in the Safeguards Rule that institutions obligate their service providers to notify them of notification events, the FTC may argue that such an obligation is assumed by the Safeguards Rule provisions. Accordingly, financial institutions should review their relevant service provider agreements and determine whether any amendments are necessary to support their compliance with the Notification Requirement.

Click Here for the Original Article

INTERNATIONAL DEVELOPMENTS

Data Act: Council adopts new law on fair access to and use of data

To make the EU a leader in our data-driven society, the Council adopted a new Regulation on harmonised rules on fair access to and use of data (Data Act).

Today’s adoption will be a catalyst for a Europe fit for the digital age. The new law will unlock a huge economic potential and significantly contribute to a European internal market for data. Data trading and the overarching use of data will be boosted, and new market opportunities will open to the benefit of our citizens and businesses across Europe.

José Luis Escrivá, Spanish minister of digital transformation

The data act puts obligations on manufacturers and service providers to let their users, be they companies or individuals, access and reuse the data generated by the use of their products or services, from coffee machines to wind turbines. It also allows users to share that data with third parties – for example, car owners could choose in the future to share certain vehicle data with a mechanic or their insurance company.

Main objectives of the law

The regulation sets up new rules on who can access and use data generated in the EU across all economic sectors. It aims to:

– ensure fairness in the allocation of value from data among actors in the digital environment
– stimulate a competitive data market
– open opportunities for data-driven innovation, and
– make data more accessible to all

The new law also aims to ease the switching between providers of data processing services, puts in place safeguards against unlawful data transfer and provides for the development of interoperability standards for data to be reused between sectors.

The data act will give both individuals and businesses more control over their data through a reinforced portability right, allowing data to be copied or transferred easily across different services where the data are generated through smart objects, machines, and devices. The new law will empower consumers and companies by giving them a say on what can be done with the data generated by their connected products.

Main elements of the new regulation

Scope of the legislation

The new regulation will allow users of connected devices, ranging from smart household appliances to intelligent industrial machines, to gain access to data generated by their use which is often exclusively harvested by manufacturers and service providers.

Regarding Internet of Things (IoT) data, the new law focuses, in particular, on the functionalities of the data collected by connected products instead of the products themselves. It introduces the distinction between ‘product data’ and ‘related service data’, from which readily available data can be shared.

Trade secrets and dispute settlement

The new law ensures an adequate level of protection of trade secrets and intellectual property rights, accompanied by relevant safeguards against possible abusive behaviour. While fostering the sharing of data, the new regulation aims at supporting the EU industry while providing safeguards for exceptional circumstances and dispute settlement mechanisms.

Data sharing and compensation

The new law contains measures to prevent abuse of contractual imbalances in data sharing contracts due to unfair contractual terms imposed by a party with a significantly stronger bargaining position. These measures will protect EU companies from unfair agreements and give SMEs more room for manoeuvre. Moreover, the text of the regulation provides additional guidance by the Commission regarding the reasonable compensation of businesses for making the data available.

The regulation provides the means for public sector bodies, the Commission, the European Central Bank and EU bodies to access and use data held by the private sector that is necessary in exceptional circumstances, particularly in case of a public emergency, such as floods and wildfires, or to fulfil a task in the public interest.

When it comes to such requests to access data in the ‘business to government’ context, the new regulation provides that personal data will only be shared in exceptional circumstances, such as a natural disaster, a pandemic, a terror attack, and if the data required is not otherwise accessible. Micro and small-sized enterprises will also contribute their data in such cases and will be compensated.

Benefits for consumers

The new law will allow consumers to move easily from one cloud provider to another. Safeguards against unlawful data transfers have also been introduced, as have interoperability standards for data sharing and processing. Finally, the expectation from the new law is that it could make after-sale service of certain devices cheaper and more efficient.

Governance model

The new regulation preserves member states’ flexibility to organise the implementation and enforcement tasks at national level. The coordinating authority, in those member states where such coordination role will be required, will act as a single point of contact and be labelled as ‘data coordinator’.

Next steps

Following today’s formal adoption by the Council, the new regulation will be published in the EU’s official journal in the coming weeks and will enter into force on the twentieth day after this publication. It will apply 20 months after the date of its entry into force. However, article 3, paragraph 1 (requirements for simplified access to data for new products), will apply to connected products and the services related to them placed on the market after 32 months from the date of entry into force of the regulation.

Background

Following the data governance act adopted by the co-legislators in 2022, the data act regulation is the second main legislative initiative resulting from the Commission’s February 2020 European strategy for data, which aims to make the EU a leader in our data-driven society.

While the data governance act creates the processes and structures to facilitate data sharing by companies, individuals and the public sector, the data act clarifies who can create value from data and under which conditions. This is a key digital principle that will contribute to creating a solid and fair data-driven economy and guide the EU’s digital transformation by 2030. It will lead to new, innovative services and more competitive prices for aftermarket services and repairs of connected objects (‘Internet of Things’ / IoT).

In its conclusions of 25 March 2021, the European Council underlined the importance of digital transformation for the EU’s growth, prosperity, security, and competitiveness, as well as for the well-being of our societies. In light of these ambitions and challenges, the Commission proposed on 23 February 2022 measures for a fair and innovative data economy (data act), as a follow-up to its communication of February 2020 on the European strategy for data. On 27 June 2023, the Council and the European Parliament reached a provisional agreement on this file.

Click Here for the Original Article

Europe goes ahead and regulates Artificial Intelligence

The European Union has prioritized the regulation of Artificial Intelligence (AI) following the remarkable growth of generative AI models such as OpenAI’s ChatGPT or Google’s Gemini. Last December 8, the European Parliament and Council reached a provisional agreement on the «Artificial Intelligence Act», seeking to safeguard security and human rights without slowing down technological innovation.

The law prohibits specific uses of AI, such as the use of biometric categorization systems with sensitive data or the collection of facial images available on the internet or from CCTV cameras to create facial recognition databases, among others. In addition, the Act establishes exceptions for the use of biometric identification systems by security forces. These systems require judicial authorization and may only be used for the investigation of serious crimes, the search for victims, the prevention of terrorist attacks, and the location of criminals.

Similarly, the law classifies AI systems into risk categories. For example, high-risk systems will be subject to human rights impact assessments. Citizens will be able to file complaints and receive explanations about decisions made by these systems that affect their rights. In addition, general-purpose AI systems must have technical documentation, comply with European intellectual property legislation, and disclose summaries of the content used for training. Another important aspect addressed by the new law is the relationship between AI and copyright. Finally, the law provides for fines of 35 million euros or between 1.5% and 7% of the company’s total revenue, depending on the infringement and the size of the company.

Click Here for the Original Article

News about privacy in LATAM

(i) Brazil

  • Public consultation on model clauses: The National Authority for the Protection of Personal Data of Brazil (hereinafter, “ANPDP”) published on August 15 the draft Regulation on the International Transfer of Personal Data and the standard contractual clauses in accordance with the General Law on Protection of Personal Data (hereinafter, “LGPDP”).
  • Bill to modify the sanctions of the LGPD and the Consumer Defence Code: The Brazilian Senate is discussing the bill Nº 4530/2023, whose purpose is to modify the laws that regulate data protection in Brazil. The project proposes increasing the level of fines that can be applied in case of non-compliance with the LGPDP. It would also modify Law No. 8079/1990 (the Consumer Defence Code) to prohibit the collection of personal data without informing consumers about the purpose and type of processing of their personal data.
  • Public consultation on the draft regulation of notification of security incidents: In May of this year the ANPDP published the draft resolution that would regulate the procedure for notification of information security incidents to the ANPDP and the data owners. You can read about this subject further here.

