Scherzer Blog

Digital Spring Cleaning

Spring is traditionally a time when people do a deep cleaning of their homes. Have you thought about taking this one step further and doing a digital security deep clean? We recommend reviewing at least every quarter to minimize the risk of identity theft. Here are four steps to get you started to protect your personal data. 

  • Change your passwords. Your company probably automatically asks you to switch passwords every 4-6 weeks. But when is the last time you changed your passwords on your personal social media accounts, subscriptions, or places you shop? You should consider updating these passwords, too. In fact, old passwords can be easy ways for hackers to steal your identity. Delete old accounts you no longer use. You might be surprised to find that some of those are decades old with easily guessed passwords. When you choose your new passwords, do not repeat them across various accounts. You’re just making it easier to get hacked.
  • Review your social media accounts. Have you been cloned on Facebook, Instagram, or other social media platforms? Take a moment and search for yourself on these sites and see if you appear more than once. Don’t wait for your friends to send you a text saying, “I just got a friend request from you, but we’re already friends.” If you’ve been cloned, report it and change your passwords.
  • Avoid oversharing. Think twice before you overshare information or play a social media game that asks you to list personal information about yourself. These simple activities are ways that hackers gather your data. The latest high-risk trend is sharing a picture of your COVID vaccination record with your full name and date of birth clearly visible. Instead, consider sharing a photo of an “I got vaccinated” sticker. 
  • Have you been hacked? A cybersecurity FBI agent once told me, “It used to be a case of not if, but when you’ve been hacked. Now it’s a case of you’ve been hacked, and you either know it or don’t know it yet.” HaveIBeenPwned is one of several free sites where you can check if you’ve been caught up in a security breach.

These four steps will help you do a simple yet effective spring cleaning of your digital presence and protect your online identity. 

March 18th, 2021|Risk Management, Security, Social Media|

Pre-Employment Screening during the Pandemic

It is a standard practice for employers to run background checks on potential new hires. Such checks help employers protect their company by learning about the trustworthiness of the candidate through their financial, criminal, and driving records and education and employment verifications. But the pandemic has affected the operations of many institutions worldwide. From court closures to remote college campuses, it may be more difficult for the screening provider to check a criminal record or verify an educational background. Nonetheless, the possibility of delay should not cause employers to lower the standards of their screening policies.

The most important reason why an employer should not temporarily waive certain parts of a background check is because it may make it harder to justify its necessity in the future. For example, say a court is closed and is unable to provide information on candidates’ criminal history. Because of this, an employer who is anxious to add the new hire to the frontline chooses to waive the criminal check requirement. Well, when a court begins to provide legal information again and an employer decides to reinstate the criminal check requirement, the employer could face compliance issues.

Under current anti-discrimination laws, namely Title VII of the Civil Rights Act of 1964, employers must demonstrate that its hiring practices are “job related” and “consistent with business necessity.” But if an employer chooses to forgo the criminal checks during the pandemic and wishes to reinstate them later, they may be violating this law. Since the criminal check was once suspended, one could argue that the practice was not job related or that it was not a business necessity. Furthermore, streamlining the employment screening process by waiving certain aspects could lead an employer to overlook valuable insight into a candidate’s character. Therefore, while a shorter background check program during the pandemic could bring short-term benefits, it runs significant long-term risks.

So, what are your options?

We have outlined up two possible avenues available to employers during these times.

Hire now (but reserve the right to run future background checks)

If a company is in a position in which new hires are urgently needed, they may hire the candidates based on the information available to them at the time of the background check and reserve the right to conduct additional background checks post-hire, once information providers resume to normal operations. But if an employer takes this route, they must clearly communicate with both their background check provider and the new hire.

They should work with the background check provider to take note of those candidates whose checks are not yet completed so that the provider can easily revisit the report in the future. Employers should also make it clear in an employee’s offer letter that the offer of employment is contingent upon the successful completion of a background check that may occur at a later date.

Delay the hire

For employers who are required by law to complete background checks prior to a new hire’s start date, they may have to delay the worker’s start date. But whether a background check provider can access the required information for an employment screen depends on the location of the various sources of information, from the courthouses to the educational institutions.

All in all, although background checks may take longer during the pandemic, they are, especially now, critical to manage your risk. With the rising number of job seekers and the remote workforce, companies must do what they can to ensure that they are hiring qualified professionals who will be valuable additions to the company.

September 10th, 2020|Employment Decisions|

Client Alert: EU Court of Justice Invalidates the EU-US Privacy Shield

An important and unexpected ruling was handed down by the Court of Justice of the European Union (CJEU) on July 16, 2020, in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) that invalidates the EU-U.S. Privacy Shield (“Privacy Shield”) arrangement. Since 2016, the Privacy Shield provided U.S. companies with a mechanism to comply with the General Data Protection Regulation (GDPR) requirements when transferring personal data from the European Union to the U.S.

What this means

Now companies that subscribed to the Privacy Shield must find another GDPR-compliant solution for the transfer of data. The European Data Protection Board indicated in its July 23, 2020 FAQs that it will not be providing a grace period as the authorities had done for the EU-U.S. Safe Harbor (“Safe Harbor”) framework following the “Schrems I” decision.

Notably, the CJEU’s decision expressly stated that the standard contractual clauses (SCCs) previously promulgated by the European Commission (EC) are still a valid tool for data transfers from the EU to the United States. The SCCs are sets of contractual terms and conditions that the controller and the processor of the data both execute to comply with GDPR’s requirements.  However, the CJEU’s decision does not give blanket approval to the SCCs–the decision acknowledged that future challenges to SCCs are permissible by the local data enforcement agency for any EU-member state. For example, an EU-member state might prohibit or suspend exports of personal data from its country under SCCs, if the member state concludes that the SCCs are not or cannot be complied with in the recipient third country (such as the U.S.) because of the member state’s local legal requirements.

The CJEU did not directly reference binding corporate rules (‘BCRs’) which are used for intragroup data transfers and require prior approval of the competent data protection authority. For now, this means that BCRs remain a valid transfer mechanism under the GDPR as BCRs are of a similar nature to  SCCs (both are considered an “appropriate safeguard” pursuant to Article 46 GDPR).

For some situations, an alternative is to look to the narrow derogations under Article 49 of the GDPR, such as to perform a contract or base the transfer on the subject’s explicit consent.  

What happens next

When the adequacy of the Safe Harbor was invalidated by the CJEU in 2015, the U.S. Department of Commerce (DOC) and the EC had already been negotiating for an updated trans-Atlantic program for many months. With Schrems II, and although the DOC and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. And the issues cited by the CJEU in Schrems II may require some form of legislative and not merely an administrative action to address. As such, the process to revamp the Privacy Shield is unlikely to be concluded any time soon.  

The DOC, in a press release in response to the CJEU’s decision, and later in its updated Privacy Shield FAQs, stated that it will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification and maintaining the participants’ list. The DOC emphasized that the CJEU’s decision “does not relieve participating organizations of their Privacy Shield obligations.”

The UK’s Data Enforcement Agency also issued a statement advising companies to continue using the Privacy Shield until new guidance becomes available but added that companies “do not start using the Privacy Shield during this period.”

Stay tuned for more regulatory guidance and other developments in the next few weeks.

Disclaimer: This is not legal advice. The resources and information provided here are for educational purposes only. Consult your own counsel if you have legal questions related to your specific practices and compliance with applicable laws.

July 30th, 2020|Judgment|

The CFPB issues new policy guidance on credit reporting and dispute resolution

On April 1, 2020, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a non-binding general policy statement (“Policy Statement”) regarding the Fair Credit Reporting Act (FCRA) and Regulation V in light of the recently enacted Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

The CFPB’s Policy Statement highlights furnishers’ responsibilities and informs consumer reporting agencies (“CRAs”) of the Bureau’s flexible supervisory and enforcement approach during this pandemic. The Bureau intends to consider the circumstances that entities face as a result of the COVID-19 pandemic and their good faith efforts to comply with statutory and regulatory obligations as soon as possible.

The Bureau believes that this flexibility will help furnishers and CRAs to manage the challenges of the current crisis. Below are examples of the flexibility the Bureau intends to provide in the consumer reporting system.

Furnishing consumer information impacted by COVID-19: The Bureau reiterates its prior guidance encouraging financial institutions to work constructively with borrowers and other customers affected by COVID-19 to meet their financial needs. While companies generally are not legally obligated to furnish information to CRAs, the Bureau encourages them to continue doing so despite the current crisis. Furnishers’ providing accurate information to CRAs produces substantial benefits for consumers, users of consumer reports, and the economy as a whole. The CARES Act, a section of which amends the FCRA, generally requires furnishers to report as current certain credit obligations for which furnishers make payment accommodations to consumers affected by COVID-19 who have sought such accommodations from their lenders. Many furnishers are or will be offering consumers affected by COVID-19 various forms of payment flexibility, including allowing consumers to defer or skip payments, as required by the CARES Act or voluntarily. Such payment accommodations will avoid the reporting of delinquencies resulting from the effects of COVID-19. The Bureau supports furnishers’ voluntary efforts to provide payment relief, and it does not intend to cite in examinations or take enforcement actions against those who furnish information to CRAs that accurately reflects the payment relief measures they are employing.

Disputes: The FCRA generally requires that CRAs and furnishers investigate disputes within 30 days of receipt of the consumer’s dispute. The 30-day period may be extended to 45 days if the consumer provides additional information that is relevant to the investigation during the 30-day period. The Bureau is aware that some CRAs and furnishers may face significant operational disruptions that pose challenges in the investigations. For example, some CRAs and furnishers may experience reductions in staff, difficulty in taking disputes, or lack of access to necessary information, rendering them unable to investigate the disputes within the timeframes the FCRA requires. Furnishers include a wide variety of businesses that vary in size and sophistication and can range from small retailers to very large financial services firms, each of which will face unique challenges due to the COVID-19 pandemic. In evaluating compliance with the FCRA as a result of the pandemic, the Bureau will consider a CRA’s or furnisher’s individual circumstances and does not intend to cite in an examination or bring an enforcement action against a CRA or furnisher making good faith efforts to investigate disputes as quickly as possible, even if dispute investigations take longer than the statutory timeframe. The Bureau reminds furnishers and CRAs that they may take advantage of statutory and regulatory provisions that eliminate the obligation to investigate disputes submitted by credit repair organizations and disputes they reasonably determine to be frivolous or irrelevant. The Bureau will consider the current constraints on furnishers’ and CRAs’ time, information, and other resources in assessing if such a determination is reasonable.

Regulatory requirements: The Policy Statement is a non-binding general statement of policy articulating considerations relevant to the Bureau’s exercise of its supervisory and enforcement authorities. It is therefore exempt from the notice and comment rulemaking requirements under the Administrative Procedure Act pursuant to 5 USC 553(b).

Resources for consumers and small businesses facing the impacts of the COVID-19 pandemic are available on the Bureau’s website at https://www.consumerfinance.gov/coronavirus/.

April 3rd, 2020|Guidance|

Q1 2020: UPDATE OF LAWS AFFECTING EMPLOYMENT BACKGROUND SCREENING

As the year and a new decade unfold, we bring you this update on ban-the-box legislation and laws that restrict credit report usage in employment decisions. And no update would be complete without a reminder about a standard-setting federal appellate opinion from 2019 interpreting the Fair Credit Reporting Act (FCRA) disclosure requirement for an employment background check.

Let’s start with a reminder

In January 2019, the Ninth Circuit’s opinion in Gilberg v. California Check Cashing Stores, LLC made clear that any extraneous information in an FCRA disclosure form regarding an employment background check — even if the information is related to state-mandated expansions of consumer rights — violates the FCRA’s requirement that the disclosure must be “in a document that consists solely of the disclosure.

