The FTC announces that consumers are now allowed to request free credit freezes from the nationwide credit reporting agencies due to the enactment of the Economic Growth, Regulatory Relief, and Consumer Protection Act.
FDIC Amends Background Check Policy
On August 20th, the Federal Deposit Insurance Corporation (FDIC) issued modifications to Section 19 of the Federal Deposit Insurance Act, which prohibits, without the prior written consent of the FDIC, a person convicted of any criminal offense involving dishonesty, breach of trust, money laundering, or who has entered into a pretrial diversion or similar program (program entry) in connection with a prosecution for such offense, from participating in the affairs of an FDIC-insured institution. The updated SOP is available on the FDIC’s website and was published in the Federal Register on August 3, 2018.
Statement of Applicability to Institutions with Total Assets Under $1 Billion: This Financial Institution Letter applies to all FDIC-insured institutions.
- The de minimis exceptions, under which the FDIC’s consent is automatically granted and an application is not required, have been modified to encompass convictions or program entries for issuance of insufficient funds checks of moderate aggregate value; small dollar, simple theft; and isolated minor offenses committed by young adults.
- Drug-related covered offenses will be granted automatic FDIC consent and not require an application if de minimis criteria are met.
- FDIC-supervised institutions may provide prospective employees conditional offers of employment pending a background check provided that the individual does not begin employment until the institution verifies that the individual’s participation is not barred by Section 19.
- Clarifying modifications have been made to further define the terms “complete expungement,” “jail time,” and “pretrial diversion or similar programs.”
- The FDIC is in the process of updating its application forms to reflect these revisions.
- The FDIC will issue an informational brochure that explains the process for submitting an application to the FDIC.
- The modifications provide carefully measured changes to the SOP while preserving the purpose of the law that will reduce regulatory burden, promote public awareness of the law, and decrease the number of covered offenses that will require an application.
FTC Reaches Settlements with Four Companies That Falsely Claimed Participation in the EU-U.S. Privacy Shield
Four companies have agreed to settle allegations by the Federal Trade Commission that they falsely claimed certification under the EU-U.S. Privacy Shield framework and that two of these companies failed to abide by a key provision of the framework. In separate complaints, the FTC alleges that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. “Companies need to know that if they fail to honor their Privacy Shield commitments, or falsely claim participation in the Privacy Shield framework, we will hold them accountable,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “We have now brought enforcement actions against eight companies related to the Privacy Shield, and we will continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.”
The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework. The FTC alleges that IDmission, which offers cloud-based technology platform services, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. Despite this, the company claimed on its website that it “complies with the EU-U.S. Privacy shield framework.” According to the FTC complaints, SmartStart, VenPath and mResource each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. Despite this, all three companies included statements posted on their websites that they participated in the Privacy Shield. VenPath is a data analytics firm, while SmartStart offers employment and background screening services, and mResource provides talent management and recruitment services.
The FTC further alleges that VenPath and SmartStart failed to abide by the Privacy Shield requirement that companies that stop participation in the Privacy Shield affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program. As part of the proposed settlements with the FTC, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order. The Commission vote to issue the administrative complaints and to accept the proposed consent agreements was 4-0-1. Commissioner Christine S. Wilson did not participate.
CA Bill Applicable to Credit Reporting Agencies
The California legislature sent a bill to Governor Brown’s desk that will require a consumer credit reporting agency (i.e., the credit bureaus) that owns, licenses, or maintains personal information about a California resident, or a 3rd party that maintains personal information about a California resident on behalf of a consumer credit reporting agency, that knows, or reasonably should know, that a computer system it owns, operates, or maintains, and for which it controls the security protocols, is subject to a security vulnerability (i.e., security incident or data breach) that poses a significant risk to the security of computerized data within the system that contains personal information, to take certain measures to protect that data, including implementing software updates, if it knows or reasonably should know that a software update is available to address the security vulnerability.
Chicago Public School Employees Barred from Returning to Work
On September 2nd, The Chicago Tribune reported that 266 Chicago Public School (CPS) employees were barred from returning to work due to their background checks. 60 of those employees were teachers and the others included vendors who interact with students such as janitors, bus drivers, and engineers. A majority of the employees were banned for failing to submit fingerprints. CPS overhauled their background check process in June following reports that some employees who abused students had criminal backgrounds. Employees who opt not to submit fingerprints risk being terminated.
Michigan Bans Felon Box on State Job Applications
Republican Gov. Rick Snyder is “banning the box” on state job applications in an attempt to help formerly convicted felons return to the workforce and set an example for employers across Michigan.
The term-limited governor on Friday will sign an executive directive for state departments that, beginning Oct. 1, will prevent them from using an application check box to ask job seekers if they’ve been convicted of a felony. While a criminal history review could still happen later in the hiring process, state departments will not be able to use criminal history as an initial screen for applicants. Snyder is also announcing that the Michigan Department of Licensing and Regulatory Affairs has removed all criminal history questions from licensing applications, except when required under state or federal law.
