As part of Governor Baker’s continued push for CORI reform, the Secretary of State recently issued a number of revised regulations governing the CORI background check process. These regulations, propagated by the Massachusetts Department of Criminal Justice Information Services (“DCJIS”), require that employers revisit their CORI policies, forms, and procedures to ensure continued compliance. The following regulatory changes are of particular relevance for employers:
- Employers may now store CORI reports and acknowledgement forms on the cloud. Employers must have a written agreement with the cloud storage provider, and must provide such agreement to DCJIS upon request. The cloud storage must be password-protected and encrypted.
- Employers will be required to maintain a “need-to-know” list of employees authorized to access CORI reports. Employers must update the list “periodically,” but not less than every six months, and must make the list available to DCJIS upon request. Employers may also disseminate the list to the CORI subject upon request.
- Employers are now required to destroy CORI acknowledgment forms as well as the CORI reports themselves. Specific guidelines for the destruction of CORI documents are addressed in the revised regulations.
Expanded Employee Protections:
- The definition of employee has been expanded to include subcontractors, contractors, and vendors. This very expansive definition of employee places these regulations at odds with the definitions of employee found in other state and federal laws.
- CORI will no longer include information about convictions before age 18, unless the person was adjudicated as an adult.
- Before an employer may ask an employee questions about – or make an employment decision based upon – information contained in the CORI, the employer must still provide the employee with a copy of their CORI report, but it must now also disclose the source of the problematic criminal history information.
- The CORI regulations continue to require employers to verify the identity of the subject of the background check. However, the regulations now require employers to verify using photo identification whenever possible. Tribal documents and “other forms of documentation as determined by the DCJIS” are now acceptable forms of identification, and, where proper photo identification is lacking, employers may now verify the subject’s identity using a birth certificate or social security card.
- When renewing the annual CORI acknowledgement form, employers must re-verify the subject’s identity, unless the information on the new acknowledgement form “exactly matches” the information from the previous form. Depending on how much risk they are willing to tolerate, employers may choose to simply re-verify all identifications annually.
- Employers may now run a subsequent background check, prior to the expiration of the CORI acknowledgement form, without providing 72 hours of advance notice to the employee. However, in order to do this, employers must notify the employee in the initial acknowledgement form, at the time of signing, that a subsequent check may be run prior to the form’s one-year expiration.
- Employers may now collect CORI acknowledgement forms electronically, and as early as the application process. Note that employers collecting acknowledgment forms electronically are subject to the same record-keeping requirements as employers who obtain hard-copy forms.
- The DCJIS removed its own requirement to provide a model CORI policy on its website, while simultaneously codifying the requirement that it maintain model acknowledgement forms on its website. The purpose of these two actions is unclear, but the model CORI policy is still currently available here.
- Employers utilizing Consumer Reporting Agencies (”CRA”) will face additional registration hurdles before the CRA can run CORI on the employer’s behalf. Additionally, employers are now required to furnish a statement to the CRA if the position for which the subject is being considered has a salary of over $75,000.
- Going forward, all users must sign a yet-to-be-released iCORI Agency Agreement to access to the online iCORI system. While the full contents of the Agreement are not yet known, at a minimum it will require employers and their agents to: comply with CORI laws and regulations; maintain an up to date “need-to-know” list (as described above); provide all staff that request, review, or receive CORI reports with CORI training materials; request only the level of CORI access authorized by law or the DCJIS; and to acknowledge that both the entity and individual employees may be liable for violations of CORI laws or regulations.
In light of these changes, employers should revisit their CORI policies, forms, and procedures to ensure they are compliant with the new regulatory scheme.