September 5, 2018
Amendment to Fair Credit Reporting Act
S.2155, which was enacted in May of this year, amends the Fair Credit Reporting Act (FCRA) to allow consumers to request a security freeze, free of charge, from the nationwide credit reporting agencies (Equifax, Trans Union, and Experian). S.2155 also extended the length of time for initial fraud alerts from ninety (90) days to one year. As a reminder, a consumer may request an initial fraud alert from the nationwide consumer reporting agencies when they believe that they have been or about to become a victim of fraud or identity theft.
S.2155 also includes a new notice that must be provided to consumers “[a]t any time a consumer is required to receive a summary of rights required under section 609.” Therefore, as of September 21, 2018, consumer reporting agencies must provide this new consumer notice (see below) whenever the consumer is required to receive a summary of rights under Section 609 (§1681g) of the FCRA (either the federal Summary of Rights notice or the “Remedying the Effects of Identity Theft” notice). Thus, even though the requirement to place a security freeze under federal law applies only to nationwide consumer reporting agencies, all consumer reporting agencies must provide the additional notice.
The notice required by the new provision that applies to any circumstance in which the consumer is required to receive a summary of rights under Section 609 is as follows:
Consumers have the right to obtain a security freeze
You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years. A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
California Employers Must Get Applicant OK for Background Check
California employers, lenders, and landlords must obey the tougher of two privacy laws and inform applicants before investigating their background, the state Supreme Court ruled Aug. 20. The 7-0 decision affects the thousands of credit, employment, and housing decisions made daily in California under two laws. One of them requires prior notice and authorization before certain types of background investigative reports are ordered. The other covers more consumer-oriented information that doesn’t require advance disclosure or consent. The justices upheld a lower court ruling that school bus transportation company First Student Inc., part of FirstGroup plc, failed to adequately notify and obtain consent from former Laidlaw International Inc. bus drivers and aides before it conducted background checks on 54,000 workers. The reports were ordered after First Student bought Laidlaw in 2007. First Student had to comply with the more protective Investigative Consumer Reporting Agencies Act-designed to give consumers a chance to correct information and address identity theft-regardless of the company’s compliance with the less-stringent requirements in the Consumer Credit Reporting Agencies Act, the California Supreme Court said. “The implications are that these two laws are relatively straightforward and easy to follow. So landlords, employers, banks, anyone seeking to run a background check that falls in one or both of these statutes will continue have to comply with them,” Hunter Pyle of Hunter Pyle Law in Oakland, Calif., representing plaintiff Eileen Connor, told Bloomberg Law. “Employees will have their privacy rights protected, and the worst types of abuses where entities run background checks on people without telling them will be illegal under California law,” Pyle said Aug. 20.
Compliance Consent Required
In interpreting the two laws, “we agree with the Court of Appeal and find that potential employers can comply with both statutes without undermining the purpose of either,” the Supreme Court said. Connor’s case involves a report that falls under the scope of both laws and “is simply one that contains information bearing on both a consumer’s credit worthiness and on her character. It seems to us that such a duality does not make legal compliance particularly difficult, much less impossible,” Justice Ming Ching wrote for the court. The ruling covers a single Laidlaw employee in the bellwether case for more than 1,200 former workers alleging that First Student needed their approval for the background checks. The case now returns to an appeals court and then to the Los Angeles trial court. “Finally the bus drivers and aides involved can have their cases resolved on the merits,” Catha Worthman, Feinberg Jackson Worthman & Wasow LLP partner and co-counsel for Connor, told Bloomberg Law. Violations of the Investigative Act carry a $10,000-per-violation penalty, so for the remaining 450 plaintiffs who didn’t accept settlements, that is a “potentially life changing amount” for drivers and aides, Worthman said.
