Category Archives: Privacy Rights

Employers Are Required to Use New Fair Credit Reporting Act (FCRA) Forms Beginning January 1, 2013

Employers must begin using new Fair Credit Reporting Act (FCRA) forms no later than January 1, 2013.  The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 transferred FCRA rulemaking authority from the Federal Trade Commission (FTC) to the newly created Consumer Financial Protection Bureau (CFPB).

The FCRA regulates employers who use background checks provided by third parties, known as Consumer Reporting Agencies (CRA), as part of the employment process.  Before an employer may obtain a background check on an applicant or employee from a CRA, the applicant or employee must be given certain information about the scope of the background check and must consent to the background check.  This is where the new forms are relevant.  The main change in the forms is that consumers must now contact the CFPB, rather than the FTC, about their rights under the FCRA.

What is confusing for employers is that the FTC’s website still has the old forms on it, and still has information about the FCRA, even though the CFPB is now the agency responsible for the FCRA and background checks.  The new forms are not easy to locate, but can be found on the government’s website at the end of a very long document.  You need to know that you are looking for Title 12, Banks and Banking Regulations, of the Code of Federal Regulations.  Go to http://www.ecfr.gov/ in order to find the forms.  Once you are at that website, find Title 12 “Banks and Banking,” and then scroll down to Part 1022, called “Fair Credit Reporting.”  The actual forms for employers and CRAs are found at Appendix K (for employers) and Appendices M and N (for CRAs).  Or you can access the new forms by using the links below.

The first of the new forms is called “A Summary of Your Rights Under the Fair Credit Reporting Act.”  Employers must provide this form to applicants and employees when issuing a pre-adverse action letter, and in some other situations.  PDFs for this form can be found here.

The second new form is called “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA.”  This form must be provided by a CRA to users of their services, like employers.  PDFs for this form can be found here.

The last new form is called “Notice to Furnishers of Information: Obligations of Furnishers Under the FCRA.”  The FCRA requires CRAs to give this notice to entities that provide information under certain circumstances, such as when a consumer disputes some information in the background report.  PDFs for this form can be found here.

Takeaways:  Employers need to make certain they are using the correct “Summary of Rights” form no later than the beginning of 2013.  Employers who fail to comply with the FCRA or to use the new forms may be subject to lawsuits for actual damages, attorney’s fees, statutory damages, and possibly punitive damages, depending upon whether the failure to comply with the FCRA was negligent or willful.

Take Privacy Seriously – Why The Anne Marie Rasmusson Case Matters to Employers

The $1 million-plus settlement in the Anne Marie Rasmusson case is a costly example of why employers need to make certain that their employees do not abuse their access to confidential information.  The facts of the case are fascinating and surprising.

Anne Marie Rasmusson, a former St. Paul police officer, filed a lawsuit against numerous Minnesota cities and police officers in March of 2012.  In the lawsuit, Ms. Rasmusson alleged that her driver’s license information was improperly accessed 425 times by 104 police officers between 2007 and 2011.  Ms. Rasmusson’s complaint asserted claims arising under 42 U.S.C. § 1983, the Driver’s Privacy Protection Act of 1994, as well as claims for invasion of privacy.

In her complaint, Ms. Rasmusson alleged that she retired as a police officer in 2003.  After Ms. Rasmusson divorced in 2007, she noticed that numerous police officers began taking an unusual interest in her and asking her for dates.  The officers appeared to know where Ms. Rasmusson lived and what kind of car she drove.  Because of these circumstances, Ms. Rasmusson contacted the Department of Public Safety and inquired whether any officers had accessed her private information.  She learned that over 100 police officers from at least 18 different departments had accessed her records over 400 times since 2007.  Upon learning this information, Ms. Rasmusson’s complaint alleges that she was “horrified” and that she “became physically ill” and “vomited.”

During discovery, many police officers who accessed Ms. Rasmusson’s data acknowledged that they did not have legitimate reasons to do so.  One supervisor admitted that he encouraged subordinate officers to look up Ms. Rasmusson’s data “because she was very attractive and so they could see that she’s changed and she’s got a new look.”

The overall theme of Ms. Rasmusson’s lawsuit was that the various police departments and officers involved allowed a culture to develop in which her private data was not protected and was routinely accessed for illegitimate reasons.

Recently, many of the parties involved in the lawsuit entered into large settlements with Ms. Rasmusson.  The City of St. Paul agreed to pay Ms. Rasmusson $385,000.  The City of Minneapolis agreed to pay her $392,000.  Various other cities agreed to pay her $280,000.  Overall, Ms. Rasmusson has already recovered settlements in excess of $1 million.  For more information about the case, click here.

Takeaways:  While most employers do not have employees who have access to driver’s license data, many employers have employees who have access to other private and confidential data – such as data protected under the Health Insurance Portability and Accountability Act (“HIPAA”), the Family and Educational Rights and Privacy Act (“FERPA”), or other records for which a reasonable expectation of privacy may exist.  The Anne Marie Rasmusson case is a somewhat unusual and extreme case, but it shows that employers who do not have strong policies and procedures in place to prevent employee abuse of confidential data may be subject to significant liability.

How To Minimize Potential Liability For Employment References in Minnesota

Minnesota law provides protection to employers who disclose certain types of information in response to requests for employment references.  If an employer stays within the confines of the statute, a current or former employee must make a heightened evidentiary showing to prevail on a lawsuit against the employer related to the disclosure.

The types of information that employers can generally disclose under Minnesota’s employment reference law without an employee’s authorization are:

  1. Dates of employment;
  2. Compensation and wage history;
  3. Job description and duties;
  4. Training and education provided by the employer; and
  5. Acts of violence, theft, harassment, or illegal conduct documented in the personnel record that resulted in disciplinary action or resignation and the employee’s written response, if any, contained in the employee’s personnel record.  (Note: For this type of disclosure to qualify for protection under the statute, the disclosure must be in writing with a copy sent contemporaneously by regular mail to the employee’s last known address).

If the employer has a written authorization from the employee, the employer may also disclose the following types of information about the employee:

  1. Written employee evaluations conducted before the employee’s separation from the employer, and the employee’s written response, if any, contained in the employee’s personnel record;
  2. Written disciplinary warnings and actions in the five years before the date of the authorization, and the employee’s written response, if any, contained in the employee’s personnel record; and
  3. Written reasons for separation from employment.

See  Minn. Stat. § 181.967.

With limited exceptions, in order to maintain a cause of action against an employer for disclosure of the above-listed information, a current or former employee must be able to prove by clear and convincing evidence that:  (i) the information was false and defamatory; and (2) the employer knew or should have known the information was false and acted with malicious intent to injure the current or former employee.

Takeaway:  Employers can minimize potential liability for employment references by limiting their disclosures to include only the information that is authorized under the statute.

Proposed Legislation Would Prohibit Minnesota Employers From Requesting Social Networking Passwords

On March 26, 2012, Representative Mary Franson proposed legislation that would make it illegal for employers in Minnesota to require applicants or employees to provide passwords or other account information related to their social networking websites.  The text of the proposed legislation is as follows:

No person, whether acting directly or through an agent, shall require, as a condition for consideration of employment, that any employee or prospective employee provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking Web site.

See H.F. 2963.

The practice of employers asking employees or applicants for the passwords to their social networking sites, like Facebook or LinkedIn, has been criticized heavily in the press recently.  Even if the proposed legislation regarding this topic does not become law, there are some circumstances under which the practice could arguably raise invasion of privacy or Stored Communications Act concerns.

Takeaways:  Even if the proposed legislation prohibiting employers from requiring employees or applicants to provide access to their social networking sites does not become law, there are potential legal risks with this practice.  As a practical matter, the practice may also lead to negative media attention for employers.  Employers should consult with counsel if they have further questions about this topic.