Applicants—primarily in skilled trades professions that require occupational licenses—will instead be asked to attest to their ability to serve the public and their rehabilitation from any former offenses.
The executive action comes six months after Snyder signed a law that generally prohibits local governments from adopting or enforcing an ordinance that regulates the information an employer must request or exclude from a job application. Snyder last year also signed a law allowing the Michigan Department of Corrections to hire formerly convicted felons.
Tennessee Department of Labor Revises Drug-Free Workplace Program Requirements
Twenty years ago, the Tennessee Department of Labor (TNDOL) adopted regulations implementing the Tennessee Drug-Free Workplace Act and establishing the Tennessee Drug-Free Workplace Program. This year, the TNDOL substantially revised these regulations. The revised regulations became effective on May 6, 2018. Employer participation in the Drug-Free Workplace Program is voluntary. The benefits for employers that participate in the program include:
- A 5 percent premium credit on their workers’ compensation insurance policies.
- A shift in the burden of proof in workers’ compensation claims involving a positive alcohol or drug test. If an employee is injured at work and later fails a post-accident drug/alcohol test, it is presumed that drugs or alcohol were the proximate cause of the injury. Workers’ compensation benefits can be denied unless the injured employee overcomes that presumption.
- A presumption that any discharge of an employee, or the refusal to hire a job applicant, who is found to be in violation of the employer’s drug-free workplace program is a discharge “for cause.” This presumption should, in most cases, disqualify an employee from receiving unemployment benefits.
In order to take advantage of these benefits, employers that choose to participate in the program must meet certain criteria the TNDOL has established with regard to drug testing, training, and notification to employees. The following is a summary of several of the more significant changes the TNDOL has made to its regulations.
Types of Drugs
The types of drugs an employer is required to test for has changed. The previous regulations included a list of six categories of drugs as well as alcohol. The revised regulations limit required testing to drugs listed on the TNDOL’s Bureau of Workers’ Compensation website. This list is drawn from the U.S. Department of Transportation’s (DOT) list of the types of drugs the DOT currently tests for: marijuana metabolites, cocaine metabolites, amphetamines, opioids, and phencyclidine (PCP), as well as alcohol. One class of drugs no longer on the required testing list is MDMA (ecstasy).
Employers are still permitted to test for other substances, but such testing does not create the presumptions allowing for the denial of Workers’ Compensation benefits and unemployment benefits.
Blood Alcohol Content Threshold
Under the prior regulations, the threshold for blood alcohol content was 0.08 percent for non-safety-sensitive positions and 0.04 percent for safety-sensitive positions. The revised regulations now apply the 0.04 percent threshold for a positive alcohol test to all employees.
Employers are required to conduct reasonable suspicion testing. The definition of “reasonable suspicion” has been expanded to include “[a]n accident which results in an injury to another individual or in property damage exceeding $5,000.00.”
Duty to Document
Before these amendments, employers were required to document the basis for their reasonable suspicion within seven days and provide a copy of the documentation to the employee “if requested.” The regulations now require an employer to document reasonable suspicion within 24 hours and to provide this documentation to the employee.
Standard of Proof
When an employee has a positive test (or refuses to test) post-accident, there is a presumption that the presence of drugs or alcohol was the proximate cause of the accident unless the employee can provide clear and convincing evidence to the contrary. Previously, an employee’s burden of proof was by a preponderance of the evidence. This increase in the standard of proof (first adopted in 2011, but only now recognized in the regulations) makes it even more difficult for employees impaired by alcohol or drugs to qualify for Workers’ Compensation benefits.
The amount of required employee training has been reduced, although certain topics are now required to be covered in that employee training. Employers were previously required to train employees for one hour at least once per year. Now employers are required to train employees at least one time (ever), but that training must take place within 60 days of the employer’s adoption of a Drug-Free Workplace Program or within 60 days of the employee’s hire date.
- The training must include information on the employer’s Drug-Free Workplace Program policies, testing procedures, consequences for violation the policies, the specific drugs to be tested for, and any substance abuse or employee assistance programs available to employees. The training can also include substance abuse awareness issues.
- Employers are still required to provide two hours of training to supervisors, but now that training can be given one time only.
The regulations have added a new provision for employees to appeal a positive drug or alcohol test to the Bureau of Workers’ Compensation.
On August 29th, the U.S. Court of Appeals for the Seventh Circuit reversed a lower court’s dismissal of a case alleging violations under the Fair Credit Reporting Act (FCRA). Plaintiff Shameca Robertson alleged that Allied Solutions, LLC violated the FCRA by failing to provide her with a copy of her background report after it rescinded its initial job offer, claiming the offer was rescinded due to “non-conviction information” found on her report. Both parties reached a tentative settlement before the district court dismissed the case for lack of standing, citing a ruling in a similar case that found the plaintiff lacked standing to sue. Robertson appealed the case arguing that withholding the report limited her ability to review the basis of the adverse action and impeded her opportunity to respond. The Seventh Court ruled that Robertson’s injury was “concrete and particular to her” and remanded the case for further proceedings. The case is Shameca Robertson v. Allied Solutions LLC, Case No. 17-3196, in the U.S. Court of Appeals for the Seventh Circuit.
