AI Hiring BiasAI Hiring Algorithms Present Big Questions About Accountability and Liability

AI Hiring Algorithms Present Big Questions About Accountability and Liability

As artificial intelligence (AI) becomes an increasingly prevalent human resources tool, the algorithms powering those hiring and staffing decisions have come under increased scrutiny for their potential to perpetuate bias and discrimination.

Are There Any Federal Laws or Regulations Governing the Use of AI in Hiring?

Under Title VII of the Civil Rights Act of 1964, the United States Equal Opportunity Commission (“EEOC”) is responsible for enforcing federal laws that make it illegal to discriminate against job applicants or employees because of their membership in a protected class.  For decades, attorneys have relied on the jointly issued Employment Tests and Selection Procedures by the Civil Service Commission, Department of Justice, Department of Labor and EEOC.  See generally 28 CFR § 50.14; see also Fact Sheet on Employment Tests and Selection Procedures, EEOCNevertheless, the current form of the Employment Tests and Selection Procedures fail to provide any guidance on the use of AI tools in the hiring process.   

That isn’t to say Federal regulators and legislators aren’t keen on regulating this area.  On December 8, 2020, ten United States Senators sent a joint letter to the EEOC regarding the EEOC’s authority to investigate the bias of AI driving hiring technologies.  In relevant part, the letter poses three questions:  

  1. Can the EEOC request access to “hiring assessment tools, algorithms, and applicant data from employers or hiring assessment vendors and conduct tests to determine whether the assessment tools may produce disparate impacts?
  2. If the EEOC were to conduct such a study, could it publish its findings in a public report?
  3. What additional authority and resources would the EEOC need to proactively study and investigate these AI hiring assessment technologies?  Id.

As of the current date, the EEOC has yet to respond to the letter.  Nevertheless, given the questions above, the current political climate, and the lack of current guidance from the EEOC, we anticipate future guidance, regulation, and potential enforcement actions in this area. 

How Are States Handling AI Hiring Bias? 

Illinois was first state to legislate in the area of the use of AI in hiring.  On August 9, 2019, Illinois enacted the Artificial Intelligence Video Interview Act (“AIVIA”), imposing strict limitations on employers who use AI to analyze candidate video interviews.  See 820 ILCS 42 et seq.  Under AIVIA, employers must: 

  1. Notify applicants that AI will be utilized during their video interviews;
  2.  Obtain consent to use AI in each candidate’s evaluation;  
  3. Explain to the candidates how the AI works and what characteristics the AI will track with regard to their fitness for the position; 
  4. Limit sharing of the video interview to those who have the requisite expertise to evaluate the candidate; and
  5. Comply with a candidate’s request to destroy his or her video within 30 days.  Id

Illinois was quickly followed up by Maryland, which on May 11, 2020 enacted legislation prohibiting an employer from using certain facial recognition services during a candidate’s interview for employment unless the candidate expressly consents.  See Md. Labor and Employment Code Ann. § 3-717.  The Maryland law specifically requires the candidate to consent to the use of certain facial recognition service technologies during an interview by signing a waiver which contains: 

  1. The candidate’s name;
  2. The date of the interview;
  3. that the candidate consents to the use of facial recognition during the interview;
  4. and that the candidate has read the waiver.  Id.

As with AIVIA, the emerging nature of the Maryland law does not provide much insight into how the law will be interpreted or enforced.

There are a number of other jurisdictions which have bills in different states of progress.  On February 20, 2020 a bill was introduced into the California legislature which would limit the liability of an employer or a purveyor of AI assisted employment decision making software under certain circumstances.  See 2019 Bill Text CA S.B. 1241.  This Californian bill “would create a presumption that an employer’s decision relating to hiring or promotion based on a test or other selection procedure is not discriminatory, if the test or procedure meets specified criteria, including, among other things, that it is job related and meets a business necessity” and “that the test or procedure utilizes pretested assessment technology that, upon use, resulted in an increase in the hiring or promotion of a protected class compared to prior workforce composition.”  Id. The bill would also require the employer to keep records of the testing or procedure and submit them for review to the California Department of Fair Employment and Housing, upon request, in order to qualify for the presumption and limit their liability.  Id

Not to be outdone, a bill was introduced into the New York City Counsel on February 27, 2020 with the purpose of regulating the sale of automated employment decision making tools.  See Int. No. 1894.  The New York City Council bill broadly defines automated employment decision making tool as “any system whose function is governed by statistical theory, or systems whose parameters are defined by such systems, including inferential methodologies, linear regression, neural networks, decision trees, random forests, and other learning algorithms, which automatically filters candidates or prospective candidates for hire or for any term, condition or privilege of employment in a way that establishes a preferred candidate or candidates.”  Id.  The bill seeks to prohibit the sale of automated employment decision making tools if they were not the subject of an audit for bias in the past year prior to sale, were not sold with a yearly bias audit service at no additional cost, and were not accompanied by a notice that the tool is subject to the provisions of the New York City Council’s bill.  Id.  The bill would require any person who uses automated employment assessment tools for hiring and other employment purposes to disclose to candidates, within 30 days, when such tools were used to assess their candidacy for employment, and the job qualifications or characteristics for which the tool was used to screen.  Id.  Finally, the bill is not without bite, as violator are subject to “a civil penalty of not more than $500 for that person’s first violation and each additional violation occurring on the same day as the first violation, and not less than $500 nor more than $1,500 for each subsequent violation.”  Id.

What Can My Business Do Now to Prepare for Potential Liability Related to the Use of AI in Hiring?

As the current political and legal landscape continues to be in flux, one of the best things your business can do is stay on top of current statutes.  Your business could also audit both internal and external use of AI in hiring to validate and confirm the absence of bias in the system; however, testing external systems may require your vendors to open their proprietary technology and information to their customers, something that most are hesitant to do.  Finally, your business should consider conducting a thorough review of any and all indemnification provisions in its vendor agreements to see how risk might be allocated between the parties.

Beckage is a law firm focused on technology, data security, and privacy. Beckage has an experienced team of attorneys and technologists who can advise your business on the best practices for limiting its liability related to the use of AI in hiring.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

FingerprintBiometric Litigation Continues To Rise As Businesses Work To Minimize Risk

Biometric Litigation Continues To Rise As Businesses Work To Minimize Risk

In 2008, Illinois enacted the Illinois Biometric Information Privacy Act (“BIPA”) with the purpose of recognizing a person’s privacy right to their “biometric information” and “biometric identifiers”.  BIPA was enacted in response to the growing use of biometrics by businesses.   

In part because of its private right of action, by which plaintiffs may bring suit against businesses directly, BIPA litigation remains at the forefront of the data privacy litigation landscape as businesses continue to collect the biometric identifiers of their employees.  Recent BIPA class action settlements with major tech companies like Facebook and TikTok have been in the hundreds of millions of dollars, but the majority of BIPA litigation is brought against small and medium sized enterprises who collect biometric information in employee timekeeping or for access controls to physical spaces.   

To date, defendants have found courts to be generally unwilling to dismiss BIPA litigation at early motion practice.  Two recent cases, Thornley v. Clearview AI and Barton v. Swan Surfaces, demonstrate that there are some potential limits to BIPA litigation. 

Thornley  v. Clearview AI 

In Thornley, Melissa Thornley accused Clearview AI of scaping publicly available photos from her social media accounts for facial recognition purposes and selling her biometric information to third parties without her consent.  Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1242-1243 (7th Cir. 2021).  Thornley initially filed a complaint in Illinois state court, alleging as a class representative, that Clearview violated § 15(c) of BIPA, which requires in relevant part, that “[n]o private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.”  Id. at 1246.  Clearview removed the case to federal court on the basis that the allegation of a statutory violation gave rise to a concrete and particularized injury-in-fact that is necessary for Article III standing.  Id. at 1243.  Under the Constitution, a plaintiff must have Article III standing to sue in federal court, which requires that the plaintiff prove: (1) an injury in fact; (2) causation of the injury by the defendant; and (3) that the injury is likely to be redressed by the requested relief.  See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016).  In Spokeo, the Supreme Court of the United States held that a statutory violation could be sufficient to constitute an injury in fact; however, it did not provide any analysis as to which types of statutory violations necessarily implicate concrete and particularized injuries in fact.  Id.   

The district court held that Clearview alleged violation of § 15(c) of BIPA was “only a bare statutory violation, not the kind of concrete and particularized harm that would support standing”, the case must be remanded to the state court.  Thornley., 984 F.3d at 1242.  Clearview then appealed to the Seventh Circuit, who concurred with the District Court and remanded the case back to the Illinois State Court for much the same lack of standing.  Id.  Clearview has now petitioned the Supreme Court of the United States to take its case.  See Porter Wells, Clearview AI Will Take BIPA Standing Challenge to Supreme Court. 

