Judicial Redress Act
Sens. Christopher Murphy (D-CT) and Orrin Hatch (R-UT) introduced S.1600, the “Judicial Redress Act of 2015,” which would affect the ability of European citizens to seek redress in U.S. courts when their privacy rights are violated.
Commercial Data Sharing US-EU FTC
Reuters published an article entitled, “U.S. Expects Commercial Data-sharing Deal With EU ‘Very Soon.’”
FTC and Safe Harbor
On May 29th, the Federal Trade Commission (FTC) approved final orders in two previously announced U.S.-EU Safe Harbor cases. Specifically, following a formal comment period, the FTC approved final orders against TES Franchising LLC (TES Franchising) and American International Mailing, Inc., resolving FTC allegations that the defendants deceived consumers about their participation in international privacy frameworks. According to the complaints, the FTC alleged that the companies’ “websites indicated they were currently certified under the U.S.-EU Safe Harbor Framework and, in the case of TES Franchising, the U.S.-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier.” The FTC also alleged that TES Franchising, in particular, deceived consumers about its dispute resolution policies. According to the terms of the final orders, the “companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization,” and TES Franchising specifically is prohibited from misrepresenting its alternative dispute resolution process.
Ban the Box on Federal Job Applications FTC
A group of U.S. representatives wants the president to sign an executive order to ban federal contractors from asking if potential job seekers have been convicted of crimes. The “box” in question is one that appears on federal hiring applications, asking job seekers if they have a criminal record. As part of an effort to reduce mass incarceration, many around the country have rallied for local governments and workplaces to “ban the box” from their hiring forms. Now Congress is getting in on the action by asking President Obama to take action. “One in four Americans has a conviction history, which often excludes them from the workforce and from housing, creating new layers of crisis for our communities,” said Rep. Danny Davis (D-Ill.) in a statement released Thursday.
Pressure Builds for Feds to Ban the Box
Seventeen states and Washington, D.C. have passed laws making it easier for ex-offenders to find jobs in the labor market. Now civil rights and community groups that advocate for returning citizens are pushing the White House to do the same. Even though politicians on both sides of the aisle have warmed up to criminal justice reform and smarter sentencing policies, an estimated 70 million adults in the United States have arrests or conviction records and 9 in 10 employers conduct criminal background checks, according to a report by the National Employment Law Project (NELP), a workers’ rights group. The Sentencing Project, a group that has advocated for criminal justice reform for nearly 30 years, called the United States “the world’s leader in incarceration with 2.2 million people currently in the nation’s prisons or jails – a 500% increase over the past thirty years.”
OPM Intent to Award Internet & Social Media Contract
Jun. 11: OPM published a notice stating its intent to award a contract to Social Intelligence, a California-based tech company, to assist the agency in compiling “publicly available electronic information reports” on prospective hires.
On June 1st, the U.S. House passed by voice vote H.R. 1168, the Native American Children’s Safety Act. The bill would “amend the Indian Child Protection and Family Violence Prevention Act to require background checks before foster care placements are ordered in tribal court proceedings.” The Senate version, S. 184, passed in the Senate without amendment by unanimous consent. Specifically, the bill would require that, prior to a foster care placement or approval of a foster care license, the tribal social services agency:
- Complete a criminal records check of each covered individual who resides in the household or is employed at the institution in which the foster care placement will be made; and
- Conclude that each covered individual…meets such [background check] standards as the Indian tribe shall establish.
The bill would require that standards must include, among other things:
- Fingerprint-based checks of national crime information databases;
- Checks on any abuse registries by the Indian tribe; and
- Checks in any child abuse and neglect registry maintained by the State in which the covered individual resides.
FDCPA and FCRA Enforcement
On June 18th, the Consumer Financial Protection Bureau (CFPB) announced an enforcement action against a medical debt collector, Syndicated Office Systems (SOS), for allegedly violating the Fair Debt Collection Practices Act (FDCPA) and the Fair Credit Reporting Act (FCRA) by “mishandling consumer credit reporting disputes and preventing consumers from exercising important debt collection rights.” Specifically, the CFPB alleges that SOS violated the FDCPA and FCRA by:
- Failing to respond to more than 13,000 consumer credit report disputes within the 30-day timeframe required by law; and
- Failing to send debt validation notices to more than 10,000 consumers, while continuing to collect over $2 million from consumers who did not receive the notices.
As a result, the CFPB has ordered SOS to take the following actions:
- Provide over $5 million in relief to harmed consumers;
- Correct errors on credit reports;
- End illegal credit reporting and debt collection practices; and
- Pay a civil monetary penalty of $500,000.
FTC and Auto Dealer Privacy Policies
Jun. 19: NIST published its “Final Guidelines” for protecting sensitive government information held by contractors.
Jun. 16: NIST updated its “technical specifications and guidance for the next generation of ‘smart’ identity cards used by the federal government’s workforce.”
EPIC Files FTC Complaint
On June 22nd, the Electronic Privacy Information Center (EPIC) filed an FTC complaint against Uber alleging that their future practice of collecting users’ “personal contact information and detailed location data” could constitute an unfair and deceptive trade practice under the FTC Act. According to the complaint, EPIC is concerned with proposed changes in the “business practices” of Uber. Specifically, EPIC alleges that “[i]n less than four weeks, Uber will claim the right to collect personal contact information and detailed location data of American consumers, even when they are not using the service.” In its complaint, EPIC cites previous instances of Uber’s “misus[e] of customer data” as a reason for the FTC to investigate Uber’s data collection practices. According to EPIC, “these [business] changes ignore the FTC’s prior decisions, threaten the privacy rights and personal safety of American consumers, ignore past bad practices of the company involving the misuse of location data, pose a direct risk of consumer harm, and constitute an unfair and deceptive trade practice subject to investigation by the [FTC].”
Proposed Plan to Implement Credit Inquiry
Jun. 22: Senator Charles Schumer (D-NY) announced a “new plan that directs the three national credit reporting agencies to implement a ‘credit inquiry alert’ that would immediately notify consumers whenever access to their credit is requested.”
Jun. 27: CNN reported that the DOJ is investigating an ATF executive for his alleged involvement in a possible employee data breach.
Nevada Consumer Reporting Disclosures
On June 11th, Nevada Governor Brian Sandoval (R) signed SB 409, which will “revise provisions governing the disclosure of certain information by a [consumer] reporting agency,” including changes to Nevada’s obsolescence rules. The law amends the state’s current consumer reporting law to read, in relevant part, “[a] reporting agency shall periodically purge from its files and after purging shall not disclose…any other civil judgment, a report of criminal proceedings, or other adverse information, excluding a record of a conviction of a crime, which precedes the report by more than 7 years.” As a result, the law extends the obsolescence for criminal convictions reported by consumer agencies by permitting the disclosure of convictions that precede the consumer report by more than seven years.
Additionally, SB 409 specifically allows gaming operators and employers to conduct more thorough background checks on prospective employees by allowing consumer reporting agencies to prepare a report at the request of the gaming licensee which may include bankruptcy information older than 10 years and certain other potentially adverse information older than 7 years.
The law became effective upon the governor’s signature.
Ban the Box Plus type of Measure
On June 10th, the New York City Council passed Int. No. 318-A, the Fair Chance Act, and Mayor Bill de Blasio (D) is expected to sign the legislation. The bill would affect private employers in New York City by amending the city’s administrative code to prohibit employment discrimination based on one’s arrest record or criminal conviction. Specifically, the bill would, among other things:
- Make it an unlawful discriminatory practice for any “employer, employment agency or agent thereof” to deny employment or take adverse action against any employee due to criminal convictions;
- Make it an unlawful discriminatory practice potentially to deny employment or act adversely with respect to an employee based on an arrest;
- Include Ban the Box language in that an employer cannot make any inquiry, including on any form of application, regarding arrest or criminal accusation which does not lead to a conviction; and
- Require a conditional offer of employment before any inquiry or statement related to a pending arrest or criminal conviction record can be made, and require that, if an adverse employment action is going to be taken, the individual be provided a written analysis for the adverse action akin to an individualized assessment.