Court Rejects the CFPB’s Petition to Enforce its Civil Investigative Demand
On September 6, 2018, the U.S. Court of Appeals for the Fifth Circuit announced its decision in CFPB v. Source for Public Data, No. 17-10732 where it rejected the CFPB’s petition to enforce its Civil Investigative Demand (CID). The Bureau’s authorizing statute allows it to conduct investigations through CIDs, which compel the production of information, but it also requires that CIDs describe the laws violated and conduct that caused the suspected violations in a “Notification of Purpose.” In this matter, the Bureau’s Notification of Purpose essentially stated that the Bureau sought to investigate whether any person who procured or used a consumer report had violated any law enforced by the Bureau. Source for Public Data challenged the CID, primarily arguing that the CID’s vague Notification of Purpose rendered it defective. The Fifth Circuit agreed with Source for Public Data. While the Bureau has broad authority to conduct investigations, the court held that the Bureau “does not have unfettered authority to cast about for potential wrongdoing.” CID recipients should know what conduct is under investigation, what laws have potentially been violated, and whether the recipient is a third-party or a “target” of an investigation.
Court Upholds Wells Fargo Background Check Policy
On August 29th the U.S. Court of Appeals for the Eighth Circuit affirmed a lower court’s decision upholding a Wells Fargo employment policy allowing the termination of employees, or the disqualification of job applicants, based on their criminal records. The lawsuit was filed by a group of former minority workers and job applicants who claimed the company’s employment policy, which terminates or withdraws employment offers to any individual with a disqualification in their criminal background check, disproportionality affected Black and Latino individuals compared to white individuals. The Eighth Circuit ruled in favor of Wells Fargo concluding that federal law prohibits “any person who has been convicted of a criminal offense involving dishonesty or a breach of trust” from working at a financial institution insured by the Federal Deposit Insurance Corporation, which can result in fines of up to $1 million per day. As a result, even though the policy terminated minorities at a higher rate the court held “the district court correctly recognized that the bank’s ‘sound business decision was to terminate regardless of race or age or ethnicity.’” The case is Cara Williams et al. v. Wells Fargo Bank N.A., Case No. 16-4372, in the U.S. Court of Appeals for the Eighth Circuit.
Eighth Circuit Holds Individual Plaintiff Lacks Standing for Alleged Violations of the FCRA’s Authorization and Disclosure Requirement
On September 6, 2018, in Auer v. Trans Union, LLC, the U.S. Court of Appeals for the Eighth Circuit joined the Seventh Circuit in holding that an individual plaintiff did not have constitutional standing to sue in federal court under the Fair Credit Reporting Act (FCRA) for an alleged violation of the FCRA’s authorization and disclosure requirement. This is one in slew of recent federal circuit court opinions that address the threshold issue of standing. Standing is constitutionally required for the plaintiff to pursue his or her claim in federal court. In order to have standing, a plaintiff must show that he or she suffered a concrete “injury-in-fact” because of the defendant’s alleged wrongdoing. In Auer, the court held that the plaintiff failed to establish her standing and directed the trial court to dismiss the lawsuit.
Following Spokeo, Standing is a Live Issue in the Circuit Courts
Constitutional standing has been a live issue since the U.S. Supreme Court revisited the legal standard in Spokeo, Inc. In Spokeo, the plaintiff alleged that the defendant violated the FCRA by publishing false information about him to prospective employers. The Court held that a plaintiff does not “automatically” have the requisite injury-in-fact “whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” In other words, a plaintiff is not entitled to proceed in federal court merely because the plaintiff claims that the defendant violated the plaintiff’s statutory rights. To demonstrate standing, the plaintiff must allege and ultimately prove that the violation caused the plaintiff an injury-in-fact. The Court remanded the case to the Ninth Circuit to determine whether the plaintiff’s allegations satisfied the “concreteness” element of standing—i.e., whether the statutory violation actually caused the plaintiff to suffer some “real” harm that “actually exists in the world.”
Federal circuit courts have been applying Spokeo to FCRA cases with varying results. For example, earlier this year, the Ninth Circuit issued an opinion, Dutta v. State Farm, which addressed constitutional standing under the FCRA’s “pre-adverse action” notice provision. The Ninth Circuit held that the plaintiff in Dutta failed to allege that the violation resulted in actual harm or substantial risk of harm, even though he sufficiently alleged a violation of the FCRA.
In contrast, last month the Seventh Circuit in Robertson v. Allied Solutions, LLC reached the opposite conclusion, finding that the plaintiff established standing for her class action claims based on the same alleged violation of the FCRA’s pre-adverse action notice requirement. The Seventh Circuit reasoned that the plaintiff had alleged a sufficient injury to confer standing because she claimed that she was not provided with information she was entitled to by law, i.e., a copy of the background report and a summary of her legal rights under the FCRA.
Interestingly, the Ninth and Seventh Circuits recently reached the reverse conclusion in cases involving the FCRA’s authorization and disclosure requirement—the requirement at issue in Auer. The Ninth Circuit upheld, while the Seventh Circuit rejected, the plaintiff’s standing.
The plaintiff in Auer alleged that the City of Minot, North Dakota, had wrongfully terminated her employment after it improperly obtained her credit report. She brought claims against the City, the law firm that represented the City, and the background check company, CBCInnovis, Inc. (CBC), for violations of the FCRA. The trial court dismissed the plaintiff’s claims against all of the defendants. She filed an appeal. On appeal, the Eighth Circuit reframed the issue and identified the “threshold question” as whether the plaintiff alleged sufficient injury to have standing to proceed in federal court. The plaintiff claimed that she had suffered injury to her privacy, reputation, personal security, the security of her identity information, and loss of time spent trying to prevent further violations of her rights under the FCRA. The Eighth Circuit disagreed, holding that she failed to state facts establishing any concrete injury. The court found that the plaintiff’s privacy was not harmed because she gave consent for the City’s background check. In addition, the court determined that the plaintiff’s allegation of reputational harm, which may in some instances constitute an injury for standing, was not pled with sufficient detail. Further, the plaintiff failed to allege any facts that the security of her personal information had been compromised, and the plaintiff could not manufacture standing by claiming loss of her personal time based on her “fears of hypothetical future harm that is not certainly impending.” As a result, the Eighth Circuit directed the trial court to dismiss the plaintiff’s claims for lack of jurisdiction.
The recent opinions across the federal circuit courts indicate that this is a developing area of the law that will turn on the specific facts. There is no bright-line rule that will dictate the outcome of the standing question in FCRA cases. Employers thus must continue to keep a close eye on their compliance with the FCRA in order to minimize their legal risks, including the fertile risk of class action litigation. Overall, employment-related background checks continue to implicate a host of legal obligations, including duties under the many state and local “ban the box” laws. Accordingly, employers should continue to keep the compliance with all of the various laws on the top of their to-do list.
FCRA Disclosures and Authorization
The Central District of California just issued a summary judgment ruling in case regarding how clear and conspicuous a FCRA disclosure form and authorization must be. In Luna v. Hansen & Adkins Auto Transp., Inc., 313 F. Supp. 3d 1151 (C.D. Cal. 2018), a job applicant brought a putative FCRA class action against his employer. During the potential liability period, the defendant had approximately 3,000 job applicants. Both sides moved for summary judgment. Under FCRA, job applicants must be notified in writing before an employer may obtain a consumer report for employment purposes, and this notice must be separate, clear, and conspicuous. The plaintiff alleged that his employer violated FCRA because the employer provided the FCRA disclosure with an application package containing six other documents. Plaintiff argued that this was not a clear and conspicuous disclosure that would satisfy FCRA’s stand-alone document requirement. Conversely, the employer argued its disclosure form was FCRA compliant because the form was its own single-page document that did not contain anything else other than the disclosure. The Court agreed with the employer, finding that there was nothing in the statutory language of FCRA that requires a “FCRA disclosure not only in a separate document, but also separate in time from any other documents.” The Court noted that this sort of timing requirement would make it difficult for courts to determine how much time would be adequate. Score one for the employer. FCRA also requires that an employer obtain an applicant’s written authorization before conducting a background check. The plaintiff argued that the employer’s FCRA authorization was “buried” at the end of its job application and thus did not comply with FCRA. Defendant argued that unlike FCRA disclosures, there is no stand-alone document requirement at all for FCRA authorizations. Again, the Court ruled in the employer’s favor. The Court found that FCRA’s authorization provision “sets forth no requirements about the form in which the authorization must be presented[.]” Accordingly, the Court found that plaintiff’s argument that FCRA requires a stand-along authorization form failed as a matter of law. Another point scored for the employer. But, the saga continues. The plaintiff has filed a notice of appeal with the Ninth Circuit. So we’ll have to wait and see whether this ruling remains on the books.
Third Circuit Holds Individual Plaintiffs Lack Standing for Some Alleged Violations of the FCRA’s Pre-Adverse Action Notice Requirement
On September 10, 2018, in Long v. Southeastern Pennsylvania Transportation Authority (SEPTA), the U.S. Court of Appeals for the Third Circuit joined the chorus of recent circuit court opinions tackling the question of constitutional standing to sue in federal court under the Fair Credit Reporting Act (FCRA). Standing is constitutionally required for the plaintiff to pursue any claims in federal court. It is a question that implicates the court’s jurisdiction to adjudicate the case, not a determination of the merits of the plaintiff’s claims. In order to have standing, a plaintiff must show that he or she suffered a concrete “injury-in-fact” because of the defendant’s alleged wrongdoing. In Long, the court held that the plaintiffs established standing for one type of violation of the FCRA’s “pre-adverse action” notice requirement (failing to provide them with a copy of the background report before terminating their employment), but not the other (failing to provide them with information about their rights under the FCRA before doing so).
The Circuit Court Landscape
Constitutional standing has become a primary battleground in consumer rights cases in federal court, including FCRA class actions. The Supreme Court breathed new life into the issue when it revisited the legal standard in Spokeo, Inc. v. Robins. In Spokeo, the plaintiff alleged that the defendant violated the FCRA by publishing false information about him to prospective employers. The Court held that a plaintiff does not “automatically” have the requisite injury-in-fact “whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” In other words, a plaintiff is not entitled to proceed in federal court merely because the plaintiff claims that the defendant violated the plaintiff’s statutory rights. To demonstrate standing, the plaintiff must allege and ultimately prove that the violation caused the plaintiff an injury-in-fact. The Court remanded the case to the Ninth Circuit to determine whether the plaintiff’s allegations satisfied the “concreteness” element of standing—i.e., whether the statutory violation actually caused the plaintiff to suffer some “real” harm that “actually exists in the world.”
Recently, the federal circuit courts have issued several opinions applying Spokeo to FCRA cases. All of the courts have been faithful to Spokeo’s mandate to require the plaintiff to do more than merely allege a statutory violation. Some courts have found the requisite injury-in-fact, but others have not. For example, in Auer v. TransUnion, et al., the Eighth Circuit recently joined the Seventh Circuit in finding that the plaintiff job applicant lacked standing to sue in federal court for a violation of the FCRA’s disclosure and authorization provision. Last year, the Ninth reached the opposite conclusion in a similar case, holding that the plaintiff had standing to sue in federal court.
The courts have likewise come to varying opinions in cases considering the question of standing to sue in federal court for violations of the FCRA’s “pre-adverse action” notice provision. Last month, the Seventh Circuit in Robertson v. Allied Solutions, LLCheld that the plaintiff established standing for her class action claims, reasoning that the plaintiff had alleged a sufficient injury to confer standing because the plaintiff claimed that she was not provided with information she was entitled to by law, i.e., a copy of the background report and a summary of her legal rights under the FCRA. Earlier in the year, the Ninth Circuit reached the opposite result in Dutta v. State Farm, holding that the plaintiff failed to allege that the violation resulted in actual harm or substantial risk of harm, even though he sufficiently alleged a violation of the FCRA itself.
The plaintiffs in Long alleged that SEPTA violated the FCRA’s pre-adverse action notice provision by terminating their employment based on their background checks, without first providing them with (i) a copy of the background report, and (ii) information about their rights under the FCRA. They filed a class action lawsuit, but the trial court dismissed it, finding the plaintiffs lacked standing under Spokeo.
On appeal, the Third Circuit held that the plaintiffs had standing for the first alleged violation, but not the second one. After explaining the purpose served by the FCRA’s pre-adverse action notice requirement, the court held that the plaintiffs established their standing by alleging they did not receive a copy of their background reports before SEPTA terminated their employment. The plaintiffs had standing even though they did not allege any errors in the background reports, because they had a right to see the background reports before any adverse action was taking against them. On the other hand, the plaintiffs lacked standing based on their failure to receive information about their rights under the FCRA, because this was a “bare procedural violation, divorced from any concrete harm.” The plaintiffs were not injured, the court explained, because they learned of their rights under the FCRA and were able to file their lawsuit within the FCRA’s two-year statute of limitations. The court thus affirmed the dismissal in part and remanded the case to the district court for further proceedings only as to the first of the two alleged FCRA violations.
The slew of recent federal circuit court opinions underscore how standing is a developing area of the law that will turn on the specific facts. There is no bright-line rule that will dictate the outcome of the standing question in FCRA cases. Employers thus must continue to keep a close eye on their compliance with the FCRA in order to minimize their legal risks, including the fertile risk of class action litigation.
Generally speaking, employment-related background checks continue to implicate a host of legal obligations, including duties under the many state and local “ban the box” laws. Employers therefore should continue to keep the compliance with all of the various laws on the top of their to-do list.
Seventh Circuit Allies with FCRA Class Action Plaintiffs on Spokeo Grounds
On August 29, the Seventh Circuit reentered the multi-front fray that has broken out among lower courts in the wake of the Supreme Court’s 2016 decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016). Robertson v. Allied Solutions began with a familiar fact pattern: Robertson applied for a job with Allied, and Allied decided not to hire her based on a negative, but accurate, background check. Robertson then sued on behalf of a putative class, claiming that Allied had made its decision without first providing her with a copy of the background check and an opportunity to address its contents, as required by the FCRA. 15 U.S.C. § 1681b(b)(3). (Allied allegedly also failed to provide properly formatted pre-background check disclosures, but Robertson did not press that claim on appeal.) The parties tentatively settled the case and sought the district court’s approval of the settlement. Rather than rule on the motion, however, the district court dismissed the action of its own accord for lack of subject-matter jurisdiction, finding that Robertson had not suffered concrete harm sufficient to confer standing. The Seventh Circuit reversed. Robertson v. Allied Solutions LLC, —F.3d—, 2018 WL 4113815 (Aug. 29, 2018). It began by acknowledging that Robertson had been denied information that, by law, she should have received. That fact alone, however, was not enough to confer standing: the Seventh Circuit emphasized that so-called “informational injury” is only concrete where the plaintiff was deprived of the opportunity to use the information for a substantive purpose. In the context of “pre-adverse action” notices, the court reasoned, that substantive purpose is to give employees the chance to provide context for negative information in their background checks, regardless of the information’s truth. Because Robertson had been denied that opportunity, her claims could proceed. Notably, the panel rejected Allied’s argument that Robertson lacked standing because she could not have changed or corrected the report, for two reasons. First, the court inferred that because the FCRA specifically addresses accuracy of consumer reports in other sections, accuracy is not this subsection’s primary goal. Rather, § 1681b(b)(3) aims to facilitate dialogue between applicants and employers. Second, the court noted that Article III’s standing requirements do not require a plaintiff to show that she was deprived of some benefit, but only that she was deprived of the chance to obtain the benefit. Perhaps the most noteworthy aspect of this decision is its clash with the Ninth Circuit’s recent holding in Dutta v. State Farm, 895 F.3d 1166 (9th Cir. 2018). According to Dutta, State Farm had withdrawn his job offer based on an admittedly inaccurate background check and had not given him a chance to explain it. State Farm, like Allied, countered that it would have made the same decision regardless of any explanation Dutta could have offered because it based its decision on a part of the background check that was correct. The Ninth Circuit acknowledged that Dutta had plausibly pled a violation of § 1681b(b)(3), but nonetheless found standing lacking because he could not have gotten the job.
In light of the Ninth Circuit’s historically high tolerance for comparable claims, this rebuff was surprising—particularly so because both it and the Seventh Circuit reached opposite conclusions regarding standing to contest pre-background check disclosures under 15 U.S.C. § 1681b(b)(2). See Syed v. M-I LLC, 853 F.3d 492 (9th Cir. 2017) (standing); Groshek v. Time Warner Cable, Inc., 865 F.3d 884 (7th Cir. 2017) (no standing). Ultimately, however, all of these decisions merely underscore that the debate over Spokeo’s impact on class actions is far from over.
Connecticut Court Holds That Refusing to Hire Medical Marijuana User Constitutes Employment Discrimination
A federal court in Connecticut has held that refusing to hire a medical marijuana user who tested positive on a pre-employment drug test violates the state’s medical marijuana law. The Court granted summary judgment to the applicant on her claim for employment discrimination but declined to award her attorneys’ fees or punitive damages. The Court also dismissed her claim for negligent infliction of emotional distress. Noffsinger v. SSC Niantic Operating Co., LLC, d/b/a Bride Brook Health & Rehab. Ctr., 2018 U.S. Dist. LEXIS 150453 (D. Conn. Sept. 5, 2018).
Plaintiff Katelin Noffsinger accepted a job offer from Bride Brook, which was contingent on passing a pre-employment drug test. Noffsinger advised that she was a registered qualifying patient who has used medical marijuana since 2015, when she began using it to treat post-traumatic stress disorder. When the drug test came back positive for marijuana, she was not hired because the employer followed federal law holding that marijuana is illegal. Noffsinger filed a complaint in state court, alleging, among other things, a violation of the Connecticut Palliative Use of Marijuana Act (“PUMA”)’s anti-discrimination provision. The provision states, “[n]o employer may refuse to hire a person or may discharge, penalize or threaten an employee solely on the basis of such person’s or employee’s status as a qualifying patient.” Bride Brook made a motion to dismiss. As discussed in our earlier blog post about this case, the Court held that: (1) PUMA provides a private right of action to aggrieved medical marijuana patients; and, (2) federal law does not preempt PUMA’s prohibition on employers’ firing or refusing to hire qualified medical marijuana patients, even if they test positive on an employment-related drug test. Noffsinger v. SSC Niantic Operating Co., LLC, d/b/a Bride Brook Health & Rehab. Ctr., 273 F.Supp.3d 326 (D. Conn. Aug. 8, 2017). After that decision, the case proceeded with discovery, and then both parties moved for summary judgment.
Federal Drug-Free Workplace Act Did Not Require Withdrawal of the Job Offer
Bride Brook argued that PUMA provides for an exception from the anti-discrimination provision when “required by federal law or required to obtain federal funding.” It argued that the federal Drug-Free Workplace Act barred it from hiring Noffsinger because that law prohibits federal contractors from allowing employees to use illegal drugs. Marijuana is illegal under federal law. The Court rejected that argument because the Drug-Free Workplace Act does not require drug testing and does not regulate employees who use illegal drugs outside of work while off-duty. Similarly, the Court rejected the argument that hiring Noffsinger would violate the False Claims Act, holding that it would not defraud the federal government to hire an employee who uses medical marijuana outside of work while off-duty. Bride Brook also argued that it did not violate PUMA because it did not discriminate against Noffsinger based on her status as a medical marijuana user, but rather, it relied on the positive drug test result. The Court dismissed this argument because it would render a medical marijuana user’s protection under the statute a nullity. While the Court held that the employer had engaged in employment discrimination, it declined to award Noffsinger attorneys’ fees or punitive damages because those types of damages are not expressly recoverable under PUMA. Additionally, the Court dismissed the claim for negligent infliction of emotional distress because the employer did not engage in “unreasonable conduct” and Noffsinger chose to give notice to her prior employer before she had advised Bride Brook of her medical marijuana use.
Implications for Employers
Noffsinger illustrates that employers (including federal contractors) should not rely solely on federal law or their status as a federal contractor when making employment decisions with regard to applicants and employees who use medical marijuana. Courts in Connecticut and certain other states will enforce state law discrimination prohibitions with regard to medical marijuana use. Employers in Connecticut and elsewhere should consider the marijuana laws affecting their workplaces now, before an issue arises, and adjust their policies as necessary.
Department of Commerce Sent Letter Regarding Privacy Shield
On August 30th, the Department of Commerce sent a letter (https://epic.org/privacy/intl/Politico-USletter-PrivacyShield.pdf) to the president of the European Parliament stating that the U.S. is in compliance with the Privacy Shield Framework. The letter is in respect to a resolution passed by the Parliament calling for the suspension of the Privacy Shield agreement unless the U.S. can comply, claiming the agreement does not ensure adequate protection of citizens’ personal data following the Facebook Cambridge Analytica scandal and other privacy-related concerns. In its response, the Commerce Department provided responses to concerns highlighted by the European Parliament (https://epic.org/privacy/intl/Politico-USletterAnnex-PrivacyShield.pdf).
European Commission Publishes Draft GDPR Adequacy Decision for Japan
On September 5th, the European Commission published the draft adequacy decision for Japan. The draft includes additional safeguards Japan will apply to EU personal data transferred to Japan and commitments regarding access to personal data by Japanese authorities for law enforcement and national security purposes. The decision will now be examined by the European Data Protection Board. Key elements of the adequacy decision are: (i) Creating a set of rules providing individuals in the EU whose personal data is transferred to Japan with additional safeguards that will bridge several differences between the two data protection systems, including safeguards that will strengthen the protection of sensitive data and individual rights; (ii) Ensuring that any use of personal data by Japanese public authorities for law enforcement and national security purposes will be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms; and (iii) Establishing a complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities.
Criminal Convictions Checks Under the GDPR
Following the implementation of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), UK businesses need to revisit their policies for carrying out criminal record checks (including on employees and prospective employees). Pre-GDPR, it became common practice for many UK businesses to carry out criminal convictions checks on their prospective employees as a matter of course, and to require their suppliers to do the same. UK businesses now need to carefully consider whether they can justify processing criminal convictions data under the GDPR where there is no actual legal requirement to carry out a criminal record check.
Processing of Criminal Convictions Personal Data Under the GDPR and DPA
Article 10 of the GDPR states that any employer who is processing criminal convictions personal data can only do so where a lawful basis exists to justify that processing and national law permits that processing (and puts in place appropriate safeguards).
As with the processing of any types of personal data, there still needs to be a lawful basis for processing criminal convictions data. Consequently, where there is no strict legal obligation for a business to carry out criminal convictions screening, there still needs to be careful consideration as to whether they can rely on another lawful basis. For example, where an employer is seeking to rely on legitimate interests, it must conduct further analysis to assess (among other issues) if its interests are enough to outweigh the intrusion on an employee’s privacy.
The DPA Conditions
The DPA (under section 10(5)) has introduced further conditions that businesses must meet (in addition to the requirements of the GDPR) and again, businesses must assess and be able to justify whether a specific condition applies.
There is no condition which permits any employers to carry out blanket criminal conviction checks as part of its recruitment process and so the conditions will need to be reviewed on a case-by-case basis depending on the purpose of the processing. For instance, businesses may process criminal convictions data (in accordance with the GDPR) where there is a ‘regulatory requirement’ and this includes ‘requirements forming part of general accepted principles of good practice’ in relation to the relevant area, as well as those set out in law. This is likely to be a relevant condition for a business which is authorized by the Financial Conduct Authority.
