+1.877.796.2559 | Investors|

April 2015 Privacy Summary

By Nicolas Dufour | May 5, 2015 | Privacy Summary

Federal Developments

FTC Settlement
On April 13th, the Federal Trade Commission (FTC) announced a settlement with two debt brokers for allegedly violating the FTC Act by “exposing highly sensitive information about tens of thousands of consumers…on a public website.” The agreements with the FTC require each company to comply with “strict new requirements to protect consumers’ sensitive information.” According to the complaints, which were filed separately in August and October 2014, the FTC alleged that the debt brokers posted “unencrypted documents online containing consumers’ names, addresses, credit card numbers, bank account numbers, and amounts the consumers allegedly owed.” The disclosure of consumer personal information, according to the FTC, exposed affected consumers to risks ranging from identity theft to “phantom debt” collection.
https://www.ftc.gov/news-events/press-releases/2015/04/debt-brokers-settle-ftc-charges-they-exposed-consumers?utm_source=govdelivery

On April 7th, TES Franchising, LLC (TES), a business coaching service, and American International Mailing, Inc., a mail delivery service, reached a settlement agreement with the Federal Trade Commission (FTC) to resolve allegations that the companies “falsely claimed” they were in compliance with the U.S.-EU Safe Harbor privacy framework when, in fact, their certifications had expired. Under the proposed settlement agreement the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government.
https://www.ftc.gov/news-events/press-releases/2015/04/ftc-settles-two-companies-falsely-claiming-comply-international?utm_source=govdelivery

The FTC announced a settlement against two companies that “falsely claimed” they were in compliance with the U.S.-EU Safe Harbor privacy framework when, in fact, their certifications had expired.
https://www.ftc.gov/news-events/press-releases/2015/04/ftc-settles-two-companies-falsely-claiming-comply-international?utm_source=govdelivery

The FTC announced a settlement against Nomi Technologies for allegedly violating the FTC Act by misleading consumers about their opt-out choices related to Nomi’s consumer tracking and data collection.
https://www.ftc.gov/news-events/press-releases/2015/04/retail-tracking-firm-settles-ftc-charges-it-misled-consumers?utm_source=govdelivery

FCC / AT&T Data Breach
On April 8th, the Federal Communications Commission (FCC) announced a $25 million settlement with AT&T Services, Inc. (AT&T) resolving FCC allegations that the phone carrier failed to adequately secure approximately 300, 000 customers’ personal data, including names, Social Security numbers and other account-related information. According to the FCC, AT&T employees at call centers in three countries accessed and obtained records belonging to approximately 280, 000 U.S. customers without authorization, and provided that data to unauthorized third parties. FCC Chairman Tom Wheeler said in a statement that, “[a]s the nation’s expert agency on communications networks, the FCC cannot — and will not —stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.” In addition to the $25 million penalty, the settlement requires AT&T to improve its privacy and data security practices by appointing a “senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities.” AT&T acknowledged a data breach on October 1, 2014 affecting an unspecified number of individuals.
http://www.fcc.gov/document/att-pay-25m-settle-investigation-three-data-breaches-0

Credit Reports for Minors
On March 26th, Rep. Jim Langevin (D-RI) introduced H.R. 1703, the “Protect Children from Theft Act of 2015.” The bill would amend the Fair Credit Reporting Act (FCRA) to “create protected credit reports for minors and protect the credit of minors.” The bill would require a consumer reporting agency to, “upon request by a covered guardian of a minor, create a blocked file for the minor consumer or convert a file of the minor consumer already in existence to a blocked file.” The bill also requires the Consumer Financial Protection Bureau (CFPB) to establish procedures:

  • For a credit reporting agency to properly identify the covered guardian and the minor consumer prior to creating, converting, or unblocking a blocked file for such minor consumer;
  • For a cedit reporting agency to create a blocked file for a minor consumer or to convert a file of a minor consumer already in existence to a blocked file; and
  • For a covered guardian to unblock a file.

Under the bill, a credit reporting agency would be required to “unblock a blocked file upon the request of the covered guardian or on the 18th birthday of the minor consumer.” The bill would require an “alert statement” to be present in a minor consumer’s unblocked file if the minor consumer was a “victim of fraud or identity theft” before his or her 18th birthday. The bill would charge the CFPB with determining a fee to be charged for a credit reporting agency creating, converting, or unblocking a file. Finally, the bill defines relevant terms, including “minor consumer” which means a “consumer who has not attained 18 years of age, ” and “covered guardian” which means:

  • The legal guardian of a minor child;
  • The custodian of a minor child; or
  • In the case of a child in foster care, the state agency or Indian tribe or tribal organization responsible for the child’s foster care.

http://www.gpo.gov/fdsys/pkg/BILLS-114hr1703ih/pdf/BILLS-114hr1703ih.pdf

Ban the Box
Criminal justice reform advocates are meeting with top White House advisers on Wednesday to help people who’ve done their time, Politico reports. They’re urging President Barack Obama to issue an executive order banning the government and federal contractors from asking most prospective employees questions about criminal records. The demand is commonly known as “ban the box, ” which refers to the section of job applications where employers inquire about arrests and convictions.

“People shouldn’t be penalized for their whole life for indiscretions they have made, ” a member of the activist delegation told Politico.

Some 70 million Americans have criminal backgrounds that make it harder for them to find work, according to the National Employment Law Project, which supports “ban the box” measures. People of color, who make up 60 percent of the prison population, are disproportionately impacted by criminal background inquiries, advocates point out. They also say that background checks run counter to the justice system’s goal of rehabilitation.

Fourteen states and the District of Columbia have passed “ban the box” laws. Last month, Georgia Governor Nathan Deal, who is Republican, signed an executive order to that effect.
http://www.ibtimes.com/ban-box-advocates-call-executive-order-white-house-1858786

Fair Chance Hiring Practices
The Washington Post publishes an article entitled, “Virginia Adopts Fair Chance Hiring Practices. Now It’s the Federal Government’s Turn.”
http://www.washingtonpost.com/posteverything/wp/2015/04/06/virginia-adopts-fair-hiring-practices-now-its-the-federal-governments-turn/

Federal Consumer Privacy Bill of Rights Act of 2015
Forbes reports that the White House’s “Consumer Privacy Bill of Rights Act of 2015, ” which was released in February, “sets an ominous tone for future action.”
http://www.forbes.com/fdc/welcome_mjx.shtml

Data Security and Breach Notification
On April 14th, the U.S. House Energy and Commerce Committee reported out HR 1770, the “Data Security and Breach Notification Act, ” on a party-line vote of 29-20. The bill “would require certain entities that collect and maintain personal information of individuals to secure such information and to provide notice to such individuals in the case of a breach of security.” Specifically, the bill would:

  • Set a national standard for covered entities to implement and maintain “reasonable security measures and practices to protect and secure personal information”;
  • Require covered entities that suffer a data breach to notify affected individuals “as expeditiously as possible and not later than 30 days after the covered entity has taken the necessary measures” to investigate the breach; and
  • Empower the Federal Trade Commission and state attorneys general to obtain civil penalties for violations of the data security and breach notification requirements.

The full House is expected to take the bill up next week, though the Committee continues to work on several issues, including possible breaches of non-HIPAA covered health care information.
http://docs.house.gov/meetings/IF/IF00/20150414/103337/BILLS-114pih-HR1770DataSecurityandBr.pdf

Data Security Guidance for Hospital Governing Boards
The Office of Inspector General at HHS published “guidance” for hospital governing boards on how to identify and avoid, among other things, data breaches.
https://oig.hhs.gov/newsroom/news-releases/2015/guidance-release2015.asp

Bill Regarding Prosecution of Cybersecurity Criminals
Sen. Mark Kirk (R-IL) introduced S. 1027, the “Data Breach Notification and Punishing Cyber Criminals Act.”
http://www.kirk.senate.gov/?p=press_release&id=1395

Rep. Zoe Lofgren (D-CA) and Sens. Ron Wyden (D-OR) and Rand Paul (RKY) introduced HR 1918, which would affect prosecutions of cyber criminals.
https://lofgren.house.gov/uploadedfiles/cfaa_reform.pdf

FCRA/Amendment
Rep. Bruce Poliquin (R-ME) introduced HR 2091 to amend the FCRA to “clarify the ability to request consumer reports in certain cases to establish and enforce child support payments and awards.”
https://poliquin.house.gov/media-center/press-releases/poliquin-ellison-introduce-child-support-assistance-act

State Developments

Data Security/Breach
On April 27th, American Express Company (American Express) reported a data breach involving a third party merchant and affecting an undisclosed number of customers’ names and payment card information. Specifically, American Express stated that an unidentified merchant discovered unauthorized access to their website where American Express cardholders made online purchases. American Express has not identified any misuse of information and emphasized that no cardholder’s Social Security number was compromised. American Express has “placed additional fraud monitoring” on affected customers’ cards and will contact customers regarding any unusual activity.
http://oag.ca.gov/system/files/C2015020110%20CA%20AG%20-%20Customer%20Notice_0.pdf?

Apr. 22: Freedom Smokes, Inc. reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information.
http://oag.ca.gov/system/files/Notice%20to%20CA%20Consumers_0.pdf?

On April 13th, Homebridge, Inc. (Homebridge) reported a data breach involving an undisclosed number of current and former employees’ names, addresses, and Social Security numbers. According to the breach notice, from January to March 2015 “cyber criminals deployed malicious software…on a limited number of Homebridge computers.” The affected computers contained human resource records. Upon discovering the incident, Homebridge notified law enforcement to conduct an investigation which remains ongoing. Homebridge recommends that employees monitor their credit reports and is offering affected employees credit monitoring and identity protection services for one year at no cost.
http://oag.ca.gov/system/files/Homebridge%20Data%20Security%20EE%20Notification%20Letter%2013%20April%202015_0.pdf

On April 10th, Reuters reported that Lufthansa Group (Lufthansa) confirmed that hackers gained access to travelers’ frequent flyer accounts. According to Reuters, hackers obtained a list of customers’ usernames and passwords to gain access to customers’ frequent flyer accounts, and subsequently made purchases using the miles on the account. A Lufthansa spokesman told Reuters that, upon learning of the incident, Lufthansa “blocked several hundred accounts as a result, and any miles spent by the hackers had been credited back to customer accounts.”
http://uk.reuters.com/article/2015/04/10/uk-germany-cybersecurity-lufthansa-idUKKBN0N11GG20150410

On April 10th, HSBC Finance Corp. (HSBC) reported a data breach involving an undisclosed number of customers’ names, Social Security numbers, and account information. According to the breach notification, customers’ personal information about certain mortgage accounts was “inadvertently made accessible” on the Internet at the “end of last year.” Upon learning of the incident, HSBC removed the information from the Internet. HSBC also contacted law enforcement to conduct an investigation. HSBC recommends that customers monitor their account transactions and place a fraud alert on their credit file. HSBC is offering credit monitoring services to affected customers for one year at no cost to the customer.
http://oag.ca.gov/system/files/IdGrd_1%20-%2047%20State%20B_AG_0.pdf

Apr. 10: The University of California, Riverside, reported a data breach involving an undisclosed number of students’ names and Social Security numbers.
http://oag.ca.gov/system/files/UCR%20Graduate%20Division%20Computer%20Theft%20Notification%20Draft%20Memo%20March%202015%20FINAL_0.pdf?

