FCRA

FTC says data brokers willing to sell consumer information and disregard FCRA

On May 7, 2013, the Federal Trade Commission (the “FTC”) announced the results of its testing operation, revealing that 10 companies out of the 45 that the FTC approached seemed to be willing to sell consumer information without complying with the Fair Credit Reporting Act (“FCRA.”) The FTC reported that its staffers asked the companies about buying the information for purposes such as determining creditworthiness, suitability for employment or eligibility for insurance.

Six of the 10 companies appeared willing to sell consumer information for employment purposes, two for insurance decisions and two for pre-screened lists of consumers to use in making firm offers of credit. The data brokers were contacted again by the FTC, but this time in the form of letters, warning that their practices may violate the FCRA. The warning letters are part of an ongoing international effort spearheaded by the Global Privacy Law Enforcement Network, an informal group of consumer protection and privacy agencies.

May 9th, 2013|Criminal Activity, Educational Series|

Most service providers are not subject to Red Flags Rule

The Federal Trade Commission (the “FTC”) interim final rule which became effective February 11, 2013 confirms that most service providers are not subject to the Red Flags Rule. The rule clarifies the meaning of “creditor” ensuring that its definition is consistent with the revised definition of that term in the amended Fair Credit Reporting Act (the “FCRA”). A “creditor” must develop and implement a written identity theft prevention program premised on identifying “red flags” of identity theft only if in the ordinary course of business, the “creditor” regularly: 1) obtains or uses consumer reports in connection with a credit transaction; 2) furnishes information to consumer reporting agencies in connection with a credit transaction; or 3) advances funds to or on behalf of a person, in certain cases.

However, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data. The FTC may pursue enforcement actions under the FTC Act when a company does not take reasonable privacy protection measures scaled to the risk level of their business practices.

March 29th, 2013|Educational Series, Legislation|

CFPB’s takeover of FCRA enforcement requires new notices by January 1, 2013

In July 2012, the newly-created Consumer Financial Protection Bureau (“CFPB”) under the Dodd-Frank Wall Street Reform and Consumer Protection Act assumed rulemaking and enforcement authority of the Fair Credit Reporting Act (“FCRA”) from the Federal Trade Commission (“FTC”).

Although more changes are likely to come, beginning January 1, 2013, businesses, including employers, and consumer reporting agencies, will be required to provide a new version of the “Summary of Rights” form to individuals before taking any adverse action based on the contents of a consumer report. Notably, the adverse action process that must be followed under the FCRA has not changed; the revisions are generally stylistic and substitute “CFPB” for references to the FTC. There is also an updated and expanded list of contacts included at the end of the form.

To download the PDF versions of the updated Summary of Rights, and forms regarding the obligations of users and furnishers of consumer reports, click on the links below.

Summary of Rights under the FCRA.pdf

Obligations of Users of Consumer Reports under the FCRA.pdf

Obligations of Furnishers of Consumer Reports.pdf

January 7th, 2013|Legislation|

FTC’s civil rights testimony recaps FCRA obligations and aggressive enforcement

On December 7, 2012, the Federal Trade Commission (the “FTC”), submitted its written testimony to the U.S. Civil Rights Commission on the use of criminal background checks in employment decisions. The Commission intends to apply the testimony in reviewing the EEOC’s guidance that an employer’s use of an individual’s criminal history in making employment decisions may, in some instances, violate the prohibition against employment discrimination under Title VII of the Civil Rights Act of 1964. The EEOC suggests that minorities are disproportionately likely to have criminal records, which means that when employers use criminal background reports, minorities are possibly affected more than other groups.

Notably, in its testimony, the FTC, which shares the authority for enforcing the Fair Credit Reporting Act (“FCRA”) with other federal agencies, including the Consumer Financial Protection Bureau (“CFPB”) does not say anything substantial about civil rights.

The testimony does, however, provide a good recap of the legal rights and obligations prescribed by the FCRA when consumer reports are used for employment purposes, and highlights the FTC’s law enforcement efforts in this area. As its starting point, the testimony reminds that the FCRA imposes several requirements on consumer reporting agencies (“CRAs”) that provide consumer reports to employers, which include ensuring that the employer is in fact using the report for a permissible purpose. In the employment context, permissible purposes are limited to “employment, promotion, reassignment, or retention.” Thus, employers may only obtain a consumer report about applicants or employees, and may not simply use their status as employers to get information about competitors, opposing parties in litigation, or anyone else. Relatedly, under the permissible purpose requirement, CRAs must have reasonable procedures in place to ensure that the consumer report users are who they claim.

