The Federal Trade Commission (“FTC”) recently issued guidance applicable to background screening companies (aka consumer reporting agencies) who engage in tenant screening.  The FTC highlights four key responsibilities of background screening companies covered by the Fair Credit Reporting Act (“FCRA”), specifically:

  • “Follow reasonable procedures to ensure accuracy.
  • Get certifications from your clients.
  • Provide your clients with information about the FCRA.
  • Honor the rights of applicants and tenants.”

For background screening companies I encourage you to look at those responsibilities as described in the guidance carefully because the FTC opines on what “reasonable procedures to ensure accuracy” are and those should be read to apply to employment screening as well.  The FTC states, “[c]ertain practices may be indicators that a background screening company isn’t following reasonable procedures. For example, if a report lists criminal convictions for people other than the applicant or tenant – for instance, a person with a middle name or date of birth different from the applicant’s – that raises FCRA compliance concerns. Other examples that raise FCRA compliance concerns include screening reports with multiple entries for the same offense or that list criminal records that have been expunged or otherwise sealed.  Another indication that a company’s procedures might not be reasonable are reports that list housing court actions, but do not include the outcome of the action – for instance, that a case was resolved in the tenant’s favor.”

Background screeners–notice that the FTC calls out reports with multiple entries for the same offense, the reporting of expunged or sealed records, reports with no dispositions, and finally, the failure to use a middle name to ensure accuracy.

All wrapped up in a pretty little bow, just in time for the holidays and holiday hiring!  U.S. Citizenship and Immigration Services (“USCIS”) has finally issued the revised Employment Eligibility Verification form (“Form I-9”).  Remember, all employers must complete a new Form I-9 for each new hire within three business days of hire.

Here’s what you need to know about the revised form:

  • Employers must begin using the revised form exclusively by January 22, 2017.  Until then, employers may use the current version Form I-9 dated 03/08/2013 N. or begin using the new Form I-9 dated 11/14/2016 N.  You will note in the top right hand corner that the revised Form I-9 has an expiration date of 08/31/2019.
  • USCIS recently indicated on a stakeholder teleconference that they will be updating the M-274, Employer Handbook.  Look for that in the new year.
  • Substantively the Form I-9 remains the same as the prior version, although there are some exceptions.  Namely, there is a new Preparer and/or Translator Certification box in section 1.  There is also an “Additional Information” box in section 2 to add information such as employment authorization extensions for individuals eligible for Temporary Protected Status, information related to F-1 OPT STEM students, and CAP-GAP employees (for more on this box see page 11 of the Form I-9 Instructions).  To learn more about the new Form I-9, check out USCIS’s news release by clicking here

Final comment — it should be noted that stakeholders are having difficulty downloading the revised Form I-9 from the website, and for more on that click here.

Human Resources professionals have one more item to add to their compliance checklist – ensuring the lawful transfer of employee, consumer or customer personal data from the European Union (“EU”) to the United States. 

To unravel this compliance requirement let’s start with a hypothetical transfer of personal data from location A to location B for employment purposes.  Company based in Providence, Rhode Island has offices worldwide, including several in the EU.  Hiring is centralized in the United States and therefore all onboarding is conducted by Human Resources professionals in Providence.  As per company policy, the company sends all new hires an employee packet and several of the forms in the packet require the collection of personal data or information.  Personal data such as name, date of birth, address, email address, etc. For its new hires in the EU, they are asked to send the employee packet back to Providence electronically so that the information can be processed for employee benefits, payroll, and a background investigation.  Therefore, personal data is being transferred to the United States for processing.   The question is, is this legal?  Does the company in Providence, Rhode Island need to do anything from a compliance perspective?  The response to the first question is, maybe if the company has a permissible cross-border transfer mechanism in place.  The second response is, yes.  Bottom line is that any U.S. based company which operates globally has to factor in international privacy and data protection laws before transferring employee personal data from outside the United States to the United States.  

Here’s why.  In the EU it is generally prohibited to collect, use, transfer, disclose or otherwise process an individual’s personal data without justification.  In case you are wondering, what’s the European Union?  The EU is made up of 28 member countries in Europe.  It includes countries such as Austria, Belgium, France, Germany, Greece, Ireland, Italy, Spain and the United Kingdom (until they depart due to Brexit).  For a full list of member countries, click here.  

What do American companies need to do?  First, if you have offices, operations or otherwise transfer someone’s personal data from the EU to the United States you need to know that. We privacy professionals call that, mapping the data flows.  In other words, are your employees, customers, consumers sending you personal data from the EU to the United States, what data and for what purpose. 

Why should American companies care?  Because in the EU they are serious about privacy and data protection.  The Europeans would argue that they are far more serious and protective of their citizen’s privacy than the Americans.  They can and will bring enforcement actions against companies that transfer personal data outside the EU without having a permissible onward transfer mechanism.  See the most recent action by German data protection authorities by clicking here.

What’s a permissible onward transfer mechanism?  In the EU, there is a general legal framework under which companies operate which is the EU Directive 95/46/EC (“EU Directive”) and it describes how organizations can lawfully “process” personal data, meaning how they can collect, use, transfer, share, store, etc. personal data.   Generally speaking—and please note that I’m focusing only on cross-border transfers of personal data in this article—an organization cannot transfer an individual’s personal data from the EU to the United States without a lawful mechanism.   That’s right, you can’t just transfer personal data without having a plan in place.  Also, not to throw in a monkey wrench, but the EU Directive will be replaced by the General Data Protection Regulation (“GDPR”)  effective 2018, which will have stricter requirements on U.S. companies with operations in the EU, including requirements related to data breaches.

What options do American companies have to lawfully transfer personal data to the United States?  A few, actually.  One is by self-certifying with the Department of Commerce’s EU-U.S. Privacy Shield program,  instituting model contract clauses or binding corporate rules, or meeting one of the other derogations described in Article 26 of the EU Directive, such as consent of the data subject to the cross-border transfer.   There are pros and cons to each of these options and that is the subject of another discussion and greater legal analysis.  This article is intended as a primer to flag the issue of cross-border transfers of personal data from the EU to the United States and compliance considerations around such.   

If your organization transfers personal data from the EU to the United States and you would like to discuss what your legal requirements or obligations may be I am happy to have that conversation with you.  The privacy team at my firm, Arnall Golden Gregory LLP, advises companies on cross-border transfers of personal data and we would be happy to assist.


Please join me on a free webinar next week to learn helpful information on risk mitigation for your organization related to consumer and customer personal data, including must have policies and procedures around collection and use of personal data, the importance of privacy policies, preventing data breaches, steps to take if a data breach occurs, the impact of the EU – U.S. Privacy Shield on your organization, and more. The webinar is hosted by Hire Image and I will be the featured presenter (my bio).

Click here to register.

Date: November 9 (Wednesday) from 3:00 to 4:00 pm EST

Cost: Free

HR Certification Institute Credit: The webinar has been approved for 1 hour (general) recertification credit toward California, GPHR, HRBP, PHR and SPHR recertification with the HR Certification Institute.

Background checks for employment screening purposes may contain different information.  Most common would be the use of criminal history information, but there are times when an employer requests that their background screening vendor also provide credit history information for a job applicant or employee.

Employers who request credit history information be included in background investigations must, in addition to complying with the requriements of the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), be aware of state restrictions on the use of credit information for employment screening purposes.  States like Illinois, California and Maryland (and others) restrict the use of credit by employers, as do cities such as New York City and Philadelphia.  Generally, these laws restrict the use of credit unless there is a basis for the use of credit history information tied to the position for which a job applicant has applied.

A recent case in Illinois highlights the struggles employers face in those states where there are restrictions.

In a lawsuit against Neiman Marcus, a job applicant alleged that the retailer discriminated against her when it ran a credit check for a position as a sales associate.  Mind you, the plaintiff did apparently have a credit history to report (e.g., judgments, collections) but she alleged that Neiman Marcus violated the Illinois Employee Credit Privacy Act (820 ILCS 70/1 et seq.) and that the job-based exemption they claimed did not exempt them from the requirements of the law.

Neiman Marcus argued that as a sales associate the plaintiff would have access to credit card applications which contained sensitive personal information and accordingly the credit check was acceptable as a “bona fide occupational requirement of a particular position.”  Neiman Marcus also argued that they were exempt from the Employee Credit Privacy Act due to access to cash and signatory power.  The lower court agreed Neiman Marcus acted appropriately when it ran a credit check, but the state appellate court said not so fast.  (Ohle v. The Neiman Marcus Group, Case No. 1-14-1994, Illinois Court of Appeals, First District, Second Division, Sept. 27, 2016)

Illinois law synopsis — the legislative intent behind the Employee Credit Privacy Act is that it “prohibits employers from inquiring about or using an employee’s or prospective employee’s credit history as a basis for employment.”   The law lists several industry specific exemptions for, for instance, banking and financial industry positions or law enforcement positions. And it also states that where a “bona fide occupational requirement” for a particular position exists (and the law lists specific examples) then the employer would be exempt from the law’s requirements as well.

The bottom line is that if you are in a state which restricts the use of credit for employment screening purposes and you in fact request credit history from your background screening vendor, you need to be aware of not only state restrictions but also local restrictions regarding its use.

Keeping tabs on the revised Form I-9 that U.S. Citizenship and Immigration Services (USCIS) is due to release, USCIS updated its website to provide important dates.  I previously wrote about the revised Form I-9 here and how it has been cleared for publication.

This week USCIS posted on its website that they must release the revised Form I-9 by November 22, 2016 and that employers may continue to use the current version of the Form I-9 until January 21, 2017.  The current version of the Form I-9 has a revision date of 03/08/2013 N.

Recap — we still don’t have the revised Form I-9 but for now and until January 21, 2017, employer should continue to use the current version of the Form I-9 available on USCIS’s website.

For those employers anxiously awaiting the “new” Form I-9 (the Employment Eligibility Verification Form) the wait continues but we are getting closer.  On August 25th the Office of Management and Budget (OMB) cleared the revised Form I-9.  For now, employers should continue to use the Form I-9 on U.S. Citizenship and Immigration Services (USCIS) website with the expiration date of 3/31/16 listed on the top right hand corner. Per information on the USCIS website, employers are to continue using this version of the Form I-9 until the new and revised version is posted.  Remember, all U.S. based employers must complete a Form I-9 for any new hire within three business days of hire.

When will the new and revised Form I-9 be available to the public?  Later this year.  According to the OMB clearance notice, USCIS has 90 days from August 25th to post the new version of the Form I-9 (along with the instructions on completing the form) on its website.  Employers are provided a 150 day grace period to continue using the current version of the Form I-9.

The new and revised Form I-9 will feature some new bells and whistles, including for instance more instructions, a requirement to confirm whether a preparer or translator was used to complete the Form I-9, a QR code presumably to be used by Immigration and Customs Enforcement during audits, and some “smart” features to assist in completing the Form I-9 but only if completing it in PDF format.

Stay tuned….

After a battle of motions between the parties, on August 9th a Wisconsin federal judge dismissed a proposed class action for alleged violations under the Fair Credit Reporting Act (FCRA) against Cory Groshek. Why is this important?  Well, some of you may be familiar with Mr. Groshek as he is a noted (some may say serial) plaintiff who has filed multiple lawsuits and/or sent demand letters to employers alleging violations of the FCRA. 

It appears that Mr. Groshek’s master plan was to apply for employment and get to the point where the hiring entity would provide him with the FCRA required disclosure and authorization as part of the background check/investigation.  From there, the alleged FCRA violations began either in the form of a lawsuit or a demand letter. Our firm handled one such demand letter by Mr. Groshek.

Same thing happened in the instant case, Mr. Groshek alleged “that he applied for employment with the defendant, and that in the course of considering his application, the defendant obtained a consumer report on him ‘without first providing [him] a clear and conspicuous written disclosure, in a document consisting solely of the disclosure, that a consumer report may be obtained for employment purposes.'” (Decision and Order at 4).  Here though, the judge put the brakes on this case noting that nowhere in plaintiff’s complaint did he allege any concrete harm suffered as a result of the alleged violation. The court also stated that while allegations of a statutory violation satisfy the particularized injury prong of the injury-in-fact requirement for standing discussed in Spokeo, that in and of itself does not satisfy the concreteness requirement. (Decision and Order at 5).  One damaging statement by Mr. Groshek that the court noted is that during a deposition, when he was asked by defense counsel if he was aware of anything that might entitle him to actual damages he stated, “‘I do not know of any actual damages that I am claiming nor do I believe I’ve ever actually claimed actual damages….'” (Decision and Order at 6).

In the instant case the court granted Time Warner’s motion to dismiss the case, stating that the complaint is dismissed for lack of subject matter jurisdiction.

Ironically, Mr. Groshek requested that the court “seal various portions of his desposition transcipts, supplemental answers to discovery, and any other document that might make mention of any settlement agreement between him and ‘another party.'” (Decision and Order at 7).  I’m thinking that’s because he has brought similar claims under the FCRA against at least 40 companies and his master plan may be unraveling.  The court denied his request stating, “…plaintiff’s argument [to seal records] ignores the fact that he came to the court–a public forum–and instituted this lawsuit. He sued the defendant on a cause of action for which he has sued a number of other companies, and yet he argues that those other suits are irrelevant to this one. In essence, he indicates that while he wants to be able to file suit against the defendant in federal court, he wants to prevent the defendant from enquiring into similar suits that he has filed against other companies for the same alleged conduct. That is not an appropriate basis for the court to seal documents from public view.”  (Decision and Order at 9-10).

Cory Groshek v. Time Warner Cable, Inc., case number 2:15-cv-00157, in the U.S. District Court for the Eastern District of Wisconsin.

Colorado-based employers know that when they onboard an employee one of the compliance related items that must be completed relates to the Employment Eligibility Verification form (Form I-9) and the Colorado Affirmation Form.  The Form I-9 is a federal requirement and the affirmation form is a state requirement, which many argued is somewhat duplicative of the Form I-9. Currently, Colorado’s Employment Verification Law (8-2-122, C.R.S.) requires both public and private employers who transact business in Colorado, and for employees hired on or after January 1, 2007, to complete the Colorado Affirmation Form within 20 days of hire as well as keep copies of documents presented for purposes of the Form I-9.

Effective August 10, 2016 Colorado employers will no longer need to complete the Colorado Affirmation Form thanks to passage of House Bill 16-1114 by Colorado’s legislature. The legislation was signed by Governor Hickenlooper on June 8, 2016.

To be clear, until August 10, 2016 Colorado based employers must continue to complete the Colorado Affirmation Form and maintain copies of documents presented with the Form I-9.

Yesterday I attended an interesting webinar regarding Fair Credit Reporting Act (FCRA) developments.  Susan Camp Stocks from the Consumer Financial Protection Bureau (CFPB) and Katherine Ripley White from the Federal Trade Commission (FTC) participated, along with my colleagues Bob Belair and Kevin Coy. The speakers covered a fair amount of ground on different FCRA issues, including the importance of furnishers of information having written policies and procedures.  However, I want to focus on what they said about the background screening industry.

FTC Comments

  • They are focusing on background screening and in particular the use of criminal history records in employment screening
  • Accuracy of the reports is essential
  • Red flags that background screeners should review/consider when reporting public records — different names or DOBs, multiple entries for the same offense, and the reporting of expunged cases
  • They are working with the Federal Interagency Reentry Council to address accuracy related issues in the criminal justice system
  • They will turn their attention to focus on tenant screening in the next year and it is likely that we will see revised guidance in this area

CFPB Comments

  • Among their policy priorities is consumer reporting
  • It appeared that there is a belief that there is weak oversight of public record providers and that they believe more audits of such providers should be conducted to address accuracy issues
  • Accuracy of the reports is very important to them and they spoke about the enforcement action against General Information Services and to illustrate the point