Federal Developments
Healthcare.gov
On January 30th, U.S. Representative Don Young (R-AK) introduced H.R. 633, the “Protecting Rights Online to Ensure Consumer Trust Act, ” which would prohibit the sharing of Healthcare.gov information with third parties. The bill follows recent media reports revealing that certain third parties have access to information on Healthcare.gov. Specifically, the bill would prohibit officials of the federal government from sharing personally identifiable information collected through the website healthcare.gov for any type of commercial marketing.
http://donyoung.house.gov/uploadedfiles/h.r._633_protect_act.pdf
Health Care Data Breach Notification
On February 11th, U.S. Representative Joseph Pitts (R-PA) introduced H.R. 903, which would require notification to individuals about breaches of personally identifiable information through health exchanges under the Patient Protection and Affordable Care Act. The bill, entitled the “Health Exchange Security and Transparency Act, ” would require that a covered health exchange notify individuals within two days of discovering a data breach that “resulted in personally identifiable information of an individual being stolen or unlawfully accessed.” The bill is being reintroduced after passing the House in 2014, although it was not taken up in the Senate.
Transportation Worker ID Credential Assessment Act
Feb. 10: The House passed H.R. 710, Rep. Sheila Jackson Lee’s (D-TX) bill entitled, “Essential Transportation Worker Identification Credential Assessment Act.”
https://www.congress.gov/114/bills/hr710/BILLS-114hr710rfs.pdf
Law Enforcement Access to Data Stored Abroad
Sen. Orrin Hatch (R-UT) introduced S. 512, the “Law Enforcement Access to Data Stored Abroad (“LEADS”) Act.”
, %20February%2012, %202015.pdf
State Developments
Breach Notification
On January 30th, Wyoming state senators introduced S.B. 35, an act which would provide “notice requirements to consumers affected by breaches of personal identifying information.” The bill would expand upon current requirements under Wyoming’s current data breach notification law. The bill specifies the types of required information that a notice to affected individuals would have to provide, including:
- The potentially compromised information;
- A description of the breach incident;
- Steps taken by the breached entity to prevent subsequent breaches;
- Advice to affected individuals to review account statements and monitor credit reports; and
- Free identity theft prevention and mitigation services to affected individuals.
The bill, if signed, would go into effect on July 1, 2015.
http://legisweb.state.wy.us/2015/Introduced/SF0035.pdf
Data Breach and Bankruptcy
On February 8th, Altegrity, Inc. (Altegrity) filed for Chapter 11 protection citing a “state-sponsored” cyberattack as a reason for its financial problems. In August 2014, Altegrity, a risk information service company known for its vetting of National Security Agency contractor Edward Snowden, suffered a data breach to its federal background check division, U.S. Investigative Services (USIS). The bankruptcy papers filed with the Delaware bankruptcy court specifically noted the data breach as an “unforeseen business disruption” that, in part, created the company’s financial problems. As a result of the data breach, the federal government suspended its contract with USIS, which Altegrity declared was “an extraordinary measure in the context of other cyberattacks or data breaches associated with government vendors, ” according to its chapter 11 papers.
In re: Altegrity, Inc. et al., No.1:15-bk-10226 (Bankr. D. Del., Feb. 8, 2015).
Ban the Box
Fla. – Tampa Won’t Make City Vendors Ban the Box -After being warned that it risked losing a lawsuit, the City Council declined Thursday to expand its “ban the box” job application policy to include companies doing business with City Hall. But the council still hopes to nudge private employers toward eliminating questions on initial job applications about candidates’ criminal history.
http://www.tampabay.com/news/localgovernment/tampa-wont-make-city-vendors-ban-the-box-on-job-applications/2218321
Data Breach
Feb. 22: Media reported that the University of Maine is investigating a breach affecting 941 past and present students that resulted from a stolen faculty laptop.
On February 20th, media reported that Lone Star Circle of Care (TX), a non-profit clinic, suffered its second data breach in as many years, affecting 8, 700 individuals, including 6, 300 patients. The more recent breach, which Lone Star discovered on January 9th, occurred when the clinic’s website operator on July 31st placed a backup file of sensitive information on the website, which an unspecified number of individuals accessed an unspecified number of times. Potentially compromised personal information includes patient names, addresses, phone numbers, dates of birth, and, for five affected individuals, full or partial Social Security numbers.
On February 19th, grocer Schnuck Markets Inc. (“Schnucks”) filed in federal district court a motion to dismiss a complaint brought by a putative class of banks to recover charges incurred for customers affected by the retailer’s 2013 data breach that affected 2.4 million individuals (previously reported). Schnucks asserted that it bears no legal responsibility for reimbursing the banks, who themselves reimbursed affected customers for fraudulent charges and incurred further costs in reissuing payment cards. Schnucks restated the banks’ claims as asserting negligence-based theories and an equitable doctrine, and argued that “courts have repeatedly rejected these claims in cases exactly like this one.” “By bringing this action, ” Schnucks continued, “the bank is attempting to bypass the contractual bargains it made and, through tort law, make Schnucks an insurer of the bank’s payment card business.”
Community Bank of Trenton, et al. v. Schnuck Markets, Inc., No. 3:14-cv-01361 (S.D. Ill., Feb. 19, 2015).
On February 13th, Intuit, Inc. (Intuit) reported a data breach involving an undisclosed number of customers’ TurboTax accounts and affecting information contained on customers’ tax returns. According to the notice, Intuit learned on January 29th that “criminals” accessed customers’ TurboTax accounts without authorization. Intuit confirmed that customer usernames and password information for such accounts were not obtained from any Intuit system and that the login information must have been obtained from another source such as “security breaches elsewhere.” Intuit recommends customers check their account for viruses and is offering affected customers credit monitoring and identity theft protection services for one year at no cost.
On February 13th, Big Fish Games, Inc. (Big Fish), a producer and distributer of online mobile games, reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information. According to the data breach notice, on January 12th, Big Fish discovered that an “unknown criminal” installed malware on its website’s billing and payment pages that compromised customers’ payment information. The affected period was between December 24, 2014 and January 8, 2015. Upon discovering the breach, Big Fish notified law enforcement and began taking steps to remove the malware. Big Fish recommends that customers monitor their credit reports and is offering affected customers credit monitoring and identity protection services for one year at no cost.
http://oag.ca.gov/system/files/BFG%20-%20MULTI-STATE%20NOTIFICATION%20LETTER_Proof_1.pdf
Feb. 5: Phoenix House Foundation, Inc. reported a data breach involving an undisclosed number of employees’ names, addresses, Social Security numbers, salaries, and benefits information.
http://oag.ca.gov/system/files/PHOENIX%20HOUSE_%20INDIVIDUAL%20NOTIFICATION%20VERSION%201_WPP-REVISED_0.PDF?
On February 4th, Anthem, Inc. (Anthem) announced a data breach that reportedly compromised approximately 80 million customers’ names, birthdates, Social Security numbers, and income data. In addition to customer data, Anthem employee data was also accessed. Anthem’s President and CEO Joseph Swedish noted that, so far, there is no evidence that credit card or medical information were compromised. Upon discovery of the breach, Anthem notified law enforcement and began to secure vulnerabilities to its network. Anthem will notify affected individuals directly and provide them with free credit monitoring and identity theft services.
Anthem Announcement: http://www.anthemfacts.com/
Media Report: http://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/
On January 30th, the University of Massachusetts Memorial Medical Group (UMass Memorial) reported a data breach involving potentially 14, 000 patients’ payment card information, Social Security numbers, birthdates, and medical record numbers. Media reported that UMass Memorial released a statement saying it learned on April 9, 2014 that a former employee allegedly accessed patient billing information without authorization. UMass Memorial notified law enforcement to conduct an investigation, which remains ongoing. According to UMass Memorial, law enforcement gave it permission to disclose the breach on January 28, 2015.
http://www.telegram.com/article/20150130/NEWS/301309587/1116
Jan. 30: CICS Employment Services, Inc. reported a data breach involving an undisclosed number of candidates’ names, addresses, birthdates, and Social Security numbers.
http://oag.ca.gov/system/files/Notice_N095_v01_0.PDF?
Target Corp. reported that it spent approximately $145 million in data breach expenses according to an SEC filing.
