
August 2016 Privacy Summary

By Nicolas Dufour | Sep 6, 2016 | Privacy Summary

Federal Developments

FTC Enforcement Action
On July 29th, the Federal Trade Commission (FTC) announced that an Opinion and Final Order has been issued reversing an administrative law judge’s ruling that dismissed the FTC’s charges against LabMD, Inc., finding that the company’s data security systems and practices were in fact in violation of Section 5 of the FTC Act. The FTC’s original case against LabMD alleged that the company’s lax data security contributed to data breaches in 2009 and 2012. However, an administrative judge ruled in favor of LabMD in November of 2015, taking issue with the FTC’s reliance on the “possibility of harm.” In its challenge to the ruling, the FTC concluded that the administrative law judge incorrectly applied the legal standards for unfairness. According to the FTC’s opinion reversing the decision, “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.” The FTC found that LabMD did in fact violate the FTC Act, as “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).” The FTC’s Opinion and Final Order requires LabMD to improve its information security systems, to obtain third-party audits of its systems on a periodic basis, and to notify consumers whose information was exposed about the nature of the breach and how they can prevent identity theft.
https://www.ftc.gov/news-events/press-releases/2016/07/commission-finds-labmd-liable-unfair-data-security-practices

FTC Establishes a Low Bar for Consumer Harm in Data Security Cases: Finds LabMD Engaged in Unfair Practices
On July 29th, the Federal Trade Commission (the Commission) issued an important opinion in its long-running data security case against LabMD, finding that the company engaged in unfair practices in violation of Section 5 of the Federal Trade Commission Act (FTC Act) as a result of poor data security practices. In doing so, the Commission took an expansive view of what constitutes consumer harm in data security unfairness cases, finding that the unauthorized disclosure of sensitive health and medical information by itself constitutes a substantial injury. While health and medical information was at issue in the LabMD case, the FTC could also seek to apply the same principle to other types of sensitive data. For more information:
http://www.agg.com/ftc-establishes-a-low-bar-for-consumer-harm-in-data-security-cases-finds-labmd-engaged-in-unfair-practices/

EU-U.S. Privacy Shield
On August 15th, the Department of Commerce (DOC) reported that 36 companies are officially registered and certified as European Union (EU) – United States (U.S.) Privacy Shield compliant. Among the first companies to achieve certification are Salesforce.com, Inc. (Salesforce), Microsoft, Corp. (Microsoft), and Google, Inc. (Google). The DOC announced that the agency is currently processing over 200 applications from different companies. Google issued a press release regarding its compliance, writing, “Following the agreement, we will ensure that our products and services meet the new standards of the Privacy Shield. And, building on our work with Europe’s Data Protection Authorities over the last few years, we’re also choosing to co-operate with Europe’s Data Protection Authorities on EU-US Privacy Shield inquiries.” Cisco, Inc. (Cisco) previously published a blog post on the Privacy Shield announcing their intent to apply for certification, writing, “As much as this may feel like a big compliance headache, one thing is certain. Both sides of the Atlantic take the need to address EU privacy concerns very seriously. Ultimately, it will drive trust in business and confidence with customers, regulators and citizens alike, and that is always a good thing.” Prior to its invalidation by the EU Court of Justice (CJEU), over 4,000 companies were certified in compliance with the Safe Harbor framework.
https://www.privacyshield.gov/list

Court Cases

FCRA Litigation
On August 22nd, a California federal judge denied Armored Investment Group, Inc.’s (Armored) motion to dismiss the proposed Fair Credit Reporting Act (FCRA) lawsuit against the company for allegedly buying a consumer report without the subject’s consent. However, the judge dismissed the Plaintiff’s complaints against the consumer reporting agencies, ruling that the Plaintiff failed to allege any harm caused by the agencies that would justify personal jurisdiction. The Plaintiff accuses Armored of violating the FCRA by purchasing consumer reports for marketing purposes. The Plaintiff discovered this after filing for bankruptcy and obtaining a consumer report that revealed that Armored had requested a copy, despite having no existing relationship with the Plaintiff. Janice Zellerino v. Andrew Roosen et al., case number 8:16-cv-00485, in the U.S. District Court for the Central District of California.

