HUD Guidelines on Background Screening
On April 4th, the U.S. Department of Housing and Urban Development (HUD) announced its guidance on the use of criminal background checks in screening for housing. The guidance creates a framework for analyzing claims that a housing provider’s use of criminal history “violates the Fair Housing Act because it results in a discriminatory effect.” HUD emphasizes that the guidance is only a beginning and suggests that the Department may bring enforcement actions in the near future. The guidance establishes a “burden-shifting standard,” a three-step process for proving the discriminatory use of criminal history screening in housing. In the first step, a court analyzes whether the plaintiff can demonstrate that the criminal history policy has a disparate impact on a protected class. In the second step, the housing provider must prove that the policy serves a “substantial, legitimate, nondiscriminatory interest,” and it must also demonstrate that the policy has actually been effective in achieving that stated interest. If the housing provider meets that standard, the burden shifts back to the plaintiff in the third step to demonstrate that a different policy or practice would serve the same interest with a less discriminatory effect. The guidance also specifies that housing policies must “comprehensively distinguish between criminal conduct that indicates a demonstrable risk to resident safety and/or property and criminal conduct that does not.”
Ted Dean, Deputy Assistant Secretary of the Department of Commerce’s International Trade Administration, said that the Privacy Shield data sharing agreement between the U.S. and the EU will endure past President Obama’s term.
The CFPB published its 2015 Consumer Response Annual Report, which contains details and analysis of the consumer complaints the agency received last year.
Fair Chance Business Pledge
On April 13th, U.S. Attorney General Loretta Lynch, Senior Advisor to the President Valerie Jarrett, and other White House officials announced the creation of the “Fair Chance Business Pledge,” a “call-to-action” for businesses to give individuals with a criminal history the opportunity for employment. The pledge is part of President Obama’s ongoing commitment to reform the criminal justice system and to improve outcomes for those with criminal histories. Companies that have signed the pledge so far include American Airlines, Inc.; The Coca-Cola Company; Facebook, Inc.; Google, Inc.; The Hershey Company; Starbucks Corp.; Uber Technologies, Inc.; and several others. By signing the pledge, each of these companies commits to “creating a pathway for a second chance” by taking measures such as “banning the box” on employment applications and not discounting applicants with criminal records when hiring. Each company wrote its own pledge detailing the specific steps it has taken or will take to achieve these goals. For instance, The Coca-Cola Company pledges “not [to] engage in background screening related to criminal history until after a decision has been made. When there is a successful applicant who has a criminal history, our talent acquisition team has in place a process to review the relevancy of the history to make an informed decision.”
The GSA announced that it will start asking companies about their cybersecurity policies, products, and services.
Senate Encryption Bill
On April 13th, an official copy of the Senate Intelligence Committee’s proposed encryption bill was released. The bill was jointly drafted by Chairman Richard Burr (R-NC) and Ranking Member Dianne Feinstein (D-CA). The release of the official draft came a week after a discussion copy was widely criticized by tech companies and privacy rights groups. The proposed measure would require companies to provide “information or data to the government in an intelligible format” when ordered to do so by a court. The measure would also require companies to provide “technical assistance as is necessary to obtain such information or data.” This language appears to be a direct response to Apple, Inc.’s dispute with the Federal Bureau of Investigation (FBI), in which the company challenged a court order directing it to build software to access information on an iPhone. The official draft contains several critical changes from the discussion draft, including a list of crimes that clarifies when the government can seek court orders for technical assistance. The list is limited to crimes resulting in “death or ‘serious bodily harm,’ federal crimes against a minor, serious violent felonies, and federal drug crimes.” The draft notably lacks any provision specifying penalties for failing to comply with a court order. The bill faces limited prospects of becoming law. Some politicians have already voiced their opposition, including Senator Ron Wyden (D-OR), who has threatened to filibuster the measure in its current form. The White House has also stated that it is skeptical of the Senate’s ability to pass “constructive legislation.”
Credit Scores
On April 20th, Representative Steve Cohen (D-TN) introduced H.R. 5010, entitled The Fair Access to Credit Scores Act of 2016. The bill has several cosponsors, including Eleanor Holmes Norton (D-DC), John Conyers (D-MI), and Raul Grijalva (D-AZ). The bill would give consumers access to the credit score that lenders actually use. Cohen describes his measure as an expansion of the Dodd-Frank Wall Street Reform and Consumer Protection Act requirement that consumers be provided with a free copy of their score if they receive an adverse decision. The Congressman stated that the bill would play an important role in empowering consumers, saying, “Unfortunately, many Americans may find monitoring their credit scores to be difficult and expensive because gaining access to reliable and affordable information about their credit scores is not nearly as easy as it should be. The Fair Access to Credit Scores Act would require that a consumer’s credit score be included with their annual free credit report.” Cohen also stated that many consumers are tricked into paying for “free” credit scores by agencies that offer credit monitoring services. Representative Cohen previously introduced this legislation in 2013; it was referred to the House Financial Services Committee, where it was never voted on.
Data Breach Litigation
On April 18th, the Electronic Privacy Information Center (EPIC) filed an amicus brief in support of workers suing Paytime, Inc. (Paytime) over its 2014 data breach. The plaintiffs allege that Paytime, a payroll company, violated its contracts by not adequately securing its data, which resulted in a massive breach that exposed the workers’ Social Security numbers, bank account information, and birth dates. A lower court dismissed the case, ruling that the plaintiffs lacked standing because there was no evidence that their data had been misused, a ruling the workers have since appealed. EPIC argues in its amicus brief that the plaintiffs have standing based on the fact that their sensitive information was improperly accessed. According to the brief, “In data breach cases, the legal injury is the very fact – undisputed in this and other data breach cases – that third parties stole plaintiffs’ sensitive personal information, a violation of their legally protected interest. Whether defendants are liable for the downstream consequences caused by that breach, and how those consequences should be quantified, are simply irrelevant to the standing analysis.” Storm et al. v. Paytime Inc., case number 15-3690, in the U.S. Court of Appeals for the Third Circuit.
On April 14th, the Seventh Circuit Court of Appeals reversed a lower court’s decision to dismiss the proposed class action against P.F. Chang’s China Bistro, Inc. (P.F. Chang’s) over its June 2014 data breach. The appellate court found that a “substantial risk of harm” can be inferred from a data breach because hackers will most likely use the stolen information to steal consumers’ identities or commit fraud. The court had previously ruled in Remijas et al. v. The Neiman Marcus Group, LLC (Neiman Marcus) that customers whose credit card information was stolen have standing to sue for damages if they found it necessary to purchase fraud prevention services. Before the Neiman Marcus decision, both plaintiffs had claimed the cost of their meals at P.F. Chang’s as their injury, arguing that they would not have eaten there had they known about the company’s flawed data security. The lawsuit will now resume in the lower court. John Lewert and Lucas Kosner v. P.F. Chang’s China Bistro, Inc., case number 14-3700, in the U.S. Court of Appeals for the Seventh Circuit.
March 30: A putative class action was filed against 21st Century Oncology over its data breach that compromised the information of 2.2 million patients.
On March 30th, employees of Lamps Plus, Inc. (Lamps Plus) filed a class action suit against the company for negligence, breach of implied contract, invasion of privacy, violations of California’s consumer records law, and violations of the Fair Credit Reporting Act. Lamps Plus is the largest lighting retailer in the country. The class action stems from a recent data breach in which employee tax records were stolen from the company. The employees allege that the company did not take adequate measures to ensure that their personal information would be kept safe. Many of the employees have since had fraudulent tax returns filed in their names by criminals using information stolen in the breach. Over 1,300 employees have joined the class action. In response to the breach, the company has offered its employees one year of credit monitoring and identity counseling. Frank Varela et al. v. Lamps Plus Inc. et al., case number 5:16-cv-00577, in the U.S. District Court for the Central District of California, Eastern Division – Riverside.
April 1: Intuit, the maker of TurboTax, urged a California federal court to dismiss the consolidated litigation accusing the company of failing to secure its data, resulting in criminals filing fraudulent tax returns.
Wendy’s asked a judge to dismiss a proposed class action against the company for its alleged poor data security practices.
CareFirst Blue Cross Blue Shield
Blue Cross and Blue Shield Association and CareFirst Blue Cross Blue Shield requested that charges against them related to the Anthem, Inc. data breach be dropped.
On April 7th, Uber Technologies, Inc. (Uber) reached a $25 million settlement with the County of Los Angeles and the City and County of San Francisco. The settlement ends a lawsuit filed by the two counties accusing Uber of misleading consumers about their safety and about the company’s background check procedures. Uber will now be required to change its marketing materials, which previously advertised the service as the “safest ride on the road.” The company had also described its background checks as the “gold standard.” These claims continued to be promoted even after it was revealed that individuals with criminal records had made it through the company’s background screening process. The settlement consists of a $10 million civil penalty plus an additional $15 million penalty if the company fails to make the required changes to its marketing materials within two years. San Francisco District Attorney George Gascon made clear that the case was a warning to Silicon Valley companies, stating, “It sends a clear message to all businesses, and to startups in particular, that in the quest to quickly obtain market share, laws designed to protect consumers cannot be ignored.”
FCRA / Background Checks
On April 7th, a putative class action was filed against J.B. Hunt Transport, Inc. (J.B. Hunt), a trucking company, for allegedly violating the Fair Credit Reporting Act (FCRA) in its background check procedures. The plaintiff claims that J.B. Hunt did not disclose to him and other prospective employees that it was obtaining copies of their consumer reports during the hiring process. The plaintiff also alleges that J.B. Hunt failed to give applicants the opportunity to dispute the findings after it made an adverse hiring decision. According to the complaint, J.B. Hunt “violated the FCRA by not obtaining proper authorization from named plaintiffs and those similarly situated to procure consumer reports and by not providing them with proper disclosure of their rights after defendant made an adverse employment decision based wholly or in part on consumer reports.” The plaintiff seeks statutory damages of between $100 and $1,000 per class member. Stanley Napier v. J.B. Hunt Transport Inc., case number 1:16-cv-01955, in the U.S. District Court for the District of New Jersey.
Data Breach Covered Under Traditional Policy, 4th Circ. Says
On April 11th, the Fourth Circuit upheld a Virginia district court ruling that required Travelers Indemnity Co. of America (Travelers) to cover the defense of its policyholder Portal Healthcare Solutions LLC (Portal) in a proposed class action brought by consumers whose sensitive medical information was exposed in a data breach. The original complaint was brought against Portal in April 2013 by consumers who claim that the company failed to adequately safeguard their confidential medical records; two of the patients claim that they were able to view their full records online through a Google search. Portal sued Travelers after the insurer refused to cover its defense costs. In August 2014, a U.S. district judge ruled in favor of Portal, citing the personal and advertising injury provision in Travelers’ general liability policy. The Fourth Circuit affirmed the ruling less than a month after hearing oral argument, writing that the lower court’s opinion “concluded that the class action complaint ‘at least arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the policies.” Travelers Indemnity Co. of America v. Portal Healthcare Solutions LLC, case number 14-1944, in the U.S. Court of Appeals for the Fourth Circuit.
Payment Processor
On April 8th, YapStone, Inc. (YapStone), a payment processor, filed a motion to dismiss a proposed class action brought by customers of the vacation rental website VRBO over a YapStone data breach that exposed their information. The original complaint was filed in September 2015 after YapStone, which provides payment processing services for VRBO, informed customers that personal information associated with their VRBO accounts had been exposed to unauthorized parties. The plaintiffs allege that YapStone failed to adequately protect consumers’ personal information and failed to notify them of the breach in a timely fashion. The plaintiffs specifically ask the court to order YapStone to implement appropriate data security policies, pay for three years of credit monitoring services, and send customers individualized notifications about the breach, and they seek damages related to the breach. In its latest filing, however, YapStone argues that the case should be dismissed because the information compromised in the breach, which includes email addresses and bank account information, was not “personally identifiable” under the law. According to YapStone’s motion, “What plaintiffs are requesting of the Court would lead to dangerous precedence, where businesses and individuals are sued for the tradition of using checks over the counter as if they were cash. Checks with contact and bank account information are routinely exchanged over the counter and in the open, without any additional regard, as if cash was being exchanged.” In re YapStone Data Breach, case number 4:15-cv-04429, in the U.S. District Court for the Northern District of California.
April 8: A proposed class action was filed against J.B. Hunt Transport for allegedly violating the FCRA for obtaining prospective employees’ credit reports without their consent.
No Harm, No Foul, No Standing In Data Breach Row, IRS Says
Taxpayers who sued the Internal Revenue Service in a proposed class action over a data breach last year that exposed the information of some 330,000 people have not shown that they were harmed by the incident, the IRS told a District of Columbia federal court Friday.