Even seemingly innocuous content, such as asking for an acknowledgment that the candidate received the FCRA summary of rights or including a statement that hiring decisions are based on legitimate non-discriminatory reasons may run afoul of the FCRA. And any state and local notices regarding the background check must be provided in separate documents, as applicable to each candidate.

Experts believe that the number of class-action lawsuits brought under the FCRA for technical errors will continue to increase. But there is an easy way to comply:

Present the disclosure to the candidate in a separate, standalone, conspicuous document. Make it clear and simple. Keep it short.

Ban-the-box laws continue to proliferate

“Ban-the-box” measures – which generally prohibit employers from inquiring about a candidate’s criminal history (including performing background checks) until later in the hiring process – continue to proliferate. Currently, 14 states (CaliforniaColoradoConnecticutHawaii; IllinoisMaryland (effective February 29, 2020); MassachusettsMinnesotaNew JerseyNew Mexico; Oregon; Rhode Island; Vermont and Washington) and 22 local jurisdictions (Austin, TX ; Baltimore, MDBuffalo, NYChicago, ILCook County, ILColumbia, MODistrict of ColumbiaGrand Rapids, MIKansas City, MOLos Angeles, CA; Montgomery County, MDNew York City, NY;  Philadelphia, PA; Portland, ORPrince George’s County, MDRochester, NYSaint Louis, MO (effective January 1, 2021); San Francisco, CA; Seattle, WA; Spokane, WA; Waterloo, IA (effective July 1, 2020 but lawsuit filed to strike down the ordinance); and Westchester County, NY) have such laws in place for private employers.

Be mindful of credit restrictions

Less popular than state and local legislatures on ban-the-box and prohibitions on salary history inquiries, credit check restrictions remain an important consideration for employers. Ten states CaliforniaColoradoConnecticut, Hawaii, Illinois, Maryland, Nevada, OregonVermont, and Washington – as well as ChicagoDistrict of ColumbiaNew York City, and Philadelphia all place restrictions on employers’ use of credit reports with exceptions for the use of such checks when required by law or the responsibilities of the position.      

Arguably, the most imposing local credit report law to date continues to be the New York City’s Human Rights amendment that went into effect on May 6, 2015, and made requesting and using consumer credit history for hiring and other employment purposes, with certain exceptions, an unlawful discriminatory practice. The law provides that a “consumer credit report” includes “any written or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.”Many legal experts hold that the broad scope of this definition not only prohibits obtaining a consumer credit report but also searches of liens, judgments, bankruptcies, and financially-related lawsuits if there is no exemption. There is no case law on this matter. 

On the national level, the U.S. House of Representatives on January 29, 2020, passed legislation that prohibits employers from using credit reports for employment decisions, except when required by law or for a national security clearance. The bill also prohibits asking questions about applicants’ financial past during job interviews or including questions about credit history on job applications. The U.S. Senate, however, is not expected to introduce the legislation.

March 6th, 2020|Employment Decisions|

Ninth Circuit Defines “Standalone, Clear and Conspicuous” Disclosure for Obtaining Employment-Purpose Background Checks

On January 29, 2019, the U.S. Court of Appeals for the Ninth Circuit in Gilberg v. California Check Cashing Stores, LLC instructed employers about the importance of complying with background check disclosure requirements found in the Fair Credit Reporting Act (FCRA).

Pursuant to the federal statute, employers who want to obtain a consumer report (commonly referred to as a background check report) on a job candidate must provide to the candidate a “clear and conspicuous disclosure” about the report in a document that consists “solely of the disclosure.” 15 U.S.C. § 1681b(b)(2)(A).

But when Desiree Gilberg applied for a job with CheckSmart Financial, she received something different. First Gilberg completed a three-page form containing an employment application, a math screening and an employment history verification. She then signed a separate form entitled, “Disclosure Regarding Background Investigation.”

The one-page form included the required FCRA disclosure as well as mandated state disclosures for California, Maine, Minnesota, New York, Oklahoma, Oregon and Washington.

