By Nicolas Dufour | Feb 3, 2016 | Privacy Summary
The Federal Motor Carrier Safety Administration (FMCSA) has announced that they will be changing the random testing rates for 2016. Based on the controlled substances random test data in FMCSA’s Management Information System (MIS) for calendar years 2011, 2012, and 2013, the positive rate for controlled substances random testing fell below the 1.0 percent threshold for 3 consecutive calendar years. As a result, the Agency will lower the controlled substances minimum annual percentage rate for random controlled substances testing to 25 percent of the average number of driver positions.
FTC Chairwoman Edith Ramirez reportedly said at the Consumer Electronic Show that she believes there will be a new Safe Harbor agreement between the U.S. and the EU by the end of the month.
IRS Tax Exemption
On December 30th, the Internal Revenue Service (IRS) announced that it is now offering tax relief for employers that offer pre-breach identify protection services for employees. According to the announcement, “… Data security has become a major concern for many organizations due to data breaches. Despite heightened efforts by organizations to prevent data breaches using traditional information technology security features (such as firewalls and antivirus software), some organizations are making security decisions based on the belief that breaches of their information systems are inevitable.” Based on the response to the IRS’s August announcement establishing tax exemptions for free identity theft protections services offered post breach, the agency has now determined that the exemption should also apply to preemptive identity protection services. However, the exemption “does not apply to cash received in lieu of identity protection services [and] does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.”
Federal Data Breach Legislation
On January 6th, The Hill reported that Representative Randy Neugebauer (R-Texas) plans to push forward a combination of data breach bills later this spring. In December, the House Financial Services Committee approved the “Data Security Act of 2015, ” which would create minimum security standards for businesses and would create national requirements for data breach notification, preempting the existing 47 state data breach laws. The “Data Security and Breach Notification Act of 215” is a similar data breach law originating in the House Energy and Commerce Committee. In a statement, Neugebauer said, “It’s definitely on the radar scope. We have to sit down and determine whether we’re going to try to make them two bills or one bill.” However, Neugebauer indicated that the two committees have been meeting to discuss the bills and seem hopeful that they can be combined into one bill supported by both committees. The Financial Services Committee bill has received criticism from retailers for being overly burdensome. The Energy and Commerce Committee bill, on the other hand, has faced opposition from Democrats arguing that it will weaken consumer protections offered at the state level. Cybersecurity and data breach legislation has become increasingly prevalent in both chambers as large scale breaches continue to impact both the private and public sectors.
Federal Court Ruling
LegalNewsline.com reported that companies challenging a Civil Investigative Demand issued by the CFPB can redact their names from court filings, according to a new federal court ruling.
Federal Encryption Policy
The Hill reports that the Obama administration is “poised” to release its encryption policy in response to the terrorist attacks in Paris and San Bernardino.
CFPB 2015 Enforcement Actions
On January 11th, The Wall Street Journal published an article entitled, “Consumer Financial Protection Bureau Roughly Doubled Caseload in 2015.” According to the report, in 2015 the Consumer Financial Protection Bureau (CFPB) handled 59 cases that resulted in settlements and 11 cases that resulted in lawsuits. In 2014, the CFPB only handled 23 settlements and 11 lawsuits. Tony Alexis, CFPB Director of Enforcement, attributes this increase to the agency acquiring more investigators, examiners, and administrative staff. Alexis also notes that the CFPB has improved its practices since it was founded four years ago. Further, the article reports that more than three-quarters of the CFPB’s enforcement actions in 2015 stemmed from UDAAP, or “unfair, deceptive, or abusive acts and practices, ” violations. These enforcement actions resulted in $6 billion in relief and $1 billion in restitutions during the last year. According to Alexis, the CFPB is expected to be even more active this year, as “we have muscle memory now built into our programs.”
Judicial Redress Act
On January 28th, the Senate Judiciary Committee advanced H.R.1428, the Judicial Redress Act of 2015, which “would grant European citizens certain privacy rights by allowing people from specific countries, designated by the U.S. attorney general, to sue in U.S. court if their personal data is mishandled.” According to a report from The Hill, the passage of the bill could help U.S. negotiators as they try to develop a new Safe Harbor agreement with the European Union (EU). According to Senator Orrin Hatch (R-Utah), “It is vital that Congress pass this bill to provide assurance to our European allies that the United States respects data privacy. I am pleased that the Judiciary Committee reported the bill this morning and encourage prompt passage by the full senate.” Majority Whip John Cornyn (R-Texas) introduced an amendment to the bill in the markup in order to address some Republicans’ concerns. The amendment requires European countries covered by the bill to allow commercial data transfers with the U.S. The amendment also stated that the bill cannot interfere with national security interests. Of his amendment Cornyn said, “U.S. companies should not have to endure regulatory threats in an attempt to change our policy or laws. This amendment lays down these important markers.”
The Equal Employment Opportunity Commission has filed numerous lawsuits against employers who take adverse actions against applicants and employees who use prescription medications. In accordance with that trend, EEOC filed suit against an employer who purportedly refused to hire a recovering drug addict using methadone, alleging violations of the Americans with Disabilities Act. Employers should be careful not to discriminate against applicants or employees who use prescription drugs such as methadone to treat their heroin addiction (as well as other prescription medications for other medical conditions). Instead, employers should consider on a case-by-case basis whether the applicant or employee can perform the essential functions of the job with or without a reasonable accommodation and without posing a direct threat of harm to themselves or others in the workplace.
Employee Failed to Show that Positive Drug Test Result For Barbiturates Was Discriminatory
A federal court in Georgia rejected an employee’s claim that his termination after a positive drug test result for barbiturates was discriminatory. Roman worked in a safety-sensitive position and tested positive for phenobarbital, which is a barbiturate. Roman claimed that the positive test result was a false positive, and stated that he used Dilantin to treat epilepsy. His employer did not know that he had epilepsy prior. The certifying scientists at the employer’s drug testing company stated that Dilantin would not cause a positive test result for phenobarbital. Roman’s employment therefore was terminated. The court noted that the employer had a legitimate, non-discriminatory reason for the discharge – the positive drug test result. This case highlights the importance of using a Medical Review Officer to review positive drug test results. Without a lawful prescription for a medication that could have caused a positive test result, the employee could not show that he had been discharged due to his purported disability.
Jan. 4: Hirease, a background check company, asked a federal court to drop them from a putative class action lawsuit, arguing that the FCRA requires employers, in this case Uber, to disclose the background check to applicants, not consumer reporting agencies.
Criminal History / Employment
On December 30th, Pennsylvania’s lowest appellate court unanimously ruled that the Older Adult Protective Services Act’s (OAPSA) lifetime employment ban for those convicted of certain crimes is unconstitutional. According to the court, OAPSA violates the due process rights of law-abiding citizens who have prior convictions. The court also asserted that a lifetime ban on employment is not “substantially related” to the “stated objective” of OAPSA, which “is to protect an older adult at risk.” Judge Mary Hannah Leavitt of the Commonwealth Court wrote that the law “makes no provision for any other factor, such as the nature of the crime, the facts surrounding the conviction, the time elapsed since the conviction, evidence of the individual’s rehabilitation, and the nature and requirements of the job. The employee’s criminal history is the single and overriding factor that a potential employer may consider.” The case was brought by five rehabilitated ex-offenders whose crimes included writing a bad check, drug possession, and disorderly conduct occurring between 15 and 34 years ago. The court’s decision is being praised by advocates in the movement to provide more opportunities for housing and employment to rehabilitated criminals.
Jan. 1: The “Delaware Online Privacy and Protection Act” (DOPPA), which requires Internet service operators to make their privacy policies publicly available on their websites if they collect personal information about Delaware residents, went into effect.
Fla. – Legislature Considers Banning the Box on State Job Applications
Cities like Orlando and Daytona Beach have acted to remove questions about criminal history from job applications and now the state is considering doing the same. The “ban the box” measure would open up possibilities for thousands of people, Florida state Rep. Randolph Bracy said. Bracy is a co-sponsor of the bill to remove the questions from state job applications.
Ohio Tax Information Breach
On December 31 st, Ohio’s Regional Income Tax Agency (RITA) announced that the backup tax information of more than 50, 000 individuals has been missing since October. RITA, which provides tax collection services for more than 250 municipalities across Ohio, said that a “backup DVD” with the information cannot be located. According to Amy L. Arrighi, an agency attorney, “Nothing in our investigations indicates that the DVD was stolen, or that there has been any misuse of information. Our investigation to locate the missing DVD led us to the conclusion that it was most likely destroyed.” RITA will send notifications and free credit monitoring services from Experian for one year to those affected. In a written statement, the agency said that, “The privacy and protection of customer information is a top priority for RITA… As part of its commitment to protect the privacy and security of taxpayer information, RITA continues to evaluate ways to improve its processes and systems to prevent this type of incident from occurring in the future.”
Uber Background Checks On January 13th, The Wall Street Journal published an article entitled, “Uber Eases Screening Rules, ” about the company’s recent decision to modify its driver background check requirements in California. According to Chief Security Officer Joe Sullivan, Uber, Inc. (Uber) will no longer reject applicants in California with certain nonviolent or nonsexual offenses. Uber will also inform all applicants when they are denied employment because of criminal convictions about steps they can take under Proposition 47, a law that gives non-violent offenders the means to reduce their convictions from felonies to misdemeanors. Uber has previously come under fire for its driver screening practices and is currently involved in litigation. According to the suits brought by the district attorneys of Los Angeles and San Francisco, there are “systematic failures” in Uber’s background check practices that have allegedly permitted registered sex offenders and convicted murderers to be hired by the company as drivers. However, Uber maintains that their background check procedures are equal or better than those used by taxi companies.
Dec. 22: The IAPP published an article entitled, “NIS + GDPR = A New Breach Regime in the EU.”
Dec. 18: The IAPP reported that TRUSTe is now offering resources to help businesses comply with the EU’s new General Data Protection Regulation (GDPR).
The IAPP published an article entitled, “Post-Safe Harbor: What happens on Feb. 2?”
EU Data Protection
On January 7th, the European Data Protection Supervisor (EDPS) released a list of goals for 2016, which designates the completion of a European Union (EU) data protection regulation as a top priority. Supervisor Giovanni Buttarelli said that a “coherent legal framework for data protections” was necessary as final negotiations to create a reform package comprised of the General Data Protection Regulation (GDPR) and law enforcement and judicial directives come to a close. The GDPR, which was agreed upon by the European Parliament and Council in December 2015, creates new obligations for EU members on matters like data consent, data anonymization, data breach notification standards, trans-border data transfers, and appointment of data protection officers, among other things. According to the supervisor’s list, “We will devote substantial resources to the revision process, notably in order to ensure that the principles in the GDPR are also applicable to EU institutions, bodies, offices and agencies.” The list also indicates that another top priority will be international data transfers, specifically between the U.S. and the EU in what he called the “post-Safe Harbour” context. Specifically, Buttarelli wrote, “The EDPS is also following closely the process aiming at the adoption of an international agreement between the EU and the US on the ‘protection of personal data when transferred and processed for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters.’”
Interxion Data Breach
The European data center company Interxion notified customers of a data breach of its customer relationship management (CRM) system that exposed up to 23, 000 contacts.
U.S.-EU Safe Harbor
Jan. 18: Reuters reported that he EU Justice Commissioner Vera Jourova said that the EU needs to ensure there are limits on the U.S.’s ability to request people’s personal information from companies in order to finalize a new EU-U.S. Safe Harbor agreement.
On January 15th, the U.S. Chamber of Commerce, BusinessEurope, DigitalEurope, and the Information Technology Industry Council sent a joint letter to President Obama, European Commission President JeanClaude Juncker, and the 28 European heads of state about the pending negotiations to establish a new Safe Harbor agreement between the U.S. and the European Union (EU). In October 2015, the European Court of Justice struck down the safe harbor agreement that allowed companies to transfer data between the EU and the U.S, citing privacy concerns (previously reported). The EU data protection authorities have given the EU and the U.S. until the end of January to develop a new agreement. In their letter, the four trade groups warn of the “enormous” consequences if a new data pact is not reached by the end of the month. According to the letter, “This issue must be resolved immediately or the consequences could be enormous for the thousands of businesses and millions of users impacted.” The trade groups also request that companies be given a transition period to comply with any new requirements, especially for small businesses that previously relied entirely on Safe Harbor.
On January 7th, Bloomberg Business published an article entitled, “Amazon’s Pitch to Europe: Your Data is Safe From American Spies.” The article discusses the impact of the October 2015 European Court of Justice decision that invalidated the safe harbor agreement between the U.S. and the European Union (EU). While many expected the decision to have a negative impact on cloud service providers who rely on the global movement data, it actually produced the opposite effect, according to Bloomberg. Technology companies like Amazon, Microsoft, VMware and others say that the demand for their cloud services has only increased in Europe since the decision. According to Bloomberg, this is largely because technology companies “are luring customers with pledges to keep data far from the prying eyes of American spies by sequestering it in Europe.” For instance, Microsoft is currently contesting a U.S. search warrant for e-mails stored in its Irish data servers. These companies are also advertising their services using “EU-suggested contract language” and are working to ensure their standards are in line with the most stringent EU privacy laws. However, Daniele Catteddu, director of Europe, Middle East and Africa for the Cloud Security Alliance, notes that, “Until the U.S. has a corresponding data protection authority and a venue where European citizens can file a complaint it their right to privacy is not respected in the U.S., then data transfers there are going to continue to be a problem.”
EU Data Sharing
On January 19th, the European Commission announced a proposal that would allow national prosecutors and judges to exchange criminal records and fingerprints of non-European Union (EU) citizens who were convicted in the EU bloc. The proposal is part of the EU’s increased data-sharing efforts following the Paris terrorist attacks. The existing system, known as the European Criminal Records Information System, only allows authorities to search records of EU citizens. The European Commission’s proposal would update the database to include records of non-EU citizens convicted in the bloc, which numbered 688, 345 in 2014. According to EU Justice Commissioner Vera Jourova, “The Paris attacks in November confirmed the urgent need for more robust and seamless judicial cooperation throughout the EU. By including the fingerprints of non-EU citizens we will have a strong tool to tackle the use of false identities.” The proposal will be addressed by the 28 justice ministers at their next meeting on January 26th in Amsterdam.
