JULY 2022 SCREENING COMPLIANCE UPDATE
Deadline for Updating Forms I-9 Involving Expired List B Document is July 31, 2022
The July 31, 2022 deadline is rapidly approaching for employers to update the Forms I-9 of employees who presented an expired List B document (establishing the individual’s identity) between May 1, 2020 and April 30, 2022. As you may remember, the Department of Homeland Security (DHS), through the USCIS, ended the COVID-19 Temporary Policy for List B Identity Documents, effective May 1, 2022; thus, employers have not been able to accept expired List B documents since that date. At the time that the COVID-19 Temporary Policy ended, DHS announced employers had 90 days to update employees’ I-9 forms if an employee presented an expired List B document (expiring on or after March 1, 2020), between May 1, 2020, and April 30, 2022. The 90 days end on July 31, 2022.
CFPB Issues Advisory to Protect Privacy When Companies Compile Personal Data
The Consumer Financial Protection Bureau (CFPB) issued a legal interpretation to ensure that companies that use and share credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act. The CFPB’s new advisory opinion makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct.
“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” said CFPB Director Rohit Chopra. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”
Over the last century, Congress enacted a number of sector-specific privacy laws to protect personal data, such as educational and health data. One law that includes privacy protections across multiple sectors is the Fair Credit Reporting Act. Congress enacted the Fair Credit Reporting Act in 1970 to ensure companies “exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” The Fair Credit Reporting Act regulates companies that assemble dossiers on individual consumers, including credit reporting companies, tenant screeners, and other data brokers.
Among other things, the Fair Credit Reporting Act ensures fair and accurate reporting, and it requires users who buy these dossiers to have a legally permissible purpose. This ensures that companies cannot check an individual’s personal information, including their credit history, without a bona fide reason. Some common permissible purposes include using consumer reports for credit, insurance, housing, or employment decisions. For example, a bank may request a credit report in order to determine the terms on which it will offer someone a line of credit.
Today’s advisory opinion will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of the Fair Credit Reporting Act. Specifically, the advisory opinion makes clear:
- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights: For example, when a credit reporting company uses name-only matching procedures, the items of information appearing on a credit report may not all correspond to a single individual. That means the user of a credit report could be provided a report about a person for whom the user does not have a permissible purpose.
- It is unlawful to provide credit reports of multiple people as “possible matches”: Credit reporting companies may not provide reports on multiple individuals where the requester only has a permissible purpose to obtain a report on one individual. They must have adequate procedures to find the right person, or else the result may be that they provide a report on at least one wrong person.
- Disclaimers about insufficient matching procedures do not cure permissible purpose violations: Disclaimers will not cure a failure to take reasonable steps to ensure the information contained in a credit report is only about the individual for whom the user has a permissible purpose.
- Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so: The Fair Credit Reporting Act strictly prohibits anyone from using or obtaining credit reports without a permissible purpose.
Criminal Liability for Violating the Fair Credit Reporting Act’s Privacy Protections
The advisory opinion outlines some of the criminal liability provisions in the Fair Credit Reporting Act. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual. For example, Section 620 of the Fair Credit Reporting Act imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person. Violators can face criminal penalties and imprisonment.
The CFPB will continue to take steps to ensure credit reporting companies and other relevant entities adhere to the Fair Credit Reporting Act and other consumer financial protection laws. In addition to some of the steps already mentioned, the CFPB has:
- Highlighted the experiences of military families with medical billing, credit reporting, and debt collection. The CFPB’s report showed that nationwide credit reporting companies are failing to correct mistakes and inaccuracies, fueled by allegedly unpaid medical bills, on servicemembers’ credit reports.
- Spotlighted medical billing challenges faced by millions of American consumers. The CFPB’s report found that many consumers reported their credit reports being used as weapons to force payments of allegedly unpaid medical bills and that the bills are surreptitiously and unlawfully placed on their credit reports.
- Identified credit reporting companies the public can hold accountable. The CFPB released its annual list of credit reporting companies. Using the list, people can exercise their right to see what personal information these companies have, dispute inaccuracies, and take action if a firm is violating the Fair Credit Reporting Act.
- Issued a bulletin to prevent unlawful medical debt collection and credit reporting. The bulletin states that the accuracy and dispute obligations imposed by the Fair Credit Reporting Act apply with respect to debts stemming from charges that exceed the amount permitted by the No Surprises Act.
- Took action to stop the false identification of consumers by background screeners. The advisory opinion affirmed that credit reporting companies and tenant and employment screening companies are violating the Fair Credit Reporting Act if they engage in shoddy name-only matching procedures.
CFPB Imposes Several New Duties on Big Data Brokers
The Consumer Financial Protection Bureau (“CFPB”) has issued several statements affecting the credit reporting industry in the last few months, including one on medical debts and one on auto financing, while at the same time emphasizing that the definition of a consumer reporting agency (“CRA”) should be interpreted broadly to include not just credit reporting companies and tenant screeners but also “other data brokers.” This means that any company collecting “Big Data” and hoping to convert that data into profit by offering reports on individual consumers should beware and consider themselves a CRA that is subject to the Fair Credit Reporting Act (“FCRA”) and the CFPB.
CRAs now must provide consumers with a means to remove, challenge or update items on their credit report that appear because the consumer has been the victim of a severe form of human trafficking or sex trafficking. This means that CRAs must develop new processes to accept, evaluate and police these kinds of reports from consumers. New changes to Regulation V, the implementing regulation of the FCRA, require completely new processes to be established to accommodate and manage such reports, and these obligations apply not just to the nationwide credit bureaus but to all companies that qualify as a CRA. Another new duty all CRAs will have to face is to track and monitor state laws addressing credit reports, as a result of the CFPB’s Interpretive Rule that seeks to limit the preemptive effects of the FCRA. As the CFPB says in the rule, this means that, “[s]tates therefore retain substantial flexibility to pass laws involving consumer reporting to reflect emerging problems affecting their local economies and citizens.”
