U.S. / EU Safe Harbor
On December 17th, the United States and the European Union (EU) will begin final negotiations to develop a new agreement to replace the “safe harbor” pact that was nullified by the European Court of Justice (ECJ). Citing privacy concerns, the ECJ struck down the “safe harbor” agreement earlier this year that allowed companies to transfer data between the EU and the U.S. In an interview with an Austrian newspaper, EU Justice Commissioner Vera Jourova said that the European Commission hopes to finalize the new agreement by January 2016. Jourova also said that the European Commission wants to involve “European privacy watchdogs” in the upcoming agreement. According to a report from Reuters, an unnamed source said that the increased role of privacy watchdogs will allow citizens to “complain directly to their national authorities.” Jourova said in the interview that, “The main problem is the responsibilities of the European data protection authorities and of the U.S. counterpart, the Federal Trade Commission: they should implement the requirements and deal with the complaints of citizens.”
CFPB Settlement Agreement with Clarity Services, Inc.
On December 3rd, the Consumer Financial Protection Bureau (CFPB) announced an enforcement action against Clarity Services, Inc. (Clarity), a consumer reporting agency, over alleged violations of the Fair Credit Reporting Act (FCRA). According to the CFPB, Clarity illegally obtained consumer credit reports and failed to resolve consumer disputes in accordance with the FCRA. The CFPB also alleges that Clarity sold tens of thousands of consumer reports to third parties for marketing purposes. In a statement, CFPB Director Richard Cordray said that, “Credit reporting plays a critical role in consumers’ financial lives. Clarity and its owner mishandled important consumer information… Today, we are holding them accountable for cleaning up the way they do business.” Under the terms of the order, Clarity must modify its practices for obtaining credit reports, implement policies to ensure the reports contain comprehensive data from furnishers, and pay a civil monetary penalty of $8 million.
Congress passed H.R. 22, the five-year $305 billion highway bill, with a financial services amendment that includes:
- H.R. 2091, the “Child Support Assistance Act” that amends the FCRA;
- H.R. 601, the “Eliminate Privacy Confusion Act” that amends the Gramm Leach Bliley Act.
FTC Enforcement Action
On December 4th, the Federal Trade Commission (FTC) asked a federal judge to grant a $4 million default judgment against a data broker over alleged violations of the FTC Act. According to the FTC’s complaint, Sitesearch Corp., which did business as LeapLab Corp. (LeapLab), allegedly sold consumer payday loan applications containing financial information and Social Security numbers to scammers who stole more $4 million from consumers. The FTC claims that it served the company with a summons and complaint over a year ago with no response, which satisfies the procedural requirements for a default judgment. In a statement, representatives from the FTC said that, “The gravity and scope of LeapLab’s violations and the ease with which is almost evaded detection warrant strong and sufficiently broad injunctive provisions to protect against future unlawful collection and sale of sensitive consumer information.” Federal Trade Commission v. Sitesearch Corp. et al., case number 2:14-cv-02750, in the U.S. District Court for the District of Arizona.
Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk
The FTC reaches a settlement with Wyndham Hotels and Resorts over the company’s security practices.
FTC v. Lifewatch
On December 14th, the CEO of Lifewatch, Inc. (Lifewatch) asked an Illinois federal judge to deny the request of the Federal Trade Commission (FTC) to temporarily ban his business from telemarketing its products. On June 30th, the FTC filed a lawsuit against Lifewatch for alleged violations of the TCPA by using third party telemarketers to place deceptive calls to senior citizens, promising thousands of dollars in coupons and claiming false endorsements from the American Heart Association and the AARP. The FTC also alleges that the telemarketers falsely told consumers that a loved one had already bought an emergency alert device for them, and then roped them into $40 a month maintenance fees. Lifewatch CEO Evan Sirlin told the U.S. District Judge that his company has no intention of deceiving consumers, and that the third party telemarketers who sent the illegal calls violated the terms of their contact. However, the FTC argues that Lifewatch scripted the telemarketers’ calls and knew about the deceptive practices all along. In February, the Ninth Circuit ruled against Lifewatch in another case involving the conduct of the company’s telemarketers, saying that “The district court did not buy this story of telemarketers-gone-rogue, and neither do we.” Federal Trade Commission et al. v. Lifewatch Inc. et al., case number 1:15-cv-05781, in the U.S. District Court for the Northern District of Illinois.
