Federal Developments
FTC / Identity Theft
On January 28th, the Federal Trade Commission (FTC) announced, in recognition of Data Privacy Day, that it has made enhancements to its identity theft website to allow victims of identity theft to file responses and receive assistance more quickly. The website, IdentityTheft.gov, is integrated with the FTC’s consumer complaint system, and for the first time ever will allow consumers to receive personalized guidance on what to do in the event of identity theft, which often includes placing a security freeze on their credit report and notifying law enforcement. Consumers will input details about their situation into the website, which will then automatically generate affidavits and pre-fill letters and forms to be sent to credit bureaus, law enforcement, debt collectors, and the Internal Revenue Service (IRS). According to FTC Chairwoman Edith Ramirez, “Our hope is that this is going to make it much easier for consumers to start on their road to recovery. Having one easy set of steps to understand what [the recovery process] entails and getting a plan that is tailored to their own specific situation can be very helpful and really shorten the time it takes to recover from identity theft.” Identity theft is an increasingly prevalent crime- the FTC received over 490, 000 consumer complaints about identity theft during 2015 alone, a 47 percent increase from 2014.
https://www.ftc.gov/news-events/press-releases/2016/01/ftc-announces-significant-enhancementsidentitytheftgov
9th Circ. Asks Gov’t If Ariz. ID Theft Laws Are Preempted
The Ninth Circuit on Friday asked the U.S. government to comment on whether two Arizona identity theft statutes are preempted by federal immigration law and invited it to appear at oral arguments in a class action later this month.
http://www.law360.com/privacy/articles/753302?nl_pk=b14f4c91-6e5c-4e22-832d-ef92edafbeed&utm_source=newsletter&utm_medium=email&utm_campaign=privacy
US-EU Safe Harbor
On February 2nd, European Union (EU) Commission officials Andrus Ansip and Vera Jourova announced that the European Commission and the U.S. Department of Commerce have reached a new transatlantic data transfer agreement between the EU and the United States. In October 2015 the European Court of Justice invalidated the Safe Harbor pact between the EU and the U.S., ruling that the U.S. did not adequately safeguard the data of EU citizens (previously reported). In his announcement of the agreement, Ansip said, “The EU and U.S. are the closest allies, and on a topic as important as this, we had to find common solutions. I believe this new arrangement… is what Europe needs. Both our citizens and our businesses will benefit from this.” Ansip also indicated that the new agreement, known as the “EU-U.S. Privacy Shield, ” addresses the EU’s concerns about U.S. intelligence surveillance of European data, a major point of contention during the negotiations. According to Ansip, “The U.S. has clarified that they do not carry out indiscriminate surveillance of Europeans.” However, the agreement does allow for a “national security exception” for surveillance. Other provisions of Privacy Shield include a “redress scheme” that allows EU citizens who believe their data has been misused to seek redress with the Department of Commerce and the Federal Trade Commission, as well as the creation of an ombudsman within the State Department who will address complaints related to intelligence surveillance. Jourova announced that the agreement also includes an annual review process to allow “real-time adjustments” to Privacy Shield. The deal must now be approved by the 28 EU member states and the European Parliament, a process which could take three months.
http://thehill.com/policy/cybersecurity/267878-us-eu-reach-long-awaited-data-flow-agreement
http://www.agg.com/new-eu-us-privacy-shield-announced-as-a-replacement-for-the-eu-us-safe-harbor-program-02-02-2016/
The European Commission releases the full draft of the Privacy Shield data sharing agreement between the EU and the U.S.
