Tag Archives: fcra

When Are Background Checks Not Allowed?

The Equal Employment Opportunity Commission (EEOC) has been quite active in challenging employers’ use of criminal background and credit history checks during hiring. There is still significant uncertainty as to the current standards and law governing checks of criminal and credit history. The lack of solid guidance makes it difficult for employers to determine how to evaluate their current use of this information, as well as to understand the legal pitfalls and hurdles that the EEOC has placed in front of them.

EEOC Directives

The recent activity stems from the EEOC’s directive and key priority (as set out in its December 2012 Strategic Enforcement Plan (SEP)) to eliminate hiring barriers. This priority includes challenges to policies and practices that exclude applicants based on criminal history or credit checks. The EEOC has a keen interest in this area, as it believes that criminal/credit checks have a disparate impact on African American and Hispanic applicants. As the EEOC pursues the directive, expect the EEOC to scrutinize failure-to-hire claims where a criminal history or background check was conducted. Even if the background check was “facially neutral” and was uniformly given to all applicants, the EEOC may investigate to determine if the check had a “discriminatory effect” on certain applicant(s).

The EEOC asserts that criminal background checks must be “job-related” and “consistent with business necessity.” Employers are advised to consider: (1) the nature and gravity of the offense or conduct; (2) the time that has passed since the offense, conduct or completion of the sentence; and (3) the nature of the job held or sought. The EEOC stresses the need for an “individualized assessment” before excluding an applicant based on a criminal or credit record.

Local/State/Federal Laws

Employers face additional legal hurdles regarding hiring practices because of recent local and state legislative developments. These laws are commonly referred to as “ban the box” (i.e., restrictions on the use of criminal history in hiring and employment decisions). Making matters even more difficult, employers have also been subject to a surge in class action litigation under the Fair Credit Reporting Act (FCRA). The FCRA regulates the use of and gathering of criminal histories through third-party consumer reporting agencies with respect to conducting background checks on applicants or employees.

Legal Actions

In pursuit of its directive, the EEOC has filed several large-scale lawsuits against employers. We expect that the EEOC will continue to file similar lawsuits throughout 2015 and beyond. Most have been brought as failure-to-hire claims. For example, an African-American woman brought a claim alleging that she was discriminated against based on her credit history. This claim started out as a single plaintiff action, but, after the EEOC conducted its initial investigation, the EEOC dramatically expanded the scope of the initial charge, alleging that the employer was engaging in a “pattern and practice of unlawful discrimination” against: (1) African-American applicants by using poor credit history as a hiring criterion and (2) African-American, Hispanic and white male applicants by using criminal history as a hiring criterion.

Reasonable employers complain that the EEOC has placed them in a Catch-22. Employers must choose between ignoring criminal history and credit background, which exposes them to potential liability for criminal and fraudulent acts committed by employees, and using this information, which exposes them to an EEOC lawsuit for having used it in a discriminatory way.

Takeaway for Employers

Claims involving criminal background checks and credit checks are an EEOC priority. At this time, employers have little guidance from the courts or the EEOC as to exactly what “job-related” and “consistent with business necessity” mean and just how closely a past criminal conviction has to correspond with the duties of a particular job for an employer to legally deny employment to an applicant. Moreover, employers continue to witness expanding restrictions dealing with criminal history at the state and local level based on ban-the-box legislation, as well as with an increasing number of class action lawsuits involving background checks as required under the Fair Credit Reporting Act.

Employers are encouraged to work closely with legal counsel as to what they should and should not ask of applicants, as well as how and when they can use the background information they obtain. Given this evolving area of the law, we additionally recommend that employers purchase a robust EPL policy that will defend them in the event that the EEOC or a well-skilled plaintiff’s counsel pursues a claim against them for discrimination, or for failure to hire based on criminal or credit background checks.

A Catch-22 on Hiring the Disabled

In the Missouri Court of Appeals' recent decision in Stewart v. Second Injury Fund, the facts were not in dispute: Ms. Stewart worked at Subway for a few months, suffered a moderately severe injury at work and could not return to any type of employment.

Here’s where the story becomes interesting: The claimant qualified for Social Security disability in 1997 — more than 10 years before she started working at Subway. 

Her Social Security disability was awarded based on confirmed medical conditions including arthritis, reflex sympathetic dystrophy, degenerative joint and bone disease and carpal tunnel syndrome. She continued to receive Social Security disability benefits even while she was working at Subway.

After her work injury in 2009, she filed for workers' compensation benefits, claiming that she was permanently and totally disabled.

Was the claimant permanently and totally disabled before her injury at Subway? Apparently not, because she was able to obtain that job and perform the duties associated with that job. In the absence of her injury, she would have presumably been able to continue working. 

Why would she be entitled to Social Security disability benefits if she was able to compete in the open labor market? If she was disabled in 1997, should she be entitled to more benefits when she was injured at a job that she should not have been able to obtain?

What if Subway had told the claimant during her initial job interview that she could not be hired because of her multiple disabilities? She could have sued Subway under the Americans with Disabilities Act, arguing that Subway was discriminating against her. Subway, not wanting to be sued, could have been forced to hire the claimant only to face the prospect of being liable for permanent total disability after only a few months of work.

I’m not attempting to disparage the claimant. She obtained benefits that are legally provided. My question is this: Is it fair to place employers in no-win situations where they face litigation if the employee is not hired, yet still face litigation if the employee IS hired?

This situation arises because of the myriad state and federal laws that regulate every facet of the workplace. Every employer must wade through an alphabet soup of overlapping laws every single day (ADA, FMLA, COBRA, EFCA, EAD, ERISA, FLSA, FCRA, INA and a host of others).

One cannot swing the proverbial dead cat without hitting five politicians giving a speech focused on creating jobs. Yet, can jobs be created by strangling the very companies that create these jobs?

Another Reason to Consider Cyber Insurance

Here a breach, there a breach, everywhere a data breach.

Verizon’s most recent 2013 Data Breach Investigations Report remarks that “[p]erhaps more so than any other year, the large scale and diverse nature of data breaches and other network attacks took center stage” this year.1 And no organization is immune from a breach. The last two years have seen some of the world’s most sophisticated corporate giants fall victim to some of the largest data breaches in history. It is clear that cyber attacks — including data breaches — are on the rise with unprecedented frequency, sophistication and scale. They are pervasive across industries and geographical boundaries. And they represent “an ever-increasing threat.”2 The problem of cyber risks is exacerbated, not only by increasingly sophisticated cyber criminals and evolving malware, but also by the trend in outsourcing of data handling, processing and storage to third-party vendors, including “cloud” providers, and by the simple reality of the modern business world, which is full of portable devices such as cellphones, laptops, iPads, USB drives, jump drives, media cards, tablets and other devices that may facilitate the loss of sensitive information.

While data breaches and other types of cyber risks are increasing, laws and regulations governing data security and privacy are proliferating. In its most recent 2013 Cost of Data Breach Study, the Ponemon Institute reports that U.S. organizations spend on average $565,020 on post-breach notification alone.3 Companies may also face lawsuits seeking damages for invasion of privacy, as well as governmental and regulatory investigations, fines and penalties, damage to brand and reputation and other negative repercussions from a data breach, including those resulting from breaches of the Payment Card Industry Data Security Standards. The Ponemon Institute’s recent study reports that the average organizational cost of a data breach in 2012 was $188 per record for U.S. organizations ($277 in the case of malicious attacks) and that the average number of breached records was 28,765, for a total of $5.4 million.4 The study does not “include organizations that had data breaches in excess of 100,000” records,5 although large-scale breaches clearly are on the rise. In the face of these daunting facts and figures, it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.

Insurance can play a vital role in a company’s efforts to mitigate cyber risk. This fact has the attention of the Securities and Exchange Commission. In the wake of “more frequent and severe cyber incidents,” the SEC’s Division of Corporation Finance has issued guidance on cybersecurity disclosures under the federal securities laws. The guidance advises that companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents” and that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage.”6

While some companies carry policies that are specifically designed to afford coverage for cyber risk, most companies have various forms of traditional insurance that may cover cyber risks, including Insurance Services Office (ISO)7 standard-form commercial general liability (CGL) policies. There may be significant coverage under CGL policies, including for data breaches that result in disclosure of personally identifiable information (commonly termed “PII”) and other claims alleging violation of a right to privacy. For example, there is significant potential coverage under the “Personal and Advertising Injury Liability” coverage section (Coverage B) of the standard-form ISO CGL policy, which currently states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury.’”8 “Personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy.”9 Coverage disputes generally focus on whether there has been a “publication” that violates the claimant’s “right of privacy”—both terms are left undefined in standard-form ISO policies, and courts generally have construed the language favorably to insureds and have found coverage for a wide variety of claims alleging misuse of customer information and breach of privacy laws and regulations.10 There may also be coverage under the “Bodily Injury and Property Damage” section of the standard CGL form (Coverage A), which states that the insurer “will pay those sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’” that “occurs during the policy period.”11

As courts have found coverage for various types of cyber risks, however, ISO has added limitations and exclusions purporting to cut off CGL lines of coverage. For example, in response to a number of cases upholding coverage for breach of the Telephone Consumer Protection Act, the Fair Credit Reporting Act and other privacy laws, the current ISO standard form contains the following exclusion, which is applicable to both Coverage A and Coverage B:

This insurance does not apply to:

Recording And Distribution Of Material Or Information In Violation Of Law

“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:

  1. The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
  2. The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
  3. The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
  4. Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.12

Insurers have raised this exclusion, among others, in recent privacy-breach cases.13

More sweepingly, as part of its April 2013 revisions to the CGL policy forms, ISO introduced an endorsement, titled “Amendment Of Personal And Advertising Injury Definition,” which entirely eliminates the key “offense” of “[o]ral or written publication, in any manner, of material that violates a person’s right of privacy” (found at Paragraph 14.e of the Definitions section of Coverage B):

With respect to Coverage B Personal And Advertising Injury Liability, Paragraph 14.e. of the Definitions section does not apply.14

And the latest: ISO has just filed a number of data-breach exclusionary endorsements for use with its standard-form primary, excess and umbrella CGL policies. These are to become effective in May 2014. By way of example, one of the endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – Limited Bodily Injury Exception Not Included,” adds the following exclusion to Coverage A:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information And Data-related Liability

Damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of that which is described in Paragraph (1) or (2) above.15

The endorsement also adds the following exclusion to Coverage B:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit-card information, health information or any other type of nonpublic information.

This exclusion applies even if damages are claimed for notification costs, credit-monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by you or others arising out of any access to or disclosure of any person's or organization's confidential or personal information.16

ISO states that “when this endorsement is attached, it will result in a reduction of coverage due to the deletion of an exception with respect to damages because of bodily injury arising out of loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data” and that “[t]o the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person's right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.”17 While acknowledging that coverage for data breaches is currently available under its standard forms, ISO explains that “[a]t the time the ISO CGL and [umbrella] policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy.”18 The scope of this exclusion ultimately will be determined by judicial review.

Although it may take some time for the new (or similar) exclusions to make their way into general liability policies, and the full reach of the exclusions remains unclear, they provide another reason for companies to carefully consider specialty cyber insurance products. Even where insurance policies do not contain the newer limitations or exclusions, insurers may argue that cyber risks are not covered under traditional policies. The legal dispute between Sony and its insurers concerning the PlayStation Network data breach highlights the challenges that companies can face in getting insurance companies to cover losses arising from cyber risks under CGL policies. Sony argues that there is data breach coverage because “[t]he MDL Amended Complaint… alleges that plaintiffs suffered the ‘loss of privacy’ as the result of the improper disclosure of their ‘Personal Information’ [which] has been held to constitute ‘material that violates a person’s right of privacy’.”19 However, the insurers seek a declaration that there is no coverage under the CGL policies at issue, among other reasons, on the basis that the underlying lawsuits “do not assert claims for … ‘personal and advertising injury’.”20 The Sony coverage suit does not represent the first time that insurers have refused to voluntarily pay claims resulting from a network security breach or other cyber-related liability under CGL policies. Nor will it be the last. Even where there is a good claim for coverage, insurers can be expected to continue to argue that cyber risks are not covered under CGL or other traditional policies.

As far as data breaches are concerned, cyber policies usually provide some form of “privacy” coverage. This coverage would typically provide defense and indemnity coverage for claims arising out of a data breach that actually or potentially compromises PII. By way of example, the AIG Specialty Risk Protector specimen policy21 states that the insurer will “pay … all Loss” that the “Insured is legally obligated to pay resulting from a Claim alleging … a Privacy Event.” “Privacy Event”22 includes:

  1. any failure to protect Confidential Information (whether by “phishing,” other social engineering technique or otherwise) including, without limitation, that which results in an identity theft or other wrongful emulation of the identity of an individual or corporation;
  2. failure to disclose an event referenced in Sub-paragraph (1) above in violation of any Security Breach Notice Law; or
  3. violation of any federal, state, foreign or local privacy statute alleged in connection with a Claim for compensatory damages, judgments, settlements, pre-judgment and post-judgment interest from Sub-paragraphs (1) or (2) above.23

“Confidential Information” is defined as follows:

“Confidential Information” means any of the following in a Company’s or Information Holder’s care, custody and control or for which a Company or Information Holder is legally responsible:

  1. information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords;
  2. information concerning an individual that would be considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 113 Stat. 1338) (as amended) and its implementing regulations;
  3. information concerning an individual that would be considered “protected health information” within Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations;
  4. information used for authenticating customers for normal business transactions;
  5. any third party’s trade secrets, data, designs, interpretations, forecasts, formulas, methods, practices, processes, records, reports or other item of information that is not available to the general public[.] 

There are numerous specialty cyber products on the market that generally respond to data breaches. A policy offering the privacy coverage will often offer coverage for civil, administrative and regulatory investigations, fines and penalties and, importantly, will commonly offer “remediation coverage” (sometimes termed “crisis management” or “notification” coverage) to address costs associated with a security breach, including:

  • costs associated with post-data breach notification
  • credit-monitoring services
  • forensic investigation to determine cause and scope of a breach
  • public relations efforts and other “crisis management” expenses
  • legal services to determine an insured’s indemnification rights where a third party’s error or omission has caused the problem.

Cyber insurance policies offer other types of coverage as well, including media liability coverage (for claims alleging, for example, infringement of copyright and other intellectual property rights and misappropriation of ideas or media content), first party property and network interruption coverage, and cyber extortion coverage. The cyber policies can be extremely valuable. But selecting and negotiating the right cyber insurance product presents a real and significant challenge. There is a dizzying array of cyber products on the marketplace, each with its own insurer-drafted terms and conditions, which vary dramatically from insurer to insurer—even from policy to policy underwritten by the same insurer. Because of the nature of the product and the risks that it is intended to cover, successful placement requires the involvement and input, not only of a capable risk management department and a knowledgeable insurance broker, but also of in-house legal counsel and IT professionals, resources and compliance personnel—and experienced insurance coverage counsel.

ERISA Bonding Reminder

Employers And Plan Fiduciaries Reminded To Confirm Credentials And Bonding For Internal Staff, Plan Fiduciaries And Vendors Dealing With Benefits

Businesses sponsoring employee benefit plans — along with officers, directors, employees and others acting as fiduciaries with respect to these employee benefit plans — should take steps to confirm that all of the appropriate fiduciary bonds required by the Employee Retirement Income Security Act of 1974, as amended (ERISA) are in place. They should also confirm that all employee benefit plans sponsored are appropriately covered, and that all individuals serving in key positions requiring bonding are covered and appropriately qualified to serve in that capacity under ERISA and the terms of the bond.

Adequate attention to these concerns not only is a required component of ERISA's fiduciary compliance, it also may provide invaluable protection if a dishonesty or other fiduciary breach results in a loss or other exposure.

ERISA generally requires that every employee benefit plan fiduciary, as well as every other person who handles funds or other property of a plan (a “plan official”), be bonded if they have some discretionary control over a plan or the assets of a related trust. Some exceptions to this bonding requirement exist, but they are very narrow and apply only if specific criteria are met.

Plan sponsors and other plan fiduciaries should take steps to ensure that all of the bonding requirements applicable to their employee benefit plans are met at least annually. Monitoring these compliance obligations is important not only for the 401(k) and other retirement plans typically associated with these requirements, but also for self-insured medical and other ERISA-covered employee benefit plans.

This process of credentialing persons involved with the plan and auditing bonding generally should begin with adopting a written policy that requires bonding and verification of credentials, and that requires confirmation that appropriate bonds are in place for all internal personnel and outside service providers.

Steps should be taken to ensure that the required fiduciary bonds are secured in sufficient amounts and scope to meet ERISA’s requirements. In addition to confirming the existence and amount of the fiduciary bonds, plan sponsors and fiduciaries should confirm that each employee plan for which bonding is required is listed in the bond and that the bond covers all individuals or organizations that ERISA requires to be bonded.

For this purpose, the review should verify the sufficiency and adequacy of bonding in effect for both internal personnel as well as outside service providers. In the case of internal personnel, the adequacy of the bonds should be reviewed annually to ensure that bond amounts are appropriate.

Unless a service provider furnishes a legal opinion that adequately demonstrates that an ERISA bonding exemption applies, plan sponsors and fiduciaries also should require third party service providers to provide proof of appropriate bonding, to contract to be bonded in accordance with ERISA and other applicable laws, to provide proof of their bonded status or documentation of their exemption, and to give notice of events that could affect their bonded status.

When verifying the bonding requirements, it also is a good idea to conduct a criminal background check and other prudent investigation to reconfirm the credentials and suitability of individuals and organizations serving in fiduciary positions or otherwise acting in a capacity covered by ERISA’s bonding requirements.

ERISA generally prohibits individuals convicted of certain crimes from serving, and prohibits plan sponsors, fiduciaries or others from knowingly hiring, retaining, employing or otherwise allowing these convicted individuals during or for the 13-year period after the later of the conviction or the end of imprisonment, to serve as:

  • An administrator, fiduciary, officer, trustee, custodian, counsel, agent, employee, or representative in any capacity of any employee benefit plan;
  • A consultant or adviser to an employee benefit plan, including but not limited to any entity whose activities are in whole or substantial part devoted to providing goods or services to any employee benefit plan; or,
  • In any capacity that involves decision-making authority or custody or control of the moneys, funds, assets, or property of any employee benefit plan.

Because ERISA’s bonding requirements and its requirement of prudent selection of fiduciaries and service providers are themselves fiduciary obligations, a breach of these provisions carries all the usual exposures of a fiduciary breach.

Bonding exposures can arise in an audit or as part of a broader fiduciary investigation. The likelihood of discovery in a Labor Department audit or investigation is high, as review of bonding is a standard part of audits and investigations. The Employee Benefit Security Administration (EBSA) Enforcement Manual specifies in connection with the conduct of a fiduciary investigation or audit:

… the Investigator/Auditor will ordinarily determine whether a plan is in compliance with the bonding, reporting, and disclosure provisions of ERISA by completing an ERISA Bonding Checklist … These checklists will be filled out in fiduciary cases and retained in the RO workpaper case file unless violations are uncovered, developed, and reported in the ROI.

In the best case scenario, where the bonding noncompliance comes to light in the course of an EBSA audit where no plan loss resulted, the responsible fiduciary generally runs at least a risk that EBSA will assess the 20 percent fiduciary penalty under ERISA Section 502(l).

If the bonding lapse comes to light in connection with a fiduciary breach that resulted in damages to the plan by a fiduciary or other party, the bonding insufficiency may itself be a breach of fiduciary duty resulting in injury to the plan. Where this breach left the plan unprotected against an act of dishonesty or fiduciary breach by an individual who should have been bonded, it may spread liability for the wrongdoer’s acts to a plan sponsor, member of management or other party serving in a fiduciary role who otherwise would not be liable but for the deficiencies in bonding or other credentialing responsibilities.

Under ERISA Section 409, a fiduciary generally is personally liable for injuries to the plan arising from his own breach (such as failure to properly bond) or resulting from breaches by a co-fiduciary of which he knew or should have known through prudent exercise of his responsibilities.

Of course, in the most serious cases, such as embezzlement or other criminal acts by an ERISA plan fiduciary, the consequences can be quite dire. Knowing or intentional violation of ERISA’s fiduciary responsibilities exposes the guilty fiduciary to fines of up to $10,000, imprisonment for not more than five years, or both. Even where the violation is not knowing or willful, however, allowing disqualified persons to serve in fiduciary roles can have serious consequences, such as exposure to Department of Labor penalties and personal liability for breach of fiduciary duty for damages resulting to the plan, if it is established that the retention of services was an imprudent engagement of such an individual that caused the loss.

When conducting such a background check, care should be taken to comply with the applicable notice and consent requirements for background checks conducted by third parties under the Fair Credit Reporting Act (FCRA) and otherwise applicable law. Because such background investigations generally would be conducted in a manner that qualifies as a credit check for purposes of the FCRA, conducting background checks in a manner that violates the FCRA credit check requirements can itself be a source of significant liability.