The Issue of Employee Consent
Where alternative conditions do not exist there remains scope for businesses to rely on consent, both under the GDPR and the DPA, to carry out criminal record screening. However, there may well be difficulties in obtaining consent in such scenarios. For example, there will always remain a risk that obtaining consent from an employee (or prospective employee) raises issues given that the imbalance of power in the employer / employee relationship arguably negates real consent for fear of reprisals. Further, businesses also need to be wary that any consent mechanism, and any consent obtained, meets the enhanced requirements of the GDPR—for example, for consent to be freely given an individual should be entitled to refuse consent without being prejudiced as a result. However, absent any other available conditions, in practice consent is likely to be the only viable means of justifying the processing of criminal convictions data for a number of businesses (including in an employment context).
What should businesses do next?
Any UK business which routinely conducts criminal convictions screening will need to reconsider some of their basic screening and recruitment practices or risk being in breach of the GDPR and/or the DPA. With guidance from the Information Commissioner’s Office on this area still outstanding, analysis carried out should be kept under review and updated where appropriate. Aside from recruitment practices, businesses should also be assessing the impact of these issues on other aspects of their business. For example, service providers who are under obligations from clients to undertake criminal screening of their own employees as a condition of being appointed to an account will need to carefully consider whether those activities remain lawful under the new regime. Whatever the outcome of any further analysis, the format, positioning, provision and content of privacy notices relating to the use of criminal convictions data takes on new significance for all businesses (particularly where consent is required). Therefore, businesses will need to make sure their own employee privacy policies set out their adopted approach to criminal convictions data in a concise, transparent, intelligible and easily accessible form.
U.K.’s First GDPR Enforcement Action Against Non-E.U. Company Marks a Significant Milestone
The European Union General Data Protection Regulation (GDPR) may be only four months old, but the regulators responsible for enforcing it are already testing the limits of their powers. The United Kingdom Information Commissioner’s Office (the ICO) confirmed last week that it has issued its first extraterritorial enforcement notice under the GDPR. The subject of the action is AggregateIQ, a small Canadian company that provides targeted advertising services on social media and has no permanent presence in the E.U. Earlier this year, a whistleblower alleged that AggregateIQ was linked to Cambridge Analytica, the company that allegedly used Facebook data to aid Donald Trump’s 2016 presidential campaign in violation of Facebook’s policies. AggregateIQ was also hired by the supporters of Vote Leave, the 2016 referendum campaign that successfully persuaded U.K. voters to vote in favor of “Brexit,” the decision to leave the E.U. It was the work on Brexit that brought AggregateIQ to the attention of the ICO.
Five Things You Should be Doing to Prepare for Canada’s New Privacy Rule
Organizations should start now to get ready for Canada’s new privacy breach notification rules, say experts. The new regulations require organizations to notify individuals and Canada’s Privacy Commissioner of all security breaches that could result in a “real risk of significant harm” to an individual. The regulations, under the Personal Information Protection and Electronics Documents Act (PIPEDA), come into effect on November 1. They apply to all companies, except those in British Columbia, Alberta and Quebec, which have their own privacy laws. “It’s more than a subtle change,” said Scott Smith, senior director, Intellectual Property & Innovation Policy, Canadian Chamber of Commerce. “Every breach, whether significant or not, must be recorded.”
How to Get Started
Organizations will need all hands on deck to review their compliance with the new rules, including teams from IT, legal, security and communications, says Sylvia Kingsmill, Canadian digital privacy & compliance leader with KPMG. Here are five practical steps to consider:
- Identify the data – “The most important thing is to take a pragmatic approach to see what information you have, where it is and how sensitive it is,” says Jason Cassidy, CEO of ShinyDocs. The requirements cast a wide net, he notes. “Even an internal email about an office party could contain sensitive personal information,” Cassidy adds.
- Automate – One of the biggest challenges is to keep track of all of the breaches, says Kingsmill. Under the rules, a record of all breaches must be kept for two years after the breach was identified. Kingsmill suggests that organizations should consider automating their information management and breach tracking. “It has to be continually updated, and that is arduous to do manually,” she says. “You’d be surprised how many organizations are tracking their data on an excel spreadsheet.”
- Draft policies and procedures – Organizations need a step-by-step plan on what to do, and who will do it, when a breach happens, says Kingsmill. A coordinated communications plan is extremely important. “Keeping the regulator informed as you go along is a minimum,” she says. All communications, including to the media, must be accurate and consistent. She notes that the Alberta Privacy Commissioner provides a good guide on the key steps to respond to breaches.
- Stress test the plan – Even when organizations have a plan in place, there can be a lack of coordination among all stakeholders, especially internally, says Kingsmill. Breach response plans should be regularly tested, she says. “It takes the coming together of all stakeholders to get things right.”
- Train staff – Employees need to clearly understand what constitutes a breach and when there is a real risk of significant harm, says Kingsmill.
More Guidance Needed
The government should do more to build awareness of the rules, says Smith, noting that the Canadian Chamber of Commerce is currently working on some guidelines for business.