Gilberg worked for CheckSmart for five months before voluntarily leaving the job. She then filed a putative class action against the company, alleging that it failed to make proper disclosures as set forth in both the FCRA and California’s Investigative Consumer Reporting Agencies Act (ICRAA).

A district court sided with the employer and dismissed the case. The judge agreed with CheckSmart that its disclosure form complied with both statutes. Gilberg appealed to the Ninth Circuit. She argued that the standalone requirement didn’t permit the combination of state and federal disclosures as CheckSmart had tried.

Considering the issue, the Ninth Circuit recalled a 2017 decision in Syed v. M-I, LLC. In that case, which also involved the standalone requirement, the federal appellate panel held that a prospective employer violated the FCRA when it included a liability waiver in the same document as the mandated disclosure. The statute means what it says, the court emphasized: the required disclosure must be in a document that “consist

[s] ‘solely’ of the disclosure.”

In an effort to distinguish its disclosure from that in the Syed case, CheckSmart told the court that the additional information in its form actually furthered the FCRA’s purpose.

“We disagree,” the court wrote. “Syed’s holding and statutory analysis were not limited to liability waivers; Syed considered the standalone requirement with regard to any surplusage. Syed grounded its analysis of the liability waiver in its statutory analysis of the word ‘solely,’ noting that FCRA should not be read to have implied exceptions, especially when the exception – in that case, a liability waiver – was contrary to FCRA’s purpose. Syed also cautioned ‘against finding additional, implied exceptions’ simply because Congress had created one exception. Consistent with Syed, we decline CheckSmart’s invitation to create an implied exception here.”

Plain meaning trumps purpose, the Ninth Circuit said, rejecting the employer’s contention that its disclosure form was consistent with the intent of the FCRA. Since the surplus language included disclosures required by various state laws that were inapplicable to Gilberg, the court was unable to understand how the CheckSmart form comported with the purpose of the federal statute.

“Because the presence of this extraneous information is as likely to confuse as it is to inform, it does not further FCRA’s purpose,” the court declared.

“Syed holds that the standalone requirement forecloses implicit exceptions,” the panel wrote. “The statute’s one express exception does not apply here, and CheckSmart’s disclosure contains extraneous and irrelevant information beyond what FCRA itself requires. The disclosure, therefore, violates FCRA’s standalone document requirement. Even if congressional purpose were relevant, much of the surplusage in CheckSmart’s disclosure form does not effectuate the purposes of the FCRA.”

In addition to ruling that the district court erred in concluding that the employer’s disclosure form satisfied the FCRA’s standalone document requirement, the Ninth Circuit also held that CheckSmart’s disclosure form was not “clear and conspicuous” under either FCRA or ICRAA.

The court grudgingly found the form to be “conspicuous” (despite characterizing the font as “inadvisably” small and cramped) but held it was not “clear.” The disclosure contained language a reasonable person would not understand, the court said, and its content would confuse a reader with the combination of federal and state disclosures.

As “CheckSmart’s disclosure form was not both clear and conspicuous, the district erred in granting CheckSmart’s motion for summary judgment with regard to the FCRA and ICRAA ‘clear and conspicuous’ requirements,” the panel wrote. The Ninth Circuit reversed dismissal of Gilberg’s complaint and remanded the case to the California district court. (As of this writing, there is a petition for rehearing and rehearing en banc pending before the 9th Circuit.)

For employers, the Ninth Circuit opinion could not be more clear: ensure that the FCRA disclosure form provided to job candidates contains no extraneous or surplus language. The decision also provides an important reminder about keeping disclosures forms clear and conspicuous in order to comply with both federal and state laws.

Pursuant to the federal statute, employers who want to obtain a consumer report (commonly referred to as a background check report) on a job candidate must provide to the candidate a “clear and conspicuous disclosure” about the report in a document that consists “solely of the disclosure.” 15 U.S.C. § 1681b(b)(2)(A).

But when Desiree Gilberg applied for a job with CheckSmart Financial, she received something different. First Gilberg completed a three-page form containing an employment application, a math screening and an employment history verification. She then signed a separate form entitled, “Disclosure Regarding Background Investigation.”

