Legislation

NYC Commission issues legal enforcement guidance on employment credit checks

The New York City Commission recently issued interpretive legal enforcement guidance clarifying some of the exemptions in the City’s Stop Credit Discrimination in Employment Act (“SCDEA”), as well as recordkeeping requirements and penalties.

As we reported previously, effective September 3, 2015, the SCDEA amends the New York City Human Rights Law (the “NYCHRL”) to make requesting and using consumer credit history for hiring and other employment purposes, with certain exceptions, an unlawful discriminatory practice.

The SCDEA defines “consumer credit history” as an individual’s “credit worthiness, credit standing, credit capacity, or payment history, as indicated by: (a) a consumer credit report; (b) credit score; or (c) information an employer obtains directly from the individual regarding details about (1) credit accounts, including the individual’s number of credit accounts, late or missed payments, charged-off debts, items in collections, credit limit, prior credit report inquiries, or (2) bankruptcies, judgments or liens.”

It remains unclear whether the law bans only inquiries, but not public record searches, for bankruptcies, judgments or liens. Under the SCDEA, a consumer credit report includes “any written or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.” Given the broad scope of “any written or other communication of any information by a consumer reporting agency,” caution should be taken regarding these searches, even when they are conducted for civil litigation, because such public records may reveal credit-related information that New York City employers are prohibited from using.

While the SCDEA generally establishes eight categories of exemptions, some of which are self-explanatory (such as the exemption for individuals required to be bonded under city, state, or federal law), there has been much speculation as to the scope of others. In its FAQs, the guidance specifically provides that the exemptions do not cover most low-level employees including, but not limited to, bank tellers, cashiers, salespeople, clerical workers, administrative staff, restaurant/bar workers, and private security employees.

Interpretation about non-clerical positions having regular access to trade secrets is also included in the guidance. The SCDEA defines “trade secrets” as “information that: (a) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use; (b) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy; and (c) can reasonably be said to be the end product of significant innovation.”

The SCDEA limits the trade secret definition to exclude “general proprietary company information such as handbooks and policies” and “access to or the use of client, customer, or mailing lists.” Consistent with this definition and the broad scope of the NYCHRL, “trade secrets” do not include information such as recipes, formulas, customer lists, processes, and other information regularly collected in the course of business or regularly used by entry-level and non-salaried employees and supervisors or managers of such employees.

The guidance emphasizes that all exemptions to coverage under the SCDEA’s anti-discrimination provisions are to be construed narrowly. Employers may claim an exemption to defend against liability, but they have the burden of proving the exemption by a preponderance of the evidence. No exemption applies to an entire employer or industry; exemptions apply only to positions or roles, and not to individual applicants or employees. The law does permit employers to request credit information in response to any lawful subpoena, court order, or law enforcement investigation.

An employer claiming an exemption must show that the position or role falls under one of the eight general position categories referenced previously. Employers availing themselves of the exemptions should inform applicants or employees of the claimed exemption, and should also keep a record of their use of such exemptions for a period of five years from the date an exemption is used. Keeping an exemption log will help the employer respond to the Commission’s requests for information.

The guidance sets forth civil penalties for violations of the law (up to $250,000 for willful, wanton, or malicious violations, and up to $125,000 for other violations) in addition to other remedies available under the NYCHRL.

Read the SCDEA, N.Y.C. Admin. Code §§ 8-102(29), 8-107(9)(d), (24); Local Law No. 37 (2015)

Access the interpretive guidance, FAQs and other information about the credit check law here.


New law limits credit checks for New York City employers

New York City has joined the growing list of jurisdictions placing limits on employment credit checks. On April 16, the City Council overwhelmingly voted in favor of a bill prohibiting the use of credit checks in most employment situations. Mayor Bill de Blasio signed the legislation on May 6, amending the city’s Human Rights Law to make the use of credit history for hiring and other employment purposes, with certain exceptions, an unlawful discriminatory practice. Set to take effect on September 3, 2015, the law will have a sizable impact on employers in New York City. A review of current policies and procedures to determine whether any exceptions apply is key, while employers with a statewide presence should consider whether to continue credit checks in other locations where they remain legal.

As defined by the law, “consumer credit history” means an individual’s credit worthiness, credit standing, credit capacity, or payment history, as indicated by: (a) a consumer credit report; (b) credit score; or (c) information an employer obtains directly from the individual regarding (1) details about credit accounts, including the individual’s number of credit accounts, late or missed payments, charged-off debts, items in collections, credit limit, prior credit report inquiries, or (2) bankruptcies, judgments or liens. The law further provides that “a consumer credit report shall include any written or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.”

Importantly, employers are prohibited not just from the request or use of credit history for applicants, but also from using credit history as a factor in employment decisions for current employees in “compensation, or the terms, conditions or privileges of employment.”

When initially introduced, the proposal featured no exceptions to the ban on credit checks. But over the course of the past year, limited exceptions were added to the bill. As enacted, the legislation permits the use of credit checks for prospective employees of broker-dealers who must register with the Financial Industry Regulatory Authority (FINRA) as well as for police officers and other public officials in a position involving a “high degree of public trust.” Additional exceptions allow a review of credit history when required by state or federal law or regulations; for positions when an employee must possess a security clearance or has “regular access” to intelligence or national security information; for non-clerical positions with access to “trade secrets;” for computer security positions when the employee’s duties include the ability to modify digital security systems; and for employees with signing authority over third-party funds or assets greater than $10,000 or fiduciary responsibility to an employer with the authority to enter into financial agreements of $10,000 or more.

The law permits individuals to file a complaint of discrimination with the New York City Commission on Human Rights within a one-year period or a complaint in court, with a three-year statute of limitations. Remedies include back pay, reinstatement, compensatory and punitive damages, and attorney’s fees and costs.

New York City joins 12 other jurisdictions that have prohibited credit checks in employment-related decisions, including the city of Chicago as well as California, Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington.

Read the New York City legislation here.

No number, no lawsuit

Tossing a lawsuit alleging religious discrimination, the Sixth U.S. Circuit Court of Appeals found that an applicant could not sue after refusing to provide his Social Security number to a prospective employer. The plaintiff, an applicant for a position with an energy company, claimed that he had no number because he “disclaimed and disavowed it” on account of his sincerely held religious beliefs.

The company’s refusal to hire the plaintiff violated Title VII and Ohio state law, the complaint charged, requesting both injunctive relief in the form of a job and monetary damages. A federal district court judge dismissed the lawsuit, and the federal appellate panel affirmed.

Courts considering the issue apply a two-step analysis, the Sixth Circuit explained. First, the court determines whether the plaintiff established a “prima facie case of religious discrimination,” which requires proof that the plaintiff “(1) holds a sincere religious belief that conflicts with an employment requirement; (2) has informed the employer about the conflicts; and (3) was discharged or disciplined for failing to comply with the conflicting employment requirement.” If the plaintiff manages to establish a prima facie case, the burden shifts to the employer to show it could not “reasonably accommodate” the religious beliefs without “undue hardship.”

This suit failed under the first step, the panel said, because the Internal Revenue Code mandates that employers collect and provide the Social Security numbers of their employees. Because the company’s collection of the plaintiff’s number was a “requirement imposed by law” and not an “employment requirement,” the court had no need to consider the sincerity of the plaintiff’s beliefs.

The panel also noted that every other federal appellate court to consider the issue has concluded “that Title VII does not require an employer to reasonably accommodate an employee’s religious beliefs if such accommodation would violate a federal statute,” citing decisions from the Fourth, Eighth, Ninth, and Tenth Circuits, as well as federal district courts in Michigan and Virginia.

All of the courts have arrived “at the same, sensible conclusion: ‘[A]n employer is not liable under Title VII when accommodating an employee’s religious beliefs would require the employer to violate federal … law,’” the Sixth Circuit wrote. “This conclusion is consistent with Title VII’s text, which says nothing that might license an employer to disregard other federal statutes in the name of reasonably accommodating an employee’s religious practices.”

For employers, the decision provides even greater peace of mind. With five federal appellate courts in agreement that a religious discrimination claim will not stand against an employer that complies with federal requirements to collect an applicant’s Social Security number, companies do not have to worry about the merits of a Title VII lawsuit under such circumstances.

Read the opinion.

Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements. Compliance Bulletin 2015-01, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up to speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the thornier agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act”.

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Data Notification Act would establish nationwide, uniform data breach notification rules that would preempt the existing collection of 47 different state laws. Criminal penalties for hackers would also be strengthened and companies would be required to notify consumers of a breach within 30 days.

Broader than prior proposals of federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data, like an individual’s first and last name or initial and last name in combination with two other items like a home address or telephone number, birthdate, or mother’s maiden name, a Social Security number by itself, and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. Safe harbor is also provided for companies that conduct a “risk assessment” that determines the data breach did not result in – and will not result in – harm to affected individuals. The business must notify the FTC of its “risk assessment” results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about the Personal Data Notification & Protection Act.

California expands privacy protections for state residents

A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.

A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.

Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.

Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release [not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.”

The law’s scope reaches well beyond the borders of California, as it applies to businesses that maintain any personal information about a state resident. Companies would be well advised to familiarize themselves with the new requirements.

To read AB 1710, click here.

New York City’s new bill would restrict using credit reports for employment decisions

Last month, the New York City Council’s Committee on Civil Rights held a hearing on a bill that would amend the city’s administrative code, prohibiting employers from using consumer credit reports for personnel decisions. Although the hearing ended without a disposition, it is expected that this bill will pass in some form in the near future. The Committee is holding a separate hearing in December on a bill that would prohibit employment discrimination based on an applicant’s or employee’s criminal history.

Congress proposes bill that protects regulated employers’ background checks

While the Equal Employment Opportunity Commission (the “EEOC”) is continuing its challenge of employers’ use of criminal history and credit report information in personnel decisions, and new “ban-the-box” laws are rapidly gaining momentum, on September 9, 2014, Congress proposed legislation that protects certain regulated employers from EEOC, state agency and private actions when they strive to comply with the screening laws that are particular to their industries. The Certainty in Enforcement Act of 2014 would amend Section 703 of the Civil Rights Act of 1964 (42 U.S.C. 2000e-2), and cover employers that include those engaged in “health care, childcare, in-home services, policing, security, education, finance, employee benefits, and fiduciary duties.”

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.

District of Columbia joins ban-the-box movement

On August 22, 2014, the District of Columbia’s mayor signed new legislation titled the Fair Criminal Record Screening Amendment Act of 2014 that prohibits most employers in DC from both inquiring about criminal history information during the application process and obtaining a criminal background check until after a conditional offer of employment is made to the applicant. The law, which imposes a host of other restrictions and requirements on using criminal record information for personnel decisions, will take effect following a 30-day period of Congressional review as provided in the District of Columbia Home Rule Act and publication in the District of Columbia Register.