On August 22nd, Waffle House, Inc. (Waffle House) announced that it will appeal a Florida federal judge’s decision not to dismiss the proposed Fair Credit Reporting Act (FCRA) class action against the company. The Plaintiff accuses the company of violating the FCRA by obtaining background reports for use in employment decisions from Public Data LP (Public Data) without notifying job applicants or allowing them to verify the information. The judge rejected Waffle House’s claims that they had “no recollection or record” of using Public Data to perform a background check. The Plaintiff accused Waffle House of using Public Data because it was a “fast and cheap alternative to the standard consumer-reporting agencies,” despite knowing that it was not in compliance with the FCRA. In its notice of appeal, Waffle House argues that the Plaintiff signed an arbitration agreement when applying for the job and requested that the judge compel arbitration. Following the judge’s refusal to dismiss the lawsuit, Waffle House announced that it would seek an appeal to the Eleventh Circuit, citing failures of the Florida court to follow the Federal Arbitration Act. William G. Jones v. Waffle House Inc. et al., case number 6:15-cv-01637, in the U.S. District Court for the Middle District of Florida, Orlando Division.

On August 9th, a Wisconsin federal judge dismissed a proposed class action against Time Warner Cable, Inc. (Time Warner) for allegedly violating the Fair Credit Reporting Act (FCRA). The original complaint alleged that Time Warner violated the law by running credit checks on job applicants without their prior express consent. However, Time Warner argued that the case should be dismissed because the Plaintiff has applied to over 562 jobs over the past two years with no intention of actually working for them and has gone on to threaten 50 of these companies with FCRA litigation, resulting in $230,000 in settlements thus far. The judge ultimately ruled in Time Warner’s favor, dismissing the case because the Plaintiff was unable to demonstrate “concrete harm” in line with the Supreme Court’s ruling in Spokeo, Inc. v. Robins. The judge also denied the Plaintiff’s motion to seal some of the case documents referencing his other lawsuits, writing that the Plaintiff, “sued the defendant on a cause of action for which he has sued a number of other companies, and yet he argues that those other suits are irrelevant to this one. In essence, he indicates that while he wants to be able to file suit against the defendant in federal court, he wants to prevent the defendant from enquiring into similar suits that he has filed against other companies for the same alleged conduct. That is not an appropriate basis for the court to seal.” Cory Groshek v. Time Warner Cable, Inc., case number 2:15-cv-00157, in the U.S. District Court for the Eastern District of Wisconsin.
http://www.workforcecomplianceinsights.com/2016/08/12/serial-fcra-plaintiff-falls-short/?utm_source=Workforce+Compliance+Insights+-++Arnall+Golden+Gregory&utm_campaign=49e7de61f8-RSS_EMAIL_CAMPAIGN&utm_medium=email&utm_term=0_f47b41811b-49e7de61f8-71327165

On August 9th, a California federal judge approved Social Finance, Inc.’s (SoFi) $2.4 million settlement resolving a class action lawsuit that accused the company of violating the Fair Credit Reporting Act (FCRA). The Plaintiff alleged that SoFi had consistently run “hard pull” credit inquiries on consumers’ credit scores, despite claiming to use “soft pull” inquiries, negatively impacting consumers’ scores in the process. The $2.4 million settlement will be divided among the 10,700 consumers whom SoFi ran “hard pull” inquiries on between November 2013 and August 2014. SoFi’s Counsel argued that, “Given that there is a disagreement about whether injunctive relief is even available to private plaintiff under the FCRA, this accomplishment is remarkable, and may achieve more for class members than could have ever been achieved in litigation.” The settlement will also require SoFi to request that the consumer reporting agency retroactively reclassify its “hard pull” credit inquiries into “soft” inquiries. Shawn Heaton v. Social Finance Inc., case number 3:14-cv-05191 in the U.S. District Court of the Northern District of California.

On August 8, Sprint Corp. (Sprint) agreed to an undisclosed settlement resolving allegations that the company illegally asked job applicants to waive their privacy rights. The Plaintiff accused Sprint of using an illegal background check authorization form that gave the company permission to access his private health and educational information in violation of the Fair Credit Reporting Act (FCRA). The complaint claims that the authorization form allowed Sprint “a vast and limitless release of information.” The lawsuit sought to represent a class of all job applicants that signed the form, which has been in use since 2013. Sprint previously attempted to dismiss the case by offering the Plaintiff the maximum penalty under the FCRA, which the plaintiff rejected. The settlement occurred before the Plaintiff was able to certify the nationwide class of job applicants. Rodriguez Jr. v. Sprint Corp et al., case number 1:15-cv-10641, in the U.S. District Court for the Northern District of Illinois.

On August 2nd, Plaintiffs seeking to represent Rite Aid, Inc. (Rite Aid) job applicants urged a Pennsylvania federal judge to certify their class. The Plaintiffs allege that Rite Aid violated the Fair Credit Reporting Act (FCRA) by failing to provide job applicants with a copy of background checks and not providing applicants the opportunity to dispute the accuracy of consumer reports. The proposed class action stems from the lead Plaintiff’s accusations that she was denied a job after a consumer report deemed her “non-competitive,” claiming that she had stolen $60 of merchandise from a previous job. The Plaintiff disputes those claims but allegedly only received the consumer report after being removed from consideration for the position at Rite Aid. The Plaintiff also accused Rite Aid of including “confusing and misleading” information about consumers’ FCRA rights on its disclosure form. The Plaintiff seeks to certify thousands of Rite Aid job applicants that were deemed “non-competitive” due to adverse results of a background report purchased by the company. The Plaintiff argues that class certification is essential, writing, “This case fits perfectly within the requirements of Rule 23. Thousands of ascertainable individuals were scored Non-Competitive by Rite Aid based on purchased background reports.” Moore v. Rite Aid Corp. et al., case number 2:13-cv-01515, in the U.S. District Court for the Eastern District of Pennsylvania.

A Wisconsin federal judge dismissed a proposed class action against Time Warner Cable alleging that the company violated the FCRA for checking job applicants’ credit without their consent, citing the Supreme Court’s Spokeo.

Data Breach Litigation
On August 19th, The Wendy’s Company, Inc. (Wendy’s) filed a motion to dismiss the proposed class action against the company over its January data breach, arguing that the Plaintiff lacks standing. The company’s data breach exposed the information of consumers that used payment cards at over 1,000 store locations across the country. The Plaintiff accuses the company of failing to enact adequate cybersecurity measures to protect customer information. Wendy’s argues that the lack of fraudulent charges proves that the proposed class has “not met their burden of pleading facts sufficient to prove that they suffered an actual, concrete injury of the sort required to invoke this court’s jurisdiction.” Wendy’s further argued that, “None of the Plaintiffs allege that they incurred any out-of-pocket expenses as a result of the alleged data breach.” Wendy’s also argued that the Plaintiff’s accusations that the company had negligent data security practices are misguided, because, “Wendy’s does not owe Plaintiffs a common law duty to safeguard their information from the criminal ‘hackers’ who perpetrated the data breach.” The company also rejected the Plaintiffs’ arguments that Wendy’s violated consumer protection statutes because the Plaintiffs do not allege that the company engaged in deceptive and abusive acts or practices. Torres v. The Wendy’s Co., case number 6:16-cv-00210, in the U.S. District Court for Florida’s Middle District.

On August 10th, a District of Columbia federal judge dismissed the putative class action lawsuit against CareFirst BlueCross BlueShield, Inc. (CareFirst) over its 2014 data breach. The judge dismissed the complaints, which sought to represent the 1.1 million customers whose information was exposed, opining that Plaintiffs lacked Article III standing. The judge ruled that, “Absent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing…” Chantal Attias et al. v. CareFirst Inc., case number 1:15-cv-00882, in the U.S. District Court for the District of Columbia.