Congress Introduces the American Data Privacy and Protection Act
On June 23, 2022, Representatives Pallone, Rodgers, Schakowsky, and Bilirakis introduced the American Data Privacy and Protection Act, HR 8152. This Act represents an effort to create a comprehensive federal privacy law. Information that could be linked to a person or a device would be covered, and the Act would provide extra protections for sensitive covered data. The Act would not cover publicly available data or de-identified data.
The Act provides certain exceptions to permit covered entities to use data to complete transactions and customer requests, maintain products and services, respond to “security incidents,” conduct internal research and analysis, and comply with legal requirements. In addition, the Act may exempt smaller entities that do not meet revenue or data thresholds.
The Act would be enforced by the FTC, state actors including Attorneys General, and individuals through a private right of action.
The bill passed the House Subcommittee on Consumer Protection and Commerce and is moving to the House Committee on Energy and Commerce, where it is expected to pass. The bill faces significant headwinds in the Senate.
I-9 Deadline Approaching: Employers Have Until July 31 to Update Critical Immigration Forms
If you accepted expired forms of identification from new employees who completed their I-9 forms during the pandemic, your deadline for updating them with current proofs of identification is fast approaching. The Department of Homeland Security recently announced that it was winding down its temporary policy that had allowed for expired List B (proof of identification) documents to be used when completing I-9s because of COVID-related difficulties in renewing such I.D. documents. You have until July 31 to update your I-9 forms to get into compliance with the law. What do you need to know about this fast-approaching deadline?
How We Ended Up Where We Are
In response to the COVID-19 pandemic, the Department of Homeland Security issued a number of temporary policies easing Form I-9 compliance. One of them was the COVID-19 Temporary Policy for List B Identity Documents.
Under this policy, employers were allowed to accept expired List B (proof of identification) documents. Many state and local agencies were under lockdown, so it was difficult – if not impossible – for individuals to renew expired documents such as drivers’ licenses, school I.D. cards, Native American tribal documents, and others.
The Department rescinded this temporary policy on May 1 and began again to require employers to accept only unexpired List B documents. USICS recently announced that employers who accepted expired List B documents prior to May 1, 2022, will have until July 31 update their Forms I-9.
What Should You Do?
Specifically, for employees hired between May 1, 2020 and April 30, 2022 who presented an expired List B document, you need to have them to present to you:
- the renewed List B document;
- a different List B document; or
- a document from List A.
You do not need to update documents for affected employees who are no longer employed.
When updating List B documentation, you should enter the document’s:
- issuing authority;
- and expiration date in the “Additional Information” field of Section 2.
Your representative should initial and date the change.
If the List B document was auto-extended by the issuing authority, making it unexpired when it was presented, no update is needed. For example, many states automatically extended the expiration date of certain drivers’ licenses due to COVID. Those documents would not need updating.
Remote I-9 Verification Remains in Place – For Now
This move by DHS does not affect its decision to extend its remote I-9 verification flexibility policy, which has been extended once again to October 31, 2022.
Under that temporary policy, if employees hired on or after April 1, 2021, work exclusively in a remote setting due to COVID-19-related precautions, they are temporarily exempt from the I-9’s physical inspection requirements until they undertake non-remote employment on a regular, consistent, or predictable basis, or the extension of the flexibilities related to such requirements is terminated by DHS, whichever is earlier. You can read more about compliance with this rule here.
With these constantly evolving rules, employers who have adjusted their document inspection protocols during the pandemic may be at a higher risk for expensive monetary fines, potentially running in the thousands of dollars. Now is a good time to review your I-9 files and process to ensure continued compliance.
EEOC Updates COVID-19 Guidance, Potentially Limiting Employers’ Ability to Screen Employees for COVID-19
On July 12, 2022, the U.S. Equal Employment Opportunity Commission updated its COVID-19 FAQs, with specific emphasis on viral testing, antibody tests, and other issues relating to workplace safety. The agency’s update arrives as the nation continues to wrestle with substantial community spread of COVID-19, and new and more contagious variants of the virus are emerging here and around the globe. Unfortunately, the update does not offer many specifics for employers, who continue to face the challenge of maintaining a safe, healthy, and productive work environment as more and more of their workers return to in-person work.
Limiting COVID Testing in the Workplace
Most notably, with respect to requiring employees to be tested for COVID as a condition of returning to or remaining at work, the EEOC’s updated guidance makes clear that an employer’s ability to require such a test is not unlimited. Rather, an employer can require such testing only where it is “job-related and consistent with business necessity” under the Americans with Disabilities Act (ADA). Specifically, the agency’s updated guidance with respect to testing provides:
A COVID-19 viral test is a medical examination within the meaning of the ADA. Therefore, if an employer implements screening protocols that include COVID-19 viral testing, the ADA requires that any mandatory medical test of employees be “job-related and consistent with business necessity.” Employer use of a COVID-19 viral test to screen employees who are or will be in the workplace will meet the “business necessity” standard when it is consistent with guidance from Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), and/or state/local public health authorities that is current at the time of testing.
If an employer seeks to implement screening testing for employees such testing must meet the “business necessity” standard based on relevant facts. Possible considerations in making the “business necessity” assessment may include the level of community transmission, the vaccination status of employees, the accuracy and speed of processing for different types of COVID-19 viral tests, the degree to which breakthrough infections are possible for employees who are “up to date” on vaccinations, the ease of transmissibility of the current variant(s), the possible severity of illness from the current variant, what types of contacts employees may have with others in the workplace or elsewhere that they are required to work (e.g., working with medically vulnerable individuals), and the potential impact on operations if an employee enters the workplace with COVID-19. In making these assessments, employers should check the latest CDC guidance (and any other relevant sources) to determine whether screening testing is appropriate for these employees.
Based on this update, it appears that the EEOC plans to take the position that a COVID-19 screening test for employees entering the workplace is not per se or presumed permissible. Rather, an employer must be able to demonstrate that such a test is necessary for the safety of the workplace, and consistent with the job in question. However, the EEOC also advises employers to keep current with CDC recommendations regarding COVID exposure and infection, as well as those of state and local public health authorities.