What Is Invasion of Privacy?

“Invasion of privacy” is an umbrella term for tort claims based on violations of an individual’s privacy rights.  The Restatement (Second) of Torts identifies four separate causes of action that qualify as invasion of privacy:  (1) intrusion upon seclusion; (2) appropriation; (3) publication of private facts; and (4) false light publicity.

Minnesota law recognizes three of the four types of invasion of privacy claims:  (1) intrusion upon seclusion; (2) appropriation; and (3) publication of private facts.  Minnesota does not recognize a claim for false light publicity.  In Lake v. Wal-Mart Stores, Inc., the Minnesota Supreme Court refused to recognize false light publicity claims because they are similar to defamation claims and because of potential tension with First Amendment rights.  582 N.W.2d 231 (Minn. 1998).  However, the Minnesota Supreme Court in Lake recognized the other three types of invasion of privacy claims and described them as follows:

  1. Intrusion Upon Seclusion:  Intrusion upon seclusion occurs when one person intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or upon his or her private affairs or concerns, and the intrusion would be highly offensive to a reasonable person.
  2. Appropriation:  Appropriation protects an individual’s identity.  This tort occurs when one person appropriates to his or her own use or benefit the name or likeness of another.
  3. Publication of Private Facts:  Publication of private facts occurs when one person gives publicity to a matter concerning the private life of another, and the matter publicized is of a kind that:  (a) would be highly offensive to a reasonable person; and (b) is not of legitimate concern to the public.

Takeaway for Employers:  Invasion of privacy claims can sometimes arise in the employment context.  Familiarity with the three types of invasion of privacy claims recognized in Minnesota should help employers avoid potential liability.

What Employers Should Know about the Supreme Court’s Decision Concerning GPS Privacy Rights

In United States v. Jones, the United States Supreme Court addressed the question of whether the government violated the Fourth Amendment’s prohibition against unreasonable searches and seizures when it attached a Global Positioning System (GPS) tracking device on a vehicle registered to a criminal defendant’s wife and monitored the vehicle’s movements for four weeks.  All nine Supreme Court justices agreed that the government’s use of the GPS device without a valid warrant violated the defendant’s Fourth Amendment rights, but they disagreed as to why.

The Trespass Analysis:  Justices Scalia, Roberts, Kennedy, Thomas, and Sotomayor determined that the installation of a GPS device on the defendant’s vehicle constituted a physical “search” under the Fourth Amendment.  Those justices held that it was unnecessary to analyze whether the defendant had a “reasonable expectation of privacy” with respect to the underbody of the vehicle where the GPS device was attached or with respect to the public roads where the defendant drove the vehicle.  They reasoned that the physical intrusion of attaching the GPS device to the defendant’s vehicle was a trespass sufficient to invoke the Fourth Amendment’s protections.  Therefore, attaching the GPS device to the vehicle without a valid warrant violated the Fourth Amendment.

The Expectation-of-Privacy Analysis:  Justices Alito, Ginsburg, Breyer, and Kagan determined that the government’s use of the GPS device violated the defendant’s Fourth Amendment rights because it violated a reasonable expectation of privacy.  While the justices stated that “relatively short-term monitoring of a person’s movements on public streets” may not violate privacy expectations, longer periods of monitoring likely impinge on reasonable privacy expectations.  Therefore, the government’s use of GPS to monitor the defendant’s movements for four weeks without a valid warrant violated the defendant’s Fourth Amendment Rights.

Takeaway for Employers:  Private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures.  However, employees of private employers could potentially cite the United States v. Jones decision in support of an invasion-of-privacy claim to argue that GPS monitoring violated their reasonable privacy expectations.  To prevent this type of claim, employers who monitor employees with GPS (whether via cell phones, company vehicles, or other GPS devices) should adopt policies to notify those employees about the GPS monitoring and that they should not have an expectation of privacy while using company property with GPS capabilities.