http://europa.eu/rapid/press-release_IP-16-433_en.htm?locale=en
- FTC Chairwoman Edith Ramirez releases a statement on the Privacy Shield agreement. https://www.ftc.gov/news-events/press-releases/2016/02/statement-ftc-chairwoman-edith-ramirez-eu-us-privacy-shield-0
- The Hill publishes an article about the agreement entitled, “New Transatlantic Data Deal Draws Fire From Privacy Advocates.” http://thehill.com/policy/cybersecurity/271126-new-transatlantic-data-deal-draws-fire-from-privacy-advocates
Bill to Extend US Privacy Rights to EU Citizens
The U.S. House of Representatives on Wednesday passed legislation that would give European Union citizens the right to sue over U.S. privacy violations related to information shared with the U.S. for law enforcement purposes, unanimously agreeing to a recently tacked-on amendment.
http://www.law360.com/privacy/articles/757453?nl_pk=b14f4c91-6e5c-4e22-832d-ef92edafbeed&utm_source=newsletter&utm_medium=email&utm_campaign=privacy
Furnishers of Consumer Information
The CFPB publishes a compliance bulletin in the Federal Register that “highlights existing obligations under the Fair Credit Reporting Act (FCRA) for furnishers of consumer information to consumer reporting agencies.”
https://www.federalregister.gov/articles/2016/02/04/2016-01987/compliance-bulletin-the-fcras-requirement-that-furnishers-establish-and-implement-reasonable-written?utm_campaign=subscription+mailing+list&utm_medium=email&utm_source=federalregister.gov
OPM / Background Check Contractors
On February 5th, Nextgov reported that the Office of Personnel Management (OPM) has released a draft request for proposals outlining the requirements for contractors that conduct background checks for the federal government. According to OPM spokesman Sam Schumach, the draft proposal is “intended to provide industry advanced notice of the pending solicitation as well as an opportunity to provide comments, feedback and recommendations that government can consider prior to finalizing the solicitation.” Under the proposal, contractors would be required to encrypt data “at rest and in transit throughout contractor networks, and on host and client platforms.” Contractors would also be required to develop policies to deal with cybersecurity incidents, as well as provide cybersecurity training to all employees prior to gaining access to the Information Technology (IT) systems at OPM. Contractors would be required to report all security incidents “immediately upon becoming aware, ” or within 30 minutes or less. Finally, the proposal would require contractors to use “personal identity verification cards” to access OPM’s IT systems, as well as gain approval from OPM’s Chief Information Officer before using commercial Cloud service providers.
http://www.nextgov.com/cybersecurity/2016/02/contracting-docs-opm-tighten-it-security-backgroundinvestigation-companies/125741/?oref=ng-channelriver
FTC Enforcement Action
On February 23, the Federal Trade Commission (FTC) announced that it had reached a settlement with AsusTek Computer, Inc. (Asus), resolving allegations that the computer hardware maker violated Section 5 of the FTC Act. Specifically, the FTC alleged that Asus’ routers did not provide adequate security and their cloud services exposed consumers’ sensitive information. According to the complaint, the company advertised its routers as delivering several security mechanisms that could “protect computers from any unauthorized access, hacking and virus attacks” and “protect [the] local network against attacks from hackers.” The FTC found that, in reality, Asus did not provide the level of security as advertised, and failed to notify consumers’ of these shortcomings even after a hacker gained access to consumers’ connected storage devices in 2014. In a statement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said, “The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks. Routers play a key role in securing those home networks, so it’s critical that companies like Asus put reasonable security in place to protect consumers and their personal information.”
https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routerscloud-services-put
- The FTC also published a blog post about the settlement entitled, “ASUS Case Suggests 6 things to Watch for in the Internet of Things.” https://www.ftc.gov/news-events/blogs/business-blog/2016/02/asus-case-suggests-6-things-watch-internet-things
Sen. Dems. Want Paid-Off Medical Debt Out Of Credit Scores
Democrats have introduced a bill in the U.S. Senate that would alter the Fair Credit Reporting Act to prevent paid or settled medical debt from affecting consumers’ credit scores, in line with settlements by the New York attorney general and a 2015 bill in the House of Representatives.
