Nationwide Free Credit Freezes
The FTC publishes a blogpost about free credit freezes.
Employers, Do You Need To Accommodate An Employee’s Use of Medical Marijuana?
Maybe. But maybe the question is not whether you need to but whether you should, given the way the judicial winds have been blowing. The Americans with Disabilities Act’s (“ADA”) requires that employers (with more than 15 employees) must provide a reasonable accommodation to a qualified employee with a “disability” within the meaning of the ADA (it’s a broadly interpreted term) that substantially limits one or more major life activity(ies) or has a record of a disability. Always important to note, the ADA only protects employees who are “qualified,” meaning that the employee possesses the skill, experience, and education to perform the essential functions of the job with or without any reasonable accommodation. A reasonable accommodation is a change in the way duties are performed to help a disabled employee perform the job’s duties or enjoy the benefits and privileges of employment. The ADA requires employers to provide reasonable accommodations to an employee unless such accommodation(s) would pose an undue hardship, i.e., major difficulty or expense based on the employer’s resources and circumstances or those that would completely change the operation of the business. More and more states are legalizing medical marijuana. However, with one extremely narrow exception, medical marijuana use is not protected under the ADA, as the ADA does not protect illegal drug use and marijuana remains illegal under federal law. However, a few recent case rulings based on state disability laws, which appears to be a growing trend, should make employers think otherwise.
The Underlying Disability Is Key
In New York a certified medical marijuana patient must be deemed as “having a ‘disability’ under the state’s human rights law.” Thus, employers must reasonably accommodate the underlying disability associated with the legal marijuana use. So, in one administrative hearing in July 2017, an administrative law judge concluded that the New York City Taxi and Limousine Commission could not revoke a driver’s license after he tested positive for marijuana because he legally used the drug in accordance with the state statute – the “New York State Compassionate Care Act.”
The ALJ reasoned that a finding of unfitness based upon a “failed drug test as a result of illegal drug use” was not applicable to the driver’s legal use. In another case, also last summer, when the employee informed her employer that she was certified to take medical marijuana to treat Crohn’s disease, a condition expressly included in that state’s (Massachusetts) medical marijuana act and stated that she would not consume it at or before work, the employer terminated her for failing the drug test after her first day of work. The employee claimed that she was “disabled” within the meaning of the Massachusetts’s state medical marijuana law and capable of performing the essential functions of her job with a reasonable accommodation. That accommodation was a waiver of the employer’s zero-tolerance drug policy. The court said-the employee is right! The employer was required to engage in the “interactive process” to determine whether there were any alternatives for her that would not violate the employer’s policy. The court held that where no such alternatives existed, an exception to the employer’s drug policy constituted a reasonable accommodation, for which the employer would have to demonstrate an undue hardship to justify its failure to provide such an accommodation. An undue hardship could also be that the employee holds a safety-sensitive position. The Massachusetts employer did not allege as such. One month later, in August 2017, a court in Connecticut agreed that a modification of an employer’s drug policy might constitute a reasonable accommodation. Under similar facts, including that the employee would not be under the influence at work, the employer argued that the state’s medical marijuana law was preempted by the federal Controlled Substances Act (“CSA”) and the ADA.
Did the court buy this argument? It did not. Rather, the Court explained that the CSA does not “purport to regulate employment practices in any manner.” It rejected similar arguments that the ADA’s provisions about drug testing and illegal drug use preempt the Connecticut law because the ADA provisions do not expressly state that an employer may prohibit an employee from the illegal use of drugs outside of the workplace. The court reasoned that just because the ADA permits employers to engage in drug testing, states could still have laws prohibiting employers from taking adverse acting against someone who fails a drug test. Similarly, and earlier in 2017, in Rhode Island another court concluded that the state’s “Medical Marijuana Act” protected disabled individuals from discrimination not only because of their status as a medical marijuana cardholder, but also because of their actual use of medical marijuana. Here, the employer refused to hire a prospective employee when the person’s drug test (post-offer, of course!) was positive for marijuana after the person disclosed taking medical marijuana for a disability.
The aforementioned employees in these cases (except the New York one) all disclosed their use of medical marijuana to treat a disability, and the employers all had drug testing policies. In denying motions to dismiss in these cases, these courts recognized causes of action under state law disability discrimination statutes and under the discrimination clauses contained in the state medical marijuana acts, which were not preempted by federal law.
These cases demonstrate a shift from “absolutely no” to “well, maybe…depending” when it comes to how employers navigate medical marijuana issues. As such, there are a few corresponding takeaways here:
- Before you do anything, know your state’s position on medical marijuana. Is your state one of the 30 that has legalized medical marijuana? If so, what does that statute say? Remember, some state laws contain explicit anti-discrimination provisions protecting employees who are medical marijuana cardholders.
- Interrogating a medical marijuana user about her (or him) disability before firing her may give rise to a viable disability discrimination claim. We’ve seen that where the disability (as opposed to the medical marijuana use) motivates the employment action, that could constitute discrimination based on a disability pursuant to state law.
- As ever, if you know—because the employee tells you or the disabling condition is obvious—that the employee has a disability, engage in the interactive process before making any irrevocable decisions.
EEOC Scrutinizes Employer Policies Regarding Prescription Drug Use
The opioid crisis is dominating the news and employers have reason to be concerned. According to the Bureau of Labor Statistics, overdoses from the non-medical use of drugs or alcohol while on the job increased from 165 in 2015 to 217 in 2016, a 32-percent increase. That same report showed that overdose fatalities have increased by at least 25 percent annually since 2012. Further, the U.S. Centers for Disease Control recently stated that use of prescription opioids can result in serious issues with addiction and that in 2014, nearly two million Americans either abused or were dependent on prescription opioid pain relievers. However, employers should tread carefully when addressing any prescription drug use in the workplace. It has long been the case that the Americans with Disabilities Act (ADA) and state disability discrimination laws provide protections to applicants and employees taking prescription medication, including opioids, and regulate the right of an employer to inquire about such use. Two recent settlements with the Equal Employment Opportunity Commission (EEOC) highlight a few common issues facing employers.
In one case, the EEOC brought suit against a pre-school that allegedly terminated an afterschool teacher after he disclosed his prior opioid addiction and his participation in a supervised medication-assisted treatment program. As part of his treatment, he was legally prescribed Suboxone, which is a prescription used to treat adults who are dependent on, or addicted to, opioids. The EEOC claimed the school terminated the teacher 30 minutes into his first work day because of his use of this medication. The EEOC claimed that the failure of the school to conduct an individualized assessment to determine what, if any, impact the drug had on the teacher’s ability to perform his job violated the ADA. As part of the settlement, which required a $5,000 payment to the teacher, the EEOC required the school to, among other things:
- Amend its written drug use policy to include a clear and specific exclusion to the policy for individuals who use legally-obtained prescription medication in a lawfully-prescribed manner.
- Create an ADA-compliant procedure for conducting an individualized assessment of an employee who is enrolled in any form of alcohol, drug, or illegal substance rehabilitation program in order to determine whether the employee can safely perform the essential functions of his or her position with or without reasonable accommodation.
In another case, the EEOC alleged the employer withdrew an applicant’s job offer based on a positive drug test result for prescription medication. The EEOC also alleged the employer maintained an unlawful policy requiring all employees to report if they were taking any prescription and nonprescription medication. Both actions, according to the EEOC, violated the ADA. The parties settled for $45,000, with a requirement that the employer adopt company-wide policies to prevent future hiring issues under the ADA and only require employees to report prescription medications if the employer has a “reasonable suspicion” that the medication may be affecting performance.
Takeaways for Employers
These settlements serve as a reminder that employers should avoid making adverse decisions based on misperceptions or a lack of information about the effect of lawful prescription drug use on their employees’ ability to perform their job duties. In general, employees have a protected right to use prescribed controlled substances and come to work unless such use creates an undue risk of harm or presents a safety issue. Moreover, employers should take precautions before implementing blanket drug-testing policies that do not account for the need under the ADA to engage in an interactive process with individuals taking prescription medications and, if necessary, provide reasonable accommodations. Employers also should consider revising any workplace policy that requires employees to disclose their prescription medication use, unless there is reason to believe the medication may impact performance, or otherwise suggests that employees taking such medication will be treated in a certain way without regard to whether their drug use impacts their work.
NYDFS Cybersecurity Regulation to Apply to Consumer Credit Reporting Agencies
On June 25, 2018, the New York Department of Financial Services (“NYDFS”) issued a final regulation (the “Regulation”) requiring consumer reporting agencies with “significant operations” in New York to (1) register with NYDFS for the first time and (2) comply with the NYDFS’s cybersecurity regulation. Under the Regulation, consumer reporting agencies that reported on 1,000 or more New York consumers in the preceding year are subject to these requirements and must register with NYDFS on or before September 1, 2018. The deadline for consumer reporting agencies to come into compliance with the cybersecurity regulation is November 1, 2018. In a statement, Governor Andrew Cuomo said, “Oversight of credit reporting agencies ensures that the personal private information of New Yorkers is less vulnerable to the threat of cyber-attacks, providing them with peace of mind about their financial future.”
Continued Enforcement of New York’s Ban the Box Law
Yesterday, the New York Attorney General (“NYAG”) announced a settlement with national retailer Aldo Group Inc. (“Aldo”) for violation of New York City’s ban the box law, which, among other things, prohibits employers from inquiring into a prospective employee’s criminal history on an initial employment application. The NYAG’s investigation revealed that (i) Aldo’s employment applications impermissibly inquired into the applicant’s criminal history and (ii) Aldo lacked consistent policies and procedures for evaluating the criminal records of applicants and employees, leading store-level managerial employees to believe they had wide latitude in how they could consider the criminal records of applicants and that they could bar applicants with a felony conviction from employment. Under the settlement terms, Aldo will pay a $120,000 fine to New York State, modify their employment applications to bring them into compliance with New York’s ban the box law, create new policies and training to ensure that its stores individually assess applicants’ criminal histories at the appropriate point in the application process, and report the company’s remediation to the NYAG. This is the first ban the box settlement reached by the NYAG in 2018, but the fifth such settlement overall. In 2017, the NYAG settled with Marshalls and Big Lots
Using Credit Histories in Employment Decisions: An Overview Of Divergent State & Local Requirements
Jurisdictions Limiting Use of Employment Credit Checks
In recent years, ten states (California, Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington), the District of Columbia, and the cities of Chicago, New York City and Philadelphia have passed laws restricting the use of credit reports used by employers for employment purposes, with several more jurisdictions poised to join the trend. In addition, Representative Maxine Waters (D-CA) and Senator Elizabeth Warren (D-MA) have proposed bills in both the U.S. House of Representatives and the Senate that would restrict the ways in which consumer credit information could be used for employment purposes.
The Benefit—and Risks—of Credit Checking
“Credit checks are useful to employers generally because they provide a variety of information not able to be confirmed by other sources and because they are viewed as a valid indicator of a person’s judgment and potential risk to the company…the vast majority of employers…use credit reports for a very limited number of positions such as jobs dealing with company finances, positions in accounting departments, high level executives or positions dealing with sensitive personal data of customers or employees.” Statement of Pamela Quiqley Devata, Esq., Seyfarth Shaw LLP, before the Equal Employment Opportunity Commission (“EEOC”), October 20, 2010, “Employer Use of Credit History as a Screening Tool.” The EEOC, on the other hand, has taken on greater scrutiny of background checks in employment decisions because of their potential adverse impact on classes of applicants under Title VII of the Civil Rights Act (“Title VII”).
The EEOC has taken issue with employers who utilize criminal history screening in their hiring decisions, and also has broadened their scrutiny to include credit checks for the same reason: the belief that credit checks create a disparate impact on certain minority groups. See for instance EEOC Enforcement Guidance, Number 915.002, issued April 25, 2012, entitled, “Consideration of Arrest and Conviction Records in Employment Decision under Title VII. See also EEOC v. BMW Manufacturing Co., 2015 WL 5719928 (Verdict and Settlement Summary) (Sept. 8, 2015) (EEOC claimed that automobile manufacturer excluded black logistic workers from employment at a disproportionate rate after BMW implemented a criminal background check policy, which had statistically disparate impact on black employees; the case settled for $1,600,000). EEOC v. Kaplan Higher Learning Educ. Corp., 2014 WL 1378197 (N.D. Ohio 2014) (EEOC failed to demonstrate that Kaplan’s use of credit reports had an adverse impact on African American applicants where “race rating” methodology was discredited).
Federal and State Laws Also Govern the Use of Credit Reports
The Fair Credit Reporting Act (“FCRA”) does not expressly preclude employers from using credit reports when making employment decisions, but other applicable laws may impact an employer’s use of credit reports of its applicants or employees. The FCRA disclosure form must expressly state that a credit check will be procured, however, it is illegal in certain jurisdictions to refer to credit at all if there is no lawful reason for the credit check. See Stop Credit Discrimination in Employment Act, N.Y.C. §§ 8-102(29), 8-107(9)(d), (24) (2015); D.C. “Fair Credit in Employment Amendment Act of 2016,” Act 21-673 (2016).
The jurisdictions that have enacted laws prohibiting the use of credit history for employment decisions have largely based the legislation on the premise that credit generally is not a relevant factor in employment decision-making. Thus, these prohibitions typically prevent use of a credit report in the context of employment when the report is not sufficiently related to the nature of the position.
