Understanding The Fair Credit Reporting Act
The openness of our technology has made genuine privacy impossible. With this being said, how can we be safer in the modern world? Jonathan Kraut of Net Check Investigations and Bill Stierle drill down how comprehending the Fair Credit Reporting Act can make notable differences to many. How FCRA regulates privacy has been outlined long ago by the congress. Jonathan and bill share how everyone can protect themselves from violations or risk to personal data by following the act correctly. They also touch on privacy information, permissible purpose, and correcting data. Learn more about how the integrity of the system on protecting us and companies from fake, tampered, or leaked data on today’s show.
—
Listen to the podcast here:
Understanding The Fair Credit Reporting Act
The FCRA Provides Requirements And Boundaries Regarding Background Checks And Employment And Tenant Screening
I’m here with Jonathan Kraut of Net Check Investigations, California License 215229. As a part of this show, we want to contribute to the population to understand that information is power. In the world of investigations, one of the important things is to be able to create a quality information that’s in alignment, that is legal, that follows the rule of law, as well as do things that can be used and are validated in the court of law. Jonathan, welcome to the show and I’m looking forward to get going. You have an interesting topic for us.
We do. It’s the Fair Credit Reporting Act, which is important. Every employer, every person with a credit card and a Social Security number should know what that is.
Everybody with a credit card and Social Security number need to know this? That’s like everyone. The main thing with this is that if there are seven things that we need to know about the Fair Credit Reporting Act, and we’re going to drill down into this, it seems like that’s this piece of information and having the power of this information can make a difference for people.
It’s regarding the rights of an individual and the act is supposed to protect individuals who have confidential information, which includes, in some cases your date of birth. Literally, everyone born is covered under this act.
That’s interesting because the need for safety and the need for privacy in our technology age, it’s easier to get away with things a little bit because of the openness that our technology affords us. Am I guessing that right?
Yes, our objective is to help everyone protect themselves against violations or risk to personal data and also to help employers and renter, landlords and other businesses following the act correctly so they’re not vulnerable to lawsuits and other issues.
Privacy is such an important need for us as a human being. How does that FCRA regulate privacy? What are some of the things that go into this?
In 1970, the United States Congress passed the federal act, which is called the Fair Credit Reporting Act, or we call it the FCRA. It oversees who can do what regarding transferring, disclosing or accessing private information. Every state is required by the congressional act to have a similar subordinate act of laws that follow. Every state does. Most of the states say, “We agree with the federal act and everything is fine.” A few states like California, New York, Massachusetts, and Minnesota have a little extra kick here and there and say, “In addition to the federal act, we want this or that.” Although those issues are fairly minor state by state. If you’re in a certain state, you should know what those are.
Even though we’ve got this overarching thing to regulate privacy, each state has a little different element to it if it’s affecting every person engaging in commerce. Tell us a little bit about how does the privacy information gets defined or how does this work?
For example, if you write a check, which most people don’t anymore but if you did, it has information in there. Your home address probably is printed on the check and maybe your phone number. If you use a credit card, your credit card information is protected under the act. Any commercial transaction other than cash itself and even sometimes cash. If you buy a car and they run your credit. If you are applying to rent a property and they run your background. If you want to be hired in a position and they do a screening on you. All those are related to the FCRA. Even a credit search when you go online yourself and check your own credit score, that’s regulated by the FCRA.
It’s to access consumer information and there can be breaches on these things obviously, but it’s just getting a hold of access to customer information and making sure that the privacy takes place.
Essentially, the FCRA defines what private information is and regulates the access and denial of that information.
Let’s talk about how that applies more than credit. Tell us a little bit about how this second element might work.
Number two is that the FCRA applies to more than just credit. Even though the title is the Fair Credit Reporting Act, it’s not just a credit check. A lot of people think that it is. It pertains to credit card information, for example. It pertains to employment screening and background checks where we’re going to take a date of birth and Social or where you live and find out if you have criminal records anywhere. It’s related to the protection of private information such as your name and date of birth, which is what we need to use to run a background check often. Sometimes there are other things like you want to purchase a car or vehicle and they’ll look at your creditworthiness. Are you in default? Do you have any judgments against you? Are there any bankruptcies? Are there tax liens? It has a great expansive view over all these issues. Bank account information. One thing that’s funny is a lot of times we’ve experienced a man or woman saying, “My spouse that I’m getting divorced from is hiding money. Tell me how much they have in their bank account.” We can’t do it under the FCRA. That’s very restrictive. Only under certain ways can we go in and do that without the other person’s permission.
