Sweeping Changes for Those Using Massachusetts CORI Background Checks
April 3, 2012
Effective on May 4, 2012, employers in Massachusetts will need to follow some new state regulations if they conduct criminal background checks through the state’s Criminal Offender Record Information (CORI).
The state’s 2010 CORI law created a new source for employers to access criminal records, and along with that access is a new set of rules and regulations. A “Ban the Box” provision went into effect in November, privacy and data security rules in March (these provisions apply to all Mass. employers regardless if they use CORI or not), and now the next wave, relating specifically to CORI criminal background checks, goes into effect next month.
- Employers who want to access 5 or more CORI reports annually are required to have a written policydescribing the method and use of the records.
- Safe Harbor provisions for employers who use the system.
- Written notification requirements for employers who take adverse action based on the records, including a requirement to provide the applicant with a copy of the report. This requirement is regardless of whether the employer obtains the information directly, or from a third party CRA (Consumer Reporting Agency).
- Employers using a CRA must make certifications to the CRA that it is compliant with CORI including providing required disclosures.
- Employers and CRAs must register for an account on the iCORI system, and undergo training and retraining as required.
- When employers are obtaining CORI information directly, they are required to provide consent forms for each applicant, and maintain those forms for one year from the date of signature. In addition, the employer mustverify the identity of the applicant by examining a government-issued ID, and certify that the applicant was properly identified.
- Employers are subject to storage rules, and must store copies of CORI reports in a secured, locked location with limited employee access. Electronic CORI records must be password-protected and encrypted and may not be stored using public cloud storage methods.
- Employers may not retain CORI reports for longer than seven years. If an employer disseminates CORI outside of its organization, the employer must maintain a detailed log, which must be maintained for at least one year for audit purposes. Employers may be subject to audits and complaints for failure to comply with the law.
- Penalties for violations of the CORI Law include civil fines of up to $5,000 for each knowing violation of the CORI law, and some violations may lead to criminal prosecution.
More information about this new law will be distributed as the regulations are reviewed and as guidance becomes available. Please note that employers are never permitted to require an individual to provide a copy of his or her own CORI. Also note, that unless mandated to do so, employers are not forced to use the CORI system. County criminal record searches are still allowed (and recommended).