These prohibitions, however, are only subject to certain narrow exceptions. For example:
- Banks and financial institutions (Chicago, Colorado, Connecticut, DC, Hawaii, Maryland, Oregon, Philadelphia, and Vermont);
- Managerial positions (as defined by the particular state/city legislation) (California, Colorado, Hawaii, Illinois, and Philadelphia)
- Positions with access to specified personal information (other than routine transactions and as defined by the particular state legislation) (California and Maryland)
- Positions with access to confidential/proprietary information, security data, or trade secrets (California, Connecticut, Illinois, Maryland, New York City, Philadelphia, and Vermont)
- Positions in law enforcement (California, DC, New York City, Oregon, Philadelphia, and Vermont)
- Positions involving access to assets of above a certain amount or with signatory authority to enter transactions on behalf of the employer (California, Connecticut, Illinois, Maryland, New York City, Philadelphia, and Vermont)
- Positions with regular access to more than a certain amount in cash (California – $10,000 and Illinois – $2,500)
- Positions with access to expense accounts or corporate cards (Connecticut and Maryland)
Importantly, no state or city prohibits use of credit report information when such use is specifically permissible under federal or state law.
Penalties range from $100 per day to $250,000, depending upon the jurisdiction.
Given the increase in state and local laws passing credit check laws, as well as the EEOC’s stance on the use of credit checks (namely, that credit checks create a disparate impact on certain minority groups), there appears to be a trend of all employers decreasing the number of credit checks that they conduct. Given the potential exposure, even financial organizations are no longer running credit checks on all of their workforce unless they are either specifically required to do so by law or those employees are in positions of trust—specifically, those positions with signatory authority over third party assets of $10,000 or more, and positions that have a fiduciary responsibility to enter financial agreements on the employer’s behalf.
Given the incredible breadth, and potential damages of the numerous (and growing) credit report laws and the recent upsurge of private litigation on this issue, employers should not directly or indirectly request credit information and/or conduct credit checks unless required to do so under state or federal law or unless an exemption is met. Employers who seek credit information for positions that fall into jurisdictional exemptions also should review the requirements for compliance and additional process guidance. Most significantly, employers should review their applications, FCRA forms, and other employment-related documents to ensure that there are no references to the procurement and/or use of credit information. Employers in multi-state jurisdictions should also ensure compliance with the laws of all other applicable jurisdictions that regulate employers’ use of credit information.
States Continue To Pass Equal Pay Legislation
While the Federal Equal Pay Act, which mandates employers to pay men and women the same pay for the same work, has been the law for 55 years, salary surveys continue to show that women are paid less than men. In an effort to address this pay gap, states around the country are passing their own legislation. Some of the states have enacted similar provisions, while a few have enacted unique provisions.
Ban On Salary History Inquiries
Studies have shown that one factor contributing to ongoing pay discrepancies is that an employee’s starting salary with an employer is often based upon the individual’s salary with their previous employer. Consequently, discriminatory pay discrepancies may follow an individual through his or her career. In an effort to address this issue, a growing number of states have banned employers from inquiring into an applicant’s salary or compensation history during the hiring process. These states include:
- California (1/1/18);
- Connecticut (1/1/19);
- Delaware (12/14/17);
- Massachusetts (7/1/18);
- Michigan (6/24/18);
- New Jersey (2/1/18);
- Oregon (10/6/17); and
- Vermont (7/1/18).
Some states presently only have bans on public-sector employers, including New York (1/9/17) and Wisconsin (4/18/18). In addition, some counties and cities have also enacted bans. Among them are: New York City; Albany County, NY; Westchester County, NY; San Francisco; Chicago; New Orleans; Philadelphia; and Pittsburgh. While employers in these jurisdictions may not inquire into an applicant’s compensation history, employers may ask an applicant about his /her expectations regarding compensation for the position they are seeking. Moreover, in some jurisdictions, such as Connecticut, whose ban goes into effect on January 1, 2019, an applicant may raise the topic of their compensation history, and the employer then may take steps to verify the employee’s representations.
More Expansive Legislation Passed in Massachusetts and New Jersey
Some states are also passing more expansive legislation to address pay disparities. On July 1, 2018, both Massachusetts’ Equity Pay Act (MEPA), and New Jersey’s Law Against Discrimination (LAD) go into effect. Massachusetts’ recent legislation provides additional clarity as to what constitutes unlawful pay discrimination. The new legislation defines “comparable work” as work that requires substantially similar skill, effort, and responsibility, and is performed under similar working conditions. Certain differences in pay are permissible if they are based upon:
- Seniority System (Note: time spent on pregnancy-related leave, paternal leave or FMLA leave may not reduce seniority);
- Merit System;
- System measuring quantity or quality of production, sales, or revenue;
- Geographic location of the job;
- Education, training or experience required for the job; or
- Travel requirements.
One unique aspect of the Massachusetts Pay Equity Act is that employers may be immune from suit if, within the 3 years prior to suit, the employer conducted an audit of its pay practices and took reasonable steps to eliminate any impermissible gender-based wage differentials revealed in the audit. Please note, however, that employers may not correct disparities by lowering an employee’s compensation.
New Jersey’s Law Against Discrimination not only prohibits pay differences based on gender for “substantially similar work” absent a legitimate business reason, but also prohibits differences based upon any protected classes, including sex, race, creed, color, national origin, ancestry, nationality, disability, age, pregnancy, breastfeeding, marital status, sexual orientation, gender identity/expression, military status, or genetic information.
Like Massachusetts, New Jersey prohibits employers from correcting pay discrepancies by reducing an employee’s compensation. With its new legislation, New Jersey will have one of the longest statutes of limitation to bring a compensation-related claim—6 years—and employers who are not in compliance will face triple damages.
