As privacy professionals know too well, organizations that handle personal information, especially personal information that can trigger security breach notification obligations, have an overwhelming need to screen out untrustworthy applicants from positions that permit access to such data. One tool that many organizations have used for years is straightforward enough—asking applicants to check a box in response to the following question on an employment application: “Have you ever been convicted of a crime?”

However, a legislative trend aimed at reintegrating millions of ex-offenders into the workforce has picked up so much steam over the past year that this practice is now illegal in some jurisdictions, forcing employers to rethink whether they should ask the question at all. Privacy professionals must understand the issues surrounding the “ban-the-box” movement so that they can participate knowledgeably in their organization’s inevitable re-examination of the continued viability of the criminal history questions on their organization’s job application.

The Need To Screen Out Malicious Insiders vs. The Need To Find Jobs for Ex-Offenders
A report published by Forrester Research in October 2013 documents the link between malicious insiders and data breaches. According to “Understand the State of Data Security and Privacy,” 25 percent of respondents who experienced a data breach during the 12 months preceding the report described abuse by a malicious insider as the cause. The Privacy Rights Clearinghouse Chronology of Data Breaches reports 483 data breaches between 2005 and 2013 that compromised 32,557,431 records—a startling average of 67,400 compromised records per breach—that occurred when “[s]omeone with legitimate access intentionally breache[d] information—such as an employee or contractor.”

Given the risk posed by a malicious insider and the potentially heightened risk created by someone previously convicted of identity theft and similar offenses, it should be no surprise that many employers have used criminal history to screen out ex-offenders at the earliest stages of the hiring process. Although no empirical data is available, it is possible that many ex-offenders simply refrain from applying for jobs when confronted with the criminal history question on a job application. The criminal history question also can provide a legitimate justification for terminating the employment of ex-offenders. In Rocha v. Coastal Carolina Neuropsychiatric Crisis Services the employer terminated the employment of the plaintiff after discovering that he had intentionally concealed his criminal history by responding in the negative to the criminal history question on the job application. In rejecting the plaintiff’s discrimination claims, the court concluded that his omission was a material misrepresentation that provided a legitimate, non-discriminatory reason for firing him.

While organizations clearly have legitimate business reasons for including the criminal history question on the job application, lawmakers nationwide are addressing the countervailing societal interest in finding jobs for ex-offenders. According to legislative findings by Newark, New Jersey’s City Council, 65 million Americans, or 1 in 4 adults, have a criminal record. Philadelphia’s City Council has found “that approximately one-fifth of Philadelphia’s population has some type of [c]riminal [r]ecord.” The size of the ex-offender population in the U.S. has become so alarming that the country’s top law enforcement official, Attorney General Eric Holder, announced in a speech to the American Bar Association in August 2013, “It’s clear —as we come together today—that too many Americans go to too many prisons for far too long, and for no truly good law enforcement reason.”

The Rise of “Ban-The-Box” Legislation and Other Legal Restrictions on the Criminal History Question
As of 2011, only three jurisdictions—Hawaii, Massachusetts and Philadelphia, PA—had enacted legislation, commonly referred to as “ban-the-box” legislation, that prohibits employers from asking the criminal history question on the job application. Then, in a nine-month period between September 2012 and June 2013, Buffalo, NY, Minnesota, Newark, NJ, Rhode Island and Seattle, WA, swelled the ranks. Many similar bills are pending.

This legislative trend is remarkable not only because of its accelerated pace, but also because it is highly unusual to see municipalities taking the lead in enacting legislation with such a material impact on employers.

While these ban-the-box laws uniformly prohibit employers from inquiring into criminal history in the job application, they otherwise create a complex, legislative patchwork. Massachusetts and Seattle permit an inquiry into criminal history after the initial application. In Buffalo, Minnesota and Rhode Island, employers can ask about an applicant’s criminal history at the first interview. In Philadelphia, employers must wait until after the first interview to ask about an applicant’s criminal history. Finally, in Hawaii and Newark, employers must wait until after a conditional offer of employment has been made to inquire about criminal history.

In addition to these procedural restrictions on the timing of the criminal history question, at least eleven states—California, Georgia, Hawaii, Massachusetts, Michigan, Nebraska, Nevada, New York, Ohio, Pennsylvania and Washington—and one city, Newark, impose restrictions on the substantive scope of the criminal history question. For example, California and Ohio prohibit inquiries into certain, petty marijuana-related offenses; Hawaii and Washington prohibit inquiries into criminal convictions that are more than ten years old; Massachusetts generally prohibits inquiries into misdemeanor convictions that are more than five years old, and Newark’s ordinance imposes five- and eight-year limits depending on the type of criminal history. Many of these restrictions have been enacted in the past three years.

For multi-state employers, these procedural and substantive restrictions have turned what was once a straightforward question on the employment application into an ever-expanding list of caveats and warnings to applicants from varying jurisdictions about whether they should respond to the question at all and, if so, what they should and should not disclose. In the face of this quagmire, it is not surprising that multi-state employers are starting to throw up their hands. On October 29, 2013, The New York Times reported that Target Corporation, one of the largest employers in the United States, announced it would no longer ask about criminal history on any of its job applications, not just those in the company’s home state of Minnesota where the ban-the-box law becomes effective on January 1, 2014.

Given the strong likelihood that states and municipalities will enact new procedural and substantive restrictions on the criminal history question, many employers likely will feel compelled to evaluate whether they should do the same.

Implications for Privacy Professionals
Mitigating the insider threat is a critical component of any information security program, and pre-employment screening is an effective tool towards attaining that objective. At the same time, the new legislative trend to ban the box and to impose other restrictions on the criminal history question raises the risk that an organization’s pre-employment screening program is illegal. Consequently, privacy professionals should now discuss with their colleagues in the human resources and legal departments whether the time has come to remove the criminal history question from their organization’s employment application.

While doing so may result in some increased burden as organizations are required to interview applicants whom they otherwise might not have considered because of self-elimination or criminal history disclosed on the job application, organizations still will be able to learn about an applicant’s criminal history by conducting a lawful pre-employment background check. Indeed, evaluating a candidate’s criminal history with the additional context provided by a job interview and other information learned during the hiring process should put the organization in a better position to evaluate the risk to data security posed by an applicant who is an ex-offender.

Those organizations that decide not to drop the criminal history question from their job application should take two steps to reduce the risk of liability. First, they should carefully review relevant laws in all jurisdictions where they recruit to confirm that the criminal history question as posed continues to be lawful. Second, they should closely track legislative developments, at both the state and municipal level, to make sure that their criminal history question continues to be lawful for as long as it remains on the job application.

Written By

Philip Gordon


If you want to comment on this post, you need to login.

  • Wondering Nov 13, 2013

    Do these "ban the box" laws include exceptions for certain categories of employment or employers?  For instance, it's hard to believe that a state correctional system in one of those jurisdictions would be prohibited from asking the criminal hx question or required to wait until after a certain phase of the application process when much time has been invested (wasted) when such persons would and should be disqualified from employment.  Same issue for school districts or other areas with a high degree of public trust.  The logic regarding private employers is somewhat easy to grasp but if employers like Target simply employ no-to-little screening, it seems as if they are merely shifting their risk from internal threat/loss prevention to external tort/criminal liability if they've hired a bad actor.
  • Phil Gordon Nov 26, 2013

    Thanks for your comment.  The ban-the-box laws discussed in the Privacy Tracker apply only to private employers.  Many state and municipal governments have enacted ban-the-box laws applicable to their own hiring practices. Those laws likely contain carve outs for schools, law enforcement agencies and correctional institutions, but I am not familiar with the details of those laws.  As far as your second point goes, I don’t think organizations that drop the criminal history question are necessarily shifting the risk as you suggest.  Rather, they are relying more heavily on the background check and other aspects of the application process to weed out bad candidates.  You are right that there is some increased cost associated with that decision, but it becomes a business judgment call whether that increased cost is worth foregoing the risk and administrative burden (resulting from complying with a patchwork of laws) of asking the criminal history question.
  • Wondering Dec 30, 2013

    Thanks for the clarification.  As to the latter point re: not asking the criminal history question, in my experience, the question is not asked to discover prior misdeeds per se, but is designed to be an "integrity checker".  A good LE check (with luck) will find the history but you really want to know if the applicant/potential employee is honest and upfront about it.  An employer can forgive prior bad acts based on a recent good conduct and work history; what can't be overlooked is lying about your past.  In my workplace, we've hired folks despite some prior minor misdeeds because they were forthcoming about them.  And we've fired folks because their lack of honesty about their background was later discovered due to follow-up.  In Target's case, I would think that integrity is a key factor, as employee fraud and theft are two of the biggest risks to their bottom line.  (According to a Hayes International study, "On a per case average, dishonest employees steal 5.5 times the amount stolen by shoplifters ($715.24 vs $129.12)".


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»