That said, it is not clear what, if any, immediate practical impact this updated guidance will have in light of current rates of COVID-19 community transmission. On the same date that the EEOC’s update was issued, the CDC’s Community Tracker indicated high or substantial rates of COVID-19 transmission throughout almost all of the United States.
Other factors highlighted by the EEOC would also appear to call for more testing, not less at this time. As to ease of transmissibility, it has been widely reported that the emerging Omicron BA.5 variant is far more transmissible than previous variants and is spreading rapidly worldwide. As to vaccination rates, these vary widely by state, but the U.S. remains stalled at an overall COVID-19 vaccination rate of 67%, and a booster rate of just 32%. The CDC continues to emphasize the importance of obtaining booster doses of the COVID-19 vaccine, and employers are well advised to account for employee vaccination rates in their COVID-19 safety practices.
The timing of the EEOC’s updated guidance also seems at odds with the administration’s decision to extend COVID-19 public health emergency status, which has been in effect since January 2020, and was previously scheduled to expire on July 15, 2022. On July 14, 2022, the Department of Health and Human Services (HHS) announced that it will again extend this declaration and provide at least 60 days’ notice before ending the public health emergency. Plainly, HHS views the pandemic as still very much a public health crisis, suggesting employers that base decisions on the most up-to-date guidance from the CDC and other public health authorities will have strong arguments that their testing programs are justified as a matter of public health.
Antibody Testing Still Prohibited
The updated FAQs also restate the EEOC’s position that while a viral test for COVID-19 may in some instances be justified for entry to the workplace, reliance on an antibody test is under no circumstances permissible under the ADA. In support of its position, the EEOC notes that as of July 2022, the CDC’s guidance indicates that antibody testing may not show whether an employee has a current COVID infection or whether an employee is immune, and accordingly antibody tests do not satisfy the ADA’s “business necessity” standard for medical examination. It is unclear what this means for employers in states where state law exempts an employee from a vaccination or test requirement based on COVID antibodies or “natural immunity.” Presumably, if the employer is not requiring the employee to submit to an antibody test, but rather the employee is volunteering an antibody test result in support of their request for an exemption from a vaccination requirement, the situation would not implicate the ADA’s prohibitions on employer-initiated medical examinations or inquiries. However, EEOC has yet to offer its position with respect to the numerous state laws that have departed from CDC guidance.
In light of the EEOC’s recent updates, employers may wish to review their current protocols regarding mandatory testing for entry to the workplace and ensure that they are consistent with the agency’s stated position. It may be that the EEOC has simply articulated the analysis that it intends to apply at the point when COVID-19 has abated. For now, as the pandemic continues, it would appear that testing for the virus remains “consistent with business necessity.”
Lack of federal data privacy legislation leaves US agencies to provide guidance
Five US states in particular can be seen as leaders: California, Virginia, Utah, Connecticut, and Colorado. Although their approaches to data privacy are not identical, provisions adopted by these five address issues such as information sharing, opting-out, and changing what data is collected. Further, additional pending legislation exists in other states.
Comparisons among state statutes aside, the lesson to be learned is that state legislation is being enacted in recognition that consumers want their data privacy protected and they want a legal framework built to ensure that protection.
The FTC has a long history. Created in 1915, the FTC’s mission is to protect consumers and promote competition. As a result of the Privacy Act of 1974, the agency reorganized its own system of records. One of its most well-known collection of records is the do-not-call-list, which maintains records of the phone numbers of persons who do not wish to receive telemarketing calls. The FTC also began in the 1970s enforcing the Fair Credit Reporting Act, which governs the information collected by credit reporting agencies. Although some of its fair-credit rulemaking authority was transferred to the Consumer Financial Protection Bureau upon its creation in the 2010 Dodd-Frank Act, the FTC has for decades been the main enforcer of privacy laws.
Businesses often can begin at the FTC website for FTC guidance when assessing compliance with federal laws. The FTC has additional information covering disciplines including advertising and marketing, credit and finance, privacy and security; it also covers industry sectors, ranging from funerals to finance, real estate and mortgages. Touting the use of plain-language, the FTC works to help businesses understand and comply with the law. Additionally, the FTC investigates and mitigates privacy incidents; and it also has indexed guidance documents which can clarify policy and offer advice, although they do not have the force and effect of law behind them.
The FTC weighs in on international matters as well, such as litigation on the Privacy Shield Framework. As a result of NTT Global Data Centers administrative litigation which involved noncompliance with the EU-US Privacy Data Shield, the FTC set out four compliance tips for companies that were transferring their consumer data from Europe to the United States. These tips included: i) keep Privacy Statements current; ii) if participating, honor the provisions; iii) maintain certification; and iv) follow the withdrawal procedures if withdrawal is chosen.
By accessing the FTC website, businesses can begin researching some of the privacy issues that companies face every day, and the site can become a regular resource for staying abreast of issues and for amending practices in order to remain compliant with federal law.
Providing guidance on COPPA
In another example, the FTC provides guidance on how the Children’s Online Privacy Protection Act (COPPA) applies to the collection of personal information gathered from children under 13 years of age. In particular, COPPA covers operators — i.e., any person operating a website located on the Internet or an online service that collects or maintains personal information from or about the users or visitors.
COPPA applies not only to game sites, educational sites, and online social media companies, it also applies to anyone who markets to children and collects information about them. Modern children carry phones, have debit cards, explore apps, and are more comfortable using technology, which almost always involves the collection of user data. How information about them is shared and distributed is subject to strict requirements under COPPA. In a bulletin to chief executive officers and compliance officers of all national banks, department and division heads, and to all examining personnel, the Office of the Comptroller of the Currency (OCC) stated:
The COPPA, which is effective April 21, 2000, prohibits unfair or deceptive acts or practices in connection with the collection, use/or disclosure of personal information from and about children on the Internet. The COPPA and the final rule [issued by the FTC] apply to national banks. In addition, section 1306 of the COPPA gives the OCC enforcement responsibility. Examination procedures, currently being developed, will provide further guidance.
