Fair Credit Reporting Act Implicates Employer Liability for All Types of Background Checks, Not Just Credit Reports

The titles “Fair Credit Reporting Act” and “Consumer Credit Reporting Reform Act” (which contains relevant amendments) are often misunderstood as applying only to credit reports. In fact, the FCRA’s coverage is very broad. Reports prepared by consumer reporting agencies containing criminal, educational, employment history, and other types of common records checks are covered by the FCRA and require advance notice, disclosure, and consent.

As illustrated recently, employers have been forced to pay hefty settlements in class action cases where it was alleged that they failed to comply with federal law when conducting criminal background checks on prospective employees. Employers are advised to proceed with caution and follow certain procedures, detailed below, when conducting background checks on both employees and applicants.


In April, Vitran Express, Inc., a freight company, paid $2.6 million to settle Ohio class action claims that it improperly obtained criminal background checks on job applicants. The named plaintiff in the case, Thomas Hall, alleged that Vitran ordered a criminal background report from a consumer reporting agency as part of his job application even though he had not authorized the company to do so. The report identified a different “Thomas Hall,” someone with the same first name, middle initial, last name, and date of birth as the named plaintiff, as having 27 felony convictions. Based on that report, Vitran refused to offer Hall employment, but did not tell him why; Hall only learned of the inaccurate report when he was notified by the consumer reporting agency. In the lawsuit, Hall claimed that Vitran did not seek or receive an appropriate disclosure from applicants prior to obtaining the reports and did not provide the applicants with pre-adverse action notices, including a copy of the applicants’ criminal background report and a statement of the applicants’ rights. The class was composed of anyone who had applied with Vitran and for whom Vitran had procured a consumer report without giving written notice or obtaining authorization, regardless of whether or not they were ultimately offered employment.

Though Vitran did not admit any wrongdoing in the settlement, it did concede that a portion of the individuals seeking employment may not have been aware that it was obtaining background checks for employment purposes. Beyond the Vitran case, there has been a rash of FCRA-related class actions filed lately, such as one involving transit operator FirstGroup PLC, which, in March, agreed to pay $5.9 million to settle two class actions brought against its subsidiaries by job applicants.


To avoid a similar fate of costly FCRA litigation, employers must take certain steps to ensure that they are in compliance with federal law. Before delving into these steps, it is important to understand that the law provides for an expansive definition of a “consumer report,” which is why employers are required to give advance notice, disclosure, and consent on background checks other than just credit reports. A consumer report is a report prepared by a consumer reporting agency that consists of any written, oral, or other communication of any information by a consumer bearing on an applicant’s or employee’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected for employment purposes. This definition should be kept in mind when reviewing the compliance recommendations below.

Employer Certifications to the Consumer Reporting Agency

An employer must first certify, in writing, to the consumer reporting agency retained that it will follow the FCRA rules concerning disclosure, authorization, notice, and adverse action notices, and that it will not use information in violation of any state or federal discrimination laws.

Disclosure and Authorization

Prior to obtaining a consumer report, an employer must:

  • Provide to the employee or applicant a clear and conspicuous disclosure—in a standalone document—that a report may be requested; and
  • Secure written consent from the employee or applicant to obtain the consumer report.

When an employer requests an “investigative consumer report,” which is a type of consumer report where information is gathered through personal interviews of associates of the employee or applicant, additional protocol is to be followed. Specifically, it must be disclosed to the employee or applicant that an investigative consumer report is being requested, and the disclosure has to inform the employee or applicant of their right to request further information about the nature of the investigation. Should information be requested, an employer must respond within five days.

Providing Documents Before the Adverse Action

If the results of a consumer report influence, in whole or in part, the decision not to hire an individual or to take any adverse employment action involving a current employee, the employer must provide the following two documents to the individual before taking any such action:

  • A copy of the consumer report relied upon; and
  • The Federal Trade Commission document, “A Summary of Your Rights Under the Fair Credit Reporting Act.”

Notice After the Adverse Action

If, after an employer has provided a copy of the consumer report and the FTC summary of FCRA rights, it intends to make the adverse action decision final, one more step must be taken. The employer must provide an adverse action notice, informing the employee or applicant that a final decision has been made and containing:

  • The consumer reporting agency contact information;
  • A statement that the consumer reporting agency is not the decision maker and cannot inform the individual as to why the adverse action was taken;
  • A statement of the individual’s right to obtain a free copy of the consumer report; and
  • A statement of the individual’s right to dispute with the consumer reporting agency the accuracy of any information in the report.

Is Your Company’s Social Media Launch Ahead Of Its Compliance Program?

Many businesses are still coasting along, enjoying the marketing advantages of social media without making sure they have a good compliance program in place. Of the companies with a Facebook fan page or Twitter account, roughly 65 percent would admit they do not have a social media policy. For companies with a social media policy, many of those policies have been lifted from online samples that may be overbroad and include provisions that have been challenged with some success in court.

“Penny wise and pound foolish,” companies are not having their social media business practices reviewed by knowledgeable legal counsel. Companies invest time and money putting together a Facebook fan page that is promoted throughout the company without training their employees on the Do’s and Don’ts of posting comments on the fan page, or using social media in general.

Another risk of social media was highlighted by settlements that the FTC reached with Twitter and Google concerning shortcomings in their privacy guidelines. The consent decrees reached by each of the companies highlight how seriously the FTC takes the safeguarding of consumer information. In the case of Twitter, the FTC put the responsibility for hackers gaining administrative access to Twitter personal accounts on Twitter. One hacker gained access to non-public information such as users’ email addresses and mobile phone numbers. The same hacker changed the passwords for approximately 45 high-profile Twitter users, including President Obama, and sent phony tweets from those accounts.

The hacker found his way into the system because Twitter did not have a feature that is commonly used with online stock brokerage accounts, where the system will lock you out after a few unsuccessful attempts to enter the correct password. The hacker used an automated password guessing tool which submitted thousands of guesses until finding the correct password. The FTC identified other shortcomings in Twitter’s security system, including: (1) not requiring that passwords be unique and different from what a Twitter employee, who also had administrative control of the Twitter system, used to access third-party programs and networks; (2) not requiring periodic changes of administrative passwords; and (3) not requiring that Twitter passwords in personal email accounts be stored encrypted instead of the plain text that some Twitter employees used.
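The lockout control described above can be sketched as follows. This is an added example, not code from Twitter, the FTC complaint, or the original article; the class and function names, the thresholds (5 failures in 300 seconds, 900-second lockout), and the constructed guessing run are illustrative assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account lockout: too many failures inside a window locks the account.
    Hypothetical helper; thresholds are illustrative, not taken from the article."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> time the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'rejected', 'ok', 'failed' or 'locked' for one login attempt."""
        # While locked, refuse before the password is even checked, so a
        # correct guess made during the lockout does not succeed.
        if self.locked_until.get(account, 0) > now:
            return "rejected"
        if password_ok:
            self.failures.pop(account, None)  # success clears the failure count
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        # Forget failures that have aged out of the sliding window.
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s
            recent.clear()
            return "locked"
        return "failed"


def simulate_guessing(throttle, n_guesses, correct_index, account="admin"):
    """Constructed run: one guess per second, the right password at correct_index.
    Returns (guesses actually checked against the password, account compromised)."""
    checked = 0
    for i in range(n_guesses):
        is_correct = (i == correct_index)
        if throttle:
            result = throttle.attempt(account, is_correct, now=i)
        else:
            result = "ok" if is_correct else "failed"  # no lockout at all
        if result != "rejected":
            checked += 1
        if result == "ok":
            return checked, True
    return checked, False


if __name__ == "__main__":
    print("no lockout:  ", simulate_guessing(None, 10_000, 3_000))
    print("with lockout:", simulate_guessing(LoginThrottle(), 10_000, 3_000))
```

Per-account lockout can itself be used to keep a legitimate user out, so deployments commonly pair it with per-source rate limiting or a second authentication factor.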

The FTC framed the complaint as Twitter not living up to its representations to consumers on its security practices. Twitter’s privacy policy stated, “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

Twitter settled with the FTC and agreed, among other things, to establish and maintain a comprehensive information security program so that nonpublic consumer information cannot be hacked into. This information security program will be assessed by an independent third-party auditor every other year for the next ten years. Twitter must also maintain records regarding its privacy practices and policies. Each violation of the settlement order may result in a civil penalty up to $16,000.

The recent Google Buzz settlement is a perfect example of a company forgetting to read and take into account its own privacy policy. Google’s Gmail privacy policy assured users of its email service that the information was being stored for the user’s purposes, and that Google would seek permission in advance of using the user’s personal information for a different purpose.

The FTC alleged that, in launching Google Buzz, a social networking platform that Google hoped would compete with Facebook, Google tried to create instant networks of friends for its users by pulling from their email contact lists without considering that this information may be very sensitive to the individual users (imagine clients of therapists and attorneys, abusive ex-husbands, children and job recruiters).

As a result, Google has had to enter into a comprehensive settlement that goes beyond the current regulatory requirements, and will likely hamstring Google’s efforts to compete with Facebook and other social networking sites that are not subject to similar restrictions. Among other things, Google must get affirmative consent to any new or additional uses of previously collected data. Google must also implement a comprehensive privacy program that is reduced to writing and includes an employee designated to manage the privacy program, and implement privacy controls and procedures with regular audits to make sure they are effective. Every two years, Google must have an independent auditor review the privacy program and prepare a written report. Google must comply with this comprehensive privacy program for 20 years, and that time period can be extended if Google violates the settlement consent order.

These FTC consent orders underscore the importance of making sure companies have their social media practices reviewed by knowledgeable legal counsel, risks identified and addressed, employees trained on correct usage, and new social media marketing strategies coordinated with legal counsel.

Time To Review Your Company’s Consumer Disclosures?

A series of recent federal court decisions highlight the importance of making sure your company’s online consumer disclosures are robust and accurate. If done properly, they just might help you avoid a class-action lawsuit.

In Berry v. Webloyalty.com, Inc., the court dismissed a putative nationwide consumer class action, concluding that the company’s business practices were not unfair or misleading as a matter of law because of the company’s disclosures. Slip Opinion, No. 10-1358 (S.D. Cal. Apr. 11, 2011).

The case involved “post-transaction marketing,” the practice of presenting a consumer with an offer from a third party after the primary transaction has been completed. This type of marketing generally involves a data-sharing arrangement, where the company completing the primary transaction passes data to a second company for marketing purposes. After the consumer takes some further action (e.g., entering an email address, checking a box and clicking “yes”), the second company charges the consumer for a new product or service using the payment information provided to the first company.

This practice has been criticized by certain legislators and officials at the Federal Trade Commission. Last December, Congress passed and the President signed the Restore Online Shoppers’ Confidence Act into law, targeting online post-transaction marketing; the law now requires additional disclosures to be made and prohibits third-party sellers from charging consumers for goods or services without the consumer’s express consent and from receiving certain financial information obtained during the initial transaction.

Notwithstanding any public debate over the propriety of these marketing practices, several federal courts have granted motions to dismiss in post-transaction marketing cases based on the companies’ disclosures. The most recent example is Berry, where the court took judicial notice of the company’s disclosures and ultimately dismissed the case, concluding that no reasonable consumer could have been misled, given the disclosures that were made.

After reviewing the online disclosures and terms of service, the court in Berry held that “the explicit and repeated disclosures that defendants made in their enrollment page suffices to defeat” all of the plaintiffs’ claims, including fraud, invasion of privacy and violations of the Electronic Communications Privacy Act, Electronic Funds Transfer Act and California’s Unfair Competition Law. Slip Op’n at 9. The court explained that by completing his transaction after receiving such disclosures, plaintiff had consented to the conduct about which he complained. Id. Although the plaintiff claimed he did not understand he would be charged for the third party’s product (here a membership club providing discounts on products and services), the court emphasized that the enrollment page disclosed more than five times that, by signing up, plaintiff would be charged $12 per month after an initial thirty-day trial period. Id. at 10.

Based on these disclosures, the court granted the defendants’ motion to dismiss, thus ending the case and potentially saving the companies millions in discovery costs and other expenditures.

Other federal courts have reached similar conclusions. In Baxter v. Intelius, Inc., No. 09-1031 (C.D. Cal. Sept. 16, 2010), the court granted a motion to dismiss, concluding that “[t]he disclosures combined with the affirmative steps for acceptance are sufficient that, as a matter of law, the webpage is not deceptive.” Similarly, in In re Vistaprint, Marketing and Sales Practices Litigation, No. 08-1994 (S.D. Tex. Aug. 31, 2009), aff’d, No. 09-20648 (5th Cir. Aug. 23, 2010), the court held that a “consumer cannot decline to read clear and easily understandable terms that are provided on the same webpage in close proximity to the location where the consumer indicates his agreement to those terms and then claim that the webpage, which the consumer has failed to read, is deceptive.”

A key factor in each of these cases was the courts’ willingness to examine the company’s online disclosures in connection with a motion to dismiss. In each case, the plaintiffs opposed any review of the disclosures, arguing that they were outside the four corners of the complaint and may not be authentic. In Baxter and Vistaprint, the court rejected the argument because plaintiffs came forward with nothing to challenge the authenticity of the disclosures. In Berry, the court took the extraordinary step of allowing discovery on the authenticity and accuracy of the disclosures before ruling on the motion to dismiss. When the plaintiffs were unable to offer any evidence that the disclosures were not authentic, the court considered them in connection with the motion to dismiss and granted the motion.

These cases highlight two strategies that could help your company reduce the risk of class-action lawsuits.

First, the cases demonstrate that, even for controversial business practices, robust consumer disclosures may provide an effective defense against a consumer class-action lawsuit.

Action Step: Consider conducting a comprehensive review of your company’s consumer disclosures to evaluate whether your company is adequately protected and in compliance with existing law.

Second, the cases demonstrate the importance of being able to provide a court with accurate copies of the disclosures individual consumers saw and in a form that is subject to judicial notice in connection with a motion to dismiss.

Litigating a class action can be incredibly expensive and risky. One effective way to mitigate the risk is to have a strategy for defeating such suits at the earliest stages of the case, preferably on a motion to dismiss. But if you cannot provide accurate copies of the actual disclosures made to the named plaintiff, the court may be unwilling to consider them on a motion to dismiss and you may have lost one of your company’s most effective weapons against class actions.

Action Step: Consider reviewing your company’s systems for documenting consumer transactions to ensure you can provide accurate copies of consumer disclosures for any given transaction.