Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

In NASA v. Nelson, government contractors at NASA’s Jet Propulsion Laboratory (“JPL”) challenged the constitutionality of certain questions asked on the government’s Standard Form 85 and Form 42. Notably, these JPL contractors were not subject to Government background checks when they were hired, but became subject to them when a shift in federal policy mandated that all contract employees complete a standard background check by October 2007 or risk being denied access to federal facilities. The JPL contractors specifically objected to SF-85’s question about “treatment or counseling received” in connection with any recent illegal drug use and open-ended questions on Form 42 which asked the contractors’ references whether they had any reason to question the JPL contractors’ honesty or trustworthiness or had “adverse information” concerning a variety of other factors.

Writing for the Court, Justice Alito explained the long history and widespread use of employment background investigations in both public and private employment, including those which became mandatory for all government employees in 1953. Justice Alito also explained that such investigations “aid the Government in ensuring the security of its facilities and in employing a competent, reliable workforce.” Recognizing that the Government’s ability to manage its operations should not turn on formalities that separate government employees and government contractors, the Court held that “whatever the scope of [the JPL contractors’ constitutional privacy] interest, it does not prevent the Government from asking reasonable questions of the sort included on SF-85 and Form 42 in an employment background investigation that is subject to the Privacy Act’s safeguards against public disclosure.” To that end, the Court expressly rejected the contractors’ argument that the Government had a responsibility to demonstrate that its job-related questions were “necessary” or the least restrictive means of furthering its interests.

While the Court’s decision addresses only government background investigations, it underscores the legitimacy of background checks conducted by all employers seeking to ensure that their offices are staffed “by reliable, law-abiding persons who will efficiently and effectively discharge their duties.” Moreover, the decision suggests that even if prospective (or current) employees have a reasonable expectation of privacy with respect to their personal information, employers can avoid liability for privacy-related claims where there is a legitimate justification for an investigation and the investigation is conducted in a reasonable manner, which includes having safeguards in place to protect against disclosure of the results to the public.

The newly-enacted law becomes effective January 1, 2011. Notably, there are a number of exceptions. For example, banks, credit unions, insurance companies, debt collectors, and a variety of other finance-related entities are exempted from the rule.  Law enforcement officers and other state or local government agencies are also exempted. The law also does not apply in a variety of other situations—when:

• State or federal law requires bonding or other security covering an individual holding the position.
• The duties of the position include custody of or unsupervised access to cash or marketable assets valued at $2,500 or more.
• The duties of the position include signatory power over business assets of $100 or more per transaction.
• The position is a managerial position which involves setting the direction or control of the business.
• The position involves access to personal or confidential information, financial information, trade secrets, or State or national security information.
• The position meets criteria in administrative rules, if any, that the U.S. Department of Labor or the Illinois Department of Labor has promulgated to establish the circumstances in which a credit history is a bona fide occupational requirement.
• The employee’s or applicant’s credit history is otherwise required by or exempt under federal or State law.

The new Illinois law appears to be aimed at protecting individuals whose credit scores have suffered as a result of the financial downturn. The new law would protect an individual who, for example, lost his or her job and was unable to pay some of his or her bills during the period of unemployment. Although an employer could currently request access to the job applicant’s credit report, see the delinquent accounts, and refuse to hire the individual based on this information, as of January 1, 2011, the employer would be prohibited from even requesting the individual’s credit report—unless one of the many statutory exceptions applies. The legislature’s creation of a private right of action and attorneys’ fees provisions signifies the importance of an employer’s compliance with this new law.

During his examination of the computer, the bailiff noticed that the computer contained a folder titled with the employee’s initials and, within it, two sub-files, one titled “personal,” the other titled with the name of the employer’s competitor. The bailiff only opened the second sub-file, titled with the name of the competitor, where he found evidence that the employee had engaged in unfair competition against the employer.

Supported by an affidavit of the bailiff, the employee was terminated for gross fault, i.e., without any indemnity. Thereafter, the employee initiated a lawsuit against the employer for violation of his privacy.

The Court of appeals found that the bailiff should not have opened the folder titled with the employee’s initials without first informing the employee or without the employee being present.

Until this case, the case law was unclear on whether folders or files located on an employee’s work computer but titled with the employee’s name or initials would be afforded privacy protection under workplace privacy laws. However in this ruling, the French Supreme Court made clear that all files created by an employee on an employer’s computer belong to the employer unless they are expressly identified as personal. By adopting this position, the French Supreme Court was consistent with the French Data Protection Agency (CNIL) which, since 2002, has advised that employees should be cautious when using their work computers for personal purposes.

This decision is most helpful in that it clearly informed French companies of the privacy rules that apply to folders and files that employees store on their work computers. If the employee has clearly identified the files as personal, the employer has no choice but to either obtain the employee’s prior consent before opening the files, or to go before a Court to get a Court injunction allowing the employer to open the files.

By way of background, on June 6, 2008, then-President George W. Bush signed Executive Order 13,465, which instructs that “Executive departments and agencies that enter into contracts shall re-quire, as a condition of each contract, that the contractor agree to use an electronic employment eligibility verification system designated by the Secretary of Homeland Security to verify the employment eligibility of: (i) all persons hired during the contract term by the contractor to perform employment duties within the United States; and (ii) all persons assigned by the contractor to perform work within the United States on the Federal contract.” President Bush also commanded that the Federal Acquisition Regulation (“FAR”), which governs the acquisition of supplies and services by all federal agencies, be amended to incorporate the foregoing requirement. Three days later, then-Secretary of Homeland Security Michael Chertoff signed a notice designating E-Verify as the electronic employment eligibility verification system to be used by federal contractors and subcontractors.

On June 12, 2008, the agencies responsible for issuing the FAR published a proposed rule to implement Executive Order 13,465 and solicited comments on the proposed rule’s text. On November 14, 2008, a final rule was published in the Federal Register with an effective date of January 15, 2009.

In addition to responding to numerous comments attacking the legality of Executive Order 13,465 and the proposed rule, the final rule explained that “[s]everal commenters suggested that E-Verify has ongoing system security problems that jeopardize the privacy and security of individuals’ personal information.” The final rule also explained that “[m]any commenters stated a concern that E-Verify’s inability to prevent identity theft leaves employers that use E-Verify vulnerable to sanctions.” Ultimately, however, the final rule rejected these privacy-related concerns. For example, the final rule asserted that “security measures in place [to protect employees’ personal information transmitted though E-Verify] include among other things both strong and limited access controls, transmission encryption, and extensive audit logging.”

On December 23, 2008, the Chamber of Commerce of the United States of America—joined by the Associated Builders and Contractors, Inc.; the Society for Human Resource Management; the American Council on International Personnel; and the HR Policy Association—filed a Complaint for Declaratory and Injunctive Relief in the United States District Court for the District of Maryland. In addition to challenging the substance of the final rule, the plaintiffs contested the Executive Order, claiming it was unconstitutional and that it was an unlawful attempt to circumvent existing immigration laws. The plaintiffs also challenged the expansion of E-Verify to require the re-authorization of existing workers.

Shortly after the plaintiffs filed their complaint, the parties reached an agreement to delay implementation of the final rule until February 20, 2009, in order to allow expedited briefing on cross-motions for summary judgment. The plaintiffs’ motion for summary judgment was filed on January 14, 2009, the same day that a notice appeared in the Federal Register delaying the final rule’s enforcement until February 20, 2009.

On January 27, 2009—one day before the Federal Government’s deadline for responding to the plaintiffs’ motion for summary judgment—the parties reached an agreement delaying the applicability date of the final rule until May 21, 2009. A notice to this effect is scheduled to be published in the Federal Register on January 30, 2009. In addition, the Federal Government filed an emergency motion with the district court asking it to stay judicial proceedings for 90 days “in order to allow the newly-inaugurated Administration of President Barack Obama to review the [regulations] at issue in this case.” On January 28, 2009, the district court issued an order granting the Federal Government’s emergency motion.

Given the significant burdens the final rule would have imposed on federal contractors and subcontractors, this most recent delay in the final rule’s enforcement represents another intermediate victory for federal contractors and subcontractors throughout the United States. In addition, the Obama Administration’s pledge to review the final rule may mean that privacy concerns raised by commenters will be given greater weight.