FCRA

Mobile apps may violate Fair Credit Reporting Act

On February 6, 2012, the Federal Trade Commission (FTC) issued warning letters to the marketers of six mobile applications that provide background screening apps that they may be violating the Fair Credit Reporting Act (FCRA.) The FTC said that if the background reports are being used for employment or other FCRA purposes, then the marketers and their clients must comply with the FCRA.

According to the warning letters, the FTC has not made a determination whether the companies indeed are violating the FCRA, but encourages them to review their apps, and their related policies and procedures. The FCRA is designed to protect the privacy of consumer report information and ensure that the information provided by consumer reporting agencies is accurate. Consumer reports are communications that include information about an individual’s character, reputation, or personal characteristics, and are used or expected to be used for purposes such as employment, housing or credit.

Under the FCRA, entities/operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies (CRAs.) Mobile apps that supply such information also may qualify as CRAs under the Act. CRAs must take reasonable measures to ensure the user of each report has a ‘permissible purpose’ to use the report, take reasonable steps to ensure the maximum possible accuracy of the information conveyed in the report, and provide users of its reports with information about their obligations under the FCRA. In employment-purpose consumer reports, for example, CRAs must provide employers with information regarding their obligation to give notice to employees and applicants of any adverse action taken on the basis of a consumer report.

February 7th, 2012|Categories: Commercial Transactions Due Diligence|Tags: , |

Paying for ambiguity: the myths of instant background checks and national databases

The cottage industry of data-collection agencies that provide inexpensive background information is flourishing even in this tough economy. Many prospective employers with tight budgets believe they can save money by relying on the “national” records that are spewed out within minutes of entering a credit card number. So just what do you get for $19.99? Not much. Or a lot…a lot of worthless data, that is. Unverified name-match only records come up by the hundreds if the name is fairly common. And it is nearly impossible to determine case details or duplicate filings, as the cryptic printouts often require specialized knowledge that is specific to each state, municipality or records venue.

Many subjects who are flagged as criminals in these databases have never been convicted of a crime. In fact, according to the U.S. Bureau of Justice statistics for felony defendants in large urban counties, one-third of felony arrests never lead to a conviction. And there is no standardized process for reporting arrests and dispositions or updating the records at the various court levels. Some reported offenses are not actually violations of the criminal code in the particular state, but may still show up in these databases.

There are few regulations governing the use of background information beyond the provisions of the Fair Credit Reporting Act (FCRA). The Federal Trade Commission (FTC) does not mandate that data aggregators provide guidance on how to properly interpret their records. The only possible value of these so-called national databases is to serve as an indicator that a record may exist, and use the search results to supplement a full investigation. Since the FCRA requires that all “reasonable procedures to assure maximum possible accuracy of the information are followed” and that “the information is complete and up-to-date,” searches for employment purposes must be conducted either manually or through direct access in the particular court where the record is filed.

Employment experts at a July 2011 Equal Employment Opportunity Commission (EEOC) hearing urged the Commission to consider the comprehensive recommendations put forth by the National Employment Law Project (NELP) in its report on the effect of criminal background checks in employment decisions. Among its recommendations, the NELP suggested that the EEOC revise its now 20-year-old guide on conviction records in view of the “intervening proliferation of instant computerized background information…” The EEOC should also address the “use of arrest records and third-party databases that are considered a part of the hiring process.”

October 17th, 2011|Categories: Commercial Transactions Due Diligence|Tags: , , , |

Controversy abounds in employment decisions based on social media searches

In May 2011, the Federal Trade Commission (FTC) ruled that companies providing social media information to employers – and employers who use the reports – must follow the same Fair Credit Reporting Act (FCRA) regulations that apply to more traditional sources. The FTC also stated that postings on any social media site can be saved by on-line background screening companies for up to seven years.

According to the FTC’s letter dated May 9, 2011 to a company that sells information from social networking sites for employment purposes, such a company is considered a Consumer Reporting Agency (CRA) and thus must take reasonable steps to ensure the accuracy of the information obtained from online social networks (as well as other sources) and positively identify it with the subject. It also must comply with other FCRA provisions, such as providing a copy of the report to the subject and maintaining an established protocol if the subject disputes the reported information. As with “traditional” background investigations, employers who use a report prepared by a CRA must certify to the CRA that the report will not be used in violations of federal or state equal employment opportunity laws or regulations. Additionally, both the CRA and the employer have a legal obligation to keep and dispose of the reports securely and properly. (For more information, see the FTC blog, “The Fair Credit Reporting Act & Social Media: What Businesses Should Know.”)

Social media legal experts and various literature point to a multitude of issues and risks faced by both the CRA and the employer who uses social media checks, which include, but are not limited to:

  • Problems under FCRA section 607(b) in exercising “reasonable procedures to assure maximum possible accuracy” of the information.
    Since the information on social media sites is self-reported and can be changed at any time, it is often difficult if not impossible to ascertain that the information is accurate, authentic and belongs to the subject. Online identity theft is not uncommon, as are postings under another person’s name for the purpose of “cyber–slamming” (which refers to online defamation, slander, bullying, harassment, etc.)
  • Information may be discriminatory to job candidates or employees, or in violation of anti-retaliation laws.
    Social sites and postings may reveal protected concerted activity under the National Labor Relations Act (NLRA,) and protected class information under Title VII of the Civil Rights Act and other federal laws, such as race, age, creed, nationality, ancestry, medical condition, disability, marital status, gender, sexual preference, labor union affiliations, certain social interests, or political associations. And while the information may have no impact on the employment decision, the fact that the information was accessed may support claims for discrimination, retaliation or harassment.
  • Accessing the information may be in violation of the federal Stored Communications Act (SCA).
    To the extent that an employer requests or requires an employee’s login or password information, searches of social networking sites may implicate the SCA (18 U.S.C. § 2701) and comparable state laws which prohibit access to stored electronic communications without valid authorization. A California court recently ruled that the SCA also may protect an employee’s private information on social networking sites from discovery in civil litigation.
  • Assessing the information may violate terms of use agreements and privacy rights.
    While certain social media sites have stricter privacy controls than others, most if not all limit the use of their content. The terms of use agreements typically state that the information is for “personal use only” and not for “commercial” purposes. Although the definition of “commercial” in connection with employment purposes is interpretive, most legal experts indicate that employment screening fits that scope.
  • Information may be subjective and irrelevant to the employment decision.
    Blogs, photos and similar postings often do not provide an objective depiction of the subject or predict job performance. The California Labor Code, for example, specifically provides that an employer is prevented from making employment-related decisions based on an employee’s legal off-duty conduct. Employers may use such information only if the off-duty conduct is illegal, if it presents a conflict of interest to the business or if it adversely affects the employee’s ability to do his/her job. And the evidence of such activities must be clear.

The popularity of employment-related background checks that include social media searches is growing rapidly. But the unreliable and unverifiable information from these sources is a potential landmine of legal liabilities.

August 8th, 2011|Categories: Employment Decisions|Tags: , , |

Challenges of international background investigations

Many transactions today, whether they involve an employment hiring decision or a new business relationship, are cross-border or have an international component. The need for effective risk management both in the U.S. and abroad has vastly expanded in recent years with the passing of legislation and increased enforcement actions. Behind just about every business decision, there is a widening range of stakeholders — from regulators to shareholders to board members — who expect that the due diligence process will minimize unlawful activities.

International background investigations, which are essential for a comprehensive approach to due diligence, present special challenges since each country has its own laws, customs, and procedures. Language barriers, name variations and transliterations, limited information and technology, broad definitions of crimes, and proliferation of fraudulent educational and accreditation institutions, are just some of the factors that add to the complexity of these investigations.

As a general rule, in most European countries, criminal records are not available to the public. In Asia, public accessibility to most court filings is limited. In South America, public records vary greatly from country to country. South Africa provides some disclosure of police records and warrants to the public, along with   civil filings. Canada’s public records availability differs by province, and only a few permit criminal records release. India and Australia have the most searchable records, similar to the U.S.

For employment purposes, the Fair Credit Reporting Act (FCRA) imposes certain obligations for international background screening performed by a U.S. Consumer Reporting Agency (CRA), including mandating reasonable procedures to ensure the accuracy of the information it reports. If a public record such as a criminal conviction is found, the CRA must ascertain that the information is correct, up-to-date, and reported in a way that does not violate data or privacy protection rules.

