July 2015 Screening Compliance Update

By Nicolas Dufour | Aug 3, 2015 | Screening Compliance Update

Federal Developments

Background Checks
On June 24th, Representative Donald Beyer (D-VA) introduced HR 2871, which would affect background checks for the selling of firearms “safely and responsibly.” The bill, entitled the “Keeping Guns From Criminals Act,” would “provide an incentive for firearm owners to sell their firearms safely and responsibly.” Regarding background checks, the bill would make it an affirmative defense to the sale of a firearm to a prohibited person if the “defendant can prove by a preponderance of the evidence that, at the time of the sale or other disposition of the firearm, the National Instant Criminal Background Check System…had indicated to any person that a sale or other disposition of a firearm to the recipient would not be unlawful, or that the recipient possessed a valid permit.”
http://www.gpo.gov/fdsys/pkg/BILLS-114hr2871ih/pdf/BILLS-114hr2871ih.pdf

Federal Security Breach Statute
On July 7th, the National Association of Attorneys General sent a letter signed by 47 state attorneys general to congressional leaders urging Congress not to preempt their authority when drafting federal data breach laws. In the letter, the attorneys general argue that states can respond more quickly and efficiently to data breach concerns and, as a result, congressional lawmakers should uphold the states’ role in protecting their consumers from data breaches and identity theft. Specifically, the letter states that “[s]tate attorneys general are on the front lines responding to data breaches,” adding that, “[p]reempting state law would make consumers less protected than they are right now.” According to the letter’s signatories, “[s]tates have been able to amend their laws and focus their enforcement efforts on those areas most affecting consumers.”
http://www.ago.wv.gov/Documents/NAAG%20Data%20Breach%20Letter.PDF

Rep. David Cicilline (D-RI) introduced HR 2977, the “Consumer Privacy Protection Act of 2015,” which would “ensure the privacy and security of sensitive personal information, to prevent and mitigate identity theft, to provide notice of security breaches involving sensitive personal information, and to enhance law enforcement assistance,” among other things.
http://cicilline.house.gov/press-release/cicilline-introduces-bill-protect-privacy-consumer-data

Protected Health Information
On July 10th, the U.S. House passed HR 6, the 21st Century Cures Act, which would affect the use and disclosure of protected health information. The bill would amend provisions in the Health Insurance Portability and Accountability Act (HIPAA) to permit the use of protected health information by a covered entity for research purposes. Specifically, the bill states that “[t]he Secretary [of Health and Human Services] shall revise or clarify the [HIPAA] Rule so that research activities, including comparative research activities, related to the quality, safety, or effectiveness of a product or activity that is regulated by the Food and Drug Administration are included as public health activities for purposes of which a covered entity may disclose protected health information.” Additionally, the bill would allow for patients to submit a “one-time authorization of use and disclosure of [their] protected health information for research purposes.”
http://www.gpo.gov/fdsys/pkg/BILLS-114hr6eh/pdf/BILLS-114hr6eh.pdf

Credit Reporting – Credit Access and Inclusion Act
On July 13th, Representatives Keith Ellison (D-MN) and Mike Fitzpatrick (R-PA) introduced HR 3035, the Credit Access and Inclusion Act of 2015. The bill would “amend the Fair Credit Reporting Act to clarify federal law with respect to reporting certain positive consumer credit information to consumer reporting agencies.” Similar to the bill as introduced in the 113th Congress, this bill would allow a person or the Secretary of Housing and Urban Development (HUD) to furnish the following information to a consumer reporting agency relating to a consumer’s payment history:

  • Information under a lease agreement with respect to a dwelling, including such a lease in which HUD provides subsidized payments for occupancy in a dwelling; or
  • Payments pursuant to a contract for a utility or telecommunications service.

Additionally, like the prior version of the bill, this version identifies a limitation on reporting payment information about a consumer’s usage of utility services. According to the bill, “information about a consumer’s usage of any utility services provided by a utility or telecommunication firm may be furnished to a consumer reporting agency only to the extent that such information relates to payment by the consumer for the services of such utility or telecommunication service or other terms of the provision of services to the consumer, including any deposit, discount, or the conditions for interruption or termination of the services.”

A distinction from the version introduced in the 113th Congress is a further limitation on a utility firm’s ability to report payment information to a consumer reporting agency with respect to identifying an outstanding balance as “late” under certain circumstances. Another distinction is that the current version of the legislation is silent on the reporting of a consumer’s identifying information, transactions or experiences, or public record information.