On April 10th, Sweaty Bands, LLC (Sweaty Bands) reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information. On March 18, 2015, Sweaty Bands learned that an unauthorized person gained access to the servers hosting its website’s payment processing software and installed malicious software on its systems to obtain customers’ payment information. The affected period, according to the breach notice, is between March 14 and March 18, 2015. Since discovering the incident, Sweaty Bands removed the malicious software from its systems. Sweaty Bands recommends that customers monitor their credit reports and consider placing a fraud alert on their credit file.
http://www.ago.vermont.gov/assets/files/Consumer/Sweaty%20Bands%20SBN%20to%20Consumer.pdf

On April 8th, White Lodging Services Corporation (White Lodging), a hotel management company, reported a data breach involving an undisclosed number of customers’ names and payment card information. According to the breach notification, White Lodging suffered a data breach involving its point of sales systems at food and beverage outlets between July 3, 2014 and February 6, 2015. According to White Lodging, ten of their properties were affected, including food and beverage outlets located at the:

  • Chicago Marriott Midway Airport;
  • Austin Marriott South Airport;
  • Boulder Marriott; and
  • Indianapolis Marriott Downtown.

Upon learning of the incident, White Lodging contacted law enforcement to conduct an investigation which remains ongoing. White Lodging recommends that customers monitor their payment transactions and is offering affected individuals fraud resolution and identity protection services for one year at no cost to the customer. White Lodging previously announced a similar breach of customer payment card information in February 2014 (previously reported).
http://www.prnewswire.com/news-releases/white-lodging-releases-information-about-data-breach-investigation-at-select-food-and-beverage-outlets-300062065.html

On April 6th, Intuit, Inc. (Intuit) reported a data breach involving an undisclosed number of customers’ TurboTax accounts and affecting information contained on customers’ tax returns. According to the notice, Intuit learned that an individual accessed customers’ TurboTax accounts without authorization. Intuit confirmed that customer usernames and password information for such accounts were not obtained from any Intuit system and that the login information must have been obtained from “other sources.” Intuit recommends customers check their computers for viruses and is offering affected customers credit monitoring and identity theft protection services for one year at no cost.
http://oag.ca.gov/system/files/Sample%20Consumer%20Notification%20Letter_0.pdf

On April 2nd, Auburn University (AU) reported a data breach involving an undisclosed number of current, former and prospective students’ names, addresses, Social Security numbers, birthdates, and academic information. According to the breach notice, students’ information was “inadvertently accessible on the internet since September 2014.” AU states that they corrected the “internal issue” on the day they learned of the incident. AU is unaware of any misuse of student information, but recommends students monitor their credit reports. AU is offering affected students free credit monitoring services for two years.
http://oag.ca.gov/system/files/Auburn%20-%20notice%20sample_0.pdf

AT&T reported a possible data breach involving an undisclosed number of customers’ account information.
http://oag.ca.gov/system/files/CS_California_0.pdf?

State Legislation

Background Checks
Apr. 23: The Colorado state House passed HB 1328, which would affect background checks for youth sports organizations.
http://www.leg.state.co.us/clics/clics2015a/csl.nsf/fsbillcont3/20FC782C7305B6AE87257DE800557407?open&file=1328_eng.pdf

On April 17th, the Illinois state House passed HB 1665, which would affect background checks for school bus drivers. According to the bill, Illinois’ Secretary of State would be charged with issuing school bus driver permits to applicants who fulfill all the requirements of the application and screening process to “insure the welfare and safety of children who are transported on school buses” throughout the state. The background check would consist of the applicant submitting their fingerprints to the Department of State Police to conduct a criminal background check on information available in the state system and through the Federal Bureau of Investigation’s databases. The cost of the background check would be charged to the applicant.
http://www.ilga.gov/legislation/99/HB/PDF/09900HB1665lv.pdf

On April 16th, the Texas state House passed HB 2145, which would affect background checks for “certain individual insurance license applicants to act as insurance agents.” According to the bill, the state may issue a “provisional permit” to insurance agent applicants upon the receipt of, among other things:

  • A written application for a provisional permit;
  • A properly completed license application; and
  • A certificate signed by the appointing agent, insurer, or health maintenance organization stating that, among other things, the appointing agent, insurer, or health maintenance organization completed a background check on the applicant that did not show any felony convictions.

http://www.legis.state.tx.us/tlodocs/84R/billtext/pdf/HB02145E.pdf#navpanes=0

On April 9th, Arizona Governor Doug Ducey (R) signed HB 2135, which will affect background checks for ride-sharing companies. Specifically, the bill directs transportation network companies, otherwise known as ride-sharing companies, to conduct, or hire a third party to conduct, a local and national criminal background check for any prospective drivers. The bill specifies that any pre-employment background check on a driver must include the following:

  • A multijurisdictional criminal records locator;
  • A validated commercial nationwide database; and
  • A national sex offender registry database.

The bill also requires ride-sharing companies to review the prospective driver’s driving history report. The bill prohibits drivers from being employed if the individual, among other things:

  • Has three or more moving violations in the preceding three years;
  • Is listed in a national sex offender registry database; or
  • Does not possess a valid driver’s license.

http://www.azleg.gov/legtext/52leg/1r/bills/hb2135s.pdf

On April 6th, Arkansas Governor Asa Hutchinson (R) signed HB 1650, which will affect background checks for “licensed personnel and classified employees of public schools.” The bill amends current law on background checks for employees of educational institutions. According to the bill, “an educational entity that is initiating a criminal records check…shall subscribe to and initiate both the state and federal criminal records check on the Department of Arkansas State Police (DASP) online system.” Additionally, the bill would require that, starting July 1, 2016, “all fingerprints shall be taken by an electronic fingerprinting method approved by the [DASP].”
http://www.arkleg.state.ar.us/assembly/2015/2015R/Bills/HB1650.pdf

On April 6th, Idaho Governor Butch Otter (R) let HB 262 become law without his signature. The law will affect driver background checks for ride-sharing companies. Specifically, the law will require that the transportation network company (TNC), otherwise known as ride-sharing companies, conduct, or have a third party conduct, a local and national criminal background check for any prospective drivers. The background check for each prospective driver, according to the law, shall include:

  • A multistate/multi-jurisdictional criminal records locator; and
  • A national sex offender registry database.

The law also requires ride-sharing companies to review the prospective driver’s driving history report. The law prohibits drivers from being employed if the individual, among other things:

  • Has more than three moving violations in the preceding three years;
  • Is listed in a national sex offender registry database; or
  • Does not possess a valid driver’s license.

The law specifically states that TNC drivers “shall not be required to register the vehicle that the driver uses for TNC services as a commercial or for-hire vehicle or to obtain a commercial driver’s license.”
http://www.legislature.idaho.gov/legislation/2015/H0262.pdf

Apr. 6: Arkansas Governor Asa Hutchinson (R) signed SB 145 which will affect background checks for the Arkansas State Board of Massage Therapy.
http://www.arkleg.state.ar.us/assembly/2015/2015R/Bills/SB145.pdf

On April 2nd, Oklahoma Governor Mary Fallin (R) signed SB 115, which will affect background checks for employees working at foster homes. The current law requires employers to request that the Oklahoma State Bureau of Investigation conduct a criminal history background check on any individuals seeking to provide health-related services at the foster care facility. The bill amends the current law by expanding the definition of “employer” to include “any facility approved and annually reviewed by the United States Department of Veterans Affairs as a medical foster home in which care is provided exclusively to three or fewer veterans.” The bill will become effective November 1, 2015.
http://webserver1.lsb.state.ok.us/cf_pdf/2015-16%20ENR/SB/SB115%20ENR.PDF

Apr. 1: The Arkansas state legislature sent to the Governor SB 807, which would affect who may view a criminal background checks.”
http://www.arkleg.state.ar.us/assembly/2015/2015R/Bills/SB807.pdf

Mar. 31: Utah Governor Gary Herbert (R) signed HB 300, which will affect background checks related to concealed weapons permits.
http://le.utah.gov/~2015/bills/hbillenr/HB0300.pdf

Mar. 30: Arizona Governor Doug Ducey (R) signed SB 2086, which will add and modify background check requirements for state agencies.
http://www.azleg.gov/legtext/52leg/1r/bills/hb2086s.pdf

Mar. 30: The Texas legislature passed SB 219, which would affect the state’s Health and Human Services background check policies for prospective caregivers.
http://www.azleg.gov/legtext/52leg/1r/bills/hb2086s.pdf

On March 30th, Idaho Governor Butch Otter (R) signed HB 190, which “amends existing law to revise a fee for undergoing a criminal history check.” Specifically, the bill changes the amount that the state’s Department of Education may charge individuals for conducting a criminal history check from $40 to a fee “necessary to cover the cost of undergoing” the criminal history check.
http://legislature.idaho.gov/legislation/2015/H0190.pdf

Mar. 27: Utah Governor Gary Herbert (R) signed HB 145, which will “amend[] provisions relating to the Department of Human Services’ background check procedures.”
http://le.utah.gov/~2015/bills/hbillenr/HB0145.pdf

An Ohio Assemblyman introduced HB 147, which would affect background checks for concealed handgun licenses.
https://www.legislature.ohio.gov/legislation/legislation-documents?id=GA131-HB-147

The Texas state House passed HB 1769, which would affect background checks for assisted living facility license applicants.
http://www.capitol.state.tx.us/tlodocs/84R/billtext/pdf/HB00896E.pdf#navpanes=0

Oklahoma Governor Mary Fallin (R) signed HB 2179, which will affect background checks for operators of commercial motor vehicles.
http://webserver1.lsb.state.ok.us/cf_pdf/2015-16%20ENR/hB/HB2179%20ENR.PDF

State of Texas-New Offence for Breach of Computer Security
The Texas state House passed HB 896, which would “create a criminal offense regarding the breach of computer security.”
http://www.capitol.state.tx.us/tlodocs/84R/billtext/pdf/HB00896E.pdf#navpanes=0

Breach Notification
On March 2nd, Wyoming Governor Matthew Mead (R) signed SF 35, which establishes security breach notification requirements. The Governor also signed SF 36, which amends the definition of personally identifying information (PII).

  • Under SF 35, breach notification must be “clear and conspicuous” and must include, at a minimum:
    • The type of potentially compromised information;
    • A description of the breach incident;
    • Steps taken by the breached entity to prevent subsequent breaches; and
    • Advice to affected individuals to review account statements and monitor credit reports.
  • Under SF 36, the definition of PII is expanded to include:
    • An individual’s username or email address when combined with a password or security question and answer;
    • A birth or marriage certificate;
    • Medical and health insurance information; and
    • Unique biometric data.

Both bills will go into effect on July 1, 2015.
SF 35: http://legisweb.state.wy.us/2015/Enroll/SF0035.pdf
SF 36: http://legisweb.state.wy.us/2015/Enroll/SF0036.pdf

Data Breach Notification
On February 27th, Montana Governor Steve Bullock (D) signed HB 74, which amends the state’s data security and breach notification law. The bill adds the following types of information to the definition of “personal information”:

  • “Medical record information, ” defined as information related to “an individual’s physical or mental condition, medical history, medical claims history, or medical treatment” and “obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian”; and
  • Identity protection personal identification numbers issued by the Internal Revenue Service.

The bill also requires that a breached entity submit to the Attorney General’s Consumer Protection Office—or the state insurance commissioner, where applicable—a copy of the notification to affected individuals as well as a statement that includes both the number of affected individuals and the date and method of distributing such notice. The bill will take effect on October 1st.
http://leg.mt.gov/bills/2015/sesslaws/ch0062.pdf

Ban the Box
On April 3rd, Virginia Governor Terry McAuliffe (D) signed an Executive Order (Order) affecting state hiring practices by removing questions regarding criminal history from employment applications. Specifically, the Order requires the state’s Department of Human Resources Management to, among other things:

  • Amend the state employment application to “ban the box”, removing those questions relating to convictions and criminal history;
  • Inform all hiring authorities within the executive branch that state employment decisions will not be based on the criminal history of an individual unless demonstrably job-related and consistent with business necessity, or state or federal law prohibits hiring an individual with certain convictions for a particular position; and
  • Provide guidance to ensure that any criminal history background check is only conducted after a candidate has (a) signed the appropriate waiver authorizing release, (b) been found otherwise eligible for the position, and (c) is being considered for a specific position.

The Order states that it applies to all agencies, boards and commissions within the executive branch, and “also encourages similar hiring practices among private employers operating within the Commonwealth and state government contractors.”
https://governor.virginia.gov/newsroom/newsarticle?articleId=8131

Student Data Security
On April 13th, New Jersey Assembly members introduced A4354, which would require employees of a private entity that has access to student information and that is under contract with the state’s Department of Education (DOE) to undergo a criminal background check. According to the bill’s sponsors, the bill would help protect the privacy and personal data of students by applying existing standards related to criminal background checks for public school employees to determine whether a contractor employee could access student data. Under the bill, the DOE would not be required to enter into a contract with a private entity if the criminal history record check of the employees who would have access to student information contains a record of conviction for any disqualifying crime or offense.
http://www.assemblydems.com/Article.asp?ArticleID=9477

NY Data Security Act
Apr. 8: New York Assemblymen referred to the Consumer Affairs and Protection Committee A 06866 to “amend the general business law and the state technology law in relation to the data security act.”
http://assembly.state.ny.us/leg/?default_fld=&bn=A06866&term=2015&Summary=Y&Actions=Y&Text=Y

Biometric Information
On April 15th, Massachusetts state lawmakers referred to the Senate Consumer Protection and Professional Licensure Committee S. 124, which would protect biometric information under the state’s security breach law. The bill would amend the state’s current data breach law to explicitly invoke a duty to report known security breaches that involve “biometric indicator[s].” The bill would define “biometric indicator” as “any unique biological attribute or measurement that can be used to authenticate the identity of an individual, including but not limited to fingerprints, genetic information, iris or retina patterns, facial characteristics or hand geometry.”
https://malegislature.gov/Bills/189/Senate/S124

Misc. Matters
Apr. 22: The Illinois state Senate passed SB 1833, the “Personal Information Protection Act.”
http://www.ilga.gov/legislation/99/SB/PDF/09900SB1833lv.pdf

Apr. 13: Arizona Governor Doug Ducey (R) signed HB 2220, which will affect credit reporting agencies placing a ”security freeze” on certain peoples’ credit reports.
http://www.azleg.gov/legtext/52leg/1r/laws/0280.pdf

Apr. 6: California state lawmakers “re-referred” to the Utilities and Commerce Committee AB 866, which would limit the personal information that ride-sharing companies can request or require from customers.
http://www.leginfo.ca.gov/pub/15-16/bill/asm/ab_0851-0900/ab_886_bill_20150226_introduced.pdf

Credit Reporting Agencies
On April 13th, Arizona Governor Doug Ducey (R) signed HB 2220, which will affect credit reporting agencies placing a “security freeze” on certain individuals credit reports. According to the law, credit reporting agencies will be required to place a security freeze on a protected person’s credit report, provided that the following occurs:

  • The credit reporting agency receives a security freeze request from the protected person’s representative; and
  • The protected persons’ representative does all of the following:
    • Submits the request to the credit reporting agency at the agency’s address or other point of contact in a manner specified by the agency;
    • Provides sufficient proof of identification for both the protected person and the representative;
    • Provides sufficient proof of authority to act on the protected persons’ behalf; and
    • Pays a fee to the credit reporting agency.

The law defines a “protected person” as an individual who:

  • Is under 16 years of age at the time a request for the placement of a security freeze is made; or
  • Is an incapacitated person or a protected person for whom a guardian or conservator has been appointed.