On April 12th, D.C. Circuit Judges Brett Kavanaugh and Raymond Randolph heard oral argument in PHH Corp.’s (PHH) challenge to the Consumer Financial Protection Bureau (CFPB). Judge Kavanaugh criticized the CFPB’s single-director structure and observed that “there are very few precedents” for agencies organized in that manner. The statements made during argument track PHH’s position that the agency is unconstitutionally structured, wielding unprecedented powers under limited control, an argument that appeared to be well received by the panel. The case arose from a CFPB enforcement action against PHH for violating the Real Estate Settlement Procedures Act. CFPB Director Richard Cordray increased the penalty imposed in that proceeding from $6.4 million to $109 million, leading PHH to challenge the Bureau in court. According to those in attendance, the judges were very “forceful” in questioning the CFPB’s counsel, Lawrence DeMille-Wagman. At the panel’s request, DeMille-Wagman offered a potential remedy for the constitutional problem with the Bureau’s structure: striking the language in the Consumer Protection Act that limits the President’s authority to remove the CFPB Director to removal “for cause.” If the judges accept PHH’s arguments, other companies hit with CFPB enforcement actions will likely challenge the Bureau’s prior rulings on similar constitutional grounds.
Kansas Security Freeze
March 31: The Kansas state legislature enacted H.B. 2134, which authorizes “consumer credit report security freezes for individuals less than 18 years old.”
Data Breach Notification Law
On March 24th, Governor Bill Haslam of Tennessee signed Senate Bill 2005, which amends the state’s data breach notification statute and takes effect on July 1st. Under the new provision, companies suffering a data breach must notify affected Tennessee residents within 45 days of the breach. The previous statute set no fixed deadline and required only that companies inform consumers within the “most expedient time possible.” The law allows an exception to this timeline for law enforcement purposes. The amendment also requires that all data breaches be reported, regardless of whether the data was encrypted. Finally, the bill redefines “unauthorized person” to include employees who use personal information for illegal purposes.
On April 13th, Nebraska enacted L.B. 835, entitled “An Act Relating to Consumer Protection.” The measure amends the state’s Credit Report Protection Act, simplifying the process for requesting security freezes from credit reporting agencies. It also lowers the age under which one is considered a “protected consumer” from 19 to 16. The act amends the state’s data breach notification statute to require that companies inform the Nebraska Attorney General whenever existing law requires them to notify affected state residents. The law narrows the encryption safe harbor: a company must still notify users of a breach of encrypted data if there is a reasonable chance that the encryption key was also compromised. The data breach portion of L.B. 835 also expands the categories of data that qualify as “Personal Information” to include a username or email address “in combination with a password or security question.” The measure was signed by Governor Pete Ricketts (R) after being presented to him on April 7th.
April 1: IAPP published an editorial on the role of states in protecting data privacy and cybersecurity for their residents.
European Data Protection Authorities
The Hill reported that the working group of European data protection authorities will issue their opinion on the US-EU privacy shield next week.
Microsoft Gives Boost To US-EU Data Accord
Microsoft Corp. on Monday came out in full support of a sweeping data transfer pact between the U.S. and the European Union, hailing the deal for its commitment to privacy and vowing to fully implement the agreement once it takes effect.
On April 13th, the Article 29 Working Party, which is comprised of the data protection authorities of the European Union (EU) member states, released its opinion on the Privacy Shield data sharing agreement between the EU and the United States. The Working Party believes that Privacy Shield offers “significant improvements” over the former Safe Harbor agreement. However, the Working Party still has “strong concerns” about several aspects of the deal. Specifically, it says the agreement fails to provide “sufficient details” about limits on the U.S. government’s ability to conduct surveillance on European citizens. The Working Party also argues that Privacy Shield fails to adequately reflect important data protection principles already established in EU law. The opinion notes that Privacy Shield will need to be re-evaluated in 2018, when the EU’s General Data Protection Regulation takes effect. The Working Party also takes issue with the fact that Privacy Shield is set out in a series of letters and legal documents rather than a single unified document, which it says “contributes to an overall lack of clarity.” The Working Party welcomed the creation of an ombudsman within the U.S. Department of State to handle complaints from EU citizens, but it is concerned that the ombudsman is “not sufficiently independent” and is unable to offer adequate redress to consumers. The opinion concludes that the European Commission needs to address the Working Party’s concerns to “ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.”
On April 5th, Isabelle Falque-Pierrotin, who chairs the Article 29 Working Party of the European Union’s (EU) data protection authorities, participated on a panel at the Global Privacy Summit of the International Association of Privacy Professionals (IAPP). During her remarks, Falque-Pierrotin assured the audience that the Working Party’s forthcoming opinion on the proposed Privacy Shield data sharing agreement would provide more clarity to stakeholders, not confusion, saying, “I get the impression that the opinion of the Working Party 29 is going to increase the uncertainty, but I think it’s going to do exactly the opposite. If the Working Party 29 expresses now an opinion, it will aim at reducing the legal uncertainty by saying the Shield is okay or the Shield needs to be complemented in order to prevent further legal uncertainty in front of the court.” U.K. Information Commissioner Christopher Graham also participated on the panel and said that any predictions about the Working Party’s opinion, which was expected to be released the following week, were “highly speculative,” and that “there’s no point in rehearsing it all now.”
The Article 29 Working Party recommended that the European Commission not approve the Privacy Shield unless substantial changes are made to the national security data collection provisions.
- The Hill reported on Chairwoman Isabelle Falque-Pierrotin’s concerns about the privacy ombudsman within the U.S. government. http://thehill.com/policy/cybersecurity/276122-eu-privacy-watchdogs-raise-surveillance-concerns-with-us-data-deal
- Some tech groups have criticized the Working Party for not recommending approval of the Privacy Shield, citing fears of a decrease in trade between Europe and the U.S. http://thehill.com/policy/cybersecurity/276174-tech-hits-back-at-eu-privacy-regulators
- The Future of Privacy Forum congratulated the Working Party on its report and recommendations. https://fpf.org/2016/04/13/eu-us-privacy-shield-gets-nuanced-review-by-eu-privacy-regulators/
- IAPP published a detailed analysis of the concerns outlined in the Working Party’s report. https://iapp.org/news/a/wp29-says-privacy-shield-needs-improvements/
Cybersecurity Talks with China
On March 31st, President Barack Obama and Chinese President Xi Jinping discussed cybersecurity during the Nuclear Security Summit in Washington, D.C. China has been accused of using state-sponsored hackers to attack U.S. businesses and steal trade secrets, and U.S. businesses claim that Chinese hacking costs the American economy “hundreds of billions of dollars each year.” China is also thought to have been behind the Office of Personnel Management data breach, in which the records of over 20 million people were stolen. The previous meeting between the two leaders that focused on cybersecurity produced an agreement to end corporate hacking and to draft guidelines for defining cyberwarfare.
On April 14th, the European Parliament voted to approve the General Data Protection Regulation (GDPR). Because the GDPR is a regulation rather than a directive, it applies directly in every European Union (EU) member state without national implementing legislation; it takes effect two years after its publication, giving member states and businesses two years to prepare. The GDPR is designed to empower consumers to “be able to decide for themselves which personal information they want to share,” according to Jan Philipp Albrecht, a Member of the European Parliament. The regulation requires businesses to inform customers of how their information is being shared. It also creates a single lead supervisory authority for data protection that a business will deal with, instead of the patchwork of data protection authorities that businesses currently face across the EU. The GDPR sets steep penalties for non-compliance, potentially as high as 4% of a company’s global annual revenue. The European Parliament also approved a companion measure, the Passenger Name Record plan, under which airline passengers’ personal data is stored for six months for use by law enforcement. The process to pass the GDPR began four years ago, when it was proposed by EU Justice Commissioner Viviane Reding.
Verizon Data Breach
April 1: Verizon Enterprise Solutions might be the victim of another data breach as a new database of consumer information was recently discovered.
On April 15th, The Hill reported that newly discovered malware called GozNym has attacked 22 financial institutions in the United States and Canada. The malware has already allowed its operators to steal $4 million since the beginning of April. Security experts believe it originates from organized crime groups in Eastern Europe. GozNym installs itself on a victim’s computer after the victim clicks a fraudulent link. Once installed, it remains dormant until the victim logs in to an online banking account, at which point it captures the victim’s password and personal information. The stolen credentials and data are then used to purchase hard-to-trace digital currencies, which hinders financial institutions and law enforcement in holding the criminals accountable. None of the affected banks has been publicly named yet.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected]