Are you using criminal background checks as part of your hiring process? If so, your use of them is subject to federal law. We can show you how to avoid some common – and dangerous – pitfalls when using background checks to safeguard your business.

Georgia law requires every employer to use “ordinary care” to ensure that its employees don’t pose an unreasonable risk of harm to others. Georgia courts have held that, at least sometimes, ordinary care will require an employer to perform a background check before hiring a potential employee. For example, in 2007 our Court of Appeals held that a home-security company that knew its salesmen would be entering customers’ homes as part of their job could be held liable for failing to run a background check on a salesman who later attacked a customer. Underberg v. Southern Alarm, Inc., 284 Ga. App. 108 (2007). Given the potential for liability, it isn’t surprising that many employers run criminal background checks on potential employees as a matter of course. But even though it might be required, running a background check on a potential hire carries its own risks if you fail to comply with applicable law governing how you procure and use background checks in the hiring process.

Before you use a background check in your hiring process, here are three things you need to know:

• Federal law governs how you obtain the background check and what you do with it;
• You have to get the potential employee’s consent before you begin; and
• You have to take certain actions both before and after you reject the potential employee.

One: Federal law applies when you run a background check on a potential employee.

Even though state law may require a company to perform a background check, federal law imposes a completely independent set of requirements. That is because of the federal Fair Credit Reporting Act (or “FCRA”). 15 U.S.C. § 1681 et seq. To judge by its name, you might think the FCRA only applies to credit reports, not criminal background checks. You would be wrong. The FCRA is worded so broadly that many other types of reports fall within its purview. The statute applies to almost any commercially prepared report about a person’s “character, general reputation, personal characteristics, or mode of living” if the report is used to determine that person’s eligibility for employment. That statutory definition includes criminal background reports. See Farmer v. Phillips Agency, Inc., 285 F.R.D. 688 (N.D. Ga. 2012).

Two: You have to get the applicant’s permission before you get the report.

The FCRA requires a company to take specific steps any time it uses a background report in the hiring process. Before you get a background check, you must:

• Tell the potential employee in writing that you intend to get a background report and get the applicant’s written permission to do so before ordering the report. And,
• Certify to the company that is providing the report that you have complied with the FCRA’s requirements that you disclosed your intent to get the report and you got the applicant’s permission before you obtained the report. You also have to certify that you will comply with the FCRA’s dispute-resolution requirements, which are described below.

Three: You have to give the applicant a chance to respond to the report before you reject the applicant, and then you have to provide additional notice once you make the decision.

Once you get the report, the FCRA controls how you use it. Before you reject an applicant based on a background report, you must give the job-seeker:

• A copy of the background report that you are relying on;
• A summary of the employee’s rights under the FCRA prepared by the federal Consumer Financial Protection Bureau (CFPB), which include the right to dispute with the reporting agency any incomplete or inaccurate information contained in the report (a copy of the summary can be found on the CFPB’s website at http://files.consumerfinance.gov/f/201410_cfpb_summary_your-rights-under-fcra.pdf); and
• Five days to raise any objection to the contents of the report.

If you have met these requirements, you can then reject the potential employee’s application. But your obligations don’t stop there. Once you have made the decision to reject the applicant, you must notify the applicant that you have declined him on the basis of the report and also provide him with:

• The name, address, and phone number of the consumer reporting agency that supplied the report (including a toll-free telephone number established by the agency if the agency compiles and maintains files on consumers on a nationwide basis);
• A statement that the consumer reporting agency that supplied the report did not make the decision to reject the applicant and cannot give the applicant the specific reasons for that decision; and
• A notice of the person’s right to dispute the accuracy or completeness of any information the consumer reporting agency furnished, and to get an additional free report from the agency if the person asks for it within 60 days.

Be aware that these requirements apply if the report has played any role in your decision to reject the applicant. The report does not have to be the only factor in your decision, or even the primary one.

If you fail to meet any of these requirements, the applicant can sue you. What’s at stake if you get sued? Potentially a lot. At a minimum, the rejected applicant can recover any actual damages that she suffered as a result of the violation. You should be aware that “damages” include the applicant’s attorneys’ fees and court costs, which often far exceed any economic damages that the applicant directly suffered. Remarkably, actual damages can also include emotional distress. So even if the applicant did not suffer any measurable economic harm, you can still face a claim for substantial damages. Even worse, if a court finds that your failure to comply with the statute was “willful,” it can impose additional penalties, including punitive damages.

These types of suits are surprisingly common – one Atlanta law firm that specializes in FCRA cases has filed over 800 of these suits on behalf of rejected job applicants. To make matters worse, any liability you face for a failure to comply with the FCRA may not be covered under your business’s general liability insurance policy. To be covered by insurance, you will almost always need a separate employment-practices liability policy, and even then you will need to confirm that your specific policy provides coverage for violations of the FCRA. At a minimum, you will need to carefully follow the procedures described in the insurance contract regarding giving notice of the claim to the insurer.

As in so many areas of the law, an ounce of prevention is worth a pound of cure. If you have any doubts about your procedures or the state of your business’s insurance coverage when it comes to the use of background checks, contact Ben Byrd at Friend, Hudak & Harris for more guidance.