Federal Developments
Background Checks
On August 13th, the Federal Trade Commission (FTC) issued a Statement of Principles (Statement) regarding its statutory authority to take action against “unfair methods of competition” prohibited by Section 5 of the FTC Act. The Statement, according to the FTC, explains that the agency will follow the following principles when deciding whether to enforce its “standalone” authority under Section 5 of the FTC Act to challenge unfair methods of competition:
- The FTC will be guided by the public policy underlying the antitrust laws, namely, the promotion of consumer welfare;
- The act or practice will be evaluated under a framework similar to the rule of reason, that is, an act or practice challenged by the Commission must cause, or be likely to cause, harm to competition or the competitive process, taking into account any associated cognizable efficiencies and business justifications; and
- The FTC is less likely to challenge an act or practice as an unfair method of competition on a standalone basis if enforcement of the Sherman or Clayton Act is sufficient to address the competitive harm arising from the act or practice, as listed in the Statement of Principles.
The FTC vote to approve the Statement of Principles was 4-1, with Commissioner Maureen K. Ohlhausen voting against.
https://www.ftc.gov/news-events/press-releases/2015/08/ftc-issues-statement-principles-regarding-enforcement-ftc-act?utm_source=govdelivery
US-EU Safe Harbor Enforcement Action by the FTC
On August 17th, the Federal Trade Commission (FTC) announced that thirteen companies agreed to settle FTC charges alleging that they falsely claimed to comply with the U.S.-EU or U.S.-Swiss Safe Harbor Frameworks. According to the FTC, the companies “misled consumers by claiming they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor Frameworks when their certifications had lapsed or the companies had never applied for membership in the program at all.” The Safe Harbor Frameworks permit companies to transfer consumer data between the specified countries while in compliance with each country’s laws. Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security Safe Harbor Framework program or any other “self-regulatory or standard-setting organization.”
https://www.ftc.gov/news-events/press-releases/2015/08/thirteen-companies-agree-settle-ftc-charges-they-falsely-claimed?utm_source=govdelivery
FTC Blog on US-EU Safe Harbor Compliance
The FTC published a blog post entitled, “U.S.-EU Safe Harbor Compliance: Don’t Run Aground.”
https://www.ftc.gov/news-events/blogs/business-blog/2015/08/us-eu-safe-harbor-compliance-dont-run-aground
FTC and Consumer Privacy Complaints
On August 14th, the FTC published a blog post encouraging consumers to report “privacy-related complaints” to the agency. In the post, the FTC focused on consumers who have had a company share their personal information without their knowledge or consent. The post directs consumers to the FTC’s “Complaint Assistant, ” an online portal for consumers to report their privacy complaints. The FTC provides examples of the types of privacy concerns a consumer may report, including:
- Their location or age being shared with a third-party without their knowledge;
- A company seemingly knowing more about the consumer than they expected; and
- Invitations from a consumer’s account being sent to their friends without the consumer’s knowledge or consent.
Additionally, the post included the following tips for consumers to help them better protect their data online:
- Before inputting data into a website, read the company’s privacy policy;
- On social network sites, check the privacy settings on their account; and
- On a mobile phone, consider turning off geo-location services until needed.
http://www.consumer.ftc.gov/blog/want-privacy-tell-us-about-it
Right to Be Forgotten
On July 31st, the Association of National Advertisers (ANA) sent a letter to the FTC criticizing Consumer Watchdog’s request that Google extend Europe’s “right to be forgotten” rule to the United States. In the letter, the ANA characterizes the group’s argument for expanding the “right to be forgotten” rule as “incomprehensive” and “dangerous to free speech.” In July, Consumer Watchdog filed a complaint with the FTC arguing that Google’s compliance with the “right to be forgotten” rule in Europe, but not the United States, violates Section 5 of the FTC Act. The ANA’s letter urges the FTC to dismiss the complaint, stating that the “fact that a company generally has privacy protections does not provide carte blanche to impose regulations on [Consumer Watchdog’s] wish list, ” adding that, “[t]his has nothing to do with Section 5.”