“Ban the Box” Laws & Workplace Violence: An Employer’s Failure to Sufficiently Perform Background Checks Could Lead to Costly Negligence Liability
Many states and municipalities throughout the country have enacted laws that mandate the removal of criminal conviction history questions from job applications. This so-called “Ban the Box” movement theoretically provides individuals with criminal backgrounds the opportunity to obtain jobs for which they otherwise would not have been considered. But, these laws also provide additional burdens for employers and add additional ways for them to face liability. In light of the “Ban the Box” legislation that went into effect in California as of January 1, 2018, it is important to examine the law and its potential effect on claims of negligent hiring, negligent supervision, and negligent retention. The California’s “Ban the Box” legislation amends the Fair Employment and Housing Act (FEHA) to, among other things, prohibit employers with five or more employees from directly or indirectly inquiring into, seeking the disclosure of, or considering an applicant’s criminal conviction history until after the applicant receives a conditional offer of employment. Before denying employment based on an applicant’s conviction history, employers are required to follow a “fair chance” process and make an “individualized assessment” of whether the criminal history has a direct, negative relationship to the “specific duties” of the job. Thereafter, if a decision is made to not hire the individual, the employer must provide written notice of its “preliminary decision” to disqualify the applicant based on his conviction history and undertake a number of other procedural steps that, ultimately, will delay the hiring process. While nothing in the law prevents the employer from rejecting the applicant because of prior criminal convictions, the employer still could face civil liability for the actions of the hired individual as its employee. Although this legislation lends itself to a more cumbersome background check process, it still is essential that employers conduct thorough background checks and decline to hire potentially dangerous applicants. If an employer fails to do so, and an employee commits an act of violence, the employer could potentially be liable for negligent hiring, negligent retention, or negligent supervision and face significant monetary damages as a result. These negligence-type causes of action impose liability on an employer who knows or should know that an employee creates a risk of a particular harm and that particular harm materializes. Generally, the particularized harm is an act of violence that was foreseeable based on the employee’s past acts. Notably, in order for the employer to be liable for negligence, the employee’s act of violence must have been foreseeable. While foreseeability is generally a question of fact that depends on the specific factual circumstances of the situation at issue, a worker’s previous conviction for the same or a similar act would be almost conclusive evidence that the act was foreseeable. See Doe v. Uber Techs., Inc., 184 F. Supp. 3d 774, 788 (N.D. Cal. 2016) (denying Uber’s motion to dismiss because the Uber driver’s assault was likely foreseeable because Uber “should have known about [the Uber driver’s] criminal history such that Uber may be liable for negligent hiring, supervision and retention” because, if Uber had conducted a sufficient background check, it would have uncovered the driver’s earlier assault conviction that was not disclosed by the unsatisfactory background check); see also Virginia G. v. ABC Unified School Dist., 15 Cal. App. 4th 1848 (1993) (holding school district liable for negligent hiring after school failed to perform an adequate background check which would have shown a previous termination for sexual misconduct). Accordingly, if an employer fails to perform a sufficient background check, or hires an employee despite a similar past conviction, a court very possibly will find that the employee’s violent actions were foreseeable. Recently, California courts have expanded the definition of “foreseeability” to encompass arguably random acts of violence. See Regents of the Univ. of Cal. v. Superior Court of L.A. Cty., 4 Cal.5th 607, 629 (2018) (holding that mass school shootings are likely foreseeable as a matter of law). As incidents of workplace violence, like the 2015 San Bernardino Inland Regional Center shooting, become more prevalent, it is increasingly likely that these random acts of violence will be deemed foreseeable as a matter of law. Further, the potential liability (and harm) associated with workplace violence is astronomical. For example, the San Bernardino shooting led to 14 employees being killed and 22 employees being seriously injured. A verdict or settlement based on the deaths and serious injuries of over 30 employees would be incredibly costly on many fronts. Accordingly, as employers implement “Ban the Box” requirements into their hiring processes, they should remember the potential liability associated with negligent hiring, retention, and supervision claims and ensure that their protocols are not minimized just so they do not have to face the burdens imposed by this new law. Simply put, going through the procedural hoops of rejecting some applicants (when appropriate) can be worthwhile, even if doing so adds time and effort to the hiring process.
California Expands National Origin Protections In The Workplace
In late May, California announced new amendments to the Fair Employment and Housing Act (FEHA) strengthening the protections afforded to applicants and employees, including those who are undocumented, on the basis of national origin. The changes go into effect July 1, 2018. The new regulations significantly broaden the definition of “national origin” as well as conduct that constitutes discrimination based on national origin.
Expanded Definitions Under the FEHA
Historically “national origin” referred to “the individual’s or ancestors’ actual or perceived place of birth or geographic origin, national origin group or ethnicity.” Moving forward, California law will take a much more holistic view of national origin:
- “National origin” now includes, but is not limited to, an individual’s actual or perceived:
- Physical, cultural, or linguistic characteristics associated with a national origin group
- Marriage to or association with persons of a national origin group
- Tribal affiliation
- Membership in or association with an organization identified with or seeking to promote the interests of a national origin group
- Attendance or participation in schools, churches, temples, mosques, or other religious institutions generally used by persons of a national origin group
- Name that is associated with a national origin group.
- “National origin group” now includes, but is not limited to: “ethnic groups, geographic places of origin, and countries that are not presently in existence.”
- “Discrimination on the basis of national origin” under FEHA is amended to include:
- Language restriction policies, including English-only policies, unless the restriction can be justified by business necessity and is narrowly tailored to further that business interest
- Discrimination based on an applicant’s or employee’s accent, unless the employer can show the accent materially interferes with the applicant’s or employee’s ability to perform the job
- Discrimination based on English proficiency, unless the employer can show that the proficiency requirement is justified by business necessity
- Height and weight requirements (as such may have a disparate impact on the basis of national origin), unless the requirement can be justified by business necessity and the purpose of the requirement cannot be met by less discriminatory means
- Recruitment, or assignment of positions/facilities/geographical area, based on national origin
- Inquiring into an applicant’s or employee immigration status or discriminating against an applicant or employee based on immigration status, unless required to do so under federal immigration law.
- “Retaliation” against an employee for opposing discrimination or harassment on the basis of national origin includes, but is not limited to:
- Threatening to contact or contacting immigration authorities or a law enforcement agency about the immigration status of the employee, former employee, applicant, or a family member (e.g., spouse, domestic partner, parent, sibling, child, uncle, aunt, niece, nephew, cousin, grandparent, great-grandparent, grandchild, or great-grandchild, by blood, adoption, marriage, or domestic partnership) of the employee, former employee, or applicant
- Taking adverse action against an employee because the employee updates or attempts to update personal information based on a change of name, social security number, or government-issued employment documents.
- The regulations also clarify the nexus between national origin discrimination and human trafficking under the Act, defining human trafficking as “the use of force, fraud, or coercion to compel the employment of, or subject to adverse treatment, applicants or employees on the basis of national origin.”
Impact on California Employers
California employers should review immigration-related and English-only policies:
- With respect to immigration-related practices, do not inquire into an applicant’s or employee’s immigration status unless the inquiry is necessary to comply with federal immigration law. Check employment applications and interview questions, and train HR accordingly. FEHA’s prohibitions apply regardless of immigration status, thus an applicant or employee can bring a discrimination charge whether they are documented or undocumented.
- Employers must also take care that English-only policies, if used at all, do not apply to non-work time and are essential to the company’s business.
- Prior to these amendments, English-only rules were presumptively lawful so long as the employer showed the policy was justified by a business necessity, gave sufficient notice of the circumstances in which the policy would be enforced and the consequences for non-compliance with the policy.
- However, the burden of proof flipped: English-only rules will be presumed unlawful unless an employer can demonstrate that the rule is narrowly tailored to further a business necessity. Because of this heightened standard, many English-only policies are likely to violate FEHA once the new regulations go into effect next month.
California Consumer Privacy Act Signed, Introduces Key Privacy Requirements for Businesses
On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The Act will take effect January 1, 2020. Key provisions of the Act include:
- The Act will apply to any for-profit business that “does business in the state of California” that (1) collects consumers’ personal information (or on the behalf of which such information is collected) and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; (2) has annual gross revenues in excess of $25 million; (3) alone or in combination annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (4) derives 50 percent or more of its annual revenue from selling consumers’ personal information (collectively, “Covered Businesses”).
- Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition of personal information aligns more closely with the EU General Data Protection Regulation’s definition of personal data. The Act includes a list of enumerated examples of personal information, which includes, among other data elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information and geolocation data, as well as “inferences drawn from any of the information identified” in this definition.
- Right to Know
- Upon a verifiable request from a California consumer, a Covered Business must disclose (1) the categories and specific pieces of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information.
- In addition, upon verifiable request, a business that sells personal information about a California consumer, or that discloses a consumer’s personal information for a business purpose, must disclose (1) the categories of personal information that the business sold about the consumer; (2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
- The above disclosures must be made within 45 days of receipt of the request using one of the prescribed methods specified in the Act. The disclosure must cover the 12-month period preceding the business’s receipt of the verifiable request. The 45-day time period may be extended when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. Importantly, the disclosures must be made in a “readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.”
- Covered Businesses will not be required to make the disclosures described above to the extent the Covered Business discloses personal information to another entity pursuant to a written contract with such entity, provided the contract prohibits the recipient from selling the personal information, or retaining, using or disclosing the personal information for any purpose other than performance of services under the contract. In addition, the Act provides that a business is not liable for a service provider’s violation of the Act, provided that, at the time the business disclosed personal information to the service provider, the business had neither actual knowledge nor reason to believe that the service provider intended to commit such a violation.
- Disclosures and Opt-Out. The Act will require Covered Businesses to provide notice to consumers of their rights under the Act (e.g., their right to opt out of the sale of their personal information), a list of the categories of personal information collected about consumers in the preceding 12 months, and, where applicable, that the Covered Business sells or discloses their personal information. If the Covered Business sells consumers’ personal information or discloses it to third parties for a business purpose, the notice must also include lists of the categories of personal information sold and disclosed about consumers, respectively. Covered Businesses will be required to make this disclosure in their online privacy notice. Covered Businesses must separately provide a clear and conspicuous link on their website that says, “Do Not Sell My Personal Information,” and provide consumers a mechanism to opt out of the sale of their personal information, a decision which the Covered Business must respect. Businesses also cannot discriminate against consumers who opt out of the sale of their personal information but can offer financial incentives for the collection of personal information.
- Specific Rules for Minors. If a business has actual knowledge that a consumer is less than 16 years of age, the Act prohibits a business from selling that consumer’s personal information unless (1) the consumer is between 13-16 years of age and has affirmatively authorized the sale (i.e., they opt in); or (2) the consumer is less than 13 years of age and the consumer’s parent or guardian has affirmatively authorized the sale.
- Right to Deletion. The Act will require a business, upon verifiable request from a California consumer, to delete specified personal information that the business has collected about the consumer and direct any service providers to delete the consumer’s personal information. However, there are several enumerated exceptions to this deletion requirement. Specifically, a business or service provider is not required to comply with the consumer’s deletion request if it is necessary to maintain the consumer’s personal information to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated, within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract with the consumer.
- Detect security incidents; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical or statistical research in the public interest (when deletion of the information is likely to render impossible or seriously impair the achievement of such research) if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
- The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.
- The Act provides a private right of action only in connection with “certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information,” as defined in the state’s breach notification law if the business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
- In this case, the consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.
- The statute also directs the court to consider certain factors when assessing the amount of statutory damages, including the nature, seriousness, persistence and willfulness of the defendant’s misconduct, the number of violations, the length of time over which the misconduct occurred, and the defendant’s assets, liabilities and net worth.
Prior to initiating any action against a business for statutory damages, a consumer must provide the business with 30 days’ written notice of the consumer’s allegations and, if within the 30 days the business cures the alleged violation and provides an express written statement that the violations have been cured, the consumer may not initiate an action for individual statutory damages or class-wide statutory damages. These limitations do not apply to actions initiated solely for actual pecuniary damages suffered as a result of the alleged violation.
Oklahoma Voters Pass Broad Medical Marijuana Law with Anti-Discrimination Provisions
Oklahoma became the 30th state to pass a medical marijuana law after voters approved it on June 26, 2018. The law gives broad discretion to physicians in prescribing medical marijuana, which should make it fairly easy to obtain. Additionally, the law restricts employers from taking action against applicants or employees solely based on their status as a medical marijuana license holder or due to a positive drug test result. The law takes effect on July 26, 2018. The law will be implemented quickly. It gives the Oklahoma State Department of Health until July 26, 2018 to make available on its website applications for medical marijuana licenses/caregiver licenses, dispensary licenses, commercial grower licenses, and processing licenses. It also requires the Oklahoma State Department of Health to establish by August 25, 2018, a regulatory office to receive these applications. Applications are to be approved/denied within fourteen days of receipt. A medical marijuana license will be valid for two years. Temporary licenses, which are valid for 30 days, may also be requested.
No “Qualifying Medical Conditions” Specified
A medical marijuana license application must be signed by an Oklahoma Board certified physician. However, unlike most other state medical marijuana laws, there are no “qualifying medical conditions” required to make a patient eligible for medical marijuana use. Rather, the license must be recommended “according to the accepted standards a reasonable and prudent physician would follow when recommending or approving any medication.” Oklahoma’s governor, Mary Fallin, stated after the election results were clear that the new law “is written so loosely that it opens the door for basically recreational marijuana.” Prior to the election, Gov. Fallin stated that she planned on calling a special session of the legislature if voters passed the measure. Medical marijuana license holders will be permitted to legally possess up to three ounces of marijuana on their person and up to eight ounces in their residence (as well as specified amounts of edible marijuana, concentrated marijuana, and plants). The law permits the issuance of a license to applicants 18 years or older, but also has provisions to allow applicants under the age of 18 to obtain a license.
Implications for Employers
The law provides protection to medical marijuana license holders against discrimination in the workplace. Absent the “imminent” loss of a monetary or licensing related benefit under federal law or regulations, an employer may not discriminate against a person in the hiring, termination or other term or condition of employment based on:
- The individual’s status as a medical marijuana license holder; or,
- Employers may take action against a holder of a medical marijuana license holder if the holders uses or possesses marijuana while in the holder’s place of employment or during the hours of employment. Employers may not take action against the holder of a medical marijuana license solely based upon the status of an employee as a medical marijuana license holder or the results of a drug test showing positive for marijuana or its components.
Massachusetts Enforcement Action
On June 6th, Massachusetts Attorney General Maura Healey announced a settlement with four national employers and issued warning letters to 17 Boston-based businesses for allegedly violating the state’s Ban the Box law, which prohibits most employers from inquiring about applicants’ criminal history on an initial job application. An investigation conducted by the Attorney General’s Office found that 21 employers operating in Massachusetts, including Edible Arrangements, Five Guys Burgers and Fries, and L’Occitane, were asking applicants about their criminal histories on initial job applications. The agreements entered into by the four national employers require the employers to take steps to comply with the law and pay $5,000, and the warning letters sent to the other employers require them to immediately take steps to comply with the law.
Vermont Adds Crime Victims to its List of Protected Classes with New Law
The categories of individuals protected under Vermont’s anti-discrimination statute (21 V.S.A. § 495) has been expanded to include crime victims. H.B. 711 (https://legislature.vermont.gov/assets/Documents/2018/Docs/ACTS/ACT184/ACT184%20As%20Enacted.pdf) signed by Governor Phil Scott on May 28, 2018, adds crime victims to the list of protected classes in the state’s Fair Employment Practices Act, making retaliation and discrimination against these individuals unlawful. The new law also requires employers to provide an employee who is a crime victim with unpaid leave to attend related legal proceedings. The law goes into effect on July 1, 2018.
The statute defines “crime victim” as any of the following:
- A person who has obtained a relief from an abuse order issued under 15 V.S.A. § 1103 (a state domestic relations abuse prevention law);
- A person who has obtained an order against stalking or sexual assault issued under 12 V.S.A. chapter 178;
- A person who has obtained an order against abuse of a vulnerable adult issued under 33 V.S.A. chapter 69; or
- (i) A victim as defined in 13 V.S.A. § 5301, provided that the victim is identified as a crime victim in an affidavit filed by a law enforcement official with a prosecuting attorney of competent state or federal jurisdiction; and (ii) shall include the victim’s child, foster child, parent, spouse, stepchild or ward of the victim who lives with the victim, or a parent of the victim’s spouse, provided that the individual is not identified in the affidavit as the defendant.
In addition, the new law carves out circumstances upon which “crime victims” are allowed to take unpaid leave from employment. These circumstances (listed in 21 V.S.A. § 472c) include allowing the employee to attend:3
- A deposition or other court proceeding relating to a criminal proceeding where the employee is a “victim” and the employee has a right or obligation to appear at the proceeding;
- A relief from abuse hearing pursuant to 15 V.S.A. § 1103 when the employee seeks relief as the plaintiff;
- A hearing concerning an order against stalking or sexual assault when the employee seeks relief as the plaintiff; or
- A hearing seeking relief from abuse, neglect, or exploitation when the employee seeks relief as the plaintiff.
The statute allows the employee to use accrued sick, vacation, or any other accrued paid leave in lieu of taking unpaid leave. Further, the law states that employment benefits for the duration of the leave must be provided to the employee at the same level of coverage that would be provided if the employee were continuing employment. Upon returning from the leave, the law mandates that the employee maintain the same job with the same level of compensation, benefits, and all other terms and conditions of employment. The statute does not apply if the employee was told, prior to his or her leave, that he or she was going to be terminated from her employment, or if the employer can prove, by clear and convincing evidence, that the employee would have been terminated during the same time frame as his or her leave. Any aggrieved person may bring a court action seeking compensatory and punitive damages or equitable relief, including reasonable attorney’s fees.
Maine Legislature Overrides Governor’s Veto of Recreational Marijuana Law
On November 8, 2016, Maine voters approved “Question 1 – An Act to Legalize Marijuana,” and joined a handful of other states, including California, to have legalized the recreational use, retail sale and taxation of marijuana. The voter-approved law would have allowed persons 21 years of age or older to use or possess up to 2½ ounces of marijuana, consume marijuana in nonpublic places (including a private residence), and grow, at the person’s residence, up to 6 flowering marijuana plants (and up to 12 immature plants). It also would have legalized the purchase of marijuana or marijuana seedlings or plants from retail marijuana stores and cultivation facilities. The law was to become fully effective on January 30, 2017. However, on January 27, 2017, the legislature approved a moratorium on implementing parts of the law regarding retail sales and taxation until at least February 2018, giving time to resolve issues and promulgate rules. However, on November 3, 2017, Governor Paul R. LePage vetoed legislation designed to set up a retail market for cannabis. On November 6, 2017, the Maine legislature sustained the Governor’s veto. These events did not impact the anti-discrimination portion of the voter-approved law. Effective February 1, 2018, Maine became the first state in the nation to protect employees and applicants from adverse employment action based on their use of off-duty and off-site marijuana. It effectively meant that Maine employers could no longer test job applicants for marijuana, and according to the Maine Department of Labor (DOL), for purposes of a reasonable suspicion drug test, an employee’s positive drug test, by itself, would not be sufficient to prove that the employee is “under the influence” of marijuana.
What once seemed so clear now seems hazy because the Maine Legislature and Governor had more to say about recreational marijuana. On April 27, 2018, the Governor again vetoed implementing legislation, but this time, on May 2, 2018, the Maine Legislature overrode the Governor’s second veto and passed LD 1719, “An Act to Implement a Regulatory Structure for Adult Use Marijuana.” The Act is effective immediately. Importantly for employers is that the Act removed the provision in Question 1 that protected applicants and employees from their off-duty and off-site use of marijuana. Instead, the employment provisions in the Maine recreational marijuana law state that an employer:
- Is not required to permit or accommodate the use, consumption, possession, trade, display, transportation, sale or cultivation of marijuana or marijuana products in the workplace;
- May enact and enforce workplace policies restricting the use of marijuana and marijuana products by employees in the workplace or while otherwise engaged in activities within the course and scope of employment; and
- May discipline workers who are under the influence of marijuana in the workplace or while otherwise engaged in activities within the course and scope of employment in accordance with the employer’s workplace policies regarding the use of marijuana and marijuana products by employees.
So, can employers take action against off-duty and off-site marijuana use or not? Arguments can be made both ways. On the one hand, that the Maine Legislature removed this provision from the voter-approved law suggests the Legislature sought to grant employers the right to take action against applicants and employees for their lawful use of marijuana, even if not during working time or on the employer’s premises. On the other hand, all of the provisions that delineate what employers can do when it comes to recreational marijuana focus solely on on-duty and on-premises use and provide no guidance to employers as to what, if anything, they can do about off-duty and off-site use. Moreover, does the focus on on-duty and on-premises use, neither of which apply to job applicants, mean that employers cannot test applicants for marijuana? It remains to be seen whether the Maine DOL will clarify these ambiguities. As a reminder, Maine employers may drug test applicants and employees only if they have a written drug testing policy that has been approved by the Maine DOL. Maine employers that do have a state-approved workplace drug-testing policy should consider modifications to their existing policy and also continue to be mindful of the state’s medical marijuana law. In addition, before taking action against any employee for a positive test result for marijuana where there is no evidence of use or impairment at work, employers should consider consulting with employment counsel experienced in this evolving area of the law.
Vermont Attorney General Releases “Marijuana in the Workplace” Guidance
On June 14, 2018, the Vermont Attorney General released its “Guide to Vermont’s Laws on Marijuana in the Workplace,” which can be found here. The Guide is aimed at assisting Vermont employers in navigating the state’s new recreational marijuana law, although it also addresses the state’s medical marijuana law, disability discrimination law, and drug testing law. Effective July 1, 2018, adults age 21 or older who possess one ounce or fewer of marijuana or five grams or fewer of hashish and two (or fewer) mature marijuana plants or four (or fewer) immature marijuana plants will not be penalized or sanctioned in any manner by the State. The law is silent, however, about creating a state market for recreational marijuana. In Governor Scott’s statement about the new law, he noted that “marijuana remains a controlled substance in Vermont and its sale is prohibited.” Although the state will not have a commercial system in place when legalization goes into effect in July, the state will utilize a commission to research the viability of a tax-and-regulate system. The law makes it unlawful for those under 21 years of age to possess any marijuana or plants and does not allow for the consumption of marijuana in public places or by operators and passengers of motor vehicles. Schools, municipalities and landlords retain the right to adopt policies and ordinances that further restrict the cultivation and use of marijuana. With respect to employers, the law expressly states, and the Guide reiterates, that the law should not be construed to do any of the following:
- require an employer to permit or accommodate the use, consumption, possession, transfer, display, transportation, sale or growing of marijuana in the workplace;
- prevent an employer from adopting a policy that prohibits the use of marijuana in the workplace;
- create a cause of action against an employer that discharges an employee for violating a policy that restricts or prohibits the use of marijuana by employees; or
- prevent an employer from prohibiting or otherwise regulating the use, consumption, possession, transfer, display, transportation, sale or growing of marijuana on the employer’s premises.
The Guide addresses the conflict between the federal Controlled Substances Act, which classifies marijuana as a Schedule I drug and, thus, illegal under federal law, and Vermont’s marijuana laws. According to the Guide, Vermont law “only removes the possibility that individuals in Vermont would be prosecuted under state law for certain, minor recreational cultivation and use,” but “does not remove the possibility someone might nonetheless be prosecuted under federal law.” With respect to medical marijuana, which has been legal in Vermont for several years, the Guide notes that while employers can “ban marijuana in the workplace and prohibit all employees from working while under the influence of marijuana,” employers may have a duty to accommodate medical marijuana users under Vermont’s Fair Employment Practices Act. The Guide goes on to remind employers of their general obligation to consider reasonable accommodations for employees suffering from drug and alcohol addiction, if the addiction qualifies as a disability under federal and state law and provides an overview of Vermont’s drug testing law.
Vermont employers should consider (1) making clear that marijuana is still illegal under federal law and, thus, is considered an illegal drug under any applicable drug-free workplace policy, (2) taking steps to minimize the risks of negligent actions and safety concerns that may be caused by marijuana use, (3) understanding best practices for navigating federal and state disability discrimination laws for employees using medical marijuana or struggling with other substance abuse addictions, and (4) having conversations with drug testing vendors to determine how positive marijuana tests will be handled and reported where medical marijuana is approved. Vermont employers also should consider reviewing their drug and alcohol testing policy to ensure it complies with state requirements.
North Carolina Legislature Expands Opportunities for Employment of Persons with Criminal Records; Shields Employers from Negligence Claims
North Carolina Governor Roy Cooper recently signed House Bill (HB) 774, which will broaden the situations in which individuals convicted of certain crimes may petition for a “certificate of relief.” HB 774 will help reduce the risks employers may face when hiring persons with criminal convictions. The General Assembly of North Carolina unanimously passed the legislation to expand certificates of relief on June 15, 2018, and the governor signed the bill into law on June 25, 2018. First recognized in North Carolina in 2011, a certificate of relief is a court order that offers relief from the collateral consequences of a criminal conviction, such as a penalty, disability, or disqualification (for example, a bar on obtaining an occupational license). A certificate of relief may be considered a signal to the public, employers, and other government agencies that its recipient may deserve serious consideration (as an applicant, for example) despite a criminal past. However, the certificate is not an expungement or a pardon. HB 774 expands the availability of the certificates to individuals who have been convicted of “no more than three Class H or I felonies and any misdemeanors.” The new law also allows multiple convictions of a Class H or I felony “in the same session of court” to be treated as only one felony conviction for purposes of receiving a certificate of relief. North Carolina’s legislation is part of a national trend, as 14 or more states have begun implementing employment practices to assist persons with criminal records. Significantly, the law insulates employers from liability from most employment-related negligence claims when hiring or retaining a person with a certificate of relief, but only if the employer “relied on” the certificate of relief in hiring or retaining the person. Employers taking advantage of this protection may want to document their reliance on the certificate and maintain a copy of the certificate in the employee’s file. The law also requires an employee hired as a result of the certificate to notify the employer within 10 days of any new conviction or if the certificate is modified or revoked. HB 774 will be another step towards mutually beneficial solutions for employers and individuals seeking to reverse collateral consequences from criminal convictions. The act becomes effective December 1, 2018 and applies to petitions filed on or after that date.
NYDFS Credit Reporting Legislation
On June 26th, New York Governor Andrew Cuomo announced that the Department of Financial Services (DFS) issued a final regulation requiring consumer credit reporting agencies (CCRAs) to comply with the state’s cybersecurity regulation beginning November 1st, which is intended to protected consumers from data breaches. Under the regulation:
- CCRAs that reported on 1,000 or more New York consumers in the preceding year must register annually with DFS beginning on or before September 1st, 2018, and each year after;
- The DFS Superintendent may refuse to renew a CCRA’s registration if the Superintendent finds that the applicant or any member, principal, officer, or director of the applicant failed to comply with the regulation, among other provisions;
- CCRAs are subject to examinations by DFS as often as the Superintendent determines is necessary, and prohibits agencies from engaging in certain activities, including unfair, deceptive or predatory acts or practices; and
- CCRAs must implement a cybersecurity program to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry
New Arizona Laws Address Data Breaches and Hiring Ex-Offenders
Arizona Governor Doug Ducey recently signed HB 2154 and HB 2311 into law, both taking effect on July 21, 2018. HB 2154 provides employers with additional guidance and updated notice procedures in the event of a data security system breach, and HB 2311 bolsters limited liability protections for employers when hiring employees or contracting with independent contractors previously convicted of criminal offenses.
