July 2018 Screening Compliance Update


Federal Developments

FTC Enforcement
On July 2nd, the FTC announced a settlement with California-based company, ReadyTech Corporation, for allegedly falsely claiming it was in the process of being certified as complying with the EU-U.S. Privacy Shield agreement. According to the FTC, ReadyTech, which provides online training services, falsely claimed on its website that it is “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework,” in violation of the FTC Act. The company initiated an application in October 2016 to the Department of Commerce to participate in the Privacy Shield framework but failed to complete the necessary steps. Under the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization; and must also comply with standard reporting and compliance requirements.

NY Federal Court Rules That Consumer Financial Protection Bureau Is Unconstitutional
Last week, a federal court in New York ruled that the entire Consumer Financial Protection Bureau (“CFPB”) is unconstitutional. The CFPB was established by Congress in response to the 2007-2008 financial crisis to regulate financial institutions and protect consumers, especially with respect to mortgages, credit cards, and student loans. Although the CFPB has refrained from regulating virtual currencies and other distributed ledger technologies, that could change as these technologies are applied to mortgages, loans, and other areas of consumer finance. The court’s ruling is notable for its lack of analysis. Although it exceeds 100 pages, the court devotes fewer than 2 pages to the constitutionality of the CFPB. The analysis begins by rejecting, without explanation, a recent federal court of appeals decision in PHH Corp. v. CFPB, which held that the CFPB is, in fact, constitutional. Instead, the ruling combines different parts of two dissenting opinions in PHH Corp. It adopts the legal reasoning of the first dissent but rejects its remedy. Its preferred remedy, striking down the entire CFPB, comes from the second dissent, which was supported by only 1 of 10 judges who decided PHH Corp. In other words, the analysis consists of opinions already rejected by the court of appeals. Typically, this ruling would have few practical consequences. It is not precedent for other courts and, given its contradiction of the court of appeals, will likely be overturned. The Trump administration, however, is critical of the CFPB and may choose to accept the ruling. Doing so might encourage more lawsuits against the CFPB, embolden the agency’s critics, and make it easier for other courts to find the CFPB unconstitutional.

EEOC Continues to Focus on Disability Discrimination Affecting Individuals in Drug Rehab Programs

The ADA and Drug Rehabilitation Programs
The Americans with Disabilities Act (ADA) recognizes that an employee or candidate who is currently engaging in the illegal use of drugs (prescription or otherwise) is not a “qualified individual” with a disability. Individuals, however, are protected by the ADA from discrimination on the basis of past drug addiction. A “qualified individual” may be an individual who has successfully completed a supervised drug rehabilitation program or is currently participating in a supervised rehabilitation program and is no longer engaging in illegal drug use. A rehabilitation program may be an in-patient, out-patient, or employee assistance program, or a recognized self-help program.

EEOC Implications
Under 42 U.S.C. section 12117(a), the EEOC is “charged with the administration, interpretation and enforcement of Title I of the ADA.” In the last few years, the EEOC has filed various lawsuits against employers for allegedly discriminating against candidates or employees who are participants in supervised rehabilitation programs. One recent case is illustrative. In Equal Opportunity and Employment Commission v. Steel Painters (case number 1:18-cv-00303, in the U.S. District Court for the Eastern District of Texas), Steel Painters hired Matthew Kimball as a journeyman painter in September 2016. He was required to take a pre-employment drug and alcohol test a few days before beginning his new job.

When Kimball learned the drug test came back “positive,” he provided the laboratory with a copy of his prescription for methadone as well as a letter from Texas Treatment Services confirming his treatment at the center. The lab then changed the test result to “negative.” Steel Painters’ human resources manager, however, would not let Kimball return to his job until his doctor filled out a specific form. The center told Kimball its policy was to not fill out third party forms on its patients. Even though the doctor wrote a letter detailing Kimball’s treatment and inviting the manager to call the clinic’s offices if more detailed information was needed, the human resources representative refused to call, and Kimball was discharged shortly thereafter. On June 28, 2018, the Equal Employment Opportunity Commission (EEOC) sued Steel Painters, LLC, (a painting company located in Beaumont, Texas), alleging it unlawfully discharged an employee because it regarded him as disabled and because of his disability. According to the EEOC’s complaint, Kimball sustained a shoulder and arm injury in 2012 and oxycodone was one of the prescribed medicines for managing his pain. The complaint alleges he became addicted to the opioid pain medication, which “caused physiological and psychological effects that substantially limited, among other things, his neurological and digestive functions.” Kimball became a patient of Texas Treatment Services, a drug rehabilitation clinic, in February 2015. Since then, he has been prescribed methadone from the facility, has visited a counselor at least once per month, and has taken drug tests. 
The EEOC alleges it “engaged in communications with Steel Painters to provide [them] the opportunity to remedy the discriminatory practices.” The Commission, however, deemed it was unable to reach a prelitigation settlement through its “conciliation process.” The EEOC seeks a permanent injunction prohibiting Steel Painters from engaging in any future disability discrimination and “specifically from discriminating against workers whose disabilities necessitate the use of methadone pursuant to a supervised treatment program.” Additionally, the EEOC is seeking back pay, compensatory and punitive damages, and other relief (including rightful-place hiring, or in the alternative, front pay) on Kimball’s behalf.

Key Takeaways
In a concerted effort, the EEOC is continuing to file lawsuits against employers that take adverse actions against candidates and employees who are participating in supervised medication-assisted treatment programs. Employers may want to think carefully about their treatment of candidates and employees who are using drugs for their past drug addictions. Employers may amend their written drug use policies to include clear exclusions for individuals who are using legally-obtained prescription medications in a lawful manner and train managers who evaluate candidates and employees on such matters. Further, when reviewing candidates or employees, employers may conduct individualized assessments to determine whether the candidate or employee’s lawful use of a prescription medication poses a direct threat to the individual or others, and whether the individual can safely perform the essential functions of his or her position with or without reasonable accommodation.

State Developments

California Enacts Sweeping New Privacy Law
On June 28, 2018, California Gov. Jerry Brown signed into law the California Consumer Privacy Act (CCPA or “the Act”), which is the broadest and most comprehensive privacy law enacted in the United States to date. The CCPA will affect any organization collecting or storing data about California residents and may effectively set the floor for nationwide privacy protection, since organizations may not want to maintain two privacy frameworks—one for California residents and one for all other citizens. In general, the CCPA will give consumers more information and control over how their data is being used and requires companies to be more transparent in their handling of personal information. Importantly, the CCPA does not go into effect until January 1, 2020. As discussed below, the California legislature passed CCPA fairly quickly to avert a proposed California ballot initiative in November 2018 that sought to impose even more stringent privacy regulations. Some have argued that the rush to pre-empt the November ballot left CCPA with ambiguities that will need to be resolved over time and that the Act, as currently drafted, may not be the final law that goes into effect. California has frequently been at the forefront of privacy regulation in the United States. In 2002, California was the first state to enact a security breach notification law, which became a model for similar laws passed by a number of other states. Similarly, in 2015, the state passed the California Online Privacy Protection Act (COPPA) and the Electronic Communications Privacy Act (ECPA). As with the security breach notification law, these two laws have served as model regulations emulated by other states.

