Countries Sign NAFTA Update
On November 30th, the White House announced that the U.S., Mexico, and Canada signed the United States-Mexico-Canada Agreement (USMCA), which will replace the North American Free Trade Agreement. The USMCA includes a number of data protection and digital provisions that ensure cross-border data flows between the three countries and limit data localization. Reported in Arnall Golden Gregory December 3, 2018 Daily Privacy & Consumer Regulatory Alert.
Bipartisan Criminal Justice Bill Closer to Becoming Law After Senate Approval
A bipartisan bill aimed at overhauling federal prisons and reducing recidivism crossed a major hurdle on Tuesday when it was overwhelmingly approved by the Senate. With the Senate’s approval and the backing of President Trump, the legislation is now on the verge of becoming law. The House, which passed a more modest version of the legislation earlier this year, is expected to take up the bill in the coming days. Republican Speaker of the House Paul Ryan has already voiced support for the legislative package, pledging that the House is “ready to get it done.” The Senate voted 87-12 in favor of the bill known as the First Step Act. The passage of the bill by the chamber is a significant victory for advocates on the left and the right, who have pressed for Congress to take action to lower the prison population.
Here are some highlights from the legislation:
Measures Focused on Changing U.S. Prisons
- Provides more access to rehabilitation and training programs that are aimed at helping prepare prisoners for life after their release. Certain prisoners would be eligible for incentives if they participate, including credits that would allow them to spend up to a year of their sentences in facilities like halfway houses or at home under supervision.
- Makes it against the law to use restraints on pregnant inmates, unless they are an immediate threat to themselves or others or a flight risk.
- Requires that prisoners be incarcerated no more than 500 miles from their primary residence.
Measures Focused on Sentencing
- Ends automatic life sentences under the three-strike penalty for drug felonies. Instead of life, a third strike would now be a mandatory 25-year sentence. The mandatory sentence for a second offense would be reduced to 15 years compared to 20 years now. This change would not be retroactive, so it would not help people already in prison serving life sentences under the three-strike rule. Some opponents of the bill have argued it does not go far enough to help people already affected by these laws.
- Expands the “safety valve” that allows judges to avoid imposing mandatory minimum sentences in certain cases.
- Addresses prisoners who were sentenced before laws were changed in 2010 to lessen disparities between the penalties for crack cocaine and powder cocaine. It would allow these prisoners to petition the courts to review their cases in light of the updated law.
CFPB Name Change
On December 17th, Consumer Financial Protection Bureau (CFPB) Director Kathy Kraninger changed the name of the Bureau back to CFPB. Former Acting Director Mick Mulvaney previously attempted to change the Bureau’s name to the Bureau of Consumer Financial Protection with the acronym BCFP. Kraninger announced that she is halting ongoing efforts to change the name and acronym on existing products and marketing materials. The Bureau will continue to use the BCFP name and acronym for official reports and legal filings. Reported in Arnall Golden Gregory December 20, 2018 Daily Privacy & Consumer Regulatory Alert.
CFPB Settlement with State Farm Bank
The CFPB announced a settlement with State Farm Bank for allegedly violating the Fair Credit Reporting Act (FCRA) and the Consumer Financial Protection Act. According to the CFPB, State Farm Bank allegedly:
- Obtained consumer reports without a permissible purpose;
- Furnished information to credit reporting agencies (CRAs) about consumers’ credit that the bank knew to be inaccurate;
- Failed to correct inaccurate or incomplete information furnished to CRAs;
- Furnished information to CRAs without notification that the information was disputed by the consumer; and
- Failed to establish and implement policies and procedures to ensure accuracy of information that the bank provides to CRAs.
As a result, State Farm Bank must implement policies and procedures to comply with the FCRA. The CFPB did not issue a monetary fine against State Farm Bank but it reserved the right to impose the maximum civil penalty if the bank violates the terms of the Consent Order.
New Suffolk County, NY, Bill Bans Inquiry into Salary History
Joining New York City, Albany County, and Westchester County, Suffolk County has become the latest jurisdiction in New York to pass a bill that prevents employers from inquiring into the salary and benefits history of job applicants. Designed to establish pay equality and to “break the cycle of wage discrimination,” the Restricting Information on Salaries and Earnings Act, or RISE Act, would prohibit any employer in Suffolk County from requesting or seeking the wage history (including the current or previous salary) of a prospective “new” employee during every stage of the hiring process. The bill also prohibits employers from conducting a search of publicly available records or reports for such information. According to the bill’s Legislative Intent, using such information to establish salary or benefits for new employees perpetuates wage discrimination and the “wage gap” experienced by women, racial and ethnic minorities, and individuals who are returning to the workforce after an extended period. The legislation cites studies finding that women, along with ethnic and racial minorities, have historically encountered lower wages than their white male counterparts. If County Executive Steve Bellone signs the RISE Act, it is expected to go into effect on or about June 30, 2019.
Westchester Lawmakers ‘Ban the Box’
It will now be against the law in Westchester County to ask a job applicant if he or she has ever been convicted of a serious crime. The County Board of Legislators voted on Monday to enact the “ban the box” law for county and private businesses in the county. Earlier this year County Executive George Latimer signed an executive order prohibiting county job applicants from being asked if they have been convicted of a serious crime.
North Dakota Background Check Waiver
On December 10th, the North Dakota Department of Human Services was granted a waiver that will temporarily delay the requirements for fingerprint-based background checks for employees of child care providers until September 2019. Under the Child Care and Development Block Grant of 2014, all child care providers are required to conduct background checks on their employees. This requirement created a backlog of employees who were not allowed to begin work and some classrooms were forced to shut down because of low staffing levels. The North Dakota Department of Human Services is considering methods to expedite the background check process so that child care providers do not face hiring delays. Reported in Arnall Golden Gregory December 17, 2018 Daily Privacy & Consumer Regulatory Alert.
Mixed Results for Employers on Marijuana – Two Federal Courts Refuse to Find State Marijuana Laws Preempted by Federal Law
Two recent federal cases illustrate why employers—even federal contractors—must be cognizant of relevant state-law pronouncements regarding the use of marijuana (i.e., cannabis) by employees. While one case found in favor of the employer, and the other in favor of the employee, these decisions have emphasized that state law protections for users of medical marijuana are not preempted by federal laws such as the Drug-Free Workplace Act (DFWA). Employers must craft a thoughtful and considered approach to marijuana in the workplace, and in most cases should not take a zero-tolerance approach to marijuana.
Ninth Circuit Finds in Favor of Employer Who Discharged Employee for Positive Drug Test
In Carlson v. Charter Communication, LLC, the Ninth Circuit affirmed the dismissal of a lawsuit brought by an employee who alleged discrimination under the Montana Medical Marijuana Act (MMA) because he was discharged for testing positive for marijuana use. The plaintiff, a medical marijuana cardholder under Montana state law, tested positive for THC (a cannabinoid) after an accident in a company-owned vehicle. His employer, a federal contractor required to comply with the DFWA, terminated his employment because the positive test result violated its employment policy. The District Court of Montana held that the employer was within its rights to discharge the plaintiff because (1) the DFWA preempts the MMA on the issue of whether a federal contractor can employ a medical marijuana user; and (2) the MMA does not provide employment protections to medical marijuana cardholders. Indeed, the MMA specifically states that employers are not required to accommodate the use of medical marijuana, and the Act does not permit a cause of action against an employer for wrongful discharge or discrimination. The Ninth Circuit rejected this rationale. Because the MMA does not prevent employers from prohibiting employees from using marijuana and does not permit employees to sue for discrimination or wrongful termination, the Ninth Circuit held that the MMA does not preclude federal contractors from complying with the DFWA and thus found no conflict. The plaintiff asserted that the provisions of the MMA exempting employers from accommodating registered users and prohibiting such users from bringing wrongful discharge or discrimination lawsuits against employers are unconstitutional and sought certification of the question to the Montana Supreme Court. The Ninth Circuit rejected this request because, it determined, the Montana Supreme Court already decided the issue:
The MMA and the specific sections challenged by the plaintiff appropriately balance Montana’s legitimate state interest in regulating access to a controlled substance while avoiding entanglement with federal law, which classifies the substance as illegal.
Plaintiff Wins Summary Judgment Against Employer That Rescinded Job Offer Due to Positive Test
If federal law does not preempt state law on the issue of marijuana, then in certain states, like Connecticut, employers will be more susceptible to discrimination claims from marijuana users. In Noffsinger v. SSC Niantic Operating Company, the District of Connecticut granted summary judgment to a plaintiff-employee of Bride Brook Nursing & Rehabilitation Center who used medical marijuana to treat post-traumatic stress disorder (“PTSD”) and whose offer was rescinded for testing positive for THC during a post-offer drug screen. Plaintiff filed a discrimination claim under the Connecticut Palliative Use of Marijuana Act (“PUMA”), which makes it illegal for an employer to refuse to hire a person or discharge, penalize, or threaten an employee “solely on the basis of such person’s or employee’s status as a qualifying patient or primary caregiver.” We covered a previous decision in this case, in which the court held that PUMA is not preempted by the federal Controlled Substance Act (“CSA”), the Americans with Disabilities Act, or the Food, Drug & Cosmetic Act (“FDCA”). The decision was notable then for being the first federal decision to hold that the CSA does not preempt a state medical marijuana law’s anti-discrimination provision, a departure from a previous federal decision in New Mexico. In this recent decision, the District Court again considered whether PUMA was preempted by federal law. In ruling for the Plaintiff, the court rejected Bride Brook’s argument that its practices fall within an exception to PUMA’s anti-discrimination provision because they are “required by federal law or required to obtain federal funding.” Bride Brook argued that in order to comply with the DFWA, which requires federal contractors to make a good faith effort to maintain a drug-free workplace, it could not hire the plaintiff because of her failed pre-employment drug test.
The court was not persuaded, concluding that the DFWA does not require drug testing, nor does it prohibit federal contractors from employing people who use illegal drugs outside the workplace. The court noted that simply because Bride Brook’s zero-tolerance policy went beyond the requirements of the DFWA does not mean that hiring the plaintiff would violate the Act. The court also rejected Bride Brook’s argument that the federal False Claims Act (“FCA”) prohibits employers from hiring marijuana users because doing so would amount to defrauding the federal government. Because no federal law prohibits employers from hiring individuals who use medicinal marijuana outside of work, employers do not defraud the government by hiring those individuals. Lastly, the court rejected the theory that PUMA only prohibits discrimination on the basis of one’s registered status and not the actual use of marijuana, as such a holding would undermine the very purpose for which the employee obtained the status.
What These Decisions Mean for Employers
These decisions are notable for the fact that the federal courts refused to find the state laws were preempted by federal law. Importantly, neither found that the DFWA preempts state law, which means that even federal contractors must be aware of and follow state law with respect to marijuana use by employees. Thus, in states in which employers may not discriminate against medical marijuana users—such as Connecticut—all employers must take care not to make adverse employment decisions based solely on off-duty marijuana use and, in certain states, must accommodate medical marijuana use. A majority of states and the District of Columbia now permit the use of medical marijuana; employers, including federal contractors, should be mindful of these statutes and consult with counsel to ensure their employment policies are compliant.
Can an outside investigation constitute a “consumer report” under FCRA? The Seventh Circuit appears skeptical.
The Seventh Circuit Court of Appeals, in the case of Rivera v. Allstate Ins. Co., 907 F.3d 1031 (7th Cir. 2018), recently wrestled with a novel question under the FCRA—whether an investigation conducted by a third party into employee misconduct could be considered a consumer report under the FCRA. Ultimately, the Court did not rule on the issue, but it appeared skeptical that the FCRA would apply. In Rivera, four portfolio managers at Allstate were terminated after an investigation indicated they were timing their trades to inflate their bonuses at the expense of the portfolios they managed. Following their termination, the four employees sued Allstate for defamation and violation of the FCRA in District Court. The FCRA claim alleged that an investigation by a third-party law firm into employee misconduct constituted a “consumer report” as defined by the FCRA and should have been provided to the employees prior to their termination pursuant to Section 1681. The plaintiffs prevailed and, for their FCRA claims, were awarded statutory and punitive damages totaling $4,000 each as well as attorney’s fees and costs in the amount of $357,716.25. Allstate appealed. The Seventh Circuit overturned the FCRA verdict on Spokeo grounds, but not before expressing great skepticism about the applicability of the FCRA in these circumstances. It noted that this appeared to be a novel question of law and was an “odd application” of the FCRA. Specifically, the Court questioned whether an investigation could be a “consumer report,” largely because it was conducted by a law firm, which did not appear to be a “credit reporting agency.” This issue was not raised by Allstate, though, so FCRAland must wait for the first ruling on this issue.
Amazon Class Action Lawsuit Says Background Checks Target Minorities
A group of drivers say minorities are unfairly targeted under Amazon’s current background check policy, particularly Latino and black drivers, leading to their termination with the company. The policy doesn’t take into account their performance and leads to the firing of drivers based on their background check, the Amazon class action states. The lead plaintiffs allege that they were each hired as delivery drivers for Amazon, pending a background check. Each, according to the Amazon driver class action lawsuit, was fired based on information from their background check, despite their great performance record and without a deeper look into their individual circumstances. According to the Amazon employee class action lawsuit, this policy discriminates against minorities who are hit with extra police scrutiny and traffic enforcement.
The Amazon delivery driver class action lawsuit points out guidance from the Equal Employment Opportunity Commission that outlines the negative impact of relying on background checks in hiring on black and Latino workers.
The Commission’s guidance says that companies should take additional factors into consideration when hiring, like current performance. Amazon ignored the federal regulatory authority’s guidance and instead fires drivers with good performance records based on information in their background checks, the Amazon.com class action alleges. The Amazon Background Check Class Action Lawsuit is Andrews, et al. v. Amazon Inc., Case No. 1884CV03702E, in the Suffolk Superior Court for the Commonwealth of Massachusetts.
Reminder: Confusing Background Check Disclosures Can Get an Employer in FCRA Hot Water
On November 29, 2018, the Ninth Circuit Court of Appeals issued a decision in Mitchell v. Winco Foods, No. 17-35998, 2018 U.S. App. LEXIS 33483 (9th Cir. Nov. 29, 2018), a Fair Credit Reporting Act (“FCRA”) case on appeal after the U.S. District Court for the District of Idaho granted the defendant’s motion to dismiss the case for lack of standing. The Ninth Circuit agreed with the lower court that Mitchell did not establish the requisite standing because she alleged that WinCo’s job application forms were not FCRA-compliant, but did not articulate how those alleged violations harmed, or presented a material risk of harm to, her protected interests. The Court opined that Mitchell might have intended to allege that she was confused by the FCRA waiver and authorization on the forms, but that the facts were not sufficiently pleaded, even for the lower court to reach an inference of confusion. Still, the Ninth Circuit remanded on the basis that it was error for the lower court not to grant Mitchell leave to amend the operative complaint. The opinion itself is very succinct; at first glance, almost banal. Another case about Article III standing? However, there is a subtle-yet-important reminder lurking for those of us in FCRAland. Employers can, and do, get dinged for FCRA violations when the disclosures they provide on a job application are confusing. Confusion, as we all know, is a subjective standard, and that can be dangerous, especially in a proposed class action like the one Mitchell filed. In briefly discussing the possibility that Mitchell was confused, the Ninth Circuit referenced its own decision in Syed v. M-I, LLC, 853 F.3d 492, 499-500 (9th Cir. 2017). In Syed, the Court held that “the [FCRA] disclosure requirement at issue, 15 U.S.C. § 1681b(b)(2)(A)(i), creates a right to information by requiring prospective employers to inform job applicants that they intend to procure their consumer reports as part of the employment application process.” Id. at 499.
15 U.S.C. § 1681b(b)(2)(A)(i) prohibits a consumer report from being procured for employment purposes with respect to any consumer unless a clear and conspicuous disclosure has been made in writing to the consumer, at any time before the report is caused to be procured, in a document that consists solely of the disclosure, that a consumer report may be obtained for employment purposes. Further, the authorization requirement found in section 1681b(b)(2)(A)(ii) creates a right to privacy by enabling applicants to withhold their permission to obtain the report from the prospective employer, and a concrete injury when applicants are deprived of their ability to meaningfully authorize the credit check. Id. The implication here is that if the disclosures are confusing, the information is not getting to the consumer, and the consumer cannot make an informed privacy decision about whether to allow the procurement of the report. That lack of information is sufficient, the Ninth Circuit held, to establish Article III standing.
Circle K Class Action Says Employee Background Checks Violate FCRA
A class action lawsuit filed by a Circle K job applicant claims that the company’s employee background check forms violate the Fair Credit Reporting Act. Plaintiff Ernesto Limon says he worked for the Circle K convenience store in California from June 29, 2018 through July 31, 2018. He alleges that during the application process, he was required to fill out the company’s standard “Fair Credit Reporting Act Consent” form permitting the company to obtain a consumer report verifying his background and experience, more commonly known as conducting a “background check.” Limon says that he signed the form on June 21, 2018. Allegedly, he was confused by the standard disclosure and authorization form, and as a result, did not understand that Circle K would be requesting “consumer reports,” as they are defined by the Fair Credit Reporting Act, or FCRA. The Circle K background check class action lawsuit argues that Circle K violates the FCRA by putting more information in their disclosure and authorization form than is legally allowed. Allegedly, the FCRA only allows the disclosure and authorization form to contain information about the disclosure and authorization, and no extraneous details. Limon claims that Circle K’s disclosure and authorization form included extraneous information not allowed by law. Allegedly, the extra details were aimed at releasing the company from any liability for obtaining this information. The Circle K class action states that the disclosure and authorization form read “I authorize, without reservation, any person or entity contacted by Circle K Stores Inc. or its agent(s) to furnish the above stated information, and I release any such person or entity from any liability for furnishing such information.” Allegedly, the company hired Limon after procuring his consumer report after having him sign the form. Limon says that this form is standard for the company, and all applicants for employment with the company must sign the form. 
The Circle K Consumer Report Class Action Lawsuit is Ernesto Limon v. Circle K Stores Inc., Case 1:18-at-00883, in the U.S. District Court for the Eastern District of California.
Smith v. Mutual of Omaha
A small step toward important clarity—court holds screening reports on independent contractors not subject to the exacting FCRA requirements for employment background checks.
The United States District Court for the Southern District of Iowa recently ruled that the protections applicable when consumer reports are obtained for “employment purposes” under the Fair Credit Reporting Act (“FCRA”) do not extend to reports obtained for independent contractors. This issue has been unsettled, and employers and background screening companies alike have lacked clear guidance with respect to background reports for independent contractors. The decision becomes part of a small but growing body of law providing clarity on this recurring issue of importance. The case is Smith v. Mutual of Omaha Insurance Company, No. 4:17-cv-00443 (S.D. Iowa Oct. 4, 2018). A copy of the opinion can be found at: https://files.constantcontact.com/0401b957001/2f468abb-4bb8-4269-961d-e36bfcbfe1ea.pdf.
Requirements for Reports Used for “Employment Purposes”
Some of the FCRA’s most litigated protections apply when a consumer report is obtained for “employment purposes.” 15 U.S.C. § 1681b(b). This includes obtaining the consumer’s written authorization in a “stand-alone disclosure” and providing a pre-adverse action notice and summary of rights if the consumer report will be used, in whole or in part, to make an adverse employment decision. Importantly, these steps are only required if the report is obtained for employment purposes. “Employment purposes” is defined by the FCRA as “a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.” 15 U.S.C. § 1681a(h). It’s these last three words that have caused confusion. Given the strict requirements, employers often find themselves defending lawsuits—including class action lawsuits—under this provision of the FCRA. Some courts have even been willing to extend the requirements to consumer reporting agencies under certain circumstances. Claims based on alleged violations of these requirements have led to many multi-million-dollar settlements. Yet, the courts have not reached a consensus on whether these requirements apply equally to reports obtained for independent contractors.
The Court’s Decision
Plaintiff alleged he had applied to contract with Mutual of Omaha as an insurance salesperson but had not been hired due to a falsely reported felony on his background check. He alleged Mutual of Omaha failed to provide him with the statutorily-mandated pre-adverse action notice that the background check had led to his non-hiring. Mutual of Omaha moved to dismiss the claim on the basis that Smith was only applying to work as a contractor and, therefore, the FCRA’s pre-adverse action notice requirement did not apply. Plaintiff responded that he was actually applying as an employee and, even if he was a contractor, the FCRA’s requirements applied to contractors as well as employees. In finding the FCRA’s pre-adverse action requirement did not apply to reports obtained for independent contractors, the Court first noted how the question was “altogether separate from the question of whether Smith himself would have been an employee.” The Court looked at the plain language of the statute as being limited to reports used for “evaluating a consumer…as an employee.” Finding this “unambiguous,” the Court concluded “the FCRA’s requirement of pre-adverse action notice only applies when an applicant applies to be an employee.” In reaching this conclusion, the Court followed the reasoning of the Northern District of Ohio in Johnson v. Sherwin-Williams Co., 152 F. Supp. 3d 1021 (N.D. Ohio 2015) and the Eastern District of Wisconsin in Lamson v. EMS Energy Marketing Service, Inc., 868 F. Supp. 2d 804 (E.D. Wis. 2012). Although the Court decided the FCRA did not apply to independent contractors, it ordered limited discovery on the issue of whether Smith qualified as an employee or independent contractor, rather than granting outright Mutual of Omaha’s Motion to Dismiss with prejudice.
An Unsettled Issue
While Judge Jarvey in the Southern District of Iowa took a common-sense approach in reading the statute, some support exists for reading “employment purposes” to encompass independent contractors. Indeed, the Federal Trade Commission noted in its 2011 staff report, 40 Years of Experience with the Fair Credit Reporting Act, that “employment purposes is interpreted liberally” and it “may apply to situations where an entity uses individuals who are not technically employees to perform duties.” This theoretically could include independent contractors, agents, and volunteers, so long as the relationship is substantively analogous to employment. This interpretation seems largely based on a 1975 decision from the Fourth Circuit, Hoke v. Retail Credit Corp., 521 F.2d 1079 (4th Cir. 1975), which noted in dicta the FCRA could apply to independent contractors under some circumstances because courts “are not constrained to limit its application by the common-law concept of master and servant.” This expansive interpretation could be reconciled with Judge Jarvey’s approach by the view that whether the FCRA requirements apply depends on the facts and circumstances of a given relationship, rather than the formal designation of someone as an independent contractor.
Although one district court decision does not carry the day on this issue, it is beneficial to be aware of current case law impacting the industry. And note that other courts may read “employment purposes” broadly and impose the FCRA’s requirements for reports on independent contractors, and that personnel formally denominated an “independent contractor” may not be treated as such in court but rather could be deemed an employee for FCRA purposes, depending on the circumstances. As with all legal and risk mitigation decisions, work with your legal counsel to identify the right approach for your organization.
Eastern District of Pennsylvania Dismisses FCRA Claims for Lack of Standing
A Pennsylvania district court recently dismissed a complaint due to the plaintiff’s lack of standing to assert violations of the Fair Credit Reporting Act. In Harmon v. RapidCourt, LLC, Case No. 17-5699 (E.D. Pa. Nov. 20, 2018), consumer plaintiff Icarus Harmon asserted violations based on a stale criminal history that RapidCourt had provided to a consumer reporting agency. As part of the job application process, Harmon’s prospective employer sought the job applicant’s consumer report, using a consumer reporting agency to obtain it. The consumer reporting agency in turn contracted with RapidCourt to obtain Harmon’s criminal history. RapidCourt provided information on criminal charges more than seven years old and which did not result in criminal convictions. The consumer reporting agency, however, did not include this information in Harmon’s consumer report provided to the prospective employer. Harmon did not allege that he was denied employment as a result of the information provided; rather, he alleged that he suffered embarrassment, frustration, fear of future reports to other employers that contained this criminal information, and time spent to clear his consumer report file. These injuries stemmed from RapidCourt’s purported unlawful disclosure of criminal history information to the consumer reporting agency, not to the prospective employer. Relying on the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, the Court found that these allegations were insufficient to confer standing “because the disclosure of information to another consumer reporting agency, without more, does not constitute a concrete harm.” The Court assumed, without finding, that RapidCourt itself was a consumer reporting agency, but was “unwilling to find that the transmission of allegedly prohibited information from one consumer reporting agency to another is a concrete injury that is ‘real and not abstract.’” The Court further noted that Harmon, in alleging injuries, was “merely winging it in an attempt to manufacture an injury in fact.” While the FCRA recognizes the alleged injuries, when these injuries arise from the disclosure of information from one consumer reporting agency to another, they are insufficient to confer Article III standing. The Court found that to hold otherwise would “neither advance the FCRA’s purpose nor comport with well-reasoned case law.”
Firms Holding Personal Info on Canadians Must Meet New Standard
Organizations subject to Canadian privacy law were forced to comply with new rules in relation to privacy breaches as of Nov. 1. Here are six key considerations for organizations seeking to comply.
1. Identify all the rules that may apply.
The new PIPEDA rules will be directly applicable to most private-sector organizations operating in Canada or that process information about Canadians. Canadian privacy regulators have frequently taken jurisdiction over foreign-based organizations in the context of privacy breaches, including where organizations do not have any local presence or operations but held personal information about Canadian residents. Where there exists a “real and substantial” connection to Canada, PIPEDA will normally be considered to apply. Questions remain about how the rules will apply in British Columbia, Alberta and Quebec, which have enacted privacy laws that supplant the application of PIPEDA in many cases. In addition, foreign breach notification rules and industry-specific notification rules may be applicable in some cases — of particular significance are European Union and California breach notification rules described below.
In the European Union, under the General Data Protection Regulation (GDPR), controllers have a duty to report personal data breaches to the appropriate supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the incident. When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should also communicate the personal data breach to the affected individuals as soon as possible, under certain circumstances.
In California, any business that operates in the state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The disclosure shall be made in the most expedient time possible and without unreasonable delay. Breaches of confidentiality that affect more than 500 California residents must also be reported to the California attorney general. The California Consumer Privacy Act, which will come into force in 2020, does not add any obligations to these requirements.
2. Assess breach detection capabilities.
Proactive auditing and detection measures have previously been encouraged by the Office of the Privacy Commissioner of Canada as part of the safeguarding obligation under PIPEDA: Evolving Cybersecurity Regulatory Guidance — Key Finding from Privacy Commissioner of Canada. In order to ensure that potential privacy breaches will be identified for appropriate action, organizations should assess and update their incident detection capabilities as needed. In addition to the use of data-loss prevention tools and related technical measures to prevent and flag potential breaches, organizations should consider how audits and detailed privacy training programs can help identify privacy breaches. Privacy training programs should be updated to educate employees about breaches, their responsibilities, and the new rules.
3. Update incident response plans.
Organizations should update their incident response plans to help ensure effective incident response and compliance. Incident response plans should provide a clear roadmap for employees to escalate privacy incidents so that designated decision-makers can address any necessary actions under PIPEDA. This roadmap should include communication protocols and rules to protect legal privilege. Organizations should also consider updating incident response plans to reflect a breach recordkeeping strategy and relevant insurance considerations, highlighted below, and other matters.
4. Implement a breach record keeping strategy.
Pursuant to the new rules, organizations are required to retain for 24 months a record of every privacy breach, no matter how insignificant the breach may appear. The record must contain sufficient information to enable the commissioner to verify compliance with the breach notification requirements in PIPEDA.
Organizations should adopt a considered approach to recordkeeping, bearing in mind privilege, business objectives and the limits of PIPEDA. Organizations should consider whether to maintain PIPEDA breach records in a stand-alone file and refrain from creating such records in respect of: suspected or potential breaches; information that is not under the organization’s control; and breaches affecting employee personal information if the organization is not a federal work, undertaking or business under PIPEDA.
5. Review service-provider relationships.
Where an organization engages a service-provider to process personal information on its behalf, that organization remains accountable under PIPEDA and is considered to remain in control of the information.
Since the new PIPEDA rules apply to the organization with “control” of personal information that is breached, that organization should consider the full range of contractual and other measures necessary to manage risk arising out of service-provider breaches. Contractual measures may include provisions requiring the service provider to notify the organization of all suspected breaches, cooperate to investigate breaches and provide all information necessary to meet the new PIPEDA rules.
6. Understand insurance coverage and requirements.
Organizations have increasingly turned to cyber insurance to transfer the potentially staggering costs and liability that can be associated with privacy breaches. The new PIPEDA rules are expected to exacerbate such risks, further increase an already active class-action litigation environment in Canada for privacy breaches, and further drive the evolution of the cyber insurance market.
Organizations must clearly understand the scope of coverage and requirements under their insurance policies in the context of a breach.
Danish Data Protection Act
On December 18th, the International Association of Privacy Professionals (IAPP) published an article explaining the Danish Data Protection Act (DPA), which aligns Danish law with the EU General Data Protection Regulation (GDPR). Debate over whether public authorities are allowed to process data for purposes other than those for which it was collected stalled the passage of the Act in the Danish Parliament until May 23rd, 2018. The DPA applies to all processing by controllers or processors established in Denmark and to all processing outside of Denmark if done in connection with offering goods or services to people in Denmark. According to the IAPP article, the areas that the DPA covers beyond the GDPR include: (i) manual disclosure of personally identifiable information between administrative authorities; (ii) information on legal persons when processing is carried out by credit information agencies; (iii) video surveillance; and (iv) information about deceased persons, usually until ten years after death. Reported in Arnall Golden Gregory December 20, 2018 Daily Privacy & Consumer Regulatory Alert.
Failing to Properly Conduct Background Checks Continues To Be a Million-Dollar Mistake
Employers failing to strictly comply with FCRA requirements in conducting background checks continue to face expensive consequences. On November 16, 2018, the United States District Court for the Southern District of California approved a $1.2 million settlement of a class action lawsuit alleging violations of the FCRA filed against the popular pet supplies chain Petco.
The FCRA requires employers conducting background checks on job applicants and employees to provide a written disclosure stating that a consumer report may be obtained for employment purposes, and to obtain written authorization from the job applicant or employee to obtain the report. The disclosure must be made “in a document that consists solely of the disclosure,” which is commonly known as the “stand-alone” disclosure requirement.
If after obtaining a consumer report the employer decides to take an adverse employment action (such as declining to hire a job applicant or firing an employee) because of the report, the employer must, prior to taking any adverse action, provide the person subject to the adverse action with a copy of the consumer report and a written summary of consumer rights. After the employer gives the person an opportunity to respond, it must, among other things, give notice of the adverse action and the person’s right to dispute the accuracy of the consumer report.
The Petco settlement applied to two categories of employees and prospective employees. The “Disclosure Class” consisted of more than 37,000 people who completed job applications that allegedly did not comply with the FCRA “stand-alone” disclosure requirement. The disclosure form on the application contained so-called extraneous information other than the disclosure and was allegedly embedded within the employment application. Within the Disclosure Class was the “Adverse Action Subclass,” which consisted of approximately 52 people who alleged that Petco took an adverse employment action after obtaining a consumer report without providing the required notice, a copy of the consumer report, and an opportunity to cure any inaccuracies.
Of the $1.2 million Petco agreed to pay to settle the case, about $20 will be paid to each member of the Disclosure Class, an additional $150 will be paid to each member of the Adverse Action Subclass, $10,000 will be paid to the lead plaintiffs as an incentive award, and the remaining amount of approximately $430,000 will cover attorneys’ fees, costs, and payment to the settlement administrator.
Employers should review their background check procedures and ensure compliance with all disclosure, authorization, and notice requirements under the FCRA to avoid significant legal and financial consequences. An individual bringing a private right of action against an employer may be entitled to actual damages, a fine of up to $1,000 per violation, attorneys’ fees, court costs, and punitive damages. The FTC or other federal agencies may also bring an action to enforce the FCRA against an employer. Civil penalties for violations in actions brought by the FTC are currently $3,895 per violation.