(ii) Chile

  • Data protection bill: The Legislative Branch of Chile is discussing the bill that seeks to replace the current Law 19628 on the Protection of Private Life or Protection of Personal Data, which dates back to 1999.
  • Constitutional reform: On December 17, a national plebiscite will be held that will decide the approval of the constitutional proposal. The proposal delves into the right to the protection of personal data, and its drafting began in early 2023.

(iii) Uruguay

  • Update of the list of countries or organizations that have an adequacy decision: On November 21, Resolution No. 63/023 of the Regulatory and Control Unit of Personal Data was published, which updated the list of countries or organizations that have an adequacy decision for international data transfers set forth in Resolution No. 23/021 of the same organization. Among them are the organizations included in the “Data Privacy Framework Program” published by the United States Department of Commerce.

(iv) Colombia

  • The reform of the personal data protection law is in negotiations: The bill aimed at reforming Law 1581 of 2012 on the Protection of Personal Data was introduced in the House of Representatives in August of this year and is under review in the First Permanent Constitutional Commission.

(v) Ecuador

  • General Regulations of the Organic Law on Protection of Personal Data: On November 13, the Presidency of the Republic published in the Official Registry the General Regulations of the Organic Law on Protection of Personal Data through Executive Decree No. 904 of 2023.

(vi) Peru

  • Regulations of the Personal Data Protection Law: On August 25, the Ministry of Justice and Human Rights approved the publication of the Regulations of Law No. 29733 on the Protection of Personal Data.

Click Here for the Original Article

MISCELLANEOUS DEVELOPMENTS

Background Checks in Banks, and Conflicts with Ban-the-Box Laws

Numerous federal, state and local laws require banks to run criminal background and credit checks on employees and applicants for employment.  These include the Federal Deposit Insurance Act (FDIA), the Securities and Exchange Act, the Secure and Fair Enforcement for Mortgage Licensing Act (SAFE Act), the Truth in Lending Act (TILA), and various FINRA rules.  The background checks may also need to be re-run periodically during employment to assure the continued accuracy of the information received during the recruitment process, and to assure that the individual continues to be qualified to fill their role.

In addition to these industry-specific requirements, one must consider requirements imposed by the Office of Foreign Assets Control (OFAC).  OFAC screening is meant to enforce economic sanctions against certain countries and individuals.  All “U.S. persons” must comply with OFAC’s regulations and sanction, and federal banking regulators evaluate bank OFAC compliance programs to ensure that all banks subject to their supervision comply with OFAC sanctions. As part of such a regulatory review, regulators will typically inquire whether employees are checked against the OFAC list.

There is more. PEP screening refers to Politically Exposed Persons, also known as “senior foreign political figures,” as defined under regulations issued by the Financial Crimes Enforcement Network of the U.S. Department of the Treasury.  PEPs have been known to utilize banks as a medium for illegal activities, and the screening is meant to diminish the risk of money laundering.  The screening emanates from the Bank Secrecy Act, the Financial Action Task Force (FATF) and the Federal Financial Institutions Examination Council (FFIEC).  Under the Bank Secrecy Act, and as set forth in FFIEC’s Bank Secrecy Act/Anti-Money Laundering Examination Manual, banks operating in the U.S. are required to have procedures in place for identifying PEPs, and implementing appropriate controls and procedures to monitor the accounts and transactions of PEPs.

U.S. banking regulators have indicated to banks and other financial institutions that they should be adopting enhanced processes to identify PEPs, including as part of the employee hiring/onboarding process.  As a result, many banks have added questions to their employment application seeking to identify whether a candidate for employment or a candidate’s family member is a PEP.

In addition to these onerous requirements, Section 19 of the FDIA imposes an affirmative duty upon an insured depository institution to make a “reasonable inquiry” regarding an applicant’s criminal record history, which consists of taking steps appropriate under the circumstances, consistent with applicable law, to avoid hiring or permitting participation in its affairs by a person who has a conviction or who has agreed to enter into a pretrial diversion or similar program in connection with a prosecution for a covered offense.

