Employers Running Background Checks: Top 10 Tips to Avoid Joining the Fair Credit Reporting Act Litigation “Club”
What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common? Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”). Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under the law, class action plaintiff firms have recently focused on the FCRA’s employer-related provisions. Several large settlements (such as Publix’s $6.8 million class action settlement, Dollar General’s $4 million, and K-Mart’s $ 3 million) have spurred further litigation. While some of the alleged FCRA violations may appear minor or technical in nature, these “technical violations” still result in costly lawsuits. Employers should re-familiarize themselves with the FCRA to avoid becoming class action defendants.
The FCRA’s Employer-Related Provisions
Many employers understandably want to conduct background checks on prospective employees, or current employees who may be obtaining new responsibilities or accessing sensitive information. In particular, companies in the retail and restaurant sectors, whose employees have access to cash receipts and credit card account numbers, want to guard against employees whose background checks may reveal issues of concern. Further, organizations whose employees enter homes and businesses (such as service providers – e.g., carpet cleaners, plumbers, contractors) have additional concerns about potential liability.
The FCRA is usually thought of as a federal law that regulates consumer reporting agencies, like credit bureaus. However, the FCRA also prescribes certain requirements for employers who use consumer reports. The FCRA broadly defines the term “consumer reports” as information prepared by a consumer reporting agency “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—credit or insurance to be used primarily for personal, family, or household purposes; employment purposes” or other permitted purposes. This definition draws in more than a traditional credit report. It can include driving records, civil lawsuits, and reference checks, among other information.
Disclosure and Consent
Employers may not obtain a consumer report from a consumer reporting agency unless they first make a “clear and conspicuous” written disclosure to the prospective employee/employee. The disclosure document must consist “solely” of the disclosure that a consumer report may be obtained. The job applicant/employee must provide written permission for the employer to obtain a consumer report. The FTC has indicated the disclosure form may include a signature line for the individual’s consent. (In 2001, the FTC also issued an opinion letter stating it believes such consent can be obtained electronically, consistent with the federal E-Sign law). The employer further certifies to the consumer reporting agency that is has a permissible purpose for the report and that it has complied with the FCRA and applicable equal opportunity laws.
These steps sound simple enough, however, litigation has ensued based upon employers’ alleged failures to comply. For instance, in the Whole Foods case in federal court in California, the plaintiffs claim the online application process included a liability waiver in the disclosure form for the background check, allegedly violating the FCRA requirement that a disclosure form not include other information. In a separate case in federal court in Florida involving retailer Nine West, the plaintiff alleges he did not receive a separate form, and that the background check authorization was on a web page with various other types of information.
Adverse Action Based on Report
If the employer intends to take “adverse action” against the prospective employee/employee (based even in part on the information in the report), the FCRA requires the employer to follow certain additional steps. The term “adverse action” includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.”
Before the employer takes the adverse action, it must provide a “pre-adverse action” notice to the affected person. This notice must include a copy of the consumer report and a statutory “Summary of Rights.” (This is an updated form, required since January 2013 by the new Consumer Financial Protection Board, which now has responsibility for FCRA rulemaking). The purpose of this notice requirement is to permit the individual to discuss the report with the employer before the employer implements the adverse action.
Next, if the employer intends to take the adverse action, the FCRA requires the employer to provide an adverse action notice to the individual. This notice must contain certain information, including:this is a test one
a statement setting forth the applicant’s or employee’s right to obtain a free disclosure of his or her report from the consumer reporting agency if the individual requests the disclosure within 60 days; and
In a case involving Domino’s Pizza employees, the company settled a class action that included allegations that it took adverse employment actions against certain individuals based on information contained in consumer reports without providing those individuals the required notice and a copy of such reports in advance. K-Mart settled a class action suit based upon allegations that the statement of consumer rights provided to individuals after a background check contained outdated disclosures, among other alleged FCRA failures.
