In this issue:
- Curtailing the Use of Credit Checks in the Hiring Process – Employers Beware! by Tina M. Maiolo, Esq. and Joseph E. Hainline, Esq.
- Security Breaches and Cyber Liability by Paul J. Maloney, Esq. and Kristine M. Ellison, Esq.
- Are Property Owners Liable for Criminal Acts by Third Parties? by Tracy Scott, Esq.
Curtailing the Use of Credit Checks in the Hiring Process – Employers Beware!
By: Tina M. Maiolo, Esq. and Joseph E. Hainline, Esq.
Employers of all kind understand the costs associated with making an uninformed hiring decision. The risk of negligent hiring, among others, serves as a rational basis for an employer’s desire to utilize various pre-employment screening procedures in an attempt to thoroughly evaluate prospective employees. At a minimum, employers want to know the type of person with whom they are dealing prior to entrusting them with business making decisions. Despite these valid concerns, the modern trend among lawmakers and regulating agencies is to disfavor blanket pre-employment screening policies that do not consider the type of job the applicant is seeking. In light of this growing trend, employers’ interests in vetting prospective employees must defer to state and federal laws regulating this practice.
Recently, the EEOC and many state legislatures have sought to reign in employers’ use of credit checks during the hiring process. It is alleged that this practice, when conducted without regard to the type of job the applicant seeks, negatively affects minority groups more so than others. As a result of this alleged disparate impact, employers conducting such checks must proceed with caution. See infra.
This article will highlight the status of the law in Maryland, District of Columbia, and Virginia with respect to an employer’s use of a job applicant’s credit report for pre-employment screening purposes.
Direction of the Law and Current EEOC Guidelines:
As of December 2011, there were sixty one bills in twenty nine states and the District of Columbia that were introduced or pending in the 2011 legislative session seeking to prohibit or restrict the use of credit information in an employer’s hiring decision. Heather Morton, Use of Credit Information in Employment 2011 Legislative Session, Nat’l Conf. of State Legislatures (Dec. 19, 2011) available at http://www.ncsl.org/issues-research/banking/use-of-credit-information-in-employment-2011-legis.aspx. Currently, there are seven states that have laws in place limiting an employers’ use of credit information in the pre-employment screening process; California, Connecticut, Hawaii, Illinois, Maryland, Oregon and Washington. Id.
In comparison, as of December 2009, the total number of states that had introduced or passed legislation on this issue was fourteen. Heather Morton, Use of Credit Information in Employment 2009 Legislative Session, Nat’l Conf. of State Legislatures (Nov. 24, 2009), available at http://www.ncsl.org/issues-research/banking/use-of-credit-information-in-employment-2009-legis.aspx. There is also a proposed federal bill, the Equal Employment For All Act, H.R. 3149, that was introduced to Congress in 2009, but has since stalled in the House Committee on Financial Services. H.R. 3149, 111th Cong., 1st Sess. (2009).
On October 20, 2010 the EEOC held a public meeting to discuss the use and impact of conducting credit history checks during the pre-employment screening process. It was alleged, and the EEOC appeared to agree, that such use, without being justified by a business necessity, has the potential to have a disparate impact on protected minority applicants. Such a disparate impact, if proven, would be a violation of Title VII of the Civil Rights Act of 1964. 42 U.S.C. § 2000e et seq.
On April 25, 2012, the EEOC was scheduled to vote on updated enforcement guidelines concerning the use of credit history information in the hiring process, but it failed to do so. Despite the EEOC’s failure to update their guidelines, the clear trend is to restrict employers from engaging in this practice. Currently, the EEOC sets forth the following guidelines:
“Inquiry into an applicant’s current or past assets, liabilities, or credit rating, including bankruptcy or garnishment, refusal or cancellation of bonding, car ownership, or bank accounts generally should be avoided because they tend to impact more adversely on minorities and females. Exceptions exist if the employer can show that such information is essential to the particular job in question.” EEOC Laws Reg’s & Guidance, Prohibited Practices, Pre-Employment Inquiries and Credit Rating or Economic Status, available at http://www.eeoc.gov/laws/practices/inquiries_credit.cfm.
Maryland Law Limiting the Use of Credit Reports in Pre-Employment Screening:
On October 1, 2011, the Maryland Job Applicant Fairness Act, Md. Code Ann., Lab. & Empl. § 3-711, went into effect. The law generally prohibits most employers from using credit reports or history to deny employment to a job applicant.1 Md. Code Ann., Lab. & Empl. § 3-711(b)(1).
There are, however, two important exceptions to the general prohibition. First, the law does not apply to employers who are federal, financial institutions; credit unions approved by the Maryland Commissioner of Financial Regulation; investment advisors registered with the United States Securities and Exchange Commission; or otherwise required by Federal of State law to check credit reports of job applicants. Id. at § 3-711(a)(1-4). Second, the law does not preclude employers from using credit reports in pre-employment screening if they have a “bona fide purpose” for using the information that is “substantially job related” and “disclosed in writing to the . . . applicant”. Id. at § 3-711(c)(1)(ii)(1-2).
An employer has a “bona fide purpose” that is “substantially job related” if the job applicant is seeking a position that is, managerial in nature; involves access to customer, employee, or employer personal information; involves a fiduciary responsibility regarding payments, money, or contracts; would have an expense account; or would have access to trade secrets or other confidential business information. Id. at § 3-711(c)(2)(i-v).
A violation of this statute subjects an employer to a civil penalty of up to $500 for a first violation and up to $2,500 for a repeat violation. Id. at § 3-711(d)(4)(i).
District of Columbia Proposed Legislation:
In 2011, District of Columbia Councilmember Jim Graham reintroduced legislation that would prohibit a prospective or current employer from using information in a credit report as the basis for a negative employment decision. D.C. B19-38, Equal Access to Employment for All Act of 2011 (Jan. 28, 2011). Similar to the Maryland statute, the proposed legislation is not a blanket prohibition against employers’ use of credit history in the hiring process. Prospective employees seeking a position requiring national security or FDIC clearance; with a State or local government agency which otherwise requires use of a consumer report; that is managerial in nature at a financial institution; or when otherwise required by law, may be subject to a credit check during the hiring process. Id. at B19-38(c)(1-4).
This bill is currently pending.
As of the date of this article, Virginia has neither a law nor a proposed bill prohibiting or limiting the use of credit reports in pre-employment screening. Virginia employers, however, must be mindful of the provisions of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., when using a credit report to aid them in the hiring process. Federal law requires, inter alia, that an employer first obtain written authorization from an applicant before conducting a credit check. Further, if an employer makes an adverse employment decision based in whole or in part on the applicant’s credit report, the employer is required to provide pre-adverse action notification to the applicant and offer a reasonable amount of time for the applicant to respond. Failure to do so may subject the employer to actual and punitive damages. 15 U.S.C. § 1681m(b)(2).
What Does This Mean for Employers?:
Notwithstanding the clear trend at the state and federal level to limit the ability of employers to use credit reports in pre-employment screening, employers maintain substantial interests in thoroughly vetting prospective employees. Due to the increasing number of newly enacted and/or proposed legislation, and the very real threat of civil litigation, employers must be well versed in the laws governing this practice, as well as the EEOC’s evolving interpretation of Title VII.
For example, in 2010 the EEOC filed a lawsuit against Kaplan Higher Education Corporation “alleging that Kaplan’s use of credit history in its hiring procedures constituted a pattern or practice of unlawful discrimination.” Adele L. Abrams & Justin M. Winter, Lawyers Can Be Employers, Too, 45 Md. B. J. 22, May-June 2012. Specifically, the EEOC alleged that Kaplan’s use of credit history in its hiring process had a discriminatory impact on African-American job applicants and was neither job-related nor justified by business necessity.” Id. (citing Complaint, EEOC v. Kaplan Higher Educ. Corp., 2010 WL 5157837 (N.D. Ohio Dec. 21, 2010). Similarly, in 2011, a proposed class alleged that the University of Miami’s practice of using credit checks in the pre-employment screening process discriminated against Latinos and African Americans. The University settled these claims for an undisclosed sum. See Appolon v. Univ. of Miami, et al., No. 1:20-cv-24166 (S.D. Fla. Nov. 22, 2010).
Employers must understand that following the dictates of state statutes governing the use of credit checks may not completely insulate them from federal scrutiny. Pre-employment inquires that are not job-related may violate Title VII, according to the EEOC, due to the alleged disparate impact on minority job applicants. Id.; see Griggs v. Duke Power Co., 401 U.S. 424, 431 (1971).
The conscientious employer will ensure that their pre-employment screening procedures are limited to accessing job-related information only, absent application of one of the specifically enumerated exceptions set forth in the relevant state or federal statutory schemes. Failure to do so could, and likely will, result in state sanctions as well as costly and time-consuming litigation.
1. Maryland’s Department of Legislative Services has indicated that the law does not apply to employers that are units of the government.
Security Breaches and Cyber Liability
By: Paul J. Maloney, Esq. and Kristine M. Ellison, Esq.
In the last six months security breaches have occurred at several major businesses which possess sensitive personal information about their customers. In March, Mastercard, Visa, American Express and Discover suffered a data-security breach involving a third-party service provider Global Payments, Inc. In early June, LinkedIn, e-harmony, and CBS’s Last.fm were hacked to the extent that they directed their users to change their passwords immediately. As businesses in all industries continue to take advantage of technological developments aimed at storing their customers’ information in electronic form, they simultaneously open themselves up to claims of what is being termed “cyber liability.”
Cyber liability exposure may call for both corporations and their insurance companies to take aggressive action. The difficulties for businesses and insurance companies, however, involve not only determining the value of personal identifying information, but also estimating the actual cost to a business when this information is stolen or compromised. Looking to the online black market is unlikely to be helpful as a recent report from Bloomberg’s Tech Blog suggests that the stolen LinkedIn passwords sold for as little as $1 each. The same report contrasted that price with banking passwords which purportedly range from $15 to $850 on the black market.
Another difficulty that businesses and insurance companies face is navigating through each individual state’s law on these issues. For example, Virginia law defines “personal identifying information” as including but not limited to: “(i) name; (ii) date of birth; (iii) social security number; (iv) driver’s license number; (v) bank account numbers; (vi) credit or debit card numbers; (vii) personal identification numbers (PIN); (viii) electronic identification codes; (ix) automated or electronic signatures; (x) biometric data; (xi) fingerprints; (xii) passwords; or (xiii) any other numbers or information that can be used to access a person’s financial resources, obtain identification, act as identification, or obtain money, credit, loans, goods or services.” Va. Code §18.2-186.3(C). A recent decision in California added ZIP codes to that list. See Pineda v. Williams-Sonoma, 54 Cal. 4th 524 (2011).
Several pieces of legislation currently introduced in Congress may give nationwide guidance on what categories of information qualify as “personal identifying information.” One version of the legislation, entitled the Data Accountability and Trust Act, H.R. 1707, § 5(7)(A) defines “personal information” to mean:
an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
Of the four versions of this legislation currently introduced, two use this identical language while two others include minor differences. H.R. 1841 modifies subsection (ii) to apply to “Driver’s license number or other State identification number” while H.R. 2577 adds an additional section to specifically exclude application of this section when the identifying information is public record information. S. 1207 uses the same language verbatim from H.R. 1707.
The following subsection in all versions, however, suggests that the definition will remain subject to change by rulemaking to “accommodate changes in technology or practices” or to “accomplish the purposes of the Act,” so long as the changes “will not unreasonably impede interstate commerce.” H.R. 1707, § 5(7)(B). In this section, only one of the versions differs in its language substantially, H.R. 2577 precludes changes that would “unreasonably impede technological innovation” along with allowing a change “if the [Federal Trade] Commission determines that access to or acquisition of the additional data elements in the event of a breach of security would create an unreasonable risk of identity theft, fraud, or other unlawful conduct.” Id. at §5(7)(C)(i)-(ii).
Regardless of the potential for the definition to change, all versions of the Act are clear and in agreement on the Act’s preemptive effect once it becomes law. It will supersede any state law that “requires information security practices and treatment of data containing personal information similar to any of those required under [another section]; and . . . requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.” H.R. 1707 at § 5(6)(a). The Act states specifically that it should not be construed to limit enforcement of any State consumer protection law by any state attorney general, nor should it be construed to preempt the applicability of “(1) State trespass, contract, or tort law; or (2) other State laws to the extent that those laws relate to acts of fraud.” Id. at §5(6)(b)(2)-(c)(2). Additionally, the Act makes clear that “No person other than a person specified in section 4(c) [state attorney general] may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.”
Although navigating individual state laws on this issue poses a problem currently for businesses and their insurers, they should keep their eyes on these bills as they make their way through Congress and eventually become federal law.
Are Property Owners Liable for Criminal Acts by Third Parties?
By Tracy Scott, Esq.
Negligent security, or inadequate security litigation, is an outgrowth of premises liability law. Inadequate security cases are asserted by individuals who are injured from criminal activity on the property of a business, such as an apartment complex, shopping center, hotel and motel, and restaurant. Generally, there is no duty to protect against harm caused by the criminal act of a third party. See Hemmings v. Pelham Wood Ltd. Liab. Ltd. P’ship, 375 Md. 522 (2003). However, the law imposes a duty on property owners and managers to protect certain individuals against harm when such criminal acts are foreseeable.1 Id.
Negligent security cases adhere to the same legal concepts used in any premises liability case. Therefore, in order to recover for negligence in security, a plaintiff must establish that 1) he or she was owed a duty, 2) there was a breach of that duty, 3) that the alleged negligence was the proximate cause of the plaintiff’s injury, and 4) that there was a resulting harm to the plaintiff. See Powell v. District of Columbia, 634 A.2d 403, 406 (D.C.1993); Levy v. Schnabel Found. Co., 584 A.2d 1251, 1255 (D.C.1991). Consequently, a person is “liable to another only when he owes him some duty of care.” Lipnick v. United States, 717 F.Supp. 902, 904 (D.D.C.1989). In negligent security cases, similar to premises liability cases, the plaintiff must show and that the injury was reasonably foreseeable.
With regard to duty, the defendant’s duty to the plaintiff can vary considerably depending on how the plaintiff is classified. There are three general classifications of plaintiffs that are recognized in premises-liability cases: an invitee, a licensee, and a trespasser. While licensees and trespassers are not typically afforded any duty under the law, an invitee is owed a duty of reasonable care.
An invitee or business visitor is a person invited or permitted to enter or remain upon the property for a purpose connected with or related to the business of the occupant. Appiah v. Hall, 416 Md. 533 (2010); Baltimore Gas and Elec. Co. v. Flippo, 348 Md. 680 (1998); Sherman v. Suburban Trust Co., 282 Md. 238. A property owner owes an invitee a duty to use reasonable and ordinary care to keep the premises safe, and will be liable for injuries sustained in consequence of a failure to do so. Rhaney v. University Of Maryland Eastern Shore, 388 Md. 585, (2005); Richardson v. Nwadiuko, 184 Md. App. 481(2009); Maans v. Giant Of Maryland, L.L.C., 161 Md. App. 620 (2005); Kelly v. McCarrick, 155 Md. App. 82 (2004).
Unlike the business visitor, licensees and trespassers take the property as he or she finds it, and the owner or person in charge of the property owes no duty to keep the property in a safe condition or to warn him or her. An owner or person in charge of property only owes the licensee and trespasser a duty to refrain from willfully or wantonly injuring that person. Common examples of licensees are door-to-door salespersons, or persons allowed to walk across the property of another for a shortcut. If a “no entry” sign were posted on the lawn by the property owner in the prior example, both the door-to-door salesperson and the person using the shortcut would be trespassers.
In terms of foreseeability, whether a criminal act was foreseeable will depend on the facts of the case. Past incidents of similar criminal activity on or near the property can be viewed by the court as notice to the property owner and manager that the plaintiff’s injury was foreseeable; however, prior criminal acts do not automatically cause the property owner and manager to be liable for subsequent criminal acts. Additionally, problems such as inadequate lighting, broken locks, continuous loitering and overgrown shrubbery may signal the potential for criminal activity and may be used by the plaintiff to show that some criminal act was foreseeable based on poor safety measures. These safety concerns also reflect negatively on property management and owners.
Maryland courts have held that once a landowner is aware of criminal activity on the premises, the property owner and manager must take reasonable measures to eliminate or correct the condition. See Hemmings, 375 Md. at 540. In Hemmings, a tenant sued the owner and manager (“landlord”) of her apartment complex after her husband was murdered in their apartment by an intruder, who broke into the apartment through a door located in a dark area behind the apartment complex. The Court of Appeals of Maryland held that a landlord has a duty to repair a known dangerous or defective condition to prevent a third-party’s attack on a tenant, and that once a landlord takes reasonable security measures to eliminate conditions that contribute to crime on the premises, it has a continuing obligation to maintain those security measures. In this case, the court noted that the landlord had provided exterior lighting at the apartment complex as a security measure and therefore had a duty to maintain that lighting adequately. Their failure to do so made them liable in the death.
Similarly, courts in the District of Columbia have held that a landowner may be liable for harm caused by the criminal act of another if the crime was foreseeable. See Sigmund v. Starwood Urban Retail VI LLC, 617 F.3d 512 (D.C. Cir. 2010); Kline v 1500 Massachusetts Ave. Apartment Corp., 439 F.2d 477 (D.C. Cir. 1970). In Kline, a seminal case establishing the foreseeability rule, a tenant was assaulted in the hallway of her apartment. The tenant sued the property owner for failing to provide adequate security. The trial court entered judgment for the landlord. On appeal, however, the court held that, because there was evidence that the landlord had notice, both actual and constructive, that tenants were being subjected to crimes in the area of the hallways, the landlord was under a duty to protect the tenant. In reaching its decision, the court highlighted that, for the period just prior to the time of the assault on the tenant, the apartment building was undergoing a rising wave of crime which established that the landlord was aware of conditions creating a likelihood that further criminal attacks on tenants would occur.
Although Virginia courts have also adopted the foreseeability standard, Virginia case law reflects that the standard is only applicable if a “special relationship” exists between the plaintiff and the defendant or between the plaintiff and the perpetrator of the crime. See Thompson v. Skate Am., Inc., 261 Va. 121, 128 (2001); Taboada v. Daly Seven, Inc., 271 Va. 313 (2006). A special relationship exists under Virginia law in the context of this article, between an innkeeper and its guests, and a business owner and its invitees. Id. In Taboada, the court reversed the trial court’s grant of summary judgment against a hotel guest suing the hotel for damages based on an assault by a third party in the hotel’s parking lot, where the proprietor was allegedly aware of multiple recent, violent crimes committed on the hotel premises but failed to take steps to protect guests. Even if a special relationship exists, Virginia courts have ruled that a landlord does not have a duty to warn an invitee unless the landlord knows that criminal assaults against persons are occurring or are about to occur on the premises which indicate an imminent probability of harm to the invitee. See Yuzefovsky v. St. John’s Wood Apartments, 261 Va. 97 (2001).
In light of the fast-growing numbers of claims made against them, property owners and managers alike need to examine their contracts, written policies, and guidelines regarding their security programs. Please contact us if you are interested in having us discuss steps you can take to help mitigate liability.
1. The duties owed by a legal owner of land, and an occupier who exercises control over the land, are the same. Restatement (Second) of Torts § 328 (1965).