New Amendment May Soon Affect FCRA Pre-Adverse Action Notice Requirements

Update: On September 12, 2018, just 10 days ahead of the date that the amendments become effective, the Consumer Financial Protection Bureau (CFPB) issued an interim final rule that includes an updated version of the publication entitled, “A Summary of Your Rights Under The Fair Credit Reporting Act.”

Fair Credit Reporting Act (FCRA) class action lawsuits against employers are reaching epidemic proportions as class-wide settlements encourage more lawyers to move into this niche practice area.1  Because most of the opinions tend to come from trial courts, definitive guidance for employers is lacking.  What’s more, the plaintiff’s bar may attempt to use a new amendment to the FCRA to argue that employers have additional duties under the FCRA’s “pre-adverse action” notice provisions (15 U.S.C. § 1681b(b)(3)).  However, on closer scrutiny, as described below, this argument appears to be “creative” at best. 

The New Security Freeze Notice

The federal Economic Growth, Regulatory Relief and Consumer Protection Act (“the Act”) made many changes to existing laws, one of which was to amend the FCRA effective September 21, 2018.  Specifically, Section 301 of the Act amends the section of the FCRA pertaining to the obligations of background check vendors (also known as consumer reporting agencies or CRAs) to take certain actions when they are notified that a consumer has been or is about to become the victim of fraud or identity theft (15 U.S.C § 1681c-1).  It adds a new subsection to Section 1681c-1 that addresses consumers’ right to obtain a “security freeze” under certain circumstances.  A “security freeze” is a restriction that prohibits a CRA from disclosing the contents of a consumer report to someone requesting the report.  The law provides for a new notice entitled “Consumers Have The Right To Obtain A Security Freeze” (“Security Freeze Notice”) to be provided in certain circumstances.2 Even if a security freeze is effective, though, the Act provides that the freeze does “not apply to the making of a consumer report for use of . . . [a]ny person using the information for employment, tenant, or background screening purposes.”  Thus, at a high level, it appears that the Act’s FCRA amendments should not impact employers.

Potential Argument Employers Must Provide Security Freeze Notice

With a skewed reading of the Act, however, members of the plaintiff’s bar may argue that the Act requires the employer to also provide the new Security Freeze Notice. The middle part of the Act’s amendments state that the Security Freeze Notice must be provided “[a]t any time a consumer is required to receive a summary of rights required under section 1681g” of the FCRA.  The section is phrased in the passive voice and does not specifically say exactly who must provide the new required notice, though the inference is CRAs, since the rest of Section 1681c-1 and the Act’s amendments concern CRA obligations.  The obvious question, then, is when is a consumer “required to receive a summary of rights required under section 1681g”?

Like Section 1681c-1 of the FCRA, Section 1681g is also directed to CRAs, not employers.  Section 1681g largely deals with CRA obligations to provide certain disclosures to consumers upon request.  Section 1681g, though, is also the section of the FCRA that empowers the Federal Trade Commission (and now Consumer Financial Protection Bureau) to create the form consumer summary of rights that employers are familiar with, entitled “A Summary of Your Rights Under The Fair Credit Reporting Act” (“Summary of Rights”).  The Summary of Rights must be provided to consumers when an employer contemplates taking adverse employment action, commonly known as the “pre-adverse action notice,” under 15 U.S.C. § 1681b(b)(3)(A)(ii)).  The argument from plaintiffs’ lawyers could be that because Section 1681g authorizes the creation of the FCRA Summary of Rights, and because the Summary of Rights is required to be provided with the pre-adverse action notice, employers, too, must now also provide the Security Freeze Notice at the same time. 

Next Steps

The better reading of the Act is that it creates no new employer obligations.  After all, Section 1681g itself does not “require” any consumer to receive the FCRA summary of rights from an employer.  And, by the plain terms of the Act, the Security Freeze Notice is only required where Section 1681g requires the consumer receive a copy of a notice of rights.  But with the backdrop of many “technical violation” class action FCRA claims pending against employers,3 the most conservative approach is for employers to consider anticipating this potential plaintiffs’ argument and including the Security Freeze Notice as an enclosure with the pre-adverse action notice, even though employers would likely be technically correct that the change in the law should not affect them.  Indeed, the last time that the FCRA Summary of Rights was changed,4 some employers faced class actions arguing that the employers had not properly updated the FCRA Summary of Rights in pre-adverse action notices, so the risk is concrete.

Other prudent measures to help mitigate the risk of liability under the FCRA include: (1) confirming that the company is using a compliant and up to date disclosure and authorization form; (2) training personnel, including recruiters, on FCRA compliance, including best practices for managing the pre-adverse action notice process; and (3) partnering with the CRA to ensure a clear understanding of how the company and CRA are complying with the FCRA with regard to any tasks the company has outsourced to the CRA, such as mailing the pre-adverse action and adverse action notices.  In addition, employers should be mindful of the ever-growing list of jurisdictions with related “ban the box” laws and ordinances.5

See Footnotes

See Rod Fliegel, Alison Hightower, and Allen Lohse, High Alert for California Employers and Employers Nationwide for the Second Wave of FCRA Class Actions, Littler Insight (Oct. 19, 2017); see also Rod Fliegel, Jennifer Mora, and William Simmons, The Swelling Tide of Fair Credit Reporting Act (FCRA) Class Actions: Practical Risk-Mitigating Measures for Employers, Littler Report (Aug. 2, 2014).

The full text of the Security Freeze Notice is:

Consumers Have the Right To Obtain a Security Freeze

You have a right to place a 'security freeze' on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.

As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer's credit file. Upon seeing a fraud alert display on a consumer's credit file, a business is required to take steps to verify the consumer's identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years.

A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

3 See, e.g., Jennifer Mora and Rod Fliegel, Ninth Circuit is the First Appellate Court to Rule on “Extraneous Text” in a FCRA Background Check Disclosure, Littler Insight (Jan. 25, 2017).

This is the second such recent change. See Rod Fliegel and Jennifer Mora, Employers Must Update FCRA Notices for Their Background Check Programs Before January 1, 2013, Littler Insight (Sept. 4, 2012).

See Rod M. Fliegel and Allen P. Lohse, Impending Necessary Ban-the-Box Updates for Criminal Record Inquiries in Massachusetts and San Francisco, Littler ASAP (Apr. 24, 2018); Rod M. Fliegel and Allen P. Lohse, San Francisco is Likely to Amend its Ban-the-Box Law, Littler ASAP (Mar. 29, 2018).

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.