Liability and Enforcement
Plaintiffs can pursue a private right of action against employers for negligently or willfully violating the FCRA. Claims regarding negligent violations allow actual damages and reasonable attorneys’ fees and costs. Willful violations can result in actual damages or statutory damages ranging between $100 and $1,000, plus punitive damages and attorneys’ fees and costs. The Federal Trade Commission (“FTC”) has also brought actions against employers for FCRA violations.
10 Steps to Avoid Becoming a FCRA Defendant When Using Employment Background Checks
1. Review your current background check practices for prospective and current employees, including any online application materials.
2. Review disclosure/consent forms for compliance. Ensure you are presenting applicants or current employees with a simple, one page disclosure form. The form should inform individuals that you intend to obtain a consumer report for employment purposes.
3. You must obtain consent from the prospective employee/employee. You may include a line on the disclosure form for the individual to acknowledge and grant consent. Do not include other material, such as liability waivers, confirmation of at-will employment, or seek other consents.
4. If your application process is online, ensure the disclosure/consent is displayed separately, on one screen, without other content.
5. If you intend to conduct background checks periodically during an individual’s employment, state that in the disclosure and consent form.
6. Do not seek consent verbally. FCRA requires “written” consent (though FTC has stated it may be electronic).
7. Maintain backup of the disclosure and consent forms for at least 5 years from the date they were provided. (Lawsuits must be brought by the earlier of two years after the date of the plaintiff’s discovery of the violation, or five years after the date on which the violation occurred).
8. If you intend to take adverse action based on information in the consumer report, you should be providing the individual with a pre-adverse action notice, a copy of the consumer report, and the “Summary of Rights.” Ensure you are using the most updated “Summary of Rights.”
9. You should wait a reasonable amount of time (at least 5 days) before issuing an adverse action notice. Your company’s adverse action notice must contain the information required under the FCRA (see bulleted information, above).
10. Check state law regarding background checks for the states in which you operate/solicit employees. Some states have similar requirements to FCRA; others may further restrict the types of information you can request.
* * *
The FTC/EEOC have issued a joint statement on background checks. While many employers need to conduct background checks to avoid liability and risks to their businesses, employers also need to follow the FCRA’s mandates to avoid the deep end of litigation “pool.”
The credit reporting industry – dominated by Experian, Equifax and Transunion – maintains a precarious balance of obligations: On the one hand, these companies bear a responsibility to banks and other businesses at large to retain reliable information to ensure that the credit scores they report are a fair representation of the individual’s credit-worthiness. On the other hand, federal law, including the Fair Credit Reporting Act, imposes an obligation upon the credit reporting agencies and other related companies to conduct reasonable investigations to address disputes about errors in individuals’ credit files. In both instances, the companies bear a weighty responsibility.
For this reason, companies in the credit reporting industry are subject to intensive regulatory scrutiny – historically by the Federal Trade Commission and, more recently, by the Consumer Financial Protection Bureau. Both agencies have issued reports on their studies of the way in which credit reporting companies handle the information entrusted to them, and how they respond to consumer disputes.
This past Sunday, CBS’s 60 Minutes – a show that most people associate with responsible news reporting – ran a segment that unfairly distorted these reports about credit reporting agencies’ compliance with their obligations. The show, which was largely based on an advance copy of an FTC study, relied upon selective interpretation of the data in that study, throwing out snippets of information without being specific on what the data meant.
The vast majority of the story can hardly be viewed as unbiased: interviews with a politically motivated state attorney general, two plaintiffs’ attorneys who spend their careers suing the credit reporting agencies, a handful of dissatisfied consumers, and several disgruntled former call center employees whose role in addressing consumer complaints was never really explained in a meaningful way. The result was a show clearly intended to convey a message that the credit data retained by these companies is riddled with errors, and that the credit reporting agencies fail to comply with their legal obligations to take steps when there is a claim of an inaccuracy.
In fact, as the Consumer Data Industry Association has pointed out, the FTC study shows that 98 percent of credit reports are materially accurate. In this regard, 60 Minutes missed the most critical point in the research – that the measure of accuracy is tied to the question of whether an error has consequences for consumers and not just whether there is an error that has little or no impact on credit scores. The FTC study actually concluded that only 2.2 percent of credit reports have an error that would lead to higher-priced credit for the consumer.