FTC v. LifeLock
On December 17th, LifeLock, Inc. (LifeLock) agreed to a $100 million settlement with the Federal Trade Commission (FTC) over accusations that the company made deceptive claims about its identity theft protection services. This is the largest settlement ever to result from an FTC enforcement action. According to the FTC’s original complaint, LifeLock failed to properly deliver the identity theft services it advertised, which included preventing the misuse of private records and preventing illegal access to credit accounts. The FTC also alleged that LifeLock failed to properly encrypt consumer data and did not have sufficient internal security measures in place to protect data. LifeLock settled with the FTC in 2010, but on July 21st of this year, the FTC announced another enforcement action against LifeLock for violating the terms of the settlement agreement. According to FTC Chairwoman Edith Ramirez, “This settlement demonstrates the commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data.” Under the terms of the agreement, LifeLock will pay $68 million to consumers who took action against LifeLock in a class action. The remaining $32 million will go towards additional settlements with state attorneys general and to the FTC. Federal Trade Commission v. LifeLock Inc. et al., case number 2:10-cv-00530, in the U.S. District Court for the District of Arizona.
OPM Rulemaking/ Background Checks
On December 15th, the Office of Personnel Management (OPM) published in the Federal Register a notice and request for comment “proposing modifications to its rules to better ensure that applicants from all segments of society, including those with prior criminal histories, receive a fair opportunity to compete for Federal employment.” Specifically, the proposed regulations would prohibit federal employers from conducting background checks “until the best qualified candidates are referred to a hiring manager.” The proposal is in response to President Obama’s recently announced “Rehabilitation and Reintegration for the Formerly Incarcerated” initiatives that call on Congress and federal agencies “to pass meaningful criminal justice reform.” One of the President’s long term initiatives is for Congress to pass a national “ban the box” law for federal hiring. However, in the meantime the President called on OPM to modify its regulations on criminal background checks. Other Presidential initiatives for the formerly incarcerated include education grants, technology training programs, supportive housing, increased access to health care, and increased access to employment. Federal Register Notice:
White House Announcement: https://www.whitehouse.gov/the-press-office/2015/11/02/fact-sheet-president-obama-announces-new-actions-promote-rehabilitation
Equifax agreed to remove all Virginia state court judgments from its consumer database and to pay $3 million to settle a class action alleging FCRA violations.
FCRA / Background Checks: Kelly Services and Johnson and Johnson
On December 14th, a putative class action was filed against Johnson & Johnson (J&J) and staffing company Kelly Services, Inc. (Kelly Services) for allegedly violating the Fair Credit Reporting Act (FCRA). According to the plaintiff, J&J and Kelly Services denied him employment based on a criminal conviction in his consumer report without properly disclosing to him the report’s employment purposes. According to the complaint, “Plaintiff contends that defendants systematically violate… the FCRA by using consumer reports to make adverse employment decisions without, beforehand, providing the person who is the subject of the report sufficient and timely notification and a copy of the report and summary of rights under the FCRA…” The plaintiff also alleges that the background report mislabeled some of his offenses as misdemeanors information that he never had a chance to review and dispute in accordance with the FCRA. The plaintiff seeks to represent “thousands” of individuals in the U.S. who were denied employment by J&J under similar circumstances. Noye v. Johnson & Johnson et al., case number 1:15-cv-02382, in the U.S. District Court for the Middle District of Pennsylvania.
Medical Informatics Data Breach
On December 10th, the U.S. Judicial Panel on Multidistrict Litigation (JPML) relocated three lawsuits against Medical Informatics Engineering, Inc. (MIE) over their massive data breach to the Northern District of Indiana. On June 25th, the healthcare information technology firm reported a data breach involving 3.9 million people’s personal information, including Social Security numbers, medical conditions, lab results, and other sensitive medical information. According to a notice from Indiana Attorney General Greg Zoeller, the breach affected about 1.5 million Indiana residents. The JPML agreed with one of the plaintiffs that three different suits should be relocated to the Northern District of Indiana, where the company is headquartered and where majority of the lawsuits are pending. In their decision, the JPML said, “Relevant documents and witnesses thus are likely located within or near the district. Also, given this Midwestern tilt, the Northern District of Indiana presents a convenient and accessible forum with the necessary judicial resources and expertise to manage this litigation efficiently.” According to the plaintiff’s request to relocate the cases, 40 percent of all class members are from Indiana, with most of the lawsuits against MIE alleging that the company’s lax security systems contributed to the breach. In Re: Medical Informatics Engineering, Inc., Customer Data Security Breach Litigation, case number 2667, before the U.S. Judicial Panel on Multidistrict Litigation.
BlueCross BlueShield Data Breach
On December 10th, a plaintiff filed a potential class action against Excellus BlueCross BlueShield (Excellus) and Lifetime Healthcare, Inc. in the U.S. District Court for the Western District of New York over the company’s data breach. On September 9th, Excellus reported a data breach involving approximately 10.5 million customers’ names, birthdates, Social Security numbers, addresses, phone numbers, and banking information (previously reported). According to the plaintiff, Excellus did not implement adequate security measures to protect consumers’ information, especially in light of recent attacks on BlueCross BlueShield affiliates, namely Anthem, Inc.’s breach affecting 80 million people. According to the plaintiff’s complaint, “Despite these clear warnings, Excellus failed to take necessary steps to secure and protect the personal information of its customers, or even to detect the data breach until approximately 20 months after it began.” The plaintiff also argues the credit monitoring service offered by the company will do “nothing to prevent unauthorized charges made to existing accounts.” Fuller v. Lifetime Healthcare, Inc. et al., case number 6:15-cv-06739, in the U.S. District Court for the Western District of New York.
Home Depot Data Breach Litigation
On December 14th, a federal judge granted The Home Depot, Inc. (Home Depot) permission to send information to absent class members about potential settlements with MasterCard and Visa. On December 8 th, financial institutions in the data breach case against Home Depot asked a federal judge to stop the company from sending absent class members messages that are “misleading and coercive” about potential settlements with the payment card processors. The financial institutions, which include 50 banks and 17 credit unions, argued that the communications undermined the litigation and should involve class counsel (previously reported). However, the Georgia federal judge ruled in favor of Home Depot, but provided certain requirements for the communications, which include disclosing the consumers’ right to participate in the lawsuit and informing them that they might receive more compensation from the lawsuit than under the proposed settlement. According to the judge’s order, “While not required, an order governing certain communications with putative class members by both sides regarding settlement offers and release of claims asserted in this litigation is appropriate moving forward.” In re: The Home Depot Inc. Customer Data Security Breach Litigation, case number 1:14-md-02583, in the U.S. District Court for the Northern District of Georgia.
On December 15th, a proposed class of satellite installers asked a federal court not to postpone their case against Dish Network LLC (Dish) pending the Supreme Court’s ruling in Spokeo, Inc. v. Robins. In December 2012, the proposed class alleged that Dish obtained their credit reports without proper authorization when conducting background checks, in violation of the Fair Credit Reporting Act (FCRA). Then on December 4th, Dish asked a federal judge to postpone the class action, arguing that the ruling in Spokeo, Inc. v. Robins could affect the proposed class’s standing (previously reported). In response to Dish’s request, the satellite installers maintain that their class has standing regardless of the outcome of Spokeo. According to the memorandum of opposition, this case involves a “consumer’s right to sue over a failure to provide information as required by law, ” which, the class argues, was already decided by the Supreme Court in FEC v. Akins in 1998. The installers ultimately contend that the impact of Spokeo on their case is “attenuated and nebulous, ” because, “unlike the issue in Spokeo, the injuries here- failing to provide consumers with a specific disclosure to which they have a statutory right before procuring consumer reports on them, as well as failing to provide notice and a copy of the report before taking adverse action- are substantially more concrete.” Ernst et al. v. Dish Network LLC et al., case number 1:12-cv-08794, in the U.S. District Court for the Southern District of New York.
EU Data Protection Regulation
As part of the General Data Protection Regulation negotiations, the EU has decided to increase fines for data protection violations.
EU Data Protection Law
On December 13th, The Wall Street Journal published an article about the European Union’s (EU) forthcoming privacy law. According to the report, the European Parliament is expected to agree upon a data protection law tomorrow evening. This law has been in the works for nearly four years and would cover the entire EU, supplanting the existing 28 national laws. In a statement, a European Commission official said that, “We’re quite happy with what’s on the table. Our line has always been that we cannot accept lower protections of users’ data [from the current rules].” However, technology companies have taken issue with many of law’s most stringent provisions. Alexander Whalen, a senior policy manager for Digital Europe, which represents companies like Microsoft and Google, said that, “The risk is that it pushes companies to say it isn’t worth the risk to innovate in Europe.” Specifically, technology companies have expressed concern that the law will “extend responsibility for privacy breaches beyond just the companies that collect and use personal data.” There is also concern about a provision that would increase the age of consent for use of personal data to 16 years old. Lastly, many executives are worried about a provision that would require companies to employ a data-privacy officer, as well as the inclusion of the “right to be forgotten” concept, allowing people to request that companies like Facebook and Google delete their personal data.
On December 15th, European Union officials reached an agreement on a new data protection regulation, “which consists of both a directive for the police and criminal justice sector as well as regulation that has been closely watched by businesses.”
- The Hill published an article about the agreement entitled, “EU Privacy Deal Sows US Fears of Cross-Atlantic Chill.” http://thehill.com/policy/international/263355-eu-privacy-deal-sows-us-fears-of-cross-atlantic-chill
- The IAPP also publishes an article on the agreement entitled, “Why Europe’s New Privacy Reg Is a Business-Critical Issue.” https://iapp.org/news/a/why-europes-new-privacy-reg-is-a-business-critical-issue/
U.S. Attorney General on EU Privacy
On December 9th, U.S. Attorney General Loretta Lynch delivered a speech in London on counterterrorism and international cooperation and was critical of recent privacy developments in Europe. Specifically, Lynch addressed the European Court of Justice’s October decision to invalidate the U.S.-EU Safe Harbor pact, as well as recent data privacy legislation up for debate in the European Parliament. In her remarks, Lynch called the Safe Harbor decision “particularly disappointing, ” and said that it was based on “incomprehensive and outdated media reports.” Lynch also called pending EU data privacy legislation “highly concerning, ” as it would potentially create more restrictions on data sharing. According to Lynch, “[The legislation is] a step that not only ignores the critical need for information sharing to fight terrorism and transnational crime, but also overlooks the enormous steps forward that the Obama administration and Congress have taken to protect privacy.” Lynch discussed several measures the U.S. was taking to promote international cooperation, while still respecting civil liberties and privacy. These measures include the upcoming data privacy agreement between the U.S. and the EU that will replace the Safe Harbor pact, as well as the “truly unprecedented” passage of the Judicial Redress Act in the House of Representatives. The bill, which is now before the Senate, would allow people from countries with a data sharing pact with the U.S. to sue in U.S. Courts “for privacy breaches related to information shared for law enforcement purposes.”
Dec. 22: The IAPP published an article entitled, “NIS + GDPR = A New Breach Regime in the EU.”
Dec. 18: The IAPP reported that TRUSTe is now offering resources to help businesses comply with the EU’s new General Data Protection Regulation (GDPR).
MacKeeper Data Breach
On December 14th, MacKeeper, controversial anti-virus software for Mac users, confirmed a data breach that exposed the usernames, passwords, and other information of more than 13 million consumers. Chris Vickery, a security researcher, discovered the breach when browsing a specialized search engine called Shodan, and immediately informed Zeobit, the maker of MacKeeper. The company quickly closed its website and released a public statement thanking Zickery for reporting the breach. The company also stated that, “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself.” Zeobit has assured its customers that their payment card information is safe, as the company contracts with a third-party payment processor. According to Business Insider, MacKeeper has come under fire in the past, with many users claiming the software does not work as advertised. Earlier this year, the company had to pay $2 million to settle claims that they exaggerated security concerns to Mac users and deceived consumers into purchasing the full license for the software.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected]