California’s overlapping background check laws

For many years, employers have struggled with California’s overlapping statutes governing the use of background checks. Now, the state’s highest court has weighed in, ruling that compliance with the requirements of both laws is mandatory, even where the laws overlap.

A little history is necessary to understand the situation. In 1970, Congress passed the Fair Credit Reporting Act (FCRA). The law defined the term “consumer report” to include an individual’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” The FCRA distinguished between consumer reports that contained information obtained by personal interviews and consumer reports gathered by other means.

The California legislature responded with two state analogues in 1975: the Investigative Consumer Reporting Agencies Act (ICRAA) and the Consumer Credit Reporting Agencies Act (CCRAA). Modeled on the FCRA, the statutes had similar purposes and were intended to serve complementary goals.

As originally enacted, the ICRAA applied to consumer reports that included character information obtained only through personal interviews. It defined an “investigative consumer report” as one “in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through any means.” The statute requires that the person procuring the report provide the consumer a “clear and conspicuous disclosure in writing” and that the consumer in turn provide a written authorization for the report’s procurement.

Lawmakers took a slightly different approach with CCRAA, which defined a “consumer credit report” as “any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, or credit capacity, which is used or is expected to be used … for … employment purposes.” The definition excluded “any report containing information solely on a consumer’s character, general reputation, personal characteristics, or mode of living which is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on, or others with whom he is acquainted or who may have knowledge concerning any such items of information.”

In 1998, the California legislature amended ICRAA to eliminate the personal interview limitation and expand the statute’s scope to include character information obtained under CCRAA or “obtained through any means.”

Since then, CCRAA continues to govern consumer reports that include character information obtained from a source other than personal interviews, as long as those reports contain information “bearing on a consumer’s credit worthiness, credit standing, or credit capacity.”

What does all this mean for employers? And how did the California Supreme Court get involved?

The two statutes came to the attention of the court when a group of current and former school bus drivers filed suit against their employers, First Student and First Transit, as well as the investigative consumer reporting agency (ICRA) that conducted background checks on the drivers. Eileen Connor led the class action.

After First Student acquired the company where Connor worked as a driver, it requested that the ICRA run background checks to confirm that Connor and the other workers were properly qualified to perform their job duties. The background reports elicited information about the employees’ criminal records, sex offender registries, address history, driving records and employment history.

Prior to conducting the background checks, First Student sent Connor a “Safety Packet” booklet. The booklet included an “Investigative Consumer Report Disclosure and Release” that provided authorization for the ICRA to prepare a consumer report or investigative consumer report. The notice included a checkbox that generally described Connor’s rights under ICRAA, informed her that she could check the box if she wanted to receive a copy of the report and released First Student from all claims and damages arising out of or relating to its background investigation if the box was checked.

Connor filed suit, arguing that the notice failed to satisfy ICRAA’s specific requirements and that First Student neglected to obtain her written authorization to conduct the background check, as required by ICRAA.

First Student asked the court to dismiss the suit, arguing that ICRAA is unconstitutionally vague as applied to the lawsuit because it overlaps with CCRAA and that the notice satisfied CCRAA.

The California Supreme Court found that while the statutes overlap to some degree, achieving compliance with both did not render ICRAA unconstitutional. The two statutes were not intended to be exclusive of each other, the court said, and potential employers can comply with both statutes without undermining the purpose of either.

“If an employer seeks a consumer’s credit records exclusively, then the employer need only comply with CCRAA,” the court explained. “An employer seeking other information that is obtained by any means must comply with ICRAA. In the event that any other information revealed in an ICRAA background check contains a subject’s credit information and the two statutes thus overlap, a regulated party is expected to know and follow the requirements of both statutes, even if that requires greater formality in obtaining a consumer’s credit records.”

First Student complained that because the ICRAA and CCRAA cover the same subject matter, it was unclear which statute applied in the context of employment background checks. But the court disagreed. Connor’s report, for example, fell within the scope of both statutes and “such a duality does not make legal compliance particularly difficult, must less impossible,” the court said.

“Any partial overlap between the statutes does not render one superfluous or unconstitutionally vague,” the court wrote. “They can coexist because both acts are sufficiently clear and each act regulates information that the other does not.”

The California Supreme Court opinion was a loss for First Student and the ICRA, as the court found the defendants had no excuse for not complying with both statutes. For employers more generally, the decision sends an important message: compliance with the requirements of both ICRAA and CCRAA is mandatory, even where the two statutes overlap.

October 1st, 2018|Employment Decisions, Legislation|

Amendment to San Francisco’s Fair Chance Ordinance goes into effect October 1, 2018

In April 2018, the San Francisco Board of Supervisors passed an amendment to the Fair Chance Ordinance (FCO), which takes effect on October 1, 2018. The full text of the amendment can be found here.

The FCO notice/poster has also been updated and can be accessed here. Employers must provide this notice to applicants and employees prior to conducting a criminal background check, and post it in English, Spanish, Chinese, and any other language is spoken by at least 5% of the employees at the workplace or job site.

September 28th, 2018|Employment Decisions|

New FCRA Summary of Rights

Effective September 21, 2018, section 605A(i) of the Fair Credit Reporting Act (FCRA), added by the Economic Growth, Regulatory Relief, and Consumer Protection Act requires that a new notice (which explains consumer rights about placing fraud alerts and credit freezes with nationwide consumer reporting agencies (NCRAs)) be included whenever a consumer is required to receive a summary of rights under FCRA’s section 609. Although the new notice requirement is aimed at NCRAs and potentially consumer reporting agencies, the Consumer Financial Protection Bureau published a revised “FCRA Summary of Rights” form on September 13, 2018 (which includes the new notice and updates certain contact information) and the conservative approach for employers is to use the new form also.

The new version of the “FCRA Summary of Rights” form can be accessed HERE.

September 18th, 2018|Employment Decisions|

When employment meets antitrust

Can employers be criminally liable for antitrust violations? According to the Department of Justice (DOJ), the answer is yes.

Violations of antitrust law in the employment context have made headlines in recent years, as the government has cracked down on “no-poach” and “salary-fixing” agreements between companies. Taking the issue increasingly seriously, the DOJ issued guidance promising to bring criminal charges against employers for such illegal conduct.

First, some background. From an antitrust perspective, greater competition among employers not only helps employees – who can negotiate for higher wages or better benefits between companies – but also benefits consumers more generally. Therefore, Section One of the Sherman Act prohibits employers from expressly or implicitly agreeing not to compete with one another, even for seemingly innocuous and beneficial reasons (like saving money).

Demonstrating the government’s interest in employment antitrust violations, the DOJ filed suit in 2010 against Adobe Systems, Apple, eBay, Google, Intel, Intuit, Lucasfilm, and Pixar, accusing the companies of promising not to recruit each other’s employees. While the cases resulted in consent judgments for the companies involved, the deals didn’t come cheap. Intuit, Lucas Films, and Pixar paid a total of $20 million to settle, while Adobe, Apple, Google, and Intel agreed to a $324 million settlement.

In 2016, the DOJ and the Federal Trade Commission (FTC) – the two federal agencies that share the responsibility to enforce the antitrust laws – released guidance to help employers avoid potential violations of federal law. The overriding message from the agencies: an agreement among competing employers to limit or fix the terms of employment for potential hires may violate the antitrust laws if the agreement constrains individual firm decision making with regard to wages, salaries or benefits, the terms of employment or even job opportunities.

The DOJ also vowed to proceed criminally against naked wage-fixing or no-poach agreements going forward.

“These types of agreements eliminate competition in the same irredeemable way as agreements to fix product prices or allocate consumers, which have traditionally been criminally investigated and prosecuted as hardcore cartel conduct,” the DOJ explained. If an investigation uncovers wage-fixing or no-poaching agreements, the agency “may, in the exercise of prosecutorial discretion, bring criminal, felony charges against the culpable participants in the agreement, including both individuals and companies.”

To avoid facing jail time for an employment crime, businesses need to educate human resources professionals and employees responsible for hiring about the dangers of no-poach and salary-fixing agreements and establish a compliance program to avoid any errors.

Top on the “not to do” list: entering into agreements regarding the terms of employment with companies that compete to hire employees. This prohibition applies to all agreements, whether written or unwritten, spoken or unspoken. Even informal agreements – for example, where individuals at two competing companies agree that employees at a given position should not be paid above a certain amount or a particular range, or the individuals promise each other not to hire or solicit each other’s workers – are illegal.

It is important to remember that the prohibition on salary-fixing extends beyond simply what a worker is paid and includes other benefits as well, from transit subsidies to meals. If one HR professional wants to stop offering increasingly expensive gym memberships to employees and reaches out to other companies to ask that they stop offering gym memberships as well, that would likely violate antitrust law if the companies reached an agreement.

So-called “gentleman’s agreements” with other companies are equally illegal, even if they are unwritten and informal; nor does the use of a third party intermediary insulate an employer from liability under antitrust law, such as a situation where a group of nonprofits hire a consultant who communicates a “pay scale” to all the organizations to establish a wage cap.

Employers should also take care to avoid sharing sensitive information with competitors, which could serve as evidence of an implicit illegal agreement.

Even the mere suggestion of an illegal agreement may constitute an antitrust violation, despite the fact that an agreement is not reached. The FTC filed an enforcement action against an online retailer that emailed a proposal to a competitor that both companies offer their products at the same price. The competitor passed on the invitation and notified the FTC. Even though no agreement was reached, the “invitation to collude” was sufficient for the company to face legal action.

With salary-fixing and no-poach agreements on the government’s radar – and the threat of criminal charges and penalties looming – employers should make an effort to develop antitrust training and compliance programs before a problem arises.

August 25th, 2018|Employment Decisions, Lawsuit|

Reminder to California employers about requirements when taking adverse action based on a criminal record

With the enactment of an updated ban-the-box statute (the Fair Chance Act) on January 1, 2018, employers in California may need a refresher on how to take adverse action based on the criminal record of an applicant.

For those businesses located in Los Angeles, the requirements take on an additional level of complication due to slight differences in the city’s ordinance.

Pursuant to California law, employers with five or more employees must wait until after a conditional offer of employment has been made to ask any questions about a criminal history. This means inquiries about convictions, running a background check or other efforts to find out about an applicant’s criminal past.

As an aside, several types of criminal records are not allowed to be used by employers in the hiring process (including juvenile records, diversions and deferrals, non-felony marijuana convictions that are more than two years old and arrests that did not lead to a conviction).If the employer decides not to hire the applicant, it must conduct an individualized assessment of the conviction at issue to evaluate whether it has a “direct and adverse relationship with the specific duties of the job that justify denying the applicant the position.”

The applicant needs to be notified of the potential for adverse action based on the conviction. Such notice must identify the conviction at issue and include a copy of any background check report; the employer must also provide a deadline for the applicant to submit additional information with regard to the conviction (such as rehabilitation efforts or other mitigating circumstances).

Federal law also kicks in. For those employers that intend to rely in whole or in part on a background check report to take adverse action such as rescinding a conditional job offer, the Fair Credit Reporting Act (FCRA) mandates that applicants be given a pre-adverse action notice, a copy of the report and a notice of rights.

Once the applicant has provided any information and the employer makes a final decision, a second notice is required. This time, the notice should inform the applicant of the final adverse action, explain any procedure in place for the applicant to challenge the decision or request reconsideration and describe the applicant’s right to file a complaint with the state’s Department of Fair Employment and Housing (DFEH). If the FCRA has been triggered by the use of a background check report, the employer must also provide the applicant with an adverse action notice that contains FCRA-required text.

While this process may seem onerous, employers that hire workers in Los Angeles face additional requirements under the city’s Fair Chance Initiative for Hiring Ordinance (FCIHO). The law, which took effect on January 22, 2017, applies to employers with 10 or more workers (defined to include individuals who perform at least two hours of work on average in Los Angeles and are covered by the state’s minimum wage law).

The FCIHO has a narrower definition of a “conditional offer of employment” than that under state law – here, an offer of employment to an applicant “is conditioned only on an assessment of the applicant’s criminal history, if any, and the duties and responsibilities of the employment position.”

Regardless of the source of criminal history, if an employer elects not to hire an applicant, a written assessment that “effectively links the specific aspects of the applicant’s criminal history with risks inherent in the duties of the employment position sought by the applicant” must be performed.

This assessment needs to be provided to the applicant as part of the “fair chance process,” along with any other documentation or information used by the employer as well as a pre-adverse action notice. Again, if a background check report was used, the FCRA requirements apply. The applicant also receives an opportunity to share information the employer should consider before making a final decision, such as evidence of rehabilitation.

After at least five business days, the employer may make a final decision. If the applicant provided additional documentation or information, the employer is obligated to consider it and conduct a written reassessment. If the employer decides to take adverse action against the applicant anyway, the employer must notify the applicant and provide a copy of the reassessment along with the adverse action notice.

June 21st, 2018|Employment Decisions, Legislation|

Reminder to New York City employers about requirements when taking adverse action based on a criminal record

Let’s say you are an employer in New York City with a position to fill. During the hiring process, you learn that an applicant has a criminal conviction. What should you do if you elect not to hire her and want to avoid breaking the law?

The answer is not simple.

In New York State, it is unlawful to deny employment or take an adverse action against an applicant because of a criminal conviction unless a direct relationship exists between the criminal offense(s) and the specific position sought, or the employment of the individual would involve an “unreasonable risk” to property or to the safety and welfare of specific individuals or the general public.

Before an adverse employment decision may be based on a conviction record, Article 23-A of the New York State Correction law provides a list of factors that employers must consider:

  • New York’s stated public policy “to encourage the licensure and employment of those with previous criminal convictions.”
  • The specific duties and responsibilities related to the employment sought or held.
  • The bearing, if any, the criminal offense(s) for which the individual was convicted will have on her fitness or ability to perform one or more of the position’s duties or responsibilities.
  • The time elapsed since the occurrence of the criminal offense(s).
  • The age of the individual at the time of the occurrence of the criminal offense(s).
  • The seriousness of the criminal offense(s).
  • Any information produced by the individual (or on her behalf) addressing rehabilitation and good conduct. Any certificate of relief from disabilities or certificate of good conduct creates a presumption of rehabilitation with regard to the offense specified in the certificate.
  • The legitimate interest of the employer in protecting property and the safety and welfare of specific individuals or the general public.

An employer must apply each of these factors on a case-by-case basis before making an adverse employment decision. If all the factors are properly weighed and an employer makes a reasonable, good faith decision that the criminal offense bears a direct relationship to the job duties or that the applicant’s employment would involve an unreasonable risk to safety and welfare, it is not illegal to deny employment.

New York law does require that if employment is denied because of a conviction record, a statement setting forth the reasons for the denial must be provided upon request of the applicant, in writing and within 30 days.

Another wrinkle for employers who use a third-party to perform a background check: the federal Fair Credit Reporting Act (FCRA). If an employer elects not to hire an employee based in whole or in part on the background check, the statute requires the applicant receive a copy of the background check report, a notice of intent to take adverse action and a notice of rights.

Employers in New York City, however, have additional legislation to contend with. The Fair Chance Act (FCA), enacted in 2015, applies to employers with at least four employees. Covered employers are prohibited from inquiring about a job applicant’s criminal history until after a conditional offer of employment has been extended.

Assuming the offer has been made and an employer has learned of a conviction that proves troubling, the FCA sets forth several requirements for an employer to rescind the offer without running afoul of the statute.

After the factors of Article 23-A have been applied, an employer must follow a “fair chance process.” This involves providing applicants with a copy of their background check report – and if a third party was used to perform the check, the FCRA notice of rights and a notice of intent to take adverse action, per the FCRA – and any other information relied upon in connection with the employment decision, such as Internet searches or written summaries of oral conversations.

In addition, employers must provide an analysis of the Article 23-A factors (the New York City Commission for Human Rights (NYCCHR) provides a Fair Chance Act Notice Form for employers to use)) and the opportunity for the applicant to address the criminal history at issue and present any mitigating information or material prior to the employment offer being revoked.

The prospective position must be held open for at least three business days from the applicant’s receipt of the necessary documentation to allow time for a response. Further, if the employer used a third-party background check company, the FCRA also mandates that applicants receive a reasonable period of time to respond (the Federal Trade Commission has suggested that five business days would be sufficient in most circumstances).

The Notice Form requires employers to evaluate each Article 23-A factor and select which exception – direct relationship or unreasonable risk – it is relying upon, with the burden on the employer (and space provided on the Notice Form) to articulate its conclusion. In addition to the Notice Form, employers that made use of a background check report must provide an applicant with an adverse action notice required by the FCRA.

If an employer rescinds a conditional offer after receiving information about the applicant’s criminal history, the FCA established a rebuttable presumption that the withdrawal was due to criminal history.

To rebut the presumption, an employer must demonstrate that the revocation was due to a permitted reason, such as the results of a medical examination (where an exam is otherwise permitted), material information the employer could not have known before the conditional offer was made and would have kept the employer from making the offer in the first place or evidence that the employer did not have knowledge of the applicant’s criminal history prior to revoking the conditional offer.

Some employers are exempt from the FCA when hiring for certain positions if federal, state or local laws require a criminal background check or prohibit employment based on certain criminal convictions. Companies in the financial services industry or employers hiring police and peace officers, for example, may not be subject to the law’s requirements. Those employers who believe they are exempt must inform an individual upon application and keep a record of their use of the exemption.

June 21st, 2018|Employment Decisions, Legislation|

NOTICE OF UPDATES TO OUR TERMS AND CONDITIONS AGREEMENT, PRIVACY POLICY AND NEW GDPR NOTICE OF RIGHTS

Data privacy is our top priority at Scherzer International (“SI”).  SI has undertaken diligent efforts to ensure our compliance with the GDPR which became effective May 25, 2018.  Here are some of the things that we’ve done:

  • We added a clause about GDPR* compliance setting forth our respective obligations under this regulation to our Terms and Conditions Agreement (the “Agreement”), which now – unless superseded by another agreement – governs SI’s provision of background screening reports (“Reports”). The Agreement can be accessed here and is applicable to all Reports ordered from SI on or after May 25, 2018 (“Effective Date”).
  • We revised our Privacy Policy by adding information about our compliance with the GDPR requirements regarding the processing of personal data of individuals located in the European Economic Area (EEA) covered by the GDPR and made some wording changes for clarity.  Please note that as before, our website does not use cookies or otherwise track any personal data.
  • We posted a “GDPR Notice” on our website, which informs EEA individuals of their rights in connection with their personal data.

There is no need for you to take any action. By continuing to interact with SI and using our services after the Effective Date, you agree to these terms.

Of course, you can opt out at any time, by contacting Joann Gold, Executive Vice President/Chief Compliance Officer, at jgold@scherzer.com.

WE APPRECIATE YOUR BUSINESS!

*“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of the European Union, and the European Commission of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation.

May 25th, 2018|European Union, International, Legislation, Privacy|

The legalities of monitoring employees online

As a general principle, employers are legally permitted to monitor their employees online during business hours. Keeping a close eye on workers can help maintain company confidentiality, limit workers from surfing the web on company time and ensure the prevention of harassment.

But such monitoring does come with caveats, as well as risks.

For example, screening employee email on the employer’s network may be permissible but may require advance notice. In states such as Connecticut and Delaware, laws are in place that require employers to provide prior notice before electronically monitoring employees. A union contract may also place certain limits on monitoring and public-sector employees may have some rights under the Fourth Amendment with regard to unreasonable search and seizure.

Federal law can also come into play. Although the Electronic Communications Privacy Act (ECPA) generally prohibits the monitoring of electronic communications, it contains a “business purpose exception” that permits employers to monitor the electronic communications of workers if the company has a “legitimate business purpose.” The statute also allows monitoring with consent and many companies do this by including such permission as part of the onboarding process for new employees before granting access to the company’s networks or systems.

Another wrinkle: third-party communications. States such as California and Illinois mandate that all parties to a communication provide consent to its interception in transit. For employers, that means providing notice to recipients of employee emails and obtaining their consent before scanning a message from a friend or third party. Many companies post a notice on the company’s website and/or include a statement in employee emails that all messages are subject to monitoring and any response implies consent with the employer’s practices.

Even with all these issues, monitoring emails may be more straightforward than focusing on employee social media accounts. The Stored Communications Act (SCA) addresses the situation of accessing electronic communications stored by a provider (such as Gmail or Microsoft), as distinct from an employer accessing emails on its own system. Under the SCA, employers can be liable for the unauthorized access and disclosure of electronic communications in storage on corporate servers of a provider.

Further, roughly half the states ban employers from either requiring or requesting a worker to verify a personal online account like a Facebook profile, blog or Instagram or to log on to their social media account. While technology is available for employers to get around these laws (using keystroke logging software, for example, or taking screenshots), some of the information being monitored by an employer could itself be protected – such as union organizing activities under the National Labor Relations Act, attorney-client communications or in some states, geolocation data.

Mobile devices add another layer to the analysis. For workers using employer-provided mobile phones or devices, the employer has the right to legally monitor use from contact lists to photos and videos to Internet visits and emails. As for bring-your-own-device (BYOD) situations, the terms are generally dictated by the employer’s BYOD policy, but this is an emerging area of law and therefore murky.

All of these legal considerations are centered in the United States. Companies that operate outside the U.S. borders will have international law to contend with as well, notably the European Union General Data Protection Regulation (GDPR) and regulations found in its member states. As a general matter, EU law and the GDPR offer employees a greater level of privacy than that found in the United States. Last year, the EU’s highest court did rule that companies can monitor employee email – if workers are notified in advance.

Perhaps most importantly, employers should recognize that like all things related to technology, the legalities of monitoring employees online are constantly evolving. Being able to adapt to changing laws, regulation and technology will keep employers on their toes.

May 4th, 2018|Educational Series, Security|

The challenges of employment applications for multi-state employers

One of the hottest trends in employment in recent years has been the passage of “ban-the-box” and salary inquiry prohibitions in states and cities across the country.

Limitations on salary inquiry have popped up in recent years as part of the legislative fight against wage discrimination and the gender pay gap. Proponents of such prohibitions argue that salary history questions feed into the discrepancy between what male and female employees are paid by continuously repeating history.

Currently, California, Delaware, Massachusetts, Oregon and Puerto Rico have banned inquiries about prior salary, as have cities including New Orleans, New York, and Philadelphia, with dozens of other states and local governments considering such measures.

The colloquial term “ban-the-box” refers to a box that applicants check to indicate they have a criminal record on standardized application forms. About 20 states and more than 150 local entities have already enacted legislation addressing inquiries into criminal history. The trend even went federal in 2015 with the Fair Chance Act introduced in Congress. Although the measure did not pass, it demonstrated the popularity of the movement.

The proposed federal legislation also shined a light on the situation facing multistate employers, with different laws in different states and in some situations, different laws in different cities or municipalities within the same state. One law may contain an outright ban on inquiries into salary or criminal history while another may place restrictions on the timing of the questions. Some laws define covered employers to include businesses with five or more, employees; another may not apply its limitations to employers with less than 50 workers.

As an example, although the state already limited employers’ ability to ask job applicants about any juvenile court matters, the California legislature broadened its ban-the-box protections for employees with a new law in 2017. Employers in the state are restricted from making hiring decisions based on an applicant’s convictions records and forbidden from considering conviction history until a conditional offer of employment has been extended.

If an employer elects not to hire an applicant because of a prior conviction, the employer is required to conduct an individualized assessment to determine whether the history has a “direct and adverse relationship” with the job duties that justifies denial of the position. Written notice must be provided to an applicant that his/her conviction history has disqualified the applicant from employment, along with five days to respond and dispute the decision. A second notice must be provided with the final decision not to hire.

In contrast, Vermont’s ban-the-box measure takes a different approach, allowing employers to question applicants about their criminal records during the job interview, albeit providing an applicant with the opportunity to explain their record. And under New York City’s law, an employer commits a per se violation of the statute by using recruiting materials of any kind (including advertisements, solicitations or applications) that express, directly or indirectly, any limitation or specification regarding criminal history.

While the overarching principle remains consistent, the details of the laws vary from jurisdiction to jurisdiction. For multi-state employers, coping with such a patchwork of legal requirements poses a serious challenge.

As the number of state and local jurisdictions with laws addressing salary inquiries or criminal history continues to expand, multi-state employers should brace themselves for a giant compliance puzzle – and consider getting help from an expert.

May 4th, 2018|Employment Decisions, Legislation|

Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – any type of business or organization of any size or legal structure including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.

What can companies do to protect themselves? Click here for a checklist of the most important steps for prevention and what to do if your business becomes a victim.

April 12th, 2018|Criminal Activity, Fraud, Security|