On August 9th, a consumer whose information was exposed by Banner Health, Inc.’s (Banner) recent data breach filed a putative class action against the company. The Plaintiff accuses Banner of negligent data security practices and failing to protect consumers’ private health information, writing, “This data breach is the direct result of Banner Health’s failure to implement adequate cybersecurity measures commensurate with the duties it undertook by storing large amounts of customer information on its computer servers.” The data breach exposed 3.7 million patients’ records including names, addresses, Social Security numbers, medical information, and birthdates. The Plaintiff also accuses Banner of not taking the data breach seriously, writing, “Other than confirming that Banner Health’s servers have been compromised, Banner Health has failed to provide any indepth or detailed information as to the actual extent of this compromise, such as the security vulnerabilities that led to the breach, what (if any) measures have been implemented to prevent subsequent data breaches…” The complaint specifically accuses Banner of violating the Arizona Consumer Fraud Act in addition to unjust enrichment and negligence charges. The class action seeks to represent all 3.7 million individuals whose information was exposed. Kendra Clark v. Banner Health, case number 2:16-cv-02696, in the U.S. District Court for the District of Arizona.

On August 4th, an Alabama federal judge denied Innovak International, Inc.’s (Innovak) motion to dismiss the proposed class action lawsuit alleging that the company failed to secure its cybersecurity systems despite being informed of their weaknesses. The lead Plaintiff sued Innovak after learning that her tax information, payroll information, Social Security number, address, contact information, and birthdate were exposed due to a cyberattack in April. Innovak filed a motion to dismiss the case, arguing that the Plaintiff’s claims were ambiguous and failed to meet the requirements for class certification. According to the judge’s order rejecting Innovak’s motion to dismiss, “Innovak’s only argument on this point is that Plaintiffs’ complaint does not specify what measures or steps Innovak should have taken to prevent the data security breach.” The judge also wrote, “The factual allegations are neither vague nor ambiguous. Plaintiffs specifically identify the grounds for their relief such that Innovak is in a position to prepare its answer.” Melissa Bohannan v. Innovak International Inc, case number 1:16-CV-272-WKW in U.S. District Court for the District of Alabama.

Background Screening Class Certified in Obsolete Information Case
On July 26, a Northern District of California judge certified a class of applicants who claimed that S2Verify, a background check company, included obsolete criminal information on their background reports in violation of the Fair Credit Reporting Act. In certifying the class, the Court found that the alleged harm was sufficient under the U.S. Supreme Court’s ruling in Spokeo. Plaintiff filed the proposed class action alleging that the background report provided to his prospective employer included past arrests that did not result in a conviction that were older than seven years, in violation of 15 U.S.C. § 1681c(a)(2). Plaintiff claimed that as a result of the obsolete information included in the report, he was denied employment with the company where he applied to be a security guard. During discovery, S2Verify admitted that during the time frame at issue, it made exceptions to the FCRA prohibition on reporting obsolete information for clients who were placing employees in “sensitive” positions by giving those clients access to the stale data until March 2014. While the FCRA allows this type of “obsolete information” to be included where a consumer report is prepared in connection with “the employment of any individual at an annual salary which equals, or which may reasonably be expected to equal $75,000, or more,” there is no exception provided based on the type of position for which an employee applies. The Court certified the class finding that the lawsuit met the numerosity, commonality, typicality, and adequacy requirements for granting class certification.
The Court also ruled that the claim asserted by Plaintiff satisfied the concreteness test for purposes of standing since he was able to demonstrate that S2Verify “sent restricted information about plaintiff into the world and as such caused injury to plaintiff’s privacy interest.” The national class of approximately 4,500 includes individuals who were the subject of an S2Verify report for nine different companies from June 2013 through February 2014 and whose reports included any arrests, charges, or indictment information that did not result in a conviction that were older than seven years.

State Developments

Criminal Risk-Assessment Software
On July 28th, IAPP reported that the Wisconsin Supreme Court has upheld the use of a risk-based software, known as COMPAS, used by court systems to calculate the likelihood that someone will commit a crime. The software uses an algorithm that examines a variety of different data points to assign a person a risk score, which is then used by judges to aid in sentencing decisions. The original case involved a Defendant named Eric Loomis who was accused of being the driver in a drive-by-shooting. The court found him guilty of the charges, based in part on the findings of a Presentence Investigation Report, which incorporated a COMPAS score. The COMPAS software assigned Loomis a high risk score based on his status as a registered sex offender. Loomis then appealed the ruling, arguing that the use of such software violated his right to due process. The Wisconsin Supreme Court rejected Loomis’ appeal, finding that his due process rights were not violated because the lower court did not rely on the COMPAS score alone in its ruling. However, the Wisconsin Supreme Court did acknowledge how the software can be problematic and referenced a ProPublica investigation into COMPAS that found evidence of racial bias. In a concurring opinion, Justice Patience Drake Roggensack described the Court’s uneasiness with the software (despite the Court’s decision to uphold the ruling), writing, “Reliance would violate due process protections. Accordingly, I write to clarify our holding in the majority opinion: consideration of COMPAS is permissible; reliance on COMPAS for the sentence imposed is not permissible.”
https://iapp.org/news/a/wisconsin-supreme-court-upholds-use-of-criminal-risk-assessment-software/
https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing

Ohio State
On August 1st, Employee Screening Resources reported that the Office of the Ohio Attorney General Mike Dewine agreed to a $10.8 million contract to address shortcomings in the state’s criminal background check infrastructure. DPCRA previously reported that Ohio’s system had repeatedly failed to meet basic standards, with The Columbia Dispatch writing, “The current system erroneously informed some employers that criminals had clean records, while other convictions did not flow into the system for months.” It was also revealed last year that some Ohio state courts failed to report criminal convictions to the background check system. The system is required to run over 1.3 million background checks each year and will cost $1.18 million annually to maintain. Employees with the Ohio State Attorney General’s office described the background check system as “cobbled together” or “running on borrowed time.”
http://www.esrcheck.com/wordpress/2016/08/01/ohio-paying-nearly-11-million-to-replace-criminal-background-check-system/

Salary History Legislation
On August 1st, Massachusetts Governor Charlie Baker signed S.2119, entitled, “An Act to Establish Pay Equity.” The legislation is intended to prevent wage discrimination, with Governor Baker stating, “I am pleased to sign bipartisan legislation to create a more level playing field in the Commonwealth and ensure that everyone has the opportunity to earn a competitive salary for comparable work.” The bill also prohibits employers from seeking “the salary history of any prospective employee from a current or former employer.” The salary history of prospective employees can only be provided following “any offer of employment with compensation” and with the employee’s written authorization.
https://malegislature.gov/Bills/189/Senate/S2119
http://www.esrcheck.com/wordpress/2016/08/04/massachusetts-pay-equity-law-prohibits-employers-from-asking-applicants-about-salary-history-before-job-offer/

State Legislatures now focusing on Salary History
Recently, several state legislatures have introduced bills that seek to prohibit employers from seeking or inquiring about an applicant’s past salary history. The intent of these bills is to prevent wage discrimination between workers who perform equal job functions, namely workers of opposite sexes. Under many current state laws, employers may justify a difference in wages for equal positions based on several factors, such as merit-based pay systems or commission- or production-based wage systems. By prohibiting prospective employers from inquiring about an applicant’s previous salary history, the bills seek to clarify that an applicant’s prior salary may not be used as justification for paying the applicant a lower wage for doing comparable work. Two of these salary history bills were introduced this year in California and Massachusetts. Massachusetts Senate Bill 2119 (https://malegislature.gov/Bills/189/Senate/S2119/History), which was enacted on August 1, 2016, makes it unlawful to “screen job applicants based on their wage, including benefits or other compensation or salary histories… or request or require as a condition of being interviewed, or as a condition of continuing to be considered for an offer of employment, that an applicant disclose prior wages or salary history.” While the California Assembly bill 1676 (https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB1676) was amended to remove the prohibition against seeking salary history information, it includes language that clarifies that prior salary “shall not, by itself, justify any disparity in compensation.” The Massachusetts bill will become effective on July 1, 2018.

