Federal Developments
FTC Settlement
On December 31st, the Federal Trade Commission (FTC) announced that it has approved a final order settling charges against Snapchat, Inc. (Snapchat) for allegedly violating the FTC Act by deceiving customers with promises about the disappearing nature of messages through the service, the amount of personal data collected, and the security measures taken to protect customer personal data from misuse and unauthorized disclosure. Among the requirements for Snapchat under the final order are that the company may not misrepresent its privacy, security, or confidentiality policies, and that Snapchat must develop a more comprehensive privacy policy that will be monitored by “an independent privacy professional” for the next 20 years.
http://www.ftc.gov/news-events/press-releases/2014/12/ftc-approves-final-order-settling-charges-against-snapchat?utm_source=govdelivery
FTC Enforcement
On December 23rd, the Federal Trade Commission (FTC) announced an enforcement action against a data broker for alleged violations of the FTC Act by selling “the sensitive personal information of hundreds of thousands of consumers…to scammers who allegedly debited millions from their accounts.” According to the FTC’s complaint, data broker LeapLab “sold consumer payday loan applications containing consumer financial account numbers, Social Security numbers, and other sensitive personal information to non-lenders, without consumers’ knowledge or consent.” Subsequently, some marketers who obtained the consumer information allegedly withdrew millions of dollars from consumers’ accounts without their authorization. “This case shows that the illegitimate use of sensitive financial information causes real harm to consumers,” Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said. Amongst the relief sought, the FTC seeks to permanently enjoin LeapLab from its alleged unlawful practices and to compensate consumers.
http://www.ftc.gov/news-events/press-releases/2014/12/ftc-charges-data-broker-facilitating-theft-millions-dollars?utm_source=govdelivery
FTC / COPPA
On December 17th, the Federal Trade Commission (FTC) sent a letter to BabyBus Technology Co. Ltd. (BabyBus), a Chinese mobile app developer targeting children, to warn the company that its practices of collecting users’ location information without their parents’ consent appeared to violate the Children’s Online Privacy Protection Act (COPPA) Rule. In the letter, the FTC highlighted that many of BabyBus’ apps collect “precise geolocation information that is transmitted to third parties, including advertising networks and/or analytics companies.” The FTC further informed BabyBus that because its apps target children, it must comply with COPPA by posting comprehensive privacy policies and obtaining verifiable parental consent before collecting, using, or disclosing any personal information collected from children. Accordingly, the FTC urged BabyBus to review all of its apps to ensure they comply with COPPA, and stated that the FTC will review the company’s apps again in January.
http://www.ftc.gov/system/files/documents/public_statements/606451/141222babybusletter.pdf
Data Stored Overseas
On December 15th, numerous technology companies and privacy groups submitted briefs to the Second Circuit, supporting Microsoft Corp. in its challenge to search warrants that would allow the United States government to access user data stored overseas. In July 2014 a federal district court ruled the government search warrants can apply extraterritorially. In ten separate briefs, the technology companies and privacy groups argued the district court’s decision should not stand, supporting Microsoft’s arguments that the government’s attempt to use search warrants issued under the Stored Communications Act (SCA) to access user data stored overseas is not supported by the SCA and would set a dangerous legal precedent that would invite retaliation by countries where companies store data. “By increasing suspicions that information foreign customers store with U.S.-owned cloud providers in foreign countries is easily accessible by the U.S. government, the district court’s order will have a significant detrimental impact on the business of the amici and many other companies similarly situated,” Verizon said.
United States of America v. In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corp., No. 14-2985 (2nd Cir., Dec. 15, 2014).
Privacy Policy / Data Collection and Retention
On December 15th, Uber Technologies, Inc. (Uber) responded to Senator Al Franken’s (D-MN) privacy concerns that he raised in a letter addressed to Uber on November 19th. Uber’s response discussed various aspects of the ridesharing company’s privacy policies, noting that “Uber collects basic information from riders – information necessary to provide the service.” Regarding retention of rider account data, Uber stated “they are maintained as long as a rider has an account. If a rider cancels his or her account, the records will be retained until the account is settled and there is no longer a business need to retain them.” Uber also noted that the company’s privacy policies address the instances in which Uber discloses rider information pursuant to service provider agreements and valid law enforcement requests.
Court Cases
Background Checks
On December 9th, a federal district court judge ordered the United States Equal Employment Opportunity Commission (EEOC) to disclose its own background check policies to BMW Manufacturing Co. LLC (BMW), reversing a previous U.S. magistrate judge’s order on the issue. The EEOC filed the lawsuit alleging that BMW’s use of criminal background checks for hiring has a disparate impact on black job candidates, in violation of Title VII of the Civil Rights Act of 1964. BMW argued that the EEOC’s background check policies impact its defense in the case and, thus, requested the Agency’s policies. The EEOC argued that its background check policies were not relevant to the dispute. BMW “is entitled to discovery on this issue as it relates to [its] defenses,” the federal district court’s order said. Consequently, “[t]he court finds that the magistrate judge’s order should be set aside.” Notably, while the federal district court compelled the EEOC to disclose its background check policies, the judge emphasized that he had not made a determination that the policies will be admissible, and that the EEOC’s policies may, in fact, prove not to be relevant.
United States Equal Employment Opportunity Commission v. BMW Manufacturing Co. LLC, No. 7:13-cv-01583 (D.S.C., Dec. 9, 2014).
On December 9th, Michaels Stores, Inc. (Michaels) was charged in a proposed class action lawsuit alleging violations of the Fair Credit Reporting Act (FCRA) and the state’s consumer protection laws by “failing to obtain the proper authorization to conduct background checks” for prospective employees. The complaint alleges that Michaels’ notice that the company will obtain background checks is included at the end of the online job application “in a series of paragraphs which appear on the same web page as numerous other pieces of extraneous information.” Plaintiffs allege that under the FCRA, companies must provide “a On December 9th, Michaels Stores, Inc. (Michaels) was charged in a proposed class action lawsuit alleging violations of the Fair Credit Reporting Act (FCRA) and the state’s consumer protection laws by “failing to obtain the proper authorization to conduct background checks” for prospective employees. The complaint alleges that Michaels’ notice that the company will obtain background checks is included at the end of the online job application “in a series of paragraphs which appear on the same web page as numerous other pieces of extraneous information.” Plaintiffs allege that under the FCRA, companies must provide “a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes.” “Defendant’s conduct unambiguously violates the FCRA. First, it is evident that a stand-alone disclosure cannot be part of a larger job application, but must be an entirely separate document,” the complaint states. It goes on to state, “[s]econd, it is evident that a stand-alone disclosure cannot contain anything other than the disclosure and an authorization for a consumer report to be procured.”
Graham v. Michaels Stores, Inc., No. 2:14-cv-07563 (D.N.J., Dec. 9, 2014).
On November 26th, two employment agencies were sued in a proposed class action alleging that they violated the Fair Credit Reporting Act (FCRA) by using background checks on job candidates to make hiring decisions without providing candidates with copies of the background check reports. The complaint specifies that the Plaintiff was working at UnitedHealthcare, Inc. through Aerotek, Inc. (Aerotek), one of the two employment agencies Plaintiff interviewed with, when he received notice from Aerotek that his employment contract had been terminated based on his criminal history which the plaintiff alleges contained incomprehensive information. “Specifically, the report contained two felonies and three misdemeanors, in addition to numerous items of personal information, which belong to at least two other unrelated persons,” the complaint alleges. According to the complaint, the Plaintiff never received notice from the employment agencies that they intended to take adverse action against him based on a consumer report and, thus, violated the FCRA.
Mitchell v. Aerotek Inc et al., No. 1:14-cv-03691 (D. Md., Nov. 26, 2014).
FCRA
On December 4th, Whole Foods Market Group, Inc. (Whole Foods), was charged in a proposed class action lawsuit alleging the company used consumer reports while screening prospective workers in a way that violates the Fair Credit Reporting Act (FCRA). According to the complaint, Whole Foods did not provide employees with a separate document informing the employee that the company may obtain a consumer report about them. Additionally, the complaint argues Whole Foods “unlawfully inserted liability release provisions into forms purporting to grant [Whole Foods] authority to obtain and use consumer report information for employment purposes.” The plaintiff seeks a jury trial, statutory damages and a declaration from the court that Whole Foods had acted “willfully or [in] reckless disregard of Plaintiffs rights and its obligations under the FCRA.”
Speer v. Whole Foods Market Group, Inc., No. 8:14-cv-03035 (M.D. Fla., Dec. 4, 2014).
ECPA / Data Collection
On December 8th, Microsoft Corp. (Microsoft) urged the Second Circuit to reverse a federal district court’s ruling allowing the government to use search warrants to obtain customer data stored outside the United States In July 2014, a federal district court judge upheld the magistrate judge’s warrant permitting the government to obtain data from Microsoft stored in Dublin, Ireland. In its brief to the Second Circuit, Microsoft argued that Congress never intended for the Electronic Communications Privacy Act (ECPA) to reach overseas. “[C]ourts presume that federal statutes do not apply extraterritorially unless Congress expresses a clear intent for them to do so,” Microsoft emphasized in its brief. “Nor did Congress express any intention to allow the government to ignore established avenues for international cooperation, such as Mutual Legal Assistance treaties, to obtain such evidence.”
In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corp., No. 14-2985 (2nd Cir., Dec. 8, 2014).
Call Recording/ Collection
On December 5th, the Ninth Circuit rejected a preliminary injunction request against Verizon Wireless LLC (Verizon) seeking to block Verizon from recording calls with noncustomers without their consent. A proposed class action was filed in June 2012, alleging that Verizon violated the California Invasion of Privacy Act by recording debt collection calls without consumers’ knowledge or consent. In March 2014, a federal district court rejected Verizon’s motion to dismiss the case, but also denied the plaintiff’s motion for a preliminary injunction that would have barred Verizon and Collecto, Verizon’s collection agency, from continuing to record calls without obtaining permission. Subsequently, the plaintiff appealed the denial of the preliminary injunction request to the Ninth Circuit, arguing that he “demonstrated a prima facie case of irreparable harm.” The Ninth Circuit rejected this argument, stating that Verizon has “revised its…policy to require its debt collectors to disclose on every outgoing call that the call is being recorded.” The Ninth Circuit also stated that Verizon produced evidence that Collecto has blocked future calls to the plaintiff. Consequently, the Ninth Circuit found that the plaintiff “failed to carry his burden of demonstrating a likelihood of irreparable harm.”
John Lofton v. Verizon Wireless, No. 14-15694 (9th Cir., Dec. 5, 2014).
State Developments
Privacy
On January 1st, California S.B. 568, the “Online Eraser” law, will take effect, requiring websites and other online service operators to remove upon request certain content posted by minors. The law also prohibits websites from sharing minors’ personal information to third parties for the purpose of marketing a list of specified products or services to the minor. Specifically, websites and online service operators “shall not Daily Privacy & Consumer Regulatory Alert knowingly use, disclose, compile, or allow a third party to use, disclose, or compile, the personal information of a minor with actual knowledge that the use, disclosure, or compilation is for the purpose of marketing or advertising products or services to that minor for a product.” The bill also states that websites should take “reasonable actions in good faith” to not publish advertisements for 19 specified categories of products and services, including—products such as lottery tickets, tobacco, alcoholic beverages, firearms or handguns, and aerosol spray paint capable of defacing property.
http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB568
Data Breach
On December 26th, Stagecoach Transportation, Inc. (Stagecoach) reported a data breach to the Vermont Attorney General involving an undisclosed number of unspecified individuals’ Social Security numbers and addresses. Stagecoach learned that between mid-October and November 13th a company desktop computer went missing containing individuals’ personal information. The computer was used by Stagecoach since November 2013 for the company’s accounting. Stagecoach emphasized that the accounting software was password protected. Stagecoach recommends that individuals review their bank and payment card statements, monitor their credit reports, and consider placing a fraud alert on their credit files.
On December 26th, Physicians Skin and Weight Centers, Inc. (PSWC) reported a data breach to the California Attorney General involving an undisclosed number of patients’ names, banking information, payment card information, Social Security numbers, birthdates, and addresses. PSWC learned that on November 4th an employee’s vehicle was broken into and a company laptop and external hard drive were stolen from the vehicle. The laptop contained patient personal information, but was password protected and PSWC states that there is no evidence that any patients’ information has been used. However, PSWC recommends that patients monitor their credit reports and offered affected patients free credit monitoring and identity protection services for one year.
http://oag.ca.gov/system/files/Physicians%20Skin%20Notice_0.pdf
On December 26th, Empi, Inc./DJO, LLC (DJO), a medical device producer, reported a data breach to the California Attorney General involving an undisclosed number of patients’ names, phone numbers, diagnosis information, surgery dates, health insurer names, and doctor information. On November 7th, DJO discovered that a consultant’s laptop was stolen from a locked car in Roseville, Minnesota. The laptop contained patient personal information, but was password protected and did not contain patients’ Social Security numbers, health insurance numbers, or credit card information, according to the data breach notice. An investigation revealed that the patient information was accessible on the laptop from November 7th to November 21st. DJO states that there is no evidence of any misuse of patients’ information, but recommends that patients monitor their credit reports, place a fraud alert on their credit file, and be aware of calls requesting credit card information or any other personal information.
http://oag.ca.gov/system/files/California%20Notices%20Template%2012.24.14_0.pdf
On December 24th, Lokai Holdings, LLC (Lokai) reported a data breach to the California Attorney General involving an undisclosed number of customers’ names, addresses, payment card information, and mylokai.com usernames and passwords. On October 28th, Lokai discovered that an unauthorized individual gained access to the server that hosts Lokai’s website and “installed a program that was designed to record information entered by customers.” An investigation revealed that customers’ personal information submitted to the Lokai website between July 28th and October 28th could have been affected. Passwords for Lokai accounts have already been reset and Lokai recommends that customers monitor their financial statements.
http://oag.ca.gov/system/files/Notice_M978_v01_0.pdf
On December 23rd, Boersma Bros. LLC, dba DutchWear, a clothing store and coffee chain, reported a data breach to the California Attorney General involving an undisclosed number of customers’ names, addresses, phone numbers, and credit card information. On December 6th, DutchWear discovered unauthorized access to its website that exposed payment information of its customers. According to the data breach notice, customer personal information may have been intercepted during purchase transactions between November 7th and December 6th. DutchWear emphasized that only the e-commerce site was compromised, and that purchases made at retail locations were not affected. DutchWear continues to work with law enforcement and is taking steps to prevent future breaches, including building a new website with new security features and protocols. DutchWear recommends that customers monitor their credit reports and consider placing a fraud alert on their credit file.
http://oag.ca.gov/system/files/Dutch%20Indiv_0.pdf
On December 23rd, Public Architecture, a charitable organization, reported a data breach to the California Attorney General involving an undisclosed number of members’ usernames, passwords, and contact information. On December 8th, Public Architecture discovered that a website it operates, theonepercent.org, was “hacked.” The incident resulted in the deletion of files essential to the site’s operation and the hacker may have stolen personal information of the site’s members. Public Architecture notified law enforcement and is working to restore the site as soon as possible. Public Architecture recommends that members monitor their email addresses and accounts for suspicious activity.
http://oag.ca.gov/system/files/Hacker%20announcement_0.pdf
On December 22nd, Nvidia Corporation (Nvidia), a global technology company, reported a data breach to the California Attorney General involving an undisclosed number of employees’ usernames and passwords. On December 1st, Nvidia learned that there was unauthorized access to its network that holds employee personal information. Since discovering the breach, Nvidia has taken steps to prevent future breaches, including requiring employees to reset their passwords. Although Nvidia stated it has no indication that employee information has been accessed, Nvidia recommended that employees regularly review bank and credit card statements, as well as their credit reports.
http://oag.ca.gov/system/files/Notice%2C%2012-17-2014_0.pdf
On December 22nd, IDParts.com (IDParts) reported a data breach to the Vermont Attorney General involving an undisclosed number of customers’ payment card information. On October 28th, IDParts discovered that in January 2014 malicious code was inserted into the functions that process customer payment information through its website, which resulted in the taking of customers’ credit card information when they made online purchases. According to the data breach notice, the customer information was emailed to an unknown third party. Also, IDParts emphasized that it does not appear that any customer names, addresses, or phone numbers were compromised. Upon discovery of the breach, IDParts disabled the malicious code on its website and changed the passwords on all system accounts associated with the company’s domain. IDParts recommends that customers monitor their credit report and consider placing a fraud alert on their credit file.
On December 20th, BolderImage, a website design and mobile development firm, reported a data breach to the Vermont Attorney General involving an undisclosed number of customers’ names and credit card information. On October 24th, BolderImage discovered suspicious activity on a website it hosts for a company it operates called, Custom Accessories, Inc. As a result, the intruder may have viewed a database file containing confidential customer order information, according to the notice. Upon discovery, BolderImage deleted the malicious code, blocked access from the intruder’s IP address, and reset all user account passwords. BolderImage recommends that customers monitor their credit card statements.