The SAFE Act, which applies to national and state banks, branches of foreign banks, credit unions, and other financial institutions, requires that mortgage loan originators who originate residential mortgage loans be subject to an FBI criminal background check and an independent credit report from a consumer reporting agency.  Regulation Z of the TILA, which generally applies to “loan originators” involved in consumer credit transactions secured by a dwelling, also requires background checks, including credit checks of all loan originators.

Further, Rule 17a-3(a)(12) of the SEA requires members and broker-dealers to make and keep current certain books and records with respect to “associated persons” of the firm containing information regarding the associated person, including a record of any arrests and indictments for any felony or certain enumerated misdemeanors, and the disposition of such arrests and indictments.

FINRA-regulated entities must also comply with FINRA Rule 3110(e), which requires each member to run a comprehensive criminal record and credit check on FINRA registered employees and applicants for a FINRA registered position to verify the accuracy and completeness of the information contained in the applicant’s initial or transfer Form U4.  Additionally, firms must perform a search of “reasonably available public records” to verify the completeness and accuracy of the details included in an individual’s Form U4.

We also must not forget the Fair Credit Reporting Act, which applies to all employers running the various checks. Under the FCRA, employers must obtain the consumer’s written authorization to conduct a background check if the employer outsources any portion of the background investigation process to a third party, formally referred to as a “consumer reporting agency.” It requires that a company provide an applicant subject to screening with a “clear and conspicuous disclosure … in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes.”

Ban-the-Box Laws

On the other side of these multiple and varied requirements sit “ban-the-box” laws, which many states have implemented to restrict or narrow the ability of employers to run criminal background or credit checks.  Examples of particularly onerous local laws are those in effect in New York State and New York City.  The New York Fair Chance Act (FCA) prohibits employers from conducting a criminal background check or examining a potential employee’s arrest or conviction record until after the employer has made a conditional employment offer.

Any decision to deny employment based on a criminal record must be consistent with Article 23-A of the New York Corrections Law, which requires that there be a direct relationship between one or more of the previous criminal offenses and the employment sought or held by the individual, and if granting or continuing employment would involve an unreasonable risk to property or the safety or welfare of individuals or the general public.

The law is complicated.  Employers who review an applicant’s criminal history before making a final offer of employment must implement a two-tiered screening process, wherein all non-criminal pre-employment screenings, such as a review of the applicant’s employment and educational history, must be completed and passed by the applicant before a conditional offer of employment is made. Thereafter, employers may, after making a conditional offer of employment, request and review the applicant’s criminal history, which may only be considered in compliance with the individualized assessment, notice and consideration requirements of the FCA.

Further, before taking any adverse employment action based on the inquiry, the FCA requires the employer to provide a written series of questions to the applicant to demonstrate that the employer is considering only the legitimate factors identified in Article 23-A in assessing eligibility for employment.  The employer must perform a written analysis and provide a copy to the applicant, including supporting documents that formed the basis for an adverse action and the reasons for taking any adverse action.  The employer must also allow the applicant no less than three business days to respond, and hold the position open for the applicant.

By its terms, however, the FCA does not apply if federal, state or local law, or a self-regulatory organization (SRO) requires the employer to conduct criminal background checks for employment purposes or to bar employment in a particular position based on criminal history.  Accordingly, financial services companies are exempt from compliance with the FCA and SCDEA with respect to their FINRA-registered employees or applicants for a FINRA-registered position.

Similarly, the New York City Stop Credit Discrimination in Employment Act (SCDEA) generally prohibits employers from requesting or using a potential or existing employee’s credit history – including credit reports, credit scores, and other information regarding a person’s credit, bankruptcies, judgments or liens – when making hiring, promotion, firing and other employment determinations.

The SCDEA does not, however, restrict an employer who is required by state or federal law or regulation, or by an SRO, to use an individual’s consumer credit history for employment purposes.  This exemption applies only to those positions regulated by SROs; employment decisions regarding other positions must still comply with the SCDEA.

New York is by no means the only state whose laws include exemptions for individuals employed by or seeking employment with financial institutions.  But the laws can be tricky to interpret.  Some ban-the-box statutes include explicit exclusionary language for individuals who are employed by a bank or financial institution.  These include Colorado, Illinois, Maryland, Oregon, Vermont, Washington, and, as noted above, New York, and other municipal and local jurisdictions.

Other states, though, identify other exclusions (such as being mandated by federal or state law) that do not explicitly identify financial institutions, but likely apply to individuals who may be employed by them.  These jurisdictions include California, Connecticut, Delaware, the District of Columbia, Florida (referring to a bona fide occupational qualification), Hawaii, Maine, Massachusetts, Minnesota, Nevada, New Jersey, Rhode Island, Texas, Vermont, Wisconsin, and various other municipal and local jurisdictions.

Recommended Practices

Unfortunately, the exemptions are not always crystal clear.  And financial institutions, already under heightened scrutiny with respect to their compliance procedures, have to balance competing obligations imposed by federal and state banking regulators, on the one hand, and local anti-discrimination lawmakers, on the other.  This is not a simple task; financial services companies must take care to sort through these competing rules, to avoid liability from regulators on both ends of these issues.

Consequently, employers cannot avoid the onerous task of familiarizing themselves with these restrictions, legislative and regulatory updates, and the degree to which they may apply to their hiring and periodic updating of background checks.  Recommended practices include notifying applicants and employees of the background and credit check requirements and informing them of the restrictions mandated by the applicable state on this process.

Employers should prepare a background check disclosure form that explains the information that may be gathered and indicates the sources of the information. The form must include an authorization signed by the candidate or employee permitting the employer to obtain the background check and providing other representations, including an acknowledgment that, where permitted, the employer may rely on the authorization to order additional background reports without asking for authorization again during employment and from different credit reporting agencies.

The employer must also provide the employee with the statutorily required summary of rights under the FCRA, which include, among other things, the right to be informed if the results are used against the individual; to know what is in the file; the right to one free disclosure every 12 months from nationwide credit bureaus; to request a credit score; to dispute incomplete or inaccurate information; and to place a “security freeze” on their credit report, which will prohibit a consumer reporting agency from releasing information in the credit report without the individual’s express authorization.

Finally, employers must keep careful records, via a log sheet supplemented by contemporaneous records, of the background checks performed, identifying each individual, the particular background check, when it was conducted, the verification process, a record of references, and other similar information.

There are no short-cuts to compliance.  Well-run financial services organizations will stay in touch with employment counsel familiar with these compliance-related requirements, provide periodic internal training to relevant personnel, and prepare form documents that comply with the various applicable federal, state, and local laws, regulations, and guidances.

Click Here for the Original Article

FTC Approves Compulsory Process for AI-related Products and Services

On November 21, the FTC voted 3-0 to approve the omnibus resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that use or claim to be produced using artificial intelligence (AI) or claim to detect its use. The resolution will make it easier for FTC staff to issue civil investigative demands (CIDs), which are a form of compulsory process similar to a subpoena, in investigations relating to AI, while retaining the Commission’s authority to determine when CIDs are issued. This resolution will be in effect for 10 years.

Putting It Into Practice: The FTC’s resolution fits into a broader push by the Biden Administration to establish new standards for AI safety and security. The FTC is likely to continue scrutinizing AI practices and make companies responsible for any harm they cause to consumers or competition, including as a result of products or services that claim to involve AI. The resolution aims to enhance the FTC’s ability to monitor and enforce compliance with existing laws and regulations that apply to AI, such as the FCRA, the COPPA and the FTC Act’s prohibition against UDAPs. Note the FTC approved an earlier omnibus compulsory process resolution in September 2021 related to investigations involving unfair or deceptive acts or practices relating to algorithms, including bias in algorithms in violation of Section 5 of the FTC Act. Companies utilizing AI should verify that they have proper AI policies and procedures to evaluate their practices.

On November 16, 2023, New York Governor Kathy Hochul signed a bill into law requiring records of certain past criminal convictions to be sealed. The legislation is intended in part to prevent discrimination in hiring against previously incarcerated individuals who have satisfied their sentences.

Quick Hits

  • The Clean Slate Act calls for eligible misdemeanor convictions to be sealed after three years from an individual’s satisfaction of a sentence and eligible felony convictions to be sealed after eight years from an individual’s satisfaction of a sentence.
  • The New York State Human Rights Law has been amended to prohibit discrimination based on a sealed conviction, subject to limited exceptions.
  • The law will likely have an impact on employer background checks and hiring practices.

Click Here for the Original Article

Minimum Wage Increase of 20% in Mexico by 2024

The minimum wage in Mexico will reach $374.89 pesos per day in the Northern Border Zone and $248.93 pesos per day in the rest of the country starting next year.

On December 12, 2023, a resolution was published in the Federal Official Gazette (“Diario Oficial de la Federación”) establishing a 20% increase in the minimum wage in Mexico. The Council of Representatives of the National Commission of Minimum Wages (CONASAMI) on December 1, 2023, resolved to increase the general minimum wage as of January 1, 2024.

Therefore, as of January 1, 2024, the minimum wage will be as follows:

  • Northern Border Zone: $374.89 pesos per day
  • Rest of the country: $248.93 pesos per day

The increase in the minimum wage in Mexico may affect employers and businesses in various ways, depending on several factors, including the size of the company, the sector in which it operates and the financial capacity of the company.

An increase in the minimum wage implies higher labor costs for companies, as they will have to pay higher wages to their employees. This may particularly affect small and medium-sized companies with tight profit margins.

Increases in minimum wages may also contribute to inflation, as companies may pass on some of these additional costs to the prices of the goods and services they offer. This can affect consumers and the economy as a whole.

One of the most direct benefits is the improvement in the purchasing power of minimum wage workers. By increasing their income, workers have the ability to purchase more goods and services, improving their quality of life.

Finally, the implementation and impact of a minimum wage increase depend on several factors, and balancing the interests of workers and businesses is crucial to achieving sustainable and equitable economic growth.


© 2024 ClearStar. All rights reserved. – Making copies of or using any part of the ClearStar website for any purpose is prohibited unless written authorization is first obtained from ClearStar. ClearStar does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.




Nicolas Dufour - EVP and General Counsel, Corporate Secretary

Nicolas Dufour serves as EVP, General Counsel, corporate secretary, privacy officer, and a member of the executive management team for ClearStar. He is proficient in the FCRA, GLBA, Privacy Shield, and GDPR compliance, as well as other data privacy regimes and publicly traded companies' governance. He is responsible for managing all legal functions to support the evolving needs of a fast-paced and rapidly changing industry. His position includes providing legal guidance and legal management best practices and operating standards related to the background screening industry, federal, state, and local laws and regulations, legal strategic matters, product development, and managing outside counsel. He represents the company in a broad range of corporate and commercial matters, including commercial transactions, M&A, licensing, regulatory compliance, litigation management, and corporate and board governance. He researches and evaluates all aspects of legal risks associated with growth into different markets. He assists the management team in setting goals and objectives in the development, implementation, and marketing of new products and services. He advises and supports management, the Board of Directors, and operating personnel on corporate governance, company policies, and regulatory compliance.

At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, regions, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice, and this communication does not form an attorney-client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact general research, and this area is evolving rapidly. ClearStar expressly disclaims any warranties or responsibility or damages associated with or arising out of the information provided herein.