The one-page form included the required FCRA disclosure as well as mandated state disclosures for California, Maine, Minnesota, New York, Oklahoma, Oregon and Washington.

Gilberg worked for CheckSmart for five months before voluntarily leaving the job. She then filed a putative class action against the company, alleging that it failed to make proper disclosures as set forth in both the FCRA and California’s Investigative Consumer Reporting Agencies Act (ICRAA).

A district court sided with the employer and dismissed the case. The judge agreed with CheckSmart that its disclosure form complied with both statutes. Gilberg appealed to the Ninth Circuit. She argued that the standalone requirement didn’t permit the combination of state and federal disclosures as CheckSmart had tried.

Considering the issue, the Ninth Circuit recalled a 2017 decision in Syed v. M-I, LLC. In that case, which also involved the standalone requirement, the federal appellate panel held that a prospective employer violated the FCRA when it included a liability waiver in the same document as the mandated disclosure. The statute means what it says, the court emphasized: the required disclosure must be in a document that “consist[s] ‘solely’ of the disclosure.”

In an effort to distinguish its disclosure from that in the Syed case, CheckSmart told the court that the additional information in its form actually furthered the FCRA’s purpose.

“We disagree,” the court wrote. “Syed’s holding and statutory analysis were not limited to liability waivers; Syed considered the standalone requirement with regard to any surplusage. Syed grounded its analysis of the liability waiver in its statutory analysis of the word ‘solely,’ noting that FCRA should not be read to have implied exceptions, especially when the exception – in that case, a liability waiver – was contrary to FCRA’s purpose. Syed also cautioned ‘against finding additional, implied exceptions’ simply because Congress had created one exception. Consistent with Syed, we decline CheckSmart’s invitation to create an implied exception here.”

Plain meaning trumps purpose, the Ninth Circuit said, rejecting the employer’s contention that its disclosure form was consistent with the intent of the FCRA. Since the surplus language included disclosures required by various state laws that were inapplicable to Gilberg, the court was unable to understand how the CheckSmart form comported with the purpose of the federal statute.

“Because the presence of this extraneous information is as likely to confuse as it is to inform, it does not further FCRA’s purpose,” the court declared.

“Syed holds that the standalone requirement forecloses implicit exceptions,” the panel wrote. “The statute’s one express exception does not apply here, and CheckSmart’s disclosure contains extraneous and irrelevant information beyond what FCRA itself requires. The disclosure therefore violates FCRA’s standalone document requirement. Even if congressional purpose were relevant, much of the surplusage in CheckSmart’s disclosure form does not effectuate the purposes of the FCRA.”

In addition to ruling that the district court erred in concluding that the employer’s disclosure form satisfied the FCRA’s standalone document requirement, the Ninth Circuit also held that CheckSmart’s disclosure form was not “clear and conspicuous” under either FCRA or ICRAA.

The court grudgingly found the form to be “conspicuous” (despite characterizing the font as “inadvisably” small and cramped) but held it was not “clear.” The disclosure contained language a reasonable person would not understand, the court said, and its content would confuse a reader with the combination of federal and state disclosures.

As “CheckSmart’s disclosure form was not both clear and conspicuous, the district erred in granting CheckSmart’s motion for summary judgment with regard to the FCRA and ICRAA ‘clear and conspicuous’ requirements,” the panel wrote. The Ninth Circuit reversed dismissal of Gilberg’s complaint and remanded the case to the California district court. (As of this writing, there is a petition for rehearing and rehearing en banc pending before the 9th Circuit.)

For employers, the Ninth Circuit opinion could not be more clear: ensure that the FCRA disclosure form provided to job candidates contains no extraneous or surplus language. The decision also provides an important reminder about keeping disclosures forms clear and conspicuous in order to comply with both federal and state laws.

March 2nd, 2019|Employment Decisions, Judgment|

Independent contractors and the FCRA

Must employers provide the protections required by the Fair Credit Reporting Act (FCRA) to prospective independent contractors? 

Not according to a new decision from an Iowa court (see Smith v. Mutual of Omaha Insurance Company, No. 4:17-cv-00443 (S.D. Iowa Oct. 4, 2018)) which grappled with the question in the context of a lawsuit filed by an individual against an insurance company where he applied to contract as a salesperson but was rejected because of a falsely reported felony in his background check. The plaintiff accused the insurance company of violating the FCRA by failing to provide him with the statutorily required prior notice that the background check resulted in his not being hired.    

The insurance company asked the court to dismiss the lawsuit, claiming that the FCRA only requires such notice when an applicant seeks to be hired as an employee, and not as an independent contractor. Since the plaintiff applied for an independent contractor position, he was not entitled to the protections of the statute, the insurance company argued. 

The plaintiff countered that he was applying to be an employee of the insurance company and that it was too early to dismiss the case, as further discovery was needed. In the alternative, he argued that the FCRA should still govern his relationship even as an independent contractor.

In ruling on the FCRA issue, Judge John Jarvey began with the language of the law. The FCRA is a broad statute, Judge Jarvey said, and some of its most stringent protections apply when a background check is being obtained “for employment purposes.” 

The definitions section of the FCRA, at 15 U.S.C. § 1681a(h), states that “

[t]he term ‘employment purposes’ when used in connection with a consumer report means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.” This text “makes clear that the pre-adverse action notice requirement only applies when a consumer report is used for employment purposes,” Judge Jarvey wrote. “The meaning of ‘employment purposes’ is specifically defined in the statute, and it is defined as being ‘used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.’”  District courts in Ohio and Wisconsin have reached the same conclusion, Judge Jarvey noted, citing the decisions for support. 

Notably, the Federal Trade Commission (FTC) in its 2011 staff report entitled “40 Years of Experience with the Fair Credit Reporting Act” provided a seemingly contrasting interpretation. The FTC stated that “the term ‘employment purposes’ is interpreted liberally to effectuate the broad remedial purpose of the FCRA and may apply to situations where an entity uses individuals who are not technically employees to perform duties. Thus, it includes a trucking company that obtains consumer reports on individual drivers who own and operate their own equipment; a title insurance company that obtains consumer reports on individuals with whom it frequently enters into contracts to sell its insurance, examine title, and close real property transactions; or a nonprofit organization staffed in whole or in part by volunteers.” 

The FTC’s view can be reconciled with that of Judge Jarvey’s by taking the approach that the applicability of FCRA’s requirements depends on the facts and circumstances of the particular relationship, rather than the formal designation of someone as an independent contractor. 

Given the still remaining disputed issue of whether or not the plaintiff would have been an employee or an independent contractor for the insurance company, the court ordered limited discovery on the issue and declined to dismiss the suit. 

January 2nd, 2019|Employment Decisions, FCRA, Judgment|

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3 (2). Generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing activities of an EU individual’s data (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria is applied on a case-by-case basis, the guidelines provide several examples showing how the targeting criteria can be applied that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic allocation and timing are critical. For purposes of applying the GDPR, thedata subject’s geographic location is assessed atthe moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the datasubject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. TheGDPR protects data subjects that your business profiles or undertakes someanalysis by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and appointment of an EU-based representative poses two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

December 12th, 2018|Educational Series, International, Legislation, Social Media|

California’s overlapping background check laws

For many years, employers have struggled with California’s overlapping statutes governing the use of background checks. Now, the state’s highest court has weighed in, ruling that compliance with the requirements of both laws is mandatory, even where the laws overlap.

A little history is necessary to understand the situation. In 1970, Congress passed the Fair Credit Reporting Act (FCRA). The law defined the term “consumer report” to include an individual’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” The FCRA distinguished between consumer reports that contained information obtained by personal interviews and consumer reports gathered by other means.

The California legislature responded with two state analogues in 1975: the Investigative Consumer Reporting Agencies Act (ICRAA) and the Consumer Credit Reporting Agencies Act (CCRAA). Modeled on the FCRA, the statutes had similar purposes and were intended to serve complementary goals.

As originally enacted, the ICRAA applied to consumer reports that included character information obtained only through personal interviews. It defined an “investigative consumer report” as one “in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through any means.” The statute requires that the person procuring the report provide the consumer a “clear and conspicuous disclosure in writing” and that the consumer in turn provide a written authorization for the report’s procurement.

Lawmakers took a slightly different approach with CCRAA, which defined a “consumer credit report” as “any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, or credit capacity, which is used or is expected to be used … for … employment purposes.” The definition excluded “any report containing information solely on a consumer’s character, general reputation, personal characteristics, or mode of living which is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on, or others with whom he is acquainted or who may have knowledge concerning any such items of information.”

In 1998, the California legislature amended ICRAA to eliminate the personal interview limitation and expand the statute’s scope to include character information obtained under CCRAA or “obtained through any means.”

Since then, CCRAA continues to govern consumer reports that include character information obtained from a source other than personal interviews, as long as those reports contain information “bearing on a consumer’s credit worthiness, credit standing, or credit capacity.”

What does all this mean for employers? And how did the California Supreme Court get involved?

The two statutes came to the attention of the court when a group of current and former school bus drivers filed suit against their employers, First Student and First Transit, as well as the investigative consumer reporting agency (ICRA) that conducted background checks on the drivers. Eileen Connor led the class action.

After First Student acquired the company where Connor worked as a driver, it requested that the ICRA run background checks to confirm that Connor and the other workers were properly qualified to perform their job duties. The background reports elicited information about the employees’ criminal records, sex offender registries, address history, driving records and employment history.

Prior to conducting the background checks, First Student sent Connor a “Safety Packet” booklet. The booklet included an “Investigative Consumer Report Disclosure and Release” that provided authorization for the ICRA to prepare a consumer report or investigative consumer report. The notice included a checkbox that generally described Connor’s rights under ICRAA, informed her that she could check the box if she wanted to receive a copy of the report and released First Student from all claims and damages arising out of or relating to its background investigation if the box was checked.

Connor filed suit, arguing that the notice failed to satisfy ICRAA’s specific requirements and that First Student neglected to obtain her written authorization to conduct the background check, as required by ICRAA.

First Student asked the court to dismiss the suit, arguing that ICRAA is unconstitutionally vague as applied to the lawsuit because it overlaps with CCRAA and that the notice satisfied CCRAA.

The California Supreme Court found that while the statutes overlap to some degree, achieving compliance with both did not render ICRAA unconstitutional. The two statutes were not intended to be exclusive of each other, the court said, and potential employers can comply with both statutes without undermining the purpose of either.

“If an employer seeks a consumer’s credit records exclusively, then the employer need only comply with CCRAA,” the court explained. “An employer seeking other information that is obtained by any means must comply with ICRAA. In the event that any other information revealed in an ICRAA background check contains a subject’s credit information and the two statutes thus overlap, a regulated party is expected to know and follow the requirements of both statutes, even if that requires greater formality in obtaining a consumer’s credit records.”

First Student complained that because the ICRAA and CCRAA cover the same subject matter, it was unclear which statute applied in the context of employment background checks. But the court disagreed. Connor’s report, for example, fell within the scope of both statutes and “such a duality does not make legal compliance particularly difficult, must less impossible,” the court said.

“Any partial overlap between the statutes does not render one superfluous or unconstitutionally vague,” the court wrote. “They can coexist because both acts are sufficiently clear and each act regulates information that the other does not.”

The California Supreme Court opinion was a loss for First Student and the ICRA, as the court found the defendants had no excuse for not complying with both statutes. For employers more generally, the decision sends an important message: compliance with the requirements of both ICRAA and CCRAA is mandatory, even where the two statutes overlap.

October 1st, 2018|Employment Decisions, Legislation|
© 2012- SCHERZER INTERNATIONAL | ALL RIGHTS RESERVED
Go to Top