- a list of all operators (such as advertising network) collecting personal information;
- a description of the personal information and how it is used;
- a description of parental rights explaining that only reasonably necessary information is required; parents can review that information, direct its deletion, and refuse any further collection of the information. (Note that parents can disallow disclosure of collected information to third parties such as social networks); and
- procedures to permit parents to exercise their rights.
Additionally, the FTC provides a chart for specific, narrow exceptions to COPPA’s consent mandate.
For those looking to ensure compliance with privacy or other government requirements, the FTC website can be helpful as an early step in the process. In addition, as law in an area develops, monitoring the site for agency interpretation and guidance can save time, energy, and resources in the quest to broaden understanding of the rules that apply in an ever-changing technological landscape.
EEOC Guidance on Artificial Intelligence in Hiring and Disability Discrimination
The Equal Employment Opportunity Commission (“EEOC”) recently issued a technical assistance document regarding the use of artificial intelligence (“AI”) tools in employment decisions with a focus on disability discrimination claims that may arise as a result. AI in the employment context typically means that the employer (including the software vendor) “relies partly on the computer’s own analysis of data to determine which criteria to use when making employment decisions.” The technical assistance document provides examples of AI tools, including “resume scanners that prioritize applications using certain keywords; employee monitoring software that rates employees on the basis of their keystrokes or other factors; ‘virtual assistants’ or ‘chatbots’ that ask job candidates about their qualifications and reject those who do not meet pre-defined requirements; video interviewing software that evaluates candidates based on their facial expressions and speech patterns; and testing software that provides ‘job fit’ scores for applicants or employees regarding their personalities, aptitudes, cognitive skills, or perceived ‘cultural fit’ based on their performance on a game or on a more traditional test.”
The EEOC identified three common ways an employer’s use of AI could violate the Americans with Disabilities Act (“ADA”): (i) by not providing reasonable accommodations, (ii) relying on AI tools that improperly “screen out” individuals with disabilities and (iii) adopting AI tools that pose disability-related inquiries or seek information that qualify as a medical exam. The EEOC noted that an employer is responsible for its use of AI tools, including AI tools designed and administered by another entity, such as a software vendor.
If an applicant or employee communicates that a medical condition may make it difficult for them to take a test or may cause an assessment result that is less acceptable to the employer, the employer must respond promptly and provide an alternative testing format unless doing so would create an undue hardship for the employer. Employers must keep medical information obtained in connection with a reasonable accommodation request confidential and separate from the applicant’s or employee’s personnel file.
An AI tool may unlawfully screen out applicants with disabilities if the disability causes the applicant to receive a lower score or an assessment result that is less acceptable to the employer, and the applicant loses a job opportunity as a result despite being able to perform the job with reasonable accommodations. For example, an AI tool that analyzes an applicant’s speech patterns may improperly screen out applicants with speech impediments. Even an AI tool that has been “validated” to predict whether applicants can perform a job under typical working conditions may unlawfully screen out applicants with disabilities who could also perform the job with reasonable accommodations. An AI tool is validated when there is evidence that it meets certain professional standards showing that the tool accurately measures or predicts a trait or characteristic that is important for a specific job.
The EEOC cautioned that employers should not rely on claims that AI tools are “bias-free” if those tools have been designed to reduce Title VII discrimination based on race, sex, national origin, color and religion, and are not tailored to address the unique nature of disabilities. Employers can reduce the chances of improper “screen outs” by (i) inquiring if and how a tool was developed with applicants with disabilities in mind, and (ii) in implementing the AI tool, clearly indicating to applicants that alternative test formats are available, and providing clear instructions on requesting reasonable accommodations and information about the AI tool, including the traits or characteristics the tool is designed to measure.
An employer may violate the ADA if it uses an AI tool that poses disability-related inquiries or seeks information that qualifies as a medical exam before giving an applicant a conditional offer of employment, regardless of whether the applicant has a disability. Disability-related inquiries are ones that are likely to elicit information about a disability or that directly ask if an applicant has disabilities. An assessment qualifies as a medical exam if it seeks information about the individual’s physical or mental impairments or health.
New York City employers should be aware of a new law going into effect Jan. 1, 2023, previously discussed here, that prohibits New York City employers from using automated employment decision tools to promote or screen job candidates, unless certain criteria have been met.
Employers should be cognizant of how their usage of AI in hiring may be interpreted as disability discrimination and respond promptly to any discrimination related issues or claims.
D.C. Council Approves the Cannabis Employment Protections Amendment Act of 2022
The District of Columbia is on the verge of joining other states and localities that prohibit testing applicants and employees for cannabis use as a condition of employment. On June 7, 2022, the D.C. Council approved the Cannabis Employment Protections Amendment Act of 2022 (Act), now pending review and approval by Mayor Muriel Bowser by July 19, 2022. If signed, the Act will become law after a 60-day congressional review.
Which Employers are Covered by the Act?
The Act is broad in that it applies to all private employers in D.C., and it defines an employer in relevant part as “any person, who, for compensation, employs an individual  and any person acting in the interest of [an] employer, directly or indirectly.” Additionally, the Act applies to most public employers, including the D.C. government and its agencies, but excludes the D.C. court system and the federal government.
How Does the Bill Limit Employers and Protect Applicants and Employees?
Under the Act, employers cannot refuse to hire, terminate, suspend, fail to promote, demote, or otherwise penalize an applicant or employee (including unpaid interns) because of:
- their cannabis use,
- their status as a medical cannabis program patient, or
- the presence of cannabinoid metabolites in their system (found via a drug test) without additional factors demonstrating impairment.
Generally, the Act provides that “impaired by use of cannabis” means the employee is showing “articulable symptoms” while working that “substantially decrease or lessen the employee’s performance .” Employers also must treat medical cannabis use the same as any other legal use of a controlled substance prescribed by or taken under the supervision of a licensed health care professional.
What is the “Safety-Sensitive” Position Exception Under the Act?