https://www.ana.net/blogs/show/id/36098
On July 30th, Google, Inc. (Google) published a blog post rejecting a French court’s Order requiring the company to apply Europe’s “right to be forgotten” rule globally. According to Google, no one country should be able to determine the accessibility of certain Internet content for someone in another country. Google emphasized that it has complied with the European high court’s May 2014 Order permitting European citizens to submit requests to remove certain links that violate their privacy; however, the company believes expanding the rule globally could be a “troubling development that risks serious chilling effects on the Web.” According to Google, “[w]hile the right to be forgotten may now be the law in Europe, it is not the law globally, ” adding that, “there are innumerable examples around the world where content that is declared illegal under the laws of one country, would be deemed legal in others.”
http://googlepolicyeurope.blogspot.com/2015/07/implementing-european-not-global-right.html
Cybersecurity
On July 30th, the White House Office of Management and Budget (OMB) published in the Federal Register (80 FR 45555) a notice and request for comment on improving cybersecurity protections in federal acquisitions. According to the OMB, there is a need to improve cybersecurity measures of third-party vendors who manage federal agency data, especially in light of the massive OPM breach earlier this year. According to Tony Scott, administrator for the Office of E-Government and Information Technology, “the increase in threats facing federal information systems demand that certain issues regarding security information on these systems is clearly, effectively and consistently addressed in federal contracts.”
http://www.gpo.gov/fdsys/pkg/FR-2015-07-30/pdf/2015-18747.pdf
FTC and Credit Reports
On August 3rd, the Federal Trade Commission (FTC) published a blog post entitled, “How to Dispute Credit Report Information That Can’t Be Confirmed.” In the post, the FTC focuses on what consumers can do when a debt collector reported a debt to a credit reporting agency and then went out of business. The post cites an FTC enforcement action against Crown Funding Company (Crown), a debt collection company the FTC sued for deceptive practices, which resulted in the company shutting down its business. According to the FTC, “[f]ederal law says that, when consumers dispute information on a credit report, the credit reporting agencies must investigate it. If the credit reporting agency can’t confirm the information with the company that reported the debt — and in the case of Crown, it can’t — it must delete the information from the consumer’s credit report, usually within 30 days of receiving the consumer’s dispute.” The blog includes a list of steps consumers can take in contacting a credit reporting agency to correct their credit report, as well as a sample letter to assist consumers disputing items in their credit report.
http://www.consumer.ftc.gov/blog/how-dispute-credit-report-information-cant-be-confirmed
FCRA and Consumer Credit Checks
On August 5th, Senator Elizabeth Warren (D-MA) introduced S. 1981, the Equal Employment for All Act of 2015. The bill would “amend the Fair Credit Reporting Act (FCRA) to prohibit the use of consumer credit checks against prospective and current employees for the purposes of making adverse employment decisions.” Under the bill, “a person, including a prospective employer or current employer, may not use a consumer report or investigative consumer report, or cause a consumer report or investigative consumer report to be procured, with respect to any consumer where any information contained in the report bears on creditworthiness, credit standing, or credit capacity of the consumer:
- For employment purposes; or
- For making an adverse action.”
The bill highlights two exceptions where an employer may use a consumer report which includes credit information:
- When the consumer applies for, or currently holds, employment that requires national security clearance; or
- When otherwise required by law.
Bill: http://www.warren.senate.gov/files/documents/Equal_Employment_for_All_Act_of_2015.pdf
Statement: http://www.warren.senate.gov/?p=press_release&id=917
DOJ Settlement Agreement with US Investigations Services
The DOJ announced that US Investigations Services, the background check firm that vetted Edward Snowden and Washington Navy Yard shooter Aaron Alexis, has agreed to pay $30 million to settle allegations that it violated the False Claims Act for “conduct” involving a contract for background investigations the company had with OPM.
http://www.justice.gov/opa/pr/us-investigations-services-agrees-forego-least-30-million-settle-false-claims-act-allegations
Drug Free Commercial Driver Act of 2015
Aug. 24: American Trucking Associations President and CEO Bill Graves sent a letter to congressional lawmakers expressing its support for HR 1467/S.806, the “Drug Free Commercial Driver Act of 2015, ” which would affect background screening for prospective truck drivers.
Court Cases
OPM Data Breach
On July 29th, the DOJ urged the U.S. Judicial Panel on Multidistrict Litigation to consolidate three lawsuits against the Office of Personnel Management (OPM) in relation to OPM’s massive data breaches. According to the DOJ, “the pending cases involve two overlapping putative classes, common factual allegations, and assert similar causes of action.” Additionally, the DOJ claims that moving all three cases to Washington, D.C. is prudent as it is the location where the breaches were discovered. The cases were brought by unions and individual workers earlier this year after OPM revealed that the data of over 21 million government employees had been compromised in the U.S. government’s largest data breach in history.
American Federation of Government Employees et al v. United States Office of Personnel Management et al, No. 1:15-cv-01015, (D.D.C., July 29, 2015).
National Treasury Employees Union, et al v. Archuleta, No. 3:15-cv-03144 (N.D. Cal., July 29, 2015).
Woo v. Office of Personnel Management et al, No. 6:15-cv-01220 (D. Kan., July 29, 2015).
Medical Informatics Engineering Data Breach
On July 29th, a plaintiff filed a putative class action against Medical Informatics Engineering, Inc. (MIE) over the company’s recent data breach involving approximately four million Americans’ medical information. According to the complaint, MIE had a duty to protect patients’ personal health information; however, MIE’s cybersecurity policies and practices were not sufficient to prevent the data breach. Specifically, the plaintiff states that the data breach is “particularly egregious…because not only does it involve personal information like Social Security numbers, it also involves medical records, ” adding that, “[u]nlike Target, whose main business is selling products to consumers, electronic data is what they do.” The complaint also alleges that MIE was slow in providing notice to patients regarding the data breach and that class members are entitled to $1, 000 or treble damages.
Young v. Medical Informatics Engineering, Inc., No. 1:15-cv-00197 (N.D. Ind., July 29, 2015).
Data Breach
On August 12th, Medical Informatics Engineering, Inc. (MIE) was named in a third putative class action over the company’s recently announced data breach affecting approximately 4 million patients’ medical and personal information. According to the complaint, the plaintiff alleges that MIE took too long to both discover the data breach and notify affected patients. The complaint asserts that MIE took three weeks to discover the breach and two months to notify affected individuals. Specifically, the complaint states that “[a]lthough MIE was aware of the breach by May 26, 2015, it waited until July 17, 2015, to begin mailing notice to those affected, ” adding that, “[h]ad it notified affected persons sooner, plaintiff and other putative class members might have been able to mitigate their harm.”
Pool v. Medical Informatics Engineering, Inc., No. 1:15-cv-00209 (N.D. Ind., Aug. 12, 2015).
UCLA Data Breach
On August 11th, plaintiffs filed a putative class action against UCLA Health System (UCLA) over its recently announced data breach (previously reported). According to the complaint, approximately 4.5 million patients’ personal information may have been compromised as a result of the breach. Specifically, the complaint alleges that UCLA violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to take “basic steps” to safeguard patients’ data. According to the plaintiff’s counsel, “UCLA had the responsibility to take the steps necessary to protect their patients’ sensitive information and comply with HIPAA guidelines, ” adding that, “[i]t’s not clear why a university of UCLA’s size and notoriety would not do more to secure their patients’ most private information.”
Ortiz v. UCLA Health System et al., No. BC589327 (Super. Ct. Cal., Aug. 11, 2015).
