On July 5th, the Department of Homeland Security (DHS) warned of serious security vulnerabilities in the Symantec and Norton antivirus products used across the federal government. DHS credited its EINSTEIN program, an intrusion detection and prevention system that monitors federal civilian agency network traffic (not a firewall, as it is sometimes described), with detecting the issue. According to DHS spokesman Scott McConnell, the agency uses programs like EINSTEIN to provide “a common baseline of security across the civilian government and [to help] agencies manage their cyber risk.” DHS officials cautioned in the alert that these antivirus products “are in widespread use throughout the government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.” Because antivirus engines run with high privileges and parse untrusted content such as email attachments and downloads, a flaw in the scanner itself can be triggered without any action by the user. The DHS Computer Emergency Readiness Team (US-CERT) said that patches for the vulnerabilities are available and advised users and administrators to apply them as soon as possible. For some products the fix arrives through the normal automatic update channel; for others, administrators must obtain and install the updated version manually, so simply waiting for an automatic update is not sufficient in every case.
Revised Privacy Shield Program Approved by The European Union: Department of Commerce Expected to Begin Accepting Program Participants in August
On July 12th, the European Commission gave final approval to the EU-U.S. Privacy Shield program for the transfer of personal data from the European Union to the United States by companies that voluntarily choose to participate in the new program. The U.S. Department of Commerce, which negotiated the agreement with EU officials, is expected to begin accepting companies into the program on August 1st. The Department of Commerce has not yet announced the fees for participating in the new program.
CFPB Amicus Brief
On July 11th, the Consumer Financial Protection Bureau (CFPB) filed an amicus brief in the ongoing Spokeo v. Robins dispute. The CFPB argued that it has a “substantial interest” in the court’s decision because of the Bureau’s authority to enforce the Fair Credit Reporting Act (FCRA), and emphasized that the “private right of action serves as an important supplement to the Bureau’s own enforcement efforts.” The Bureau warned that an “unduly narrow” interpretation of Article III standing could burden consumers seeking to exercise that private right of action. The brief sets out the CFPB’s position that “being the subject of an inaccurate consumer report is a concrete injury,” and cites congressional intent: Congress enacted the FCRA to “prevent consumers from being unjustly damaged because of inaccurate or arbitrary information in a credit report.” The CFPB also argues that Spokeo should be treated as a consumer reporting agency because it compiles consumer reports as the FCRA defines them, namely the “communication of any information… bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” used in deciding “whether to extend consumer credit, insurance, or employment.” Finally, the brief notes that Congress “plainly sought to curb the dissemination of false information” in consumer reports.
FTC Warning Letter
On July 14th, the Federal Trade Commission sent warning letters to companies that claim to participate in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System but for which no evidence of certification exists. The APEC system allows companies to transfer personal information between participating member economies if they agree to a “voluntary but enforceable code of conduct.” Businesses certified under the APEC CBPR system must remain compliant with nine data privacy principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. The FTC’s letter urges the companies claiming APEC CBPR certification either to remove the claims from their websites and notify the Commission, or to prove their certification. The FTC warns that companies falsely claiming APEC CBPR certification “may be in violation of the FTC Act.” The letter also informs the companies that the FTC recently settled its first enforcement action against a company that falsely claimed APEC CBPR certification.
U.S. to Allow Foreigners to Serve Warrants on U.S. Internet Firms
July 15: The Wall Street Journal reported that the Obama Administration is negotiating an agreement to allow foreign governments to serve warrants for data stored with U.S. tech firms.
Social Media Background Screening
On July 18th, Nextgov reported that the Defense Intelligence Agency (DIA) is conducting “market research” prior to launching a pilot program to implement social media background screening for government employees with a security clearance. The DIA may contract with a third party vendor to analyze “foreign comments and postings, foreign contacts and any information regarding: allegiance to the United States, foreign influence and/or preference, sexual behavior, personal conduct, financial, alcohol, legal and/or illegal drug involvement, psychological conditions and criminal conduct.” Nextgov reports that the DIA is “figuring out what features companies might be able to offer.” The DIA said that it would require “social media reports for routine investigations turned around within five days and two-day delivery for most ‘expedited’ social media reports.”
The FTC published a blog post announcing a webinar on helping formerly incarcerated people reenter society as informed consumers.
Data Storage Jurisdiction Ruling
On July 14th, the Second Circuit ruled that the U.S. government cannot use a search warrant issued under the Stored Communications Act (SCA) to reach customer data stored in a foreign country. The ruling reversed the Southern District of New York’s decision that had permitted the government to compel Microsoft Corp. (Microsoft) to produce a customer’s email records stored in Ireland. The Second Circuit looked to Congress’ intent when drafting the SCA, noting that, “When Congress intends a law to apply extraterritorially, it gives an ‘affirmative indication’ of that intent. . . We see no such indication in the SCA.” Tech companies and privacy advocates welcomed the ruling, with IAPP Vice President Omer Tene stating, “Microsoft’s victory over the U.S. government is a resounding affirmation of the endurance of privacy in an age marked by constant data transfers in the cloud, Internet of Things and big data applications.” Some privacy experts remain cautious, noting that the case could still go to the Supreme Court. Daniel Solove argued that the ruling will ease cross-border data flows, writing, “The Microsoft case bodes well for the success of the Privacy Shield and the easing of some of the [European Union’s] concerns about the potency and broad reach of US surveillance powers.” In the Matter of a Warrant to Search a Certain Email Account Controlled and Maintained by Microsoft Corp., case number 14-2985, in the U.S. Court of Appeals for the Second Circuit.
Spokeo v. Robins
On July 25th, Thomas Robins urged the Ninth Circuit not to dismiss his Fair Credit Reporting Act (FCRA) putative class action against Spokeo, Inc. (Spokeo), arguing that the Supreme Court’s ruling confirms his standing. Robins alleges that Spokeo posted incorrect information about him online, damaging his job prospects. Robins argued that the Supreme Court clarified that, “The pertinent issue therefore is not…whether Robins suffered ‘real-world’ harm. The issue is whether [the FCRA] protects a concrete interest. It does…” Robins also argued that Congress “determined that inaccurate reports cause concrete harm.” Spokeo responded by rejecting his reading of congressional intent, stating, “Robins hints that his theory would not base standing on trivial inaccuracies, but he does not explain how to draw that line, much less where Congress recognized such a distinction.” Thomas Robins v. Spokeo Inc., case number 11-56843, in the U.S. Court of Appeals for the Ninth Circuit.
On July 11th, Spokeo, Inc. (Spokeo) argued that the Plaintiff had failed to allege the concrete harm necessary for Article III standing, following the Supreme Court’s 6-2 decision remanding the case to the Ninth Circuit. Spokeo describes itself as a “people search engine,” offering information on individuals compiled from various sources in exchange for a fee. Thomas Robins, the Plaintiff, sued the company for allegedly violating the Fair Credit Reporting Act (FCRA) by posting incorrect information about his age, employment history, and education level. Spokeo rejected the Plaintiff’s claims, stating, “neither the statutory violations alleged. . . nor the factual allegations of the complaint demonstrate that Robins suffered the required concrete harm or faced a ‘certainly impending’ risk of harm.” Robins argued that the false information could harm his employment prospects, stating, “Employers may decide not to pursue a candidate they believe is overqualified, has a high salary expectation or may have family commitments preventing the candidate from accepting the relevant responsibilities; nor may they be inclined to pursue candidates whose reports vary from the (accurate) information the applicant might himself provide the employer.” Spokeo countered that the incorrect information posted about the Plaintiff was “seemingly flattering” and “did not itself expose Robins to any injury that was ‘certainly impending.’” Thomas Robins v. Spokeo Inc., case number 11-56843, in the U.S. Court of Appeals for the Ninth Circuit.
FCRA Class Action
On July 26th, a California federal judge certified a class of job applicants who accuse a background screening company of violating the Fair Credit Reporting Act (FCRA). The applicants allege that the company illegally included information forbidden under the FCRA in reports sent to prospective employers, including prior criminal charges that did not lead to convictions and “that were older than seven years.” U.S. District Judge William Alsup held that the Plaintiff had satisfied the requirements for standing, including the “concrete injury” test applied after the Spokeo Supreme Court decision. Judge Alsup wrote, “[The Company] sent restricted information about plaintiff into the world and as such caused injury to plaintiff’s privacy interest. Plaintiff’s alleged injury is concrete; therefore plaintiff has established standing.” The Judge also recognized that intangible injuries can support a concrete injury. The class consists of roughly 4,500 individuals who were the subject of background screening reports that included allegedly “stale arrest” information. Hawkins v. S2Verify et al., case number 3:15-cv-03502, in the U.S. District Court for the Northern District of California.
CFPB Constitutional Challenge
On July 13th, U.S. District Judge Ellen Segal Huvelle issued an order staying the State National Bank, Inc. (State National) case challenging the constitutionality of the Consumer Financial Protection Bureau’s (CFPB) single-director structure. Judge Huvelle’s order delays the proceedings until a decision is reached in PHH Corp.’s (PHH) similar challenge to the CFPB’s structure. State National filed a motion in November 2015 arguing that CFPB Director Richard Cordray’s appointment was unconstitutional because the agency lacks presidential oversight. State National also argued that all of Director Cordray’s actions as interim head of the CFPB, prior to his recess appointment, should be ruled “unlawful.” State National announced that it plans to appeal Judge Huvelle’s order.
Data Breach Litigation
On July 12th, the National Association of Consumer Advocates (NACA) filed an amicus brief in support of reviving the proposed class action against Paytime, Inc. (Paytime) over its 2014 data breach. The NACA brief argues that the Spokeo Supreme Court decision establishes that “constitutionally sufficient harms may be difficult to measure or even prove,” and that both tangible and intangible harms can establish Article III standing. NACA asserted that the Paytime data breach constitutes actual harm, writing, “First, employees’ injury is particularized, their [information] has been stolen and is in the hands of malicious hackers, personally affecting employees. Second, employees’ injury is concrete, their data was stolen by hackers, making it ‘plausible to infer a substantial risk of harm from the data breach because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.” Storm et al. v. Paytime Inc., case number 15-3690, in the U.S. Court of Appeals for the Third Circuit.
CriminalBackgroundRecords.com issued a press release on PRWeb regarding the FCRA lawsuit against Waffle House.
On July 15th, Equifax Information Services, LLC urged a Texas federal judge to dismiss a proposed Fair Credit Reporting Act (FCRA) class action against the company, citing the Spokeo Supreme Court decision. The plaintiffs allege that Equifax violated the FCRA when it provided the Texas Comptroller’s Office with consumer reports to facilitate the collection of taxes, a use they say the FCRA forbids and that violates congressional intent. Equifax responded that the plaintiffs lack Article III standing because they allege only procedural violations of the FCRA, without demonstrating a particularized or concrete injury. After the Spokeo decision, the plaintiffs amended their complaint to allege that the disclosure violated their privacy, which they argue is an injury under the Supreme Court’s ruling. Equifax rejected this argument, stating, “The [Plaintiffs] do not, and cannot, allege that they suffered any actual harm, such as a financial injury, emotional or reputational damage, or an adverse employment action, as a result of Equifax’s providing their credit reports to the Texas comptroller.” Equifax added, “The mere disclosure of personal information, without more, is not an Article III injury.” Perrill et al. v. Equifax Information Services LLC, case number 1:14-cv-00612, in the U.S. District Court for the Western District of Texas.
On July 22nd, Trans Union, LLC (TransUnion) urged a California federal judge to decertify a Fair Credit Reporting Act (FCRA) class action against the company, citing the Spokeo Supreme Court decision. TransUnion argued that the lead Plaintiff failed to allege “actual harm” or “concrete injury.” The Plaintiff sued TransUnion over an alleged policy of not allowing consumers to challenge the accuracy of “criminal and terrorist reports sent to landlords.” He filed suit after a landlord who used TransUnion’s “SmartMove Report” denied his rental application; the landlord later testified that the report played no role in that decision. TransUnion argued that the Plaintiff’s lack of “concrete injury” should prevent him from pursuing the claims on behalf of the entire class, and pointed out that only 21 percent of the class members claimed that their rental application was denied. Patel v. Trans Union LLC et al., case number 3:14-cv-00522, in the U.S. District Court for the Northern District of California.
On July 22nd, Umpqua Bank urged a Washington federal court to dismiss a putative class action against the financial institution for allegedly violating the Fair Credit Reporting Act (FCRA). The lead Plaintiff filed a lawsuit against Umpqua accusing the company of obtaining a consumer report from a background screening vendor using a disclosure containing “distracting” language. Umpqua argued that the Plaintiff failed to allege a “concrete injury” or “actual harm” as required for establishing Article III standing following the Spokeo Supreme Court decision. Umpqua also disputed the Plaintiff’s complaint, writing, “Nowhere does it assert that she was deprived of any information required under the statute when authorizing Umpqua to obtain her credit report. Instead, [Plaintiff] simply takes the position that the invasion of privacy and deprivation of information injuries that she now identifies are self-evident. This is precisely the type of position that is foreclosed under Spokeo.” Sarah Connolly v. Umpqua Bank et al., case number 2:15-cv-00517, in the U.S. District Court for the Western District of Washington.
July 7: The Massachusetts State Senate will consider S.2394, which would prohibit employers from requesting a credit report in order to make a hiring decision.
Indiana’s New Background Check for Healthcare Employers
Changes to Indiana Code IC 16-27-2 have expanded the criminal history check requirements for employees and owners of home health and personal services agencies in Indiana. As of July 1, 2016, employers must complete an expanded or national criminal history check on all new hires, and no employee may serve patients in their residences without that check. Owners are subject to the same requirement, and conviction for specified offenses bars a person from owning an agency or providing services to a patient in his or her home. Employers must request the expanded or national criminal history check within three days of a new employee’s start date, and may not allow an employee to provide services in a patient’s residence for more than 21 days without having received the results of the check.
Prior to the changes, the law required only a limited criminal history check, which covers only felonies and class A misdemeanor arrests within Indiana. The expanded criminal history check covers every Indiana county in which the individual has resided and any other state in which the individual has lived. Owners, officers, managers and alternate managers of the agency are also subject to the expanded or national check. Any change in the holders of these positions must be reported to the Indiana State Department of Health on company letterhead, with the results of the new officer’s check attached. In all cases, the check must cover an individual’s lifetime and is not limited to a particular time period or number of years.
Any individual convicted of rape, exploitation of an endangered adult or criminal deviate conduct at any time is excluded from owning an agency or working in patient care. The same exclusion applies to anyone convicted of theft within the last 10 years, or of failure to report battery, neglect or exploitation of an endangered adult at any time. If the convictions occurred outside Indiana, the same exclusion applies to equivalent offenses in the relevant jurisdiction. The requirement applies to all employees regardless of hire date.
On July 12th, the Pennsylvania Department of Revenue (DOR) announced that employee laptops containing the personal information of 865 taxpayers were stolen in late June. The theft occurred when thieves smashed the windows of a DOR vehicle and took the laptops while employees were conducting an audit. DOR sent letters to all affected individuals, offering free credit monitoring through Experian, Inc. (Experian) and fraud protection. In a press release, the Department acknowledged that one employee might not have followed data security procedures, potentially leaving the laptop’s contents exposed. Revenue Secretary Eileen McNulty apologized for the incident, stating, “Safeguarding the information of taxpayers is a top priority for the department. We are taking proactive steps to help those who could be potentially impacted and to ensure this does not happen again.”
Fingerprint Background Screening Ordinance
On July 10th, the City of Austin, Texas adopted a “follow-up” ordinance creating fines for ride-sharing companies that fail to comply with its fingerprint background check requirements for drivers. The measure imposes a daily fine of $500 on companies that fail to submit monthly reports listing the number of drivers that have passed background checks. If a company fails to certify that 99% of its drivers have passed fingerprint background checks by February 2017, the city will revoke its license to operate.
EU Data Breach Notification Requirements
Infosecurity Magazine reported that the EU adopted cybersecurity rules creating incident and data breach notification requirements.
U.K.’s implementation of the GDPR
July 5: The U.K. Minister for Data Protection indicated that the country’s decision to leave the EU might prevent the U.K.’s implementation of the GDPR.
IAPP published a blog post on the Minister’s comments.
EU-U.S. Privacy Shield
On July 26th, the Article 29 Working Party, comprising the data protection authorities (DPAs) of the European Union (EU) member states, issued a statement on the adoption of the EU-U.S. Privacy Shield. The statement credited the final text with improvements over an earlier draft that the Working Party had publicly criticized. The Working Party nevertheless took issue with parts of the final version, writing, “A number of these concerns remain regarding both the commercial aspects and the access by U.S. public authorities to data transferred from the EU.” It said it would have “expected stricter guidelines concerning the independence and powers of the Ombudsperson mechanism.” The Working Party singled out the “First Joint Annual Review” as the key moment for judging the “robustness and efficiency” of the arrangement and said it will “assess if the remaining issues have been solved” during that review. Until then, the DPAs will work to protect European citizens’ data “under the Privacy Shield mechanism,” and the Working Party said it will not challenge the legality of the arrangement during its first year.
On July 8th, the Article 31 committee approved the Privacy Shield agreement between the European Union (EU) and the United States (U.S.). The Article 31 committee, made up of representatives of the EU member states, voted “overwhelmingly” in favor of the deal. EU and U.S. officials are expected to meet on Tuesday, July 12th to formally adopt the agreement. European Commission Vice President Andrus Ansip praised the deal, stating, “The EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business.” Early drafts of the Privacy Shield had raised concerns that it would not sufficiently protect Europeans’ privacy rights; EU Commissioners dismissed those concerns, saying the agreement provides “clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.” The agreement places data protection requirements on U.S. businesses that handle European citizens’ information, under the supervision of the Department of Commerce and the Federal Trade Commission (FTC). Privacy Shield also creates a “privacy ombudsman for national security,” tasked with handling complaints about data misuse and indiscriminate mass surveillance. The European Commission expressed confidence that the EU-U.S. Privacy Shield would withstand legal scrutiny, stating, “Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.”
July 8: The Future of Privacy Forum published a blog post entitled, “EU Approves Privacy Shield: The Agreement Will Benefit Companies and Individuals in the US and Europe.”
EU Cybersecurity Rules
On July 6th, the European Union (EU) adopted the Directive on Security of Network and Information Systems (the NIS Directive), its first EU-wide cybersecurity rules. The Directive requires member states to adopt “national strategies” for improving their cybersecurity, including “risk management and incident reporting obligations for operators of essential services and digital service providers.” Each member state must designate “one or more national competent authorities” to implement the Directive and monitor the country’s progress toward its cybersecurity goals. The rules also require each member state to establish a Computer Security Incident Response Team (CSIRT) to monitor cybersecurity threats and assist in “responding to incidents.” Operators of essential services, defined as “private businesses or public entities with an important role for the society or economy,” must take measures to manage cybersecurity risks and must notify “serious incidents to the relevant national authorities.”
Model Contract Clauses
On July 19th, the Irish High Court granted the United States’ (U.S.) application to be joined to privacy advocate Max Schrems’ case against Facebook Ireland regarding its use of model contract clauses. Justice Brian McGovern agreed that the United States has a “significant and bona fide interest in the outcome of these proceedings,” permitting the U.S. to “defend the country’s surveillance laws before a European court.” The Court also approved the applications of tech industry lobbying groups and privacy rights organizations to join the case.
On July 26th, Kimpton Hotels & Restaurants, Inc. (Kimpton) reported that it is investigating its payment card processing systems for a possible data breach. The company issued a press release stating, “Kimpton was recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton Properties. As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support.” Kimpton operates a “boutique hotel brand that includes 62 properties across the United States.” Kimpton was alerted to the possible breach by security journalist Brian Krebs, who suggested that the card data was likely stolen by malicious software on point-of-sale systems.
FCRA and workplace background check violations
Inside Counsel published an article on the FCRA and workplace background check violations.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or firstname.lastname@example.org.