New Maryland Statute Further Complicates Patchwork of "Credit Privacy" Laws

by Philip L. Gordon

Maryland state sealWhen Maryland enacted its law (pdf) restricting the use of credit history for employment purposes on April 12, 2011, it became the fifth state – joining Hawaii, Illinois, Oregon, and Washington – to enact a credit privacy law. Maryland’s law transforms what was a mildly complicated compliance challenge for multi-state employers into an expanding morass. With credit privacy bills currently pending in more than twenty states, multi-state employers should expect that it will become increasingly difficult to establish company-wide policies on the use of credit history for employment purposes.

The core issue for employers who use credit checks for employment purposes (other than financial institutions which are carved out from each of the laws) is the scope of the exception to the general prohibition against using credit checks for employment purposes. At first blush, there appears to be uniformity because all five states permit employers to use credit checks for employment purposes when the check is “substantially related” to the applicant’s or employee’s job responsibilities.

The crux of the problem is the near total discordance over how “substantially related” should be defined. To begin with, the laws in Washington and Oregon provide no definition at all of “substantially related.” Oregon’s Bureau of Labor and Industry (BOLI), by regulation, defines “substantially related” to mean that an essential function of the job require access to financial information, but the regulations do not define the term “financial information.” Illinois’ law also permits credit checks for positions that “involve access to . . . financial information.” However, it is not clear whether the access must be an essential job function (as is the case in Oregon). Furthermore, Illinois narrowly defines “financial information” to mean “non-public information on the overall financial direction of an organization, including, but not limited to, company taxes or profit and loss reports.” At least as of now, employers have no way of knowing whether Oregon’s BOLI intended to define “financial information” more broadly than Illinois’ legislature.

Three states — Hawaii, Illinois, and Maryland — consider credit checks on managers or supervisors to be “substantially related” to employment, but the commonality ends there. Illinois’ law applies only to managers whose job involves “setting the direction or control of the business.” Maryland’s law appears to sweep more broadly, applying not only to those with authority over the business but also to those with authority over “a department, division, unit, or agency of a business.” Hawaii’s similar exception is even more expansive, encompassing not only the direction setters included in the Illinois and Maryland laws, but also those who have authority to “hire, transfer, suspend, lay off, recall, discharge, assign, reward, or discipline other employees” as well as those who “adjust grievances.”

As a third example, only Maryland and Illinois define “substantially related” to include positions that involve access to certain categories of sensitive information, but those categories differ between the two states. Maryland’s law includes the “personal information ... of a customer, employee, or employer,” whereas Illinois’ law includes “sensitive information of a customer or client of the employing organization,” but not of an employee. In addition, Maryland defines “personal information” to mean Social Security number, driver’s license number, financial account number, or Taxpayer Identification Number. By contrast, Illinois defines “sensitive information” to mean information that “the employer entrusts only to managers and a select few employees; or that is stored in some repositories not accessible by the public or low-level employees.” Similarly, both laws define “substantially related’ to encompass positions involving access to trade secrets and other confidential business information, but the two laws define “trade secrets” and “confidential business information” differently.

Not surprisingly, there also is no consistency among these laws in terms of their remedial schemes. Maryland’s law appears to permit only the filing of an administrative complaint and the imposition of a $500 penalty for the first violation and a $2,500 penalty for repeat violations. The remaining four states permit individuals to file an action in court. However, in Hawaii and Oregon, monetary damages are limited to no more than two years’ back pay, whereas Illinois and Washington permit an award of all actual damages caused by the violation.

Starting to pull your hair out? Just wait until a few of the pending bills are enacted into law. Although no one can predict exactly what those laws will provide, they ineluctably will broaden and deepen the credit check quagmire that Hawaii, Illinois, Maryland, Oregon, and Washington already have managed to create. Perhaps intentionally, the states are effectively forcing multi-state, and especially national, employers to address the fundamental question: Do the benefits of credit checks for employment purposes warrant the compliance burden? Given the difficulty of effectively using credit checks for employment purposes – as explained in our article entitled, “Incipient Legislative Trend Toward ‘Credit Privacy’ Compels Restraint in the Use of Credit Checks for Employment Purposes,” (pdf) BNA's Privacy & Security Law Report, Vol. 9, No. 27, (July 5, 2010) – for many employers the answer likely will be “no.”

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.