Background Checks, Quirky Question # 80
Quirky Question # 80:
We are a bank in Washington and would like to run background checks which include credit checks on all of our applicants. Are there any problems with this across-the-board policy?
Dorsey’s Analysis:
You ask whether your Washington bank can adopt an across-the-board policy requiring background checks for all of your applicants. Such an approach would expose your bank to potential liability under the state and federal statutory schemes. Let’s start with Washington.
In 2007, Washington Governor Christine Gregoire signed into law S.B. 5827. That bill states that “a person may not procure a consumer report for employment purposes where any information contained in the report bears on the consumer’s credit worthiness, credit standing, or credit capacity, unless the information is either: (i) substantially job related and the employer’s reasons for the use of such information are disclosed to the consumer in writing; or (ii) required by law.
With the passage of this statute, Washington joined four other states with similar restrictions on the use of credit reports – Hawaii, Pennsylvania, New York and Wisconsin.
The question for your evaluation is whether your across-the-board policy would violate the Washington statute. Assuming you also comply with your notification obligations under the Fair Credit Reporting Act (FRCA), you should assess how the Washington law impacts your liability with regard to obtaining the information you seek.
First, you must consider whether the credit worthiness, credit standing or credit capacity is information which is required to be gathered by law. This would not generally be the case for most positions. Given that, the next question to consider is whether the applicant’s credit information is “substantially job related.” The exact meaning of this phrase has not yet been interpreted by Washington courts. However, in a bank setting, it is generally agreed that employees such as tellers who directly handle monetary funds, are in the type of position where credit information is substantially job related. A person whose job entails purely administrative functions (with little or no discretion or handling of monetary funds) is, on the other hand, less likely to qualify.
Until the Washington courts interpret the meaning of “substantially job related,” we recommend you act conservatively and only obtain consumer reports containing credit information for those applicants whose job functions directly involve money or finances or have significant discretion with such sensitive information. Note too that the Washington law maintains an exception, making such limitations inapplicable to situations where the employer “has reasonable cause to believe” the employee has “engaged in specific activity that constitutes a violation of law.” This mimics the FCRA’s exception where employees suspected of misconduct are not entitled to the same notification procedures.
This law obviously applies to employers whose principal place of business is Washington, but may also apply to Washington residents who apply to out-of-state corporations.
Second, with respect to federal law, another area of concern relating to background checks has been noted by the EEOC. The EEOC has concluded that an employer’s requirement of a good credit record for job applicants has a forseeably disproportionate adverse impact upon minorities . However, an employer may avoid Title VII liability if the requirement is justified by business necessity. And, the EEOC has found that a bank’s practice of performing a credit check on successful job applicants did not unlawfully discriminate against minority applicants where the checks were done in a facially neutral manner and served a legitimate, job-related purpose, particularly in the employment of tellers. EEOC v. American Nat’l Bank, 21 Fair Empl. Prac. Cas. (BNA) 1595 (E.D. Va. 1979), aff’d in part and rev’d in part on other grounds, 652 F.2d 1176 (4th Cir. 1981). Thus, under either Washington or federal law, any background check for which credit is pulled should be justified by business necessity.
Finally, another important consideration is what you do with the information you receive from the background check agency? Make sure you dispose of it properly! As of June 1, 2005, it became critical for employers to properly dispose of consumer information or face liability for statutory fines and civil penalties as well as actual damages if an employee’s identity is stolen as a result of the employer’s failure to protect the information. The disposal obligations, found at 16 C.F.R. 682, were a part of the Fair and Accurate Credit Transaction Act of 2003 (FACTA) which amended the Fair Credit Reporting Act.
Employers are subject to the FTC’s jurisdiction under the FRCA when they obtain a consumer report as a part of background check. Every such employer is required to take “reasonable measures” to protect against unauthorized access to or use of the consumer information in connection with its disposal.
The standard for disposal is a flexible one, allowing entities to determine what is a “reasonable” measure. Factors to determine what is “reasonable” include: the sensitivity of the consumer information; the nature and size of the entity’s operations; the costs and benefits of different disposal methods; and relevant technological changes. The disposal rule provides several non-exclusive examples of methods of compliance, including : (a) implementing and monitoring policies and procedures that require the burning or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed; (b) implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
Failure to comply with the disposal rule can expose employers to the following liability:
- Civil fines – Fines up to $2,500 per violation can be assessed from the federal government.
- Civil liability – Employers are potentially liable up to $1,000 per employee in statutory damages.
- Actual damages – Employers are also liable for actual damages if employees’ identities are stolen as a result of the company’s failure to protect the information.
- Class action lawsuit – Employers could be subject to a class action lawsuit if multiple employees are affected.
In addition to the federal penalties associated with the disposal rule, employers can also face liability under state statutes and/or negligence claims.
Note that in December 2007, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.
American United was the first FTC action taken pursuant to the Disposal Rule of the FACTA of 2003. The complaint filed in the Northern District of Illinois asserted that the Northbrook, Illinois-based mortgage company disposed of several dozen consumers’ personally identifying information by leaving intact hundreds of documents in a nearby unsecured dumpster, in some cases in open trash bags. Indeed, even after the FTC provided written notice to American United that disposal of documents containing consumers’ personal information in this manner created a risk of unauthorized access, “on at least two occasions, additional intact American United documents containing consumers’ personal information were found in and around the same dumpster adjacent to American United’s office.”
In addition to the fine, the stipulated judgment and order required American United to obtain an immediate third-party audit of its privacy safeguards and ongoing audits every two years for a decade. American United was also permanently enjoined from further violations of the FACTA Safeguards, Disposal, and Privacy rules. This case illustrates the potential consequences of disregarding a company’s obligations under FACTA.