The CRAs also must comply with certain procedural requirements, such as giving all users of consumer reports a notice that informs them of their duties under the FCRA. The CRAs must obtain certifications from the employer that: (1) it is in compliance with the FCRA; and (2) it will not use consumer report information in violation of any federal or state equal employment opportunity laws or regulations.

Further, the FCRA mandates that CRAs follow “reasonable procedures to assure maximum possible accuracy of the information

[15 U.S.C. § 1681e(b)].” It does not establish, however, a requirement of absolute accuracy and does not require that the CRAs guarantee that the reports are error-free.

If a CRA provides a report that has negative information about an applicant or employee that is based on public records — for example, tax liens, outstanding judgments, or criminal convictions — that CRA either has to notify the applicant or employee directly that it has provided the information to the employer, or has to adopt strict procedures to ensure that the information is complete and up to date [15 U.S.C. § 1681k(a)(1)-(2)]. Regardless of whether a CRA opts to provide the notice or adopt strict procedures, FCRA § 1681e(b), as noted above, requires CRAs to have “reasonable procedures to assure maximum possible accuracy.”]

The FCRA also places specific obligations upon employers to provide certain disclosures to the applicants or employees, and obtain their written authorization before using consumer reports. If an employer intends to take an adverse action based either in whole or in part on the information in a consumer report, such as denying a job application, reassigning or terminating an employee, or denying a promotion, the employer must provide the applicant or employee with a pre-adverse action notice before taking the action. The pre-adverse action notice must include a copy of the consumer report on which the employer is relying and a summary of rights under the FCRA. The form, which recently was reissued by the CFPB, describes the consumers’ rights under the FCRA, including the right to obtain copies of their consumer reports and dispute information.

Once the employer has taken the adverse action, it must give the applicant or employee a notice that the action was based on information in the consumer report. This adverse action notice must include the name, address, and phone number of the CRA that supplied the report, and must inform the applicant or employee of his or her right to dispute the accuracy or completeness of any information in the report, and the right to obtain a free report from the CRA upon request within 60 days. Even though a consumer has the right to dispute errors, the CRAs and furnishers of information to the CRAs typically are allowed thirty days to investigate the consumer’s dispute, and the information may not be corrected in time to affect the consumer’s consideration for a particular job.

The FTC points out that it has pursued an aggressive law enforcement program to ensure that CRAs, furnishers, and consumer report users (including employers) comply with their responsibilities under the FCRA, providing details of recent lawsuits for FCRA violations that resulted in civil penalties against CRAs ranging from $800,000 to $2.6 million. Its recent actions against employers included charges against railroad contractors for failing to provide pre-adverse action and adverse action notices to employees who were fired and job applicants who were rejected based on information in their consumer reports. Under negotiated settlement orders, the companies were required to pay penalties in the amount of $1,000 per violation, and are subject to specific injunctive, record-keeping, and reporting requirements to ensure compliance with the FCRA.

The FTC’s enforcement actions and the latest wave of class action lawsuits enforce that FCRA compliance must be a priority for employers, CRAs and furnishers of information alike.

January 7th, 2013|Educational Series, Legislation|

No shortcuts to assuring maximum possible accuracy under the FCRA

When Congress formulated the Fair Credit Reporting Act (“FCRA”) more than 30 years ago, it noted that the law was enacted in order to protect consumers against “the trend toward…the establishment of all sorts of computerized data banks

[that placed a consumer] in great danger of having his life and character reduced to impersonal ‘blips’ and key punch holes in a stolid and unthinking machine which can literally ruin his reputation without cause [116 Cong. Rec. 36570].” This intent has been clearly supported by the amendments that followed allowing greater and more effective protection. But despite the leaps and bounds in legislation, much controversy still exists about the level of protection that this law provides to consumers. And confusion abounds about the compliance requirements for consumer reporting agencies (“CRAs”) on whom the FCRA places “grave” compliance obligations. “There is a need to insure that consumer reporting agencies exercise their ‘grave’ responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy [15 U.S.C. § 1681(a)(4) (2006)].”

The FCRA mandates that “[w]henever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates [15 U.S.C. § 1681e(b)].” So what does this mean? Courts have taken two positions in interpreting the language of this section. The “consumer-friendly” version holds CRAs liable for reports that are technically accurate, but may be misleading or incomplete. (Koropoulos v. Credit Bureau, Inc., 734 F.2d 37, 40; D.C. Cir. 1984: “Congress did not limit the Act’s mandate to reasonable procedures to assure only technical accuracy; to the contrary, the Act requires reasonable procedures to assure maximum accuracy.”) The “business friendly” interpretation requires only technical accuracy in the CRA’s reporting. [Todd v. Associated Credit Bureau Servs., Inc., 451 F. Supp. 447, 449 (E.D. Pa. 1977)].

While this case law is helpful in understanding the CRA’s liability under the statute, there is no doubt that a comprehensive guidance on the methodology to assure maximum accuracy is still much needed especially in view of the proliferation of the so-called “national databases” in the recent years. But despite the lack of clear guidance, a reputable CRA knows that “to assure” means “to earnestly inform or tell positively; state with confidence.” And reporting a record that was identified by name only or relying solely on private database record information in an employment background check does not pass the reasonable procedures test by any standard.

In an Internet marketplace that touts instant results, a CRA’s practice of sending searchers to the courthouse, pulling dozens of cases, and reviewing legal documents to ascertain correct subject identification and record information may be counterintuitive for many employers. And it takes time and money to assure the most accurate and up-to-date results. On the other hand, in a world of over a million people, is a quick and cheap database background search of any real value?

January 7th, 2013|Employment Decisions|

Agencies jointly support that FCRA Section 1681c does not violate first amendment

On May 3, 2012, the Federal Trade Commission (FTC) joined the Department of Justice (DOJ) and the Consumer Financial Protection Bureau (CFPB) in filing a memorandum brief in support of the constitutionality of the Fair Credit Reporting Act (FCRA), established in 1970 to protect credit report information privacy and to ensure that the information supplied by consumer reporting agencies (CRAs) is as accurate as possible.

In the case of Shamara T. King vs. General Information Services, Inc. (GIS), the CRAs address a provision of the FCRA that balances the Act’s dual purposes, i.e., to protect consumers from privacy invasions caused by the disclosure of sensitive information and to ensure a sufficient flow of information to allow the CRAs to fulfill their vital role.) The provision, Section 1681c, bars CRAs from disclosing arrest records or other adverse information that is more than seven years old, in most cases.

The agencies brief refutes GIS’s argument that this FCRA protection is an unconstitutional restriction of free speech, pointing out that the recent U.S. Supreme Court case law that GIS cites to support its argument, Sorrell v. IMS Health Inc., “does not change the settled First Amendment standards that apply to commercial speech, nor does it suggest that restrictions on the dissemination of data for commercial purposes

[such as those by CRAs] must satisfy stricter standards.” Therefore, the brief concludes, the court should not invalidate the FCRA provision, as it “directly advances the government’s substantial interest in protecting individuals’ privacy” while also accommodating the interest of businesses. The case is pending.

May 21st, 2012|Judgment|

Mobile apps may violate Fair Credit Reporting Act

On February 6, 2012, the Federal Trade Commission (FTC) issued warning letters to the marketers of six mobile applications that provide background screening apps that they may be violating the Fair Credit Reporting Act (FCRA.) The FTC said that if the background reports are being used for employment or other FCRA purposes, then the marketers and their clients must comply with the FCRA.

According to the warning letters, the FTC has not made a determination whether the companies indeed are violating the FCRA, but encourages them to review their apps, and their related policies and procedures. The FCRA is designed to protect the privacy of consumer report information and ensure that the information provided by consumer reporting agencies is accurate. Consumer reports are communications that include information about an individual’s character, reputation, or personal characteristics, and are used or expected to be used for purposes such as employment, housing or credit.