The justices rejected reasoning in a separate 2007 appellate decision in Ortiz v. Lyon Management Group Inc. involving tenants that concluded the Investigative Act was unconstitutionally vague. First Student argued that it relied on Ortiz in its decision to proceed with processing the records. The California Supreme Court, however, agreed with the appeals court in Connor’s case. Chad Saunders with Hunter Pyle Law and Genevieve Casey with Feinberg Jackson also represented Connor. Ronald Peters and Benjamin Emmert, shareholders with Littler Mendelson PC in San Jose, Calif., represented First Student. The case is Connor v. First Student Inc., Cal., No. S229428, opinion 8/20/18 (http://www.courts.ca.gov/opinions/documents/S229428.PDF)
Vermont Bans ‘No Rehire’ Clauses
Vermont is the first state to outlaw “no rehire” clauses in agreements which bar workers who settle discrimination and harassment cases from working for that employer again.
The provision is part of a law addressing sexual harassment protections for employees that went into effect last month. The law, inspired by the #MeToo movement according to its sponsor:
No rehire agreements typically extend to a company’s parent organization and affiliates as well.
Including no rehire clauses in separation agreements is fairly common across the country, said Susan Gross Sholinsky, an attorney in the New York City office of Epstein Becker Green. She said the clause is meant to protect the company from being sued again in the future by a former employee who claims retaliation for not being rehired. Former employees could potentially reapply for a job and allege retaliation for prior legal claims if they are not rehired, and a no rehire provision is not included in the settlement agreement. When signing an agreement with a no rehire clause, the employee typically agrees that employment has ended and promises not to seek reemployment with the company. In some cases, the employee agrees that their employment may be terminated immediately without any legal recourse if they are rehired by the company or any related entity. In 2016, the Equal Employment Opportunity Commission (EEOC) issued guidelines warning companies against practices that could be seen as retaliating against employees who file discrimination or harassment claims, which could include no rehire clauses. “There are EEOC interpretations, and some employment lawyers have started advising their employer clients that use of no rehire clauses could be considered retaliatory against plaintiffs,” said Cary Brown, executive director of the Vermont Women’s Commission, a nonpartisan state agency advancing rights and opportunities for women and girls. “We’re following that line of thinking and looking at this [law] as way to ensure fairness, particularly in a small state like ours,” Brown said. “The repercussions could be significant to somebody signing one of these agreements and then finding their local employment options severely curtailed. There are only so many jobs people can choose from, and only so many employers available.
District Court Dismisses FCRA Disclosure Claim Against Casino in Absence of Concrete Injury
Under the Fair Credit Reporting Act, a potential employer generally may not procure a consumer report on an applicant unless the employer provides a disclosure, in a document that consists “solely of the disclosure,” informing the applicant that a consumer report may be obtained. In Williams v. TLC Casino Enters., the District Court for the District of Nevada has joined a growing chorus of courts finding that a plaintiff cannot bring a “solely of the disclosure” claim in federal court when he or she has suffered no actual harm separate from the perceived failure to properly format the disclosure. Specifically, in Williams, the plaintiff alleged (on a class basis) that TLC Casino Enterprises violated the FCRA by obtaining a consumer report on her without providing her with a “stand-alone document of a legal disclosure.” According to Williams, TLC only provided her “with a written conditional offer to hire that included, inter alia, the following statement: ‘Continuation of this position and your employment is dependent upon your passing any Background Check or Drug Screen that may be required for your position.’” This document, in Williams’ view, was not a disclosure that consisted “solely of the disclosure” that a consumer report may be obtained for employment purposes. TLC Casino Enterprises moved to dismiss Williams’ complaint for lack of standing, arguing that her claim amounted to nothing more than a bare procedural violation of the FCRA. According to the defendant, Williams could not state a claim in federal court because the bare procedural violation of a statute alone does not satisfy the injury-in-fact requirement for Constitutional standing. The Court agreed with TLC Casino Enterprises. In its decision, it drew on the Supreme Court’s decision in Spokeo, Inc. v. Robins to conclude that Williams must allege a “concrete injury in fact” separate from the procedural violation of a statute in order to demonstrate standing. Williams could not do that here. According to the Court, Williams framed TLC Casino Enterprises’ alleged FCRA violation as having “failed to provide the disclosure in a format required by the FCRA.” But “[a] formatting error such as this is a procedural issue that does not satisfy the requirement that plaintiff demonstrate a concrete, particularized injury.” Although plaintiffs’ counsel often argue that disclosure claims are straightforward and easily certifiable as a purported class action, the Williams decision demonstrates that this is not the case. Indeed, courts are increasingly dismissing disclosure claims when plaintiffs allege nothing more than the violation of a procedural FCRA requirement.
Bank of America Customers Win Final OK For $1.8M FCRA Settlement
A class of Bank of America NA customers won final approval Thursday for their $1.8 million Fair Credit Reporting Act settlement over allegedly unauthorized soft credit report inquiries, with a California federal judge saying that though it offered a small $4 payout per class member, the deal was fair. Under the settlement, each class member will be entitled to a $4.06 claim. Class counsel have said the deal is “among the highest dollar settlement[s] per class member that has ever been reached” in an impermissible access…
New Jersey Federal Court: Employer Need Not Waive Drug Test for Medical Marijuana User
Despite the legalization of medical marijuana in a majority of states, marijuana remains illegal under the federal Controlled Substances Act (“CSA”), which lists cannabis as a prohibited Schedule 1 illegal drug.
What does it mean to be a Schedule 1 drug?
“Schedule I drugs, substances, or chemicals are defined as drugs with no currently accepted medical use and a high potential for abuse,” according to the U.S. Drug Enforcement Agency. In light of this federal prohibition on marijuana, employers have professed confusion over what exactly they can prohibit when so many states have legalized medical marijuana. I emphasize medical because in the employment arena, “medical” may connote a “disability” under the Americans with Disabilities Act (the “ADA”). We discussed that employers must engage in an interactive process with an employee who has, or may be perceived as having a disability, or has a record of a disability, so the critical question becomes: does the ADA require an employer to provide a reasonable accommodation to medical marijuana cardholders?
As I explained here, the ADA excludes from protection “an individual who is currently engaging in the illegal use of drugs” from its definition of an “individual with a disability,” with one very limited but significant exception. As a Schedule 1 drug under the CSA, taking marijuana excludes an employee from ADA protection.
Let’s see how one New Jersey court handled a reasonable accommodation request under the state’s medical marijuana law.
New Jersey’s Medical Marijuana Law
Like the Pennsylvania medical marijuana law, New Jersey’s Compassionate Use Medical Marijuana Act (“CUMMA”) is silent as to an employer’s obligation to make any accommodation for the use of medical marijuana on the property or premises of any place of employment. Despite cannabis’ categorization as a Schedule 1 drug under the CSA, when enacting CUMMA, the NJ legislature found that “[m]odern medical research has discovered a beneficial use for marijuana in treating or alleviating the pain or other symptoms associated with certain debilitating medical conditions.” Thus, we see the dichotomy when federal law claims the opposite of state law.
NJ Federal Court Ruling – No Reasonable Accommodation!
Anyway, so, the employee in question, a forklift operator, possessed a doctor’s recommendation for medical cannabis (and Percocet) to treat his neck and back pain. The employee had an accident at work and saw a doctor, who placed the employee on “light duty.” Upon his return, he could still perform all the essential functions of the job, but his employer required that he pass a drug and urine test. Knowing that if he failed the test he would be fired, the employee sought a waiver of the drug test as a reasonable accommodation. The employer balked and argued that CUMMA did not require such a waiver. Did the court agree and require that the employer waive its drug-testing policy as a reasonable accommodation? Not so much. In an Opinion last week, which you can read in full here. (https://secureservercdn.net/184.108.40.206/0a1.d7a.myftpupload.com/wp-content/uploads/2018/09/med-mar-2.pdf), the federal District Court stated that CUMMA does not require an employer to permit the use of medical marijuana in the workplace. Fine. Makes sense. Significantly, the court also noted that CUMMA specifically excluded employers from its scope. Then, the court sided with the employer, determining that NJ’s narrower law (in comparison to other states) did not require an employer to waive its use of a drug test as an accommodation. Judge Kugler seemed to base his holding on a “plain language of the statute argument” and a prediction, as he explained: Unless expressly provided for by statute, most courts have concluded that the decriminalization of medical marijuana does not shield employees from adverse employment actions.
This Court predicts that the New Jersey judiciary would reach a similarly obvious conclusion: the LAD does not require an employer to accommodate an employee’s use of medical marijuana with a drug test waiver. Although no court has expressly ruled on this question, New Jersey courts have generally found employment drug testing to be unobjectionable in the context of private employment.
Wait, what happened to the interactive process? Isn’t that a requirement? Didn’t the employer have to engage in a discussion with the employee to determine whether an alternative accommodation existed to accommodate the employee’s disability? Apparently not, and that process is not referenced in the Opinion (perhaps because it was not pleaded in the complaint). What does this tell us?
How these cases are treated may depend on your state. Under similar circumstances, courts in other states have determined that an exception to an employer’s drug policy could constitute a reasonable accommodation, but in any event, the employer was required to engage in the interactive process to determine whether there were any alternatives for the employee’s medical marijuana use.
New Jersey law does not require private employers to waive drug tests for users of medical marijuana. Will it in the future? Judge Kugler thinks it unlikely, but, just in case, employers may want to consider initiating the interactive process to determine if a reasonable accommodation or an alternative to its drug-free policy exists.
Biometric Data Privacy Act Class Action Dismissed for Lack of Actual Injury
A federal district court in the Northern District of Illinois dismissed a putative class action alleging violations of the Illinois Biometric Information Privacy Act—known as the BIPA—holding that the allegation of a mere procedural violation of the statute did not establish Article III standing. The July 30 ruling in Johnson v. United Airlines furthers the split among trial courts on whether allegations of technical violations of BIPA allege the concrete injury necessary for federal subject matter jurisdiction. Ultimately, Illinois’ highest court will take up the issue and its decision will likely substantially impact pending and future BIPA litigation.
Illinois Biometric Information Privacy Act
BIPA is the nation’s toughest law regulating the collection and use of biometric information. Under BIPA, a “biometric identifier” is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA requires organizations to provide written notice prior to their biometric information collection, storage and use practices, and to obtain written consent before collecting an individual’s biometric data. The notice must include the purpose of the collection and the duration that the organization will use or retain the data. Once an organization has collected biometric data, BIPA requires that the data be protected in the same manner as other sensitive and confidential information using the reasonable standard of care in the organization’s industry. BIPA also requires organizations to have a publicly available written policy stating how long the organization will retain the data and rules governing its destruction. Unlike other state biometric data laws, BIPA provides a private right of action to any “person aggrieved” by a violation of the law.
The plaintiff, David Johnson, is a baggage handler for United Airlines. Johnson and other United employees are subject to a collective bargaining agreement between United and International Association of Machinists and Aerospace Workers. Under the CBA, United requires fingerprint scans as a condition of employment and mandates that its employees swipe their fingerprints as a means of clocking in and out and for timekeeping purposes. Johnson filed a putative class action in Illinois state court challenging United’s collection and use of his fingerprints as a violation of BIPA. Specifically, Johnson alleged that United had failed “to obtain consent from its workers prior to capturing and collecting their biometric information and similarly failed to provide workers and the public with a retention schedule and detention policies which detailed how and when Defendants would retain and then destroy their workers’ biometric information and/or biometric identifiers.” United removed the action to the Northern District of Illinois on the basis of federal question jurisdiction pursuant to the Railway Labor Act, and the diversity of the parties. United then moved to dismiss Johnson’s complaint for lack of subject matter jurisdiction.
The district court dismissed Johnson’s complaint, holding that Johnson’s BIPA claim was preempted by the RLA and that, even if it was not, Johnson had failed to establish an injury sufficient to establish standing.
District Court Decision
The district court began by noting that Congress had enacted the RLA to “promote stability in labor-management relations by providing a comprehensive framework for resolving labor disputes.” It held that any dispute between labor and management whose resolution required interpretation of the collective bargaining agreement between the parties fell within the scope of the RLA and was subject to preemption. Because Johnson’s BIPA claim required interpreting the CBA to determine whether United’s use of fingerprint scanning for a timekeeping system fell within the scope of the CBA, the court held the BIPA claim was preempted. In addition, Johnson’s claim that United failed to obtain a written release before using its employees’ fingerprints also required interpreting the CBA to determine if it provisions directly contradicted BIPA’s requirements. Thus, the district court found that the RLA stripped it of subject matter jurisdiction. The district court next addressed Johnson’s standing to bring his BIPA claims, finding that “[n]ot only does preemption support dismissal in the underlying matter, but so too does the issue of Article III standing.” It held that “although injuries may be intangible harms or purely statutory procedural harms, the harm alleged by Johnson fails to rise to the level of an injury-in-fact without more.” The district court found that “notice and consent violations do not without more create a risk of disclosure,” and “Johnson alleges a statutory violation based entirely on United’s failure to obtain consent but provides no factual basis to show there was any subsequent disclosure that would form the injury.” Accordingly, the district court granted United’s motion to dismiss for lack of subject matter jurisdiction.
Although BIPA limits private actions to individuals who are “aggrieved” by a violation, the law does not define that term. This omission has led to conflicting decisions concerning whether an injury beyond a procedural violation is required for statutory standing. In McCollough v. Smarte Carte (N.D. Ill. Aug. 1, 2016) and Santana v. Take-Two Interactive Software (2d Cir. Nov. 21, 2017), BIPA actions were dismissed because there was no actual injury separate and distinct from the alleged procedural statutory violation. In contrast, in Monroy v. Shutterfly (N.D. Ill. Sept. 15, 2017) and in re: Facebook Biometric Information Privacy Litigation (N.D. Cal. Apr. 16, 2016), the courts found that allegations of a BIPA violation without an actual injury were still sufficient to establish standing. The United Airlines decision weighs in firmly on the side of those courts requiring an actual injury for standing in BIPA cases and provides defendants with additional ammunition to challenge BIPA plaintiffs whose claims only include a technical or procedural violation of the statute.
However, it should be noted that the BIPA case of Rosenbach v. Six Flags Entertainment which directly addresses whether an actual injury is required in BIPA cases is currently pending before the Illinois Supreme Court. In Rosenbach, the plaintiff alleged that the theme park violated BIPA by collecting fingerprints in connection with the purchase of a season pass and not obtaining written consent or disclosing how the collected fingerprint scans would be used, stored, and/or destroyed. The Appellate Court of Illinois found that a plaintiff who alleges only a technical violation of the statute without also alleging some injury or adverse effect is not an aggrieved person under BIPA. How the Illinois Supreme Court rules will likely decide the issue and substantially impact pending and future BIPA litigation.
Privacy Shield Guidance When Personal Data Transferred from the EU to the U.S. for Processing Purposes
If you operate as a processor under the Privacy Shield Program, you should familiarize yourself with the guidance released by the Privacy Shield Framework related to processors’ access obligations, which can be retrieved at https://www.privacyshield.gov/article?id=Processing-FAQs. The document provides guidance with regard to the following questions:
Brazil General Data Protection Law
August 14, 2018, Brazil approved the General Data Protection Law (in Portuguese). The law will come into effect after its 18th adaptation period, in early 2020. The LGPD creates a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It is important to note that the country already has more than 40 legal norms at the federal level that directly and indirectly deal with the protection of privacy and personal data in a sector-based system. However, the LGPD is replacing and/or supplementing this sectoral regulatory framework, which was sometimes conflictive, marshy, without legal certainty and made the country less competitive in the context of an increasingly data driven society. These are the main points of the new law: