February 24, 2020
New Commercial Driver’s License Drug & Alcohol Clearinghouse Requirements Took Effect January 6th,
Employers regulated by the Federal Motor Carrier Safety Administration (“FMCSA”) are now subject to mandatory reporting requirements under the new Drug and Alcohol Clearinghouse (“Clearinghouse”) program mandated by the Department of Transportation (“DOT”). The Clearinghouse is an update to the Omnibus Transportation Employee Testing Act passed in 1991, which requires DOT agencies, including FMCSA, to implement drug and alcohol testing in safety-sensitive workplaces. The Clearinghouse is an electronic database that grants FMCSA-regulated employers access to information about drug and alcohol violations of current and prospective employees who hold a commercial driver’s license. Additionally, the database contains information confirming whether a holder of a commercial driver’s license has completed the return-to-duty process and any follow-up testing plan to remedy his/her violation. The database was developed to create continuity and transparency in monitoring commercial driving records, and it tracks and links the record of a commercial driver’s license holder from any state. The objective is to prevent holders of a commercial driver’s license who have violated the DOT drug and alcohol requirements from moving from one carrier to another without first having remedied the violation. There are no changes to the existing requirements set out in Part 40 of the Code of Federal Regulations relating to the DOT workplace drug and alcohol testing procedures. Additionally, the Clearinghouse includes violations that have occurred on or after January 6, 2020. Any violation that occurred prior to that date, and any subsequent related return to duty activity, are not included in the database and employers must continue to conduct traditional, manual inquiries with previous employers in order to comply with the 3-year timeframe requirement of § 391.23.
The process will become less burdensome to employers 3 years from the effective date of the new requirements as the online database should by then fully contain the requisite commercial drivers’ records for the preceding 3-year period (Starting January 6, 2023).
Employers are now required to conduct a full query of the Clearinghouse during any pre-employment commercial driver investigation process and to conduct a limited query for every employee in its employ on an annual basis. The employee’s consent is required prior to conducting a full query. Employers are also required to report to the Clearinghouse any drug and alcohol program violations of which employers have actual knowledge and record any negative return to duty test results and the date of successful completion of a follow-up testing plan. Any violation will be recorded in the Clearinghouse for five years from the later of (i) the date of the violation determination or (ii) the date of the resolution of the return to duty process and follow-up testing plan. Employers need to review and revise their drug and alcohol policies as needed to refer to the new Clearinghouse requirements, including a sign off for employees to provide the consent required for all queries.
Ban-the-Box Law Limits Criminal Background Inquiries by Federal Contractors Beginning in December 2021
The Fair Chance Act prohibits federal contractors from inquiring about a job applicant’s criminal background in certain cases in the initial stages of the application process. The Act will go into effect on December 20, 2021.
The Act “bans the box” by prohibiting federal contractors from asking applicants applying to work in connection with federal contracts about their criminal histories until after the contractor extends a conditional job offer. It also prohibits contractors from seeking such information from other sources.
The Act was enacted as part of the annual National Defense Authorization Act on December 20, 2019.
The Act is limited in that it does not apply to job openings unrelated to federal contract work; rather, it applies only to job openings “related to work under” a federal contract.
Further, under the Act, pre-offer criminal inquiries are allowed:
The Act directs the Office of Personnel Management to issue regulations identifying additional positions that are exempted from the law.
The Office of Personnel Management also must establish a complaint process and progressive penalties, ranging from a written warning for a first violation to payment suspension and contract termination for subsequent violations.
Other Laws, Ordinances
Currently, and after the Act goes into effect, federal contractors may need to navigate the many state and local ban-the-box laws that may apply to them. In addition, employers should keep in mind their obligations under the Fair Credit Reporting Act if they plan to obtain criminal history reports from third-party vendors. Employers also should follow best practices, such as engaging in an individualized assessment, where appropriate, of any disclosed criminal history prior to making any employment decisions.
Ban-the-box laws affect many parts of the hiring and employment process. Employers should review and revise, if necessary, their hiring practices, application forms, checklists, policies, and procedures to ensure compliance. Employers also should provide periodic training to those involved in the recruiting and hiring processes.
FTC Finalizes Settlements with Five Companies Related to Privacy Shield Allegations
The Federal Trade Commission has finalized settlements with five companies over allegations they falsely claimed certification under the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.
In separate actions, the FTC alleged that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. all falsely claimed in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework. The FTC alleged that LotaData also falsely claimed that it was a certified participant in the Swiss-U.S. Privacy Shield framework, which establishes a data transfer process similar to the EU-U.S. Privacy Shield framework. Finally, the FTC alleged that EmpiriStat, Inc. falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse, failed to verify annually that statements about its Privacy Shield practices were accurate, and did not affirm it would continue to apply Privacy Shield protections to personal information collected while participating in the program.
Under the settlements, all five companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization. EmpiriStat also is required to continue to apply the Privacy Shield protections to personal information it collected while participating in the program or return or delete the information.
New York State Releases Guidance on Salary History Ban
New York’s salary history ban (“Law”) becomes effective today, January 6, 2020. To help employers comply with their obligations under the Law and to advise employees of their rights, the state has issued guidance (“Guidance”). The Law prohibits all New York State employers from:
New Guidance Provided for Employers
The Law is unique among other salary history bans in that it explicitly includes current employees in the restrictions noted above. The Guidance clarifies that, while employers may not ask current employees about pay from previous jobs, employers may “consider information already in their possession for existing employees (i.e.[,] a current employee’s current salary or benefits being paid by that employer). For example, an employer may use an employee’s current salary to calculate a raise but may not ask that employee about pay from other jobs” (emphasis added). A “current employee” includes a current employee of the employer, “its parent company or a subsidiary.”
Thus, employers may consider the salary and compensation of a current employee who is applying for a new position within the same company, when deciding what compensation to offer. Employers are still prohibited, however, from using a current employee’s salary as a selection criterion in choosing to interview the candidate or provide the current employee with the new position.
Prior to the Guidance, it was unclear whether employers could use voluntarily provided salary history information to set compensation levels—the Law made clear only that such information could be used to “verify” its accuracy. The Guidance now clarifies that “[i]f an applicant voluntarily and without prompting discloses salary history information, the prospective employer may factor in that voluntarily disclosed information in determining the salary for that person.” The Guidance makes clear, however, that “‘optional’ salary history question[s] on a job application” will be considered prompting by the employer and are not acceptable.
The Guidance also states that employers may not rely on voluntarily disclosed salary history information “to justify a pay difference between employees of different or various protected classes who are performing substantially similar work,” as such reliance would violate the State’s Equal Pay Act. While perhaps implied, this specific prohibition is not expressly contained in that statute.
The Guidance further makes clear that “salary history information” includes “compensation and benefits” and that an “applicant” includes “part-time, seasonal and temporary workers, regardless of their immigration status.” Additionally, the Guidance expressly allows employers to inquire into an applicant’s salary expectations.
Notable Differences Between State and City Law
New York City’s salary history ban went into effect October 10, 2017. While the Law largely mirrors the City’s salary history ban, they differ in the following respects:
Employers Nationwide Must SHIELD Data of New York Residents
By March 21, 2020, all employers—not just New York employers—with private information about New York residents must be in full compliance with the new “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act. The Act implements major changes in data security protections for New York residents by amending the New York General Business Law and the New York State Technology Law. While the existing statutes already provide some breach notification protections, the Act’s key updates broaden the definition of a data breach; broaden the scope of information covered under notification laws; require reasonable data security; provide standards tailored to small businesses; and broaden breach notification requirements.
Broader Definition of “Breach”
Under current New York law, a breach is defined as “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.” The Act expands the law to interpret a breach to include unauthorized access or access to private information without authorization, not just acquisition. To help a business determine whether private information has been accessed, the Act lists factors including, but not limited to, “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”
Broader Definition of “Private
Currently, the General Business Law protects “personal information,” defined as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” It also protects “private information,” defined as personal information combined with any of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) Social Security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.”
The Act significantly expands this definition of “private information” to also protect:
Imposing Data Security Requirements
The Act also creates entirely new requirements for any person or business that owns or licenses computerized data that includes the private information of New York residents to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including, but not limited to, disposal of data.” A person or business is considered in compliance with the Act when they implement a data security program containing several detailed administrative, technical and physical safeguards enumerated in the law. These include, but are not limited to:
Businesses are also considered compliant when they meet the data security requirements of other laws such as the Health Insurance Portability and Accountability Act (HIPAA) (protecting the privacy and security of certain health information), the Gramm-Leach-Bliley Act (requiring financial institutions to explain how they share and protect customers’ private information), and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (widening the scope of privacy and security protections under HIPAA).
Providing Individualized Standards
For small businesses meeting any of the following criteria—fewer than 50 employees, less than $3 million in gross revenues in each of the last three fiscal years, or less than $5 million in year-end total assets—the Act contains certain relaxed data security program standards. A small business’s security program complies with the Act if it “contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” By contrast, all other covered businesses must implement the specified safeguards enumerated in the statute, as previously discussed, such as designating employees to coordinate the program, requiring contractual safeguards from service providers, and so forth.
Broadening Breach Notification
The Act no longer covers only people and businesses who conduct business in New York; its scope now encompasses any people or businesses that own or license computerized data that includes private information of New York residents. In the event of a breach triggering notification requirements, as identified under the Act, notification must be made to affected New York residents, in addition to the New York Attorney General, the New York Department of State, and the New York State Police. When over 5,000 residents are affected by the breach, notification must also be made to consumer reporting agencies.