Barton v. Swan Surfaces, LLC 

In Barton, a unionized employee of Swan Surfaces, LLC (“Swan”) was required to clock in and out of her employer’s manufacturing plant using her fingerprints as part of company protocol.  Barton v. Swan Surfaces, LLC, No. No. 20-cv-499-SPM, 2021 WL 793983 at *1 (S.D. Ill March 2, 2021).  On May 29, 2020 Barton filed a complaint in the United States District Court for the Southern District of Illinois alleging that she represented a class of individuals who “while residing in the State of Illinois, had their fingerprints collected, captured, received, otherwise obtained and/or stored by Swan”.  Id. at *2.  Barton asserted Swan violated BIPA in: (1) failing to institute, maintain, and adhere to publicly available retention schedule in violation of 740 ILCS 14/15(a); and (2) failing to obtain informed written consent and release before collecting biometric of information.  Id.  On July 31, 2020, Swan filed a Motion to Dismiss, asserting in relevant part, that Barton’s BIPA claims were preempted by § 301 of the Labor Management Relations Act (“LMRA”).  Id.  

On March 2, 2021, the court held that as Barton was a unionized employee, her Collective Bargaining Agreement (“CBA”), which contained a management rights clause and grievance procedure, controlled and as such Barton’s BIPA claims were preempted by § 301 of the LMRA.  In coming to its conclusion, the court heavily relied on the courts holding in Miller v. Southwest Airlines, Inc., 926 F.3d 898 (7th Cir. 2019). Id. at *6. In Miller, the Seventh Circuit held an adjustment board had to resolve the employees’ dispute over the airline’s fingerprint collection practices because their unions may have bargained over the practice on their behalf.  Miller, 926 F.3d 898.  The court in Barton noted that the United States “Supreme Court has held that the RLA preemption standard is virtually identical to the pre-emption standard the Court employs in cases involving § 301 of the LMRA” and therefore the same outcome should apply.  Barton, 2021 WL 793983 at *4. 

Key Takeaway 

While these cases demonstrate the potential to circumvent or limit BIPA litigation, the increased volume of biometric information being used by companies and the push for biometric policies that govern the use of these technologies and promote safeguards for consumers will undoubtedly continue.  

With many states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Beckage attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. We have a team of highly skilled lawyers that stay up to date on all developments in case law on BIPA and who can help your company best defense given the current legal landscape. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies. 

*Attorney Advertising: Prior results do not guarantee a similar outcome. 

Subscribe to our newsletter. 

WebsiteWebsite Accessibility Under the ADA: What You Need to Know

Website Accessibility Under the ADA: What You Need to Know

Many of us are familiar with the Americans with Disabilities Act, otherwise known as the ADA. It is a landmark civil rights legislation that was signed into law by President George H.W. Bush in 1990. It works to guarantee that individuals with disabilities have equal opportunities to participate in mainstream American life, from finding employment opportunities to shopping at the mall or entering a public library.  But “mainstream” life has changed a lot over the past 30 years, especially with the tremendous growth we have seen with the advent of the internet. More and more companies with or without brick and mortar stores have some type of online presence. As such, the past few years there has been a tremendous amount of litigation surrounding how the ADA should be applied to websites.  

Current Status of the ADA

When the ADA was first enacted, Congress could not have anticipated just how far the internet would reach into everyday life. As a result, the ADA focuses on accessibility and discrimination issues that would happen in person—for example, standards for accessibility for brick-and-mortar business locations and employment setting. The ADA does not specifically provide guidance regarding the accessibility standards applicable to internet or online businesses nor does it expressly exclude online businesses either.  

Title III of the ADA requires that every owner, lessor, or operator of a “place of public accommodation” provide equal access to users who meet ADA standards for disability. Over more recent years, the argument arose that this concept applied to websites, prompting a wave of litigation by plaintiff’s claiming that accessibility barriers experienced on a website violated the ADA because it denied them full access to and equal enjoyment of the goods, services, and accommodations of the website. But with no formal guidelines or laws in place outlining what online ADA compliance actually means for online businesses (with or without a connection to a brick-and-mortar business), it has been largely left up to the courts to decide what compliance looks like.  

As we reported at the end of last year, the United States Supreme Court denied a petition filed by the pizza conglomerate Domino’s, sending a relatively clear statement that Title III of the ADA does in fact apply to websites. But the Supreme Court’s denial of cert still leaves businesses hoping for actual guidelines in limbo, waiting for either another case to reach the Supreme Court or the Department of Justice to issue guidance in this area.

Recommended Steps for Addressing Website Accessibility  

In the meantime, Beckage has proactively monitored this area of the law over the past few years and recommends clients take intentional and protective measures to address website accessibility sooner rather than later. As either part of litigation defense strategy or proactive website remediation measures, we generally recommend implementing a comprehensive, phased approach to website accessibility, including the following measures:  

Working with Beckage or a trusted third-party vendor that we together vet and retain to perform an independent website-accessibility audit for conformance with the Web Content Accessibility Guidelines (WCAG 2.1), the prevailing set of guidelines that set forth website accessibility standards.  

Implementing a forward-facing website accessibility notice that is prominently and directly linked from the website home page that provides individuals with disabilities who are experiencing technical difficulties the ability to request assistance. Those staffing the phone line and receiving e-mails regarding this should be knowledgeable about the statement and be trained on how to help users that are experiencing technical difficulties navigating the website.

Deploying an internal website accessibility policy that guides the organization’s decision making and processes and procedures for designing, developing, and procuring accessible content on the website. Most websites are regularly updated and modified and accordingly there should be procedures in place as part of this internal policy for regularly reviewing the website for new accessibility barriers.  

We also recommend regularly testing your website with assistive technology used by the disability community to access your content such as the JAWS screen reader. This process can provide valuable intel on potential and unforeseen barriers that may occur to users.  

Even without specific guidelines or a clear understanding of what compliance looks like, there are several low-cost, high impact steps companies can take to address website accessibility.  We recommend clients work on website accessibility alongside their larger public-facing disclosure compliance work, such as regularly updating their Website Privacy Policy and Terms of Use to comply with the evolving paradigm of privacy legislation and regulations such as the California Consumer Protection Act (CCPA) and GDPR.  While the legal standards of website accessibility are still murky, the technology to support accessibility online is only getting stronger. Beckage’s Accessibility Team, made up of web developers and a former web design business owner, is here to help you navigate ADA website compliance and make your online presence more welcoming and accessible to everyone. From litigation defense to proactive website remediation, our experienced team is uniquely positioned to partner with your business and assist with your ADA compliance efforts.  

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Home OfficeWhat We Have Learned About Remote Workforce Safeguards During COVID-19

What We Have Learned About Remote Workforce Safeguards During COVID-19

Beckage lawyers have been working with businesses to put them in a legally defensible position in pivoting their workforce to a distributed workforce. We have learned a few things from our work and watching what is happening around the globe.

Technical Safeguards Have Had To Quickly Pivot:

Companies are working to narrow their threat surface.

Organizations are working toward making their workforce 100% remote to safeguard employees but with that advantage there is an increase in exposure of company assets “in the wild.” With this increased risk it becomes necessary for those responsible to implement technical safeguards to offset this increased risk. Where preventative controls are not realistic, an organization should look to implement detective controls.

Beckage has evaluated various control options for access management. A few of these are:

• Shortening screensaver times

• Session lockout times

• Tiered approach for modifying user access to high risk platforms, applications, and, where possible, data

• Multi-factor authentication for email and high-risk applications/systems

• VPN and Virtual Desktop Infrastructure

With so many tech vendors selling a variety of services and products, companies are getting lost in the hype and simply want to know how they balance it all as part of a larger game plan.

Organizations Valuing Importance Of Administrative Safeguards:

Companies are realizing how essential it is to have more administrative safeguards in place.

Beckage has reviewed the most relevant policies and procedures that relate to remote workforce. Organizations should analyze if those policy and procedures contain steps or tasks that require key stakeholders to be present.

Additionally, organizations need to confirm that their Incident Response, Disaster Recovery, and Business Continuity Plan are all sustainable with a remote workforce. They should verify that such policies and procedures (including call-trees and responsible party contact lists) are accessible to those who need access. Beckage has suggested that organizations look at cloud-based solutions for storing their policies and procedures. This would enable workforce to access documents even if their network is down.

Physical Safeguards Are Very Important:

With buildings becoming vacant, physical safeguards will become more indispensable than ever. If an organization’s facility is going to have a skeleton crew then there are several questions which need to be addressed such as:

• Who will be responsible for safeguarding assets onsite?

• Does this person(s) have an intimate knowledge of the protocols in the event there is a breach or other criminal activity?

• Does the workforce understand what steps to take in the event they lose a device while working remotely?

• Is the procedure documented and has it been distributed?

• Has the organization walked through the process to commission and decommission devices remotely?

