Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
As privacy professionals know too well, organizations that handle personal information, especially personal information that can trigger security breach notification obligations, have an overwhelming need to screen out untrustworthy applicants from positions that permit access to such data. One tool that many organizations have used for years is straightforward enough—asking applicants to check a box in response to the following question on an employment application: “Have you ever been convicted of a crime?”
However, a legislative trend aimed at reintegrating millions of ex-offenders into the workforce has picked up so much steam over the past year that this practice is now illegal in some jurisdictions, forcing employers to rethink whether they should ask the question at all. Privacy professionals must understand the issues surrounding the “ban-the-box” movement so that they can participate knowledgeably in their organization’s inevitable re-examination of the continued viability of the criminal history questions on their organization’s job application.
The Need To Screen Out Malicious Insiders vs. The Need To Find Jobs for Ex-Offenders
A report published by Forrester Research in October 2013 documents the link between malicious insiders and data breaches. According to “Understand the State of Data Security and Privacy,” 25 percent of respondents who experienced a data breach during the 12 months preceding the report described abuse by a malicious insider as the cause. The Privacy Rights Clearinghouse Chronology of Data Breaches reports 483 data breaches between 2005 and 2013 that compromised 32,557,431 records—a startling average of 67,400 compromised records per breach—that occurred when “[s]omeone with legitimate access intentionally breache[d] information—such as an employee or contractor.”
Given the risk posed by a malicious insider and the potentially heightened risk created by someone previously convicted of identity theft and similar offenses, it should be no surprise that many employers have used criminal history to screen out ex-offenders at the earliest stages of the hiring process. Although no empirical data is available, it is possible that many ex-offenders simply refrain from applying for jobs when confronted with the criminal history question on a job application. The criminal history question also can provide a legitimate justification for terminating the employment of ex-offenders. In Rocha v. Coastal Carolina Neuropsychiatric Crisis Services the employer terminated the employment of the plaintiff after discovering that he had intentionally concealed his criminal history by responding in the negative to the criminal history question on the job application. In rejecting the plaintiff’s discrimination claims, the court concluded that his omission was a material misrepresentation that provided a legitimate, non-discriminatory reason for firing him.
While organizations clearly have legitimate business reasons for including the criminal history question on the job application, lawmakers nationwide are addressing the countervailing societal interest in finding jobs for ex-offenders. According to legislative findings by Newark, New Jersey’s City Council, 65 million Americans, or 1 in 4 adults, have a criminal record. Philadelphia’s City Council has found “that approximately one-fifth of Philadelphia’s population has some type of [c]riminal [r]ecord.” The size of the ex-offender population in the U.S. has become so alarming that the country’s top law enforcement official, Attorney General Eric Holder, announced in a speech to the American Bar Association in August 2013, “It’s clear —as we come together today—that too many Americans go to too many prisons for far too long, and for no truly good law enforcement reason.”
The Rise of “Ban-The-Box” Legislation and Other Legal Restrictions on the Criminal History Question
As of 2011, only three jurisdictions—Hawaii, Massachusetts and Philadelphia, PA—had enacted legislation, commonly referred to as “ban-the-box” legislation, that prohibits employers from asking the criminal history question on the job application. Then, in a nine-month period between September 2012 and June 2013, Buffalo, NY, Minnesota, Newark, NJ, Rhode Island and Seattle, WA, swelled the ranks. Many similar bills are pending.
This legislative trend is remarkable not only because of its accelerated pace, but also because it is highly unusual to see municipalities taking the lead in enacting legislation with such a material impact on employers.
While these ban-the-box laws uniformly prohibit employers from inquiring into criminal history in the job application, they otherwise create a complex, legislative patchwork. Massachusetts and Seattle permit an inquiry into criminal history after the initial application. In Buffalo, Minnesota and Rhode Island, employers can ask about an applicant’s criminal history at the first interview. In Philadelphia, employers must wait until after the first interview to ask about an applicant’s criminal history. Finally, in Hawaii and Newark, employers must wait until after a conditional offer of employment has been made to inquire about criminal history.
In addition to these procedural restrictions on the timing of the criminal history question, at least eleven states—California, Georgia, Hawaii, Massachusetts, Michigan, Nebraska, Nevada, New York, Ohio, Pennsylvania and Washington—and one city, Newark, impose restrictions on the substantive scope of the criminal history question. For example, California and Ohio prohibit inquiries into certain, petty marijuana-related offenses; Hawaii and Washington prohibit inquiries into criminal convictions that are more than ten years old; Massachusetts generally prohibits inquiries into misdemeanor convictions that are more than five years old, and Newark’s ordinance imposes five- and eight-year limits depending on the type of criminal history. Many of these restrictions have been enacted in the past three years.
For multi-state employers, these procedural and substantive restrictions have turned what was once a straightforward question on the employment application into an ever-expanding list of caveats and warnings to applicants from varying jurisdictions about whether they should respond to the question at all and, if so, what they should and should not disclose. In the face of this quagmire, it is not surprising that multi-state employers are starting to throw up their hands. On October 29, 2013, The New York Times reported that Target Corporation, one of the largest employers in the United States, announced it would no longer ask about criminal history on any of its job applications, not just those in the company’s home state of Minnesota where the ban-the-box law becomes effective on January 1, 2014.
Given the strong likelihood that states and municipalities will enact new procedural and substantive restrictions on the criminal history question, many employers likely will feel compelled to evaluate whether they should do the same.
Implications for Privacy Professionals
Mitigating the insider threat is a critical component of any information security program, and pre-employment screening is an effective tool towards attaining that objective. At the same time, the new legislative trend to ban the box and to impose other restrictions on the criminal history question raises the risk that an organization’s pre-employment screening program is illegal. Consequently, privacy professionals should now discuss with their colleagues in the human resources and legal departments whether the time has come to remove the criminal history question from their organization’s employment application.
While doing so may result in some increased burden as organizations are required to interview applicants whom they otherwise might not have considered because of self-elimination or criminal history disclosed on the job application, organizations still will be able to learn about an applicant’s criminal history by conducting a lawful pre-employment background check. Indeed, evaluating a candidate’s criminal history with the additional context provided by a job interview and other information learned during the hiring process should put the organization in a better position to evaluate the risk to data security posed by an applicant who is an ex-offender.
Those organizations that decide not to drop the criminal history question from their job application should take two steps to reduce the risk of liability. First, they should carefully review relevant laws in all jurisdictions where they recruit to confirm that the criminal history question as posed continues to be lawful. Second, they should closely track legislative developments, at both the state and municipal level, to make sure that their criminal history question continues to be lawful for as long as it remains on the job application.
This post originally ran in the IAPP’s Privacy Tracker blog