The law also establishes requirements for removing a security freeze from a protected person’s credit report, including proof that the protected person’s representative no longer has authority to act on his or her behalf. The law will take effect on December 31, 2015.
http://www.azleg.gov/legtext/52leg/1r/laws/0280.pdf

Court Cases

Supreme Court / FCRA
On April 27th, U.S. Supreme Court has agreed to hear Spokeo, Inc.’s (Spokeo) challenge to a Ninth Circuit decision to revive a Fair Credit Reporting Act suit against Spokeo for allegedly publishing inaccurate information about the plaintiff on the company’s search engine. The issue in the case is whether websites that collect consumer personal data can be sued for publishing inaccurate information, even if the errors do not cause any actual harm. Spokeo has argued that a fear that potential employers would rely on inaccurate information to make decisions on prospective employees does not amount to actual harm. The decision to hear the case comes after the U.S. Solicitor General filed a brief with the Court last month urging the Court to deny certiorari.
Spokeo, Inc. v. Thomas Robins et al., No. 13-1339 (S. Ct., Apr. 27, 2015).
The Washington Post Article: http://www.washingtonpost.com/business/technology/high-court-to-consider-lawsuits-over-personal-data/2015/04/27/614a712c-ece3-11e4-8050-839e9234b303_story.html

Data Breaches
On April 6th, a federal district court dismissed a putative class action lawsuit against Horizon Healthcare Services, Inc. (Horizon) alleging that the company failed to protect approximately 840, 000 customers’ personal information following a data breach in 2013, ruling that the plaintiffs did not establish they suffered harm. The complaint alleged that Horizon failed to update its data security policies and practices after a previous data breach in 2008. According to the plaintiffs, the failure to update its data security practices resulted in the 2013 data breach involving two stolen laptops that did not have safeguards in place to protect members’ personally identifiable information, including names, birthdates and Social Security numbers. However, the court found that the plaintiffs did not “suffer[] any monetary losses…or that they have sustained any other injuries such as identity theft, identity fraud, medical fraud, or phishing, ” adding that the plaintiffs “have not alleged an ‘economic injury’ sufficient for standing.”
In re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418 (D.N.J., Apr. 6, 2015).

Mar. 31: Tiversa Holding Corp. denied allegations brought by LabMD, Inc. that it hacked LabMD’s computers and misled the FTC into believing that LabMD made certain patient information publicly available online.

Data Security
On April 24th, RadioShack Corp. (RadioShack) responded to objections from numerous state attorneys general regarding its bankruptcy asset sale involving the potential disclosure of customer data, arguing that it has provided additional details about the information that is up for sale. On March 26th, state attorneys general, led by Texas Attorney General Ken Paxton, filed a motion urging the Delaware bankruptcy court to deny RadioShack’s planned asset sale, stating that more details need to be disclosed regarding the type of customer data that is up for sale (previously reported). In its response, RadioShack emphasized that it has not “ignored” the objections raised by the state attorneys general and has provided additional details about the customer data in “numerous conversations with the State of Texas.”
In re: RadioShack Corp., No. 1:15-bk-10197 (Bankr. D. Del., Apr. 24, 2015).

On April 15th, Texas Attorney General Ken Paxton filed a second motion with the Delaware federal bankruptcy court urging it to deny Radioshack Corp.’s (Radioshack) planned asset sale that consists of millions of customers’ personal information. In his motion, Paxton expressed concern that Radioshack has not provided any details into the type of personal information that would be included as a part of the asset sale. Paxton also noted that 35 other state attorneys general have expressed support for Texas’ Daily Privacy & Consumer Regulatory Alert

On April 3rd, media reported that RadioShack’s bankruptcy proceedings will consider whether a company’s privacy commitments made to customers continue after the company no longer exists. On March 23rd, Texas Attorney General Ken Paxton (R) filed an objection letter with the Delaware bankruptcy court, expressing concern over the bankruptcy proceedings possibly resulting in the sale of up to 117 million customers’ personal data (previously reported). Numerous state attorneys general have backed Paxton’s concern since the objection was filed. As a result of the objections by the state attorneys general, commentators believe that the bankruptcy court will have to consider how a change in corporate ownership or bankruptcy could affect promises or statements made by a company to consumers regarding the privacy of their personal data.
In re: RadioShack Corp., No. 1:15-bk-10197 (Bankr. D. Del., Apr. 3 2015).

Andrew Vara, acting U.S. Trustee, filed an objection in Delaware’s federal bankruptcy court opposing the sale of RadioShack Corp.’s customer data.

FCRA / Hospital Data Breach
On March 31st, plaintiffs urged the Seventh Circuit to revive a data breach lawsuit against Advocate Health and Hospitals Corp. (Advocate Health) for alleged violations of the Fair Credit Reporting Act (FCRA), arguing that the law extends to hospitals and not just consumer reporting agencies. Last year, a federal judge dismissed the FCRA claims, ruling that a hospital is not a covered entity under the FCRA. Plaintiff’s counsel argued that the FCRA is “broad, ” adding that “this statute was designed to cover the very conduct that occurred here.” Counsel for Advocate Health argued that the FCRA must be narrowly construed and that the hospital is not a consumer reporting agency as defined under the statute. The Seventh Circuit panel took the case under advisement following oral arguments.
Tierney et al. v. Advocate Health and Hospitals Corp., No. 14-3168 (7th Cir., Mar. 31).

Privacy – Biometrics
On April 1st, Plaintiffs filed a putative class action lawsuit against Facebook, Inc. (Facebook) alleging that the social media company’s facial recognition software violates state privacy laws by scanning users’ pictures and collecting “facial feature data” without their consent. Specifically, the plaintiff’s complaint alleges that Facebook’s “tag suggestions” feature, which permits Facebook users to identify their friends in uploaded photos, “uses proprietary facial recognition software” that “extract[s] unique biometric identifiers associated with their faces, and determine[s] who they are.” The plaintiff alleges that Facebook’s biometric data collection practices are not properly disclosed in Facebook’s privacy policy and does not ask for users’ consent to collect such data. According to the plaintiff, “[w]ith millions of users in the dark about the true nature of this technology, Facebook secretly amassed the world’s largest privately held database of consumer biometrics data.”
Licata v. Facebook, Inc., No. 2015CH05427 (Cir.Ct.Ill., Apr. 1, 2015).

FCRA/LinkedIn
On April 14th, a federal district court granted LinkedIn Corp.’s (LinkedIn) motion to dismiss a putative class lawsuit alleging Fair Credit Reporting Act (FCRA) violations by allowing businesses to check prospective employees’ references without the applicants’ knowledge. LinkedIn argued that reference searches on LinkedIn profiles cannot be considered “consumer reports under the FCRA and that it, as a company, was not acting as a “consumer reporting agency.” The court agreed with LinkedIn, stating that “the facts alleged in plaintiffs’ complaint…support the inference that LinkedIn gathers the information about the employment histories of the subjects of the reference searches not to make consumer reports but to ‘carry out consumers’ information-sharing objectives.’”
Sweet et al. v. LinkedIn Corporation, No. 5:14-cv-04531 (N.D. Cal., Apr. 14, 2015).

Class Action/Breach of Contract
Apr. 3: Plaintiffs in a putative class action lawsuit against Google urged a federal district court to deny Google’s motion to dismiss, arguing that the tech company breached its contract with users by releasing customers’ data to third parties that has an “objectively quantifiable value.”

Furnisher of Information
Apr. 3: Dun & Bradstreet urged a federal district court to dismiss four proposed class action lawsuits brought against it alleging that the company negligently included inaccurate information on plaintiffs’ credit reports.

Class Action/Violation of FCRA
Apr. 7: Plaintiffs filed a putative class action lawsuit against Amazon.com, Inc., alleging violations of the FCRA over the company’s background check procedures.

Apr. 6: A federal district court dismissed certain claims against DHA Group, Inc., leaving allegations that the DHA Group violated the FCRA by unlawfully obtaining the plaintiff’s credit report.

FCRA / Amazon
On April 7th, plaintiffs filed a putative class action lawsuit against Amazon.com, Inc. (Amazon), alleging violations of the Fair Credit Reporting Act (FCRA) over the company’s background check procedures. According to the complaint, the plaintiff was denied a position at Amazon after the company obtained a criminal background check on him and failed to provide him with the results of the background check. The plaintiff alleges that the background check, in fact, contained a felony conviction for cocaine possession “which did not belong to Plaintiff.” The alleged failure to provide a copy of the background check violates the FCRA, according to the complaint. The plaintiff seeks to represent a nationwide class of individuals who had sought employment at Amazon within the past five years and did not receive a copy of their background check as required by the FCRA.
Gregory Williams v. Amazon.com, Inc. et al., No. 2:15-cv-00542 (W.D. Wash., Apr. 7, 2015).
http://oag.ca.gov/system/files/IdGrd_1%20-%2047%20State%20B_AG_0.pdf?

Class Action Lawsuit against Equifax
A federal district court certified a class of individuals in an action alleging that Equifax Information Services LLC violated the FCRA by publishing inaccurate reports after consumers told Equifax of a change in the status of certain court judgments against the consumer.

Target Settlement with MasterCard
Target announced that it has agreed to a $19 million settlement with MasterCard over the retailer’s 2013 data breach.
http://pressroom.target.com/news/target-announces-settlement-agreement-with-mastercard;-estimated-costs-already-reflected-in-previously-reported-results

Ontario Canada
Apr. 16: Plaintiffs filed a putative class action lawsuit in Ontario superior court against Bell Mobility and Virgin Mobile seeking $750 million in damages for allegedly violating the Canadian Telecommunications Act and breaching consumer privacy over the companies’ targeted advertising efforts.

FCRA/HomeDepot
On April 21st, Home Depot USA, Inc. (Home Depot) agreed to pay at least $1.8 million to settle a putative class action lawsuit for allegedly violating the Fair Credit Reporting Act (FCRA) over its background check policies. According to the terms of the settlement stated in the plaintiffs’ motion for preliminary approval, Home Depot would be required to pay between $15 and $100 to eligible members of the settlement class, which Home Depot estimates to be approximately 120, 000. The initial complaint alleged that Home Depot’s background check disclosure forms contained extraneous information other than a disclosure that the company would conduct a background check and obtain a credit report on the individual, a violation of the FCRA according to the plaintiff.
Fernandez v. Home Depot USA, Inc., No. 8:13-cv-00648 (C.D. Cal., Apr. 21, 2015).

EEOC
Apr. 23: The EEOC urged a federal district court to deny BMW Manufacturing Co. LLC’s attempt to compel the agency to turn over its analysis of BMW’s background check policy in a racial discrimination lawsuit.

Event services company Freeman urged a federal district court to award it attorneys’ and expert fees after its successful defense of an EEOC background check suit.

Cybersecurity Cases/Class Action Lawsuit against Intuit
Plaintiffs filed a putative class action lawsuit against Intuit, Inc. accusing it of negligently failing to protect customers from identity theft by not safeguarding customer personal data.

Misc Class Action Lawsuits
Apr. 22: Plaintiffs filed a putative class action lawsuit against Alorica, Inc., a national call center operator, for allegedly violating the FCRA by unlawfully obtaining the credit reports of its employees and taking adverse action based on the information.

Adobe Systems, Inc. agreed to settle a putative class action lawsuit over its alleged failure to safeguard users’ personal data from a data breach.

Miscellaneous

FICO Scores
On April 1st, The Wall Street Journal (WSJ) reported that Fair Isaac Corp. (FICO) is expected to announce a “new credit score aimed at consumers regarded as too risky by lenders.” The new metric, according to the WSJ, has been tested with credit-card issuers since November 2014 and remains in a “pilot phase, ” but FICO is reportedly set to announce the new metric as soon as next week. According to the WSJ, “[t]he new score is largely a response to banks’ desire to boost lending volumes by increasing loan originations to borrowers who otherwise wouldn’t qualify, many of whom tend to be charged more for loans.” The WSJ notes that, as a result of the new metric, banks may experience more losses by lending to more risky borrowers; “however, “banks stand to earn more in interest revenue from riskier borrowers.” The WSJ reported that the new score will be calculated based on consumers’ payment history including, payment of:

  • Cable;
  • Cellphone; and
  • Electric and gas bills.

Traditionally, FICO scores were developed from data pulled from the three major credit reporting agencies – Equifax, Experian, and TransUnion. The new score, according to the WSJ, will be calculated by pulling data from a “separate database of telecommunications and utilities providers maintained by Equifax” as well as data maintained by LexisNexis.
http://www.wsj.com/articles/new-metric-aids-weak-credit-risks-1427861478

TransUnion IPO
On March 31st, Forbes reported that TransUnion, one of the three major credit reporting bureaus, filed for an initial public offering (IPO). TransUnion initially filed for an IPO three years ago, but withdrew after it was sold to Advent International and Goldman Sachs. According to Forbes, TransUnion looks to raise up to $100 million in the IPO, based on its filings with the Securities and Exchange Commission.
http://www.forbes.com/sites/laurengensler/2015/03/31/credit-bureau-transunion-ipo-filing/

Cyber Security
Apr. 16: The National Association of Insurance Commissioners published new cybersecurity regulatory “guidance, ” which outlines 12 principles aimed at advancing industry members’ cybersecurity practices.
http://www.naic.org/Releases/2015_docs/naic_cybersecurity_task_force_adopts_regulatory_principles.htm

Other Developments

Insurance Industry Cybersecurity Guidelines
On April 16th, the National Association of Insurance Commissioners (NAIC) published new cybersecurity regulatory “guidance, ” which outlines 12 principles aimed at advancing industry members’ cybersecurity practices. In its press release, NAIC indicated that state regulators are urging insurers to “strengthen[] [their] defenses against attacks.” The guidance highlight 12 principles that regulators “expect” insurers will implement to better protect consumers from cybersecurity breaches. According to NAIC, “[t]he twelve principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them.” The guidance includes the following principles:

  • Personally identifiable consumer data that is collected by an insurer must be “appropriately safeguarded”;
  • Cybersecurity regulatory guidance for insurers and insurance producers must be flexible, scalable, practical and consistent with nationally recognized standards; and
  • Planning for incident response is an essential component to an effective cybersecurity program.

http://www.naic.org/Releases/2015_docs/naic_cybersecurity_task_force_adopts_regulatory_principles.htm

Ban the Box
USA Today publishes an article entitled, “Koch Industries Drops Criminal history Question From Job Applications.”
http://www.usatoday.com/story/news/2015/04/27/koch-industries-criminal-justice-job-applications/26325929/

International Developments

Voice Authentication
The Times of India reports that the Industrial Credit and Investment Corporation of India Bank will soon implement voice authentication to identify account holders when they call into the bank.
http://timesofindia.indiatimes.com/business/india-business/ICICI-Bank-to-roll-out-voice-authentication/articleshow/46818823.cms

Data Stored Overseas
On April 8th, Microsoft Corp. (Microsoft) filed a brief with the Second Circuit arguing that Congress, not federal courts, should decide whether law enforcement may access companies’ data stored overseas. Microsoft is challenging the government’s use of search warrants for data stored overseas. According to Microsoft, “Congress never intended to reach, nor even anticipated, private communications stored in a foreign country when it enacted” the Electronic Communications Privacy Act of 1986. Similarly, on April 9th, Microsoft general counsel Brad Smith published a blog post stating that “[u]ntil U.S. law is rewritten, we believe that the court in our case should honor well-established precedents that limit the government’s reach from extending beyond U.S. borders.”
In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp., No. 14-2985 (2nd Cir., Apr. 8, 2015).

German Data Protection Authority
Apr. 8: A state-level German data protection authority reportedly ordered Google to revise its privacy policies following an investigation into how the tech company collects users’ private data and develops a user profile with the data.
http://www.pcworld.com/article/2907612/google-ordered-by-german-authority-to-change-privacy-practices.html

Berlin Strikes Compromise on Privacy
The Wall Street Journal published an article entitled, “Berlin Strikes Compromise on Privacy, Security With New Data Guidelines.”
http://blogs.wsj.com/digits/2015/04/15/berlin-strikes-compromise-on-privacy-security-with-new-data-guidelines/

Austrian Court Dismiss Class Action Lawsuit
Facebook, Inc. urged an Austrian court to dismiss a putative class action lawsuit alleging that it violated EU privacy laws by promoting privacy policies that enable government surveillance and collection of users’ data.

IAPP
Apr. 10: The IAPP published an article entitled, “FTC v. Wyndham: Has the
FTC Declared Unreasonable Security ‘Unfair’?”
https://privacyassociation.org/news/a/ftc-v-wyndham-has-the-ftc-really-declared-unreasonable-security-unfair/

EU Data Protection Reform
Over sixty NGOs send a letter to President Juncker of the European Commission expressing concern over possible changes to Europe’s “data protection reform package.”
https://edri.org/files/DP_letter_Juncker_20150421.pdf

Twitter Privacy Policy
April 17: Twitter, Inc. updated its privacy policy putting “Twitter International Co., ” a unit the company based in Ireland, in charge of handling data that belongs to any user who resides outside the U.S.
https://twitter.com/privacy?lang=en

Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or robert.belair@agg.com.