It’s using the privately gathered information as a part of this too. It can extend to that direction too.
Remember, the credit agencies are gathering private information, like your utility bill, your credit card payments, your rent agreements or lease agreements and your business activity. It’s all privately gathered but even so, it doesn’t mean that it can be given out to anybody. It regulates who can give out what to who.
That leads us to number three. What is a permissible purpose? Tell us a little bit about this third tip to make sure that we know about it.
I alluded to the bank account access. The permissible purpose is a specific definition that basically states there has to be a reason why someone would violate or interfere with someone’s privacy. Let’s say that you’re an employer, you want to hire someone to bring them into your office setting or your business setting. You have a right to determine if the individual will enhance, detract or play safety. You have a right to do a background check because the safety of other people is important or even have clients or customers on-site. You have access to commercial information if there’s a transaction being considered. For example, renting a property, buying a vehicle or even the utility wants to know what your credits are like. That’s a permissible purpose. If there’s a commercial idea of being pursued.
Permissible purpose states there has to be a reason why someone would violate or interfere with someone's privacy. Share on XI’m looking and the fourth activated my mind a little bit, an active criminal case. That means if there’s a criminal case going on, then there are some permissible purposes to go across the privacy piece and information that might be needed, as well as some of these other six items. The commercial information and the customer’s safety through background check.
You can break the privacy piece if there’s something going on like a domestic, criminal, civil or family case is filed. You can’t go back into someone’s background or into their credit history or bank account information just because you want to. There has to be something going on that meets the permissible purpose definition.
A subpoena could do it too.
The court orders you to go and look, that’s a permissible purpose.
That would lead us to number four. Who can access the private data? Tell us a little bit about number four out of the seven. What happens with accessing it?
Once the permissible purpose is established, which is a primary step, not everybody can go in and check on other people’s stuff. What’s important here is that everyone should know that a credit reporting agency known as a CRA, Credit Reporting Agency, has the right or the availability to go in if the permissible purpose has been established. You can’t do it. You can’t go look up someone’s bank account if you’re suing them. It has to be performed by a certain agency, a CRA, that is licensed to do so.
It sounds like there are other agencies also that they can do it too.
Private investigator firms are licensed. The Credit Reporting Agencies are licensed. There are other entities. Law enforcement agencies can do this. Financial institutions can do this. When there are commercial transactions, there’s something called a due diligence search to make sure the person is who they are sure. The Social belongs to them, that the credit line is there and it’s available. There’s no way of releasing money. When you have this observation of a third party’s private data, there has to be something signed or communicated that memorialized with this. For example, if an attorney calls me and says, “Go look and see what bank accounts you find on this person. I’ve got a case.” He’s now established permissible purpose, but I want him to send that to me by email. I have something in writing or a client will sign a release of their own information that I can go and look at this stuff, even though I can just go on the computer and look at it. My license says I can go get it. I’ve got arrangements with different database companies that say, “You’re licensed. You can look at it,” I still have to have something signed or created that I can put in the file and say, “Here’s my permission to access.” That’s separate from defining permissible purpose.
As I think about this access to private data, it gets me to understand there are people that can’t do it. Family, the curious, potential daters, neighbors. You can’t get access to it. It has to be through these certain institutions.
I’ll give you two examples of what the FCRA protects from happening. Let’s say that a mother-in-law doesn’t like her son-in-law. She says, “I’m the mother-in-law. I have a right to know all about his credit, his finance, his properties, his liens and judgments. I have the right to know everything about him. I want to know about all these things.” That’s not meeting permissible purpose. There’s no case filed. There was no case being considered, so we have to say no. Even if the daughter knew about it, it probably wouldn’t matter. She’s married to the guy, so what?
Another example is we had a guy who said, “I think my neighbors are drug dealers. I want to know everything about them. Give me their names, dates of birth and Social. I want to know who their family members are. I want to know where they work. I want to know what cars they own and drive. I want to know about their bank accounts.” He’s a neighbor. Law enforcement can do that. If there’s a civil or criminal case, we could do that. If he’s curious and he wants to know doesn’t mean we have the right to go invade a third person’s privacy and just provide him data. He was very disappointed when we told him no.
That’s bad news but he’s still trying to get his need for either protection or truth met.
If we run a database search using a credit agency, all the credit agencies have ways that licensed investigators can go and tap into that. We can’t just take their word for it. If they say there’s a lien in judgment in a county, in some state, we’re going to go with a county and check and make sure it’s not a mistake. If they find a criminal case, there’s a case number, we can’t assume that there was a conviction. We have to go in with the local law enforcement agency or county clerk and check and make sure. We just can’t assume that we put in a name, get a data report and that it’s accurate. We’ve got to verify that independently to make sure it’s true, which applies to liens and bankruptcy. We’ve got to go back to the source. A lot of times the information is not true. It protects the consumer, the renter or the job applicant from being discriminated against incorrectly. That’s what it does.