Background Checks
Feb. 13: The Mississippi state Senate passed SB 2394, which would require background checks for renewing firearm licenses.
http://billstatus.ls.state.ms.us/documents/2015/pdf/SB/2300-2399/SB2394PS.pdf
Feb. 12: The Arizona state legislature’s House Banking and Financial Services Committee reported out HB 2169, which would require candidates for a loan originator license to be subject to a background check.
http://www.azleg.gov/legtext/52leg/1r/bills/hb2169h.pdf
Feb. 12: The Mississippi state Senate reported out SB 2695, which would require schools to conduct background checks on its employees.
http://billstatus.ls.state.ms.us/documents/2015/pdf/SB/2600-2699/SB2695PS.pdf
Feb. 11: West Virginia state lawmakers sent to the House Judiciary Committee S.B. 357, which would affect background checks for coal miners.
http://www.legis.state.wv.us/Bill_Text_HTML/2015_SESSIONS/RS/bills/SB357%20SUB1%20eng.pdf
On February 3rd, Arizona state lawmakers introduced S.B. 1432, which would require background checks for all hotel employees. Specifically, the bill states that “before a hotel or motel owner or manager allows a hotel or motel employee to have access to the room of a registered guest, the owner or manager must check the Internet sex offender website…and the United States Department of Justice National Sex Offender public website.” The bill would prohibit anyone who appears on either list from accessing the room of a registered guest.
http://www.azleg.gov/legtext/52leg/1r/bills/sb1432p.pdf
On January 23rd, Washington state senators introduced S.B. 5550, which would require commercial transportation companies to retain drivers’ criminal history records as part of the companies’ background check process. The bill is in response to recent reports involving Lyft, Inc. and Uber Technologies, Inc. not having adequate background screening procedures for its drivers. Under the bill, companies would be required to maintain criminal history records of its drivers for five years from the date the record was made. The bill also identifies particular offenses that would not permit a candidate to be employed as a driver, including:
- An offense involving fraud;
- A sex offense; or
- Burglary, trespass, extortion, or possession of stolen property.
Mississippi state lawmakers referred to the Senate Veterans and Military Affairs Committee HB 1224, which would require a background check for renewing a concealed weapons permit.
http://billstatus.ls.state.ms.us/documents/2015/pdf/HB/1200-1299/HB1224PS.pdf
The Boston Globe reports that the Massachusetts Interscholastic Athletic Association will implement criminal background checks for referees.
http://www.bostonglobe.com/sports/2015/02/26/miaa-require-criminal-checks-for-referees/EfPm9XS4nR33E6Qhq2dZuL/story.html
Ga. – Macon-Bibb County May “Ban the Box”
Convicted felons applying for a job in Macon-Bibb County may no longer have to check a box on the application that asks about their criminal history.
It’s part of a new proposal sponsored by Commissioner Al Tillman. He says by removing the question, there’d be less room for discrimination against convicted felons, who may have committed a crime decades ago. Tillman emphasizes background checks would still be required.
However, he thinks everyone, even those who have made mistakes, deserves a second chance.
http://www.13wmaz.com/story/news/local/macon/2015/02/03/ban-the-box-job-applications/22835595/
State Legislation
On February 17th, Virginia Governor Terry McAuliffe (D) signed HB 1662, which implements new rules for ridesharing companies regarding driver background checks. The new law sets rules for Transportation Network Companies (TNCs), such as Uber and Lyft, that operate in Virginia. Specifically, the law charges the state’s Department of Motor Vehicles (DMV) with overseeing the operations of TNCs, including their driver background check process. The law requires for TNCs to, among other things:
- Ensure drivers are at least 21 years old;
- Conduct a criminal background check on all drivers; and
- Confirm the driver is insured and is registered with the DMV for TNC purposes.
Feb. 17: New York state senator Kevin Parker (D) introduced S3803, which would prohibit using social media for the purposes of debt collection.
http://open.nysenate.gov/legislation/bill/S3803-2015
The Indiana legislature’s Homeland Security and Transportation Committee passed S.B. 347, which would require background checks and motor vehicle insurance for drivers of rideshare companies.
The Wyoming state senate voted against S.F. 41, which would have prohibited an employer from requesting or requiring access to the personal internet account of an employee or prospective employee.
http://legisweb.state.wy.us/2015/Introduced/SF0041.pdf
The Virginia legislature’s Agriculture, Chesapeake and Natural Resources Committee passed H.B. 1277, which would require the Department of State Police to conduct state and national fingerprint-based criminal history background checks on any person applying for a license to grow industrial hemp.
http://lis.virginia.gov/cgi-bin/legp604.exe?151+ful+HB1277EH1
The law states that the background check must include a Multi-state/Multi-jurisdictional Criminal Records Database search, and a search of the Sex Offender and Crimes Against Minors Registry and the U.S. Department of Justice’s Sex Offender public website. The person conducting the background check must be accredited by the National Association of Professional Background Screeners (NAPBS) or a comparable entity. A driver will be disqualified from working with the TNC if they are found on any sex offender registry or has been convicted of a “violent felony, ” amongst other criteria.
Law: http://lis.virginia.gov/cgi-bin/legp604.exe?151+ful+HB1662ER+pdf
Governor Statement: https://governor.virginia.gov/newsroom/newsarticle?articleId=7746
The Arizona legislature’s Education Committee reported out HB 2207, which would affect background checks for school employees.
http://www.azleg.gov/legtext/52leg/1r/bills/hb2207h.pdf
Court Cases
FCRA
On February 6th, Uber Technologies, Inc. (Uber) filed a motion to compel arbitration in a putative class action lawsuit alleging the ridesharing company violated the Fair Credit Reporting Act (FCRA) by failing to obtain the plaintiff’s consent prior to procuring his background check information. The lawsuit was filed in federal district court; however, Uber argues that plaintiff signed a contract with Uber agreeing to arbitrate any disputes with the company, and that cases would be handled on an individual basis, rather than as a class of individuals. According to Uber, “[e]ach of the foregoing claims is encompassed by the broad terms of the arbitration provisions in the agreements that plaintiff executed with defendants.” As a result, “Plaintiff refused to abide by their terms by filing the instant action.”
Mohamed v. Uber Technologies, Inc. et al., No. 3:14-cv-05200 (N.D. Cal., Feb. 6, 2015). Daily
Jan. 30: Michaels Stores, Inc. filed a motion to dismiss in an action alleging the retailer violated the FCRA by not adequately notifying prospective employees that it will procure background checks, arguing that the plaintiff agreed to a clickwrap agreement that gave plaintiff’s consent and absolved Michaels from liability.
Jan. 30: A federal district court dismissed a plaintiff’s complaint alleging Donna Kara International, Inc. violated the Fair and comprehensive Credit Transaction Act by printing a portion of customers’ payment card information on receipts.
A federal district judge dismissed a proposed class action alleging that Alere Inc. violated the FCRA in its 2012 breach of patient information.
FTC Enforcement Action
Feb. 6: The FTC announced it approved final orders in an action alleging PaymentsMD, LLC and its former CEO violated consumers’ privacy by collecting their medical information without their consent.
http://www.ftc.gov/news-events/press-releases/2015/02/ftc-approves-final-orders-paymentsmd-privacy-case?utm_source=govdelivery
EEOC/Background Checks
On February 20th, the Fourth Circuit affirmed a district court grant of summary judgment against the Equal Employment Opportunity Commission (EEOC) in its suit against Freeman, a nationwide event planning firm, alleging that its use of credit reports for hiring had a disparate impact on blacks and males. The Fourth Circuit found that the EEOC’s expert witness produced so many “mistakes and omissions” that the testimony is “‘outside the range where experts might reasonably differ.’” Judge Agee filed a concurring opinion to express “concern with the EEOC’s disappointing litigation conduct.” Agee wrote, “it troubles me that the [EEOC] continues to proffer expert testimony from a witness whose work has been roundly rejected in our sister circuits for similar deficiencies to those we observe here. It is my hope that the [EEOC] will reconsider pursuing a course that does not serve it or the public interest well.”
EEOC v. Freeman, No. 13-2365 (4th Cir., Feb. 20, 2015).
Miscellaneous Cases
Feb. 23: LinkedIn reportedly settled in a federal district court a class action alleging “weak” password security.
http://bits.blogs.nytimes.com/2015/02/23/linkedin-settles-class-action-suit-over-weak-password-security/?ref=technology&_r=3
Anthem, Inc. was named in two putative class action lawsuits over the cyberattack it suffered that exposed personal information of approximately 80 million customers and employees.
The U.S. Judicial Panel on Multidistrict Litigation consolidated five class action lawsuits against Community Health Systems, Inc. over a data breach it suffered that exposed the personal information of approximately 4.5 million customers.
The plaintiff in a putative class action lawsuit against Michaels Stores, Inc., who alleged violations of the FCRA for its inadequate background check disclosure forms, sought class certification.
Miscellaneous
Gemalto, a Dutch digital security company, reportedly states that its SIM cards are secure after last week disclosing possible hacking by the NSA and the UK GCHQ.
http://www.cnet.com/news/sim-card-maker-gemalto-says-its-cards-are-secure-despite-hack/
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
