Category Archives: Legislation

May 6, 2013

Colorado Restricts Employers’ Use of Credit Reports

By Mark Wiletsky 

Employers using credit reports to evaluate applicants and employees take note: Colorado recently enacted the “Employment Opportunity Act” limiting the use of credit reports in employment decisions.  In passing this law, Colorado joins eight other states–California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington–in restricting employers from obtaining and/or using credit history information when evaluating applicants and employees.   The new Colorado law exempts certain job positions from the prohibition on the use of credit reports, but the exceptions are very fact specific.  Employers need to analyze the job responsibilities of the position at issue in order to determine if they may use credit information under this new law. 

Prohibition on the Use of Consumer Credit Information for Employment Purposes 

Effective July 1, 2013, section 8-2-126 of the Colorado Revised Statutes provides that an employer shall not use consumer credit information for employment purposes unless the credit information is substantially related to the employee’s current or potential job.  This means that Colorado employers are prohibited from using credit information in the employment context except in those limited situations where credit or financial responsibility is substantially related to the job.  The type of information prohibited under this law includes any written, oral or other communication of information that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.  This includes a credit score, but does not include the name, address or date of birth of an employee associated with a social security number. 

“Substantially Related” Analysis Looks to Job Responsibilities 

When determining whether a particular position falls within the exception where credit information is “substantially related to the employee’s current or potential job,” employers may not rely on an informal, best-guess determination.  Instead, employers must carefully analyze whether the job in question meets the parameters detailed in the new law.  

Under Colorado’s law, “substantially related to the employee’s current or potential job” is defined to apply to positions that: 

1)         Constitute executive or management personnel or officers or employees who constitute professional staff to executive and management personnel, and the position involves one or more of the following: 

                A)    Setting the direction or control of a business, division, unit or an agency of a business;

                B)    A fiduciary responsibility to the employer;

                C)    Access to customers’, employees’, or the employer’s personal or financial information (other than information ordinarily provided in a retail transaction); or

                D)    The authority to issue payments, collect debts or enter into contracts; OR 

2)         Involves contracts with defense, intelligence, national security or space agencies of the federal government.

Consider this example:  you are hiring a human resource specialist who will administer employee benefits within your company.  May you obtain and use a credit report on applicants for this position?  Assuming this position does not involve federal defense, intelligence, national security or space agency contracts, you first must determine if this position is an executive or management position, or alternatively, if this position is considered professional staff to an executive or manager.  In our example, the employee benefits specialist position may or may not be an executive or management position at your company.  If not, the position may be considered professional staff to an executive or manager if the position reports to an HR Director, Vice President or other similar high level manager or officer.  If we assume this position meets this threshold determination, you next must analyze if the position involves one or more of the four areas of responsibilities where credit information will be deemed substantially related.  Because an employee benefits specialist is likely to have access to employees’ personal and perhaps financial information, it appears to fall within the third area of responsibility where credit information will be deemed substantially related to the job, but the answer is certainly not clear-cut.

Requesting Employee Consent to Obtain a Credit Report  

In addition to the prohibition on the use of credit information for employment purposes, the new Colorado law prohibits employers or their agents from requiring an employee to consent to a request for a credit report that contains information about the employee’s credit score, credit account balances, payment history, savings or checking account balances, or savings or checking account numbers as a condition of employment unless: 

            1) The employer is a bank or financial institution;

            2) The report is required by law; or

3) The report is substantially related to the employee’s current or potential job andthe employer has a bona fide purpose for requesting or using information in the credit report and is disclosed in writing to the employee.   

The written disclosure requirement here is a new procedural step with which most employers meeting this exception will not be familiar.  Employers meeting these criteria now need to provide applicants/employees with a notice of their business purpose for requesting credit information.

Employee May Be Allowed to Explain Circumstances Affecting Credit 

In those cases when an employer is permitted to use credit information because it is substantially related to the job, an employer may ask the employee to explain any unusual or mitigating circumstances that affected their credit history.  For example, if the credit report shows delinquent payments, the employer may inquire further allowing the employee to explain circumstances that may have caused the delinquencies, such as an act of identity theft, medical expense, a layoff, or a death, divorce or separation.   

Adverse Action Disclosure Required 

If the employer relies on any part of the credit information to take adverse action regarding the employee or applicant, the employer must disclose that fact and the particular information relied upon to the employee.  This disclosure must be made to the employee in writing but can be made to an applicant via the same medium in which the application was made (e.g., if the application was submitted electronically, this disclosure may be sent electronically). 

FCRA Obligations Still Apply 

Employers who are permitted to obtain and use credit reports under the Colorado law must also comply with the requirements of the Fair Credit Reporting Act (FCRA) in order to obtain a credit report from a consumer reporting agency.  These additional FCRA duties include: 

1)         Providing a clear and conspicuous written disclosure to the applicant/employee before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained;

2)         Getting written authorization from the applicant/employee before obtaining the report;

3)         Certifying to the consumer reporting agency that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer's rights will be provided to the consumer;

4)         Before taking an adverse action, providing a copy of the report and a summary of FCRA consumer rights to the applicant/employee; and

5)         After an adverse action is taken, sending an adverse action notice to the employee/applicant containing certain FCRA-required statements. 

Credit Check Compliance 

Colorado employers need to review and update their background check policies as they relate to conducting credit checks on applicants and existing employees.  In addition to FCRA obligations, employers wishing to use credit reports have additional restrictions and duties under state law.   

Employers now must analyze whether each position for which they wish to obtain credit reports meets the “substantially related to the employee’s current or potential job” criteria.  If the position meets that criteria and the employer wishes to obtain a credit report on an applicant or existing employee, the employer first must provide a written disclosure to the applicant/employee describing the bona fide purpose of obtaining the credit information.  If the credit report reveals questionable or negative information, the employer may (but is not required to) ask the applicant/employee to explain any unusual circumstances that may have led to the unfavorable credit information.  If the employer rejects the applicant/employee for the position based in any way on the credit report, the employer must provide the required FCRA adverse action notices as well as a written explanation of the particular information in the report that led to the employer’s decision. 

Multi-state employers face unique challenges when obtaining and using credit reports for employment purposes as they must comply with various state laws that now restrict such use.  Given the intricacies of complying with the FCRA and applicable state laws, employers are wise to consult with their counsel to review and update their credit check policies. 

 

April 25, 2013

Tips for Complying with Utah’s Internet Employment Privacy Act

By Elizabeth Dunning

Effective May 14, 2013, Utah employers may not request employees or applicants to disclose information related to their personal Internet accounts.  The Internet Employment Privacy Act(IEPA), recently signed into law by Utah Governor Gary R. Herbert, prohibits employers from asking an employee or applicant to reveal a username or password that allows access to the individual’s personal Internet account.  In addition, employers may not penalize or discriminate against an employee or applicant for failing to disclose a username or password.  A similar restriction applies to higher educational institutions through passage of the Internet Postsecondary Institution Privacy Act. 

With enactment of the IEPA, Utah becomes the fifth state to pass legislation that limits an employer’s access to social media accounts, joining California, Illinois, Maryland and Michigan.  New Mexico passed a similar law shortly after Utah and New Jersey’s law passed the legislature and is awaiting the governor’s signature.  A bill introduced in February in the U.S. House of Representatives called the Social Networking Online Protection Act (H.R. 537) is stuck in committee. 

Public Online Accounts Are Fair Game under the IEPA 

The IEPA does not restrict or prohibit employers from viewing or using online information about employees and applicants that the employer can obtain without the employee’s username or password.  Any online information that is available to the public may be accessed and viewed by employers without violating the IEPA.  Consequently, individuals who set privacy settings on their online accounts to allow “public” access effectively opt themselves out of any protections offered by this new law. 

Utah Restriction Applies to Accounts Used Exclusively for Personal Communication 

In prohibiting employers from requiring disclosure of online usernames and passwords, the IEPA draws a distinction between personal Internet accounts and those used for business related communications.  The law only restricts employer access to personal online accounts that are used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer.  It does not, however, restrict access to accounts created, maintained, used or accessed by an employee or applicant for business related communications or for a business purpose of the employer.  

In practice, the line between personal and business related accounts may be blurred as many employees use their personal online presence to network and communicate for business reasons.  Consider the sales person who uses his or her LinkedIn account to communicate with potential buyers within a particular industry, or the CPA who posts tax reminders on his or her Facebook page.  Are those accounts accessible under the IEPA since they are not used “exclusively” for personal communications?  A plain reading of the law suggests that may be the case, thereby watering down the potential protections offered by the IEPA to applicants and employees.   

Steps for Complying with the IEPA 

Utah employers should review their HR forms, policies and practices to ensure that they do not ask applicants and/or employees to provide a username or password to their personal Internet accounts.   Train supervisors and managers not to ask for this information as well.  In fact, take the opportunity to remind supervisors and managers not to “friend” subordinates on personal online platforms, such as Facebook.  In addition, reinforce that employees and applicants may not be penalized or treated adversely for failing to provide a username or password for personal online accounts.   

Remember, too, that even though the IEPA does not prohibit accessing an employee’s or applicant’s public social media accounts, viewing such information creates other risks.  Employers may view information regarding the individual’s religion, race, national origin, disability, age, or other protected group status that could give rise to a discrimination claim.  Furthermore, online information is unreliable and ever-changing, meaning that employers should not rely on what they see online when making employment decisions.  To stay out of trouble, consult with legal counsel before viewing or using social media in the employment context.

For more information about permissible actions and potential damages under the Utah Internet Employment Privacy Act, please see our Client Alert.

April 10, 2012

Maryland Protects Employees’ Social Media

By Mark Wiletsky

According to various blogs, including a post by the ACLU, Maryland has become the first state to ban employers from requiring employees or applicants to provide access to their otherwise protected social media accounts.  I have not yet seen the text of the bill that Maryland passed, but the new law is not entirely surprising in light of the furor that recently erupted–which gained national media attention–based on reports of a few employers demanding access to applicants' or employees' Facebook and other social media accounts. Whether Maryland's law protecting employees' social media accounts is the first of many state laws, or even a new federal law, remains to be seen.  Regardless, this is yet another indication to employers to be cautious about social media.  Employees' use of and access to social media–both inside and away from the workplace–raises novel issues that courts and legislatures will have to address.  Until more definitive guidance is provided, be aware that your practices may need to modified and reviewed regularly to address this evolving area of the law. 

March 27, 2012

Furor Over Facebook Continues

By Mark Wiletsky    

Following up on my post last week, the flap over employers asking applicants to turn over their passwords to social media accounts, such as Facebook, rages on.  Two senators–Sens. Richard Blumenthal (D-Conn.) and Charles Schumer (D-N.Y.)–on March 25 asked the Department of Justice and the EEOC to investigate this practice (http://blumenthal.senate.gov/newsroom/press/release/blumenthal-schumer-employer-demands-for-facebook-and-email-passwords-as-precondition-for-job-interviews-may-be-a-violation-of-federal-law-senators-ask-feds-to-investigate).  Facebook joined the fray by warning employers about this practice, and of course the ACLU has raised concerns as well (http://www.cnn.com/2012/03/23/tech/social-media/facebook-employers/index.html?hpt=hp_t3).  Is this issue being overblown?  Other than media reports about a couple of public entities, it is unclear how many employers are demanding applicants turn over passwords to social media accounts as a condition of employment (or consideration for employment).  Still, the heightened media attention is a good reminder for employers to review their hiring practices and their social media policies.  If you have not yet read the NLRB's January 25, 2012 Operations Management Memo (http://www.nlrb.gov/news/acting-general-counsel-issues-second-social-media-report), I recommend doing so.  Even though I disagree with certain aspects of the Memo, it provides some good examples of things to avoid in both social media policies and discipline/termination situations involving social media–for Union and non-Union work environments.   

March 23, 2012

Hiring and Social Media: Beware

By Mark Wiletsky

Should you require prospective employees to provide you with access to their Facebook page and other social media accounts, as a condition of being considered for the job?  Some public agencies apparently are doing so.  But Richard Blumenthal, a Democratic senator from Connecticut, is writing a bill to prohibit the practice.  (Not surprisingly, you can find more information about his proposed bill by visiting his Facebook page: http://www.facebook.com/dickblumenthal).  Relying on social media for hiring decisions can be risky, but it happens.  People Google a candidate’s name, check LinkedIn profiles, browse a Facebook page, or surf the web to see if they can learn some information about the candidate.  It’s so easy to do, and there is so much information about people on the web that it is hard to resist.  The problem is that the information on the Internet may or may not be relevant to the job.  The information also might disclose protected characteristics that you would not otherwise know from simply reviewing a job application (e.g., a person’s race, a disability, etc.).  My own thought is that for most private employers, it is not a good idea to require candidates to turn over passwords to their social media accounts.  Regardless of whether the candidate agrees to do so, it is clearly not a voluntary decision, and it raises a host of potential problems for private employers, beyond even the typical problem of not hiring someone due to a protected characteristic, e.g., what happens if someone at the company loses the password, abuses it, or protects it but is later accused of being responsible for hacking into the account?  The law in this area continues to evolve, but I would avoid becoming a “test case” for having gone too far.