On December 17th, Ascena Retail Group, Inc. (Ascena) reported a data breach to the New Hampshire Attorney General involving an undisclosed number of employees’ email addresses and Social Security numbers. On November 13th, Ascena learned by its payroll and benefits provider, ADP, that an error in ADP’s system permitted a different client of ADP to view information about “a small number of Ascena’s employees.” The error occurred when the other ADP client ran an ADP report on its own employees, but the report included Ascena employee information as well. According to Ascena, the report did not include individuals’ full names, addresses, or any other personal information. ADP notified Ascena that the report was deleted and was not used, copied, or shared. Ascena’s data breach letter states that ADP offered affected individuals a free one-year membership to a credit monitoring service.
On December 16th, ex-employees of Sony Pictures Entertainment, Inc. (Sony) filed a proposed class action lawsuit against Sony alleging the company “breach[ed] a legal duty to maintain reasonable and adequate security measures to secure [plaintiffs’] personal identifying information” in connection with Sony’s recent data breach (previously reported). The plaintiffs argued that “Sony failed to secure its computer systems, servers and databases despite weaknesses it has known about for years.” The complaint also noted that “[Sony’s] most sensitive data, including over 47, 000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals.” Sony offered affected individuals free credit monitoring and identity protection services for one year, but the complaint argues this is not enough. Consequently, among the requested relief sought by plaintiffs are more substantial protections, including credit card monitoring and identity protection services for five years.
Corona et al v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600 (C.D. Cal., Dec. 16, 2014).
On December 16th, the U.S. Judicial Panel on Multidistrict Litigation (JPML) consolidated two proposed class action lawsuits brought by consumers against SuperValu Inc. (SuperValu), a grocery chain, over a July 2014 data breach in Minnesota. Both lawsuits allege that plaintiffs’ credit card information was exposed because SuperValu failed to secure consumers’ personal financial information by not complying with industry security standards. The separate proposed class actions were brought in Illinois and Minnesota. According to the JPML, the Minnesota plaintiffs argued for centralization in either Minnesota or Idaho, while the Illinois plaintiffs opposed centralization. SuperValu supported centralization in Idaho, where more actions are expected to be filed. However, the JPML decided to centralize in Minnesota, where SuperValu is headquartered and is also “convenient and accessible for the majority of the parties.”
SuperValu, Inc. Customer Data Security Breach Litigation, No. 2586 (J.P.M.L., Dec. 16, 2014).
Data Security
On December 16th, Krebsonsecurity.com reported that “[m]ultiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly, an Atlanta-based offsite airport parking service.” According to Brian Krebs, if the incident is confirmed, it would add to a “string” of security incidents involving parking services nationwide. Krebs obtained an email statement from Michael Robinson, Park-n-Fly’s senior director of information technology, stating that “[w]hile we believe that our systems are very secure…we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated.” The statement goes on to mention that Park-n-Fly is unable to find a breach of its systems. “Nevertheless, two different banks shared information with KrebsOnSecurity that suggests Park-n-Fly — or some component of its online card processing system — has indeed experienced a breach,” Krebs stated.
http://krebsonsecurity.com/2014/12/banks-park-n-fly-online-card-breach/
International Developments
Onward Transfer
On December 15th, the Dutch Data Protection Authority (Dutch DPA) accused Google, Inc. of violating the country’s Personal Data Protection Act (Act) by collecting unsuspecting users’ personal data without their consent. The Dutch DPA claims Google’s most recent, 2012 privacy policy has been violating the Act since 2012 when Google unveiled their new privacy policy. Specifically, the Dutch DPA alleges that Google “combines personal data of internet users…to display personalized adds,” further noting that the data collection is done “without Google adequately informing users in advance and without the company asking for consent,” according to a Dutch DPA announcement. “Google catches us in an invisible web of our personal data without telling us and without asking us for our consent. This has been ongoing since 2012 and we hope our patience will no longer be tested,” Jacob Kohnstamm, chairman of the Dutch DPA, highlighted. Google is facing up to €15 million ($18.6 million) in fines under the Dutch DPA action.
https://cbpweb.nl/en/news/cbp-issues-sanction-google-infringements-privacy-policy
On November 26th, the European Union’s Article 29 Working Party (Working Party) announced a new “co-operation procedure,” adopted through a working document, to enable companies to better assess contractual clauses in efforts totransfer data between multinational companies. According to the Working Party’s “co-operation procedures,” a company may seek confirmation that its contractual clauses are in compliance with the European Commission’s model clauses governing international data transfers by requesting a Data Protection Authority (DPA) that the company “believes is entitled to act as the lead DPA” to review its contract in order to “obtain a common point of view.” The Working Party’s announcement highlights criteria for selecting a DPA and the DPA’s review process.
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp226_en.pdf
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
