Federal Developments
CFPB Enforcement
On October 29th, the Consumer Financial Protection Bureau (CFPB) announced a settlement with “two of the largest background screening report providers, ” requiring them to pay $13 million for alleged violations of the Dodd-Frank Act and the Fair Credit Reporting Act (FCRA) by failing to maintain comprehensive information about job candidates in their reports. According to the CFPB, the “serious inaccuracies reported…potentially affected consumers’ eligibility for employment and caused reputational harm.” Under the terms of the CFPB’s Order, the defendants are required to: • Provide $10.5 million in relief to harmed consumers; • Pay a civil monetary penalty of $2.5 million; • Revise their compliance procedures; and • Develop a comprehensive audit program.
http://www.immigrationcomplianceinsights.com/2015/10/29/cfpb-enforcement-action-against-two-background-screeners/
http://www.consumerfinance.gov/newsroom/cfpb-takes-action-against-two-of-the-largest-employment-background-screening-report-providers-for-serious-inaccuracies/
EPIC Lawsuit Against DOJ
EPIC filed a lawsuit against the DOJ to obtain a “secret agreement between the United States and the European Union concerning the transfer of personal information.”
https://epic.org/2015/11/epic-sues-for-release-of-secre.html
Strengthening of Background Checks for Student Visas
Nov. 19: Rep. Gus Bilirakis (R-FL) introduced HR 4089 which would strengthen background checks for student visas and improve monitoring of foreign students.
https://www.congress.gov/bill/114th-congress/house-bill/4089?q=%7B%22search%22%3A%5B%22%5C%22hr4089%5C%22%22%5D%7D&resultIndex=1
Court Cases
FCRA
On November 2nd, the U.S. Supreme Court heard oral arguments in Spokeo v. Robins, a case brought on behalf of consumers against Spokeo for alleged violations of the Fair Credit Reporting Act (FCRA) by publishing incomprehensive information about people on its “people search” website. On October 5th, Spokeo filed a brief with the U.S. Supreme Court urging it to overturn the Ninth Circuit’s decision to revive the plaintiff’s putative class action. According to Spokeo, the plaintiff has not alleged any concrete harm, stating that “[t]he choice here is between respondent’s standard requiring only the violation of a ‘personal’ statutory right, without palpable harm to the plaintiff; and requiring palpable harm, ” contending that, “[o]nly the latter approach accords with history, separation-of-power principles and precedent.” On November 1st, Reuters reported on the case and its impact on other class actions brought against technology companies, stating that “[i]f the court rules for…Spokeo and finds that a consumer lawsuit cannot proceed when the plaintiff cannot show he is being harmed, it could curtail a recent wave of class action cases against online companies.” Spokeo, Inc. v. Thomas Robins et al., No. 13-1339 (S. Ct., Nov. 2, 2015).
Reuters: http://www.reuters.com/article/2015/11/01/us-usa-court-classaction-idUSKCN0SQ1S420151101
FCRA and Background Screening
On November 20th, Dish Network LLC (Dish) asked a New York federal court to deny class certification to a group of employees alleging that the company violated the Fair Credit Reporting Act (FCRA) in its background check procedures. In December 2012, the proposed class of satellite installers alleged that Dish obtained their credit reports without proper authorization when conducting background checks, which violated the FCRA’s disclosure requirements. However, Dish argues that the court should deny class certification because not all of the installers are able to demonstrate harm. Dish also maintains that they did not knowingly violate the FCRA’s disclosure requirements and therefore, “the court should flatly reject plaintiffs’ disingenuous claim that Dish did not care what forms were used in light of Dish’s significant efforts to ensure the third- party contractors complied with the FCRA.” Ernst et al. v. Dish Network LLC et al., case number 1:12-cv-08794, in the U.S. District Court for the Southern District of New York.