FTC and Data Security
On August 10th, the FTC, in its action against LabMD, Inc. (LabMD) over the company’s data security practices, told an administrative law judge that the testimony of LabMD’s witness undermines the company’s claim that cybersecurity firm Tiversa, Inc. (Tiversa) stole the company’s information. According to the FTC, LabMD’s witness testified that a certain file, referred to as “file 1718, ” containing personal information of thousands of people was accessible to anyone who used the file-sharing program LimeWire. Specifically, the FTC argued that “LabMD’s unreasonable security practices resulted in the 1718 file — a clear-text document containing the most sensitive personal information of 9, 300 consumers — being maintained in a file designated for sharing on a LabMD computer on which LimeWire had been installed, ” adding that, “[a]s a result, it was freely available from that computer along with other LabMD files to LimeWire users.”
In the Matter of LabMD, Inc., No. 9357 (FTC, Aug. 10, 2015).
On August 24th, the Third Circuit upheld a federal district court’s decision allowing the Federal Trade Commission (FTC) to pursue its case against Wyndham Worldwide Corp. (Wyndham) over the company’s data security practices, ruling that the FTC has authority to regulate cybersecurity. The FTC’s lawsuit against Wyndham was filed after three data breaches the company suffered in 2008 and 2009, resulting in hundreds of thousands of consumers’ personal and financial information being compromised, according to the opinion. According to the FTC, Wyndham failed to safeguard consumers’ personal information with proper data security policies and practices. Wyndham argued that the FTC has no authority to regulate a business’ data security practices. However, the Third Circuit rejected Wyndham’s argument, stating that Wyndham’s cybersecurity practices are covered under Section 5’s unfairness prong of the FTC Act. Specifically, the Third Circuit wrote that, in drafting the FTC Act, “[t]he takeaway is that Congress designed the term as a ‘flexible concept with evolving content, ’ and ‘intentionally left [its] development…to the [FTC].’” FTC Chairwoman Edith Ramirez reportedly said in a statement that the “decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data, ” adding that, “[i]t is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
FTC v. Wyndham Worldwide Corp. et al., No. 14-3514 (3rd Cir., Aug. 24, 2015).
Data Security
On July 31st, Wyndham Worldwide Corp. (Wyndham) told the Third Circuit that the FTC has misinterpreted the Seventh Circuit’s ruling in the Neiman Marcus data breach suit regarding plaintiff’s standing to sue based on risk of harm. According to the company, “the FTC’s argument that Wyndham consumers suffered unreimbursed fraud loss is implausible because- after investigating the cyberattacks against Wyndham for nearly five years and contacting hundreds of consumers- the FTC admitted that it has not identified a single individual consumer who suffered unreimbursed fraud loss.” The Seventh Circuit ruled last month that customers impacted by the breach have grounds to sue Neiman Marcus for fraud protection and credit monitoring services. According to the FTC, the decision implies that customers still experienced harm in the time and money it took to resolve unauthorized charges, despite Wyndham’s reimbursement. Wyndham refutes this interpretation and points to previous Third Circuit rulings in which potential harm from breaches was considered “too speculative.”
FTC v. Wyndham Worldwide Corp. et al., No. 14-3514 (3rd Cir., July 31, 2015).
Reuters reports that the Third Circuit upheld a federal district court’s decision allowing the FTC to pursue its case against Wyndham Worldwide Corp. over the company’s data security practices, ruling that the FTC has authority to regulate cybersecurity.
http://www.reuters.com/article/2015/08/24/wyndham-ftc-cybersecurity-idUSL1N10Z0YS20150824
Hospital not a CRA subject to the FCRA
On August 10th, the Seventh Circuit dismissed a putative class action against Advocate Health and Hospitals Corp. (AHHC) alleging that the hospital violated the Fair Credit Reporting Act (FCRA) by failing to protect patients’ medical information, ruling that the hospital is not a consumer reporting agency. According to the Seventh Circuit, a hospital such as AHHC is not considered a consumer reporting agency under the FCRA because it does not get paid for gathering information on patients. In response to the plaintiffs’ argument that such a ruling would limit the FCRA’s reach to the three major credit bureaus, the Seventh Circuit said, “[o]ther entities…may act in ways that satisfy the statutory definition of ‘consumer reporting agency, ’” offering a staffing agency as one example.
Tierney et al. v. Advocate Health and Hospitals Corp., No. 14-3168 (7th Cir., Aug. 10, 2015).
CareFirst Data Breach
On August 7th, plaintiffs filed a putative class action against CareFirst BlueCross BlueShield (CareFirst) over a June 2014 data breach (previously reported). According to the complaint, the plaintiffs allege that CareFirst failed to prevent the cyberattack through proper data security policies and practices. Specifically, the plaintiffs wrote that they “had and have a reasonable expectation that their confidential [personal information] and confidential health information would remain private and confidential, ” adding that, “[a]s a result of CareFirst’s deficient practices, plaintiffs and the class members have been damaged, and have lost or are subject to losing money and property as a result of CareFirst’s substandard security practices.” The data breach resulted in the compromise of approximately 1.1 million plan members’ personal information.
Chambliss et al v. CareFirst, Inc. et al., No. 1:15-cv-02288 (D. Md., Aug. 7, 2015).
Background Checks
On August 12th, a California appeals court reversed a state district court’s ruling to strike down California’s Investigative Consumer Reporting Agencies Act (ICRAA) as unconstitutionally vague, stating that it disagreed with the precedent used by the lower court to declare the law “unconstitutionally vague.” The lawsuit was brought by two bus drivers against First Student, Inc. alleging that the company violated the ICRAA when it ran background checks on them without their consent. The state district court struck down the law, calling it unconstitutionally vague due to overlap with California’s Consumer Credit Reporting Agencies Act. However, the appeals court reversed this decision, disagreeing with the precedent used in the decision and saying that “[t]here is nothing in either law that precludes application of both acts to information that relates to both character and creditworthiness, ” adding that, “[t]herefore, we conclude the ICRAA is not unconstitutionally vague as applied to such information.”
Eileen Connor et al. v. First Student, Inc. et al., No. B256075 and B256077 (Cal. Ct. App., Aug. 12, 2015).
Uber Data Breach
On August 10th, Uber Technologies, Inc. (Uber) told a federal district court during an action involving a data breach suffered by the ridesharing company that the lead plaintiff cannot claim they were injured because their Social Security number was not exposed. According to the plaintiff, someone tried to open a credit card in his name following the company’s data breach. However, Uber maintains that this event is not connected to the breach because the only information compromised was Uber drivers’ names and driver license numbers. In a recent statement, Uber said that, “[o]btaining individuals’ names and drivers’ license numbers could be useful to a competitor of Uber, but not to an identity thief or fraudster, since such information is insufficient—standing alone—to make fraudulent purchases or steal an identity.” Uber filed a motion to dismiss the suit in June based on the 2013 Supreme Court ruling in Clapper v. Amnesty International USA which held that risk of future is harm is insufficient to establish standing.
Sasha Antman v. Uber Technologies, Inc., No. 3:15-cv-01175 (N.D. Cal., Aug. 10, 2015).
IRS Data Breach
On August 20th, plaintiffs filed a lawsuit against the Internal Revenue Service (IRS) over its recently reported data breach affecting approximately 330, 000 taxpayers’ personal information (previously reported). According to the complaint, the plaintiffs allege that the IRS disregarded previous reports urging the agency to improve its cybersecurity and, thus, failed to properly safeguard consumers’ personal information with sufficient cybersecurity policies and practices. Specifically, the complaint highlights reports released by the Government Accountability Office and the Treasury Inspector General for Tax Administration advising the IRS to improve its cybersecurity. In their complaint, the plaintiffs state that “[a]s custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of sensitive information against unauthorized access or loss.”
Welborn v. IRS Agency & IRS Commissioner, No. 1:15-cv-01352 (D.D.C., Aug. 20, 2015).