Notably, notice of a breach is not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the person or business reasonably determines such exposure will not likely result in misuse or harm.
While the Act does not establish a private right of action, the Attorney General may bring an action to enjoin violations of the Act and to obtain civil penalties. For violations of the reasonable safeguards requirements, courts may impose penalties of no greater than $5,000 per violation.
For knowing or reckless violations of the notification provisions, courts may impose a penalty of the greater of $5,000 or up to $20 per instance of failed notification, the latter of which is capped at $250,000. For notification provision violations that are not knowing or reckless, courts may award damages for actual costs or losses incurred by a person entitled to notice, if notice was not provided.
What This Means for Employers
Employers should act immediately and thoroughly to ensure their businesses meet the Act’s new standards. Any employer who handles data including the private information of New York residents, even if such employer does not conduct business in New York, must be in compliance with the Act.
Covered employers must adopt a breach notification policy consistent with the Act’s requirements. Additionally, among a number of other steps, employers should consult counsel to determine whether their data security programs contain the proper safeguards suited for their business as enumerated in the Act. If not already compliant pursuant to another statutory requirement, employers should take steps such as designating an employee to coordinate their security programs; training and managing employees in their security program practices and procedures; and reviewing service provider contracts to ensure the appropriate safeguards are contained in such agreements, among numerous other steps. While the March 21, 2020, deadline may seem far away, compliance may be a time-consuming and lengthy process.
Iowa Drug Testing Statute Provides Exclusive Remedy for Violations; Separate Wrongful Discharge Claim is Barred
Addressing a matter of first impression, the Iowa Supreme Court determined that “when a civil cause of action is provided by the legislature in the same statute that creates the public policy to be enforced, the civil cause of action is the exclusive remedy for violation of that statute.” Ferguson v. Exide Technologies, Inc., et al, Case No. 18-1600 (Iowa Dec. 13, 2019). Therefore, a plaintiff who brings a claim for a violation of the Iowa drug testing statute cannot also bring a wrongful discharge claim based on the same conduct.
The employee, a wet formation operator (who was required to lift 2300 car and tractor batteries in a single shift), sustained workplace injuries associated with repetitive lifting. After the employee was diagnosed with “tennis elbow” in both arms, the employer requested that she submit to a drug test pursuant to the employer’s drug testing policy. The employee refused to take the test. The employer terminated the employee’s employment the next day. The employee subsequently filed a lawsuit alleging violation of the Iowa drug testing statute and a claim for wrongful discharge in violation of public policy. The employer admitted violating the drug testing statute but denied liability (the employee was reinstated). On summary judgment, the employer argued that the wrongful discharge claim was preempted by the Iowa drug testing statute. The district court disagreed and granted summary judgment in favor of the employee on both claims. The case proceeded to a jury trial on damages. A jury awarded the employee nearly $46,000 in back pay, $12,000 in emotional distress, and $35,000 in attorneys’ fees (associated only with the Iowa drug testing statute claim). Under the Iowa drug testing statute, an aggrieved employee only can recover back pay and attorneys’ fees. The employee could not have recovered emotional distress without the wrongful discharge claim.
On appeal, the Iowa Supreme Court reversed the district court, holding that the drug testing statute could not serve as the basis for a wrongful discharge claim. The Court analyzed its prior decisions involving wrongful discharge claims based on statutes that provide a remedy. The Court made a distinction between statutes that provide for administrative remedies and those that provide civil remedies, reasoning that administrative remedies “do not provide the level of protection, control and the right to process involved in the court system.” The Court explained that the original purpose of the common law claim for wrongful discharge was to “provide a court remedy to enforce legislatively declared public policy.” If the legislature has already “weighed in on the issue” by providing a civil remedy in a statute, the wrongful discharge claim becomes “unnecessary.”
The Court affirmed the district court’s award of attorneys’ fees but remanded the case with a direction to enter judgment in favor of the employer on the employee’s wrongful discharge claim, vacate the portions of the jury’s damage award that would be available under a common law tort theory, and uphold those portions authorized by the Iowa drug testing statute. The Court’s decision is significant for Iowa employers. Wrongful discharge claims can expose an employer to back pay, emotional distress and punitive damages. An employee can also request a jury trial on a wrongful discharge claim, which is not available under some statutes, such as the drug testing law. This combination can have a tremendous impact on employers in Iowa, as six-figure emotional distress jury awards have become more commonplace throughout the state.
It is now clear that employees cannot double dip—when a statute provides for civil remedies, those remedies are exclusive. And, an employer’s risk under the notoriously complex Iowa drug testing law will not include emotional distress or punitive damages.