Nov. 13: A federal district court granted final approval of a $4.75 million settlement between background screening company Sterling Infosystems, Inc. and a class of Dish Network LLC satellite television installers in an action alleging violations of the FCRA by providing alleged incomprehensive information to their employer.
On November 11th, Hirease, LLC (Hirease), a background screening company, asked a federal judge to be dropped from a putative class action by drivers who were denied employment by Uber, Inc. (Uber) based on allegedly unlawful background checks. According to the plaintiffs, Uber and Hirease violated the Fair Credit Reporting Act (FCRA) for failure to provide a clear and conspicuous disclosure (Uber and Hirease) and failure to follow the pre-adverse action process (Uber). However, Hirease argues that the FCRA requires the hiring company, not the background screener, to make the proper disclosure and to provide potential employees with their results. In a statement, Hirease stated that, “the disclosure requirement in section 1681b(b)(2) belongs solely with the end-user, that is, the entity procuring the consumer report- not the [consumer reporting agency.]” Joseph Cuccinello et al. v. Uber Inc. et al., case number 2:15-cv-06604, U.S. District Court for the District of New Jersey.
Background Checks
On November 2nd, a plaintiff filed a class action against discount retail chain Big Lots Stores, Inc. (Big Lots) for alleged violations of the Fair Credit Reporting Act (FCRA) over its background check procedures. According to the complaint, the plaintiff alleges that Big Lots “systemically” violated the FCRA’s standalone background check disclosure requirement. According to the plaintiff, Big Lots’ disclosure form contained extraneous information, a violation of the FCRA. The extraneous information, according to the plaintiff, included a provision stating how the candidate “understands that all employment decisions are based on legitimate nondiscriminatory reasons.” Specifically, the plaintiff states that the “[d]efendant repeatedly and routinely uses the same unlawful document with all of its employees on whom it procured consumer reports or otherwise failed to provide them with the required stand-alone disclosure.” Aaron Abel v. Big Lots Stores, Inc., No. 151100286 (Philadelphia County Crt. of Common Pleas, Nov. 4, 2015).
Transatlantic Personal Data Transfers
On November 4th, the Electronic Privacy Information Center (EPIC) filed a lawsuit against the Department of Justice (DOJ) to obtain a “secret agreement between the United States and the European Union concerning the transfer of personal information.” According to EPIC, Congress is considering the data privacy and protection agreement, which U.S. and European officials finalized in September, but the text of the agreement has yet to be made public. Specifically, EPIC contends that “[t]he DOJ has withheld from the public the text of an agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans.” EPIC v. U.S. Department of Justice, No. 1:15-cv-01955 (D.D.C., Nov. 4, 2015).
California Supreme Court / Background Checks
On November 25th, the California Supreme Court announced that it will consider whether the Investigative Consumer Reporting Agencies Act (ICRAA) is “unconstitutionally vague” when applied to employee background checks because of its overlap with California’s Consumer Credit Reporting Agencies Act (CCRAA). A class of bus drivers brought forth the original case, alleging that First Student, Inc. (First Student) did not gain prior written consent necessary under the ICRAA, but not the CCRAA, when conducting background checks. A Los Angeles Superior Court ruled that the ICRAA was unconstitutionally vague and granted summary judgement to First Student. However, the Second Appellate District reversed this ruling, saying that, “the applicability of the CCRAA does not render the ICRAA unconstitutionally vague.” Connor v. First Student, case number S229428, in the California Supreme Court. http://www.immigrationcomplianceinsights.com/2015/11/30/california-law-and-background-screening/
State Developments
Starwood Data Breach
On November 20th, Starwood Hotels & Resorts Worldwide (Starwood) announced that fifty-four of its North American hotels suffered a breach of customer debit and credit card information. According to a statement from Sergio Rivera, president of the Americas for Starwood, the hotels’ payment processing system was infected with malware that collected the names, numbers, security codes, and expiration dates on consumers’ credit and debit cards. In his statement, Rivera said that Starwood is working with law enforcement and the company has “implemented additional security measures to help prevent this type of crime from reoccurring.” News of this breach comes just four days after the announcement that Marriott International, Inc. had purchased Starwood for $12.2 billion.
http://www.wsj.com/articles/starwood-reports-payment-information-data-breach-1448033469
Georgia Voter Data Breach
On November 17th, a proposed class action was filed against Georgia Secretary of State Brian Kemp over his office’s recently announced data breach. Kemp’s office maintains Georgia voter registration files and regularly sends information from the database, including voter names, affiliation, address, gender, and ethnicity, to political parties and the media. However, Kemp’s staff inadvertently included sensitive personal data of 6 million voters, including social security numbers, in 12 discs sent out in October. In a statement on November 19th, Kemp said that, “My staff has verified with the media outlets and political parties that received these discs that they have not copied or otherwise disseminated confidential voter data to outside sources.” In their suit, the plaintiffs allege that Kemp violated Georgia’s Personal Identity Protection Act of 2007 in his delayed response to the incident. Elise Piper et al. v. Brian Kemp, case number 2015CV268170, in the Superior Court of Fulton County, Georgia.
Hilton Data Breach
The Wall Street Journal reported that Hilton Worldwide has suffered a security breach of customer payment card data.
http://www.wsj.com/articles/hilton-hotel-chain-reports-data-breach-1448404248
International Developments
IAPP
Oct. 30: The IAPP published an article entitled, “After Safe Harbor: The Role of the DPA.”
https://iapp.org/news/a/after-safe-harbor-the-role-of-the-dpa/
EU Safe Harbor
On October 29th, European Union (EU) Justice Commissioner Vera Jourova, during an Amsterdam privacy conference, delivered prepared remarks about the status of the data-sharing agreement that will replace the U.S.-EU Safe Harbor. According to Jourova, EU and U.S. officials are in the midst of “intense” discussions, but “more clarity” is needed about EU citizens’ privacy protections from U.S. intelligence agencies. Jourova stated that “[s]ince any new arrangement has to live up to the standard of the [recent high court] ruling, we need more clarifications from our U.S. counterparts on a number of points, in particular to show that there is a substantially equivalent level of protection, ” adding that, “[o]nly a comprehensive framework with commitments and enforcement by the U.S. authorities can ensure in practice the level of data protection Europeans deserve and are entitled to under EU data protection law.
http://europa.eu/rapid/press-release_SPEECH-15-5949_en.htm
Transatlantic Personal Data Transfers
On November 13th, U.S. and European consumer advocacy and privacy groups sent a letter to the U.S. Department of Commerce and its European counterpart urging them to enhance privacy measures in a new data transfer agreement. According to the letter’s signatories, an agreement that resembles the previous Safe Harbor program would be inadequate. The letter was sent a week prior to a scheduled meeting later this week between U.S. Commerce Secretary Penny Pritzker and European Union Commissioner Vera Jourova. Specifically, the letter states that “[d]ata protection is the foundation of trust for the Internet economy, ” adding that, “[i]t is for this reason that a ‘Safe Harbor 2.0’ per se will not provide a viable framework for future transfers of personal information.”
http://thepublicvoice.org/EU-US-NGO-letter-Safe-Harbor-11-15.pdf
On November 6th, the European Commission (Commission) released “guidance” to the European Parliament and the Council regarding transatlantic data transfers. According to the Commission, a “renewed and stronger” data sharing agreement is expected to be completed within three months. According to the Commission, since the European Court of Justice’s November 6th ruling it “has immediately resumed and stepped up its talks with the U.S. government in order to ensure that any new arrangement for transatlantic transfers of personal data fully complies with the standard set by the court.” According to a fact sheet released by the Commission, European Union and United States officials have already agreed in principle on 11 of13 recommendations on transparency, redress, and enforcement. However, the Commission emphasized that the parties are “still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court.”
http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
