October 24th, 2018
The Freeze Is On: Employers Must Immediately Update Background Check Forms
There is a little-known provision from a new federal law that will most likely impact your hiring practices and your standard hiring documents—and it kicks in today. As of September 21, all employers must update their background check forms to advise applicants and employees of the ability of a “national security freeze,” allowing them additional protections from identity theft. This change could require you to make an immediate change to your standard hiring methods: what do you need to do in order to comply?
Background Regarding New Law
As concerns over data breaches and security become more prevalent, the laws regarding data protection are working to keep pace. In May 2018, Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act, which requires nationwide consumer reporting agencies to provide a “national security freeze” free of charge to consumers. The national security freeze restricts prospective lenders from obtaining access to an individual’s background report, which in turn makes it more difficult for identity thieves to misappropriate the individual’s personal information.
At first glance, it might appear that this new law would not impact employers. However, the law also states that whenever the Fair Credit Report Act (FCRA) requires a “consumer” to receive a Summary of Consumer Rights, a notice regarding the availability of a security freeze must be included. And because applicants and employees are considered “consumers” for purposes of certain employment-related activities, this law could have a direct impact on your hiring practices.
As a result, when you consider using information procured through a consumer report—such as a criminal background check—to refuse to hire an applicant or terminate a current employee, you must now provide that applicant or employee with a notice that includes information on the availability of a security freeze. Effective September 21, 2018, the Bureau of Consumer Financial Protection (CFPB) updated its model Summary of Consumer Rights to comply, which may be accessed here.
Employment Background Reports That Trigger Additional Obligations
As a reminder, an employer triggers FCRA obligations when it requests a “consumer report” on an applicant or employee, a term which includes a broad category of reports such as driving records, criminal records, credit reports, and many other reports procured from a third-party, consumer reporting agency such as a credit-reporting company, a record-checking company, or an investigative firm. Before requesting the report, you must issue a standalone document to the applicant or employee disclosing your intent to procure the report for employment purposes, and obtain the applicant’s or employee’s signed authorization.
If the report contains information that you may use as a basis for taking adverse action—for example, not hiring an applicant or terminating a current employee—you must give the applicant or employee a copy of the report, as well as a copy of the Summary of Consumer Rights. You must then wait a “reasonable period of time” before actually taking adverse action. While the “reasonable period” is not defined and will necessarily vary according to a number of factors (including industry, business needs, and past practices), at least five business days will typically suffice.
What Should Employers Do Now?
There is an easy fix to ensure you comply with the new law. Simply replace your old Summary of Consumer Rights with the CFPB’s revised model form. Make sure your hiring managers are aware of the new form and integrate the updated document into your hiring packets and practices. If you discover that your organization used the old form after the September 21 implementation date, check with legal counsel to determine the best course of action to remedy the situation.
For additional information about your background check obligations under the FCRA or state law, contact your Fisher Phillips attorney or any attorney in our Data Security and Workplace Privacy Practice Group.