Overview of the Law
The intent of the CCPA is to provide California consumers the right to: (1) know what personal information is being collected about them; (2) know whether their personal information is sold or disclosed and to whom; (3) prohibit the sale of their personal information; (4) access their personal information; and (5) receive equal service and price, even if they exercise their privacy rights.

Effective Date of the CCPA
The CCPA will not become effective until January 1, 2020. Until that time, the California attorney general will be responsible for issuing a number of different regulations and interpretations of the law. In addition, the California legislature is likely to pass a variety of technical corrections and clarifications of the law to address issues and ambiguities that have been raised by consumers and businesses.

Covered Business Entities
The CCPA applies to entities that conduct business in California that either directly or indirectly control personal information collection, or that control or are controlled by such an entity and share common branding, and that meet one or more of the following criteria:

  • Have annual gross revenues in excess of $25 million, adjusted for inflation;
  • Derive 50 percent or more of their annual revenues from selling consumers’ personal information; or
  • Annually buy, receive for a commercial purpose, sell or share the personal information of 50,000 or more consumers, households or devices.

For the purposes of this summary, we refer to these as “Business Entities.”

Information Subject to the Law
The CCPA defines personal information broadly—far more broadly than, for example, various state laws on data breach notification. Under the CCPA, personal information means information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The law goes on to give a number of different examples of personal information that is subject to the law, including:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number or other similar identifiers;
  • Information about a consumer’s physical characteristics or descriptions, education or any other financial, medical or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records;
  • Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • Internet or other electronic network activity information, including browsing history, search history and information regarding a consumer’s interaction with an internet website, application or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory or similar information;
  • Professional or employment-related information;
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act; and
  • Inferences drawn from any of the above information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

Publicly available information is excepted from this definition, but that term is narrowly defined and appears to be limited to information that is available through government offices and not, for example, online through private services. Personal information is not limited to information relating to a consumer but includes that relating to a “household” and thus could include such data as utility usage or delivery history. Further, despite the apparent narrowness of the term, the law does not limit a “consumer” to a purchaser of products or services but rather defines it to include any resident of California, whether or not there is any business relationship between the company and the individual or household.

The CCPA does not, however, apply to personal information subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, or to medical information governed by California’s Confidentiality of Medical Information Act or the rules established under the Health Insurance Portability and Accountability Act (HIPAA).

Obligations for Business Entities Under CCPA

The CCPA requires Business Entities to disclose, upon request from a consumer, a significant amount of information about that consumer’s personal information, specifically:

  • The categories and particular pieces of personal information that are collected, sold or disclosed about a consumer;
  • The categories of sources from which that information is collected;
  • The business purposes for collecting or selling that information; and
  • The categories of third parties with which the information is shared.

The request must be a “verifiable consumer request”—a request made by the consumer or a representative of the consumer that can be reasonably verified by the Business Entity. The California attorney general is to promulgate regulations as to what is a verifiable consumer request.

In addition to responding to these specific requests, Business Entities must also make some information generally available. Specifically, they must make an online disclosure—including in their general privacy policy or any California-specific description of privacy rights—of certain information about the CCPA, including: (1) a description of the consumer’s rights under the Act; and (2) a list of categories of personal information collected, sold to a third party or disclosed for business purposes. Business Entities must update this disclosure at least annually.

Access and Portability
The CCPA allows consumers the right to access a copy of the specific pieces of personal information that a Business Entity has collected about that consumer. The Business Entity is to deliver this information “in a readily useable format that allows the consumer to transmit [the] information from one entity to another entity without hindrance.” In effect, this requirement gives consumers a data portability right since they can migrate their personal information from one service provider to another offering similar services.

The CCPA requires Business Entities to provide two or more designated methods to request a copy of this information. At a minimum, these must include a toll-free number and, if the business has a website, a website address.

Deletion Requests
Beyond disclosure, Business Entities must also honor a consumer’s verified request to delete their personal information. In honoring this request, the Business Entity must also direct service providers to delete information held on the Business Entity’s behalf. Business Entities may only refuse to delete such information under certain defined circumstances, some of which are relatively clear and some of which are not. Specifically, Business Entities may refuse to delete information if retaining the information is necessary in order to:

  • Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
  • Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, or prosecute those responsible for that activity;
  • Conduct debugging to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
  • Comply with the criminal proceeding requirements under the California Electronic Communications Privacy Act pursuant to the California Penal Code;
  • Engage in public or peer-reviewed scientific, historical or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the Business Entity’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
  • Comply with a legal obligation; or
  • Otherwise use the consumer’s personal information internally in a lawful manner that is compatible with the context in which the consumer provided the information.

In addition, if a verified consumer request is “manifestly unfounded or excessive” (including if it is repetitive), a Business Entity may either charge a reasonable fee for the deletion or refuse to act on the request and notify the consumer of the reason for refusing the request.

Right to Opt Out
Business Entities must also provide consumers the right to opt out of the sale of their personal information. This right must be made clear to the consumer through a clear and conspicuous link on the Business Entity’s homepage titled “Do Not Sell My Personal Information,” as well as a link to the relevant privacy policies. Business Entities, under the CCPA, must respect a consumer’s decision to opt out of the sale of their personal information for at least 12 months before requesting the consumer to reauthorize the sale of personal information. The CCPA provides for additional regulations for personal information of children under the age of 16, including a requirement that they (or their parent for children under 13) affirmatively opt in to the sale of their information.

No Discrimination
The CCPA forbids Business Entities from discriminating against consumers with respect to prices, scope of services or denial of services based on the consumer’s exercise of his or her rights under the CCPA. There are, however, some key exceptions to this prohibition that seem to undermine the prohibition itself.

First, the Business Entity may charge different prices or provide a different level of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.”

Second, the Business Entity may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information or the deletion of personal information. It may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data. In either of these cases, the consumer must affirmatively opt in to these financial incentives, after receiving a notice that meets certain specific requirements.

Operational Changes
The CCPA also requires Business Entities to provide a privacy policy, which it must update at least every 12 months, describing:

  • The consumer’s rights under the CCPA, together with one or more methods for submitting requests;
  • A list of the categories of personal information it has collected about consumers in the preceding 12 months;
  • A list of the categories of personal information it has sold about consumers in the preceding 12 months; and
  • A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months.

Business Entities must ensure that all individuals who are responsible for handling consumer inquiries about their privacy practices or compliance are informed of the Business Entity’s obligations and how to direct consumers to exercise their rights under the CCPA.

With the exception of when there is a data breach (as discussed below), the CCPA does not provide for a private right of action. Instead, enforcement is by the California attorney general. Business Entities that do not cure a violation within 30 days of notice from the attorney general are subject to the following statutory damages:

  • Damages of up to $2,500 per violation for those violation(s) in which a Business Entity did not cure within the 30-day window; and/or
  • Damages of up to $7,500 per violation for those intentional violation(s) of the CCPA.

Note that it is not clear from the CCPA itself whether “per violation” means per record or per incident, so it is not clear whether a single incident involving 100 records would be subject to, for example, $2,500 in liability or $250,000 in liability. There is some evidence that the legislature intended the latter (specifically, in the Senate Floor Analysis, which refers to damages being applied per consumer per incident), but it is not conclusive.

Consumers have a potential civil right of action against Business Entities if there has been unauthorized access and exfiltration, theft or disclosure of certain categories of nonencrypted or nonredacted personal information due to failure to implement reasonable security procedures and practices. Consumers may institute a civil action to do any of the following:

  • Recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater;
  • Obtain injunctive or declaratory relief; or
  • Obtain any other relief the court deems proper.

If a consumer wishes to bring a private claim or class action for statutory damages, they must provide the Business Entity with 30 days’ written notice. If the Business Entity cures the breach within 30 days, it can avoid those damages. This notice is not required for a claim of actual damages. If the Business Entity does not cure the breach, consumers must notify the California attorney general, who must do one of the following within 30 days:

  • Notify the consumer of the attorney general’s intent to prosecute the violation (if the attorney general does not prosecute within six months, the consumer may proceed with the action);
  • Refrain from bringing an action (in which case the consumer can proceed immediately); or
  • Notify the consumer(s) that they may not proceed with the action.

It is not clear from the CCPA itself whether a decision by the attorney general to proceed with an action precludes the consumer from bringing a separate action, but that was likely the Act’s intent.

In the context of security breaches, personal information is defined more narrowly than for other provisions of the Act. For purposes of security breach provisions, personal information means a consumer’s first name or first initial and his or her last name and one of the following:

  • Social Security number;
  • Driver’s license number or California identification card number;
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account;
  • Medical information; or
  • Health insurance information.

It is not clear from the CCPA itself whether this right of action is intended to be limited to the typical security breach that is the subject of various data breach notification statutes. Conceivably, this right of action applies to more general failure to follow the Act’s requirements for notification and consent prior to a sale of personal information, or for deletion of personal information if that information is later made available to employees or third parties.

The CCPA also makes it far easier for consumers to sustain a data breach claim under the Act by not requiring that consumers make a showing of harm from the incident. The inability of consumers to establish any harm has, to date, resulted in the dismissal of many data breach cases for lack of standing.

Comparison With the GDPR
Many companies have recently completed internal revisions to their policies and procedures in order to comply with the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018. Now faced with the CCPA, many wonder whether compliance with GDPR will largely also satisfy compliance with the CCPA. Unfortunately, while there are some broad similarities between the two laws, compliance with one is not likely to result in compliance with the other.

Similar to the CCPA, the GDPR promises to strengthen data protection and privacy for individuals and sets forth considerable penalties for companies that fail to comply. The GDPR and the CCPA also both seek to codify certain consumer rights, such as the deletion of personal information and data portability.

However, the CCPA and the GDPR are different in execution and with respect to some specific details:

  • The CCPA’s definition of personal information is more extensive than that in the GDPR;
  • The CCPA includes a variety of specific requirements that are not present in GDPR, such as specific disclosures and the use of certain communication channels (such as toll-free phone numbers);
  • The CCPA and GDPR have different approaches to the issue of personal information deletion, including arguably broader rights to request deletion under the CCPA and different exceptions under the two laws;
  • The CCPA also includes arguably broader rights to access personal information held by a Business Entity than does the GDPR and does not provide all of the exceptions available under the GDPR; and
  • The CCPA includes more stringent restrictions on sharing personal information for commercial purposes than does the GDPR.

Therefore, it is unlikely that compliance with the GDPR will necessarily result in compliance under the CCPA. Business Entities that are GDPR-compliant must carefully consider the particular rights, obligations and exceptions under the CCPA.

ClearStar Note: Please see the specific carve-out language in the Act at Section 1798.145:
(c) This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.
(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that act.

California Attempts to Clarify Salary History Ban Legislation
When AB 168 was signed into law in October 2017, California prohibited employers from asking job candidates for “salary history information.” Under this legislation, California employers must provide “candidates” with the “pay scale” for a position upon “reasonable request.” The law was rather unclear, however, about what each of these three terms meant. On July 18, 2018, Governor Brown signed new legislation, Assembly Bill 2282, designed to clarify those terms and other items in AB 168.

For example, under AB 168, it was not clear whether the term “candidate” meant only external candidates for a position or also current employees applying for the position. AB 2282 clarifies that a “candidate” is an individual who seeks employment with the employer, not a current employee.

Next, it was not clear what information an employer would have to supply when a reasonable request was made for the “pay scale” of a position. AB 2282 defines “pay scale” as a salary or hourly wage range and clarifies that the definition of “pay scale” does not include bonuses or equity ranges.

AB 2282 also clarifies what constitutes a “reasonable request” for pay scale information. A “reasonable request” is defined as a request made after the candidate has completed the initial interview.

Additionally, AB 2282 clarifies that although AB 168 prohibits employers from asking for the candidate’s salary history information, employers may ask about a candidate’s salary expectations for the position.

The new legislation addresses aspects of the California Equal Pay Act as well. It was unclear under what circumstances an employer could use prior salary to justify a disparity in pay. The new legislation attempts to clarify this: “Prior salary shall not justify any disparity in compensation. Nothing in this section shall be interpreted to mean that an employer may not make a compensation decision based on a current employee’s existing salary, so long as any wage differential resulting from that compensation decision is justified by one or more of the factors listed in this subdivision.” Those factors are (1) a seniority system, (2) a merit system, (3) a system that measures earnings by quantity or quality of production; and (4) a bona fide factor other than race or ethnicity, such as education, training, or experience.

California Fair Employment and Housing Commission Expands National Origin Protections
On July 1, 2018, new Fair Employment and Housing Commission regulations expanded the definitions of “national origin” under the Fair Employment and Housing Act (“FEHA”). The regulations increase the number of employees protected under the FEHA, restrict English-only and English-proficiency requirements, and limit actions employers may take regarding immigration status.

The FEHA applies to public and private employers with more than five employees in California, as well as labor organizations and employment agencies. It prohibits discrimination and harassment against employees (and job candidates) who fall into defined “protected categories.” It also prohibits retaliation against employees or candidates who assert their rights under the law. National origin is one of the protected categories under the FEHA. The new regulations appear in Title 2 of the California Code of Regulations, Article 4.

Expanded Definition of “National Origin”
The FEHA does not define “national origin.” Rather, under prior case law, “national origin” meant “the country where a person was born” or “the country from which his or her ancestors came.” The regulation (2 C.C.R. § 11027.1) now defines “national origin” expansively to include all of the following actual or perceived characteristics:

(1) Physical, cultural, or linguistic characteristics associated with a national origin group;
(2) Marriage to or association with persons of a national origin group;
(3) Tribal affiliation;
(4) Membership in or association with an organization identified with or seeking to promote the interests of a national origin group;
(5) Attendance or participation in schools, churches, temples, mosques, or other religious institutions generally used by persons of a national origin group; and
(6) A name that is associated with a national origin group.

As with other categories under the FEHA, protection extends to an individual’s “actual or perceived” national origin. Accordingly, an individual may be protected even if he or she is not actually a member of a particular national origin group.

The regulations also explain that “national origin groups” include any ethnic groups, geographic places of origin, and countries that are not presently in existence. Thus, an employee’s national origin group could include a country (e.g., Mexico), a former country (e.g., Yugoslavia), or a place that is closely associated with an ethnic group but is not a country (e.g., Kurdistan). The new definitions prohibit height and weight requirements that disproportionately affect members of one national origin group. Such requirements must be related to the job and justified by a business necessity. Moreover, the requirement may still be considered unlawful if the candidate or employee can show that the purpose of the height or weight requirement can be achieved another way.