Connecticut Ban the Box
The Fair Chance Employment law was signed in June 2016 and is effective January 1, 2017. The law prohibits employers from inquiring about an applicant’s criminal background history on an employment application. There are two exceptions to the rule and employers may ask questions about criminal history on applications where: (1) required to do so by law; or (2) a security or fidelity bond or equivalent bond is required for the position. In addition, employers may not at any time ask about criminal records that have been “erased” by statute.
https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&which_year=2016&bill_num=HB5237

Ga. – New Law Aims to Protect Seniors Receiving Care at Home
Finding care for an aging loved one is always difficult, but senior advocates and care providers said it may become easier, thanks to a bill passed into law during the Georgia General Assembly’s last session. House Bill 1037, which took effect July 1, changes documentation for certified nursing assistants. CNAs work in a variety of settings, from hospitals and nursing homes to private residences. They help patients with many tasks, including dressing, bathing and eating. Patients or their family members can search a database of CNAs, which will inform them if a CNA has been accused of abuse or neglect in the past. But prior to the bill’s passage, the database did not contain information on CNAs who worked in private homes. This meant transgressions, including abuse and theft, were invisible to families researching care providers who did not work in a nursing home or hospital.
http://www.mdjonline.com/neighbor_newspapers/new-law-aims-to-protect-seniors-receiving-care-at-home/article_1b5096e0-60bb-11e6-b97c-aba6d082682d.html

International Developments

EU-U.S. Privacy Shield
On August 4th, the International Association of Privacy Professionals (IAPP) reported that the Hamburg Data Protection Authority (DPA) may consider challenging the legality of the European Union (EU) – United States (U.S.) Privacy Shield Agreement. Hamburg DPA Johannes Caspar claims that the new Privacy Shield Agreement, which replaced the invalidated Safe Harbor agreement, will fail to survive legal scrutiny in the EU Court of Justice (CJEU). Caspar argues that legal changes in Germany “will make it possible for the country’s DPAs to challenge adequacy decisions as soon as next year.” Caspar criticized the Privacy Shield Agreement, writing, “I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the CJEU’s Safe Harbor judgement.” Caspar also views a legal challenge of the agreement as inevitable, writing, “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU… we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”
https://iapp.org/news/a/hamburgs-dpa-aiming-to-challenge-privacy-shield/

On August 1st, the Department of Commerce began accepting applications for self-certification for the European Union (EU) – United States (U.S.) Privacy Shield Agreement. The European Commission also published a series of guidelines for European citizens explaining how the agreement will protect their data. EU Commissioner for Justice Vera Jourova praised the agreement, writing, “The Privacy Shield ensures easier redress for individuals in case of any complaints. I am therefore confident that the Privacy Shield will restore the trust of Europeans in the way their personal data are transferred across the Atlantic and processed by companies there. I encourage companies to sign up and I invite citizens to find out about their rights under the Privacy Shield in the ‘citizens’ guide’ we are publishing today.” The EU plans on offering consumers a free “alternative dispute resolution” for complaints against companies. Department of Commerce Secretary Penny Pritzker also released a statement in support of the agreement, writing, “With the Privacy Shield in place, businesses will be able to protect privacy and truly seize the opportunities offered by the transatlantic digital economy. More than $260 billion in digital services trade is already conducted across the Atlantic Ocean annually, but there is significant potential for this figure to grow, resulting in a stronger economy and job creation. The Privacy Shield opens a new era in data privacy that will deliver concrete and practical results for our citizens and businesses.”
http://ec.europa.eu/justice/data-protection/document/citizens-guide_en.pdf
https://www.commerce.gov/news/press-releases/2016/08/us-secretary-commerce-penny-pritzker-statement-eu-us-privacy-shield

Miscellaneous

Pre-Employment Credit Checks
BizCommunity.com published an article on the relevance of pre-employment credit checks.
http://www.bizcommunity.com/Article/196/610/148780.html

Data Breach
On August 3rd, Banner Health, Inc. (Banner) issued a press release announcing that the company suffered a data breach, potentially exposing the information of 3.7 million people. Banner claimed that the data breach was caused by a cyberattack on its payment card systems but spread to also include computer systems containing private healthcare information. Banner first identified the data breach in early July. The hackers were able to access cardholder names, card numbers, expiration dates, verification codes, health insurance numbers, birthdates, addresses, claims information, and Social Security numbers. Banner has offered all affected consumers one year of free identity monitoring services. The company claims that it “worked quickly to block the attackers and is working to enhance the security of its systems in order to prevent this from happening in the future.” Banner further elaborated, “The security of our patients’ information is a top priority. We are taking proactive steps to address this incident.”
https://www.bannerhealth.com/news/2016/08/banner-health-identifies-cyber-attack
http://www.csoonline.com/article/3104107/security/banner-health-alerts-37m-potential-victims-of-hack-of-its-computers.html

On August 2nd, a hacker was attempting to sell a database containing 200 million Yahoo, Inc. (Yahoo) account credentials on a “darknet” cyber-crime forum. The hacker, who claimed to have stolen the accounts, has also claimed responsibility for the recent LinkedIn, Inc. and Tumblr, Inc. attacks. The cybercriminal is offering to sell the entire database to users for $1,824. Yahoo responded to press inquiries claiming that it was “aware” that the database was offered online but it would not verify whether it was genuine. Yahoo also responded, “Our security team is working to determine the facts.” Security experts have speculated that the data was from a cyber-attack on Yahoo that occurred in 2012. Motherboard reported that the data is genuine after testing a small sample of the account credentials, but found that many of the accounts had “been disabled or discontinued.” The data contains usernames, passwords, and dates of birth.
http://www.csoonline.com/article/3103464/security/200m-yahoo-accounts-go-up-for-sale-on-digital-black-market.html
https://www.rt.com/news/354245-yahoo-hack-dark-web/
http://www.bbc.com/news/technology-36952257

Credit Report Dispute
Yahoo! Finance published an article on what consumers can do if their credit report dispute is denied.
http://finance.yahoo.com/news/help-credit-report-dispute-got-103000769.html

Article on Ban the Box Legislation
On August 15th, CBS 58, a local news station for the greater Milwaukee area, published comments by CriminalBackgroundRecords.com, Inc. (CBR) on recent legislative efforts for states and municipalities attempting to “ban-the-box.” The article quotes CBR President Adam Almeida who argues that “ban-the-box” laws are well-intentioned but misguided. Almeida cites statistics from a new University of Virginia study that found “ban-the-box” laws disproportionately hurt minority communities, finding that “black men were on average 5.1% less likely to be employed after ban the box than before… Hispanic men were 2.9% less likely.” Almeida argued that recent studies should encourage lawmakers to move cautiously, writing, “These studies show the challenges faced by individuals seeking to reintegrate into society and get a good job, but the results also clearly indicate the potential struggles employers will continue to have with their hiring policies.” Peter Cappelli, Professor of Management at the Center for Human Resources at the University of Pennsylvania, calls the phenomenon the “ban-the-box paradox.” Cappelli argues that by eliminating the use of criminal history in employment decisions, “We swapped one form of discrimination for another. It wasn’t supposed to work that way.”

CriminalBackgroundRecords.com publishes its response to a recent study conducted on “ban-the-box” legislation.
http://www.cbs58.com/story/32758609/criminalbackgroundrecordscom-comments-on-recent-study-on-ban-the-box-and-opines-on-implications-in-background-screening

Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or robert.belair@agg.com.