Personal Data Notification & Protection Act
On January 12th, the White House announced proposed legislation it will offer for Congress’ consideration entitled, the “Personal Data Notification & Protection Act.” The White House intends the bill to bring “peace of mind” to consumers whose personal and financial information has been compromised due to a data breach. According to the “fact sheet” detailing the proposal, the bill “clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard.”
Data Security and Breach Notification
On January 13th, U.S. Senator Bill Nelson (D-FL) introduced S. 177, the “Data Security and Breach Notification Act of 2015.” The purpose of the bill is to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a breach of security.” Specifically, the bill would require covered entities to implement particular data security policies and procedures, including:
- A security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information;
- The designation of a “point of contact” who has responsibility for the management of information security;
- A process of investigating and assessing reasonably foreseeable vulnerabilities of the covered entity; and
- A process for taking preventive or corrective action to mitigate vulnerabilities.
Notably, the bill would provide for certain entities to be exempted from these requirements, including any “financial institution that is subject to Title V of the Gramm-Leach-Bliley Act…and is in compliance” with information security requirements under that Act. The bill would also provide certain data breach notification requirements, including the need to notify the FTC and each citizen or resident of the United States whose personal information was compromised from the breach not later than 30 days after the date of discovery. Notification methods to individuals include by writing or email. Additionally, the bill would provide the FTC with rulemaking authority related to consumer notification and enforcement authority under the FTC Act. Finally, the bill would provide the Attorney General and state attorneys general with civil enforcement authority.
The Student Digital Privacy Act
On January 12th, the White House proposed legislation entitled the “Student Digital Privacy Act” (SDPA). The SDPA intends to provide teachers and parents assurances that online educational tools that collect student information are collecting the information solely for educational purposes. Specifically, the White House stated that the bill “would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school – while still permitting important research initiatives to improve student learning outcomes, and efforts by companies to continuously improve the effectiveness of their learning technology products.”
On January 12th, the White House announced that “JPMorganChase and Bank of America, in partnership with Fair Isaac Corporation (FICO), will join the growing list of firms making credit scores available for free to their consumer card customers.” USAA and State Employees’ Credit Union will also offer free credit scores to consumers, according to the announcement. Additionally, Ally Financial will soon make credit scores available to their auto loan customers. According to the announcement, these efforts will provide Americans with credit scores to better enable them to “spot identity theft through their banks, card issuers, or lenders.”
Data Breach Notification
On January 6th, U.S. Representative John Conyers (D-MI) introduced H.R. 104, the “Cyber Privacy Fortification Act of 2015.” The legislation intends to strengthen data breach notifications by, among other things:
- Imposing a fine or term of imprisonment for whoever has an obligation to provide notice of a security breach and knowingly fails to do so;
- Requiring notice of a data breach to the Secret Service and Federal Bureau of Investigation (FBI); and
- Requiring the Secret Service and FBI to annually publish in the Federal Register a list of all notifications submitted in the previous calendar year.
The bill would define sensitive personally identifiable information as electronic or digital information including:
- First and last name, or first initial and last name, or address or phone number in combination with any one of the following:
- Nontruncated Social Security number, driver’s license number, state ID number, passport number, or alien registration number;
- Unique biometric data; or
- Both mother’s maiden name and the month, day, and year of birth; or
- Financial account number, or credit or debit card number, in combination with any required security code, access code or password.
The bill would also impose requirements for privacy enforcement by the U.S. Attorney General and state authorities, as well as require federal agencies to publish privacy impact assessments as part of their rulemaking process.
Chemical Facilities / Background Checks
On January 6th, U.S. Representative Sheila Jackson Lee (D-TX) introduced H.R. 54, “A Bill to Enhance the Security of Chemical Facilities and For Other Purposes.” The bill intends “to modify and make permanent the authority of the Secretary of Homeland Security to regulate security practices at chemical facilities.” As part of the bill, the Secretary of Homeland Security would have authority to establish standards, protocols, and procedures for security vulnerability assessments and chemical facility security plans, including background check policies for employees and “ensuring appropriate credentials for unescorted visitors.” Similarly, the bill would identify “restrictions on use and maintenance of information” related to background checks, including that such information:
- May not be made available to the public;
- May not be accessed by an employee of the covered facility, except for an employee in charge of collecting the information; and
- Shall be maintained confidentially by the covered chemical facility and the Secretary.
Additionally, the bill requires the Secretary of Homeland Security to develop a list of covered chemical facilities based on factors that determine if the facility is a sufficient security risk, including whether the potential threat or likelihood that the facility will be targeted by terrorists and the proximity of the chemical facility to large population centers.
FTC Act / Telemarketing Sales Rule
On January 13th, the Federal Trade Commission (FTC) announced a settlement with Cream Group, Inc. (Cream Group) over alleged violations of the FTC Act and the Telemarketing Sales Rule (TSR) for targeting Spanish-speaking women with false promises and charging advanced fees. According to the complaint, the FTC alleged that Cream Group charged hundreds of dollars up-front to consumers who would send Cream Group their off-brand products, promising the consumer more money after Cream Group resold the product. “These defendants preyed on people who were just trying to make an honest living, ” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Consumers are better off now that the defendants are out of the telemarketing business.” As part of the settlement, the court imposed a $5, 170, 953 judgment against Cream Group, Inc., equal to the total revenues of their telemarketing scheme.
Reform and Improve Security Clearance
Jan. 22: Rep. Stephen Lynch (D-MA) introduced H.R. 490, “To provide for a strategic plan to reform and improve the security clearance and background investigation processes of the Federal Government, and for other purposes.”
FTC Enforcement Action
The FTC announced a settlement with two online “diploma mills” for alleged violations of the FTC Act by deceiving consumers into purchasing their “official and accredited high school diplomas” to use for applying to college and jobs. The principal owners of two Florida-based online diploma mills are permanently banned from marketing and selling academic degrees under settlements with the Federal Trade Commission (Alexander Wolfram and IDM Services, LLC, and Maria Garcia)
The FTC announces a settlement with car title lenders for alleged violations of the FTC Act for deceptively advertising the cost of their loans (First American Title Lending of Georgia, LLC, and Finance Select, Inc.)
Jan. 30: UMass Memorial Medical Group reported a data breach involving potentially 14, 000 patients’ payment card information, Social Security numbers, birthdates, and medical record numbers.
On January 26th, Piech Sales Company, LLC (d/b/a ValuePetSupplies.com) reported a data breach involving an undisclosed number of customers’ names, addresses, payment card information, phone numbers, and account passwords. On or about November 25th, 2014, ValuePetSupplies learned it suffered a cyberattack after unauthorized individuals accessed its servers and installed malicious software. An investigation revealed that the malicious software targeted consumers’ personal information entered on its website during purchases. ValuePetSuppplies believes the affected period is between November 25th and December 29th. Since discovering the cyberattack, ValuePetSupplies engaged professionals to remove the malicious software and has taken additional steps to prevent similar data breaches. ValuePetSupplies recommends that customers place a fraud alert on their credit files, monitor their credit reports, and change their account passwords.
Jan. 26: Greers Professional Fabricare Services reported a data breach involving an undisclosed number of customers’ names and payment card information.
On January 15th, OneStop Parking reported a data breach involving an undisclosed number of customers’ names, addresses, and credit card information. Brian Krebs originally reported on the breach on December 30th (previously reported). According to the data breach notice, on December 25th OneStop Parking learned that “hackers” may have penetrated their online payment information to gain access to customer personal information. Upon discovery of the possible vulnerability, OneStop Parking hired an outside firm to ensure its website no longer contains vulnerabilities that may have been exploited by hackers. OneStop Parking does not have evidence that any information was misused, but recommends customers consider placing a fraud alert on their credit file.
On January 14th, Piech Slaes Company, LLC, d/b/a ValuePetSupplies.com, reported a data breach involving an undisclosed number of customers’ names, addresses, and credit card information. On November 25th, ValuePetSupplies.com learned of a cyberattack on its website that involved the use of malicious files to capture customer personal information entered into the website when customers attempted to purchase items. According to the notice, the affected time period is between November 25th and December 29th. ValuePetSupplies.com worked with outside firm to remove the malicious software from its servers and contacted law enforcement to investigate. ValuePetSupplies has no evidence that any information has been misused. However, the company recommends customers monitor their credit report and place a fraud alert on their credit file.
On January 13th, Park ‘N Fly (PNF) reported a data breach involving an undisclosed number of customers’ names, email addresses, phone numbers, and payment card information. According to PNF, data from certain payment cards that were used to make reservations through PNF’s e-commerce website may have been compromised. Upon learning of the incident, PNF notified law enforcement and data forensic experts to assist with an investigation, which is ongoing. PNF recommends that customers protect their identity and financial information, and offered affected customers identity monitoring and protection services for one year at no cost. PNF also suggests that customers consider placing a fraud alert on their credit files.
On January 12th, the Law Offices of David A. Krausz, PC (Krausz), a California personal injury law firm, reported a data breach involving an undisclosed number of clients’ names, Social Security numbers, and birthdates. On January 6th, Krausz learned that a firm laptop was stolen that contained the client personal information. The theft of the laptop was reported to law enforcement. Although Krausz has no evidence that any information was misused, Krausz recommends that clients place a fraud alert on their credit file.
On January 9th, New Jersey Governor Chris Christie (R) signed S-562, “An Act Concerning the Security of Certain Personal Information and Supplementing P.L. 1960, c.39.” The bill will require health insurance companies in New Jersey to protect client information by encrypting the data or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person, ” according to the legislation. The bill follows a series of data breach incidents in New Jersey involving stolen laptops containing policyholder information.
Riverside County Regional Medical Center reported a data breach involving an undisclosed number of patients’ demographic information, Social Security numbers, and clinical information.
Krebsonsecurity.com reports that Book2Park.com “appears” to have suffered a data breach involving customers’ payment card information. This would be the third parking service hacked in recent months.
Jan. 30: Wyoming state senators introduced S.B. 35, an act “specifying notice requirements to consumers affected by breaches of personal identifying information.”
Jan. 23: Washington state senators introduced S.B. 5550, which addresses commercial transportation services and driver background checks.
Jan. 15: Arizona House lawmakers introduced H.B. 2086, which “makes various changes to statutes relating to fingerprinting for employment.”
Dec. 11: The New Jersey legislature’s Judiciary Committee passed A1662, which would “authorize the court to order the deletion, sealing, labeling, or correction of certain personal information in government records.”
Jan. 26: The Eleventh Circuit was urged to review its prior ruling that held Experian Information Solutions, Inc. did not violate the FCRA by not further investigating a consumer’s dispute over his credit report.
On January 20th, Whole Foods Market Group, Inc. (Whole Foods) argued that a former employee’s complaint alleging that the grocery chain violated the Fair Credit Reporting Act’s (FCRA) requirements on employment background checks is “blatantly false, ” requiring the case to be dismissed. The plaintiff’s complaint alleges that Whole Foods fails to provide proper consumer report disclosure documentation to prospective employees during the application process. Whole Foods filed a motion to dismiss, arguing that the claims are false and that Whole Foods, in fact, provided disclosure forms that complied with the FCRA and offered copies of its Daily Privacy & Consumer Regulatory Alert disclosure release form as evidence. “Whole Foods’ Disclosure Statement…fully complies with all of the foregoing FCRA disclosure requirements, ” Whole Foods said in its motion to dismiss. “And, by way of his signature, plaintiff signified receipt of this disclosure statement on March 11, 2011.”
Colin Speer v. Whole Foods Group Market, Inc., No. 8:14-cv-03035 (M.D. Fla., Jan. 20, 2015).
On January 12th, Michaels Stores, Inc. (Michaels) was named in a proposed class action lawsuit alleging violations of the Fair Credit reporting Act (FCRA) for improperly notifying prospective employees that the company conducts background checks. Specifically, the plaintiff alleges that Michaels does not supply a separate document outlining that the retailer may obtain consumer reports on prospective employees, a violation of the FCRA. “Defendant did not provide plaintiff or putative class members with a clear and conspicuous disclosure in writing in a document that consists solely of the disclosure that a consumer report may be obtained for employment purposes, ” the lawsuit said. The plaintiff seeks to represent a class of individuals who filled out a Michaels’ employee applications during the previous two years and submitted to background checks as a result.
Raini Burnside v. Michaels Stores Inc., No. 6:15-cv-03010 (W.D. Mo., Jan. 12, 2015).
On January 7th, Paramount Pictures Corp. (Paramount) was named in a putative class action lawsuit alleging the company violated the Fair Credit Reporting Act (FCRA) by obtaining credit reports from current and prospective employees without adequate disclosure. Specifically, the plaintiff argues that, while applying for a position with the company in 2011, he was provided a disclosure and authorization form as part of his application saying that plaintiff gave permission to previous employers to provide Paramount with “any and all information concerning my previous employment and any other pertinent information.” However, Paramount never provided a separate disclosure solely for procuring a credit report, a violation of the FCRA. “Any reasonable employer or consumer reporting agency knows about or can easily discover these obligations, ” the complaint said. “Despite knowing of these legal obligations, Paramount intentionally and/or recklessly acted consciously in breaching its known duties and depriving plaintiff and other class members their rights under the FCRA.” The plaintiff seeks to represent a class whose consumer reports were also obtained by Paramount without a clear and conspicuous disclosure.
Peikoff v. Paramount Pictures Corporation, No. 3:15-cv-00068 (N.D. Cal., Jan. 7, 2015).
Jan. 7: Genesis Healthcare LLC was named in a putative class action lawsuit alleging violations of the FCRA by taking adverse employment actions based on consumer reports without providing prospective employees copies of the reports.
A federal district court tentatively ruled that The Walt Disney Co. cannot avoid a putative class action lawsuit alleging violations of the FCRA by using criminal background checks to make employment decisions without providing copies to prospective employees.
Plaintiffs in a proposed class action lawsuit against The Container Store, Inc. asked a federal district court to approve a settlement in an action alleging that the company violated state privacy and marketing laws by requesting customers’ ZIP codes during credit card payment transactions and using the information for marketing purposes.
A federal district court granted preliminary approval to Target Corp.’s second attempt to settle a class action lawsuit alleging violations of the Junk Fax Prevention Act for sending hundreds of unsolicited faxes to pharmacies.
Michaels Stores, Inc. was named in a putative class action lawsuit alleging the clothing retailer violated the FCRA by failing to provide adequate notice of its use of background checks for prospective employees. This is the second FCRA-related lawsuit against Michaels in recent weeks.
FTC Enforcement Authority
On January 20th, the Eleventh Circuit dismissed LabMD, Inc.’s (LabMD) latest action against the FTC alleging that the agency lacks authority to regulate companies’ data security practices, ruling that the Eleventh Circuit does not have jurisdiction to evaluate the case until a final determination is made in a parallel administrative proceeding. In August 2013, the FTC filed an administrative complaint against LabMD over the company’s alleged insufficient data security policies and practices. LabMD filed its complaint against the FTC in federal district court in March 2014, alleging, among other things, that the FTC’s administrative action against LabMD is arbitrary and capricious and that the FTC lacks authority to regulate protected health information. Affirming the federal district court’s May 2014 determination, the Eleventh Circuit said, “[t]he FTC is best suited to develop the factual record, continue to evaluate its positions on the issue and apply its expertise to complete the proceeding. All of this will allow for more robust appellate review by this court when the [administrative] action concludes.”
LabMD, Inc. v. Federal Trade Commission, No. 14-12144 (11th Cir., Jan. 20, 2015).
LabMD, Inc. filed a complaint against Tiversa Holding Corp. alleging Tiversa hacked its computers and fraudulently misled the FTC into believing sensitive patient information was accessible outside of LabMD’s network.
Jan. 12: Eddie Bauer LLC was named in a putative class action lawsuit alleging the clothing retailer violated California state law by recording customer phone calls without providing notice.
Jan. 9: The United States sued seven New Yorkers for their alleged involvement in an identity theft scheme that involved minors’ personal information and costing the U.S. Treasury millions of dollars.
Jan. 7: The Pennsylvania Attorney General announced that Pennsylvania and eight other states reached a settlement with Zappos.com, Inc. involving an investigation by the attorneys general regarding the company’s cybersecurity practices following a 2012 cyber attack.
Jan. 2: The FTC opposed LabMD Inc.’s attempt to introduce in their data security case, documents related to the House Oversight and Government Reform Committee’s investigation into a company that provided evidence to the FTC against LabMD.
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected]