Employers operating in Massachusetts are already aware of the Commonwealth’s Criminal Offender Record Information (CORI) law.1 CORI refers to the database of criminal information maintained by the Department of Criminal Justice Information Services (DCJIS). CORI records are limited to crimes investigated and prosecuted by the Commonwealth and do not include information related to federal crimes or crimes committed in other states. In 2012, the DCJIS issued regulations providing employers with access to the DCJIS’s database of information, which is referred to as the iCORI system. These regulations imposed obligations on both users of CORI and employers acquiring criminal history information from private sources—namely, consumer reporting agencies or background check companies.

The DCJIS recently issued amended regulations. These regulatory changes primarily impact iCORI users—i.e., those employers that obtain criminal records provided by the DCJIS itself. The new regulations appear to have minimal impact on employers that order background checks sourced directly from court records, which remain excluded from CORI. Below we summarize the changes to the regulations.

Records Obtained from Courts are not CORI

“Criminal Offender Record Information” was not specifically defined under the 2012 regulations, leading to a degree of uncertainty as to what was or was not CORI. But the 2012 regulations listed certain exclusions from CORI, such as public records of and maintained by courts. The 2017 regulations now define CORI and, importantly, continue to exclude records obtained from courts:

Records and data in any communicable form compiled by a Massachusetts criminal justice agency which concern an identifiable individual and relate to the nature or disposition of a criminal charge, an arrest, a pre-trial proceeding, other judicial proceedings, previous hearings conducted pursuant to M.G.L. c. 276, § 58A where the defendant was detained prior to trial or released with conditions under M.G.L. c. 276, § 58A(2), sentencing, incarceration, rehabilitation, or release.

This definition refers only to records compiled by the DCJIS and the amended regulations continue to list “published records of a public court or administrative proceeding” as excluded from CORI. Therefore, if an employer orders a background check from a CRA sourcing from court records, this is not CORI.

In fact, most consumer reporting agencies (CRAs) will not provide employers with CORI. This is because the regulations prohibit CRAs from storing CORI results unless the employer authorizes the CRA to be the “decision maker” on whether to hire the individual. Because CRAs typically do not want this responsibility, they will instead obtain criminal records directly from the courts—a practice not subject to the CORI regulations. But if an employer is obtaining CORI from a CRA, the employer must now provide the CRA with the annual salary for the position of the individual being screened. The new regulations set forth access requirements and restrictions depending on whether this salary is above or below $75,000.

Also, if an employer obtains information from the DCJIS (whether on its own or through a CRA), the regulations clarify that CORI includes arrest records, criminal pre-trial proceedings and hearing and records of incarceration and rehabilitation. In addition, the new regulations state that an employer cannot consider criminal proceedings initiated before the individual turned 18 unless the person was tried as an adult. Under the prior regulations, that age was 17.

Coverage is Expanded for iCORI Users

iCORI users must also be aware that the new regulations have expanded coverage. “Employee” is now defined to include “volunteers, subcontractors, contractors, [and] vendors, and special state, county and municipal employees.” Volunteers, contractors and vendors are not “employees” in the true legal sense of the term. But for purposes of CORI, the legislature has now included them in its definition. This means employers are free to conduct background checks on these individuals through the DCJIS. But it also means that any such checks are subject to regulations that consider these individuals “employees.” Because this characterization is at odds with how “employee” is typically defined under state and federal law, this could create potential issues for employers.

Interviewing and Taking Adverse Actions

Under the 2012 regulations, prior to questioning an applicant about criminal history or making an adverse decision based on criminal history, employers were required to provide the applicant with his or her CORI or “criminal history information” from sources other than the DCJIS. The prior regulations also required pre-adverse action notices before making an adverse decision based on CORI or outside criminal information, as well as the opportunity for the applicant to dispute the accuracy of the criminal information.

All of this is still true under the amended regulations. However, there is an additional requirement. The employer must now “identify the information in the subject’s CORI or criminal history information that is the basis for the potential adverse action. (something fairly common with the “ban the box” laws in general). Under the prior regulations, the requirement to specifically identify the disqualifying information did not apply to criminal records obtained from sources other than the DCJIS. Finally, if CORI is to provide the basis for a potential adverse action, the employer must provide the individual with a copy of the DCJIS’s information on the process for correcting CORI, which is available on the DCJIS’s website. But note that there is no longer any requirement to provide the individual with information on how to correct criminal history obtained from other sources.

CORI Acknowledgment Forms

To access records through the iCORI, employers must obtain a signed acknowledgment form from the employee or applicant authorizing the employer to view the records. The DCJIS has made several changes to the regulations on authorization forms. Under the prior regulations, the acknowledgment form was valid for one year after signing, and the employer could submit new requests for CORI within that period if it provided the individual with a written notice at least 72 hours before the request. The CORI acknowledgment form remains valid for one year, but there is no longer any requirement to provide notice of future requests during this year period. In addition, the new regulations set forth the identification verification procedure employers must follow if the individual does not have a suitable government-issued identification. Also, employers may now collect CORI acknowledgment forms electronically, including during an electronic application process. The DCJIS has provided revised “Model CORI Acknowledgment Forms” that employers can use or incorporate into their own forms. These forms are available on the DCJIS’s website.

iCORI Agency Agreement

The new regulations require employers to enter into an “iCORI Agency Agreement” for continued access to the database. This agreement requires the employer to (1) certify ongoing compliance with CORI laws and regulations; (2) maintain an up-to-date “need to know” list of employees who will request and review CORI; (3) confirm that the employer will only request an authorized level of CORI access; and (4) acknowledge that the employer (including individual users of the account) may be liable for violations of the rules and regulations.

With regard to the “need to know” list, this must include all staff that have been authorized to request, receive or review CORI. The list must be updated at a minimum every six months, and it must be made available to the DCJIS. Upon request, the employer must also provide the “need to know” list to the individual being screened or that person’s attorney.

Storage

Consistent with the prior regulations, employers may not maintain CORI records for more than seven years after the employee’s last date of employment or the date of the final decision not to hire an applicant. Hard copies of CORI must still be stored in locked and secured locations, and electronic copies must be password-protected and encrypted. However, the new regulations now permit cloud storage methods. If CORI is to be stored in the cloud, the employer must: (1) have a written agreement with the cloud storage provider setting forth the minimum security requirements published by the DCJIS; and (2) ensure the cloud method provides encryption and password protection of all CORI.

Conclusion

Employers currently accessing CORI, or those intending to utilize the iCORI system, should review and update their policies to ensure compliance with the amended regulations. The use of criminal history information in employment is a rapidly developing area of the law. In addition to the U.S. Equal Employment Opportunity Commission's continued interest in systemic discrimination,2 a growing number of states and municipalities have recently proposed or enacted legislation restricting employers from accessing and using criminal history information during the hiring process.3 Employers must exercise caution in this area and are advised to consult experienced employment counsel to review hiring and background investigation policies to ensure compliance with all applicable laws. As before, the Fair Credit Reporting Act (FCRA) remains a staple of the plaintiff’s bar to assert claims against employers. Therefore, consultation with experienced counsel is particularly recommended given the hyper-technical requirements of the FCRA.4