Struggle In Addressing Pandemic & Complying With New Laws:

In the middle of the pandemic, companies have still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA), especially where the Attorney Generals responsible for enforcing them have not provided extensions of time to comply despite the organizational disruption of the pandemic.

***

Beckage attorneys, who are also technologists, former CISO and current Certified Information Systems Auditor (CISA) are available to answer any questions you have about the foregoing safeguards and their impact and compliance with NY SHIELD Act, the CCPA, the

European Union’s General Data Protection Regulation (GDPR) or any other privacy or data security statute. Visit us at Beckage.com or call us at 716 898 2102.

Beckage is proud to be the only firm in 2019 named for its “Technology Transactions” practice in Upstate New York Super Lawyers and routinely cited by Law.com for our insights in this fast-moving arena, along with several other awards and recognition in tech and law. We thank you for your business and encourage you to visit our blog regularly for updates on this area of law and others.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Modern office with panelled glass wallsPreparing for New York’s New Sexual Harassment Laws

Preparing for New York’s New Sexual Harassment Laws

In the wake of the #MeToo movement and widespread attention on sexual harassment in the workplace, on April 12 Governor Cuomo passed into law the 2019 Budget, which included a package of laws aimed at combating sexual harassment.  These laws apply to employers of all sizes – even those with only one employee and obligates employers, among other things, to 1) distribute a written sexual harassment policy, and 2) perform annual sexual harassment training.  Now is the time to revisit your anti-sexual harassment programs and policies and make the necessary changes to ensure compliance with these laws. Here are a few key elements employers need to know.  

Sexual Harassment Policy:
By Oct. 9, every employer in New York state must have a written sexual harassment prevention policy in place and distribute it to its employees.

Employers can use the model policy created by the New York State Department of Labor and the New York State Division of Human Rights, or they can create their own policy provided that it equals or exceeds the minimum standards set forth in the model policy.   

Some key elements the policy must include:  

  • A statement prohibiting sexual harassment;  
  • Examples of prohibited conduct that would constitute unlawful sexual harassment;
  • Information concerning the federal and state statutory provisions concerning sexual harassment, remedies available and a statement that there may be applicable local laws;
  • A standard complaint form;
  • A prohibition on retaliation;  
  • A procedure for the timely and confidential investigation of complaints and ensure due process for all parties;
  • An explanation to employees of their rights of redress and all available forums for adjudicating sexual harassment complaints administratively and judicially; and
  • A statement that sanctions will be enforced against those who engage in sexual harassment and managers and supervisors who knowingly allow sexual harassment.  

A sexual harassment policy can be provided to employees in hard copy or electronically but must also be accessible and printable during working hours.  Employers are required to prepare and distribute a compliant written policy by October 9, 2018.  

Mandatory Sexual Harassment Training:
Beginning Oct. 9, every New York state employer must provide sexual harassment prevention training to all employees on an annual basis. Employers can either use the model sexual harassment prevention training program created by the New York State Department of Labor and the New York State Division of Human Rights or establish their own training program that equals or exceeds the minimum standards provided by the model.  While it hasn’t been officially confirmed, it seems likely that this training can be given online provided it is interactive. The training must include the following:

  • An interactive component;
  • An explanation and examples of prohibited sexual harassment;
  • Information on federal and state statutes prohibiting sexual harassment;
  • Remedies and rights of redress under the applicable statutes; and
  • An explanation of added responsibilities for supervisory employees.

Employers may satisfy the “interactive” training requirement by: (1) asking questions of the employees as part of the program; (2) including question and answer portion to accommodate employee questions; (3) using a live trainer to conduct the training or making a live-trainer available to answer questions; or (4) requiring employee feedback about the training. Employers should implement as many of the above interactive components as is feasible. All employees must receive a compliant sexual harassment training on or before October 2019.

New hires must receive a compliant sexual harassment training within 30 calendar days of hire.  

Special Provisions for New York City Employers:
Beginning April 1, 2019, all New York City employers with 15 or more employees must provide interactive (but not necessarily live) sexual harassment prevention training to all full- and part-time employees and interns annually, and to new employees within 90 days of hire.

The NYC Commission on Human Rights will create an interactive training module that will be available to employers free of charge.  While these government-created training programs will meet minimum legal requirements, employers should consider providing more detailed, in-person sexual harassment and anti-discrimination training programs.

Beckage attorneys are available to help employers navigate these new sexual harassment laws, including drafting and reviewing sexual harassment policies as well as offering webinars and interactive training programs to ensure compliance with the new laws.    

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.

1 2