Employers taking advantage of increased access to criminal offender record information must comply with strict information-dissemination and recordkeeping guidelines.

The final slate of changes implemented by the 2010 Massachusetts Criminal Offender Record Information (CORI) reform legislation—signed into law by Governor Deval Patrick on August 6, 2010—will take effect on Friday, May 4, 2012. Like the “ban the box” provision implemented in 2010 that prohibited employers from asking about an applicant’s criminal history on an initial employment application, a number of the soon-to-be-effective requirements impact Massachusetts employers that seek criminal records information or conduct criminal background checks. In addition to the law, the Department of Criminal Justice Information Services (DCJIS), the state agency responsible for administering the CORI statute, appears poised to issue final regulations, as the comment period for the proposed regulations ended on April 19.  

Changes to CORI Access

The 2010 CORI reform provides greater access to criminal record information maintained by DCJIS. Before May 4, 2012, an employer had to be certified by DCJIS to receive CORI from the state agency. Beginning May 4, once they have registered with DCJIS, all employers will have “standard access” to CORI for current and prospective employees, including full- and part-time employees, contract employees, interns, and volunteers. See Mass. Gen. Laws ch. 6, § 172(a)(3) (2012). Standard access will allow employers to view (i) all pending criminal charges, including cases continued without a finding of guilt until such charges are dismissed; (ii) all felony convictions for 10 years following the date of disposition or release from incarceration, whichever is later; (iii) all misdemeanor convictions for five years following the date of disposition or release from incarceration, whichever is later; and (iv) all convictions for murder, voluntary manslaughter, involuntary manslaughter, and sex offenses punishable by a term of incarceration in state prison, unless such conviction has been sealed. In the event that any criminal conviction qualifies for inclusion in a CORI report pursuant to these criteria, an individual’s prior misdemeanor and felony conviction record also will be available, regardless of when the conviction or convictions occurred. See Mass. Gen. Laws ch. 6, § 172(a)(3) and (a)(30)(b). The regulations also set forth additional levels of access for employers with statutory obligations (such as the Department of Early Education and Care, long-term care facilities, children’s camps, and schools) to evaluate more extensive criminal records.  

Requirements for Employers Accessing CORI

In addition to annual registration, employers must comply with certain procedures when obtaining CORI. Employers must obtain a signed CORI Acknowledgment Form from affected candidates or employees. Employers must also verify the subjects’ identities by examining their government-issued IDs.  

Any employer that conducts more than five criminal record checks per year must maintain a written CORI policy regardless of whether CORI itself is utilized. This policy must be given to each individual against whom an employer takes an adverse employment action based on CORI. Employers considering taking adverse employment actions based on CORI must also comply with state and local laws and regulations; notify the subject in person or by telephone, fax, or electronic or hard copy correspondence of the potential adverse employment action; provide the subject with a copy of his or her CORI; identify the information in the CORI that is the basis for the potential adverse action; provide the subject with the opportunity to dispute the accuracy of the information contained in the CORI; provide the subject with a copy of DCJIS information regarding the process for correcting CORI; and document all steps taken to comply with these requirements. See 803 Mass. Code Regs. § 2.16 2012).

Employers that utilize CORI also must adhere to strict information-dissemination and recordkeeping guidelines. Employers only may share CORI among individuals in the organization with a need to evaluate the information in making an employment decision. Employers must also maintain a dissemination log for one year from the date they disseminate criminal history information outside their organizations. The log must include the subject’s name; the subject’s date of birth; the date and time of dissemination; the name of the person to whom the CORI was disseminated along with the name of the organization for which the person works, if applicable; and the specific reason for the dissemination. See id. Finally, employers may not retain CORI for more than seven years from the date of a subject’s initial employment (or the employer’s employment decision). While CORI is retained, it must be securely stored, with access limited to authorized personnel only.

Use of Credit Reporting Agencies

Although the revised CORI statute does not address the use of third-party credit reporting agencies (CRAs), the proposed regulations address CRAs’ access to CORI. When using a CRA to obtain criminal record information on individuals, employers should keep in mind that the use of a CRA does not release an employer from complying with the registration requirements. Indeed, a CRA requesting CORI on an employer’s behalf will need to provide that employer’s registration number before DCJIS will disseminate the requested CORI.

Often, CRAs will obtain criminal information from sources other than DCJIS. In these instances, the law does not require the CRA or the employer to register with DCJIS. However, the law does require employers and CRAs taking adverse employment actions based on this information to adhere to notice and due process procedures similar to those of the Fair Credit Reporting Act.


It is still unclear when DCJIS will issue its final regulations and what form the regulations will take. Until that time, employers should proceed in compliance with the law and regulations as proposed.