As employers who do business in Massachusetts are aware, on August 6, 2010, Governor Patrick signed into law a bill that overhauled the Commonwealth's Criminal Offender Record Information (CORI) law. The first round of amendments, which went into effect on November 4, 2010, focused on a "ban the box" provision that prohibits employers from asking about an applicant's criminal history on an initial written application except in limited circumstances. Many employers have revised their written applications or altered their procedures to comport with this portion of the amended statute.
Round two of the CORI reform legislation is slated to go into effect on May 4, 2012, and includes numerous other requirements targeted at Massachusetts employers that conduct criminal background checks. In addition, the Department of Criminal Justice Information Services (DCJIS), the agency responsible for administering the CORI statute, recently issued proposed regulations related to the second round of requirements. DCJIS held a public hearing on the proposed regulations on March 30, 2012, and will accept written comments until April 19, 2012. Most provisions of the regulations provide clarification and guidance to employers with respect to their new obligations and also directly address the role of Consumer Reporting Agencies (CRAs) in conducting background checks in Massachusetts.
The following summary is designed to provide employers with an understanding of the requirements imposed by the new Massachusetts CORI law, the additional requirements imposed by the proposed regulations, and the steps employers need to take to ensure compliance with the CORI law.
Ban The Box
Effective November 4, 2010, the CORI law makes it unlawful for an employer to request criminal history information on an "initial written application." M.G.L. c. 151B, § 4(9½). This provision amends a portion of the Massachusetts Fair Employment Practices Law, M.G.L. c. 151B, § 4(9), which bars employers from asking questions of job applicants about arrests that did not result in convictions and convictions for certain misdemeanors.1 As previously reported (click here), the Massachusetts Commission Against Discrimination, the agency responsible for enforcing this provision of the CORI law, has interpreted this "ban the box" requirement to prohibit employers from requesting criminal history information on any written application or form "prior to an interview." By passing this law, Massachusetts joined Hawaii and became the second state to prohibit asking about criminal history on an application. Haw. Rev. Stat. § 378-2. Many other states have additional restrictions on questions that employers may ask on an employment application. Given this trend in state law, as well as the EEOC's anticipated guidance (occurring likely in April 2012) that the use of criminal history has a disparate impact on protected groups, employers are encouraged to evaluate their employment applications as well as if, and when, they will ask about criminal history in the hiring process.
The CORI law includes two exceptions to the blanket prohibition against requesting criminal history on an initial written application. An employer may ask about criminal convictions if: (i) the applicant is applying for a position for which a federal or state law or regulation creates a mandatory or presumptive disqualification based on a conviction; or (ii) the employer is subject to an obligation under a federal or state law or regulation not to employ persons who have been convicted of certain offenses. M.G.L. c. 151B, § 4(9½). It is important to note that employers such as banks or healthcare facilities, who are exempt from the "ban the box" provision of the CORI law, are not exempt from the other provisions of the law discussed below.
Requesting & Using CORI
Increased Access to Criminal History Information Obtained Through DCJIS
Under the CORI law, most employers will have greater access to criminal record information maintained by DCJIS. Prior to May 4, 2012, most private sector employers had to be certified by DCJIS in order to receive CORI from the agency. Beginning May 4, 2012, all employers may obtain "Standard Access" to CORI for the purpose of evaluating current and prospective employees, including full and part-time employees, contract employees, interns and volunteers. M.G.L. c. 6, § 172(a)(3).
Standard Access to CORI through DCJIS will allow employers to obtain criminal record information about: (i) all pending criminal charges, including cases continued without a finding of guilt until such charges are dismissed; (ii) all felony convictions for 10 years following the date of disposition or release from incarceration, whichever is later; (iii) all misdemeanor convictions for 5 years following the date of disposition or release from incarceration, whichever is later; and (iv) all convictions for murder, voluntary manslaughter, involuntary manslaughter, and sex offenses punishable by a term of incarceration in state prison, unless such conviction has been sealed. In the event that any criminal conviction qualifies to be included on a CORI report pursuant to these criteria, an individual's prior misdemeanor and felony conviction record will also be available, regardless of when the conviction or convictions occurred. M.G.L. c. 6, § 172(a)(3) and (a)(30)(b).
In the event that an employer needs criminal record information beyond what the "Standard Access" includes to comply with a particular statute, regulation, or accreditation requirement, DCJIS will grant the "required" level of access needed. The proposed regulations specify four different levels of Required Access depending on the underlying legal basis mandating that the employer obtain CORI. 803 CMR 2.05(3)(b). The regulations do not provide detail as to how DCJIS will determine which employers may obtain information that is subject to the various levels of Required Access or how employers will become certified to obtain Required Access. Instead, the regulations state only that Required Access will be provided "depending on the language of the statutory, regulatory or accreditation requirement that mandates obtaining CORI." Id.
Nothing in the CORI law prohibits an employer from seeking criminal history from a source other than DCJIS. As discussed below, however, the CORI law imposes obligations on employers seeking such information.
Where an employer utilizes a CRA to obtain criminal record information, the CRA will have the same level of access to CORI from DCJIS as the client on whose behalf the CRA is performing the CORI check. 803 CMR 11.04(1)(b). The proposed regulations also establish guidelines for the type of criminal history information a CRA can disseminate to its clients which closely mirror the federal Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et. seq.; 803 CMR 11.11.
Finally, employers should be aware that the CORI law makes it unlawful to require a person to provide a copy of his or her own criminal offender record when applying for employment. M.G.L. c. 6, § 172(d).
Documentation and Record-Keeping Requirements For Employers Who Request CORI Information From DCJIS
The new CORI law requires employers to follow certain procedures in order to access an individual's criminal record through DCJIS. Before an employer conducts a criminal record check, it must have the subject of the criminal check sign a CORI Acknowledgment Form authorizing the employer to obtain his or her record and verify the subject's identity by reviewing a form of government-issued identification. M.G.L. c. 6, § 172(a)(30)(c). Pursuant to the proposed regulations, acceptable types of government-issued identification include: (i) a state-issued driver's license; (ii) a state-issued identification card with a photograph; (iii) a passport; or (iv) a military identification. 803 CMR 2.09(3). The proposed regulations require the employer's representative to sign and date the CORI Acknowledgment Form certifying that the subject was properly identified. In the event that an employer is unable to verify an individual's identity and signature in person, the proposed regulations allow the individual to sign an Acknowledgement Form before a notary public. 803 CMR 2.09(5). CORI Acknowledgment Forms must be maintained by the employer for at least one year.2 M.G.L. c. 6, § 172(a)(30)(c).
To obtain CORI from DCJIS, the individual requesting the record must provide DCJIS with information identifying the subject (name, date of birth, and first six digits of social security number) and certify under oath that: (i) he or she is the authorized designee of the employer; (ii) the request is for the purpose of evaluating an applicant or current employee; (iii) the applicant or employee has signed an acknowledgement form authorizing the employer to obtain criminal record information; and (iv) the requestor has verified the identity of the applicant or employee by reviewing a form of government-issued identification. M.G.L. c. 6, § 172(a)(30)(c). Although not specified in the statute, the proposed regulations state that the employer must submit the subject's executed CORI Acknowledgment Form to DCJIS. 803 CMR 2.09(1)(a).
The proposed regulations also provide that the Acknowledgment Form is valid for one year from the subject's having signed the form or until the subject's employment ends, whichever occurs first. 803 CMR 2.09(9). An employer that submits a new CORI request within one year of the subject's having signed the original Acknowledgment Form must provide the subject with written notice at least 24 hours prior to submitting the request. 803 CMR 2.09(9)(a). If the employee revokes his or her authorization upon receiving such notice, the employer may not request the employee's CORI. 803. CMR 2.09(9)(c).3
Employers should be aware that DCJIS will maintain a log of all requests for criminal records, which includes the name of the requesting entity, the date of the inquiry, and the certified purpose of the inquiry. An individual may request a "self-audit" and obtain information from DCJIS regarding requests for the individual's own CORI. M.G.L. c. 6, § 172(g); 803 CMR § 2.24.
Using Consumer Reporting Agencies (CRAs) to Conduct Criminal Background Checks
While the amended CORI statute does not discuss the use of third-party consumer reporting agencies, the proposed regulations delineate how and when CRAs can access CORI information, specify a CRA's responsibilities under the law, and provide that employers may outsource decision-making functions to CRAs.4 Generally, these requirements track those of the FCRA, with some minor differences. 803 CMR 2.21.
The proposed regulations specifically contemplate that employers may use a third party CRA to request CORI information from DCJIS either through iCORI or in paper format.5 Similar to the FCRA, before a CRA can request CORI on an employer's behalf, the employer must: (i) notify the applicant in writing in a document consisting "solely" of such notice of its intent to obtain CORI, and (ii) obtain the applicant's written authorization to obtain this information. 803 CMR 2.21(1)(a)(1), (2). This requirement may differ from the FCRA, however, because the proposed regulations require that the written authorization be "separate" from the notice. Interpreting the FCRA, the Federal Trade Commission (FTC) has opined that although the FCRA also requires that an employer provide a disclosure consisting "solely" of the disclosure, such disclosure can be on the same form as the authorization. See FTC Opinion Letter (Steer, Oct. 21, 1997). The regulations prohibit an employer from substituting a CORI Acknowledgement Form for the authorization required by the FCRA. 803 CMR 2.21(1)(a)(2).
Employers utilizing a CRA must also certify to the CRA that they are in compliance with the FCRA. Additionally, the employer must provide "accurate identifying information" for the individual about whom any CORI is requested6 and the purpose for which the information is being requested. The proposed regulations reiterate the FCRA requirement that employers must not misuse any information in the consumer report in violation of federal or state laws or regulations. 803 CMR 2.21(b). It is unclear from the proposed regulations whether an employer certification need only contain the representation that the employer is in compliance with the FCRA, or must also include a certification with respect to the other provisions set forth in this paragraph.
As discussed below, under both the FCRA and the proposed regulations, regardless of the source of the information (DCJIS or other), an employer must comply with a detailed set of procedures before taking adverse action toward an individual based on criminal history information.
Requirements For Taking Adverse Action Based on Criminal History Information
The amended CORI statute does not prohibit employers from asking an individual about his criminal history (after the initial application), nor does it prohibit an employer from deciding not to hire a person or taking other adverse action based on a person's criminal history. M.G.L. c. 6, § 171A. In many respects, the CORI requirements on this point are very similar to the requirements under the FCRA. Similar to the FCRA, prior to questioning an applicant about his or her criminal history, the CORI statute requires that the employer provide the applicant with a copy of the criminal history record, whether obtained from DCJIS or any other source. M.G.L. c. 6, § 172(c). If an employer chooses to take adverse action based on a criminal record, the employer must notify the applicant about the potential adverse decision and provide: (i) a copy of the applicant's criminal record; (ii) a copy of the employer's criminal background check policy; and (iii) information concerning the process for correcting a criminal record.7 The above information must be provided to an applicant regardless of the source used to obtain the criminal history information and regardless of whether a CRA was used to obtain the information. If the employer provided the applicant with his or her criminal record prior to questioning the applicant, the employer does not need to provide the record again in connection with an adverse action decision. M.G.L. c. 6, § 172(c). Unlike the FCRA, CORI requires the additional step of providing the employer's policy and specific information on how an individual can correct his or her CORI record. As such, employers are well advised to provide a copy of the DCJIS document entitled "Information Concerning the Process in Correcting a Criminal Record" with the FCRA pre-adverse action letter.
The proposed regulations expand on the requirements regarding the use of CORI and make a distinction between employers who obtain CORI from DCJIS and employers who obtain criminal history information from a source other than DCJIS. Specifically, in addition to providing the information specified above, and similar to the FCRA, before taking adverse action, all employers must provide the applicant with an opportunity to dispute the accuracy of the information contained in the criminal record regardless of the source of information. 803 CMR 2.17(1), (6). But, where an employer takes adverse action based on information obtained from DCJIS, the employer must apprise the affected individual of the information in the applicant's CORI that is the basis for the decision. 803 CMR 2.17(5). Where an employer takes adverse action based on information from a source other than DCJIS, the employer does not have to provide such a basis, but must identify the source from which the criminal history information was obtained. 803 CMR 2.18(3). Finally, the proposed regulations require that employers "document all steps taken to comply" with the regulatory requirements.
Additionally, if an employer uses a CRA to obtain CORI, the employer must also follow the requirements of the FCRA, which include providing the individual the FTC's document entitled "A Summary of Your Rights Under the Fair Credit Reporting Act" with the pre-adverse action notice.8
Policy & Training Requirements
Employers Who Conduct Five or More Criminal Background Investigations Per Year Must Have a Policy
The CORI statute requires employers that annually conduct five or more criminal background investigations to maintain a written criminal offender record information policy. M.G.L. c. 6, § 171A. This requirement applies to employers whether they obtain criminal record information directly from DCJIS or through another source - including through a CRA. In addition to any obligations required by the regulations, a CORI policy must provide that the employer will: (i) notify the applicant if a potentially adverse decision may be made based on the criminal record information; (ii) provide the applicant a copy of the criminal record information obtained and a copy of the employer's criminal record policy; and (iii) provide information concerning the process for the applicant to correct his or her criminal record. Id.
The proposed regulations do not contain any additional requirements that employers must include in a policy, but do state that DCJIS will maintain a model CORI policy on its website. 803 CMR 2.15. The model policy currently on the DCJIS web-site includes the requirements set forth above, but is broader in scope. Employers should closely review their current policy or seek guidance in creating a policy that comports with the new CORI law, as well as the FCRA, and also accurately reflects their practices.
Training Required to Receive CORI from DCJIS
In conjunction with the new CORI law, DCJIS developed an internet-based system to access criminal offender record information, called iCORI. An employer must register for an iCORI account with DCJIS in order to obtain CORI from DCJIS. 803 CMR 2.04. Employers will be able to register for access to iCORI beginning on May 4, 2012. To complete registration for an iCORI account as an employer, the employer must designate an individual to complete iCORI training and agree to all iCORI terms and conditions. 803 CMR 2.04(2)(b). All iCORI registrations are valid for one calendar year. 803 CMR 2.04(6). Employers must re-register for an iCORI account each year, and the individual user must repeat the mandatory iCORI training annually. 803 CMR 2.04(6). The proposed regulations state that a registration fee may be required, but does not specify an amount. 803 CMR 2.04(2)(c) and (6)(b). Employers can allow third-party CRAs to access CORI on their behalf, but the employer still must register and maintain its own iCORI account in order to do so. 803 CMR 11.04.
Disseminating CORI Records
The new law limits an employer's right to disseminate criminal history information both within the employer's organization and to outside entities. An employer can disseminate criminal information as directed by the subject, to individuals within the employer's organization who have a need to review the information to evaluate the applicant or employee, and to certain governmental agencies charged with overseeing, supervising, or regulating the employer. M.G.L. c. 6, § 172(f). If an employer disseminates criminal history information outside of its organization, it must maintain a secondary dissemination log for one year following the dissemination which includes: (i) the subject's name, (ii) the subject's date of birth; (iii) the date of each dissemination; (iv) the name of the person to whom the information was disseminated; and (v) the purpose of the dissemination. Id. The proposed regulations specify that where criminal history information is shared with an organization, the dissemination log must include the name of the organization and the name of the individual to whom the information was disseminated. 803 CMR 2.16(2)(d). Dissemination logs may be maintained either electronically or on paper. 803 CMR 2.16(3). Employers that maintain and communicate criminal history information in the usual course of their business, such as staffing companies and recruiters, should pay particular attention to this new requirement.
Storage of Criminal Offender Record Information
Unlike the federal FCRA, the proposed CORI regulations set out stringent standards relating to the storage of CORI. 803 CMR 2.11. It is unclear from the proposed regulations whether this provision applies only to CORI received from DCJIS or criminal history information obtained by an employer from any source. The proposed regulations require that all hard copies of CORI be stored in a separate, locked and secure location, such as a file cabinet. Employers must limit access to the locked and secure location to employees who have been approved by the employer to access CORI. 803 CMR 2.11(1). Accordingly, CORI information will need to be segregated from all other personnel record information and the employer will need to clearly designate who is permitted access to this information.
With respect to electronically-stored CORI, an employer must password protect and encrypt all CORI. In addition, the employer must limit password access to only those employees whom it has approved to access CORI. 803 CMR 2.11(2). The proposed regulations also prohibit employers from using "public cloud storage" methods to store CORI, although what constitutes "public cloud storage" is not defined. 803 CMR 2.11(4).
Retention/Destruction of CORI Records
No entity may maintain a copy, in any format including electronic, of criminal offender record information obtained from DCJIS for more than seven years from the last date of employment or from the date the employer makes a final decision regarding the subject, whichever is longer. M.G.L. c. 6, § 172(f). Although the statutory language specifically limits this requirement to "criminal offender record information obtained from the department," the proposed regulations refer to an obligation not to retain "CORI" for more than the specified 7-year period. Id.; 803 CMR § 2.11(3). Accordingly, there is some ambiguity as to whether this requirement applies only to information obtained from DCJIS or to all criminal history information obtained from any source. Employers should evaluate their document retention/destruction process in light of this new requirement.
The proposed regulations also address the methods an employer must use to destroy CORI in its possession. Similar to the federal Fair and Accurate Credit Transactions Act (FACTA), employers are required to destroy all hard copies by "shredding or otherwise" prior to disposal. 803 CMR 2.12(1). With respect to electronic copies, employers must delete all copies from the hard drives on which the information is stored and from any system used to back up the CORI information. 803 CMR 2.12(2). Additionally, an employer must appropriately clean all information by electronic or mechanical means before disposing of or repurposing a computer used to store CORI. 803 CMR 2.12(3).
Penalties for Violations of the CORI Law
The law establishes a criminal record review board (CRRB) within DJCIS that can hear complaints and investigate incidents alleging violations of the CORI law, including allegations that an employer failed to provide an individual copies of his criminal record prior to questioning the individual about the record or in deciding to take adverse action based on the record. The CRRB's authority includes, but is not limited to, the ability to issue summonses to compel the attendance of witnesses, require employers to produce documents, and conduct hearings. In the event that an employer is found to have violated the statute, the CRRB may impose civil fines up to $5,000 for each knowing violation. The CRRB may also refer a complaint for criminal prosecution. M.G.L. c. 6, § 168(b).
Certain violations of the CORI law can carry criminal sanctions for an individual or an entity, including: (i) knowingly requesting, obtaining, or attempting to obtain criminal record information from DCJIS under false pretenses; (ii) knowingly communicating or attempting to communicate criminal record information to any other individual or entity not in accordance with the law; (iii) knowingly falsifying criminal record information; and (iv) requesting or requiring a person to provide a copy of his or her own criminal record except as authorized by the law. A conviction for these crimes is punishable by imprisonment for not more than one year and/or a fine of not more than $5,000 for each offense. In the case of an entity that is not a natural person, the amount of the fine may be up to $50,000 for each violation. M.G.L. c. 6, § 178.
Finally, individuals also have a private right of action available to them which provides for actual damages, plus attorney's fees and costs. In addition, if the individual can establish that the violation is willful, he is also entitled to exemplary damages in the amount of $100 to $1,000 for each violation. M.G.L. c 6, § 177. This is similar to the damages available for violations of the FCRA, except that punitive damages are not specifically identified.
Audits by DCJIS to Ensure Compliance
The CORI law states that certain information maintained by an employer with respect to CORI shall be subject to audit by DCJIS. M.G.L. c. 6, § 172(c), (f). The proposed regulations set forth the employer's obligations with respect to responding to an audit and the authority of DCJIS to conduct such audits. The proposed regulations require employers to respond to, and participate in, audits conducted by DCJIS. Failure to cooperate or respond may result in immediate revocation of CORI access. 803 CMR 2.22(2)(a). In addition, DCJIS may also initiate a complaint with the CRRB against an employer for failure to respond or participate in an audit. 803 CMR 2.22(2)(d).
During an audit, an employer is obligated to provide DCJIS with access to inspect certain CORI-related documents, including, but not limited to: (i) completed CORI Acknowledgment Forms; (ii) secondary dissemination logs; (iii) the employer's CORI policy; and (iv) documentation of adverse employment decisions based on CORI. 803 CMR 2.22(3). During an audit, DCJIS will assess whether an employer is in compliance with the CORI law and regulations, including, but not limited to, whether: (i) the employer is registered for the appropriate level of CORI access and provided DCJIS correct registration information; (ii) the employer is properly completing and retaining CORI Acknowledgment Forms; (iii) the employer is properly requesting CORI; (iv) the employer is properly storing and safeguarding CORI; (v) the employer is properly maintaining a secondary dissemination log; (vi) the employer is screening only those individuals permitted by law; and (vii) the employer has a CORI policy that complies with DCJIS requirements. 803 CMR 2.22(4). Audit results may be published by DCJIS. 803 CMR 2.22(5). If you are contacted about an audit, we urge you to seek legal counsel before responding.
If DCJIS determines that an employer is not in compliance with statutory or regulatory CORI requirements, it may initiate a complaint with the CRRB or refer the audit results to state or federal law enforcement for criminal investigation. 803 CMR 2.22(6), (7).
Defenses to Claims of Negligent and Discriminatory Hiring if Criminal Record Information is Obtained From DCJIS
The law contains some protections for employers related to their use of and reliance on CORI records, provided that the employer made an employment decision within 90 days of obtaining the criminal record information and followed the procedures for verifying the subject's identity as required by the statute. M.G.L. c. 6, § 172(e). First, employers will not be liable for negligent hiring where the employer relied solely on criminal record information obtained from DCJIS and did not perform additional criminal history background checks, unless otherwise required to do so by law. Id. Second, employers will not be liable for failure to hire a person on the basis of a CORI report that contains erroneous information provided by DCJIS, if the employer would not have been liable if the information had been accurate. Id.
Employers should be aware that the Massachusetts Fair Employment Practices Law does not expressly prohibit employers from refusing to hire individuals or taking adverse action based on information contained in an individual's criminal record. Some have asserted that state and federal discrimination laws may provide a cause of action where an employer's screening practices have a disparate impact on individuals in a protected classification, however. As set forth above, the law does make it an unlawful practice to ask current or prospective employees to furnish certain criminal information on a written application or in response to an oral inquiry or to take adverse action against an individual based on information obtained in violation of this provision. M.G.L. c. 151B, § 9.
Given the broad scope of the new CORI law and proposed interpretive regulations, Massachusetts employers and employers outside of Massachusetts seeking criminal history information about applicants or employees in the Commonwealth would be wise to review their background screening policies and procedures relating to how criminal history information is obtained, stored, retained, disseminated and used.