Under the FCRA, entities/operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies (CRAs.) Mobile apps that supply such information also may qualify as CRAs under the Act. CRAs must take reasonable measures to ensure the user of each report has a ‘permissible purpose’ to use the report, take reasonable steps to ensure the maximum possible accuracy of the information conveyed in the report, and provide users of its reports with information about their obligations under the FCRA. In employment-purpose consumer reports, for example, CRAs must provide employers with information regarding their obligation to give notice to employees and applicants of any adverse action taken on the basis of a consumer report.

February 7th, 2012|Judgment|

Paying for ambiguity: the myths of instant background checks and national databases

The cottage industry of data-collection agencies that provide inexpensive background information is flourishing even in this tough economy. Many prospective employers with tight budgets believe they can save money by relying on the “national” records that are spewed out within minutes of entering a credit card number. So just what do you get for $19.99? Not much. Or a lot…a lot of worthless data, that is. Unverified name-match only records come up by the hundreds if the name is fairly common. And it is nearly impossible to determine case details or duplicate filings, as the cryptic printouts often require specialized knowledge that is specific to each state, municipality or records venue.

Many subjects who are flagged as criminals in these databases have never been convicted of a crime. In fact, according to the U.S. Bureau of Justice statistics for felony defendants in large urban counties, one-third of felony arrests never lead to a conviction. And there is no standardized process for reporting arrests and dispositions or updating the records at the various court levels. Some reported offenses are not actually violations of the criminal code in the particular state, but may still show up in these databases.

There are few regulations governing the use of background information beyond the provisions of the Fair Credit Reporting Act (FCRA). The Federal Trade Commission (FTC) does not mandate that data aggregators provide guidance on how to properly interpret their records. The only possible value of these so-called national databases is to serve as an indicator that a record may exist, and use the search results to supplement a full investigation. Since the FCRA requires that all “reasonable procedures to assure maximum possible accuracy of the information are followed” and that “the information is complete and up-to-date,” searches for employment purposes must be conducted either manually or through direct access in the particular court where the record is filed.

Employment experts at a July 2011 Equal Employment Opportunity Commission (EEOC) hearing urged the Commission to consider the comprehensive recommendations put forth by the National Employment Law Project (NELP) in its report on the effect of criminal background checks in employment decisions. Among its recommendations, the NELP suggested that the EEOC revise its now 20-year-old guide on conviction records in view of the “intervening proliferation of instant computerized background information…” The EEOC should also address the “use of arrest records and third-party databases that are considered a part of the hiring process.”

October 17th, 2011|Educational Series|

Controversy abounds in employment decisions based on social media searches

In May 2011, the Federal Trade Commission (FTC) ruled that companies providing social media information to employers – and employers who use the reports – must follow the same Fair Credit Reporting Act (FCRA) regulations that apply to more traditional sources. The FTC also stated that postings on any social media site can be saved by on-line background screening companies for up to seven years.

According to the FTC’s letter dated May 9, 2011 to a company that sells information from social networking sites for employment purposes, such a company is considered a Consumer Reporting Agency (CRA) and thus must take reasonable steps to ensure the accuracy of the information obtained from online social networks (as well as other sources) and positively identify it with the subject. It also must comply with other FCRA provisions, such as providing a copy of the report to the subject and maintaining an established protocol if the subject disputes the reported information. As with “traditional” background investigations, employers who use a report prepared by a CRA must certify to the CRA that the report will not be used in violations of federal or state equal employment opportunity laws or regulations. Additionally, both the CRA and the employer have a legal obligation to keep and dispose of the reports securely and properly. (For more information, see the FTC blog, “The Fair Credit Reporting Act & Social Media: What Businesses Should Know.”)

Social media legal experts and various literature point to a multitude of issues and risks faced by both the CRA and the employer who uses social media checks, which include, but are not limited to:

Problems under FCRA section 607(b) in exercising “reasonable procedures to assure maximum possible accuracy” of the information.
Since the information on social media sites is self-reported and can be changed at any time, it is often difficult if not impossible to ascertain that the information is accurate, authentic and belongs to the subject. Online identity theft is not uncommon, as are postings under another person’s name for the purpose of “cyber–slamming” (which refers to online defamation, slander, bullying, harassment, etc.)