English-Only Policies
In addition to redefining “national origin,” the new regulations confirm the State’s broad restrictions on workplace language policies. Under the FEHA, workplace language restrictions are unlawful unless the restriction is justified by a “business necessity” and the employer has notified employees of the time and circumstances when the restriction must be observed and the consequence for violating it. (Government Code § 12951.) The new regulations go further by stating language restrictions are unlawful unless the restriction is also “narrowly tailored.” A “business necessity” is defined as “an overriding legitimate business purpose,” such that (1) the language restriction is necessary to the safe and efficient operation of the business; (2) the language restriction effectively fulfills the business purpose it is supposed to serve; and (3) there is no alternative practice to the language restriction that would accomplish the business purpose equally well with less discriminatory impact. Notably, the restriction may not be based on “business convenience” or customer or coworker preference. And a language restriction is “never lawful” during an employee’s non-working time, including breaks, lunch, and unpaid events sponsored by the employer. The regulation clarifies that discrimination against an employee based on his or her accent is unlawful, unless the employer can show the accent “interferes materially” with the employee’s ability to perform the job.

Moreover, an employer may not discriminate against an employee based on English proficiency, unless the action is justified by “business necessity.” In this context, proficiency must be required to effectively perform the duties of the job. In deciding whether proficiency is necessary, employers should consider the type of proficiency needed for the job (spoken, written, aural, reading comprehension), the level of proficiency needed, and the job’s specific duties. However, employers can ask candidates or employees for information about their proficiency in any language, if there is a business necessity for doing so.

Inquiries into Immigration Status
One of the more complex aspects of the new regulations involves an employer’s verification of work eligibility. The new rules specify that employers may not inquire into a candidate’s or employee’s immigration status unless required by federal law. Under the Immigration Reform and Control Act of 1986 (IRCA), employers must verify work eligibility using federal Form I-9. However, any inquiry not authorized by IRCA or another federal law may violate FEHA regulations.

The new regulations specify that employers may not take adverse action against an employee who updates or attempts to update personal information based on a change of name, social security number, or employment documents. However, IRCA prohibits knowingly hiring or continuing to employ an “unauthorized alien.” Employers may thus find themselves in a difficult situation and are strongly encouraged to consult with legal counsel before acting in this circumstance. Threatening to contact immigration or federal law enforcement authorities against an employee or candidate may constitute unlawful harassment or retaliation under the FEHA.

San Francisco Amendment to Fair Chance Act
Employers in San Francisco are now prohibited from asking prospective employees about arrest or conviction records on a job application. The amendments to the Fair Chance Ordinance (FCO) will take effect on October 1, 2018. The law will apply to employers that employ 5 or more persons, instead of the current threshold of 20 employees. Employers will be prohibited from considering a conviction in the juvenile justice system, an offense other than a felony or misdemeanor (such as an infraction), a conviction that has been dismissed or expunged, or a conviction that is more than 7 years old. The changes to the FCO also increase the penalties and provide for a private right of action by employees and candidates.

California Voter Registration Data Requirement
On July 16th, California enacted A.B. 1678, which requires people and organizations that have California voter registration data to report security breaches affecting the storage of that information. The legislation requires the Secretary of State to adopt regulations describing best practices for storage and security of voter registration information.

Recreational Marijuana in Massachusetts: What Should Employers Know?
Beginning July 1, 2018, recreational marijuana can be legally sold, taxed, and consumed in Massachusetts—one of nine states, in addition to Washington, D.C., that now permit recreational marijuana use. Massachusetts already is one of 29 states that allow marijuana use for medicinal purposes (and 17 others permit certain low-THC cannabis products for medical reasons).

Legalization of recreational marijuana started in 2016 with a ballot initiative by Massachusetts voters. The Regulation and Taxation of Marijuana Act (“Marijuana Act”), which took effect on December 15, 2016, provides that “[t]his chapter shall not require an employer to permit or accommodate conduct otherwise allowed by this chapter in the workplace and shall not affect the authority of employers to enact and enforce workplace policies restricting the consumption of marijuana by employees.” Thus, while the Marijuana Act expressly permits employers to prohibit employees from using or being under the influence of marijuana in the workplace, it does not address whether an employer can regulate employees’ lawful use of marijuana off duty.

How Might a Court Rule if an Employer Banned Off-Duty Recreational Marijuana Use?
Employers may terminate an employee for off-duty and/or off-site recreational marijuana use because Massachusetts, unlike a number of other states, has no statutory protection for employees’ lawful off-duty conduct, such as smoking.

There are, however, other claims an aggrieved candidate or employee might bring absent the off-duty conduct statute protections. In one case, an employee who was terminated by his employer for violation of the company’s non-smoking policy when he tested positive for nicotine brought a case claiming a right to privacy. See Rodrigues v. EG Sys., 639 F. Supp. 2d 131, 133 (D. Mass. 2009). A federal court dismissed the plaintiff’s claims that the employer violated his right to privacy because the plaintiff made no attempt to keep his smoking private: he testified to smoking outdoors and purchasing cigarettes with coworkers. Id.

In Barbuto v. Advantage Sales and Marketing, LLC, a 2017 decision by the Massachusetts Supreme Judicial Court, a new hire disclosed a prescription for medical marijuana she used for Crohn’s Disease. 78 N.E. 3d 37, 42 (Mass. 2017). HR personnel informed her that her prescribed, off-duty use would be acceptable; however, when she tested positive after working for one day, the company terminated her employment.

The Barbuto court permitted the employee’s reasonable accommodations claim. Specifically, the court held that although marijuana use is still illegal at the federal level, the public policy of Massachusetts prioritizes accommodating workers with disabilities.

Although the use of medical marijuana could be considered a public policy concern under certain circumstances, given that an employee may be discharged for the off-duty conduct of smoking cigarettes, it is unlikely that Massachusetts courts would protect employees who test positive for recreational marijuana use. Unlike medical marijuana use, recreational marijuana use likely does not implicate public policy considerations because the use of medical marijuana has health benefits related to treating illness and disease, whereas the use of recreational marijuana does not.

With respect to privacy arguments akin to those asserted in Rodrigues, courts might distinguish marijuana from cigarettes for a variety of reasons. In Massachusetts, marijuana consumption in public and in vehicles is prohibited, whereas cigarette smokers have greater freedom to smoke outdoors and in vehicles. Additionally, marijuana, unlike cigarettes, is still illegal under federal law.

How Can Massachusetts Employers Manage Employees While Avoiding Legal Risks of Employees Using Recreational Marijuana?
Although neither the law nor the applicable regulations address employee-employer rights in the context of recreational marijuana, and it is too soon for the courts to have weighed in, employers likely have the right to terminate an employee for recreational marijuana consumption, even where that consumption occurs off duty and/or off-site. To minimize any risk that an employee may bring a viable legal claim resulting from the termination of employment or rescission of a conditional offer of employment due to a positive drug test, employers should consider the following:

  1. Employers that continue to enforce zero tolerance policies and either decline to hire or terminate individuals for marijuana use should articulate to employees that the test will screen for marijuana, and clearly define “illegal” drugs as those banned under federal, state, or local law to avoid conflicts regarding its legal status in Massachusetts.
  2. As recreational use becomes more prevalent in Massachusetts, in light of the Marijuana Act, talent pool considerations may favor loosening drug-testing policies, at least for certain positions.
  3. Though Massachusetts law currently permits pre-employment drug screening for any reason (as long as it is non-discriminatory), employers may choose to eliminate standardized testing policies and instead opt to test only upon “reasonable suspicion” that the employee is under the influence at work.
  4. Multistate employers should update employee handbooks with particular emphasis on any changes made to their drug-testing policies and decide whether they plan to standardize testing across the company or enact carve-outs for recreational marijuana states.
  5. Notwithstanding the above, because health care employers in particular face safety issues and high risks associated with patient care, those considerations may weigh in favor of enforcement of zero tolerance and standardized testing policies—particularly with respect to recreational marijuana—in patient-care and other safety-sensitive positions.
  6. Employers in highly regulated industries, such as health care and transportation, should be aware of additional regulations that govern drug testing in their industries.
  7. Drug-testing policies should make clear that on-the-job marijuana consumption or being under the influence of marijuana remains against company policy. Further, employers wishing to prohibit off-duty or off-site recreational consumption should expressly state that such conduct may result in discipline or termination of employment.


Oklahoma Becomes the 30th State to Legalize Medical Marijuana
On June 26, 2018, voters in Oklahoma approved a ballot initiative to legalize medical marijuana (which remains illegal under federal law). The law becomes effective on July 26, 2018, giving the state a month to implement seller, grower, packaging, transportation, research, and caregiver licenses and other requirements. The law permits physicians to recommend marijuana for any condition and prohibits discrimination against medical marijuana users. Under the new law, candidates for a medical marijuana license must be 18 years or older. The law permits a minor to apply if the application is signed by two physicians and a parent or legal guardian. Applications for a medical marijuana license must be signed by an Oklahoma board-certified physician. Unlike in other states, there are no qualifying conditions that an individual must have before obtaining medical marijuana. Instead, “a medical marijuana license must be recommended according to the accepted standards a reasonable and prudent physician would follow when recommending or approving any medication.” The law provides that no physician “may be unduly stigmatized or harassed” for signing a medical marijuana license application. Employers are generally prohibited from discriminating against medical marijuana license holders. The law provides that, “unless a failure to do so would cause an employer to imminently lose a monetary or licensing related benefit under federal law or regulations,” an employer may not discriminate against a person in hiring, termination or imposing any term or condition of employment, or otherwise penalize a person solely based upon the person’s status as a medical marijuana license holder. Additionally, employers may not act against the holder of a medical marijuana license solely based upon the results of a drug test showing positive for marijuana or its components.
Employers may act against a medical marijuana license holder if the holder uses or possesses marijuana while in the holder’s place of employment or during the hours of employment. Further, no school or landlord may refuse to enroll or lease to and may not otherwise penalize a person solely for his or her status as a medical marijuana license holder, unless failing to do so would imminently cause the school or landlord to lose a monetary or licensing related benefit under federal law or regulations. And no person holding a medical marijuana license may unduly be withheld from holding a state issued license by virtue of their being a medical marijuana license holder. According to the law, “this would include such things as a concealed carry permit.” Finally, the new law protects “any device used for the consumption of medical marijuana.” These devices are deemed legal to be sold, manufactured, distributed and possessed. “No merchant, wholesaler, manufacturer, or individual may unduly be harassed or prosecuted for selling, manufacturing, or possession of medical marijuana paraphernalia.” It is unclear whether an employer can discipline an employee who possesses—but who does not use—medical marijuana paraphernalia at work. According to Oklahoma Governor Mary Fallin, the law “is written so loosely that it opens the door for basically recreational marijuana.” It remains to be seen whether additional legislation or regulations will provide more guidance and clarity on the law.

Employer Drug-Testing in Oklahoma
Oklahoma’s medical marijuana laws dictate that an employer cannot discriminate against a person in hiring or termination, or otherwise penalize a person due to the person’s status as a medical marijuana holder or as a result of a positive marijuana test. So now that Oklahoma has gone green and created such limitations on employers, how will that impact employer drug testing policies?

To put it bluntly, nothing in the new law seems to specifically prevent or impact the general testing statute which allows for random testing. As an initial matter, to have any protections under the new law, an employee needs to have a medical marijuana license; thus, without the license employees are not protected.

Second, while the law states that an employee cannot be terminated simply because he or she possesses a medical marijuana card or because he or she tests positive for marijuana in a drug screen, the law does not prevent employers from taking into consideration other factors such as any negligent work behavior or bad performance, any injuries the employee has caused in the workplace, or what type of work is being performed. With that said, employers who choose to follow this path are in for a hazy ride. If employers refuse to hire a candidate or choose to terminate or otherwise penalize a pot-licensed employee, the employer puts itself in the difficult position of having to prove that the employer is not relying solely on the test results when making employment decisions.

Third, while the new law provides a carve out for employers—an employer may take action against an employee if it stands to lose a monetary or licensing benefit as a result of employee usage, if federal laws prohibit use of drugs (“DOT”), and if the license holder “uses” or “possesses” marijuana while at work or during hours of employment—the challenge with this statute and other similar ones is proving “use” while at work. Use is difficult to prove because drug tests do not show when employees use marijuana or are under the influence of marijuana. It’s possible for a drug test to come back positive as a result of an employee’s off-duty use of marijuana.

Lastly, nothing in the law discusses whether a collective bargaining agreement may waive any rights in the new law. The Oklahoma general testing law does expressly state that any CBA must have basic protections. However, it is still unclear whether a Union can waive the protections in the law in a CBA.

Accordingly, while nothing in the new law seems to prevent or impact the general testing statute, employers should review their drug-testing policies to ensure compliance with the new laws. And of course, marijuana remains an illegal drug under federal law, so there may be potential preemption issues when it comes to testing.

New Hampshire Adds Gender Identity to List of Protected Classes
New Hampshire recently enacted “An Act Prohibiting Discrimination Based on Gender Identity,” amending the New Hampshire Law Against Discrimination, and prohibiting employer discrimination because of an individual’s “gender identity.” The law will take effect on July 8, 2018. The New Hampshire law defines gender identity as a “person’s gender-related identity, appearance, or behavior, whether or not that gender-related identity, appearance, or behavior is different from that traditionally associated with the person’s physiology or assigned sex at birth.” The law states that “[g]ender-related identity may be shown by providing evidence including, but not limited to, medical history, care or treatment of the gender-related identity, consistent and uniform assertion of the gender-related identity, or any other evidence that the gender-related identity is sincerely held as part of a person’s core identity provided, however, that gender-related identity shall not be asserted for any improper purpose.” New Hampshire joins the other New England states in establishing gender identity as a protected class. There are now 20 states that prohibit discrimination on the basis of gender identity in housing, employment and public accommodations. The federal government differs. By way of memorandum dated October 4, 2017, Attorney General Jeff Sessions announced that the Department of Justice does not believe that gender identity is a per se protected class under Title VII of the Civil Rights Act, reversing a position previously announced under the Obama Administration. New Hampshire employers should review and update their equal employment opportunity policy, anti-harassment policy, applications, and other materials to include this new protected class. In addition, managers and supervisors should be trained on how to respond to gender identity-related conduct and speech in the workplace.

A Felony Conviction is No Longer a Bar to Employment Licensing in Kentucky
Employment is a basic need—everyone has to achieve some form of consistent revenue to survive. Many professions are required by the state to obtain some form of licensure as a means to police their ranks and assure that all those who hold themselves out as members of the profession meet minimum standards. Until 2017, however, many candidates with a felony conviction were barred from receiving occupational licenses, preventing many from finding good jobs in their trained professions. The Kentucky legislature changed all of this in 2017, amending and repealing parts of KRS Chapter 335B, the section of Kentucky statutes that deals with occupational licensing. KRS 335B.040, which allowed licensing authorities to deny licenses to persons without “good moral character,” was repealed completely. KRS 335B.030 was amended so that “a hiring or licensing authority shall not disqualify an individual from pursuing, practicing, or engaging in any occupation for which a license is required solely because of the individual’s prior conviction of a crime.” Felon candidates may still be denied a license, but the licensing authority is now required to demonstrate a connection between the prior conviction and the license being sought. The candidate also has the right to be heard at a hearing, if requested. Additionally, the licensing authority must notify the candidate of the earliest reapplication date and inform the candidate that rehabilitation evidence can be considered upon reapplication. These changes to the law are a positive step for those who have paid their debt to society and are trying to rediscover their places in the world. Expanding employment options for those with felony convictions helps to curb recidivism and breaks down barriers faced by those individuals when entering public life. After all, crime is often born out of hopelessness. Fighting crime at its source means providing better opportunities to alleviate that despair.

Certificate of Relief in NC
North Carolina enacted H.B. 744, which broadens the situations in which individuals convicted of a crime may petition for a “Certificate of Relief” and helps reduce the risks employers may face when hiring ex-offenders. The legislation takes effect in December 2018. In addition, the law protects employers from liability from most employment-related negligence claims when hiring or retaining ex-offenders with a Certificate of Relief if the employer “relied on” the certificate of relief in hiring or retaining ex-offenders, who must notify employers within 10 days of any new conviction.

South Carolina’s New Expungement Law Could Increase Candidate Pool
In an effort to increase the state’s potential workforce, the South Carolina General Assembly passed legislation last week that will expand the state’s current expungement law and allow individuals to more easily remove criminal convictions from their records. The hope is that prospective employees with low-level crimes on their records will no longer be discouraged from applying for jobs; this, then, should make it easier for employers to recruit qualified workers. What do South Carolina employers need to know about this new law?

New Law Goes One Step Beyond Ban-The-Box
Around the country, many states and localities have recently passed “ban-the-box” laws which generally prohibit employers from asking candidates about their criminal record on job applications. Employers covered by these laws are usually allowed to ask about criminal records only after a candidate is selected for an interview or given a conditional offer of employment. Proponents say these laws give offenders an improved chance to reenter the workforce, as employers are forced to first consider a candidate’s qualifications and skills before being swayed by the stigma of a criminal record. While South Carolina does not have a ban-the-box law, the state legislature has instead taken it one step further: the new law will make it easier for persons to erase certain convictions from their records. Current law permits persons to expunge a first-offense, low-level crime carrying a sentence of 30 days or less from their record following a period of good behavior. The new law removes the “first-offense” requirement and also allows persons to erase multiple convictions arising out of the same sentencing hearing if they are “closely connected.” Significantly, the law also allows offenders to expunge first-offense simple drug possession and possession of drugs with intent to distribute crimes. The law applies retroactively to those offenses committed prior to the law’s passage. The bill was backed by several prominent business groups, including many local chambers of commerce. Those groups said the legislation was necessary to expand the potential workforce in the state by removing employment barriers for thousands of offenders. “South Carolina must grow its workforce if our state is to experience continued economic growth and prosperity,” said Greenville Chamber President and CEO Carlos Phillips.
“Simple mistakes, including low-level nonviolent offenses, should not result in lifelong sentences.” The bill was originally vetoed by Governor Henry McMaster on May 19; he said he was unwilling to sign legislation that would have the practical effect of erasing large categories of criminal records and telling employers what they can and cannot consider when making hiring decisions. Both houses of the General Assembly, however, overrode Governor McMaster’s veto by overwhelming margins and passed the legislation on June 27. It will take effect six months after passage, on December 27, 2018.

What Does This Mean for Employers?
From a practical standpoint, South Carolina job candidates with crimes expunged from their record under the new law will most likely not disclose that fact on a job application or during the hiring process. Employers also will be unable to discover the offenses on a commercial criminal background check.

However, employers should be relieved to know that the new legislation provides immunity to employers with respect to any administrative claim or lawsuit related to an employee’s expunged conviction. These often arise in negligent hiring, retention, and supervision claims against employers.

The law makes clear, though, that if employers somehow become aware of an employee’s expunged offense, they may not use this information adversely against the employee. Therefore, employers should refrain from asking candidates to disclose any expunged offenses on applications or during the hiring process, so they do not run afoul of the new law. Although the law does not set out any penalties or specifically allow individuals to sue employers for alleged violations, these issues may develop in the years to come.

Hawaii Joins Salary History Ban Trend
On July 5, 2018, Governor David Y. Ige signed Senate Bill 2351 into law, adding Hawaii to the list of jurisdictions generally prohibiting employers from asking candidates about their prior compensation history. As long as employers have at least one employee in the state, they are covered.

The new law will become effective on January 1, 2019. It covers several topics now common in many of the salary history ban laws:

Prohibited Inquiries: Employers, employment agencies, and their agents (hereafter “Covered Entities”) may not inquire about a candidate’s “current or prior wage, benefits, or other compensation” (hereafter “Salary History”). Employers are specifically prohibited from searching publicly available records or reports to ascertain a candidate’s salary history.

Reliance: Covered Entities are prohibited from relying upon Salary History to determine the candidate’s compensation for the job, except in the case of a voluntary disclosure, addressed below.

Permissible Inquiries: The law states that Covered Entities may discuss candidates’ compensation expectations for the job without violating the law. The law also provides that “objective measure[s] of the candidate’s productivity, such as revenue, sales, or other production reports,” are not off-limits. Further, the law provides that Covered Entities do not violate the law if a background check is used to verify a candidate’s disclosure of non-salary-related information and incidentally discloses a candidate’s Salary History, as long as the Salary History information is not then relied upon to set the compensation for the job.

Voluntary Disclosures: If a candidate “voluntarily and without prompting” discloses Salary History to a Covered Entity, the information can then be considered in setting compensation for the job, and the Covered Entity can verify that information. Of course, employers using salary history to potentially set compensation must exercise caution, both due to evolving federal court jurisprudence (the U.S. Court of Appeals for the Ninth Circuit, which covers Hawaii, issued a relevant ruling earlier this year) and Hawaii’s pre-existing pay equity law.

Current Employees: The law does not apply to “[a]pplicants for internal transfer or promotion with their current employer.”

With the passage of the law, Hawaii also joins the trend of encouraging employee dialogue about wages. The law prevents employers from retaliating against employees who discuss their wages or inquire about wages and also prevents employers from prohibiting employee wage disclosures and discussions.

Like most of the rest of these salary history ban laws, the new Hawaii law does not explicitly address thorny coverage issues, such as how the law applies when the individual resides in one state, the job is in another state, and the employer’s headquarters is in yet another location, or situations involving a mobile workforce.

The law does not have its own separate remedial provision, but does amend Hawaii’s anti-discrimination law, meaning that typical anti-discrimination processes and remedies apply for violations.

An Analysis of Vermont’s Recently Enacted Data Broker Law
The Vermont state legislature recently enacted a first-of-its-kind bill to regulate data brokers—without the signature of its governor, Phil Scott. Following the Equifax data breach, and motivated by a December 2017 report from the Vermont attorney general and Department of Financial Regulation, H.764, An act relating to the regulation of data brokers, ultimately extends to data brokers requirements for information security programs similar to those mandated by the Gramm-Leach-Bliley Act and the Security Rule of the Health Insurance Portability and Accountability Act.

Definition of Data Broker
The law narrowly defines the term “data broker” as “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” To meet the criteria of a data broker, the individual must sell or license brokered personal information which is comprised of one or more computerized data elements such as name, address, date or place of birth, mother’s maiden name, biometric data and the like, as well as “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer (with reasonable certainty) to a third party.” An important limitation on the definition of “data broker” is that the law doesn’t apply to businesses that collect information from their own customers, employees, users or donors, or to businesses that “provide services for consumer-facing businesses and maintain a direct relationship with those consumers, such as a website, ‘app,’ and e-commerce platforms.”

Consumer Protection Requirements
The law applies four approaches to ensuring consumers’ protection: prohibiting the acquisition and use of data for fraudulent purposes; increasing transparency through registration and disclosure; freeing consumers from monetary deterrents; and providing for minimum information security requirements.

Prohibition on Data Use

The Vermont law prohibits the acquisition of brokered PI by fraudulent means and the acquisition and use of brokered PI for the purpose of stalking or harassment, committing fraud (e.g. identity theft, financial fraud, or e-mail fraud), or to engage in unlawful discrimination (including but not limited to employment and housing discrimination).

Annual Registration
Under the law, data brokers who sell or license “brokered personal information” must pay $100 and register annually with the Vermont Secretary of State by January 31 following a year in which a person meets the criteria for being a data broker.

Disclosures to Consumer
Additionally, upon filing, a data broker must provide consumers with the name and primary physical, email and internet addresses of the data broker, how to opt out of first-party and third-party data collection, whether the data broker implements a purchaser credentialing process, and if the business experienced any security breaches within the last year along with the number of individuals affected by the breach. Data belonging to minors is subject to additional disclosure requirements.

Freedom from Monetary Deterrents
Vermont’s new law separately requires credit reporting agencies, not data brokers, to offer consumer credit security freezes and unfreezes free of charge. Consumers can already receive their credit report free once per year from each of the three major credit reporting agencies. Additionally, the law requires higher security requirements for authentication to be able to initiate or lift a credit freeze. This law also creates a one-stop shop for credit freezes in which a credit freeze with one credit reporting agency is required to initiate freezes with other credit agencies.

Requirement for Information Security Program
Data brokers are required to develop, implement, and maintain a comprehensive information security program that is written, readily accessible and able to protect personally identifiable information with administrative, technical and physical safeguards appropriate to the scope and size of the business. Requirements include:

  • Designation of employees to maintain the program.
  • Privacy risk assessments for reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information, with a process for evaluating and improving the effectiveness of the current safeguards for limiting such risks.
  • Record keeping for disciplinary measures for violations of the comprehensive information security program rules.
  • Data minimization and limited employee access to records.
  • Management of third-party vendors.
  • Regular monitoring, review, and update of the security program.
  • Documenting actions taken in response to security breaches and post-incident reviews.

Additionally, the minimum requirements for the information security program should include computer system requirements for secure user authentication protocols including access controls, secure password requirements, encryption or protocols with a higher degree of security, reasonable monitoring of unauthorized access or use of personally identifiable information, and up-to-date system security software and training for employees. The attorney general may adopt rules to implement the new security provisions.

H.764 provides a layered effective date in which the findings and intent of the law, elimination of fees for placing or removing a credit freeze, and future report requirements went into effect immediately following its passage. However, data brokers will have until January 1, 2019, to comply with the annual registration, technical requirements and disclosures to consumers as presented in Chapter 62.

Enforcement of data broker registration is regulated by the Attorney General’s Office and can result in civil penalties, action in the Civil Division of the Superior Court to collect penalties, and appropriate injunctive relief. Failure to meet the new security program requirements can be declared “unfair and deceptive act[s] in commerce.” Lastly, an enforcement action must be brought by both the Attorney General. However, private citizens can seek civil action under credit reporting laws.

Court Cases

Employer May Require Medical Information or Examination Based on Safety Concerns
The U.S. Court of Appeals for the Sixth Circuit held that an employer was entitled to require an employee to submit information from his doctor based upon legitimate safety concerns. In Mitchell v. U.S. Postal Service, the employee suffered from depression, which required him to take a number of medical leaves. Upon his return from his most recent leave, he submitted a note from his doctor that cleared him to return. However, at the same time, the employer received a letter from the employee’s wife that questioned his mental stability and suggested that he would suffer a breakdown if he returned to work. The employer placed the employee on leave and asked him to provide medical documentation to confirm that he posed no threat of harm to himself or others. He refused, and he was eventually terminated. He then sued for violation of the Rehabilitation Act (the corollary to the Americans with Disabilities Act applicable to government employees). The court held that the employer’s concern about workplace safety was a legitimate, nondiscriminatory reason for requesting a medical examination. In so finding, the Sixth Circuit joined at least three other circuits—the Second, Seventh and Eleventh.

Oregon Court Dismisses FCRA Class Claim Against Employer
On June 21, the United States District Court in Oregon dismissed a plaintiff’s class action complaint alleging his potential employer violated the disclosure and pre-adverse action notification requirements of the Fair Credit Reporting Act (“FCRA”). Plaintiff Daniel Walker applied for employment with defendant Fred Meyer, Inc. As part of the application process, Fred Meyer provided Walker with a disclosure form and an authorization form regarding its intent to procure a background report on Walker. Thereafter, Fred Meyer obtained from a background screening company a report that contained negative information on Walker. Fred Meyer provided a pre-adverse action notice to Walker, explaining that he could contact the background screening company about issues regarding the report. The Court’s well-reasoned opinion laid out Walker’s baseless arguments and then systematically dismantled them. Walker claimed the consumer report disclosure language was overshadowed by information about investigative consumer reports, which differ from general consumer reports. Fred Meyer’s disclosure mentioned both reports in the single initial disclosure without distinguishing between the two. However, the disclosure then set out a consumer report disclosure and did not mention a potential investigative report until the final paragraph, which stated “If [the background screening company] obtains any information by interview, you have the right to obtain a complete and accurate disclosure of the scope and nature of the investigation performed.” Contrary to Walker’s argument, the Court found this sentence in fact emphasized that the disclosure was not itself an investigative report disclosure. 
Likewise, the Court rejected Walker’s claim that the authorization form was unlawful because it was “riddled with extraneous information.” The Court differentiated the requirements for the authorization and the disclosure, noting that the statute does not require the authorization to consist solely of the authorization. The Court also found presenting the disclosure as a separate document along with the authorization “did not destroy the stand-alone character of the disclosure.” Walker’s pre-adverse action notice claims did not fare any better. Walker claimed Fred Meyer violated the statute by only directing him to discuss his report with the background screening company. Although the Court found he had Article III standing to bring this claim, it rejected the argument on the merits. The Court found no support suggesting that Fred Meyer’s notice violated the FCRA because it did not inform Walker he could contact the employer directly, or the date by which he must do so. This opinion highlights the importance of carefully following the requirements of the FCRA when obtaining a background report on prospective employees. Fred Meyer defeated Walker’s claim because it provided disclosure and authorization notices in separate documents, apart from a job application or employee manual.