Bill: http://www.gpo.gov/fdsys/pkg/BILLS-114hr3035ih/pdf/BILLS-114hr3035ih.pdf
Statement: https://ellison.house.gov/media-center/press-releases/reps-ellison-fitzpatrick-introduce-bipartisan-credit-access-and

FTC Enforcement
On July 21st, the Federal Trade Commission (FTC) announced an enforcement action against LifeLock alleging that the company violated its 2010 settlement with the agency by “continuing to make deceptive claims about its identity theft protection services” and “failing…to protect its users’ sensitive personal data.” The accusations stem from a 2010 settlement with the FTC, which required “LifeLock to take more stringent measures to safeguard the personal information it collects from customers,” among other things. However, according to court documents filed by the FTC, from at least October 2012 through March 2014, LifeLock violated the 2010 settlement by:

  • Failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security numbers, and bank account numbers;
  • Falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and
  • Failing to meet the 2010 order’s recordkeeping requirements.

According to the FTC, “LifeLock failed to live up to its obligations under the 2010 settlement, and asked the court to impose an order requiring LifeLock to provide full redress to all consumers affected by the company’s order violations.”
https://www.ftc.gov/news-events/press-releases/2015/07/ftc-takes-action-against-lifelock-alleged-violations-2010-order

Consumer Reporting Accuracy
On July 15th, Senator Sherrod Brown (D-OH) introduced S. 1773, the Consumer Reporting Fairness Act of 2015. The bill would “require creditors to inform consumer reporting agencies that certain debts have been discharged in bankruptcy cases.” Specifically, the bill states that “[i]f a creditor has provided or furnished to a consumer reporting agency…any item of information pertaining to an account based on a debt discharged in a case under this title, the creditor shall inform the consumer reporting agency that the debt has been discharged in bankruptcy and has a zero balance.” The bill would also permit consumers to take legal action against creditors that fail to report a discharged debt that is no longer owed. Under the bill, “[a]n individual injured by any willful violation of this section:

  • Shall recover actual damages, including costs and attorneys’ fees; and
  • In appropriate circumstances, may recover punitive damages.”

http://www.gpo.gov/fdsys/pkg/BILLS-114s1773is/pdf/BILLS-114s1773is.pdf

Credit Reports
Sen. Brian Schatz (D-HI) introduced S. 1847 to “enhance the accuracy of credit reporting and provide greater rights to consumers who dispute errors in their credit reports.”
http://www.schatz.senate.gov/press-releases/senators-schatz-warren-mccaskill-colleagues-introduce-legislation-to-protect-consumers-from-credit-report-errors

Expungement and Sealing of Youth Criminal Records
Rep. Sheila Jackson Lee (D-TX) introduced HR 3156 to “provide for the expungement and sealing of youth criminal records.” The bill’s text has yet to be released.

State Regulations

Background Checks and Credit Reports
On June 29th, the New Jersey state Senate passed S. 524, which would “prohibit[] employers from obtaining, requiring, or discriminating on the basis of credit reports.” According to the bill, employers would be prohibited from requiring credit checks on prospective employees, and known violations could result in employers facing fines ranging from $2,000 to $5,000. However, the bill makes an exception for certain professions, including law enforcement positions, security jobs, or jobs involving the management of personal belongings or financial information. Additionally, employers can request credit information if employees demonstrate suspicious financial activity. According to the bill’s sponsor, Senator Nia H. Gill (D), “[u]sing credit checks to screen applicants for employment is unacceptable and unfairly punishes those who have found themselves in difficult financial positions for any number of reasons, be it a layoff, a divorce or a family crisis.”
http://www.njleg.state.nj.us/2014/Bills/S1000/524_U1.PDF

Connecticut Data Breach Notification
On June 30th, Connecticut Governor Dannel Malloy (D) signed SB 949 to “improv[e] data security and agency effectiveness.” The law establishes new data security and breach notification requirements for state agencies and state contractors. The law requires, among other things, that a state agency require a state contractor that would have access to “confidential information” to:

  • At its own expense, “protect…any and all confidential information that it comes to possess or control, wherever and however stored or maintained, in accordance with current industry standards”;
  • Implement and maintain a “comprehensive data-security program for the protection of confidential information”; and
  • Limit access to confidential information to the authorized contractor employees with “legitimate interests related to the purpose for which the data was shared by the state contracting agency or as necessary for the completion of the contracted services.”

In the event that a contractor suffered a data breach, the contractor must, among other things:

  • Notify the Attorney General as soon as practical, but not later than twenty-four hours after the contractor becomes aware of or suspects that it has suffered a data breach;
  • Cease all use of the data provided by the state agency or developed internally by the contractor; and
  • Not later than three business days after the breach notification, submit to the state Attorney General and the state contracting agency either a report detailing the breach and steps taken to mitigate its impact, or a report detailing why a breach has not occurred.

Additionally, under the law, the state’s Secretary of the Office of Policy and Management must establish policies and procedures to protect and ensure the security, privacy, confidentiality and administrative value of data collected and maintained by the executive agencies. The law became effective on July 1, 2015.
http://www.cga.ct.gov/2015/TOB/s/pdf/2015SB-00949-R00-SB.pdf

Ban the Box
The Tacoma City Council voted 9-0 to pass Resolution 39228, which supports removing the question “Have you been convicted of a felony within the last 10 years?” on applications for municipal government jobs with the City of Tacoma. They took this action in support of the national movement to “Ban the Box”, which refers to the check box on applications asking whether applicants have criminal records. “As a longtime advocate for marginalized communities, I know firsthand how obstacles and barriers to employment can change the course of people’s lives for the worse,” said Council Member Victoria Woodards, who introduced the legislation. “As we continue to move Tacoma forward and realize our vision for the future, ensuring all our residents have economic opportunities is paramount to our city’s success. I am proud of the City of Tacoma for doing its part to conduct its hiring practices in a fairer and more equitable way.”
http://www.cityoftacoma.org/cms/One.aspx?portalId=169&pageId=84913

The City of Daytona Beach officially implemented its Fair Chance / Ban the Box Policy during a regular commission meeting this month. The policy went into effect on July 1 and eliminates applicant requirements to disclose criminal backgrounds during the preliminary phase of job applications. According to Sexton, the policy is not an elimination of the background process but a “timing issue” of when the department will ask for applicants to reveal their criminal background. No one will be hired for City of Daytona Beach employment without that disclosure. Commissioners were provided copies of the revised city application, which reflected the change. Sexton reiterated that the policy has exceptions, including individuals applying for positions of trust and/or confidentiality such as the fire and police departments. A criminal record immediately disqualifies applicants for those jobs. Once an application for other sectors of city employment has been completed, it is submitted to the appropriate department’s hiring managers who will have “zero idea about an applicant’s criminal history.” Following the review and interview phase, including drug and medical screening, conditional employment is offered to those who qualify. At that time, applicants will be asked to disclose their criminal background records on an appropriate form. “For those who have already applied for a job and are on the eligibility list, we will ‘redact’ that portion of the application,” Sexton explained. “Let’s just say we have 47 applicants for Maintenance Worker III. Instead of trying to track down every prospect and requesting they fill out a new application, we will place a sheet of paper over that portion of the application. Following department review and a conditional offer, we will already have their disclosure.”
http://daytonatimes.com/2015/07/ban-the-box-is-official-in-daytona/

Background Checks
On July 27th, Oregon Governor Kate Brown (D) signed HB 2250, relating to criminal records checks. Under the law, the Department of Human Services, the Oregon Health Authority (Authority), and the Employment Department (Department), for purposes of requesting a state or nationwide criminal record check, may require the fingerprints of a person:

  • Who is employed by or is applying for employment with either the Department or the Authority; or
  • Who provides or seeks to provide services to either the Department or the Authority as a contractor, subcontractor, vendor, or volunteer, among other individuals.

Additionally, the law requires that a “home health agency…conduct a criminal background check before hiring or contracting with an individual and before allowing an individual to volunteer to provide services on behalf of the home health agency, if the individual will have direct contact with a patient of the home health agency.”
https://olis.leg.state.or.us/liz/2015R1/Downloads/MeasureDocument/HB2250/Enrolled

On July 6th, Washington Governor Jay Inslee (D) signed HB 1491, which will affect background checks for individuals working at early childhood education and assistance programs. The law requires that, by January 1, 2016, the state’s Department of Early Learning adopt rules “requiring early childhood education and assistance program employees who have access to children to submit to a fingerprint background check.” Under the law, the state’s Department of Early Learning and the Department of Health Services “shall share federal fingerprint-based background check results,” adding that, “[t]he purpose of this provision is to allow both departments to fulfill their joint background check responsibility of checking individuals who may have unsupervised access to vulnerable adults, children, or juveniles.” The law also states that neither department may share the federal background check results with any other state agency or person.
http://lawfilesext.leg.wa.gov/biennium/2015-16/Pdf/Bills/House%20Passed%20Legislature/1491-S2.PL.pdf

Court Cases

FTC Authority
Jun. 30: Wyndham Worldwide Corp. sent a letter to the Third Circuit’s court clerk arguing that the Supreme Court’s recent ruling on the ACA supports their argument that the FTC does not have authority to regulate unfair data security practices.

FCRA
Jul. 28: The New York Supreme Court ordered Navigators Insurance Co. to provide coverage for two lawsuits against Sterling Infosystems, Inc. claiming damages under the FCRA despite the insurer’s policy excluding penalties. The court said statutory damages for willful violations have to be considered compensatory damages rather than penalties because holding otherwise wouldn’t jibe with the fact that the law separately provides for punitive damages. “Interpreting the FCRA statutory damages as punitive forces the court to reconcile the illogical result in which punitive damages may be added to the punitive statutory damages, but actual damages may not be added to those same punitive statutory damages,” the court said. Navigators is now on the hook for a $4.75 million settlement in a class action brought by a Dish Network LLC employee who was fired because of outdated information Sterling provided and has to defend and indemnify Teletech Services Corp. in a similar case. Though not a party in the Teletech suit, Sterling agreed to provide that company with a defense, according to the opinion. Faced with competing motions for summary judgment, the court’s decision boiled down to its interpretation of a single line added to the FCRA in a 1996 amendment that outlines damages owed to consumers for willful violations of the law. The insurer argued that Congress meant for those damages to be penalties since they were linked to willful violations, while Sterling said the damages were compensatory and that the policy’s vague language should be interpreted in its favor. The court said that categorizing damages “is not always so clear-cut,” particularly since statutory damages for the FCRA and similar laws are designed to quantify damages that can’t be calculated. Bearing that in mind, the court ruled that since the minimal actual damages provided by the FCRA are compensatory, the statutory damages that often take their place must therefore also be compensatory.
“Interpreting the statutory damages as compensatory results in a more harmonious reading of the FCRA’s overall damages structure,” the court said. In one of the underlying complaints, Dish contractor Scott Ernst said he lost his job when Sterling provided the company with a report detailing a 20-year-old arrest that didn’t lead to any charges. The parties reached a $4.75 million settlement that won preliminary approval in New York federal court in April. In the Teletech suit, Joshua J. Eisner said his job offer with that company was revoked due to information that came up in his background check, but he was never provided with a copy of the report to check it for inaccuracies in violation of the FCRA. Eisner and Teletech reached a settlement in that case in February, the terms of which were not disclosed.

Jul. 17: Numerous tech companies filed amicus briefs with the U.S. Supreme Court expressing concern over the possibility that the Court will support the revival of a putative class action against Spokeo, Inc. for allegedly violating the FCRA by publishing false information about individuals. Eight state attorneys general also filed an amicus brief expressing their concern over the possible revival of Spokeo’s FCRA suit.

On July 7th, a federal district court approved a proposed settlement in a putative class action brought by Chuck E. Cheese’s job applicants alleging that the entertainment and restaurant chain Chuck E. Cheese’s violated the Fair Credit Reporting Act (FCRA) by failing to properly notify prospective employees that it would procure credit reports on individuals as part of its background check process. Specifically, the complaint alleges that Chuck E. Cheese’s “preauthorization form” for obtaining prospective employees’ credit reports was included within the multipage employment application and contained extraneous information, a violation of the FCRA according to the plaintiff. Under the proposed settlement, the 28,500 class members would automatically be entitled to receive $38 without having to submit a claim. Within the class, there is a group of 405 individuals who allege that adverse action was taken from the use of the improper background checks, and the settlement would entitle these individuals to approximately $63. The judge who preliminarily approved the settlement stated that, “[g]iven the risks of litigation and the potential statutory damages, the amount offered in the settlement is fair and reasonable, and this factor weighs in favor of settlement.”

Jun. 30: A federal district court denied Home Depot USA, Inc.’s motion to dismiss a putative class action alleging violations of the FCRA by failing to provide proper notice to prospective employees that background check reports would be procured.

A California worker has filed two Fair Credit Reporting Act class action lawsuits against the popular ride share companies Uber and Lyft, alleging that by not providing clear background check disclosures to prospective employees, these companies violated the Fair Credit Reporting Act (FCRA), the Investigative Consumer Reporting Agencies Act (ICRAA), and the Consumer Credit Reporting Agencies Act (CCRAA). Plaintiff Michael Nokchan has filed two FCRA class action lawsuits against his former employers Uber Technologies Inc. and Lyft Inc., claiming that these two companies routinely violate FCRA statutes by performing undisclosed background checks on their job applicants. FCRA standards require that a background check disclosure is provided to all prospective employees in a clear, stand-alone document. The plaintiff claims that both Lyft and Uber provide background check disclosures, but that these disclosures are buried underneath extraneous information in other hiring paperwork.
http://topclassactions.com/lawsuit-settlements/lawsuit-news/60729-uber-lyft-hit-with-improper-background-check-class-actions/

Neiman Marcus Data Breach
Jul. 24: The IAPP published an article about the Seventh Circuit’s recent decision involving plaintiffs’ standing to sue in a putative class action against Neiman Marcus over a data breach suffered by the retailer.
https://iapp.org/news/a/neiman-marcus-may-open-the-floodgates-for-breach-lawsuits/

On July 20th, the Seventh Circuit revived a putative class action against Neiman Marcus Group LLC (Neiman Marcus) over a 2013 data breach. According to the Seventh Circuit, the plaintiffs whose payment card information was exposed during Neiman Marcus’ data breach suffered enough harm to establish standing to move forward with the litigation. According to the Seventh Circuit, by experiencing fraudulent charges on their credit reports and needing to pay for credit monitoring and identity theft protection services, plaintiffs suffered enough harm to establish standing. The decision sets precedent on a frequently debated issue in data breach litigation over whether a consumer’s risk of harm constitutes enough harm to grant standing, permitting the consumer to file a lawsuit against the breached entity. According to the Seventh Circuit, the Supreme Court decision at issue, Clapper v. Amnesty International USA, addressed “speculative harm based on something that may not even have happened,” adding that, “it is important not to overread Clapper.” As a result, the Seventh Circuit held that plaintiffs in the Neiman Marcus case have standing, stating that “it is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach,” adding that, “[w]hy else would hackers break into a store’s database and steal consumers’ private information?”
Remijas et al. v. The Neiman Marcus Group LLC, No. 14-3122 (7th Cir., July 20, 2015).

FTC Enforcement
On July 24th, the Federal Trade Commission (FTC) told the Third Circuit that the Seventh Circuit’s recent decision establishing plaintiffs’ standing to sue Neiman Marcus over the retailer’s data breach supports the FTC’s argument that it sufficiently alleged consumer harm to establish standing to sue Wyndham. According to the FTC, the Seventh Circuit’s decision granting plaintiffs standing to sue based on consumers’ risk of harm in the Neiman Marcus action upends Wyndham’s argument that the FTC failed to plead facts showing consumer harm as a result of the Wyndham data breach. Specifically, the FTC argues that the Seventh Circuit “held that even though the victims were reimbursed for fraudulent charges, plaintiffs had alleged ‘identifiable costs associated with the process of sorting things out,’ including ‘the aggravation and loss of value of the time needed to set things straight, to reset payment associations after credit card numbers are changed, and to pursue relief for unauthorized charges,’” adding that, “[t]hose alleged harms were sufficient to give plaintiffs standing.”
FTC v. Wyndham Worldwide Corp. et al., No. 14-3514 (3rd Cir., July 24, 2015).

Data Security
On July 17th, plaintiffs filed a putative class action against Experian Data Corp. (Experian) for alleged violations of the Fair Credit Reporting Act (FCRA) and California consumer protection laws by selling consumers’ personal information to a convicted identity thief, who then resold the information to other identity thieves. According to the complaint, an identity thief posed as a private investigator and paid an Experian subsidiary $15,000 a month to obtain access to up to 200 million U.S. citizens’ personal information including Social Security numbers, addresses, birth dates, and bank account information. The complaint asserts that Experian “facilitated in the illicit operation” by failing to perform a “basic” investigation into the identity thief’s business and continuing to “reap[] the financial benefits” from the thief. Specifically, the complaint states that “Experian’s data breach response guide emphasizes the importance of implementing an effective notification program. Experian’s failure to take its own advice to rectify a serious situation that it created, is willful, reckless, and designed to forestall the investigation and obstruct justice.”
Patton et al. v. Experian Data Corp., No. 8:15-cv-01142 (C.D. Cal., July 17, 2015).

California Investigative Consumers Reporting Agencies Act
On July 10th, plaintiffs appealed a decision by a California district court granting summary judgment to defendant First Student, Inc. (First Student) in an action alleging that First Student violated the state’s Investigative Consumer Reporting Agencies Act (ICRAA) by failing to obtain plaintiffs’ consent before conducting a background check. According to the district court, the state law which plaintiffs allege First Student violated, the ICRAA, is unconstitutionally vague due to overlap with California’s Consumer Credit Reporting Agencies Act. Plaintiffs are appealing the lower court’s decision, arguing that the two laws do not conflict with each other and even if two statutes overlap with each other, it does not make one unconstitutional. According to plaintiffs’ counsel, “[t]hese statutes certainly were created to be mutually exclusive.”
Eileen Connor et al. v. First Student, Inc. et al., No. B256075 (Cal. Ct. App., July 10, 2015).

EEOC
On July 10th, the U.S. Equal Employment Opportunity Commission (EEOC) filed a lawsuit against Crothall Services Group, Inc. (Crothall), a nationwide provider of janitorial and facilities management services, for allegedly violating Title VII of the Civil Rights Act of 1964 by “fail[ing] to make and keep required records…that will disclose the impact that its criminal history assessments have on persons identifiable by race, sex or ethnic group.” According to the EEOC’s complaint, Crothall conducts criminal background checks and criminal history assessments on prospective employees and uses the information to make hiring decisions. However, according to the EEOC, Crothall does not create and maintain records indicating the impact that the background checks and assessments have in the company’s hiring decisions. According to Regional Attorney Debra Lawrence of EEOC’s Philadelphia District Office, “[f]ederal record-keeping requirements ensure that certain employers make and keep records that disclose the impact of their selection procedures,” adding that, “EEOC’s enforcement of the record-keeping requirements is important to the agency’s commitment to eliminating discriminatory barriers in the workplace.”
http://www.eeoc.gov/eeoc/newsroom/release/7-10-15e.cfm

OPM Data Breach
On July 15th, a plaintiff filed a putative class action against the Office of Personnel Management (OPM) over the agency’s recently announced data breaches, arguing that OPM failed for years to address vulnerabilities in its cybersecurity. According to the complaint, the plaintiff, a former U.S. attorney’s office employee, argues that OPM disregarded known deficiencies in its security systems made apparent by its Office of Inspector General, which resulted in data breaches that exposed approximately 21.1 million current, former, and prospective federal employees. Specifically, the plaintiff states that, “[s]ince at least 2007, the OPM has been on notice of significant deficiencies in its cyber security protocol,” adding that, “[d]espite the fact that the OPM handles massive amounts of private, sensitive, and confidential information of federal applicants and related non-applicants, the OPM failed to take steps to remedy those deficiencies.”
Woo v. Office of Personnel Management et al, No. 6:15-cv-01220 (D. Kan., July 15, 2015).

Class Action against Uber Technologies
A federal district court stayed a proposed class action, permitting Uber Technologies, Inc. to appeal the court’s decision to reject mandatory arbitration, in a case alleging that the ridesharing company violated the FCRA over its background check policies.

UCLA Health Data Breach
On July 21st, a plaintiff filed a putative class action against UCLA Health System (UCLA Health) over its recently announced data breach (previously reported). According to the complaint, UCLA Health failed to implement security measures that would have prevented the data breach, which involved up to 4.5 million patients’ medical information. Specifically, the complaint states that “[d]ue to defendants’ failure to take the basic steps of encrypting patients’ data, it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants’ patients, or sell to others who would use defendants’ patients’ personal and health information,” adding that the “[d]efendants knew or should have known of the risks inherent in maintaining their customers’ nonpublic personal and health information, and if such information was stolen, it would have dire consequences for those customers.”
Allen v. UCLA Health Systems Auxiliary et al, No. 2:15-cv-05487 (C.D. Cal., July 21, 2015).

Equifax Violation of the FCRA
Plaintiffs who are suing Equifax for alleged violations of the FCRA, based on Equifax’s sending of consumers’ credit reports to Texas tax authorities without the consumers’ consent, filed a joint motion with Equifax to stay the action until the Supreme Court decides Spokeo, Inc. v. Robins, which addresses whether a plaintiff may sue for a bare statutory violation without alleging concrete harm.

CFPB
Jul. 24: The U.S. Court of Appeals for the DC Circuit revived a lawsuit challenging the constitutionality of the CFPB and the recess appointment of CFPB Director Richard Cordray.

FCRA
On July 24th, a plaintiff filed a putative class action against Big Lots Stores, Inc. (Big Lots) for allegedly violating the Fair Credit Reporting Act (FCRA) by running background checks on current and prospective employees without their consent. According to the complaint, Big Lots failed to issue the “standalone” disclosure required by the FCRA, which must inform applicants, in a document consisting solely of the disclosure, that the company will procure consumer reports on them from a third-party consumer reporting agency. Specifically, the plaintiff alleges that Big Lots “routinely and systematically violates the FCRA’s basic protections by failing to provide required disclosures or to obtain written authorization prior to procuring background reports on applicants and employees.” The plaintiff seeks to represent a class of prospective and current employees who applied to Big Lots and had background checks run on them in the past two years without the FCRA-required disclosure, in addition to a separate class of individuals who did not give Big Lots written consent to conduct a background check on them. The plaintiff seeks statutory damages of $100 to $1,000 for each alleged willful FCRA violation.
Robrizine v. Big Lots Stores, Inc., No. 15CH11064 (Cir. Ct. of Cook County, Ill., July 24, 2015).

On July 17th, a federal district court provided insight into the interpretation of the Fair Credit Reporting Act’s (FCRA) section 613 notice requirement, which applies to consumer reporting agencies that report public record information for employment purposes. In Rodriguez v. Equifax Information Services, LLC, the plaintiff had applied for a position with the Office of Personnel Management (OPM) and was granted a security clearance, but allegedly never received notice that public record information about him had been reported, as Section 613 of the FCRA requires. In finding that Equifax had implemented an appropriate process for providing notice to consumers, the district court addressed the ambiguity in the FCRA’s requirement that the notice be sent “at the time” the public record information is reported. According to the district court, there is “more than one reasonable interpretation of what that requirement means,” adding that “Congress did not impose a ‘same time’ requirement with respect to the receipt of the notice; and in 2000, the [FTC] interpreted the ‘at the time’ requirement to permit the mailing” of such a notice.
http://www.immigrationcomplianceinsights.com/2015/07/24/notice-versus-strict-procedures-section-613/
Rodriguez v. Equifax Information Services, LLC, No. 1:14-cv-01142 (E.D. Va., July 17, 2015).

Other Developments

Data Breach
On July 27th, the Daily Dot reported that Planned Parenthood suffered a data breach involving an undisclosed number of employees’ names and email addresses. The Daily Dot obtained a statement from one of the “hackers,” who said the cyberattack was politically motivated, explaining that “[o]bviously what [Planned Parenthood] does is a very ominous practice. It’ll be interesting to see what surfaces when [Planned Parenthood] is stripped naked and exposed to the public.” In a statement emailed to the Daily Dot, Dawn Laguens, Executive Vice President of Planned Parenthood’s U.S. federation, stated that the organization has “seen the claims around attempts to access our systems,” adding that, “[i]t’s unsurprising that those opposed to safe and legal abortion are participating in this campaign of harassment against us and our patients, and claiming to stoop to this new low.” According to the article, the hackers claim they will decrypt and release Planned Parenthood emails “soon.”
http://www.dailydot.com/politics/planned-parenthood-hacked-anti-abortion-3301/

On July 24th, Healthfirst, Inc. (Healthfirst) reported a data breach involving approximately 5,300 current and past members’ names, addresses, birth dates, and health insurance information. According to the breach notice, members’ data may have been compromised as part of a “criminal fraud scheme” perpetrated against Healthfirst. Healthfirst emphasized that Social Security numbers and credit card information were not affected. According to Healthfirst, on May 27, 2015, the Department of Justice notified Healthfirst that an “individual who perpetrated a fraud against Healthfirst may have stolen information about Healthfirst’s patients” from the health plan’s online portal. Upon learning of the incident, Healthfirst launched an investigation and determined on July 10, 2015, that the perpetrator had accessed members’ information between April 11, 2012, and March 26, 2014, a window of nearly two years that went undetected until the DOJ notification. Healthfirst recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring and identity theft services for one year at no cost.
http://healthfirst.org/blog/healthfirst-provides-notice-of-data-security-incident/

Jul. 17: UCLA Health System reported a data breach involving approximately 4.5 million patients’ names, addresses, and Social Security numbers.

Jul. 17: CVSPhoto.com reported that the third-party vendor that manages and hosts the CVSPhoto.com site may have suffered a data breach involving an undisclosed number of customers’ payment card information.
http://www.cvsphoto.com/

On July 13th, Insurance Services Office, Inc. (ISO), a provider of information and analytics to the property and casualty insurance industry, reported a data breach involving an undisclosed number of policyholders’ contact information, birth dates, Social Security numbers, insurance policy numbers, and driver’s license numbers. According to the breach notice, a County Prosecutor’s office in the State of New Jersey and the National Insurance Crime Bureau investigated an incident involving suspected unauthorized use of insurance data. The investigation revealed that certain personal information may have been viewed by unauthorized individuals. The notice provides no further detail about how the access occurred or how long it lasted. ISO recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring services for one year at no cost.
http://oag.ca.gov/system/files/ISO%20Template%20Notification_0.pdf

On July 10th, The Hill reported that Office of Personnel Management (OPM) Director Katherine Archuleta had resigned as head of the agency. On July 9th, OPM updated the data breach notice on the agency’s website, stating that “sensitive information…of 21.5 million individuals was stolen from the background investigation databases.” According to the updated announcement, the “hackers” obtained individuals’ names, birth dates, Social Security numbers, mental health records, and financial histories, among other information. According to OPM, for individuals who “underwent a background investigation through OPM in 2000 or afterwards…it is highly likely that [they] are impacted by the incident involving background investigations,” adding that even individuals who “underwent a background investigation prior to 2000…may be impacted, but it is less likely.”
The Hill Article: http://thehill.com/policy/cybersecurity/247513-opm-director-resigns-over-hack
OPM Breach Update: https://www.opm.gov/news/releases/2015/07/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats/

Jul. 10: Rep. Eleanor Holmes Norton (D-DC) introduced HR 3029 to “require the [OPM] to provide complimentary, comprehensive identity protection coverage to all individuals whose personally identifiable information was compromised during recent data breaches at federal agencies.” The bill’s text has yet to be released.

On July 10th, the Army National Guard (ANG) reported a data breach involving an undisclosed number of former and current members’ names, Social Security numbers, birth dates, and home addresses. The data breach notice on the ANG’s website does not specify when the ANG discovered the breach. According to the statement, “[a]ll current and former Army National Guard members since 2004 could be affected by this breach because files containing personal information was inadvertently transferred to a non-Department of Defense-accredited data center by a contract employee.” The breach, according to the ANG, is unrelated to the data breaches reported at the Office of Personnel Management. Major Earl Brown, a spokesman for the National Guard Bureau, said in a statement that the “issue was identified and promptly reported, and we do not believe the data will be used unlawfully.”
http://www.nationalguard.mil/News/ArticleView/tabid/5563/Article/607769/army-national-guard-announces-data-breach-establishes-call-center.aspx

On July 10th, Mandarin Oriental (Mandarin) reported a data breach involving approximately 2,835 guests’ names and payment card information. According to the breach notice, on February 25, 2015, Mandarin learned of a potential “malware attack” on its payment card systems and notified law enforcement and the credit card companies so the incident could be investigated. The investigation revealed that the “hacker” used malware to gain access to the payment systems of a “number of Mandarin hotels.” Mandarin emphasized that it has no evidence that any information has been misused. Nevertheless, Mandarin recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring and identity theft services at no cost for one year.
http://oag.ca.gov/system/files/CHI-%232933532-v1Mandarin_State_Regulator_Breach_Notification_CA_0.pdf

On July 9th, Senators Benjamin Cardin (D-MD), Barbara Mikulski (D-MD), Mark Warner (D-VA), and Tim Kaine (D-VA) introduced S. 1746, the Reducing the Effects of the Cyberattack on [Office of Personnel Management (OPM)] Victims Emergency Response Act of 2015 (RECOVER Act). The bill would require OPM to “provide complimentary, comprehensive identity protection coverage to all individuals whose personally identifiable information was compromised during recent data breaches at Federal agencies.” Under the bill, affected individuals of the OPM data breach would receive lifetime coverage and not less than $5 million of identity theft insurance. According to a statement by Cardin, “[o]ff-the-shelf solutions are not good enough. We need to plug the holes in the federal network and make sure our workers, their families and all those who have been violated are held harmless from any damage that may be done.”
http://www.cardin.senate.gov/newsroom/press/release/cardin-mikulski-warner-kaine-call-for-stronger-protections-for-the-millions-affected-by-the-recent-opm-data-breaches

Jul. 9: AeroGrow International reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information.
http://ago.vermont.gov/assets/files/Consumer/Security_Breach/2015-07-09%20AeroGrow%20International%20SBN%20to%20Consumer.pdf

On July 6th, Automotive Recovery Services, Inc. (ARS), a vehicle donation processing center, reported a data breach involving an undisclosed number of customers’ names, Social Security numbers, email addresses, phone numbers, and driver’s license numbers. According to the breach notice, ARS discovered that, between July 2012 and May 2015, unauthorized individuals gained access to its “systems,” an intrusion window of almost three years. ARS emphasized that there is no indication that any information has been misused, stolen, or compromised. Nevertheless, ARS recommends that individuals monitor their credit reports and is offering affected customers credit monitoring and identity theft protection services for one year at no cost.
http://oag.ca.gov/system/files/KAR_Sample%20Consumer%20Breach%20Notification%20Letter_0.pdf

International Developments

Cybersecurity
On July 6th, the Securities and Exchange Board of India (SEBI) released a circular urging the country’s financial institutions to strengthen their cybersecurity. According to SEBI, financial institutions in India must improve their cybersecurity by limiting who may access their data and by monitoring cyberthreats against their networks. SEBI expects that improved cybersecurity practices will prevent data breaches from occurring or, at a minimum, mitigate the damage caused by breaches that cannot be avoided. The circular frames access control in least-privilege terms: “[n]o person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities,” adding that “[a]ny access to [financial institutions’] systems, applications, networks, databases, etc., should be for a defined purpose and for a defined period.”
http://www.sebi.gov.in/cms/sebi_data/attachdocs/1436179654531.pdf

South Africa
CV Fraud in South Africa at Record High. A background screening company says that 2015 is proving to be a record year for credential cheats, with the share of prospective employees whose criminal record checks come back positive now topping 12%, a marginal rise over the prior year, according to checking firm EMPS. Kirsten Halcrow, the managing director of EMPS, said what was even more disturbing was that 38% of the candidates who tested positive for a criminal record were repeat offenders, with some job applicants having up to 20 convictions.
http://businesstech.co.za/news/business/93030/cv-fraud-in-south-africa-at-record-high/

Miscellaneous

Health IT Outcomes reports that “two-thirds of healthcare organizations had significant data breaches” in the past year.
http://www.healthitoutcomes.com/doc/two-thirds-healthcare-organizations-significant-data-security-breaches-0001

Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or robert.belair@agg.com.