Information may be discriminatory to job candidates or employees, or in violation of anti-retaliation laws.
Social sites and postings may reveal protected concerted activity under the National Labor Relations Act (NLRA,) and protected class information under Title VII of the Civil Rights Act and other federal laws, such as race, age, creed, nationality, ancestry, medical condition, disability, marital status, gender, sexual preference, labor union affiliations, certain social interests, or political associations. And while the information may have no impact on the employment decision, the fact that the information was accessed may support claims for discrimination, retaliation or harassment.

Accessing the information may be in violation of the federal Stored Communications Act (SCA).
To the extent that an employer requests or requires an employee’s login or password information, searches of social networking sites may implicate the SCA (18 U.S.C. § 2701) and comparable state laws which prohibit access to stored electronic communications without valid authorization. A California court recently ruled that the SCA also may protect an employee’s private information on social networking sites from discovery in civil litigation.

Assessing the information may violate terms of use agreements and privacy rights.
While certain social media sites have stricter privacy controls than others, most if not all limit the use of their content. The terms of use agreements typically state that the information is for “personal use only” and not for “commercial” purposes. Although the definition of “commercial” in connection with employment purposes is interpretive, most legal experts indicate that employment screening fits that scope.

Information may be subjective and irrelevant to the employment decision.
Blogs, photos and similar postings often do not provide an objective depiction of the subject or predict job performance. The California Labor Code, for example, specifically provides that an employer is prevented from making employment-related decisions based on an employee’s legal off-duty conduct. Employers may use such information only if the off-duty conduct is illegal, if it presents a conflict of interest to the business or if it adversely affects the employee’s ability to do his/her job. And the evidence of such activities must be clear.

The popularity of employment-related background checks that include social media searches is growing rapidly. But the unreliable and unverifiable information from these sources is a potential landmine of legal liabilities.

August 8th, 2011|Employment Decisions|

Challenges of international background investigations

Many transactions today, whether they involve an employment hiring decision or a new business relationship, are cross-border or have an international component. The need for effective risk management both in the U.S. and abroad has vastly expanded in recent years with the passing of legislation and increased enforcement actions. Behind just about every business decision, there is a widening range of stakeholders — from regulators to shareholders to board members — who expect that the due diligence process will minimize unlawful activities.

International background investigations, which are essential for a comprehensive approach to due diligence, present special challenges since each country has its own laws, customs, and procedures. Language barriers, name variations and transliterations, limited information and technology, broad definitions of crimes, and proliferation of fraudulent educational and accreditation institutions, are just some of the factors that add to the complexity of these investigations.

As a general rule, in most European countries, criminal records are not available to the public. In Asia, public accessibility to most court filings is limited. In South America, public records vary greatly from country to country. South Africa provides some disclosure of police records and warrants to the public, along with civil filings. Canada’s public records availability differs by province, and only a few permit criminal records release. India and Australia have the most searchable records, similar to the U.S.

For employment purposes, the Fair Credit Reporting Act (FCRA) imposes certain obligations for international background screening performed by a U.S. Consumer Reporting Agency (CRA), including mandating reasonable procedures to ensure the accuracy of the information it reports. If a public record such as a criminal conviction is found, the CRA must ascertain that the information is correct, up-to-date, and reported in a way that does not violate data or privacy protection rules.

In 2000, an agreement between the U.S. Department of Commerce and the European Commission established privacy and data protection guidelines, the “Safe Harbor Principles,” to enable U.S. companies to satisfy a requirement under European Union law for adequate protection of personal information transferred from the European Economic Area (the 25 member states of the European Union plus Iceland, Liechtenstein and Norway.) In addition to these principles, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions and businesses that receive personal information to establish safeguards for the handling and disclosure of that information. And the Fair and Accurate Credit Transactions Act (FACTA), a federal legislation, also contains provisions to help reduce identity theft and obligates the proper disposal of personal consumer information.

The cost of an international background investigation typically is higher than domestic searches, and varies with each country, the type of information that needs to be obtained and the purpose of the investigation. When performed by a reputable firm with qualified foreign contacts, an international background investigation can reduce negligent hiring liability, and prevent a catastrophic investment or reputational damage.

July 25th, 2011|Educational Series, Legislation|

Previous 345 Next