Data Broker Registration for California
Welcome to 2020. The California Consumer Privacy Act (“CCPA”) is now in effect, and your business has probably spent significant time and expense preparing for the law. With so much focus on CCPA preparations, it’s important to recall that the CCPA isn’t the only California privacy law to become effective this year. California will now also require any business that meets the definition of a data broker during a given year to register as a data broker with the California Attorney General’s Office on or before January 31st of the following year. Although the law is not clear whether it retroactively applies to business practices in 2019, the California Office of the Attorney General has issued a press statement on data broker registration and posted a registration page, which strongly indicates that the AG expects qualifying businesses to register by January 31, 2020. Under California law, a “data broker” is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The definition does not include entities already regulated by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, or California’s Insurance Information and Privacy Protection Act. California’s data broker registration requirement may look familiar because it is very similar to Vermont’s data broker registration requirement, which took effect in January 2019. However, a major difference between the laws is that California’s definition of data broker is far more expansive due to the broad definitions of “sell” and “personal information” under the CCPA. Even if you believe your business does not sell personal information in the traditional sense, you should evaluate whether your business meets the definition under the CCPA. California’s data broker registration process is currently as follows. A business representative must create an account with the California Office of the Attorney General. 
Once registered, the representative must then fill out a registration form, which asks for the data broker’s name, email address, website URL, and physical address. The form also includes optional fields regarding how a consumer may opt out of sale or submit requests under the CCPA, how victims of abuse or elected or appointed officials can demand deletion of their information posted online, and any additional information that the business wants to provide about its data practices. Upon completion of the process, the representative pays a fee and the data broker is added to the California registry, where the data broker’s information is publicly available and can be exported via an Excel file. As of the date of this posting, the registry is empty, although we expect that to change as we draw closer to January 31st. Data brokers that fail to register with the California Office of the Attorney General may be subject to an injunction and liable for penalties of up to $100 for each day they failed to register, unpaid registration fees, and costs associated with an enforcement action brought by the AG.
New Jersey WARN Act Radically Expanded
On January 21, 2020, Governor Phil Murphy signed into law Senate Bill 3170. This bill radically expands employers’ advance notice and severance pay obligations under the Millville Dallas Airmotive Plant Job Loss Notification Act (NJ WARN), making the New Jersey statute the most burdensome and costly reduction-in-force law in the country.
Effective immediately, the following changes to NJ WARN are in force:
“Ban the Box” Set to Apply to Employers in the City of St. Louis
Joining the many cities that restrict criminal-history inquiries in the hiring process, the City of St. Louis Board of Aldermen unanimously passed Board Bill Number 120. Beginning January 1, 2021, all employers (1) located within the City of St. Louis, (2) with 10 or more employees will be prohibited from asking about an applicant’s criminal history until after an applicant is determined to be otherwise qualified for the position and has been interviewed.
Once the law takes effect, such employers may not do any of the following:
Employers who are hiring for positions where federal or state laws and regulations or City Ordinances prohibit employers from employing individuals with certain criminal histories are permitted to publish job advertisements or put forth applications that exclude applicants based on criminal history, are permitted to ask applicants about their criminal history on a job application, and are permitted to seek out all publicly available information on an applicant’s criminal history. All employers are also permitted to ask about an applicant’s criminal history if all applicants in a final selection pool from which the position will be filled are asked.
Any alleged violation of the Ordinance will be referred to and investigated by the Civil Rights Enforcement Agency for the City of St. Louis. Violations can then be recommended to the Office of the License Collector for employer compliance. Penalties for violating the Ordinance range from a warning to a revocation of an employer’s business license. Employers could also potentially be assessed civil penalties to be determined by the Office of the License Collector at a later time.
Employers in the City of St. Louis should evaluate their hiring practices and make necessary changes to their applications to remove any requirement to disclose prior criminal history for those positions the Ordinance addresses. Employers should also modify policies concerning the timing of inquiries regarding criminal history, as such inquiries can be made only after interviews have been completed and must be directed at all applicants within the final selection pool. Finally, employers should be mindful that the Ordinance applies to promotional decisions as well as to new applicants.
