Controversy abounds in employment decisions based on social media searches

In May 2011, the Federal Trade Commission (FTC) ruled that companies providing social media information to employers – and employers who use the reports – must follow the same Fair Credit Reporting Act (FCRA) regulations that apply to more traditional sources. The FTC also stated that postings on any social media site can be saved by on-line background screening companies for up to seven years.

According to the FTC’s letter dated May 9, 2011 to a company that sells information from social networking sites for employment purposes, such a company is considered a Consumer Reporting Agency (CRA) and thus must take reasonable steps to ensure the accuracy of the information obtained from online social networks (as well as other sources) and positively identify it with the subject. It also must comply with other FCRA provisions, such as providing a copy of the report to the subject and maintaining an established protocol if the subject disputes the reported information. As with “traditional” background investigations, employers who use a report prepared by a CRA must certify to the CRA that the report will not be used in violations of federal or state equal employment opportunity laws or regulations. Additionally, both the CRA and the employer have a legal obligation to keep and dispose of the reports securely and properly. (For more information, see the FTC blog, “The Fair Credit Reporting Act & Social Media: What Businesses Should Know.”)

Social media legal experts and various literature point to a multitude of issues and risks faced by both the CRA and the employer who uses social media checks, which include, but are not limited to:

Problems under FCRA section 607(b) in exercising “reasonable procedures to assure maximum possible accuracy” of the information.
Since the information on social media sites is self-reported and can be changed at any time, it is often difficult if not impossible to ascertain that the information is accurate, authentic and belongs to the subject. Online identity theft is not uncommon, as are postings under another person’s name for the purpose of “cyber–slamming” (which refers to online defamation, slander, bullying, harassment, etc.)

Information may be discriminatory to job candidates or employees, or in violation of anti-retaliation laws.
Social sites and postings may reveal protected concerted activity under the National Labor Relations Act (NLRA,) and protected class information under Title VII of the Civil Rights Act and other federal laws, such as race, age, creed, nationality, ancestry, medical condition, disability, marital status, gender, sexual preference, labor union affiliations, certain social interests, or political associations. And while the information may have no impact on the employment decision, the fact that the information was accessed may support claims for discrimination, retaliation or harassment.

Accessing the information may be in violation of the federal Stored Communications Act (SCA).
To the extent that an employer requests or requires an employee’s login or password information, searches of social networking sites may implicate the SCA (18 U.S.C. § 2701) and comparable state laws which prohibit access to stored electronic communications without valid authorization. A California court recently ruled that the SCA also may protect an employee’s private information on social networking sites from discovery in civil litigation.

Assessing the information may violate terms of use agreements and privacy rights.
While certain social media sites have stricter privacy controls than others, most if not all limit the use of their content. The terms of use agreements typically state that the information is for “personal use only” and not for “commercial” purposes. Although the definition of “commercial” in connection with employment purposes is interpretive, most legal experts indicate that employment screening fits that scope.

Information may be subjective and irrelevant to the employment decision.
Blogs, photos and similar postings often do not provide an objective depiction of the subject or predict job performance. The California Labor Code, for example, specifically provides that an employer is prevented from making employment-related decisions based on an employee’s legal off-duty conduct. Employers may use such information only if the off-duty conduct is illegal, if it presents a conflict of interest to the business or if it adversely affects the employee’s ability to do his/her job. And the evidence of such activities must be clear.

The popularity of employment-related background checks that include social media searches is growing rapidly. But the unreliable and unverifiable information from these sources is a potential landmine of legal liabilities.

|Employment Decisions|

Subcommittee approves legislation to protect consumers against data theft

On July 20, 2011, the Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved legislation to protect consumers from cyber attacks and identity theft. The Secure and Fortify Electronic Data Act (H.R. 2577), or SAFE Data Act now moves to the full Energy and Commerce Committee for consideration.

The Act would require all businesses that maintain personal information to implement security programs, which, among other mandates, would include a protocol to notify affected individuals of an information security breach. Preempting over 45 existing state information security and breach notification laws, the Act would task the Federal Trade Commission with developing the security rules.

According to its author, Chairman Bono Mack, the Act will enhance protection of personal information by establishing uniform national standards for data security and data breach notification. The preemption provision also would provide certainty for businesses in addressing information security breaches that now are subject to the multitude of state requirements.

Some legislators and advocates have criticized the proposed law as too narrow, as it would require breach notifications only when an individual’s name, telephone number or credit card number is compromised along with a Social Security number, driver’s license number or other government-issued ID. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, or biometric data alone (without the individuals name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the Safe Data Act.

|Educational Series, Legislation|

Challenges of international background investigations

Many transactions today, whether they involve an employment hiring decision or a new business relationship, are cross-border or have an international component. The need for effective risk management both in the U.S. and abroad has vastly expanded in recent years with the passing of legislation and increased enforcement actions. Behind just about every business decision, there is a widening range of stakeholders — from regulators to shareholders to board members — who expect that the due diligence process will minimize unlawful activities.

International background investigations, which are essential for a comprehensive approach to due diligence, present special challenges since each country has its own laws, customs, and procedures. Language barriers, name variations and transliterations, limited information and technology, broad definitions of crimes, and proliferation of fraudulent educational and accreditation institutions, are just some of the factors that add to the complexity of these investigations.

As a general rule, in most European countries, criminal records are not available to the public. In Asia, public accessibility to most court filings is limited. In South America, public records vary greatly from country to country. South Africa provides some disclosure of police records and warrants to the public, along with civil filings. Canada’s public records availability differs by province, and only a few permit criminal records release. India and Australia have the most searchable records, similar to the U.S.

For employment purposes, the Fair Credit Reporting Act (FCRA) imposes certain obligations for international background screening performed by a U.S. Consumer Reporting Agency (CRA), including mandating reasonable procedures to ensure the accuracy of the information it reports. If a public record such as a criminal conviction is found, the CRA must ascertain that the information is correct, up-to-date, and reported in a way that does not violate data or privacy protection rules.

In 2000, an agreement between the U.S. Department of Commerce and the European Commission established privacy and data protection guidelines, the “Safe Harbor Principles,” to enable U.S. companies to satisfy a requirement under European Union law for adequate protection of personal information transferred from the European Economic Area (the 25 member states of the European Union plus Iceland, Liechtenstein and Norway.) In addition to these principles, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions and businesses that receive personal information to establish safeguards for the handling and disclosure of that information. And the Fair and Accurate Credit Transactions Act (FACTA), a federal legislation, also contains provisions to help reduce identity theft and obligates the proper disposal of personal consumer information.

The cost of an international background investigation typically is higher than domestic searches, and varies with each country, the type of information that needs to be obtained and the purpose of the investigation. When performed by a reputable firm with qualified foreign contacts, an international background investigation can reduce negligent hiring liability, and prevent a catastrophic investment or reputational damage.

|Educational Series, Legislation|

Dodd-Frank Act amendment for credit scores took effect July 21, 2011

The Federal Reserve Board and the Federal Trade Commission (FTC) issued final rules to implement the credit score disclosure requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If a credit score is used in setting material terms of credit or in taking adverse action, the statute requires creditors to disclose credit scores and related information to consumers in notices under the Fair Credit Reporting Act (FCRA).

The final rules amend Regulation V (Fair Credit Reporting) to revise the content requirements for risk-based pricing notices, and to add related model forms that reflect the new credit score disclosure requirements. These rules also amend certain model notices in Regulation B (Equal Credit Opportunity), which combine the adverse action notice requirements for Regulation B and the FCRA.

For employers, this means that if a consumer report that includes a credit score is used to determine eligibility for employment, the employer will be required to disclose to the subject the usage of the credit score in an adverse employment decision and to provide information about the credit score, including the score itself, up to four key adverse factors in the score, and the identity of the agency that provided the score.

For credit transactions, creditors, including banks, credit unions, credit card issuers, and utilities, that extend credit on terms that are less favorable than those offered to other consumers because of information contained in a credit report, or if other adverse action is taken, will have to provide to the subject a “risk-based pricing notice” which discloses the credit scores and related information. Such notice will include: 1) the numerical credit score used by the creditor in making the decision; 2) the range of possible scores under the model used by the creditor; 3) the key factors that adversely affected the credit score; 4) the date on which the credit score was created, and 5) the name of the entity that provided the score.

In certain cases, such as for applications for a mortgage, auto loan, or another type of credit, a lender will have to furnish to the subject a “credit score notice” that lists the credit score and how the score compares to other consumers’ scores regardless of the credit terms offered. If no credit score is available for a consumer, the lender’s notice will identify the particular credit bureau which reported this information. Additionally, if a consumer’s annual percentage rate (APR) on an existing credit account is increased based on a review of a credit report, the creditor will have to provide an “account review notice.”

The Board and the FTC have stated that it is imperative to have the regulations and revised model forms in place as close as possible to July 21, 2011. This will help ensure that consumers receive consistent disclosures of credit scores and related information, and facilitate uniform compliance when Section 1100F of the Dodd-Frank Act becomes effective.

|Dodd-Frank, Legislation|

Consumer Financial Protection Bureau seeks input on non-bank entities

On June 23, 2011, the Consumer Financial Protection Bureau (CFPB) released a Notice and Request for Comment seeking public input on a key element of its non-bank supervision program — the statutory requirement to define who is a “larger participant” in certain consumer financial markets.

Created by the Dodd-Frank Act, the CFPB has been empowered to regulate non-bank financial entities. But exactly what is a “non-bank?” Various literature generally defines “non-bank” as a company that offers consumer financial products or services, but does not have a bank, thrift, or credit union charter and does not take deposits. Products from non-banks have a significant share of the overall consumer financial marketplace. Under Dodd-Frank, many of these non-banks will be subject to a federal supervision program for the first time.

In its Notice and Request for Comment, the CFPB has identified the following markets for potential inclusion in an initial rule: debt collection, consumer reporting, consumer credit and related activities, money transmitting, check cashing and related activities, prepaid cards, and debt relief services. The larger participant rule will not impose substantive consumer protection requirements. Instead, the rule will enable CFPB to begin a supervision program for larger participants in certain markets.

The issues for discussion in the Notice include:

What criteria to use to measure a market participant;
Where to set the thresholds for inclusion;
Whether to adopt a single test to define larger participants in all markets (measure the same criteria and use the same thresholds) or to use tests designed for specific markets;
What data is available to use for these purposes;
What time period to use to measure the size of a market participant;
How long a participant is to remain subject to supervision after initially meeting the larger participant threshold, and if it subsequently falls below the threshold; and
What consumer financial markets to include in the initial rule.

|Dodd-Frank, Legislation|

SEC Defines Due Diligence for Dodd-Frank ABS Certification Requirements

On May 28, 2011, as part of its ongoing efforts to implement the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Securities and Exchange Commission (SEC) approved for public comments (which will be accepted until July 18, 2011) proposed rules pursuant to Section 932 that would require nationally recognized statistical rating organizations (NRSROs), issuers and underwriters to make public the findings and conclusions of any due diligence reports prepared by a third-party service provider in an asset-backed securities transaction. Such third-parties would also have to furnish a certification to each NRSRO rating the securities.

Since the Dodd-Frank Act does not define “due diligence services,” the SEC has identified four categories of reviews, and thus has defined “due diligence services” in the proposed Rule 17g-10 to mean “an entity that engages in a review of the assets underlying an Exchange Act-ABS for purposes of making findings with respect to:

quality or integrity of the information or data about the assets provided, directly or indirectly, by the securitizer or originator of the assets;
whether the assets origination conformed to stated underwriting or credit extension guidelines, standards, criteria or other requirements;
value of collateral securing such assets;
whether the assets originator complied with federal, state or local laws or regulations; and
any other factor or characteristic of such asset that would be material to the likelihood that the issuer of the Exchange Act-ABS will pay interest and principal according to its terms and conditions.”

Proposed Rule 17g-10 will also define “issuer” to include a sponsor (as defined in 17 CFR 229.11) or depositor (as defined in 17 CFR 229.1011) that participates in the issuance of an Exchange Act-ABS. The terms “originator” and “securitizer” as used in proposed Rule 17g-10 will have the meanings stated in Section 15Gf of the Exchange Act.

An issuer or underwriter is not required to furnish a Form ABS-15G if such issuer or underwriter obtains a representation from each NRSRO engaged in the rating of the Exchange Act-ABS that the NRSRO will publicly disclose the findings and conclusions of any third-party due diligence report obtained by the issuer or underwriter. The NRSRO must disclose the finding and conclusions of any third-party due diligence report with the publication of the credit rating in an information disclosure form prepared pursuant to new paragraph (a)(1) of Rule 17g-7 no less than five business days prior to the first sale in the offering. Rule 17g-7 as amended by the proposed rules, would require an NRSRO to disclose in the information disclosure form:

whether and to what extent it relied upon third-party due diligence services;
description of the information that such third-party reviewed in conducting its due diligence services; and
description of the findings or conclusions of such third-party.

Also in accordance with Section 15E(s)(4)(C) of the Exchange Act, the SEC proposed that the format of the certification in Form ABS Due-Diligence-15E include the following line items:

identity and address of the provider of the third-party due diligence services;
identity and address of the issuer, underwriter or NRSRO that hired the provider of the third-party due diligence services;
identity of each NRSRO that published criteria for performing;
scope and manner of the due diligence performed, including but not limited to the type of assets that were reviewed, the same size of the assets reviewed, how the sample size was determined and any other type of review conducted with respect to the assets; and
findings and conclusions resulting from the review.

In addition, any individual executing the Form ABS Due Dilignce-15E on behalf of a third-party due diligence provider will be required to represent that he/she executed the form on behalf of, and on the authority of, the third-party due diligence provider and the third-party due diligence provider conducted a complete due diligence review.

|Dodd-Frank|

Financial advice show hosts have host of problems

Just about any time of the day, the airwaves are filled with self-appointed financial gurus spewing their secrets for managing money and ways to get rich. But the true secrets of more than a dozen of these wealth peddlers may be in their shady backgrounds and off-the-air dealings. Here are a few examples of the bamboozlements, as disclosed by the Securities and Exchange Commission (SEC) and other authorities.

On June 13, 2011, Clifford Robertson was sentenced to 97 months for bank fraud, to be followed by 24 months for aggravated identity theft and ordered to pay $4,627,520 in restitution, according to a statement by the U.S. Department of Justice’s Federal Bureau of Investigation Dallas Field Office. The bureau’s investigation determined that Robertson claimed to be a real estate investment advisor who hosted AM radio real estate investment talk shows and in-person seminars. Robertson admitted that beginning in December 2007, he used the identity of another person to submit a fraudulent personal financial statement to a lending institution in order to obtain money by false pretenses. The loss to investors was estimated at around $3 million.

Another recent financial show host shakedown was announced in a June 3, 2011 press release by the Department of Justice’s U.S. Attorney’s office for the Southern District of Florida which said that “criminal information was filed against Anthony F. Cutaia, charging him with nine counts of mail fraud…” Cutaia, who was the host of “Talk About Mortgages and Real Estate,” a television and radio program, was also the managing member and beneficial owner of CMG Property Investment Group, LLC, which purportedly engaged in commercial real estate investments in Florida, and promised not to collect commissions or fees from the investors until the properties were sold and a profit was made. However, court papers allege that Cutaia invested little of the money and instead used it to make payments to pre-existing investors and to pay his own business and personal expenses. Legal documents further show that Cutaia filed for bankruptcy in 2007, but that case was tossed out. He filed another Chapter 7 petition on May 11, 2011.

Also exposed this year was John Farahi, a host on a Farsi language radio station in the Los Angeles area. The SEC’s complaint filed in the U.S. District Court for the Central District of California alleges that NewPoint, co-owners John Farahi and Gissou Rastegar Farahi, and its controller Elaheh Amouei targeted investors in the Iranian-American community by touting NewPoint on a daily finance radio program hosted by Farahi. The SEC charges that the Farahis or Amouei would then make appointments with interested listeners to discuss investment opportunities offered by NewPoint, and subsequently misled more than 100 investors into purchasing over $20 million worth of debentures that they claimed were low risk. Many investors also were falsely told that they were investing in FDIC-insured certificates of deposit, or government or corporate bonds issued by companies backed by the funds from the Troubled Asset Relief Program (TARP). According to the SEC, most of the money raised was instead transferred to accounts controlled by the Farahis to, among other things, fund construction of their multi-million dollar personal residence in Beverly Hills.

|Educational Series, Fraud|

SEC issues warning about investing in reverse merger companies

On June 9, 2011, the Securities and Exchange Commission (SEC) issued an Investor Bulletin about investing in companies that enter U.S. markets through the so-called “reverse mergers.” These mergers allow private companies, including those outside the U.S., to access U.S. investors and markets by merging with an existing public shell company. The SEC and U.S. exchanges recently suspended trading in more than a dozen reverse merger companies, citing a lack of current, accurate information about these companies and their finances.

“Given the potential risks, investors should be very careful when considering investing in the stock of reverse merger companies,” said Lori J. Schock, director of the SEC’s Office of Investor Education and Advocacy. “As with any investment, investors should thoroughly research the company – including ensuring there is accurate and up-to-date information – before making a decision to invest.”

The SEC’s warning is especially strong regarding Chinese companies, as more than 150 entities have recently put their shares up for grabs to American investors through the backdoor “without any of the vetting from underwriters and investors that companies undergo when they perform a traditional IPO,” as noted by Commissioner Luis Aguilar.

Shareholders already have sued a string of China-based, U.S.-listed companies for fraud, claiming that they lost money when stocks plummeted after the financial scandals. They charge that the companies operated sham businesses, inflated revenue or gave vastly different information to U.S. and Chinese regulators. And they are starting to sue the auditors who signed off on the financial statements. But it will be tough to win these cases in American courts, as Chinese entities often have refused to comply with U.S. court proceedings.

The best hope for investors may be the SEC, which has launched an inquiry into U.S. audit firms with China-based clients. Investors could benefit if the SEC, which can force companies and auditors to cooperate in investigations, sues more auditors or companies.

|Educational Series|

Asset searches: who can get bank account information and why

A quick Internet search for ways to get someone’s bank or investment account information returns at least a dozen private investigation companies that promise to find these records “anywhere in the US and worldwide” for judgment collections, verification of net worth and for “just about any other purpose.” But a closer look at these Web sites reveals a fine-print disclaimer stating that the information is from public records such as divorce cases and probate filings. And there are a few that do not bother with a disclaimer, providing only an 800 number to call.

Asset searches, which may include bank and investment accounts, are not illegal; however, certain actions to obtain this information, such as pre-texting, are illegal. And although there are methods that can be used to obtain financial information covertly, most if not all, are questionable and often futile. There is no clear way for anyone other than the account holder, a designated representative or a party with a valid court order to get account information without violating the law.

There is a general misconception that a judgment, just by virtue of its issuance, can be used to force a bank or financial institution to disclose account information, but the enforcement of judgments is governed by each state’s laws. In California, for example, a writ of execution is necessary. These writs are rendered on a county-by-county basis and direct a levying officer (usually a sheriff) to serve the writ on the named institution. The institution then may be required to freeze the account and in some cases to hand over the account balance. State laws also allow the creditor, after a judgment is obtained, to examine and request asset information from the debtor. This, however, puts the debtor on notice and may result in draining an account before a writ of execution is served.

The privacy protection laws that govern access to financial information under false pretenses depend on whether the affected customer is a consumer or a business entity. The more significant legislation is directed at protecting consumers, defined generally in the laws and in interpretative decisions as ”individuals consuming goods or services for personal or household use.” The Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation to protect customer information. Under the GLBA, a customer means “an individual consumer,” which is essentially the same as the definition of a consumer under the Fair Credit Reporting Act (FCRA). In addition to the GLBA and FCRA, there are other potentially applicable federal privacy laws, as well as a long list of state laws. But even if a specific law may cover only consumers, the financial institution’s contract with the business customer would certainly be construed as preventing third-party access.

|Educational Series|

Dodd-Frank rule disqualifies felons and bad actors from securities offerings

On May 25, 2011, the Securities and Exchange Commission (SEC) proposed a rule to deny certain securities offerings from qualifying for exemption from registration if they involve “felons and other bad actors.”

When an individual or a company offers or sells a security such as a stock or bond, generally the offering must be registered with the SEC. However, the SEC’s Regulation D provides three exemptions that can used to avoid such registration. The most widely used exemption is Rule 506, which accounts for more than 90% of the offerings made, as well as the majority of capital raised. If an offering qualifies for the Rule 506 exemption, an issuer can raise unlimited capital from an unlimited number of “accredited investors” and from up to 35 non-accredited investors.

Section 926 of the Dodd-Frank Act requires the SEC to adopt rules that would deny this exemption to any securities offering in which certain “felons and other bad actors” are involved. This new rule is substantially similar to the bad actor disqualification provisions of another limited offering exemptive rule – Rule 262 of Regulation A – which provides for an exemption from registration for certain small offerings.

Under the proposed rule, an offering cannot rely on the Rule 506 exemption if the issuer or any other person covered by the rule (including the issuer’s predecessors and affiliated issuers, directors, officers, general partners and managing members of the issuer, 10% beneficial owners and promoters of the issuer, persons compensated for soliciting investors, and the general partners, directors, officers and managing members of any compensated solicitor) has had a “disqualifying event” identified as follows:

Criminal conviction in connection with the purchase or sale of a security, making of a false filing with the SEC or arising out of the conduct of certain types of financial intermediaries. The criminal conviction would have to have occurred within 10 years of the proposed sale of securities (or five years, in the case of the issuer and its predecessors and affiliated issuers).

Court injunction and restraining order in connection with the purchase or sale of a security, making of a false filing with the SEC or arising out of the conduct of certain types of financial intermediaries. The injunction or restraining order would have to have occurred within five years of the proposed sale of securities.

Final order from state securities, insurance, banking, savings association or credit union regulators, federal banking agencies or the National Credit Union Administration that bar the issuer from: 1) associating with a regulated entity; 2) engaging in the business of securities, insurance or banking; 3) engaging in savings association or credit union activities, or 4) orders that are based on fraudulent, manipulative or deceptive conduct and are issued within 10 years before the proposed sale of securities.

Certain commission disciplinary order relating to brokers, dealers, municipal securities dealers, investment companies and investment advisers and their associated persons, which would be disqualifying for as long as the order is in effect.

Suspension or expulsion from membership in a “self-regulatory organization” or from association with an SRO member, which would be disqualifying for the period of suspension or expulsion.

Commission stop order and order suspending the Regulation A exemption issued within five years before the proposed sale of securities; and

U.S. Postal Service false representation order issued within five years before the proposed sale of securities.

The proposed rule would provide an exception from disqualification when the issuer can show it did not know and, in the exercise of reasonable care, could not have known that a disqualification existed. Any pre-existing convictions, suspensions, injunctions and orders would be disqualifying. For further information, see http://www.sec.gov/rules/proposed/2011/33-9211.pdf