Employers are permitted to test for cannabis use and discipline employees who hold “safety-sensitive” positions. A safety-sensitive position is a job, as designated by the employer, in which it is “reasonably foreseeable” that if performing the job under the influence of drugs or alcohol, the employee “would likely cause actual, immediate, and serious bodily injury or loss of life to self or others.”
The Act provides that such safety-sensitive positions may include:
- security services such as police, special police, and security officers;
- operation of motor vehicles or heavy or dangerous equipment;
- regular or frequent work on an active construction site;
- regular or frequent work on or near power or gas utility lines;
- regular or frequent handling of hazardous materials;
- supervision of, or provision of routine care for, an individual or individuals who cannot care for themselves and reside in an institutional or custodial environment; and
- positions that involve administering medications, performing or supervising surgeries, or providing other medical services requiring “professional credentials.”
Employers also may test applicants and employees to comply with their obligations under federal statutes, federal regulations, or federal contracts or funding agreements.
What Rights Do Employers Have Under the Act?
In addition to the safety-sensitive exception, employers may still restrict use of cannabis at work. Specifically, the Act allows employers to prohibit cannabis use, consumption, possession, growing, and sale or transfer at work.
Employers also may take action against employees who are impaired at work; however, a positive test is insufficient evidence to establish impairment under the Act. Rather, as noted above, an employer must observe symptoms exhibited by an employee while working that substantially decrease the employee’s performance or interfere with the employer’s ability to provide a safe and healthy workplace as required by law. Finally, employers may still maintain or adopt a “reasonable” drug-free workplace or other similar policy.
As for medical cannabis use, employers are not required to permit employees in safety-sensitive positions to use medical cannabis at work. Employers also may restrict the use of medical cannabis in a smokable form in the workplace.
What Should Employers Do Now?
Laws restricting employers from making cannabis testing a condition of employment already exist in several states and localities, including Nevada, New Jersey, New York, Philadelphia, and Rhode Island. At least 21 states provide protections for employees who are using medical marijuana. All of these laws vary in the extent of protections afforded to employees.
While the Act is pending mayoral review, employers should consider its potential impact on their workplace policies and procedures; determine which, if any, positions are safety-sensitive; and consider resources and training for managers and supervisors who may need to assess whether an employee is impaired. Notably, regulations will be forthcoming, but the Act provides that the “absence of rulemaking” will not delay enforcement. As with most D.C. statutes, applicability of the Act depends on the D.C. Council’s budgeting process, which may (or may not) delay enforcement of some of its provisions.
Revised Employment Termination Notice Requirements for Colorado Employers
Colorado employers in the private sector seeking to terminate an employment relationship now have additional notice obligations with respect to separated former employees, effective May 25, 2022. Specifically, Colorado Governor signed into new law requiring private employers to provide employees with additional information regarding the employer, employee earnings, and the reason(s) for separation in addition to previously required information regarding the availability of unemployment compensation benefits and insurance upon separation of employment. Here is what Colorado employers need to know.
Please see full Publication below for more information.
Florida’s New Law Mandates Employee Background Checks to Protect Tenants in Response to Tragedy
On June 27, 2022, Governor Ron DeSantis signed “Miya’s Law” (SB 898) into law which is designed to increase safety for residential tenants and significantly impacts the duties of Florida landlords and property managers.
Miya’s Law applies to landlords of public lodging establishments and nontransient and transient apartments and requires that employees undergo background screenings as a condition of employment. The background screening must be performed by a consumer reporting agency in accordance with the federal Fair Credit Reporting Act, and must include a screening of criminal history records and sexual predator and sexual offender registries of all 50 states and the District of Columbia. Miya’s Law allows a landlord to disqualify a person from employment if the background screening reveals that the person has been convicted or found guilty of a criminal offense involving the disregard for safety of others that is a felony or a first-degree misdemeanor, or offenses involving violence (battery, robbery, carjacking, stalking, etc.).
Some other key features of the new law include (a) requiring the maintenance of a key log and policies accounting for the issuance and return of all keys, (b) changing the period of reasonable notice provided to tenants prior to a landlord and/or the landlord’s employees entering the tenant’s unit from 12 to 24 hours, and (c) subjecting the key log and background screenings to annual inspections by the Department of Business and Professional Regulation.
Miya’s Law was enacted in response to the tragic murder of a 19-year-old female, Miya Marcano, in September 2021, when a maintenance worker from her Orlando rental complex entered her apartment and murdered her.
Florida landlords and property managers should review their current policies and procedures to ensure prompt compliance with Miya’s Law.
Eastern District of Pennsylvania Analyzes CRA Definition Under the FCRA
On February 25, the U.S. District Court for the Eastern District of Pennsylvania held that a purported public records vendor (Credit Lenders Service Agency or CLSA) is a consumer reporting agency (CRA) under the Fair Credit Reporting Act (FCRA). A copy of the decision in McGrath v. Credit Lenders Service Agency, Inc. can be found here.
As background, plaintiffs Donna and Patrick McGrath applied to refinance their home mortgage. In connection with that application, the bank engaged CLSA to conduct a public records search pertaining to the McGraths. According to CLSA’s deposition, the agency prepares “Judgment Reports” by “subcontract[ing] with people who go out to the various repositories of records and actually do the physical search.” Regarding the McGraths, CLSA engaged an independent contractor to go to the courthouse and review indices, looking for any match to the McGraths’ name and address. That contractor then sent those results back to CLSA. CLSA compiled the information into a “Judgment Report” then “included this Judgment Report as one part of a larger report that it sent back to the Bank.” The other parts of the report included information about the McGraths’ deed to their home, outstanding liens on their property, and a valuation of their property. The McGraths claimed CLSA reported seven inaccurate judgments about them to the bank, which caused the bank to delay approval. The McGraths filed a lawsuit against CLSA, alleging violations of Sections 1681e(b) and 1681i of the FCRA.
CLSA filed a motion for summary judgment. A summary of CLSA’s arguments and the court’s decision on each follow.
First, CLSA argued it is not subject to the FCRA — i.e., it is not a CRA, and its reports are not consumer reports. Rather, CLSA merely reports public information. The court, however, disagreed. First, the court rejected CLSA’s argument that the terms “consumer reporting agency” and “consumer report” are mutually dependent (despite FTC guidance to the contrary). The court stated: “Reading both definitions [of CRA and consumer report] together, to be a ‘consumer reporting agency,’ an entity does not actually have to furnish a ‘consumer report.’ Instead, it must act ‘for the purpose of furnishing consumer reports.’ … In other words, the Court does not need to determine that an entity actually produced a ‘consumer report’ to find that it is a ‘consumer reporting agency.’ But, however, the opposite is not true. The definition of ‘consumer report’ within the FCRA clearly requires that the report come from a ‘consumer reporting agency.’”
After analyzing the statutory language, the court found that CLSA is a CRA because: (1) it received monetary fees for its services; (2) used a facility of interstate commerce (i.e., email); (3) CLSA’s activities constituted “assembling” (the Judgment Report is only one piece of the larger report that CLSA provided to the Bank”; “If the Agency had only transmitted the Judgment Report in isolation, this might be a much tougher issue of statutory interpretation); and (4) public record information constituted “consumer credit information” used for an eligibility determination.
CLSA also argued that even if it is subject to the FCRA, CLSA’s procedures were reasonable because CRAs “are not required to look beyond the face of court documents to verify the accuracy of the information.” The court also rejected this argument. Specifically, the court rejected CLSA’s argument that the decision in Henson, where the Seventh Circuit held that a CRA is not liable under the FCRA for reporting inaccurate information obtained from a court’s docket absent prior notice from the consumer that the information may be inaccurate, was controlling law in the Third Circuit. The court found a genuine dispute of material fact as to whether CLSA followed reasonable procedures under Section 1681e(b) and denied CLSA’s motion as to the plaintiff’s negligence claim.
However, the court granted CLSA’s motion as to the plaintiff’s willfulness claim, agreeing that CLSA’s reading of the FCRA was not objectively unreasonable.
A glance at the implementation status of the EU Whistleblowing Directive in the EU Member States
Whistleblowers play a vital role in exposing fraud, corruption and mismanagement as evidenced by a slew of high-profile cases in recent years.
While some European countries stepped up and implemented comprehensive whistleblower protection laws at some point over the past two decades, much of the continent employed a confusing patchwork of legislation. In some cases, European whistleblowers lacked protection entirely while in others, the laws did not go far enough.
Enter the EU Whistleblowing Directive. In April 2018, the EU Commission launched a proposal for a directive aimed at providing uniform protection for whistleblowers and a provisional agreement was reached between member states and the European Parliament in March 2019. It was adopted as Directive 2019/1937 in December 2019. Before the process kicked off, the Commission stated that just 10 EU member states – France, Hungary, Ireland, Italy, Lithuania, Malta, the Netherlands, Slovakia, Sweden and the UK (then a member state) had some form of “comprehensive law” protecting whistleblowers.
The EU Whistleblowing Directive aims to provide common minimum standards of protection for whistleblowers across the EU. A strong focus is being placed on establishing safe reporting channels and implementing measures to prevent retaliation. Companies and public bodies with 50 or more employees, as well as municipalities with more than 10,000 inhabitants, are therefore obliged to establish confidential whistleblowing systems and implement protective measures.
The Directive had to be transposed into national law by 17 December 2021, a deadline that most EU member states failed to meet.
States that have transposed the EU Whistleblowing Directive into national law until now:
States that have started the implementation process:
- Czech Republic
- The Netherlands
States that have not yet started the implementation process:
UK-US Data Transfers Post Brexit
The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.
Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover. US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.
In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:
- An assessment of the proposed transfer’s impact, and the steps taken to mitigate any identified risks to the data, must be undertaken (a Data Transfer Impact Assessment).
- Appropriate data transfer agreements must be effected between the UK data transferor and US recipient, including a transfer agreement in a form issued by the ICO (an International Data Transfer Agreement or IDTA).
- Appropriate information must be made available to the affected data subjects – in the case of employees this may be via an appropriate privacy notice in the staff handbook.
- The business must implement sufficient technical measures, such as data security systems and access restrictions, to protect the transferred data.
- Clear internal procedures must be adopted, and employees involved in transfers must receive appropriate and regular training on the rules and the rights of affected data subjects.
The IDTA was introduced in March this year to replace the EU-issued form of approved transfer agreement, known as Standard Contractual Clauses (or SCCs). Organisations that have already implemented the pre-IDTA form of SCCs to enable data transfers can continue to rely on these until March 2024 but will need to have transitioned to the new form of IDTA by this date.
Other mechanisms are available to ensure compliance, but the above steps represent the most commonly adopted set of procedures. If investigating, the ICO will expect to see evidence of the required measures being adopted and of the implementation of appropriate internal procedures.
Importantly, these rules apply just as equally to transfers of UK-gathered personal data between group companies as they do to transfers between unrelated parties. Unless a US parent has no involvement in or knowledge of its UK subsidiary’s HR matters, the ICO’s expectation is that appropriate data transfer mechanics need to be in place. The ICO website itself gives the following example of a transfer caught by the rules1:
Example: A UK company uses a centralised human resources service in the United States provided by its parent company. The UK company passes information about its employees to its parent company in connection with the HR service. This is a restricted transfer.
The UK government has recently published a response to its consultation on proposed reforms to the UK’s data protection regime, to be contained in the upcoming Data Reform Bill. This indicates that future priorities will lie in cutting compliance red tape and increasing the list of counties able to benefit from simplified data transfer procedures, which currently does not include the US. However, these reforms will take time to implement, are currently not fully detailed and may not in any event extend to UK-US data transfers.
Moderna’s Single-Day CFO: The Importance of Conducting Thorough Background Investigations
On May 9, industry veteran Jorge Gomez reported for work as the new chief financial officer of biotechnology company Moderna, Inc., as the company sought continued global growth following the success of its messenger RNA COVID-19 vaccine.
Gomez was a known quantity and safe bet for Moderna, with Moderna CEO Stéphane Bancel praising him for his financial leadership experience and his passion for sustainability. As the Wall Street Journal reported, Gomez had worked with the outgoing Moderna CFO David Meline for nine years at General Motors. He spent the following sixteen years at medical and healthcare services companies, with a final stop as CFO of dental product manufacturer Dentsply Sirona Inc.
Yet only 24 hours later, Moderna was arranging Gomez’s departure, following Dentsply Sirona’s public disclosure of an internal investigation into allegations of financial impropriety that may have occurred on his watch related to sales incentives for distributors and the possible use of such incentives to meet executive compensation targets.
Gomez’s downfall — public, swift, and noisy — delivered a jarring blow to Moderna’s reputation and illuminates a clear breakdown in the standard practice of vetting senior executive candidates. Even a cursory media search as part of a due diligence investigation could have alerted Moderna that at least two law firms had announced ongoing securities fraud investigations into Gomez’s former firm, as the Journal reported. Instead, Moderna joined the growing list of companies that have fallen victim to failed hiring decisions at the most senior management levels.
The Role of Background Investigations into Senior Hires
Business leader hiring decisions are among the most critical companies can make. There is no more sure-fire way to set up an enterprise for success or sow the seeds of failure. The selection of an unqualified candidate or, even worse, an unethical one can cause incalculable harm to a firm’s culture, reputation, and bottom line. And not having full awareness of controversies connected to a candidate can lead to rapid changes in fortune.
Thoughtful vetting via a comprehensive background investigation is the solution. But companies need to ensure they employ a layered approach to candidate evaluation and do not short-change their vetting process by pursuing superficial reviews that almost guarantee problems will remain hidden. Successful background investigations need to incorporate multiple elements:
- Public Records Investigations: Any vetting process for a senior hire should include a comprehensive review of relevant public records in all the jurisdictions where a candidate has lived or worked. Such records include federal and state litigation and criminal records, liens, judgments, bankruptcy filings, regulatory filings, and licensing and disciplinary records. Investigations also need to include analysis of traditional and online media and social media, ranging from papers of record to the latest employer review sites and messaging platforms where allegations of impropriety or malfeasance often first surface. Direct verification of employment and educational qualifications is critical, along with a close review of any discrepancies between the factual record and a candidate’s public statements and online biographies. Especially in the United States, open source information is a rich record that due diligence professionals know how to mine. But companies need to take care as not all public records investigations are created equal. The first shortcut some companies take is to conduct “online only” investigations that rely on computer searches to identify “red flags,” or indications for potential concern. In some jurisdictions, an online search can be helpful, but very often investigators must travel to courthouses for in-person reviews to find all the records that may exist. A second shortcut is to conduct investigations targeting only the last ten or fifteen years. While simplifying the investigative process by eliminating whole sets of records from review, this limitation can lead to surprises when problems from the past become relevant again. Comprehensive investigations should stretch as far back as they can, depending on the jurisdiction.
- Source Inquiries: When discrepancies are identified or additional information is required for clarification, open source reviews should be augmented by inquiries with knowledgeable sources to identify information that may not have reached the public domain. Companies need to be careful to avoid checking only references provided by the candidate. Such individuals are always carefully chosen by the prospective employee, and while some have incentives to provide glowing reviews, none will say anything that might jeopardize the applicant’s candidacy. Independent sources contacted for inquiries could include a candidate’s former employees, colleagues, or associates; customers; litigation adversaries; social contacts; and others who can provide honest feedback through their knowledge of the candidate across the different phases of his or her life.
- A Holistic View of Risk: Background investigations are set up to fail as soon as they become check-the-box exercises. Strong investigations approach the problem of risk holistically, and search for both the “red flags” that are easy to find and those that require analysis and insight to uncover. Yes, the candidate was employed where she claimed, but how did the companies perform under her stewardship? Yes, the candidate built the businesses on his résumé, but what was his reputation amongst his former business partners? Do the candidate’s associations or activities, disclosed or not, present any conflicts of interest to her new employer? Have any of the candidate’s family members or close associates been connected to significant controversies or played unexplainable roles in his ventures? Does the candidate have any potentially problematic associations with government officials, sponsors, or patrons? Does the candidate’s standard of living match her known income? Is the candidate’s reputation and mode of operation consistent with the culture you are looking to build? Thoughtful background investigations are synoptic: they can answer these questions and others that will help companies make informed decisions about potential risks.
For background investigations with these elements to be successful, companies need to partner with experts who know how to find information and interpret it, sometimes identifying what is out of place or what is missing. These experts must also know how to operate legally and ethically within the confines of the Fair Credit Reporting Act and related laws that govern how investigative firms can collect and report their findings in employment investigations.
Expert investigators will listen to your concerns and may suggest additional areas of inquiry. Their practices evolve to keep pace with the ever-changing data and regulatory landscape. They will likely uncover more information about the candidate than your HR staff would ever be able to develop or the recruiters would deign to disclose. But most of all, they will protect your reputation by allowing you to identify controversies and problems before they and you become front page news.
Ban the Box Laws: What’s the Box and Why is it Banned?
An overwhelming majority of states have adopted what is widely known as “ban-the-box” laws or policies that generally prohibit employers from inquiring about an applicant’s criminal background until later in the hiring process. The laws are intended to allow an employer to evaluate an applicant’s job qualifications first, without a criminal record overshadowing their candidacy.
Here’s what employers need to know to make sure they are complying with ban-the-box laws.
What is banned?
For a long time, many employers included a “box” on their employment applications. If the applicant had been arrested for or convicted of a crime, then they had to check the box. Today, fifteen states and at least twenty-three localities have adopted ban-the-box laws or policies applicable to private-sector employment. Thirty-seven states have adopted statewide laws or policies applicable to public employers. Many of these jurisdictions do more than simply eliminate the box. For example, some laws incorporate the best practices set forth by the EEOC. And still others prohibit employers from even considering certain records when reviewing applications.
The EEOC issued guidance on the use of arrest and conviction records in employment decisions in 2012, as part of the Commission’s efforts to eliminate unlawful discrimination in employment decisions. As the EEOC warned, “[a]n employer’s use of an individual’s criminal history in making employment decisions may, in some instances, violate the prohibition against employment discrimination under Title VII of the Civil Rights Act of 1964, as amended.”
There are two ways that employers get into trouble under Title VII by using criminal records: (1) if an employer treats job applicants or employees with the same criminal records differently because of their race, national origin, or another protected characteristic; and (2) if an employer’s neutral policy of excluding applicants with criminal records has the effect of disproportionately screening out a protected group and the employer fails to demonstrate that the policy is job-related and consistent with business necessity. The EEOC’s guidance calls on employers to conduct an individualized assessment of job applicants by evaluating three factors:
- the nature and gravity of the offense;
- the time elapsed since the offense or completion of the sentence; and
- the nature of the job.
As part of the individualized assessment, the employer would notify the individual that they have been screened out because of their criminal record, and provide the individual an opportunity to demonstrate that the exclusion should not be applied due to their particular circumstances.
What does the future look like for ban the box laws?
A recent employer to “ban the box” is the U.S. government, thanks to the enactment of the Fair Chance to Compete for Jobs Act of 2019. The Act went into effect on December 20, 2021, and it prohibits federal agencies and contractors from inquiring about an applicant’s criminal history before extending a conditional job offer, with some carve-outs. But as the Office of Congressional Workplace Rights announced: “The purpose of the FCA is not to remove access to criminal history information about an applicant for government employment; rather, the purpose is to move that information to the end of the process to give those with a criminal history a fair chance to compete for a Federal job.”
Because a number of states and localities prohibit employers from requiring applicants to disclose a criminal record before a job offer has been extended, the federal law is unlikely to require significant changes for many contractors who are already subject to some form of state or local ban-the-box law.
Nevertheless, with ban-the-box laws operating in a growing number of jurisdictions, employers should take the time to review and, if necessary, revise their hiring policies and provide regular training to individuals involved in the hiring stages. Multistate employers should consider how this legal patchwork may effect their policies—including whether to have multiple policies based on the states in which they operate or a universal policy based on the strictest laws. Moreover, even if an employer does not have a physical office in a certain state, the state’s laws likely apply to remote employees who live or work there.
The Latest in Multi-Jurisdictional Compliance with Employment Application Laws
A growing number of states and municipalities are restricting the types of inquiries employers can make during hiring, creating concerns with what employers can include or must include on job applications and job postings.
This rising trend comes as respondents to Ogletree Deakins’ recent survey report, Strategies and Benchmarks for the Workplace: Ogletree’s Survey of Key Decision-Makers, indicated that multi-jurisdictional compliance is one of the three most challenging issues for employers in this current competitive hiring and retention climate.
Criminal Ban the Box Laws
Colorado, Maine, and Des Moines, Iowa, are the latest examples of jurisdictions that have passed Ban the Box laws on the books that prohibit employers from asking about an applicant’s criminal history at the application stage of the hiring process. Across the United States, a total of 15 states, the District of Columbia, and more than 20 municipalities currently have enacted such laws.
Ban the Box laws are intended to provide applicants with criminal records an opportunity to progress further into the hiring process on their merits, rather than being screened out because of their criminal histories. Most of these laws do allow employers to inquire about criminal histories at some point in the hiring process but the jurisdictions vary on when that point it. Des Moines, for instance, does not allow an employer to inquire into an indivdiaul’s criminal history until after extending a conditional offer of employment.
These variations may mean that employers must use different job applications for different jurisdictions or use applications with state-specific carve outs informing applicants that they are not required to answer certain criminal history questions. However, both New York City and Philadelphia make it unlawful to have an employment application with such state-specific carve outs, and instead say that employers may not ask about criminal history at all.
Salary History Bans
A growing number of jurisdictions are passing laws prohibiting employers from inquiring about applicants’ prior wages or salaries as a requirement for a job application, job interview, or job offer. These measures fit into broader pay equity laws aimed at preventing applicants from being offered less than what they might otherwise have been offered or to which they otherwise are entitled for a new position because they may have been underpaid at their prior positions.
Fifteen states and nine municipalities have some sort of salary history ban. Rhode Island is set to become the next. Effective January 1, 2023, the state will prohibit employers from asking about an applicant’s wage history until after extending a job offer, including on job applications. After an employer makes an offer, employers may ask about prior pay but only if the candidate voluntarily raises the topic of prior pay and the information is used to support a higher offer.
Similarly to the ban-the-box laws, New York City and Philadelphia do not allow salary history inquiries on an application or applications with carve outs.
Pay Transparency Laws
In addition to pay history bans, there is a growing set of pay transparency or wage disclosure laws, requiring employers to include the expected salary or a compensation range for a position in job postings. While these laws do not affect employment applications directly, they are closely related to the salary ban laws. Under these laws, job postings could be considered unlawfully misleading if employers offer less than what was posted.
Colorado’s is the most broad with a requirement that any job posting for work that could be performed in Colorado must include the salary range on the job posting. Thus, a remote position that could potentially be filled and performed by someone in Colorado is covered by the law and requires the job posting to disclose a “compensation range” with the minimum and maximum pay for the position.
Effective November 1, 2022, New York City will make it an “unlawful discriminatory practice” for employers with four or more employees, and at least one employee in New York City, to post job advertisements, internal promotions, or transfer opportunities without disclosing salary ranges. The ranges may not be open-ended and must include a minimum and maximum salary for the position.
Employers may want to take these growing Ban the Box and pay transparency laws into account when reviewing their hiring practices especially if hiring online for positions that could be performed anywhere in the country.
These increasing restrictions on what employers may inquire about in job applications or requirements for pay transparency in job postings impose compliance challenges for employers, particularly for those involved in nationwide job searches. Employers may want to review their current employment applications and job postings to ensure that they are inquiring about criminal histories or prior salaries in violation of state and local laws. Employers may also want to consider using different job applications for different jurisdictions or including state-specific carve outs, though this may raise compliance concerns in certain jurisdictions.