Twins, family members, mistakes by the court. The big thing is to clean up the information and how the data’s sitting there.
We have cases where someone’s coming in for a job position, maybe nothing complicated like a cashier’s job. They say, “That’s not me. That’s my twin.” The first thing we say is all right, but then they do have a twin. Once we do check it out, it was the twin. That happened. The court will make a mistake. For example, there was a case where we filed, they somehow input it as a conviction and the case was dismissed. It’s rare, but it does happen. I’d say we might do 100,000 background checks a year at our agency and maybe one a year we’ll come up with a mistake. That’s not a lot but that individual’s entitled to us giving them an opportunity to contradict it. That’s called a pre-adverse letter. The FCRA says you need to have a pre-adverse letter that says, “We might deny you from this purchase, this lease, this job because of this. You’ve got three days to let us know if you think this is an error.” Usually, we give them five or ten. We give an adverse letter that says, “You were not hired, leased or did not purchase the property because of this.” They still have more time to fix the record if it’s wrong and we’ll help them do that.
We’ll tell them what they can do. We’ll provide a copy of the report if they want it of whatever we found. We can give it to them. Maybe not to the person running the background, the lease or the credit check, which is the individual. We can give them what we have and help them fix it. We can run it again once it’s fixed and clear them. We can’t change the data ourselves. We’ve got to let the organization that has the data to do that.
This whole ability to challenge and correct the data, is that a very hard fight for people to do?
It is. The courts especially are putting in thousands of cases a day. In LA County, the county processes 10,000 criminal cases a week. There’s bound to be a mistake. Nobody knows who put in the data wrong. You need to show up with your driver’s license at the window and say, “Here’s what this credit reporting agency found on me, their PI firm, you can call them. Is it accurate? It’s not accurate. I was never arrested and convicted.” You’ve got to fight with the court a little bit. Credit agencies, you can send them by email or request to remove something. It takes a few weeks or a few months, but if you don’t fix it, it will still be there and that’s not fair.
You can't go back into someone's background or into their credit history or bank account information just because you want to. Share on XOur PI firm and this is like a joke, two weeks before Valentine’s Day, early February, we get lots of phone calls from mostly men that say, “I’m trying to find so-and-so. I lost their information. Can you tell me where they live or where they are?” I don’t know why Valentine’s Day, but they’re trying to reconnect with somebody. The first thing we do is we say, “Even if we find them, we have to have them contact you. We can’t tell you where they are. If they want to reach out to you, they can.” Typically we get a hang-up and we never hear from them again. They’re shopping every PI firm in the state trying to find one that will do it. We all know we can’t do that. What we can do is we can find an individual and then have them contact the person if they want to. We stay out of it. We cannot even tell the inquiring person if we found them or not. We’re going to be completely quiet on that and say, “We didn’t find that person.” They’re going to pay the fee and not get a refund because we’re going to do the work. They’re not paying for an address, they’re paying for the search. There are times where we find the person and they say, “We have a restraining order against this guy from doing it and will you provide us his information so we can prosecute him?” We do.
The stalking or the secret most romantic person, it backlashes on them if they come and ask you because the big part of the Fair Reporting Act is about protection and privacy.
If somebody violates an order of protection or restraining order and we are a party to that and we understand what’s going on, that request is a violation of that court order. We’re going to cooperate with the victim, even if the abuser paid us to find them. They didn’t disclose to us that they’re not allowed to do it. We’ve had a few cases like that where we go testify and say, “This guy called us. Here’s his email, here’s the information he provided, here’s his payment.” We found the person and they said, “This guy has an order against doing that,” and we help prosecute. If someone’s out there and wants to do that, PI firms are not the way to do it. We’re not going to help you.
The proper way to do this, especially an employer hiring somebody, is to do every two years, maybe every year, a recheck. It should be automatically done on everybody let’s say the second anniversary of their employment and you’re not targeting as an employer a certain person you don’t like. You can’t pick them out and say, “This person has something on them. I’m going to find out if they do and let them go.” You’ve got to check everybody fairly and equally under the same policy. What we’re doing is reverifying information. The FCRA forbids certain targeted activity and is trying to protect the rights of everybody equal.
When there’s a release of information, it’s predetermined. Tell me what are the predetermined qualities of this releasing information?
This applies to employment. You want their background check agreement as an employer to make sure that they have permission to routine re-verification and rescreening built into their initial agreement. Let’s say if you hire someone at the pharmacy and they’re convicted of embezzlement and drug fraud in another state after they were hired. A live scan only handles the one state you’re in. You would not, as an employer, know that they were convicted in another state. Let’s say it’s across the river. We want to rescreen that person probably every year and we find it. You want to have the employee’s permission to do so without having them re-sign an agreement every year to do it.
Let’s say that you have an apartment building and there are children there. Is it reasonable to determine if your potential renter has child abuse charges against them or is a sexual predator? It’s reasonable. You want to look for that. Let’s say you’re in a retirement home. Is it reasonable to make sure that the person that you bring in as an employee is not guilty or suspected of frequent elder abuse? It’s reasonable. You want to try to take a measure that matches what relates to the requests. The request is for safety and privacy or for financial stability. You want to look in that area and not just do a basic search or a data search that has a broad scope that’s not specific.
That definitely leads into the periodic rescreening, the signing of the report and to these other items that you’re having here. There are a lot of failures that are possible if the employer or the individual doesn’t know how this is going to take place.
Ideally, the CRA, which in our case would be the PI firm, would have an individual sign the report so that one it’s admissible in the court. If you have a printout and you printed it, you can’t bring the computer into court and testify. You want an individual design report or at least email with their name on it that says this is the report so that we can go back and ask that person what happened or how did you do the search? The issue is through our federal state and other issues related to reputation to damages like, “I was not allowed to be hired in a position and they turned me down. I didn’t have a chance to challenge it. I didn’t have a CRA contact to call and talk to them about it. You didn’t provide me a report. I asked for it. You didn’t verify the information you found in a database at the site because it’s inaccurate. I never got a pre-adverse letter or adverse letter.” Data breaches, for example, providing private information without permissible purpose through someone other than a CRA could be considered a crime. Sometimes there are civil consequences as well or restricting someone’s rights under the Fair Credit Reporting Act could be a crime and have civil consequences.
There’s a little bit of subjectivity, but the objectivity to it is that here’s how you color between the lines. That’s a big part of our talk around these seven different things in order to talk about FCRA in a way that’s supportive to the audience.
It’s a protective act. When it was first drafted in 1970, no one knew how big the internet and the flow of information would be. Nobody knew about data breaches, scamming and all that stuff going on. It’s evolved into a great mechanism to protect people to provide rights, limit and restrict access of information. It very cleanly defines a lot of these things that without it, we would be in chaos.
If somebody brings in chaos to your work, you’ve got to have some remedy or some evidence to work with it. It sounds like having a licensed person is to get this established permissible purpose in place with your CRA. Have the signed document on file to keep a confidential copy of the report that you’re protecting. Allow for corrections with different individuals so you can broaden the perspective. Finally, good procedures allows the focus on service, not lawsuits. It’s a very subtle shift. How can I provide service to the clients and customers by doing some form of due diligence and moving forward?
They just walk through the process. The seven steps that we talked about defined what it is, who can do it and what you need to do it. What does it look like when it’s right? What does it look like when there are issues? How do you resolve it? Doing those things will allow an organization to do the work that they’re designed to do, either as a service company, manufacturing, production or even farming. Whatever it is that you need to do, do that. Don’t be strapped by lawsuits. Hopefully, our explanation will help avoid making decisions that are not thought out or that are illegal.
We invite anyone with questions that wants more definition. Obviously, this is a broad overview. I’m not an attorney but after 30 years, I feel like I have a good handle on it. The old joke, there are two attorneys and three answers but still, the guidance that was provided is a good starting point. Anything specific that a client may want to or someone may have a question, call us. If we don’t know, we’ll find out. There are some things that are pretty complex and we need help too. We want to do that and we want everyone to remember that Information is Power. Good decisions start with great information. We’re a resource for everyone, even if it’s just a phone call. We like to help. We want everyone to be treated fairly to be safe, to be prosperous.
The guidelines to get that. If we live all by this, it will tend to go better. Jonathan, this has been wonderful to go through this with you. I can’t wait to go over the next piece that can make a big difference for us. Any ideas on that topic about what you’d like to talk about next?
What we do is we put out episodes based on what clients are asking about. We have two or three possibilities and I’m sure that in time we’ll cover them all.
I look forward to the next step of our journey here on getting the Net Check Investigations information out to the world, as well as providing great service to the reader and to the fellow employees. That sounds wonderful.
Thank you, Bill.
Thanks.