Court Rejects FDCPA Claim Based on Allegedly Inaccurate Credit Reporting
The U.S. District Court for the Middle District of Florida has awarded summary judgment in favor of a furnisher on a consumer’s claims brought under the Fair Debt Collection Practices Act. The dispute arose out of credit reporting on the account. The plaintiff asserted that the furnisher violated credit reporting standards by inaccurately identifying the “original creditor”; the Court rejected the theory that inaccurate credit reporting violated the FDCPA and dismissed the claim. Plaintiff Kerry Koehler received cable and/or internet service from Bright House Networks, and then fell behind on her payments. Bright House was subsequently acquired by Charter Communications, which entered into an agreement with Waypoint Resource Group to collect on unpaid accounts, including the debt at issue. Waypoint sent Koehler a collection letter and electronically reported the unpaid debt to a credit bureau through a Metro 2 Format. Waypoint identified the creditor in the “Original Creditor” data field as “Charter Communications” rather than Bright House. Koehler sued Waypoint for a single count under the FDCPA, claiming that the reporting of the debt under the name of Charter Communications instead of Bright House Networks constituted a false and misleading representation and unfair practice. The facts were undisputed, and the parties filed summary judgment motions. The Court specifically found persuasive an existing line of cases in the Middle District finding that “allegations that a creditor did not follow industry standards or otherwise erroneously reported information to a CRA [credit reporting agency] are insufficient to state a claim under the FDCPA.” In other words, inaccurate credit reporting, without more, is not actionable under the FDCPA.
The reasoning in these cases can be an important tool for furnishers seeking to prevent attempts by plaintiffs’ counsel to bootstrap FDCPA claims onto credit-reporting disputes when there is no viable claim under the Fair Credit Reporting Act.
A copy of the Order can be accessed at https://www.consumerfinancialserviceslawmonitor.com/wp-content/uploads/sites/501/2019/12/Koehler-v-Waypoint-1.pdf.
Different Standards Apply to Equal Pay Act and Title VII Pay Discrimination Claims
The U.S. Court of Appeals for the Second Circuit held that a plaintiff does not need to establish a violation of the Equal Pay Act in order to maintain a pay discrimination claim under Title VII. As the Second Circuit noted in Lenzi v. Systemax, Inc., although both laws prohibit pay differentials based on sex, they are subject to different standards. Under the EPA, a plaintiff is entitled to equal pay for equal work, which requires a showing that the plaintiff performed equal work to an employee of the opposite sex but received unequal pay. Under Title VII, however, the plaintiff must show that they were subject to discrimination in pay because of sex—which does not necessarily require a showing that there were comparators of the opposite sex in substantially equal positions. Although the Second Circuit noted that an employer could discriminate against a female employee by paying her less than male peers performing equal work, that is not the only way to effect discrimination under Title VII. The Second Circuit offered the example of a female employee hired for a unique position who is paid less than she would have been paid if she were male. As the Second Circuit stated, “a claim for sex-based wage discrimination can be brought under Title VII even though no member of the opposite sex holds an equal but higher paying job, provided that the challenged wage rate is not based on seniority, merit, quantity or quality of production or any other factor other than sex.” (Internal quotations omitted).
In the current case, the female plaintiff showed that she was paid below market rate for her position while male executive peers were paid above market rate. The Second Circuit found that “these statistical differences permit an inference of discrimination.” Moreover, the plaintiff offered evidence that her supervisor, who was the CFO, made pervasive disparaging remarks about his ex-wife and females, which also suggested a discriminatory motive. Taken together, these circumstances were enough to support a claim for pay discrimination under Title VII.
Eleventh Circuit Affirms $250K Compensatory Damages Award and Allows a $1 Million Punitive Damages Award in Individual Mixed-File FCRA Action
On January 9, 2020, the United States Court of Appeals for the Eleventh Circuit issued its decision in Williams v. First Advantage LNS Screening Solutions, a case watched closely by the background screening industry. In Williams, the Court affirmed a $250,000 compensatory damages award and reduced a $3.3 million punitive damages award to $1 million in an individual mixed-file claim brought pursuant to 15 U.S.C. § 1681e(b) of the Fair Credit Reporting Act (FCRA). The decision addressed a basic legal requirement in the background screening industry: connecting background information to common names. The matching procedures involved in Williams are similar to those recently scrutinized by the CFPB in another notable FCRA action, filed in the Southern District of New York, that we previously highlighted. In that action, the CFPB also addressed procedures for attributing public records to persons with common names when other definitive unique identifiers, particularly a Social Security number, are absent, and came to conclusions similar to those of the Williams court.
In Williams v. First Advantage, Plaintiff Richard Williams sued Defendant First Advantage for alleged violations of the FCRA in connection with twice attributing the criminal background information of another individual to Plaintiff. In two criminal background reports developed a year apart, Defendant reported to Plaintiff’s potential employers criminal background information related to a “Ricky Williams.” In its description of the background of the case, the Williams Court focused heavily on Defendant’s procedures for connecting criminal background information with individuals with common names. In order to attribute criminal background information to an individual with a similar name, Defendant’s employees preparing the report were required to attempt to locate three identifiers, such as name, date of birth, Social Security number, or a driver’s license number. Where the employee was unable to locate a third identifier, he or she was required to note that fact and obtain approval by a supervisor prior to releasing the report. Evidence at trial showed that in both instances, Defendant’s employees preparing Williams’s reports relied on only two identifiers. Further, Plaintiff disputed the criminal information contained in the first report, which was later removed. However, different criminal background information related to “Ricky Williams” appeared on Plaintiff’s second criminal background report developed a year later. Importantly, the employees who developed the second report lacked access to information pertaining to the disputed criminal history in the first. At trial, Plaintiff argued that he suffered lost wages of $78,272 and suffered additional emotional and reputational harm as a result of the reporting. The jury found Defendant willfully failed to follow procedures to assure the maximum accuracy of the information in Plaintiff’s consumer report, as required by § 1681e(b) of the FCRA.