Court Cases
Wells Fargo Rescinded Job Offer Based On Faulty Data: Suit
A woman is suing Wells Fargo for rescinding a job offer based on a background check that falsely reported termination from her previous job at Bank of America for committing fraud, according to a proposed class action filed Friday in New Jersey federal court.
http://www.law360.com/privacy/articles/753467?nl_pk=b14f4c91-6e5c-4e22-832d-ef92edafbeed&utm_source=newsletter&utm_medium=email&utm_campaign=privacy
FCRA
On February 18th, an Illinois federal judge denied Sprint Corp.’s (Sprint) motion to dismiss a putative class action accusing the company of violating the Fair Credit Reporting Act (FCRA). According to the original complaint, Sprint presented job candidates with unlawful background check disclosure forms that said candidates were required to give the company access to private data held by the government, healthcare providers, and schools. Sprint moved to dismiss the case based on lack of consumer harm. However, the judge denied Sprint’s motion and ruled that, “Congress enacted the FCRA to protect consumer control over personal information the exposure of which, though often necessary in the modern economy, can result in a significant invasion of privacy and can jeopardize a consumer’s personal, reputational and financial wellbeing. The statute provides that when a person or entity willfully violates a mandate of the FCRA that is designed to protect these interests, the aggrieved consumer may recover statutory damages.” Rodriquez Jr. v. Sprint Corp et al., case number 1:15-v-10641, in the U.S. District Court for the Northern District of Illinois.
On February 12th, Dave & Busters, Inc. (Dave & Busters) sought to move a proposed class action accusing the company of violating the Fair Credit Reporting Act (FCRA) from Florida state court to federal court. According to the complaint, Dave & Buster’s rescinded the plaintiff’s offer of employment based on the outcome of a background check conducted by a consumer reporting agency. However, the plaintiff contends that Dave & Buster’s violated the FCRA by failing to provide him with a copy of the report that was the basis of the adverse decision, as well as the opportunity to dispute the report’s findings. Specifically, the complaint said, “This practice violates one of the most fundamental protections afforded to employees under the FRCA, and also runs counter to longstanding regulatory guidance.” The proposed class seeks punitive and statutory damages, which the plaintiff said should be between $100 and $1000 per violation. Alvarez v. Dave & Buster’s Inc., case number 6:16-cv-00252, in the U.S. District Court for the Middle District of Florida.
On January 29th, a New York federal judge stayed the proceedings in the Fair Credit Reporting Act (FCRA) lawsuit against Dish Network, LLC (Dish). According to the 2012 complaint brought by Dish satellite technicians, Dish violated the FCRA by obtaining their credit reports without proper authorization prior to conducting background checks. The technicians also claim that Dish violated the law when it did not provide notice before taking adverse action based on the content of the reports. However, the judge granted Dish’s motion for a stay pending the Supreme Court’s ruling in Spokeo, Inc. v. Robins. According to the judge’s order, “The Supreme Court’s decision in Spokeo will likely clarify whether or not the named plaintiffs and potential class members in this case have Article III standing. The definitions for each of the plaintiffs’ three proposed classes premise membership on Dish’s alleged violations of various FCRA provisions. Similar to Spokeo’s arguments before the Supreme Court, defendants argue that two of the three named plaintiffs ‘neither alleged to have suffered, nor actually suffered, any concrete harm other than a purported violation of their rights under the [FCRA].’” In response to the judge’s order, plaintiffs’ counsel stated, “Plaintiffs believe the likelihood that Spokeo will affect the federal court’s jurisdiction in this case is small, and even if it does, plaintiffs intend to pursue their claims against Dish in state court. What corporate defendants fail to recognize in these cases is that, whatever the Supreme Court decides in Spokeo, the decision case will not operate as a get-out-of-jail-free card for corporations who break the law. Rather, even the most extreme possible decision in Spokeo will simply mean that plaintiffs cannot sue in federal court.” Ernst et al. v. Dish Network LLC et al., case number 1:12-cv-08794, in the U.S. District Court for the Southern District of New York.
Background check company comprehensive Background Inc. was hit with a proposed class action in California federal court Thursday alleging the company performed consumer background checks for employment purposes in violation of federal consumer protection law. Named plaintiff Donald Evans says in the complaint that comprehensive has repeatedly violated the Fair Credit Reporting Act by failing to obtain the certifications required under a provision of the law before furnishing consumer reports to employers.
http://www.law360.com/privacy/articles/755625?nl_pk=b14f4c91-6e5c-4e22-832d-ef92edafbeed&utm_source=newsletter&utm_medium=email&utm_campaign=privacy
FCRA / Background Screening
On February 18th, U.S. District Judge Robert E. Payne rejected a motion for summary judgment filed by CoreLogic National Background Data LLC (CoreLogic) in the proposed class action lawsuit accusing the company of violating the Fair Credit Reporting Act (FCRA). According to the plaintiff, his job offer was rescinded based on incomprehensive information provided by a search result from CoreLogic. CoreLogic, however, argued that the FCRA claims do not apply to it because it does not provide search results on specific people and therefore does not provide “consumer reports.” CoreLogic also argued that it is not governed by the FCRA because it does not provide information directly to employers, instead selling information from its database to background screening companies who then sell background checks to employers. The judge rejected CoreLogic’s arguments, concluding, “It would be illogical and unrealistic to conclude that the purpose for which a report was furnished depends entirely on whether the report goes through a ‘middleman.’ Under [CoreLogic’s] proposed reading, any credit reporting agency could relieve itself of all responsibility under the FCRA merely be ensuring that its reports moved through an intermediary.” Tyrone Henderson and James O. Hines Jr., on behalf of themselves and others similarly situated v. CoreLogic National Background Data LLC f/k/a National Background Data LLC, case number 3:12-cv-00097, in the U.S. District Court for the Eastern District of Virginia.
Spokeo v. Robins
On February 13th, U.S. Supreme Court Justice Antonin Scalia unexpectedly passed away and his absence on the bench could have an important impact on upcoming cases. Specifically, Scalia’s vote could have been the tipping point that would reverse the Ninth Circuit’s ruling in Spokeo, Inc. v. Robins. According to Robins’ original complaint, Spokeo violated that Fair Credit Reporting Act (FCRA) by allegedly publishing incomprehensive information about Robins on the company’s search engine. The Ninth Circuit ruled in favor Robins, concluding that plaintiffs did not have to demonstrate actual harm in order to have standing. During the oral arguments before the Supreme Court in November, it was clear that the Court was divided on whether to uphold the Ninth Circuit ruling, with Justice Anthony Kennedy in the middle of the split vote. However, without Scalia’s vote, there would be no conservative majority and the Ninth Circuit ruling could be confirmed by an evenly divided court. According to many legal experts, the question of plaintiffs’ standing in this case has important implications for businesses, with one attorney stating, “This is a question that is becoming more significant across the country, with pretty substantial businesses facing these issues, and a split will result in them being stuck in the same spot that they have been in for years.” However, there is still a possibility that the Court postpones the case for re-argument next term in order for consideration from a full bench of justices. Spokeo Inc. v. Thomas Robins et al., case number 12-1339, in the Supreme Court of the United States.
State Developments
Texas – Uber, Lyft Fingerprinting Rules Top Austin City Council Agenda
February 11- Decision day in Austin on the rules for Uber and Lyft.The City Council must decide today whether to undo the mandate it passed in December requiring the drivers with such ride-hailing apps to undergo fingerprint-based background checks, or whether to let voters make that call May 7. In the weeks after the council passed that ordinance, Ridesharing Works for Austin gathered enough petition signatures for an alternative measure that would strike the fingerprinting requirement, which Uber and Lyft have said is onerous, unnecessary and would compel them to leave Austin. The successful petition drive forces the council to either adopt the alternative measure or place it on the ballot of the next available election.
