Tag Archives: background check

When Are Background Checks Not Allowed?

The Equal Employment Opportunity Commission (EEOC) has been quite active in challenging employers’ use of criminal background and credit history checks during hiring. There is still significant uncertainty about the current standards and law governing checks of criminal and credit history. The lack of solid guidance makes it difficult for employers to evaluate their current use of this information, and to understand the legal pitfalls and hurdles that the EEOC has placed in front of them.

EEOC Directives

The recent activity emanates from the EEOC’s directive and key priority (as set out in its December 2012 Strategic Enforcement Plan (SEP)) to eliminate hiring barriers. This priority includes challenges to policies and practices that exclude applicants based on criminal history or credit checks. The EEOC has a keen interest in this area because it believes that criminal and credit checks have a disparate impact on African American and Hispanic applicants. As the EEOC pursues the directive, expect it to scrutinize failure-to-hire claims where a criminal history or background check was conducted. Even if the background check was “facially neutral” and was applied uniformly to all applicants, the EEOC may investigate to determine whether the check had a “discriminatory effect” on certain applicants.

The EEOC asserts that criminal background checks must be “job-related” and “consistent with business necessity.” Employers are advised to consider: (1) the nature and gravity of the offense or conduct; (2) the time that has passed since the offense, conduct or completion of the sentence; and (3) the nature of the job held or sought. The EEOC stresses the need for an “individualized assessment” before excluding an applicant based on a criminal or credit record.

Local/State/Federal Laws

Employers face additional legal hurdles regarding hiring practices because of recent local and state legislative developments. These laws are commonly referred to as “ban the box” laws (i.e., restrictions on the use of criminal history in hiring and employment decisions). Making matters even more difficult, employers have also been subject to a surge in class action litigation under the Fair Credit Reporting Act (FCRA). The FCRA regulates the gathering and use of criminal histories through third-party consumer reporting agencies when conducting background checks on applicants or employees.

Legal Actions

In pursuit of its directive, the EEOC has filed several large-scale lawsuits against employers. We expect that the EEOC will continue to file similar lawsuits throughout 2015 and beyond. Most have been brought as failure-to-hire claims. For example, an African-American woman brought a claim alleging that she was discriminated against based on her credit history. This claim started out as a single plaintiff action, but, after the EEOC conducted its initial investigation, the EEOC dramatically expanded the scope of the initial charge, alleging that the employer was engaging in a “pattern and practice of unlawful discrimination” against: (1) African-American applicants by using poor credit history as a hiring criterion and (2) African-American, Hispanic and white male applicants by using criminal history as a hiring criterion.

Reasonable employers complain that the EEOC has placed them in a Catch-22. Employers must either ignore criminal history and credit background, exposing themselves to potential liability for criminal and fraudulent acts committed by employees, or use that information and risk an EEOC lawsuit alleging that it was used in a discriminatory way.

Takeaway for Employers

Claims involving criminal background checks and credit checks are an EEOC priority. At this time, employers have little guidance from the courts or the EEOC as to exactly what “job-related” and “consistent with business necessity” mean, or how closely a past criminal conviction must correspond with the duties of a particular job before an employer may legally deny employment to an applicant. Moreover, employers continue to face expanding restrictions on the use of criminal history at the state and local level under ban-the-box legislation, as well as an increasing number of class action lawsuits alleging violations of the Fair Credit Reporting Act’s background check requirements.

Employers are encouraged to work closely with legal counsel on what they should and should not ask of applicants, as well as on how and when they can use the background information they obtain. Because this area of the law is still evolving, we additionally recommend that employers purchase a robust employment practices liability (EPL) insurance policy that will defend them in the event that the EEOC or a well-skilled plaintiff’s counsel pursues a claim against them for discrimination, or for failure to hire based on criminal or credit background checks.

Stop Drowning in Big Data; Use It Right

What’s the big deal about big data?

Big data is an enormously appealing subject these days. However, many companies miss the big picture when collecting it, or end up drowning in it. There is a widespread idea that the more data, the better. In fact, the focus should be on determining the right data to help improve the overall customer experience.

Raining Big Data
Big data is like the weather: everyone is talking about it, but we haven’t quite figured out how to do anything about it. Even fewer know how to leverage it. There are lots of questions but few answers. For example, who’s familiar with the 3Vs (volume, velocity and variety)?

But don’t be afraid to get wet. Data can be used to improve many things for many people, including your employees and customers. I say “can” because, before you do anything, you need to make sure you are using the right data, and not just the random troves collected over the years. Mining the right data can lead you to the right customer problems, which can then be solved, creating a better customer experience.

Background Checks
Always define before measuring. What does great customer experience look like in your industry? Figure out what you need to do to wow customers and then compare that with the reality of your business as it stands now.

I’ve utilized customer journey mapping, net promoter scores and voice of the customer metrics with great results. You can even provide customers incentives to help you out with input.

Here’s a smart way to do that. Start by checking the leading survey on customer experience, the Forrester Customer Experience Index, to see where your organization lands. It might surprise you.

Reliable Friends Are Powerful Friends
The right data helps organizations do many things, including:

• Anticipate what customers want before they ask for it
• Identify customer pain points and resolve them
• Create new business value
• Improve customer service interactions
• Develop more effective marketing and better products
• Improve operational efficiencies

Take Southwest Airlines. It uses speech analytics to extract data-rich information from recorded interactions between customers and personnel in order to better understand its customers.

Or read about Avis Budget’s data-driven growth model. It uses big data to identify the most valuable customers today and tomorrow.

How, you ask?

By examining a broad range of data sources, including structured information like purchase histories, CRM data and intelligence from industry partners, as well as unstructured information like social media, blogs and videos. Sorting through the data has helped the company treat all customers like VIPs.

These are only two examples of forward-thinking leaders using the right data to create actionable insights and monetize their data. There are many more. What about your competitors? How far down the big data road are they? And are they using the right data?

ERISA Bonding Reminder

Employers and Plan Fiduciaries Reminded to Confirm Credentials and Bonding for Internal Staff, Plan Fiduciaries and Vendors Dealing With Benefits

Businesses sponsoring employee benefit plans — along with officers, directors, employees and others acting as fiduciaries with respect to these employee benefit plans — should take steps to confirm that all of the appropriate fiduciary bonds required by the Employee Retirement Income Security Act of 1974, as amended (ERISA) are in place. They should also confirm that all employee benefit plans sponsored are appropriately covered, and that all individuals serving in key positions requiring bonding are covered and appropriately qualified to serve in that capacity under ERISA and the terms of the bond.

Adequate attention to these concerns is not only a required component of ERISA fiduciary compliance; it also may provide invaluable protection if a dishonest act or other fiduciary breach results in a loss or other exposure.

ERISA generally requires that every employee benefit plan fiduciary, as well as every other person who handles funds or other property of a plan (a “plan official”), be bonded if they have some discretionary control over a plan or the assets of a related trust. Some exceptions to this bonding requirement exist, but they are very narrow and apply only if specific criteria are met.

Plan sponsors and other plan fiduciaries should take steps to ensure that all of the bonding requirements applicable to their employee benefit plans are met at least annually. Monitoring these compliance obligations is important not only for the 401(k) and other retirement plans typically associated with these requirements, but also for self-insured medical and other ERISA-covered employee benefit plans.

This process of credentialing persons involved with the plan and auditing bonding generally should begin with adopting a written policy that requires bonding and verification of credentials, and that confirms appropriate bonds are in place for all internal personnel and outside service providers.

Steps should be taken to ensure that the required fiduciary bonds are secured in sufficient amounts and scope to meet ERISA’s requirements. In addition to confirming the existence and amount of the fiduciary bonds, plan sponsors and fiduciaries should confirm that each employee plan for which bonding is required is listed in the bond and that the bond covers all individuals or organizations that ERISA requires to be bonded.

For this purpose, the review should verify the sufficiency and adequacy of bonding in effect for both internal personnel as well as outside service providers. In the case of internal personnel, the adequacy of the bonds should be reviewed annually to ensure that bond amounts are appropriate.

Unless a service provider furnishes a legal opinion that adequately demonstrates that an ERISA bonding exemption applies, plan sponsors and fiduciaries should also require third-party service providers to provide proof of appropriate bonding. The service contract should obligate the provider to be bonded in accordance with ERISA and other applicable law, to provide proof of its bonded status or documentation of its exemption, and to give notice of any events that could affect its bonded status.

When verifying the bonding requirements, it also is a good idea to conduct a criminal background check and other prudent investigation to reconfirm the credentials and suitability of individuals and organizations serving in fiduciary positions or otherwise acting in a capacity covered by ERISA’s bonding requirements.

ERISA generally prohibits individuals convicted of certain crimes from serving, and prohibits plan sponsors, fiduciaries or others from knowingly hiring, retaining, employing or otherwise allowing these convicted individuals, during or for the 13-year period after the later of the conviction or the end of imprisonment, to serve as:

  • An administrator, fiduciary, officer, trustee, custodian, counsel, agent, employee, or representative in any capacity of any employee benefit plan;
  • A consultant or adviser to an employee benefit plan, including but not limited to any entity whose activities are in whole or substantial part devoted to providing goods or services to any employee benefit plan; or
  • In any capacity that involves decision-making authority or custody or control of the moneys, funds, assets, or property of any employee benefit plan.

Because ERISA’s bonding requirements and its requirement that fiduciaries and service providers be prudently selected are themselves fiduciary duties, a breach of these provisions carries all the usual exposures of a fiduciary breach.

Bonding exposures can arise in an audit or as part of a broader fiduciary investigation. The likelihood of discovery in a Labor Department audit or investigation is high, because review of bonding is a standard part of audits and investigations. The Employee Benefits Security Administration (EBSA) Enforcement Manual specifies, in connection with the conduct of a fiduciary investigation or audit:

… the Investigator/Auditor will ordinarily determine whether a plan is in compliance with the bonding, reporting, and disclosure provisions of ERISA by completing an ERISA Bonding Checklist … These checklists will be filled out in fiduciary cases and retained in the RO workpaper case file unless violations are uncovered, developed, and reported in the ROI.

In the best case scenario, where the bonding noncompliance comes to light in the course of an EBSA audit where no plan loss resulted, the responsible fiduciary generally runs at least a risk that EBSA will assess the 20 percent fiduciary penalty under ERISA Section 502(l).

If the bonding lapse comes to light in connection with a fiduciary breach that resulted in damages to the plan, the bonding insufficiency may itself be a breach of fiduciary duty that injured the plan. Where this breach left the plan unprotected against an act of dishonesty or a fiduciary breach by an individual who should have been bonded, it may spread liability for the wrongdoer’s acts to a plan sponsor, member of management or other party serving in a fiduciary role who otherwise would not be liable but for the deficiencies in bonding or other credentialing responsibilities.

Under ERISA Section 409, a fiduciary generally is personally liable for injuries to the plan arising from his own breach (such as failure to properly bond) or resulting from the breach of a co-fiduciary of which he knew, or should have known through the prudent exercise of his responsibilities.

Of course, in the most serious cases, such as embezzlement or other criminal acts by an ERISA fiduciary, the consequences can be quite dire. Knowing or intentional violation of ERISA’s prohibition on allowing disqualified persons to serve exposes the guilty party to fines of up to $10,000, imprisonment for not more than five years, or both. Even where the violation is not knowing or willful, allowing disqualified persons to serve in fiduciary roles can have serious consequences, such as exposure to Department of Labor penalties and personal liability for breach of fiduciary duty for damages to the plan, if it is established that the engagement of such an individual was imprudent and caused the loss.

When conducting such a background check, care should be taken to comply with the applicable notice and consent requirements for third-party background checks under the Fair Credit Reporting Act (FCRA) and other applicable law. Because such background investigations generally are conducted through a third-party consumer reporting agency in a manner that makes them consumer reports for purposes of the FCRA, conducting them in a manner that violates the FCRA’s requirements can itself be a source of significant liability.

Cyber Risk

Understanding your exposure to technology and implementing baseline controls should always come before you consider insuring those risks.

What is a firewall? What would I do with a privacy policy? What is encryption and why would my company need to encrypt any of our data? How would I implement an incident response plan? How many personal health records do we have in our database? Do we do background checks? Who has access to our server room? Why do I need to answer so many questions just to get a proposal for insurance?

These are the types of questions that come up during the cyber insurance application process, and this is often the first time someone outside of the IT department has had to answer them. With the growth of the cyber insurance industry, now estimated at almost $1,000,000,000 in gross written premium for 2011[1], risk managers, insurance agents and boards of directors are wondering why they now also have to talk to the IT department when discussing risk management and their insurance renewal.

A vendor mistake, an administrator’s misconfigured firewall or even an improperly negotiated cloud contract can pose a systemic risk to your corporation.

Regulatory expectations continue to rise (due to increased enforcement of the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, the attention drawn by 46 different state breach notification laws enforced by state attorneys general, and the Fair and Accurate Credit Transactions Act), and consumer opinion is constantly being expressed in the form of class action suits, so these situations continue to get more difficult to navigate.

Plaintiffs’ attorneys consistently bring suits seeking monetary damages as a result of privacy or security breaches. The absence of adequate controls is the common focus of such suits following a breach. Additionally, the bad actors trying to gain improper access to your information will consistently focus on firms that lack simple or intermediate controls.

According to Verizon, 96% of attacks were not highly difficult and 97% of breaches were avoidable through simple or intermediate controls.[2] Your own data (account lists, legal documents, vendor agreements, price lists, R&D information, trade secrets) and client/patient information (personally identifiable information and health records) are what the hackers want.

Implementing baseline controls is the first element of fixing your cyber problems.

Several states have enacted laws that expect these baseline controls to be in place to protect their consumers. In Massachusetts, for example, a regulation (the WISP rule)[3] requires a legal entity holding personal information about a Massachusetts resident to develop and implement a written information security program to protect that personal information. If this standard is not met, on top of civil penalties of up to $5,000 per violation, the corporation could also face negligence-based litigation.

Like every state notification law that exists today, the law is based on the location of the consumer, not the corporation’s place of domicile. In Nevada, since 2008, businesses have been required to use encryption when transmitting a customer’s personal information externally (other than by fax).[4] Additionally, the Payment Card Industry (PCI) Data Security Standard requires all corporations involved in credit-card transactions to comply with a varying set of requirements depending on their size. For additional information, refer to https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php.

This is an important step for companies dealing with credit cards. The 2012 Verizon Data Breach Investigations Report also found that 96% of victims subject to the PCI Data Security Standard had not achieved compliance. This statistic shows the importance of taking security controls seriously.

Once your organization takes cyber security controls seriously and understands that even the best controls do not insulate it from the exposures that exist, you should then take the time to discuss the insurance implications. Your insurance agent or broker can provide input on how your current insurance coverage(s) could respond, and can also put you in touch with underwriters at more than 30 insurance markets that have dedicated cyber products and submission processes and are able to design coverage specific to your company. Additionally, most markets can help with loss control and ensure that you stay abreast of the current threat environment.

With adequate controls, a general understanding of the regulatory implications of a privacy breach and knowledge of the insurance consequences, you will be much better prepared if a problem with your company’s technology does happen.

[1] Betterley Report, Cyber/Privacy Insurance Market Survey 2012

[2] Verizon 2012 Data Breach Investigations Report

[3] Massachusetts 201 CMR 17.00

[4] Nev. Rev. Stat. 597.970(1) (2005)

If You Don't Do This, It Can Cost You Big Money

This is the third article in a five-part series on risk management. Additional articles in this series can be found here: Part 1, Part 2, Part 4, and Part 5.

In our last segment, we discussed how important the “Pre-Hire” process is to your bottom line, covering the various “on-boarding” activities companies should consider when hiring new employees.

The second step in the “4P” plan is known as the “Post-Offer” step. At this stage, you should be asking yourself this question, “What should we be doing after we've offered someone a job?”

That question leads to another very important question: Does your company use a Post Offer Health Questionnaire and a Conditional Offer of Employment letter after you've made an offer of employment?

If your answer was no, please realize that you are setting your company up for potentially large losses to your profits. A manufacturing company offered a job to a 34-year-old male without using these two documents, which ended up costing it an additional $76,178 in insurance premiums and $2,158,742 in lost revenue.

By having an applicant sign a Conditional Offer of Employment letter before putting them on the job, you at least give yourself time to conduct the background checks that should be done on all applicants. You are also putting your new hire on notice of the various procedures you conduct during your hiring process. In having the new hire complete a Medical Health Questionnaire, they document their past medical history, which should surface any issues that might be a red flag that could keep them from fulfilling their job description safely. You may also want to consider having your applicant take a “Physical Abilities Test” to ensure they are able to fulfill all the physical requirements of the job safely.

Let me explain why the use of the medical health questionnaire is so important. In 1961, an important case known as “Martin Company vs. Carpenter” set the precedent that later became statute in Florida in 1994. It gives your insurance company the ability to deny workers’ compensation benefits if an applicant commits fraud in their employment documentation by failing to disclose material information.

In the case study above, the manufacturing company did not use the questionnaire, which would have given the applicant the opportunity to disclose that he had back surgery three months prior and that, due to his limitations, he would not have qualified for the job and its physical requirements. The new employee re-injured his back, requiring more surgery, which cost the company significant profits.

If an applicant commits fraud, the carrier has the ability to deny the claim. If the applicant discloses a previous injury, you will need to evaluate the situation to see whether accommodations can be made or whether they are physically able to do the job safely.

As another point, please make sure you keep an applicant’s medical questionnaire in a separate filing cabinet away from routine paperwork in order to be in compliance with HIPAA laws.

In our next post, we’ll look at the third part of the “4P” plan, the Pre-Claim process, and its importance to your profitability.