The jury awarded Plaintiff $250,000 in compensatory damages and an astonishing $3.3 million in punitive damages. After the trial court entered judgment in favor of Plaintiff, Defendant filed a motion for judgment as a matter of law, which the trial court subsequently denied. Defendant appealed.
Defendant raised three arguments on appeal. The first two arguments related to its motion for judgment as a matter of law. First, it argued that the jury’s award of $250,000 should be vacated because the Plaintiff failed to show reputational harm. Second, it argued that Plaintiff had failed to establish a willful violation of the FCRA. Third, Defendant argued that the $3.3 million punitive damages award was unconstitutional under the Due Process Clause. In a brief analysis, the Court affirmed the district court’s denial of Defendant’s motion for judgment as a matter of law with respect to Plaintiff’s showing of reputational harm and willfulness under the FCRA. The Court’s analysis with respect to willfulness is particularly notable, considering the extent to which Defendant’s procedures were scrutinized. The Court recognized that, although Defendant had a policy requiring a third identifier for screenings involving common names unless a supervisor approved the use of two, evidence in the case indicated that this did not occur in common practice. Defendant’s Vice President of Operations stated at trial that locating a third identifier was “kind of aspirational.” The Court understood this to imply that Defendant consciously disregarded a known risk of violating the FCRA. The Court further pointed out that Defendant failed to follow its own procedure during the preparation of both reports related to Plaintiff. Finally, the Court looked to Defendant’s lack of a procedure for flagging disputed criminal background information to avoid repeat occurrences. It found this evidence sufficient to support a willful violation of the FCRA. The Court spent the majority of its seventy-seven-page opinion analyzing the constitutionality of the jury’s $3.3 million punitive damages award. The ratio of punitive damages to compensatory damages in Williams was 13:1.
The Court noted the Supreme Court has previously found an award of punitive damages with a 4:1 ratio is “close to the line” of unconstitutionality, and an award that exceeds a single-digit ratio is likely a violation of the Due Process Clause. However, after a lengthy review of relevant case law, the Court determined in candor that it is “ultimately up to the reviewing court to eyeball the punitive damages award and, after weighing the egregiousness of the particular misconduct and the harm it caused, decide whether the award is grossly excessive.”
In the end, the Court ruled that a 4:1 ratio was appropriate in this case and reduced the jury’s punitive damages award to $1 million based on the amount of compensatory damages awarded and its assessment of the reprehensibility of Defendant’s conduct. The Court’s reprehensibility analysis focused primarily on Defendant’s use of only two identifiers when attributing the criminal history of Ricky Williams to Plaintiff, as well as its failure to flag this information once alerted to its inaccuracy to avoid future mispairing.
Based on two concurring opinions filed with the majority decision, the $1 million award was a compromise by the three-judge panel. One judge on the panel would have affirmed the $3.3 million award, while another opined that $500,000 was the proper figure. As one of the judges noted, “[t]he only way to resolve such a disagreement is to meet in the middle—as we have done.”
In its punitive damages analysis, the Court noted the tension between competing analyses of Defendant’s error rate with respect to mispairing individuals with criminal background history and the extent to which this placed Defendant on notice of its conduct. Based on evidence at trial, the national rate for all errors in reporting raised through Defendant’s dispute resolution process between 2010 and 2013 was .38%—less than one half of one percent. In mitigating the alleged reprehensibility of its conduct, Defendant argued that this figure was rather low. Plaintiff, on the other hand, argued that based on the high number of reports issued by Defendant, errors still affected some 13,000 individuals. Importantly, however, Plaintiff did not show the extent to which those 13,000 individuals had similar experiences to the Plaintiff. The Court concluded that the extent to which the Court could determine that Defendant was on notice was limited because Plaintiff “failed to bore down into the numbers.” Indeed, the court expressly stated that a high frequency of related experiences would be something the “Plaintiff should have seized on and proved at trial if he wanted to justify an award of extraordinarily high punitive damages.”
