Bookmark and Share


Massachusetts DCJIS Issues Final Regulations Governing Criminal Background Checks By Employers

[June 29, 2012] The Massachusetts Department of Criminal Justice Information Services (“DCJIS”) recently issued Final Regulations interpreting the Massachusetts Criminal Offender Record Information Reform Law of 2010 (the “CORI Reform Law”). (As we previously reported, the CORI Reform Law went into full effect on May 4, 2012, even though the interpretive regulations had not yet been issued.)

The Final Regulations provide important guidance in connection with a wide variety of topics encompassed by the CORI Reform Law, including written CORI policies, the new DCJIS CORI database, the use of consumer reporting agencies in obtaining CORI, and employers’ maintenance and dissemination of CORI records. We summarize the most pertinent provisions of the Final Regulations below.

Expanded CORI Policy Requirement

The Final Regulations provide that any employer “that annually conducts five or more criminal background investigations, whether CORI is obtained from DCJIS or any other source, shall maintain a written CORI policy.” Notably, this language differs from the earlier, proposed regulations, which stated that “[a]ny employer . . . that submits five or more CORI requests annually shall maintain a CORI policy.” (Emphasis added.) While the language of the proposed regulations could be read as applying only to employers that obtain CORI through the DCJIS, the broader language of the Final Regulations suggests that all employers carrying out at least five criminal history checks per year must adopt a written CORI policy, regardless of how the criminal background information is obtained.

The Final Regulations also state that a required CORI policy “must meet the minimum standards of the DCJIS model CORI policy,” which is available on the DCJIS website. Notably, this model policy appears to go well beyond the literal requirements of the CORI Reform Law, as it covers such matters as (i) which personnel should be given access to CORI, (ii) providing CORI training for authorized personnel, and (iii) the use of CORI in hiring decisions.

Procedures Required Only If CORI Is Obtained From Sources Other Than DCJIS

The Final Regulations include certain requirements that apply only to Massachusetts employers that obtain criminal background information through sources other than the DCJIS, such as third-party consumer reporting agencies (“CRAs”). Specifically, before making an adverse decision based on criminal history information received from a source other than the DCJIS, an employer must:


  • Notify the applicant (in person or by telephone, fax, or electronic or hard-copy correspondence) of the potential adverse employment action;
  • Provide the applicant with (1) a copy of his or her criminal history information, including the source of the information, (2) a copy of the employer’s CORI policy, if applicable, and (3) information published by the DCJIS regarding the process for correcting criminal records;
  • Provide the applicant with an opportunity to dispute the accuracy of the criminal history information; and
  • Document all steps taken to comply with these requirements.

These obligations are in addition to any obligations imposed by the federal Fair Credit Reporting Act (“FCRA”) and similar state laws, and may be duplicative of the requirements of those laws (for instance, the FCRA also requires employers to notify applicants of a potential adverse employment action).

Obligations Applicable To Employers Obtaining CORI From DCJIS

Many of the requirements set forth in the Final Regulations affect only employers that obtain criminal history information directly from DCJIS:

  • Method of Accessing CORI Records. Employers may register for online access to CORI via the DCJIS’ new iCORI website. An employer must designate an individual user, who must complete online iCORI training.
  • Taking Adverse Action Based On CORI. Before making an adverse decision based on CORI obtained directly from DCJIS, an employer must:
    • Notify the applicant (in person or by telephone, fax, or electronic or hard-copy correspondence) of the potential adverse employment action;
    • Provide the applicant with (1) a copy of his or her CORI report, (2) a copy of the employer’s CORI policy, if applicable, and (3) information published by the DCJIS regarding the process for correcting criminal records;
    • Identify the information in the applicant’s CORI report that is the basis for the potential adverse decision;
    • Provide the applicant with an opportunity to dispute the accuracy of the CORI; and
    • Document all steps taken to comply with these requirements.
  • Consumer Reporting Agency Access to CORI. The Final Regulations permit employers to use CRAs to obtain CORI from the DCJIS. A CRA has the same level of access to CORI as the employer on whose behalf the CRA performs a CORI check (However, the employer must also register with DCJIS and maintain its own iCORI account.) Similar to the requirements of the FCRA, before a CRA may request CORI on an employer’s behalf, the employer must: (1) notify the applicant in writing, in a document consisting “solely” of such notice, of its intent to obtain CORI, and (2) obtain the applicant’s “separate written authorization” to obtain the information. Notably, in addition to securing such a “separate written authorization,” an employer must also obtain a separate, signed CORI Acknowledgement Form from the applicant before the CORI check is performed. (Note: the Final Regulations do not specify whether this “separate written authorization” may consist of the same authorization form that is required under the FCRA. Thus, at least until further guidance has been provided on this issue, it may be prudent for an employer to use separate authorization forms for purposes of the CORI Reform Law and the FCRA.)
  • Consumer Reporting Agency Decision-Making. The Final Regulations specify that an employer may designate a CRA to obtain CORI from the DCJIS and use that information to decide, on the employer’s behalf, whether an individual is eligible for employment. In such circumstances, the CRA must fulfill all of the requirements that the employer would be required to follow under both the FCRA and the CORI Reform Law, including the Final Regulations. For instance, before notifying an applicant of a potential adverse decision based on the individual’s CORI report, the CRA must provide the individual with an FCRA-mandated pre-adverse action disclosure and summary of rights, as well as a copy of any applicable CORI policy, as required by the CORI Regulations. (Note: given the legal complexities involved in basing employment decisions on criminal history information, an employer should give careful consideration to whether it is appropriate to delegate this authority to a CRA.)
  • Additional CORI Checks Within One Year of Acknowledgment. Under the Final Regulations, an individual’s signed CORI Acknowledgment Form is valid either (i) for one year from the subject’s signing the form or (ii) until his or her employment ends, whichever occurs first. An employer may submit a new CORI request to the DCJIS within one year of the employee’s execution of the original Acknowledgment Form, so long as the employee is given written notice at least 72 hours prior to submission of the request. If the employee objects to the new CORI request, the Acknowledgement Form is rendered invalid. (However, an employer is not prohibited from making an adverse employment decision based on such an objection.)
  • Secondary Dissemination Log. The Final Regulations specify that if an employer disseminates CORI outside of its organization, the employer must document the dissemination in a special “secondary dissemination log” for a period of one year following the dissemination. The log must include: (1) the subject’s name; (2) the subject’s date of birth; (3) the date and time of the dissemination; (4) the name of the person to whom the information was disseminated and, if applicable, the name of that individual’s employer; and (5) the specific reason for the dissemination. Logs may be maintained either electronically or on paper.
  • Maintenance of CORI. The Final Regulations require that all hard copies of CORI be stored in a separate, locked and secure location, such as a file cabinet. Electronically-stored CORI must be password-protected and encrypted. Whether CORI is stored in hard copy or electronically, employers must limit access to employees who have been authorized by the employer to access CORI. The Final Regulations also prohibit employers from using “public cloud storage” methods to store CORI.
  • DCJIS Audits. Employers accessing the iCORI website are required to cooperate with DCJIS audits of compliance with the CORI Reform Law. The Final Regulations provide that an employer’s failure to cooperate with an audit may result in immediate revocation of CORI access and/or initiation of a formal complaint with the Criminal Record Review Board (“CRRB”) (the enforcement division of the DCJIS). A DCJIS audit may encompass such matters as whether an employer: (1) has appropriately registered with the DCJIS; (2) is properly completing and retaining CORI Acknowledgment Forms; (3) is requesting CORI in compliance with the Final Regulations; (4) is appropriately storing and safeguarding CORI; (5) is properly maintaining a secondary dissemination log; (6) is screening only those individuals permitted by law; and (7) has a CORI policy that complies with DCJIS requirements. An employer found not to be in compliance may be referred to the CRRB or state or federal law enforcement agencies.

Recommendations For Massachusetts Employers

In light of the issuance of the Final Regulations, we recommend that all Massachusetts employers that conduct criminal history checks (or plan to do so in the future) take the following steps:


  • Update their background check and criminal history information policies to comply with the CORI Reform Law and Final Regulations;
  • Conduct comprehensive training to ensure that all managers, supervisors and human resources personnel involved in hiring or tasked with obtaining or reviewing criminal background information are aware of their legal obligations;
  • Ensure that insofar as criminal history checks are carried out through CRAs, such checks are conducted in compliance with the FCRA and its Massachusetts equivalent, the Massachusetts Fair Credit Reporting Act; and
  • Ensure that employment decisions made on the basis of criminal history information are determined in a consistent, non-discriminatory manner. In this regard, we recommend that, in consultation with counsel, employers create a formal, internal policy and guidance for assessing information obtained through criminal history checks.

* * *

Please do not hesitate to contact us if you have questions about the Final Regulations, the CORI Reform Law or criminal background checks generally. Our attorneys have extensive experience in this developing area of the law, and we would be happy to help.