FCRA Claim-Article III Injury
The 9th Circuit has held that a consumer lacked standing to pursue FCRA claims where a prospective employer failed to provide a pre-adverse action notice, but the consumer report nevertheless contained accurate information. The case is Dutta v. State Farm, U.S.C.A., 9th Cir., No. 16-17216 (July 13, 2018). Dutta alleged that State Farm violated the FCRA by rejecting his employment application based on an erroneous consumer report-the disqualifying factor was charged off debt within the last twenty-four months. Yet, the twist here is that the report was, in fact, accurate. In summary judgment briefing, State Farm submitted an unrebutted affidavit that the disputed consumer report reflected an accurate chargeoff date. While Dutta claimed that he had stopped making payments on the debt years ago, the court correctly recognized that the report reflected the chargeoff date, not the date of the last payment. Moreover, frequent plaintiff’s advocate Francis & Mailman, P.C. utterly failed to respond to the affidavit attesting to the report’s accuracy in any manner. Beyond the public castigation of plaintiff’s counsel, the court offered a helpful application of Spokeo, reasoning that, where demonstrably accurate data leads to an adverse employment decision, plaintiffs cannot demonstrate an Article III injury-even where there is a clear statutory violation of the FCRA’s notice provision coupled with allegations of inaccurate information in the consumer report. The court stated, although Dutta made a plausible showing of State Farm’s procedural violation of FCRA, he failed to establish facts showing he suffered actual harm or a material risk of harm. Thus, Dutta failed to establish a concrete injury for purposes of the injury-in-fact element of standing. This case also illustrates a continuing trend in Spokeo challenges; more cases are being decided at the summary judgment stage rather than on a motion to dismiss.

FCRA Class Action Dismissed by Missouri Court of Appeals for Lack of Standing
On July 17, the Missouri Court of Appeals affirmed a ruling of the Cole County Circuit Court dismissing a putative class action under the Fair Credit Reporting Act against multinational staffing company, Kelly Services, Inc. A three-judge panel of the Missouri Court of Appeals issued a one-page order and eleven-page memorandum opinion upholding the lower court’s ruling that the plaintiff lacked standing to pursue his claim since he alleged only bare procedural violations without the requisite concrete injury.

The panel held: “Not even the most liberal construction of his pleading would support a construction favorable to finding that Mr. Boergert pleaded a concrete and actual injury. Because Mr. Boergert did not plead an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical, the trial court did not err in dismissing his complaint for lack of standing.” Plaintiff Cott Boergert claimed Kelly Services violated the FCRA when it fired him from a job placement based on information in his consumer report indicating that he had been on probation in 2009 for commission of a felony. Boergert had previously indicated that he had not been on probation for a felony in the preceding seven years when he filled out the employment application. He then filed the class action in Cole County Circuit Court, claiming that Kelly Services violated the FCRA by including more information in its disclosure form than was allowed and by not providing him with either the report or a summary of his rights. Interestingly, the case was removed to federal court but was dismissed in 2016 under the U.S. Supreme Court’s Spokeo v. Robins decision. That federal district court, however, rethought its decision and the case was remanded back to state court. The panel’s ruling added: “While alleging that Kelly Services knowingly violated the FCRA by using a disclosure form that contained extraneous information—a bare procedural violation—and that he was therefore entitled to statutory damages for these violations, Mr. Boergert did not plead any concrete or actual injury. … Although he testified during a deposition that the form confused him, he did not plead that it did so or that he did not see the disclosure or authorize Kelly Services to obtain a consumer report.”

FCRA Lawsuit
On June 27th, the U.S. Court of Appeals for the Eleventh Circuit ruled in favor of a mortgage servicer finding that reporting the consumer as delinquent to credit reporting agencies (CRAs) during a forbearance plan is neither inaccurate nor materially misleading under the Fair Credit Reporting Act. According to the complaint, plaintiff Christina Felts enrolled in a forbearance plan with her servicer, which allowed for a monthly forbearance plan payment of $25, while the remaining balance accrued interest and became due at the end of the plan. The mortgage servicer informed Felts that the monthly payments would still be considered late because she was not paying the actual contractual payment under the note and reported Felts as past due for the duration of the plan. The court affirmed the lower court’s decision holding that Felts’ payments, even though paid on time, were not the ones she was contractually bound to make. Furthermore, the court concluded that the plaintiff failed to establish that the forbearance plan legally modified the original note; as a result, the information reported to the CRAs was not inaccurate or materially misleading. The case is Felts v. Wells Fargo, Case No. 16-16314, in the U.S. Court of Appeals for the Eleventh Circuit.

TransUnion Class Action
On July 23rd, a proposed class-action lawsuit was filed against TransUnion in the U.S. District Court for the Northern District of Illinois for allegedly violating the Fair Credit Reporting Act. The lawsuit alleges TransUnion included void and uncollectable payday loans on consumers’ credit reports, impacting their credit scores. According to the lawsuit, one of the named plaintiffs took out a payday loan from an online tribal lender and later found out that the lender was not licensed in their state and that the loan was well above state usury limits. TransUnion allegedly failed to remove the loan after the plaintiff disputed it. The case is Joseph Denan et al v. TransUnion, Case No. 18-5027, in the U.S. District Court for the Northern District of Illinois.

International Developments

CJEU Will No Longer Collect Names of Litigants
On June 29th, the Court of Justice of the European Union said that it will no longer identify litigants in future preliminary rulings, citing the EU’s General Data Protection Regulation. The change went into effect on July 1st and now in all requests for preliminary rulings the court said it will “replace, in all its public documents, the name of natural persons involved in the case by initials.” However, there is currently no plan to change how the court handles hearings or other proceedings that do not involve publications.

Recommendation to Suspend the Privacy Shield Agreement
The European Parliament passed a non-binding resolution calling on the European Commission to suspend the Privacy Shield agreement, unless the U.S. fully complies (IAPP).

The Future of International Data Transfers
With the current focus on the coming into effect of the EU General Data Protection Regulation (GDPR), one could (almost) be forgiven for forgetting about the question of international data flows. However, given the political and legal developments currently affecting the future of international data transfers, that would be a very serious strategic mistake. Legitimizing data globalization remains a top business priority in our uber-digitized world. The coming of age of cloud-based services, the continuous advance of mobile communications and the push by developed and developing countries to reach a global market have made international data transfers more essential than ever. At the same time, the level of regulation affecting those transfers is becoming more impenetrable and politically charged. Against this background, what are the issues that need to be considered to develop a solid global data flows legal strategy? Eduardo Ustaran examines the future of international data transfers in this article for Privacy & Data Protection Journal.


NAPBS Releases Report
The Professional Background Screening Association (PBSA, formerly NAPBS) recently released its second annual background screening survey of Human Resources professionals that found a majority of employers conduct background screenings. The top reasons for conducting background screenings were public safety; improving the quality of hires; compliance with regulatory requirements; and protecting company reputation. Other key findings include:

  • 95 percent of employers stated their organization is conducting one or more types of employment background screening, a slight decrease from the first report;
  • 86 percent of respondents stated they are screening all full-time employees, a slight increase from 83 percent in 2017; and
  • 68 percent of respondents are including part-time employees in their screening process, a slight increase from 67 percent in 2017.


