As you are likely aware, employers who use third parties to perform background checks (e.g., driving record, credit reports, criminal background, etc.) must comply with the Fair Credit Reporting Act (“FCRA”) rules in that regard, including providing the subject consumers (applicants and employees) with notice of their rights. You may not be aware that those rights—and the required notice of them—recently changed.

The Bureau of Consumer Financial Protection (“CFPB”) issued an interim final rule last fall updating its “Summary of Consumer Rights” and “Summary of Consumer Identity Theft Rights” model forms to include notice of a consumer’s new right to implement a “national security freeze,” commonly referred to as a credit freeze. This update reflects changes made to the FCRA through legislation that became effective in the fall of 2018.

All employers that use a third-party background service in connection with their hiring and employment decisions should ensure that their FCRA disclosure forms are updated to include information from CFPB’s model forms, which can be found at the links above.

Background and Analysis

In May 2018, Congress passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (“Act”) in response to increasing concerns about the severity and prevalence of data security breaches. The Act amends the FCRA and requires that credit reporting agencies such as Experian and Equifax place “national security freezes” and/or fraud alerts on consumers’ credit reports upon request by the consumer and at no cost to the consumer.

A national security freeze restricts the credit reporting agency from disclosing the contents of a consumer report to any person requesting the consumer report unless the agency is given express authorization by the consumer. The freeze remains in place until it is released by consumer request or it is determined the freeze was placed by mistake.

Consumers still have the option of requesting a fraud alert be placed on their file, a less severe alternative under which a lender who runs the report and sees the alert is required to verify the consumer’s identity before extending new credit. The duration of an initial fraud alert was lengthened from 90 days to one year under the Act, and victims of identity theft can request an extended alert lasting seven years.

By creating additional access barriers to background reports and credit information, the Act aims to reduce identity theft by misappropriation of personal information. These changes have a small but very important effect on employers.

The FCRA includes job applicants and employees within its definition of a “consumer” for purposes of employment-related activities. Thus, the FCRA applies to employers using consumer reporting agencies to procure a background check or “consumer report” on a particular employee or applicant.

To comply with the FCRA, employers seeking a consumer report through a third party need to:

  • Disclose to the applicant or employee that the employer is procuring a consumer report;
  • Notify the applicant or employee that the employer may use the information for decisions relating to employment or continued employment[1];
  • Obtain written consent from the applicant or employee to procure the report; and
  • Provide the applicant or employee with a Summary of Consumer Rights form.

The updated Summary of Consumer Rights model form includes, among other things, notice to consumers about their right to request a national security freeze. Notably, while employers still need to obtain written consent to procure the report, there is a security freeze exception that allows employers to access frozen consumer credit reports without consumers’ express authorization to the credit reporting agency when the information is used for employment or background screening purposes. So, although employers must update their disclosures in response to the new law, they should not need to update their processes.

Practical Takeaways

September 21, 2018 was the effective date for the national security freeze right, notice requirement and extended duration for initial fraud alerts. If they haven’t done so already, health care entities and other employers should update their FCRA disclosure forms as soon as possible to integrate the new information from CFPB’s model forms or simply replace their disclosure forms with the model forms. Now is a good time for hiring managers to double check that hiring packets and practices are otherwise compliant with the Act and the FCRA as well.

If you discover that your organization used an old disclosure form after the effective date of the new law, check with legal counsel to determine the best course of action to remedy the situation.

If you have any questions or would like additional information about this topic, please contact:

[1] In addition to providing this notice, employers must wait a “reasonable period of time” before terminating the employee or taking another adverse action.