In 2000, an agreement between the U.S. Department of Commerce and the European Commission established privacy and data protection guidelines, the “Safe Harbor Principles,” to enable U.S. companies to satisfy a requirement under European Union law for adequate protection of personal information transferred from the European Economic Area (the 25 member states of the European Union plus Iceland, Liechtenstein and Norway.) In addition to these principles, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions and businesses that receive personal information to establish safeguards for the handling and disclosure of that information. And the Fair and Accurate Credit Transactions Act (FACTA), a federal legislation, also contains provisions to help reduce identity theft and obligates the proper disposal of personal consumer information.

The cost of an international background investigation typically is higher than domestic searches, and varies with each country, the type of information that needs to be obtained and the purpose of the investigation. When performed by a reputable firm with qualified foreign contacts, an international background investigation can reduce negligent hiring liability, and prevent a catastrophic investment or reputational damage.

July 25th, 2011|Categories: Employment Decisions|Tags: , |

Asset searches: who can get bank account information and why

A quick Internet search for ways to get someone’s bank or investment account information returns at least a dozen private investigation companies that promise to find these records “anywhere in the US and worldwide” for judgment collections, verification of net worth and for “just about any other purpose.” But a closer look at these Web sites reveals a fine-print disclaimer stating that the information is from public records such as divorce cases and probate filings. And there are a few that do not bother with a disclaimer, providing only an 800 number to call.

Asset searches, which may include bank and investment accounts, are not illegal; however, certain actions to obtain this information, such as pre-texting, are illegal. And although there are methods that can be used to obtain financial information covertly, most if not all, are questionable and often futile. There is no clear way for anyone other than the account holder, a designated representative or a party with a valid court order to get account information without violating the law.

There is a general misconception that a judgment, just by virtue of its issuance, can be used to force a bank or financial institution to disclose account information, but the enforcement of judgments is governed by each state’s laws. In California, for example, a writ of execution is necessary. These writs are rendered on a county-by-county basis and direct a levying officer (usually a sheriff) to serve the writ on the named institution. The institution then may be required to freeze the account and in some cases to hand over the account balance. State laws also allow the creditor, after a judgment is obtained, to examine and request asset information from the debtor. This, however, puts the debtor on notice and may result in draining an account before a writ of execution is served.

The privacy protection laws that govern access to financial information under false pretenses depend on whether the affected customer is a consumer or a business entity. The more significant legislation is directed at protecting consumers, defined generally in the laws and in interpretative decisions as ”individuals consuming goods or services for personal or household use.” The Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation to protect customer information. Under the GLBA, a customer means “an individual consumer,” which is essentially the same as the definition of a consumer under the Fair Credit Reporting Act (FCRA). In addition to the GLBA and FCRA, there are other potentially applicable federal privacy laws, as well as a long list of state laws. But even if a specific law may cover only consumers, the financial institution’s contract with the business customer would certainly be construed as preventing third-party access.

June 10th, 2011|Categories: Commercial Transactions Due Diligence|Tags: , , , |

Illinois Employee Credit Privacy Act (096-1426)

Effective January 1, 2011, the Act will prohibit employers, in many circumstances, from inquiring about or using an employee’s or prospective employee’s credit history as a basis for employment, recruitment, discharge, or compensation. The Act also will prohibit an employer from retaliating or discriminating against a person who files a complaint under the Act, participates in an investigation, proceeding or action concerning a violation of the Act, or opposes violation of the Act. Pursuant to the Act, an employer will not:

  • Fail or refuse to hire or recruit, discharge, or otherwise discriminate against an individual with respect to employment, compensation, term, condition, or privilege of employment because of the individual’s credit history or credit report.
  • Inquire about an applicant’s or employee’s credit history.
  • Order or obtain an applicant’s or employee’s credit report from a consumer reporting agency.

Exceptions to the Act are as follows:

  • State or federal law requires bonding or other security covering the individual holding the position.
  • Duties of the position include custody of or unsupervised access to cash or marketable assets valued at $2,500 or more.
  • Duties of the position include signatory power over business assets of over $100 or more per transaction.
  • Position is managerial, and involves setting the direction or control of the business.
  • Position involves access to personal or confidential information, financial information, trade secrets, or state or federal national security information.

The Act also states that nothing in its provisions shall prohibit employers from conducting a thorough background investigation which may include obtaining a consumer report and/or investigative report without information on credit history, as permitted by the Fair Credit Reporting Act (FCRA).

