CIC Screening Compliance update September 2018

Federal Developments

Amendment to Fair Credit Reporting Act
S.2155, which was enacted in May of this year, amends the Fair Credit Reporting Act (FCRA) to allow consumers to request a security freeze, free of charge, from the nationwide credit reporting agencies (Equifax, Trans Union, and Experian). S.2155 also extended the length of time for initial fraud alerts from ninety (90) days to one year. As a reminder, a consumer may request an initial fraud alert from the nationwide consumer reporting agencies when they believe that they have been or about to become a victim of fraud or identity theft.

S. 2155 also includes a new notice that must be provided to consumers “[a]t any time a consumer is required to receive a summary of rights required under section 609.” Therefore, as of September 21, 2018, consumer reporting agencies must provide this new consumer notice (see below) whenever the consumer is required to receive a summary of rights under Section 609 (§1681g) of the FCRA (either the federal Summary of Rights notice or the “Remedying the Effects of Identity Theft” notice). Thus, even though the requirement to place a security freeze under federal law applies only to nationwide consumer reporting agencies, all consumer reporting agencies must provide the additional notice.

The notice required by the new provision that applies to any circumstance in which the consumer is required to receive a summary of rights under Section 609 is as follows:

Consumers have the right to obtain a security freeze

You have a right to place a ”security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years. A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

California Employers Must Get Applicant OK for Background Check
California employers, lenders, and landlords must obey the tougher of two privacy laws and inform applicants before investigating their background, the state Supreme Court ruled Aug. 20. The 7-0 decision affects the thousands of credit, employment, and housing decisions made daily in California under two laws. One of them requires prior notice and authorization before certain types of background investigative reports are ordered. The other covers more consumer-oriented information that doesn’t require advance disclosure or consent. The justices upheld a lower court ruling that school bus transportation company First Student Inc., part of FirstGroup plc, failed to adequately notify and obtain consent from former Laidlaw International Inc. bus drivers and aides before it conducted background checks on 54,000 workers. The reports were ordered after First Student bought Laidlaw in 2007. First Student had to comply with the more protective Investigative Consumer Reporting Agencies Act-designed to give consumers a chance to correct information and address identity theft-regardless of the company’s compliance with the less-stringent requirements in the Consumer Credit Reporting Agencies Act, the California Supreme Court said. “The implications are that these two laws are relatively straightforward and easy to follow. So landlords, employers, banks, anyone seeking to run a background check that falls in one or both of these statutes will continue have to comply with them,” Hunter Pyle of Hunter Pyle Law in Oakland, Calif., representing plaintiff Eileen Connor, told Bloomberg Law. “Employees will have their privacy rights protected, and the worst types of abuses where entities run background checks on people without telling them will be illegal under California law,” Pyle said Aug. 20.

Compliance Consent Required
In interpreting the two laws, “we agree with the Court of Appeal and find that potential employers can comply with both statutes without undermining the purpose of either,” the Supreme Court said. Connor’s case involves a report that falls under the scope of both laws and “is simply one that contains information bearing on both a consumer’s credit worthiness and on her character. It seems to us that such a duality does not make legal compliance particularly difficult, much less impossible,” Justice Ming Ching wrote for the court. The ruling covers a single Laidlaw employee in the bellwether case for more than 1,200 former workers alleging that First Student needed their approval for the background checks. The case now returns to an appeals court and then to the Los Angeles trial court. “Finally the bus drivers and aides involved can have their cases resolved on the merits,” Catha Worthman, Feinberg Jackson Worthman & Wasow LLP partner and co-counsel for Connor, told Bloomberg Law. Violations of the Investigative Act carry a $10,000-per-violation penalty, so for the remaining 450 plaintiffs who didn’t accept settlements, that is a “potentially life changing amount” for drivers and aides, Worthman said.

No Confusion
The justices rejected reasoning in a separate 2007 appellate decision in Ortiz v. Lyon Management Group Inc. involving tenants that concluded the Investigative Act was unconstitutionally vague. First Student argued that it relied on Ortiz in its decision to proceed with processing the records. The California Supreme Court, however, agreed with the appeals court in Connor’s case. Chad Saunders with Hunter Pyle Law and Genevieve Casey with Feinberg Jackson also represented Connor. Ronald Peters and Benjamin Emmert, shareholders with Littler Mendelson PC in San Jose, Calif., represented First Student. The case is Connor v. First Student Inc., Cal., No. S229428, opinion 8/20/18 (http://www.courts.ca.gov/opinions/documents/S229428.PDF)
https://www.bna.com/calif-employers-applicants-n73014481861/

District Court Dismisses FCRA Disclosure Claim Against Casino in Absence of Concrete Injury
Under the Fair Credit Reporting Act, a potential employer generally may not procure a consumer report on an applicant unless the employer provides a disclosure, in a document that consists “solely of the disclosure,” informing the applicant that a consumer report may be obtained. In Williams v. TLC Casino Enters., the District Court for the District of Nevada has joined a growing chorus of courts finding that a plaintiff cannot bring a “solely of the disclosure” claim in federal court when he or she has suffered no actual harm separate from the perceived failure to properly format the disclosure. Specifically, in Williams, the plaintiff alleged (on a class basis) that TLC Casino Enterprises violated the FCRA by obtaining a consumer report on her without providing her with a “stand-alone document of a legal disclosure.” According to Williams, TLC only provided her “with a written conditional offer to hire that included, inter alia, the following statement: ‘Continuation of this position and your employment is dependent upon your passing any Background Check or Drug Screen that may be required for your position.’” This document, in Williams’ view, was not a disclosure that consisted “solely of the disclosure” that a consumer report may be obtained for employment purposes. TLC Casino Enterprises moved to dismiss Williams’ complaint for lack of standing, arguing that her claim amounted to nothing more than a bare procedural violation of the FCRA. According to the defendant, Williams could not state a claim in federal court because the bare procedural violation of a statute alone does not satisfy the injury-in-fact requirement for Constitutional standing. The Court agreed with TLC Casino Enterprises. In its decision, it drew on the Supreme Court’s decision in Spokeo, Inc. v. Robins to conclude that Williams must allege a “concrete injury in fact” separate from the procedural violation of a statute in order to demonstrate standing. Williams could not do that here. According to the Court, Williams framed TLC Casino Enterprises’ alleged FCRA violation as having “failed to provide the disclosure in a format required by the FCRA.” But “[a] formatting error such as this is a procedural issue that does not satisfy the requirement that plaintiff demonstrate a concrete, particularized injury.” Although plaintiffs’ counsel often argue that disclosure claims are straightforward and easily certifiable as a purported class action, the Williams decision demonstrates that this is not the case. Indeed, courts are increasingly dismissing disclosure claims when plaintiffs allege nothing more than the violation of a procedural FCRA requirement.
https://www.lexology.com/library/detail.aspx?g=1d65dd34-44cf-4699-84ba-425d83b0defc&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=acc+newsstand+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2018-08-02&utm_term

New Jersey Federal Court: Employer Need Not Waive Drug Test for Medical Marijuana User
Despite the legalization of medical marijuana in a majority of states, marijuana remains illegal under the federal Controlled Substances Act (“CSA”), which lists cannabis as a prohibited Schedule 1 illegal drug.

What does it mean to be a Schedule 1 drug?
“Schedule I drugs, substances, or chemicals are defined as drugs with no currently accepted medical use and a high potential for abuse,” according to the U.S. Drug Enforcement Agency. In light of this federal prohibition on marijuana, employers have professed confusion over what exactly they can prohibit when so many states have legalized medical marijuana. I emphasize medical because in the employment arena, “medical” may connote a “disability” under the Americans with Disabilities Act (the “ADA”). We discussed that employers must engage in an interactive process with an employee who has, or may be perceived as having a disability, or has a record of a disability, so the critical question becomes: does the ADA require an employer to provide a reasonable accommodation to medical marijuana cardholders?

As I explained here, the ADA excludes from protection “an individual who is currently engaging in the illegal use of drugs” from its definition of an “individual with a disability,” with one very limited but significant exception. As a Schedule 1 drug under the CSA, taking marijuana excludes an employee from ADA protection.

Let’s see how one New Jersey court handled a reasonable accommodation request under the state’s medical marijuana law.

New Jersey’s Medical Marijuana Law
Like the Pennsylvania medical marijuana law, New Jersey’s Compassionate Use Medical Marijuana Act (“CUMMA”) is silent as to an employer’s obligation to make any accommodation for the use of medical marijuana on the property or premises of any place of employment. Despite cannabis’ categorization as a Schedule 1 drug under the CSA, when enacting CUMMA, the NJ legislature found that “[m]odern medical research has discovered a beneficial use for marijuana in treating or alleviating the pain or other symptoms associated with certain debilitating medical conditions.” Thus we see the dichotomy when federal law claims the opposite of state law.

NJ Federal Court Ruling – No Reasonable Accommodation!
Anyway, so, the employee in question, a forklift operator, possessed a doctor’s recommendation for medical cannabis (and Percocet) to treat his neck and back pain. The employee had an accident at work and saw a doctor, who placed the employee on “light duty.” Upon his return, he could still perform all the essential functions of the job, but his employer required that he pass a drug and urine test. Knowing that if he failed the test he would be fired, the employee sought a waiver of the drug test as a reasonable accommodation. The employer balked and argued that CUMMA did not require such a waiver. Did the court agree and require that the employer waive its drug-testing policy as a reasonable accommodation? Not so much. In an Opinion last week, which you can read in full here. (https://images.law.com/contrib/content/uploads/documents/399/14598/med-mar.pdf), the federal District Court stated that CUMMA does not require an employer to permit the use of medical marijuana in the workplace. Fine. Makes sense. Significantly, the court also noted that CUMMA specifically excluded employers from its scope. Then, the court sided with the employer, determining that NJ’s narrower law (in comparison to other states) did not require an employer to waive its use of a drug test as an accommodation. Judge Kugler seemed to base his holding on a “plain language of the statute argument” and a prediction, as he explained: Unless expressly provided for by statute, most courts have concluded that the decriminalization of medical marijuana does not shield employees from adverse employment actions.

This Court predicts that the New Jersey judiciary would reach a similarly obvious conclusion: the LAD does not require an employer to accommodate an employee’s use of medical marijuana with a drug test waiver. Although no court has expressly ruled on this question, New Jersey courts have generally found employment drug testing to be unobjectionable in the context of private employment.

Wait, what happened to the interactive process? Isn’t that a requirement? Didn’t the employer have to engage in a discussion with the employee to determine whether an alternative accommodation existed to accommodate the employee’s disability? Apparently not, and that process is not referenced in the Opinion (perhaps because it was not pleaded in the complaint). What does this tell us?

How these cases are treated may depend on your state. Under similar circumstances, courts in other states have determined that an exception to an employer’s drug policy could constitute a reasonable accommodation, but in any event, the employer was required to engage in the interactive process to determine whether there were any alternatives for the employee’s medical marijuana use.

Employer Takeaway
New Jersey law does not require private employers to waive drug tests for users of medical marijuana. Will it in the future? Judge Kugler thinks it unlikely, but, just in case, employers may want to consider initiating the interactive process to determine if a reasonable accommodation or an alternative to its drug-free policy exists.
https://www.lexology.com/library/detail.aspx?g=2662b882-a5dd-493c-bd57-89fe802225df&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=acc+newsstand+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2018-08-17&utm_term

Privacy Shield Guidance When Personal Data Transferred from the EU to the U.S. for Processing Purposes
If you operate as a processor under the Privacy Shield Program, you should familiarize yourself with the guidance released by the Privacy Shield Framework related to processors’ access obligations, which can be retrieved at https://www.privacyshield.gov/article?id=Processing-FAQs. The document provides guidance with regard to the following questions:

• When personal data is transferred from the European Union (EU) to the United States for processing purposes only, what contractual requirements are mandated by the Framework(s)?
• How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Notice Principle?
• How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Choice Principle?
• How can a Privacy Shield participant acting as a processor adhere to the Frameworks’ Data Integrity and Purpose Limitation Principle?

How can a participant acting as a processor adhere to the Frameworks’ Access Principle?