The decision comes on the heels of a Complaint filed by the CFPB against Sterling Infosystems, Inc. in the United States District Court for the Southern District of New York alleging violations under the FCRA and a simultaneously filed Proposed Stipulated Final Judgment and Order. In the Complaint, the CFPB appeared to stake out a position that matching a criminal record to an individual with a common name based solely on a first and last name and date of birth was inadequate. Challenges to matching procedures utilized by the background screening industry continue to be an area of focus in FCRA litigation. The Eleventh Circuit’s Williams decision represents a noteworthy development on that front.
Pennsylvania’s Medical Marijuana Act at Issue in Recently Filed Complaint
In 2016, Pennsylvania enacted its “Medical Marijuana Act” (MMA), which permits individuals suffering from certain conditions to use marijuana for medicinal use. Several provisions in the MMA impact employers. For instance, the MMA makes it unlawful for an employer to “discharge, threaten, refuse to hire or otherwise discriminate or retaliate against an employee regarding an employee’s compensation, terms, conditions, location or privileges solely on the basis of such employee’s status as an individual who is certified to use medical marijuana.” In other words, taking adverse action against an employee based solely on the individual’s status as a medical marijuana cardholder would likely be considered discrimination under the MMA. The law does not, however, require employers to accommodate the use of medical marijuana at work or to “commit an act that would put the employer or any person acting on its behalf in violation of federal law.” The MMA also allows employers to take action against those who are “under the influence” of medical marijuana while at work. Specifically:
“Nothing in this Act shall require an employer to make an accommodation of the use of medical marijuana on the property or premises of any place of employment. This Act shall in no way limit an employer’s ability to discipline an employee for being under the influence of medical marijuana in the workplace or for working while under the influence of medical marijuana when the employee’s conduct falls below the standard of care normally accepted for that position.”
This might suggest that an employer may always discipline an employee for being under the influence of medical marijuana while working. That said, another interpretation is that employers can always discipline an employee for being under the influence in the workplace, but if the employee is outside of the workplace (such as an outside sales position), employers may only discipline such an employee for being under the influence if their performance falls below the standard of care normally accepted for that position. It remains to be seen which reading the courts will adopt.
A separate section of the law addresses safety sensitive roles. Specifically, the MMA provides that qualifying patients may not “operate or be in physical control of any of the following while under the influence with a blood content of more than 10 ng/ml: (1) chemicals which require a permit issued by the federal government, state government, federal agency or state agency; or (2) high-voltage electricity or any other public utility.” Moreover, it also allows employers to prohibit employees from doing any of the following while under the influence of medical marijuana, regardless of whether the employees are in the workplace or their conduct falls below the standard of care for their position:
Many have wondered: what does it mean for an employee to be “under the influence” of marijuana? Notably, the law is silent as to whether an employer can rely upon a positive drug test as a reason for an adverse employment action in itself, or as evidence of impairment. And, while a manager or supervisor’s observations might be helpful, this doesn’t necessarily mean that the cause of impairment has been or even can be identified. Further, while drug tests might show recent marijuana use, they can’t definitively state the employee’s level of impairment at the time of the test. Hopefully, the Pennsylvania courts will answer these lingering questions.
And on that point, on December 2, 2019, a former worker at a city water and sewer authority filed a state court complaint against the authority alleging a claim for unlawful termination in violation of public policy after he was terminated for testing positive for marijuana during a random drug test. The plaintiff worked as a customer service representative and claimed to have suffered from post-traumatic stress disorder (PTSD). At the time he learned of the positive test result, he advised the authority that he had a valid medical marijuana card. He alleged that his termination violated public policy because he was never required to perform any of the safety sensitive duties set out in the MMA, described above. The crux of the plaintiff’s claim is that he was terminated “solely because he lawfully used medical marijuana to treat his PTSD outside the workplace.” It remains to be seen whether this case might provide clarity as to what Pennsylvania employers can do when faced with an employee who tests positive for marijuana and claims to be a lawful medical marijuana user but does not perform safety sensitive duties. As noted above, the MMA has separate sections that address an employer’s rights and responsibilities under the statute. That the plaintiff in the complaint alleges that he did not perform safety sensitive duties might not end the inquiry. We will continue to monitor this case and report any important developments.
In the meantime, Pennsylvania employers should consider reviewing their drug testing and other substance abuse policies to ensure compliance with the MMA and any other state medical marijuana law that applies to their workers.
Another GDPR fine and important considerations for housing associations
A recent decision of the Hellenic Data Protection Agency (HDPA), the Greek equivalent of the Information Commissioner’s Office (ICO), confirms that employers who seek to rely on employee consent as the basis for processing employee data risk being in breach of the GDPR, and potentially liable to fines and enforcement action.
Personal data must be processed in accordance with one or more of the conditions for processing, and in line with the data protection principles, including transparency, fairness and accountability. Although consent is one of several potential processing conditions, it is problematic for employers, because where there is an imbalance of power between the data controller (employer) and data subject (employee), consent may not be able to be freely given, and might cause difficulties if withdrawn. Employers, however, can rely on other legitimate conditions for processing employee data, such as it being necessary for the performance of the employment contract, being processed in compliance with legal obligations, and/or being necessary for the legitimate interests of the data controller (in the private sector: slightly different rules apply for public authorities). The ICO has already made its position clear on this front and since the inception of the GDPR employers have been advised not to use consent as the basis for processing employee data.
In this case, the Big Four consultancy firm PwC was held to have breached its GDPR obligations and received a fine of 150,000 Euros. It relied on employee consent in order to process employee data, and asked employees to sign their agreement to this effect. Although PwC could have processed the data lawfully, on the grounds suggested above, it was held to have given employees a false impression as to the basis of processing their data and violated the principles of accountability and transparency.
Housing employers should check what information is given to employees about the basis for processing their data and update their privacy notices and employment contracts and/or handbooks to reflect the true reasons for processing, if consent is relied on, either solely or as a “sweep up” reason.
Finally—a brief update on time limits for responding to data subject access requests. The ICO has clarified that the “one month” for responding to a request should be counted from the date of receipt of the request, rather than the following day (which had previously been their position): e.g. a request made on 3 September needs to be responded to by 3 October. Ideally requests should be dealt with as expeditiously as possible, but housing employers should be aware that there is now slightly less time to
Can an Employer Implement a Nicotine-Free Hiring Policy? It Depends on State Law.
Nicotine products are highly addictive and have been linked to a variety of serious health issues, including lung cancer and other respiratory illnesses. In addition to the numerous health risks associated with nicotine use, there is also a causal connection between employee nicotine use and lower productivity in the workplace, as well as higher healthcare costs for employers. In response to these issues, and in an effort to promote and empower a healthy workforce, more employers are enacting health-conscious workplace policies and anti-smoking/vaping initiatives.
In fact, over the last decade, employers—particularly hospitals and businesses in the medical field—have adopted anti-smoking/vaping policies in those states in which it is lawful to do so, with the goal of encouraging a healthier work environment, as well as to increase worker productivity and reduce healthcare costs. On December 30, 2019, U-Haul International announced a new nicotine-free hiring policy that will go into effect in 21 states on February 1, 2020. Although U-Haul subsidiaries operate in all 50 U.S. states and 10 Canadian provinces, due to legal restrictions in some jurisdictions, the policy will be implemented only in the following 21 U.S. states: Alabama, Alaska, Arizona, Arkansas, Delaware, Florida, Georgia, Hawaii, Idaho, Iowa, Kansas, Maryland, Massachusetts, Michigan, Nebraska, Pennsylvania, Texas, Utah, Vermont, Virginia, and Washington. Prospective employees in those states will see statements regarding the nicotine-free hiring policy on application materials and will be questioned about nicotine use. Further, to be considered for employment in states where nicotine testing is allowed, applicants will be required to consent to submit to nicotine screening in the future. U-Haul employees hired prior to February 1, 2020 will not be affected by the new policy.
U-Haul will be the first major company in its field to refuse to hire applicants who are nicotine users, and the new policy has caused some to question whether companies which, like U-Haul, are deeply invested in the well-being of their employees, are allowed to enact such policies. The answer to that question depends on the jurisdiction in which the company operates. Nicotine users are not a “protected class” under any federal anti-discrimination law, and thus state law governs this issue. In each of the 21 states in which U-Haul companies will implement its policy, there are no laws that protect the rights of nicotine-users or prohibit employers from declining to hire applicants due to their engaging in otherwise lawful conduct outside the workplace. Therefore, a policy refusing to hire nicotine users is perfectly legal in those jurisdictions, and employers in those states are free to enact nicotine-free hiring policies if they so choose.
However, employers who are considering implementing such nicotine-free hiring policies should tread carefully. The remaining 29 states where U-Haul subsidiaries are not implementing the policy (and the District of Columbia) have various anti-discrimination or employee privacy laws preventing employers from enacting such policies. These states provide varying degrees of protection to employees. For example, some states broadly forbid employers from discriminating against applicants or employees based on the use of “lawful products” or for “lawful conduct,” whereas other state laws specifically protect an applicant’s or employee’s right to smoke or use other tobacco products. Although these states are generally more employee-friendly in this context, in some of these jurisdictions, employers can require smokers to pay higher health insurance premiums, so long as the additional amount reflects the actual differential cost to the employer. Further, employers can still regulate and limit an employee’s on-site smoking and can typically offer financial incentives for employees who participate in wellness programs to help them quit smoking.
This information has been prepared by Validity Screening Solutions for informational purposes only and is not legal advice. The content is intended for general information purposes only, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have.