September 10th, 2010|Categories: Employment Decisions, Legislation|Tags: , , , , |

The FCRA and Employer’s Obligations

In recent years, negligent hiring and retention lawsuits have seen a dramatic rise, with settlement payouts averaging over a million dollars. These cases are predicated on the theory that an employer may be held liable for its negligence in placing a person with certain known propensities for criminal or other unfit behavior in an employment position where the individual poses a threat to others. The most common defense against negligent hiring or retention actions is based on foreseeability, which is often determined through a background investigation. Some courts have been more flexible than others in damage awards, but regardless of their stance, the closer the connection between the perpetrator’s dangerous propensity and the actual tortious conduct, the stronger the case against the employer. The law in both negligent hiring and negligent retention also recognizes that a company’s duty to avoid employing dangerous people does not end when an individual is hired–it extends to negligent supervision, negligent training and negligent firing.

Nearly every investigation that touches on employment is covered by the Fair Credit Reporting Act (FCRA), which defines employment (purposes) as “evaluating a consumer for employment, promotion, reassignment or retention as an employee.” If an employer uses a third party screening service to conduct a background investigation of an applicant or employee, that company is considered a “consumer reporting agency” (CRA) under the FCRA. The CRA’s reports, known as consumer reports, may contain information from educational institutions, professional licensing boards, former employers, courts, credit bureaus, references, motor vehicle departments, regulatory entities, media sources, etc.

The FCRA is a complex federal statute that has been significantly revised since 1970. But the Act’s primary mandate remains that CRAs adhere to “reasonable procedures” to protect the confidentiality, accuracy, and relevance of consumer information. Under its Fair Information Practices, the FCRA has established rules concerning personal information that include rights of data quality (to access, dispute and correct), data security, usage limitations, data destruction, disclosures, user consent, and accountability. The FCRA requires the employer/user to affirm to the CRA that it is in compliance (with FCRA) and has enacted the following directives prior to the initiation of a consumer report:

  • Verified that there is a legitimate need for requesting a consumer report
  • Certified that written permission was obtained from the applicant or employee and proper disclosures were provided
  • Stated the reason for requesting a consumer report
  • Certified that the information will be used for employment purposes only.

Before any adverse action is taken based on information in the consumer report, the FCRA obligates the employer to provide the applicant or employee a copy of the report and summary of consumer rights prescribed by the FCRA. And if adverse action is taken, the employer must deliver an “adverse action notice” to the affected individual. Further, the employer must certify that it will not use any information from a consumer report in violation of the applicable federal or state equal opportunity laws and regulations.

The FCRA makes a distinction between a “consumer report” and “investigative consumer report.” Its delineation of a “consumer report” is that it is comprised of verifications of facts about education, employment or other claims made by the applicant, while an “investigative consumer report” is a compilation of information about character, general reputation, personal characteristics, or mode of living through interviews. Thus, an employer who uses investigative consumer reports must comply with the provisions of the FCRA that apply generally to consumer reports as well as the provisions that are specific to investigative consumer reports which include “clearly and accurately” disclosing in writing that it may obtain the aforementioned information. This notice must contain a statement advising the individual of the right to request additional disclosures concerning the nature and scope of the inquiry, along with a written summary of consumer rights. Also, for an investigative consumer report, the disclosure must be made within three days after such report is requested, while in a consumer report, notice must be given before the report is procured.

The FCRA rules also apply when an employer uses a third party to investigate employee misconduct. The employee must be notified “clearly and conspicuously” and authorize, in writing, the undertaking of an investigative consumer report. If the employer disciplines or adversely treats the employee based upon the information in the report, the employer must provide the employee, within 60 days of the adverse decision, the following:

  • Notice of the disciplinary action
  • Name, address and telephone phone number of third party that prepared the report
  • Statement that said third party had no input into the decision to discipline the employee and thus will not provide information about the action taken
  • Notice that the employee is entitled to a free copy of the report and can request that the employer state the reason for the disciplinary action.

The FCRA does not apply to investigations of misconduct conducted by internal personnel or by third parties which do not regularly prepare such reports.

Violations of the FCRA can lead to civil and/or criminal penalties for the CRA and the employer. Civil penalties may carry nominal damages (up to one thousand dollars if no actual damages exist), actual and punitive damages, and attorneys’ fees and costs, if there is “willful noncompliance.” Civil penalties for “negligent noncompliance” are confined to actual damages and attorneys’ fees and costs. Criminal penalties may be imposed when a party knowingly and willfully obtains information from a CRA under false pretenses.

Establishing a relationship with a reputable CRA is one of the best assurances of FCRA compliance. An experienced company can provide guidance not just in the legal process of the FCRA, but also instill trust that it has met its related obligations.

September 6th, 2010|Categories: Employment Decisions, Legislation|Tags: , , |

FTC proposes changes to improve credit reporting notices

The Federal Trade Commission announced on August 16, 2010 that it is proposing revisions to the notices that consumer reporting agencies provide to consumers, and to users and furnishers of credit report information under the Fair Credit Reporting Act (FCRA). The FCRA requires the FTC to publish model notices for several forms that must be provided by consumer reporting agencies. The proposed changes are designed to reflect new rules that the FTC and other financial regulators have enacted under the Fair and Accurate Credit Transactions Act of 2003, and to make the notices more useful and easier to understand.
In addition to revising the general Summary of Rights notice, which informs consumers about their FCRA rights, such as how to obtain a free credit report and dispute inaccurate information, the FTC is proposing improvements to the notices that credit
reporting agencies provide to users and furnishers of credit report information.
The FTC is accepting public comments on the proposed changes until September 21, 2010.
(The FTC contact is Pavneet Singh, Bureau of Consumer Protection, at 202-326-2252.) See http://www.ftc.gov/os/fedreg/2010/august/100816fcranotice.pdf for the full text of the proposed revisions.
August 19th, 2010|Categories: Commercial Transactions Due Diligence|Tags: , |

What’s wrong with using information from Facebook, MySpace, Friendster or personal Web sites for hiring decisions?

Some companies believe this is a cheap way to obtain information about an applicant. Unfortunately for the applicant, this type of background check is not covered by the Fair Credit Reporting Act (FCRA) if it is performed by the employer. And since the sites are not mandated to investigate and correct errors, the employer may miss out on hiring a qualified candidate. Additionally, much of the information posted on these sites cannot be discussed in an interview, and if not handled properly, the employer may be sued for claims under various anti-discrimination statutes, ADA, privacy laws, and state “off-duty” conduct statutes. Employers who use third-parties to conduct background investigations by searching social Web sites and Internet postings must comply with the FCRA, and thus explicitly state in the background check authorization that social networking and/or other such sites will be accessed. The FCRA does not prohibit employers from obtaining consumer reports that contain information compiled from Internet sites; however, employers are required to disclose to the applicant that the information was the basis of an adverse employment decision (Id. § 1681b(b)(3)(B)(i)(I).

Despite the liability exposure and unreliability of the information, various surveys show that employers do use information from social networking sites and blogs to support their decision to hire or disqualify an applicant. The most common causes for disqualification include:

  • Information or photographs about drinking or using drugs
  • Provocative or inappropriate photographs or information
  • Poor communication skills evident in postings
  • Bad-mouthing previous employer or fellow employee
  • Misrepresentation of qualifications
  • Discriminatory remarks related to race, gender, religion, etc.
  • Unprofessional or provocative screen name
  • Indications of criminal behavior
  • Posted confidential information from previous employers
July 1st, 2010|Categories: Employment Decisions|Tags: , |

What are “specialty consumer reports?”

“Specialty consumer reports” are compiled by specialty consumer agencies for targeted users such as insurance companies, employers, and landlords. The agencies collect information from a variety of sources and may include civil and criminal records, credit history, bankruptcy filings, driving records, business relationship information with banks or insurance companies, and even medical information.

Most consumers are unaware of the existence of a “specialty consumer report” unless they have been denied a job, insurance, or housing rental. The Fair Credit Reporting Act (FCRA) imposes certain obligations on the specialty reporting agencies, the users of such reports, and those that furnish information for the reports. (See  http://www.ftc.gov/bcp/edu/pubs/business/credit/bus33.shtm for more information.) When adverse action is taken based on the information in the report, the FCRA mandates that users of specialty consumer reports provide to the subject an “adverse action notice” along with a free copy of the report. The subject also has the right to dispute inaccurate information.

June 30th, 2010|Categories: Employment Decisions|Tags: , |
© 2012- SCHERZER INTERNATIONAL | ALL RIGHTS RESERVED
Go to Top