State Regulations
New York City Limits the Use of Credit and Criminal History in Employment Decisions
New York City Mayor Bill de Blasio recently signed into law two bills that limit the information employers can rely on in making employment decisions. On May 6, 2015, Mayor Bill de Blasio signed into law a bill that prohibits employers, labor organizations, and employment agencies from discriminating against an candidate or employee based on their credit history, and on June 29, 2015, he signed into law the Fair Chance Act, the latest “ban the box” law that seeks to prevent employers from discriminating against job candidates based on a record of prior arrests or criminal convictions. The credit history law prevents employers from inquiring or considering an employee’s or job candidate’s consumer credit history for employment purposes. The New York City Council passed the law on April 16, 2015 and the law, which amended the City’s Human Rights Law, takes effect September 3, 2015. The Fair Chance Act delays the stage of hiring at which employers may inquire about an candidate’s criminal history, and specifically prohibits employers from inquiring about an candidate’s criminal record before making a conditional offer of employment.
For the full article see: http://www.lexology.com/library/detail.aspx?g=ab2843d1-4ddb-40c4-b1eb-79e4d617a5ab
Illinois Credit Freeze
Aug. 17: Illinois Governor Bruce Rauner (R) signed HB 3425, which will require credit reporting agencies to implement a credit freeze at no cost to military personnel and veterans.
http://www.ilga.gov/legislation/99/HB/PDF/09900HB3425lv.pdf
State Developments
LA Attorney General Office Issues Consumer Alert
Louisiana Attorney General Buddy Caldwell issued a “consumer alert” providing advice to consumers on how to protect against credit card fraud.
Data Breach
On August 6th, Bloomberg reported that Sabre Corp. (Sabre), a travel technology company that processes hundreds of airlines reservations and thousands of hotel reservations, confirmed a cyberattack on its systems. American Airlines Group, Inc. (American Airlines) is also “investigating whether hackers had entered its computers.” The article highlights that “China-linked hackers” who were responsible for data breaches at Anthem, Inc. and the U.S. Office of Personnel Management, are also reportedly responsible for the attacks involving the airline industry. According to Bloomberg, “Sabre…is a potentially rich target for state-sponsored hacks because of the company’s role as a central repository of what it says are records on more than a billion travelers per year across the globe.” Regarding American Airlines, Bloomberg reported that the company is investigating whether “hackers moved from Sabre’s systems into its own computers.”
http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks-backed-by-china
On August 4th, Mama Mio US, Inc. (Mio) reported a data breach involving an undisclosed number of customers’ names, emails, addresses, and payment card information. According to the data breach notice, on July 28, 2015, Mio learned of a cyber attack on its website that may have compromised the payment card information of customers during online purchases. Upon discovering the attack, Mio hired a third party computer forensic team to locate and remove the installed malware. According to Mio, the affected period is from April 29, 2015, to July 28, 2015. Mio recommends that individuals monitor their credit reports and cancel the payment card used for purchasing Mio products online.
http://oag.ca.gov/system/files/MM%20US%20letter%20to%20customers%20-%20data%20breach_0.pdf
On August 4th, a plaintiff filed a putative class action against a health care data company for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) by having “inadequate” data security practices. The complaint also alleges that the defendant waited too long, approximately three years, to notify millions of potentially affected patients of a data breach. Specifically, the plaintiff argues that, due to the defendant’s “wholly inadequate policies concerning the handling and security of plaintiff’s and the class’s sensitive information, an employee — without authorization — was able to systematically access potentially millions of patient records and put that data directly into the hands of thieves.” The complaint states that the employee gained access to potentially millions of patients’ records as early as June 2012, however, the defendant did not notify affected individuals of the incident until a post on its website in late 2014. The plaintiff seeks to represent a class of individuals whose information was accessed by the unauthorized employee in 2012.
Weinberg v. Advanced Data Processing, Inc. et al, No. 0:15-cv-61598 (S.D. Fla., Aug. 4, 2015).
On July 31st, the Orange County Employees Association (OCEA) reported a data breach involving an undisclosed number of current and former members’ names, addresses, Social Security numbers, birth dates, and dental, vision, life and disability enrollment information. According to the breach notice, on July 23, 2015, OCEA learned that it suffered a cyber attack on its network, which may have started as early as June 5, 2015. Upon discovering the incident, OCEA notified federal law enforcement and outside cybersecurity experts to investigate the cyber attack, which remains ongoing. OCEA recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring and identity theft protection services for one year at no cost.
http://oag.ca.gov/system/files/AG%20Sample%20Notice%20073115_0.pdf
On July 30th, Indiana Attorney General Greg Zoeller released a statement urging “all Hoosiers to freeze their credit in the wake of the recent data breach at…Medical Informatics Engineering and its subsidiary NoMoreClipboard.” It is estimated that the breach could impact 1.5 million people in the state and 3.9 million people nationwide. Medical Informatics Engineering and NoMoreClipboard provide electronic medical records to healthcare organizations, and the breach could compromise patients’ Social Security numbers and sensitive medical information. The Attorney General is urging those affected to register for a free credit freeze with each of the three credit reporting agencies and to monitor their financials closely. Medical Informatics Engineering is offering two years of free credit monitoring services to affected individuals. Investigations into the sources of the breach are ongoing.
http://www.in.gov/activecalendar/EventList.aspx?view=EventDetails&eventidn=222333&information_id=217385&type=&syndicate=syndicate
The Colorado Department of Health Care Policy and Financing reported a data breach involving an undisclosed number of individuals’ names, addresses, state identification numbers, and Medicaid case numbers.
https://www.colorado.gov/pacific/sites/default/files/Client%20Correspondence%20Breach%20-%208-17-15.pdf
The Wall Street Journal reported that Web.com confirmed a data breach involving up to 93, 000 customers’ payment card information.
http://www.wsj.com/articles/web-com-says-breach-may-have-compromised-credit-card-data-of-93-000-customers-1439933373
International Developments
US-EU Safe Harbour
On August 5th, Reuters published an article entitled, “EU Close to Sealing Deal With United States on Data-Sharing.” In the article, Reuters stated that the European Commission (Commission) and representatives of the United States are working on the “final details” of the Safe Harbour negotiations that began in January 2014. The data-sharing agreement dates back to 2000, but the Commission sought review of the agreement following news reports about the National Security Agency’s bulk phone data collection program. Reuters reported that the Commission has “demanded guarantees from the United States that the collection of EU citizens’ data for national security purposes would be limited to what is necessary and proportionate.” According to Reuters, the new Safe Harbour provisions will create “stricter rules” for U.S. registered companies that share data with third parties.
http://www.reuters.com/article/2015/08/05/us-usa-eu-data-idUSKCN0QA1XB20150805
China Cybersecurity Police
On August 5th, Reuters published an article entitled, “China to Put Security Teams in Major Internet Firms, Websites.” In the article, Reuters reported that China’s Ministry of Public Security released a statement saying that the Chinese government plans to establish “network security offices” for Internet companies and websites, so that government authorities can better handle improper online behavior. Improper online behavior includes “pornography, scams, rumors or politically sensitive content, ” according to Reuters. It remains unclear as to whether the “network security offices” will apply to international tech companies operating in China or only domestic companies. Notably, Facebook, Inc. and Google, Inc. do not operate in China.
http://www.reuters.com/article/2015/08/05/us-china-internet-security-idUSKCN0QA0G020150805
Data Breach in the UK
The UK’s Information Commissioner’s Office announced that it is investigating a data breach of mobile phone carrier Carphone Warehouse that may have exposed up to 2.4 million customers’ phone data.
Miscellaneous
Spotify Privacy Policy
On August 21st, Spotify CEO Daniel Ek published a blog post apologizing for its privacy policy “caus[ing] a lot of confusion” about what kind of information the company accesses and what it does with the information. According to the blog post, Ek promises to update the company’s privacy policy “in the coming weeks” and apologizes for any “confusion.” Specifically, Ek wrote that new terms of the privacy policy will “ask for express permission” before accessing users’ data, emphasizing that “[i]f you don’t want to share this kind of information, you don’t have to.” According to Ek, Spotify “should have done a better job in communicating what these policies mean and how any information you choose to share will — and will not — be used.”
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