Data Security Breaches
HB 2154 strengthens Arizona’s data breach consumer protection statutes1 by implementing increased employer notification requirements for victims of data and security system breaches. The new legislation also defines “personal information” more expansively and will include e-mail addresses in combination with passwords or security questions and answers allowing access to “online-accounts.” Protected personal information includes other data such as: Social Security numbers, driver’s license or passport numbers, pin numbers, bank account/credit/debit card numbers, health insurance and other medical information, tax payer IDs, and even unique biometric data generated from human body characteristics (facial recognition, thumb or fingerprint access, voice recognition, or eye and palm scanners).
The law requires Arizona employers that become aware of a “security incident” to conduct a prompt investigation to determine whether a security system breach has occurred. If the investigation determines a breach has occurred, businesses will now be required to notify all affected individuals within 45 days after discovery. Specifically, the law clarifies the notification requirements and acceptable forms of notice. Notice must include: (1) approximate breach date; (2) information exposed by the breach; (3) toll-free numbers of the three largest nationwide consumer reporting agencies; and (4) numbers and addresses for the Federal Trade Commission and agencies assisting consumers with identity theft. Notifications must be communicated by either e-mail, direct telephone call (no prerecorded messages), or substitute notice if the employer demonstrates it meets the minimum qualifications to notify affected consumers in an alternative format. If the breach requires notification of more than 1,000 individuals, the employer must directly notify the three largest nationwide consumer credit reporting agencies and the state attorney general. Employers are encouraged to take proactive steps in securing consumer information because knowing and willful violations of this legislation are unlawful and include civil penalties-with amounts not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss sustained by the affected individuals, with the maximum penalty not exceeding $500,000. There is no private cause of action; the law is enforced solely by the Arizona attorney general.
Limited Liability for Hiring Ex-Criminal Offenders
Employers are often hesitant to contract, interview, or hire workers with criminal records. This hesitation stems at least in part from the increased risks and liability associated with possible negligent hiring claims. New Arizona legislation, HB 2311,2 has the social goal of expanding job opportunities for non-violent offenders, while shielding employers from certain lawsuits. The law prohibits introducing evidence of an employee’s or independent contractor’s criminal offenses and/or convictions prior to the date of hire or engagement in negligent hiring cases. The legislation’s definition of “criminal offense” does not cover all past crimes. “Criminal offense” is defined as “any criminal offense except violent offenses and sexual offenses.” The broadest categories of coverage will be for non-violent or aggravated theft or the possession and sale of illegal drugs. Notably, the liability limitations do not preclude potential lawsuits alleging negligent supervision. Furthermore, liability will not be precluded in situations where the employee/independent contractor was convicted of a criminal offense when the conviction is directly related to the nature of the work and the conduct giving rise to the action if the employer knows of the conviction or acted in a grossly negligent manner in not knowing of the conviction. Likewise, the following examples are specifically precluded from the employer’s limitations on liability:
- Misuse of monies or property by the employee/contractor if the employee/contractor has previously been convicted for an offense encompassing fraud or the misuse of monies prior to being hired or contracted, and it was foreseeable that the position would involve fiduciary responsibilities.
- Misappropriation of monies by an employee/contractor who was hired or contracted as an attorney, if the employee/contractor had prior convictions associated with fraud, the misuse of monies, or properties prior to being hired or contracted.
- Violent offenses or improper use of excessive force by an employee/contractor hired as a law enforcement officer or security guard.
Because both new laws take effect in a little over a month, employers should consider reviewing and revising their data security breach and hiring policies now.
St. Louis County Enacts “Ban-the-Box” Law for Government Positions
On June 11, St. Louis County officials signed an executive order, effective immediately, that would “ban the box” and ensure that St. Louis County will no longer ask job applicants for criminal histories in their initial employment applications. Other jurisdictions in Missouri with ban-the-box laws include Jackson County, Columbia, and Kansas City. “A parolee’s failure to find full-time employment becomes, quite frankly, a serious public safety issue for every county resident,” St. Louis County Executive Steve Stenger told the St. Louis Post-Dispatch. “Without a decent job, ex-prisoners are far more likely to struggle with substance abuse. And they are far more likely to engage in criminal activity.”
The executive order provides that “employment decisions will not be based on the criminal history of a job applicant unless demonstrably job-related and consistent with business necessity, or unless state or federal law prohibits hiring an applicant with certain convictions for a particular position.” Currently, more than 150 cities and counties nationwide as well as 32 states have passed ban-the-box legislation that delays questions about criminal records of job applicants until later in the hiring process. Eleven of those states have required the removal of criminal history questions from job applications for private employers.
Colorado Enacts Data Security Legislation
On May 29th, Colorado enacted H.B. 1128, which updates the state’s data breach notification law and goes into effect on September 1st, 2018. Key provisions include:
- An expansion of the definition of personal information that would require a breach notification in the event of data breach, including an individual’s “(1) student, military, or passport identification number; (2) medical information; (3) health insurance identification number; (4) biometric data; and (5) a username or email address, in combination with a password or security questions and answers, that would permit access to an online account;”
- A requirement that companies notify individuals impacted by a data breach no later than 30 days “after the date of determination that a security breach occurred.” In addition, in instances in which federal and state law conflict the legislation states that “the law or regulation with the shortest time frame for notice to the individual controls;” and
- A new requirement that a person who “maintains, owns, or licenses personal identifying information of an individual” living in Colorado implement reasonable security procedures and practices.
The following legislation was recently enacted by states:
- Connecticut enacted S.B. 472 prohibiting consumer reporting agencies from charging consumers a fee to place or remove a security freeze from the consumer’s account and requiring them to increase the amount of identity theft prevention or mitigation services provided after a data breach. https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&which_year=2018&bill_num=472
- Illinois enacted H.B. 4095 prohibiting consumer reporting http://www.ilga.gov/legislation/BillStatus.asp?DocNum=4095&GAID=14&DocTypeID=HB&LegId=107863&SessionID=91&GA=100
Canada – PIPEDA: How to Obtain “Meaningful” Consent, and When Consent is Not Enough
On May 24, 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released its finalized consent guidelines, as well as guidance on certain “no-go zones” under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA provides that the “knowledge and consent” of an individual are required for the collection, use, or disclosure (collectively “Processing”) of his/her personal information, and also that “consent is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.” https://mcmillan.ca/PIPEDA-How-to-Obtain-Meaningful-Consent-and-When-Consent-is-Not-Enough