Israel-US Data Transfer
Jan. 4: The Israeli Law, Information and Technology Authority (ILITA) issued a set of updates and clarifications on its stance on data sharing with the U.S. post-Safe Harbor, stating that “for the time being” it will not “initiate enforcement actions in connection with data transfers” from Israel to the U.S. based on the Safe Harbor arrangement.
Performing Background Checks on Minors Can be Major Issue
A client in the hospitality industry asked whether it had to obtain parental or legal guardian consent to conduct background checks and drug screens on its minor employees. Unfortunately, many employers mistakenly use the same hiring materials regardless whether the employee is a minor or has reached the age of majority. Thus, the employers ask their minor employees to sign the required consent forms. But do these minor employees have the legal capacity to execute these forms? Just like Jim Carrey’s client in Liar Liar, minor employees don’t have the legal capacity to consent to background checks and drug screens. Employers hiring minors should ensure that their new hire packets include appropriate parental or legal guardian consent forms and that the forms are signed and returned. Without such consent, employers may unintentionally be breaking various state and federal laws applicable to these areas
Ohio Employers Need Not Be Knowledgeable About Marijuana in the Workplace
Every employer in Ohio and surrounding states must now begin to develop workplace controls to fully address the legalization of marijuana in Ohio. To be most effective and legally defensible, these controls should be more expansive than simple revisions to current drug-free workplace and testing policies. Key to these efforts is understanding that marijuana, medical or recreational, is still illegal under federal law. Ohio’s legalization does not provide a recognized legal defense to investigation or enforcement actions by the U.S. Department of Justice, but, should issue 3 pass into the state’s constitution, any type of regulation a company sets could be legally challenged by an employee if adverse employment action takes place. It is now critical for businesses to develop policies and practices that will minimize the chance of ending up in court.
TWC Data Breach
On January 6th, Time Warner Cable (TWC) announced that hackers may have gained access to the email account passwords of 320, 000 of its customers. According to the announcement, the Federal Bureau of Investigations (FBI) recently notified the company that “some of our customers’ email addresses, including account passwords, may have been compromised.” In an email to affected consumers, TWC said, “Our understanding is that the compromise had nothing to do with TWC’s systems or processes. TWC has found no evidence of a breach in its systems that operate and secure email accounts for our customers.” A spokeswoman for the company notes that the email addresses and passwords may have been obtained through malware downloaded during phishing attacks or through data breaches of other companies that have access to TWC customer information. Phishing occurs when hackers send emails directing people to a website that prompts them to provide personal information. The TWC spokeswoman said that hackers can use the stolen passwords to access private information from people’s email accounts and advises all TWC customers potentially affected by the breach to change their email passwords.
Dell Data Breach
CIO.com published an article entitled, “Scammers Target Dell Customers After Apparent Data Breach.”
TransUnion announces the launch of its “Government Information Solutions” division that will provide fraud, benefits eligibility verification, identity authentication, data breach response, and investigation services to local, state, and federal government agencies.
On January 12th, The Wall Street Journal published an article entitled, “Startups Give FICO Low Scores.” According to the article, “a new generation of lenders is challenging the usefulness of one of the bedrocks of the modern financial system: the FICO score.” Social Finance, Inc. (SoFi), a company that offers student-loan refinancing, among other things, has decided to no longer consider FICO scores when making credit decisions. According to CEO Mike Cagney, “We just don’t think the score itself is a real driver to credit performance.” Other notable Silicon Valley-backed companies to turn away from FICO include Affirm, Inc., Avant, Inc., and Earnest, Inc. Many of these companies are developing internal systems that will “cast a wider net for customers, ” which will appeal to millennials and the “underbanked.” SoFi in particular estimates that their internal system, which will be announced this week, will allow them to approve 10% more applicants. SoFi has administered more than $6 billion loans since 2011, a fact that makes the company’s leadership believe they have enough data to determine a consumers’ creditworthiness. SoFi also argues that FICO scores are too “backward looking.” According to Cagney, “There are lots of situations where we see very high FICO scores but [the borrowers] don’t have the cash flow, and we can’t underwrite them.” James Wehmann, an executive vice president at Fair Isaac Corp., maintains that FICO’s long history is what gives it an edge: “It’s really been hard to outperform a really rich credit-bureau file that’s got years and years of payment history.” Representatives from Fair Isaac Corp. also argue that their data can analyze performance during economic booms and bust, unlike new companies like SoFi. William Lansing, Fair Isaac Corp.’s chief executive concludes, “There’s virtually nothing that they do that we can’t do.”
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or firstname.lastname@example.org.