60 Minutes compounded its error by repeatedly asserting that it was “nearly impossible to expunge” an error in a credit report, and providing a forum for a state attorney general and two plaintiffs’ attorneys to assert that the credit reporting companies do not comply with their obligations under federal law. This one-sided treatment does not square with a 2011 study from the Political and Economic Research Council that showed that consumers were satisfied with the resolution of their disputes in 95 percent of the cases. It also does not square with the results of a year-long study of the dispute process by the FTC in which the agency found no violations of law.
It is not hard to understand what motivated 60 Minutes to run this story: Because everyone has a credit score, an inflammatory story about credit scores is likely to get everyone’s attention. But the one-sided and distorted way in which 60 Minutes presented this information was a disservice to the public. And even if credit reporting agencies are not perfect, they deserve better treatment at the hands of those who have the public’s ear.
This week the Federal Trade Commission entered into a consent decree with Certegy Check Services, one of the nation’s check authorization service companies, pursuant to which Certegy has agreed to pay $3.5 million to settle charges that it violated the Fair Credit Reporting Act (FCRA). This massive penalty – the second largest ever – reinforces the perception that the FTC will continue vigorous enforcement against what it perceives as violations of that venerable statute, first passed in 1970.
The FCRA establishes obligations not only for the three big consumer reporting agencies (CRAs) – Experian, Transunion, and Equifax – but also for “nationwide specialty consumer reporting agencies”. These are CRAs that compile and maintain files on consumers on a nationwide basis relating to medical records or payments, residential or tenant history, check writing history, employment history, or insurance claims. Certegy, which falls within this latter category of entities subject to the FCRA, was obligated to “follow reasonable procedures to assure maximum possible accuracy” in the reports it provided concerning consumers’ financial information, and was also obligated to investigate any consumer dispute regarding such informationwithin a reasonable period of time, to report back to the consumer, and to delete any information that is inaccurate, incomplete, or unverifiable.
While Certegy is not as well known to consumers as the big three credit reporting agencies, it plays an important role in consumer transactions. When people want to pay by check, many businesses rely on Certegy for a check authorization recommendation that is based in part on information in its files about consumers’ check writing history. Certegy also furnishes information to other credit reporting agencies, which may multiply the effect of any inaccuracies.
The FTC alleged in its complaint that Certegy failed to comply with many of its obligations as a nationwide specialty consumer reporting agency. Among other things, the FTC asserted that Certegy would not undertake the required reinvestigation of allegedly inaccurate information, and would place unfair burdens on consumers in connection with requests for such reinvestigations. The FTC states that this is its first case alleging a violation of the so-called “Furnisher Rule” relating to regulations governing such entities that furnish credit report information on consumers.
The stipulated order will certainly change the way that Certegy does business but, perhaps even more important, the $3.5 million penalty should attract the attention of other entities whose businesses are subject to the FCRA. Such businesses would be wise to revisit their policies and procedures to ensure that they comply with the obligations under the statute and related regulations to ensure that they will not be the next target of FTC enforcement in this area.
According to a recent NBC News report, Equifax, one of the three largest American credit reporting agencies, has assembled an enormous database containing employment and salary information for more than 190 million U.S. adults. Very few people knew of the existence of the database, but the information in it allegedly is being sold to third parties without consumers’ consent.
According to the report, an Equifax-owned company, The Work Number obtains substantial information– through the assistance of human resources departments and other sources around the country including government agencies and Fortune 500 companies. The Work Number then sells this information. According to The Work Number’s website, payroll information comes from over 2,000 employers. Reports have stated that the database is so detailed that for many individuals it has weekly pay information, as well as other sensitive information such as the identity of the individual’s health care provider and whether the individual has ever filed a claim for unemployment benefits.
Seven members of Congress recently wrote a letter to Equifax asking for more information on the legality of The Work Number. “What is most concerning to us is that this massive database appears to generate revenue using consumers’ sensitive personal information for profit,” the letter states.
Companies state that they agree to sign up for The Work Number because it gives them a simple way to outsource employment verification of former employees. Companies provide their human resources information to The Work Number and The Work Number automates the process. There is no longer a need for companies to spend the time to verify a former employee’s work history.
In 2009, according to the NBCNews.om report, Equifax said that the data The Work Number had amassed covered 30 percent of the working U.S. population, and the database is now adding 12 million records annually according to NBCNews.com.
It is not entirely clear what Equifax is doing with the data, where it is selling it, and what can be sold without consent. In a statement after NBCNews.com broke the story Equifax said, “The Work Number does not provide debt collectors with salary/pay rate/income information. They can request only employment verification data which The Work Number will provide if there is permissible purpose as detailed by the Fair Credit Reporting Act.” Equifax also denied reports that the salary information is sold to debt collectors.
Equifax did confirm that “pay rate” information is shared with third parties including mortgage, automobile, and other financial services companies — as authorized under the Fair Credit Reporting Act.
Since the data is considered a credit report, consumers are entitled to one free report every year, which shows the data contained in the reports and what entities have requested the data.
Companies that collect and share data will continue to face scrutiny from state and federal government agencies that have shown a consistent effort focused on protecting consumers’ privacy rights. Consumer protection laws continue to evolve and provide individuals with specific rights as well as restrictions on companies regarding information that can be shared. All companies that deal with consumer information need to take a proactive approach to make sure that they are in compliance with all governing laws. The FTC, in particular, has shown a willingness and focus to utilize laws such as the Fair Credit Reporting Act to take enforcement action against companies offering employment and credit data.
As we cautioned in a September post, the FTC is stepping up enforcement actions against mobile app developers for failure to comply with consumer protection principles. This month, the FTC took another major step in that direction with a groundbreaking settlement applying the Fair Credit Reporting Act (FCRA) to app developers Filquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk.
The FCRA is a consumer protection statute designed to regulate the collection, dissemination, and use by companies of consumer information. Filquarian markets mobile apps that run background checks using criminal records obtained from Choice Level, and Linsk is the owner and sole officer of both companies.
Although this was the first time that the FTC has applied the FCRA to a mobile app developer, the prospect has been on the horizon for quite some time. Last February, the Commission issued a press release announcing that it had issued official warning letters to marketers of six mobile apps for background screening. The warnings were explicit: “If you have reason to believe that your background reports are being used for employment or other FCRA purposes,” both you and those customers must comply with the FCRA. Additionally, the FTC posted a “Word of Warning” on its Business Center Blog, informing the public about the warning letters and cautioning app marketers that “disclaimers or not, the FCRA would still apply.”
According to the FTC, Linsk and his companies failed to heed these conspicuous warnings. As detailed in the FTC complaint, since at least 2010, Filquarian had been specifically targeting employers with ads like this one: “Are you hiring somebody and wanting to quickly find out if they have a record? Then Texas Criminal Record Search is the perfect application for you.” Instead of attempting to comply with the FCRA, the FTC’s complaint said, Filquarian and Choice Level posted a disclaimer stating that the companies were not complaint with the FCRA, that their reports were not to be considered screening products for the various FCRA-proscribed purposes, and that the users of their reports assume sole responsibility for FCRA compliance.
The complaint against them cited numerous FCRA violations: (i) regularly furnishing reports to individuals who did not have a permissible purpose to use them, (ii) failing to maintain any procedures for assuring maximum possible accuracy of information provided in the reports, and (iii) failing to provide required notices to users of the consumer reports. The agency concluded that the disclaimers were not enough to absolve the company of FCRA liability, especially when the disclaimer directly contradicts express representations in the company’s advertisements.
Again, we urge all mobile app developers to be aware of the following principles to reduce the likelihood of an FTC enforcement action: (i) an app is no different from an Internet website, which is no different from a print ad, (ii) you’d be smart to pay attention to the FTC’s warnings to other companies and their enforcement actions, and (iii) disclaimers are important but often they simply aren’t enough to avoid liability. Also, the FTC has definitely shown that it will use its broad statutory authority and apply existing laws and regulations – including the 1970s -era FCRA — to mobile apps and other online offerings.