Philadelphia Fair Practices Ordinance
On January 28, 2016, Philadelphia City Council Member William Greenlee and Council President Darrell Clarke introduced legislation pertaining to the use of credit history in employment decisions. The bill would amend Chapter 9-1100, “Fair Practices Ordinance: Protections Against Unlawful Discrimination, ” and would prohibit an employer from obtaining, requesting or using an individual’s credit information in connection with hiring, discharge, tenure, promotion, discipline or consideration of anything else to do with an employment relationship. The bill defines “credit information” to be “Any written, oral, or other communication of information regarding a person’s: debt; credit worthiness, standing, capacity, score or history; payment history; charged-off debts; bank account balances or other information; or bankruptcies, judgments, liens, or items under collection.” Despite its restrictive nature, the bill does contain a number of exceptions to the prohibition, stating that it shall not apply to law enforcement agencies, the City of Philadelphia with respect to efforts to collect taxes or other debts owed to the City, financial institutions, if the position requires the employee to be bonded or is a supervisory role overseeing a business or division of a business, if credit information must be obtained pursuant to state or federal law, or if the position involves significant financial responsibility or access to sensitive financial or proprietary information. The bill would take effect 30 days from the date of enactment. The measure is currently pending before the City Council, and we will continue to keep NAPBS members apprised of any further developments
International Developments
U.S. / EU Safe Harbor
On January 28th, Federal Trade Commission (FTC) Commissioner Julie Brill and the European Commission’s Director for Fundamental Rights Paul Nemitz participated in a panel discussion and addressed the ongoing Safe Harbor negotiations between the U.S. and the European Union (EU) at the Computers, Privacy, and Data Protection Conference in Brussels, Belgium. According to Nemitz, “We’re working very hard to find an agreement that will withstand the judicial review… We have been given very clear criteria from the judgment in Schrems.” Nemitz also indicated that Vera Jourova of the European Commission will inform the European Parliament and member states about the outcome of the negotiations on Monday evening. Brill responded by saying, “I think we need to take it one step at a time. My view is that there are a lot of good proposals on the table… There is absolutely a path to yes and need to get to yes. I don’t have a crystal ball, but I do think we ought to get to yes, and we ought to get to yes rather quickly.” Omer Tene, IAPP Vice President of Research and Education, said that while the details of the negotiations are still unknown, “I would assume that given the GDPR [General Data Protection Regulation] has already passed, the Safe Harbor will have to incorporate not only the rights under the 95 Directive, but also the new rights under the GDPR- like, for example, the right to be forgotten and data portability.”
https://iapp.org/news/a/new-data-transfer-deal-could-come-by-monday/
EU’s Article 29 Working Party
Feb. 11: The EU’s Article 29 Working Party released an action plan outlining the implementation of the General Data Protection Regulation, which is scheduled to take effect in the Spring of 2018.
https://iapp.org/news/a/article-29-working-party-lays-out-gdpr-action-plan/
The EU’s Article 29 Working Party, which comprises data protection authorities from each EU member state, gave a press conference and asked the European Commission to provide more details on Privacy Shield by the end of the month.
https://iapp.org/news/a/eu-dpas-respond-to-privacy-shield-bcrs-are-a-go-for-now/
UK
Feb. 4: The UK Parliament announced that it will opt-out of Article 43a of the EU’s General Data Protection Regulation, which “governs the international transfers of data via binding corporate rules.”
http://www.parliament.uk/business/publications/written-questions-answers-statements/written-statement/Lords/2016-02-04/HLWS500/
Germany
The Hill publishes an article entitled, “Germany Set to Fine Three US Firms Over Data Transfers.”
http://thehill.com/policy/cybersecurity/270912-germany-set-to-fine-three-us-firms-over-data-transfers
Miscellaneous
Hacking
A hacker published the information of nearly 10, 000 DHS employees online, and has now threatened to also publish the information of 20, 000 FBI employees.
http://thehill.com/policy/cybersecurity/268594-hacker-dumps-10k-dhs-employees-data-threatens-fbi-next
Biometric Privacy Guidelines
On February 2nd, the Biometric Institute released a revised version of its “Biometric Privacy Guidelines, ” which, according to the organization, “provide a guide for suppliers, end users, researchers, managers and purchasers of biometric systems.” The Biometric Institute is an independent non-profit research organization whose 190 member organizations include biometric users like banks, airlines, governments, law enforcement, and other research groups. According to the Institute, the guidance addresses how biometrics “connect beyond national boundaries and across different filed as diverse health records, border controls, retail… finance and banking.” Terry Aulich, head of the organization’s Privacy Expert Group, said in a statement, “The guidelines recognize that biometrics are applied in many varying use cases around the world under a wide variety of regulatory regimes. It is not intended to be a replacement for international standards or regulatory requirements. It is a recommendation providing direction for the responsible use of biometrics.”
http://www.biometricupdate.com/201602/biometrics-institute-revises-its-biometrics-privacy-guidelines
Hospital Data Breaches
On February 12th, Hollywood Presbyterian Medical Center in Los Angeles, California declared an “internal emergency” after discovering a ransomware attack on their computer systems. Ransomware is malicious software that prevents users from accessing their computers unless they pay a ransom. According to an anonymous physician at the hospital, the hackers are demanding a payment of $3.6 million in order to restore the computer system. Until the system is unlocked, the hospital is relying on paper charts and many of the hospital’s computer-backed technologies, including CT scans, are disabled. Patients have even been transferred to other hospitals during the outage. According to Craig Spiezle, Executive Director and President of Online Trust Alliance, ransomware is on the rise and “much like surge pricing for taxis, cybercriminals now target and calculate their ransomware pricing based on company size, market value and much more. Cybersurge pricing of corporate data is becoming widespread, increasing the impact and costs for businesses and their employees worldwide.” CryptoWall, one of the most common types of ransomware, has reportedly collected $325 million in damages.
http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36mdemanded-by-attackers.html
On February 9th, Jackson Health System, a taxpayer-supported hospital network in Florida, reported a data breach of 24, 188 patient records. According to a memo from CEO Carlos Migoya, “a rogue Jackson employee” is believed to have been stealing sensitive patient information since 2005, potentially exposing patients’ names, birthdays, Social Security numbers, and addresses. The employee, who worked as a unit secretary, has been placed on administrative leave. Migoya indicated that Jackson Health System is currently in the process of upgrading its security systems and that the hospital’s employees recently completed patient privacy training. Jackson Health System announced another data breach just four days earlier, in which two employees were fired for leaking information about New York Giants player Jason Pierre Paul, who received treatment at the hospital.
http://www.miamiherald.com/news/health-care/article59339038.html
IAPP
The IAPP publishes an article entitled, “Scalia’s Privacy Impact Will Be Felt For Years to Come.” https://iapp.org/news/a/scalias-privacy-impact-will-be-felt-for-years-to-come/
Credit Scores / Big Data
On February 17th , The Wall Street Journal published an article entitled, “Bosses Tap Outside Firms to Predict Which Workers Might Get Sick.” According to the report, companies like Wal-Mart Stores, Inc. are hiring companies to gather data on their employees in order to predict which workers are likely to incur healthcare costs. For instance, companies like Castlight Healthcare, Inc. could gather data to determine which employees are at risk for diseases like diabetes, and then send them personalized messages encouraging healthier lifestyles. According to Harry Greenspun, Director of Deloitte LLP’s Center for Health Solutions, “I bet I could better predict your risk of a heart attack by where you shop and where you eat than by your genome.” Dr. Greenspun also said that credit scores can be used as a determinate of health outcomes. For instance, people with low credit scores are less likely to fill prescriptions or attend follow-up appointments. Many privacy advocates have expressed concerns about these practices; however, employees generally have the opportunity to opt-out and employers are not usually permitted access to the data gathered on specific employees.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
