Conference Takeaways
- Data providers/brokers are increasingly being held to the same FCRA requirements as CRAs
- Hackers may already be living in your cyber system – you just don’t know it
- CRAs who offer adverse action services for their clients must be very careful
- Ban the Box is growing increasingly complicated in several cities and spreading to some tenant screening
In this report:
- The FBI, FTC and CFPB are working together
- Crossing state lines makes adverse action processes tricky
- Dotting “i’s” and crossing “t’s” can save you “$’s”
- Go along to get along with regulators
- “Ban the Box” is on steroids
- New ways to get sued
- New ways to protect yourself when you’re sued
- The legislative landscape
Conference Summary
The NAPBS Mid-Year Legislative Conference took place April 3-6 in Washington, DC. According to NAPBS registration records, there were 238 attendees from 153 companies, along with 130 exhibitors and sponsors representing 43 companies. The mid-year event focuses on legislative and compliance issues.
Note: All speakers at the conference participated at the request of NAPBS and do not represent the official positions of their agencies or companies. Similarly, attorneys’ presentations were intended to provide general information on various regulatory and legal issues and not intended to serve as legal advice or counsel on any particular situation or circumstance.
Opening Session
Executive takeaways:
- The FTC is monitoring big data brokers
- Several federal agencies work together to monitor and regulate the screening industry
- Cyber system attacks have increased exponentially over the past few years
- Hackers will be in your system for weeks – or months – before stealing any data
The opening keynote was a double-header with Robert Schoshinski from the Federal Trade Commission and Michael Taxay with the Cyber Division of the Federal Bureau of Investigation. Schoshinski provided a general outline of the FTC’s primary areas of focus when it comes to regulation, such as:
- Accuracy and the measures taken to verify that it is the correct person being searched
- Multiple reporting of the same offense
- Correct reporting of expunged records
- Reliability of information sources
Schoshinski said that the FTC is monitoring big data brokers for FCRA compliance in areas such as:
- Certifying that info being obtained is being used for permissible purposes
- Keeping consumers informed as to how information is being used
- Compliance with FCRA rules and regulations
- How (and how long) data is being stored
- The level of privacy of the data being collected
Schoshinski said that one question being asked when it comes to data providers is their level of knowledge about the ways the data they provide is being used, i.e., do they know whether it is being used for employment or tenant purposes? He acknowledged that CRAs are concerned with the myriad of regulatory agencies watching the industry (FTC, FBI and CFPB) and said that the agencies share data security concerns for different reasons and that they try to work together whenever possible and avoid duplicative efforts. He said to keep an eye out for some educational resources for screening firms from the FTC in the near future (www.ftc.gov).
Michael Taxay took over to discuss the exponential increase over the past few years in cyber system attacks. He noted that in February of 2016 alone, the FBI received 27,000 complaints about system attacks and that analysts referred about 11,000 of them for investigation/prosecution, totaling more than $180 million in losses.
“Sensitive information is a treasure trove for the bad guys,” he said. Those bad guys include not only identity thieves but also international organizations such as terrorists and foreign governments. Taxay added that those “cyber actors” are increasingly able to cloak their efforts, making it even harder for the FBI to track them down.
He walked the audience through “the anatomy of a hack”:
- Initial reconnaissance – using social media to find people within an organization who might be easy to compromise
- Initial compromise of system through a password leak or phishing e-mail – “People love to click links and the next thing you know, they’ve downloaded some sort of malware”
- Escalating privileges – once in, hackers don’t immediately start sifting through data; instead, they find ways to gain administrator status and make changes so there’s no activity logging and they can start creating additional “back doors” so IT teams can’t find them
- Exfiltration of data – after they’ve set themselves up (it could be weeks or even months), they begin the data theft
He also gave examples of who the hackers are:
- Activists out to deface or embarrass in order to pursue an agenda (such as “Anonymous”)
- Sophisticated criminals out to steal information such as identities and credit card info for sale on the “Dark Web”
- Insiders – such as Edward Snowden in national security cases
- Nation-states sanctioned by foreign governments to steal data or spread false information; the People’s Republic of China is a major violator
- Data kidnappers who are able to get ransomware into law firms or hospital systems to encrypt the data so that the businesses have to pay to get it decrypted
Taxay says the scalability of the Internet has made it easier than ever for the bad guys to collaborate around the world and it emphasizes the need for best practices among data stewards.
Required State and Local Consumer Notices
Executive takeaways:
- If you’re using non-compliant processes, you will eventually get sued
- Different (and conflicting) state requirements are making adverse notice letter processes “The New Frontier” of the law
Larry Henry with Rhodes Hieronymus shared helpful insights on how lawyers will eventually catch on to non-compliant operations and posed the question to everyone in the audience: “Who wants to be sued first?”
Henry addressed what he called “The New Frontier” and discussed how several states have varying notice requirements. He said it is a common situation that the consumer is from state “A”, the end user is from state “B”, but the consumer will work in state “C.” He spelled out the differences between states and the conflict of laws, and helped session attendees understand how employment laws apply in the state where each applicant works.
He said that some general rules for conflict of laws – but definitely not safe harbors – are:
- State of residence: irrelevant
- State where record exists: irrelevant
- State where end user is headquartered: irrelevant
- Where consumer works: relevant
- Where consumer is physically hired: relevant
Henry also addressed when an FCRA notice should be given by the CRA to the consumer and why these particular instances are important.
Contracts, Contracts, Contracts – Key Clauses That May Protect Your Company and Reduce the Threat of Litigation and Demand Letters
Executive takeaways:
- Small-detail mistakes can be costly
- You should fully understand your indemnification responsibilities
This session featured a panel group: Montserrat Miller, Henry Chalmers, and Lisa Payrow, all with Arnall Golden Gregory LLP. They helped attendees understand what makes sense when it comes to considering your contracts. Proper execution and paying attention to details help you leverage each of your accounts and can help you to avoid costly mistakes.
The session also addressed the obligations for indemnification and recommended that you discuss your policy with your insurance broker to make sure you understand the specifics of what is covered. It was also pointed out that “termination” comes with many meanings and the presenters helped to break it down in lay terms.
The session wrapped with some miscellaneous points focused around:
- Website or portal access
- Audit rights
- Fees & payment (or non-payment)
- Force Majeure
Regulatory Enforcement – A View from the Inside
Executive takeaways:
- There are 2 primary enforcers of the FCRA: the FTC & CFPB
- You need to establish a good Compliance Management System and follow it
- It’s a good idea to “cooperate to de-escalate”
This informative session had a panel of 3 attorneys: Ashley Taylor with Troutman Sanders LLP, along with Joel Winston and Jennifer Sarvadi from Hudson Cook LLP. They helped the group understand the “regulators” and who they are. Joel Winston took time to help everyone understand the differences between the FTC & CFPB and how they have different approaches.
The session then turned to Ashley Taylor, former Deputy Virginia AG, who explained how AGs across the country work. He shared that in the past, the AG has been viewed as the State’s counsel, but now they are engaging in a multistage paradigm and shared thoughts and resources on nationwide cases.
They said these are not defenses in the FTC’s eyes:
- You didn’t harm consumers
- You didn’t intend to violate the law
- You received no advance warning
- You stopped the violations
- You were doing same thing as your competitors
- You didn’t receive any complaints from consumers
- You relied on your lawyer’s advice
The session concluded by the panel encouraging the attendees to stay in touch with the regulators via trade associations in order to stay current. In addition, they said it’s not uncommon to have the FTC reach out and if they do, it’s important to “cooperate to de-escalate.”
Ban the Box: What CRAs Need to Know
Executive takeaways:
- CRAs need to be aware of the change in tone surrounding BtB
- BtB requirements are more complex in “progressive” cities
- You can’t simply remove criminal history from applications to make the issue go away
Christine Cunneen from Hire Image LLC, and Kelly Uebel from Info Cubic LLC head the Ban the Box Task Force for NAPBS. Cunneen brought up that the language and entire tone has changed around this issue. What used to be called “ex-offenders” are now “people with criminal past” or something similar – all in an attempt to more “humanize” the reference. Likewise, “Ban the Box” is now referred to as the “Fair Chance Act” in places. She said CRAs need to be aware of this change in tone.
Uebel added that NAPBS does not oppose “standard” BtB laws and would in fact support a uniform standard BtB. Right now, there are “standard” BtB laws on the books, as well as BtB “on steroids” with a myriad of regulations that can run contrary to each other. The speakers noted that pending BtB legislation for federal employees/contractors may lead to more uniform statutes.
Particularly challenging jurisdictions include what might be called “more progressive” cities such as NYC, Philadelphia and San Francisco.
They said that simply removing the criminal history section from applications won’t solve all of your BtB issues and it’s not inconceivable that large employers may try to contractually shift responsibility for some of these requirements to CRAs in the future. They cited the National Employment Law Project (www.nelp.org) as a great resource to keep up with what’s going on with BtB.
Cutting Edge FCRA Compliance Issues
Executive takeaways:
- Data wholesalers may be subject to the same requirements of a CRA
- Pre- and adverse action notices may also be applicable to independent contractors
- Some FCRA class action suits may be put on hold while waiting for the Spokeo Supreme Court decision
David Anthony with Troutman Sanders LLP led this packed room session dealing with increasingly novel claims against screening companies. He noted that thousands of FCRA cases are filed every year and that the FCRA has become a favorite vehicle for putative class actions, with FCRA class claims often threatening outsized liability, even when a plaintiff’s chance of success on the merits is slim.
The first area of discussion was the application of FCRA to wholesalers/public record vendors. Anthony said that “Wholesaler” is not defined under FCRA. Usually the determination deals with whether it simply assembles or evaluates data transmitted to 3rd parties. Even if such entities are classified as CRAs, Anthony said there is a potential defense based on the unmatched nature of the information returned. This area of regulation is changing every day via court rulings. The second area was the “application of FCRA employment purpose” provision to independent contractors. He said companies should make sure that their independent contractors meet the applicable legal requirements for such a distinction in their state. Third was the status of law as to adverse action notices and background screening companies. Anthony said that if you make employment decisions on behalf of your client, FCRA compliance review in this regard is warranted. The fourth area dealt with duplicate public records. He said that reasonable procedures can provide a defense mechanism. Have a process.
The fifth area dealt with file disclosure issues with respect to “sources” of data under Section 1681g(a). Many cases challenge the failure of CRAs to disclose the identity of all the “sources” of information in their files upon a consumer’s record. “What exactly is a source?” he asked. Finally, he discussed Article III Standing and Spokeo. Is the mere violation of a statute an injury or do you have to have real harm, especially as it pertains to class action suits? The Supreme Court heard arguments and some thought we might hear a decision during the conference (we didn’t). Other cases may be on hold while we wait for this ruling. Anthony said the volume of Article III class action suits is clogging the courts – and judges don’t like it.
Advanced Blocking and Tackling
Executive takeaways:
- On-demand and staffing firms are under the FTC microscope
- Data providers are being brought into FCRA lawsuits
- Regular analysis and accuracy checks can help provide a defense in a lawsuit
Pam Devata with Seyfarth Shaw LLP looked at foundational compliance procedures as well as advanced areas of attack that every CRA should be aware of given the current legal, regulatory, and legislative landscape. She also offered some tips which may help if you’re ever caught up in a lawsuit.
She started by noting that an FTC/CFPB sweep of the industry happens every few years. This time around, on-demand and staffing companies are getting regulators’ attention. She said those agencies are also asking CRAs for “access letters” after class action lawsuits and they’re paying particular attention to data providers’ analytics and scoring models. She also noted that automated processes should have some safeguards. Her tips included:
- Require middle names and/or suffixes
- Analyze your metrics for disputed information cases
- Perform regular audits of non-disputed information
- Perform regular salting and vetting of your data providers with searches with known hits
- Set up policies for expunged records
- Set up a process to keep obsolete information from making it into reports (7 years)
- Set procedure so that end-user must acknowledge consumer reporting restrictions prior to initiating search (additional button push)
- Add similar certification language to bulk orders
(Editor’s note: these functionalities are available in the Accio Data platform)
Legislative Update
Executive takeaways:
- It’s one step forward, two steps back with state legislation
- Federal Ban the Box measures may set the stage for state rules
- Ridesharing is becoming a bigger issue
Jamie Tucker with Akin Gump provided an overview of legislation taking place at state and federal levels.
He said trends at the state level include access restrictions in many states, lower priority for data providers, and higher access and copy fees. On the plus side, he said Kansas and Oklahoma are actually expanding access and Massachusetts and Rhode Island are among the states passing comprehensive sunshine bills or public records reforms.
Tucker said Ban the Box is a continuing trend with varying degrees of applicability to public/private sector jobs and is also being used in some tenant screening. He urged members to pass along any developments in their own states and cities to NAPBS.
At the federal level, Tucker explained that President Obama’s Criminal Justice Initiative is designed to include Ban the Box for federal employees; in fact, it’s already being done by many agencies. He said the President also wants the Justice and Labor Departments to create a “Clean Slate Clearinghouse” database.
Tucker said that ridesharing has seen rapid expansion and just about every state has addressed it in some fashion during 2015 or 2016. He said that NAPBS has made some good progress in helping lawmakers with common language for legislation urging screening rather than the simple fingerprint solution used for cabs.
Tucker also said that the Education Bill was a big win for NAPBS. That legislation tried to tie federal funding for school districts to teacher background checks. It didn’t end up with language requiring an FBI check, but it did end up with “don’t pass the trash” language to keep teachers from moving between school districts with known criminal backgrounds.
Other session topics at the conference:
- (Sue Weaver) CAUSE for Coffee
- Tenant Screening: A Session for Everyone
- EU Privacy Shield Update
- The Future of Data Breach Risk Management: Response & Recovery
- IT Security Vulnerability
- Legalized Marijuana: Legislative Updates and the Impact to Background Screening
- “Little Mistakes” Can Add Up To Big Class Actions
- Verification: Best Practices to Increase Profits
The conference wrapped with about 70 NAPBS members heading to Capitol Hill to meet with various members of Congress and provide insight on the industry and its issues.
NAPBS will hold its 2016 Annual Conference Sept. 18-20 in Palm Desert, CA.