Ore. – Ban the Box
On June 25, Oregon Governor Kate Brown signed House Bill 3025, making Oregon the latest state to enact “ban-the-box” legislation. Beginning on January 1, 2016, an employer in Oregon may not require a candidate to disclose a criminal conviction on an employment application or at any time prior to an initial interview. If the employer does not conduct an interview, then the employer may not require the candidate to disclose a criminal conviction prior to making a conditional offer of employment.
The bill is a watered-down version of what lawmakers first proposed. The original House Bill 3025 would have prohibited employers from conducting a background check before a conditional job offer, while the amended and enacted version allows them to discuss a candidate’s criminal record at an interview. The measure passed the House in April by a 33-27 vote, while the Senate approved it by a 21-8 margin in June.
The law provides exceptions:
- where federal, state, or local law (including applicable rules and regulations) requires consideration of a candidate’s criminal history;
- for law enforcement agencies;
- for employers in the criminal justice system; and
- for employers seeking a nonemployee volunteer position.
The state’s Commissioner of the Bureau of Labor and Industries is charged with enforcement authority of the new law. Oregon joins 17 other states that have passed some version of “ban-the-box” legislation.
Georgia Public Records Requirements
Georgia HB 328 goes into effect on July 1, 2015. Of relevance, this bill enacts protections similar to those offered to consumers under Section 613 of the FCRA.
Relevant provisions of the bill are at page 2 and 3 and read as follows:
(b) A consumer reporting agency which furnishes a consumer report for employment purposes and which for that purpose compiles and reports items of information on consumers which are matters of public record and are likely to have an adverse effect upon a consumer’s ability to obtain employment shall:
(1) At the time such public record information is reported to the user of such consumer report, notify the consumer of the fact that public record information is being reported by the consumer reporting agency, together with the name and address of the person to whom such information is being reported; or
(2) Maintain strict procedures designed to ensure that whenever public record information which is likely to have an adverse effect on a consumer’s ability to obtain employment is reported it is complete and up to date. For purposes of this paragraph items of public record relating to arrests, indictments, and convictions shall be considered up to date if the current public record status of the item at the time of the report is reported.
(c) A consumer reporting agency shall be considered to be conducting business in this state if it provides information to any individual, partnership, corporation, association, or any other group however organized that is domiciled within this state or whose principal place of business is within this state.
(d) A consumer reporting agency that provides a consumer report for employment purposes that is in compliance with the federal Fair Credit Reporting Act in existence on March 11, 2015, shall be deemed to have complied with this Code section.
Link to legislation: http://www.legis.ga.gov/legislation/en-US/Display/20152016/HB/328
This bill is part of the Georgia Governor’s efforts to assist the ex-offender community in securing employment. This is in line with the ban the box legislation recently enacted in the State of Georgia applicable to state employment.
Health Data Security
On May 21st, Oregon Governor Kate Brown (D) signed HB 2551 “relating to individually identifiable health information.” Under the law, a health care facility must file with the Oregon Health Authority a “protection of health information report” no later than 120 days following the close of each fiscal year. The report may be in the form of a letter, must be signed by the chief executive officer of the facility and must, among other things:
- State the responsibility of the health care facility’s management to establish and maintain adequate safeguards and procedures for protecting the confidentiality of personally identifiable and protected health information;
- Contain an assurance that there is ongoing evaluation and monitoring of the effectiveness of the safeguards and procedures in protecting the confidentiality of personally identifiable and protected health information; and
- Contain assurances that the signing officer has disclosed to the governing board of the facility:
  - All significant deficiencies in the entity’s recordkeeping systems;
  - Any breaches of the security of personally identifiable and protected health information; and
  - All steps taken to address known deficiencies in the entity’s recordkeeping systems.
Connecticut Data Breach Notification
On June 1st, the Connecticut state House passed SB 949 to “improv[e] data security and agency effectiveness.” The bill previously passed the Connecticut state Senate and awaits action by the governor. The bill would establish new data security and breach notification requirements for state agencies and state contractors. The bill would require, among other things, that a state agency require a state contractor that would have access to “confidential information” to:
- At its own expense, “protect…any and all confidential information that it comes to possess or control, wherever and however stored or maintained, in accordance with current industry standards”;
- Implement and maintain a “comprehensive data-security program for the protection of confidential information”; and
- Limit access to confidential information to the authorized contractor employees with “legitimate interests related to the purpose for which the data was shared by the state contracting agency or as necessary for the completion of the contracted services.”
In the event that a contractor suffered a data breach, the contractor must, among other things:
- Notify the Attorney General as soon as practical, but not later than twenty-four hours after the contractor becomes aware of or suspects that it has suffered a data breach;
- Cease all use of the data provided by the state agency or developed internally by the contractor; and
- Not later than three business days after the breach notification, submit to the state Attorney General and the state contracting agency either a report detailing the breach and steps taken to mitigate its impact, or a report detailing why a breach has not occurred.
Additionally, under the bill, the state’s Secretary of the Office of Policy and Management must establish policies and procedures to protect and ensure the security, privacy, confidentiality and administrative value of data collected and maintained by the executive agencies.
If signed by the governor, the bill would go into effect on July 1, 2015.
Jun. 24: Rep. Donald Beyer (D-VA) introduced HR 2871, which would affect background checks for the selling of firearms “safely and responsibly.”
Jun. 18: Texas Governor Greg Abbott (R) signed SB 206, which will affect background checks for caregivers of foster children.
On June 17, Pennsylvania House members overwhelmingly approved PA House Bill 1276, legislation which, if passed by the Senate, would exempt more people who work or volunteer with children from background check requirements mandated by the 2014 Child Protective Services Law (also known as PA Act 153). The volunteer requirements under the Act become effective July 1, 2015. The act was passed in response to the child sex abuse case against former Penn State assistant coach Jerry Sandusky and scandals involving church clergy.
Unfortunately, the Senate is not expected to pass HB 1276, which limits the scope of, and adds clarification to, who must be screened. The intent of HB 1276 as passed by the House is to make background checks mandatory for volunteers and employees at schools, child care facilities and similar places who have direct and routine interaction with children, rather than all workers and the vast majority of volunteers. HB 1276 also would exempt infrequent volunteers if they work near somebody who has passed the checks. HB 1276 was drafted and passed in the House in response to concerns about the costs and inconvenience the background checks had generated, and was approved by a 180-9 vote in the House.
Pennsylvania Governor Tom Wolf recently took action to waive some background clearance fees for volunteers seeking to work with children. The move cut out the $10 Pennsylvania Child Abuse History Clearance fee and also reduced the Pennsylvania State Police criminal record check from $10 to $8 starting July 25. The $27.50 FBI criminal background check for anyone who has not been a Pennsylvania resident for at least 10 years will remain unchanged.
On June 8th, the Pennsylvania state House Children and Youth Committee reported out HB 1276, which would affect background checks for people who work with children. Specifically, the bill seeks to make background checks less burdensome for organizations that need to conduct checks on individuals who work with children. Under the bill, background checks would apply to a broader scope of positions that work with children, so employees, whether they are paid or unpaid, would not require an additional background check. The bill would also limit checks to positions that have “direct contact with children” and “routine[ly] interact with children.”
The New Jersey state Senate passed S. 524, which would “prohibit employers from obtaining, requiring, or discriminating on the basis of credit reports.”
Data Breach Notification
On June 10th, Oregon Governor Kate Brown (D) signed SB 601, “relating to enforcement of notification requirements for breaches of security involving personal information.” The law will amend the state’s current data breach notification law to expand the definition of “personal information” to include:
- Images of an individual’s fingerprint, retina, or iris;
- A consumer’s health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or
- Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.
Additionally, the law will require a breached entity to directly notify affected consumers in the “most expeditious…time manner possible, and without unreasonable delay.” The breached entity will also have to report the data breach to the state’s attorney general, either in writing or electronically, if the number of affected consumers exceeds 250.
On June 19th, Connecticut Governor Dannel Malloy (D) signed HB 6403, “concerning security freezes on children’s credit reports.” Under the law, “the parent or legal guardian of a minor child may place a security freeze on the credit report of a minor child by submitting a written request to the credit rating agency…and by providing the credit rating agency with proper identification and sufficient proof of authority to act on behalf of the minor child.” After such a request is made, the credit reporting agency must place the security freeze on the credit report of the minor child not later than five business days after receipt of the request. Under the law, a “minor child” is defined as “an individual under eighteen years of age at the time a request for placement of a security freeze is submitted.” Additionally, “sufficient proof of authority” is defined as “documentation showing that a parent or legal guardian has authority to act on behalf of a minor child, including, but not limited to, a court order, an original copy of the minor child’s birth certificate or a written notarized statement expressly describing the authority of the parent or legal guardian to act on behalf of the minor child.” A parent may request the removal of a security freeze on a minor child’s credit report by submitting a written request and sufficient proof of authority to act on the minor child’s behalf. The credit rating agency will then have fifteen days upon receipt of the request to remove the security freeze from the minor child’s credit report.
Home Depot Data Breach
On June 1st, Home Depot, Inc. (Home Depot) urged a federal district court to dismiss a multidistrict litigation over the retailer’s 2014 data breach, arguing that the plaintiffs lack standing. Home Depot’s memorandum in support of its motion to dismiss argues that the plaintiffs have failed to allege any claims of actual financial damages that may be linked to the retailer’s 2014 data breach. Specifically, according to Home Depot, “[a]ll of the claims alleged in the complaint suffer from the same fatal defect found in the vast majority of other breach cases — plaintiffs lack Article III standing because they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot’s alleged conduct.”
In Re: The Home Depot, Inc., Customer Data Security Breach Litigation, No. 1:14-md-02583 (N.D. Ga., June 1, 2015).
Home Depot – Alleged Violation of FCRA
Home Depot USA, Inc. urged a federal district court to dismiss a putative class action alleging that Home Depot violated the FCRA by improperly notifying job candidates of its background check procedures.
Zappos.com Data Breach
On June 1st, a federal district court dismissed a multidistrict litigation against Zappos.com, Inc. over a 2012 data breach that compromised approximately 24 million customers’ names, payment card information, and phone numbers. According to the court, the plaintiffs failed to prove that they faced an immediate threat of actual harm or financial loss. The plaintiffs argued that they had standing based on the increased risk of becoming a victim of identity theft, among other things. However, the court rejected plaintiffs’ argument, stating that “[t]he years that have passed without plaintiffs making a single allegation of theft or fraud demonstrate that the risk is not immediate,” adding that, “[t]he possibility that the alleged harm could transpire in the as-of-yet undetermined future relegates plaintiffs’ injuries to the realm of speculation.”
In re: Zappos.com Inc. Customer Data Security Breach Litigation, No. 2357 (D. Nev., June 1, 2015).
Advocate Health and Hospitals Corp. Data Breach
Jun. 2: An Illinois appellate court affirmed the dismissal of two putative class actions against Advocate Health and Hospitals Corp. over a data breach, ruling that the plaintiffs failed to allege actual injury that resulted from the breach.
On May 27th, a federal district court dismissed a lawsuit filed by a group of for-profit schools challenging regulations that require higher-education institutions to show that their students are paying off their student loans. The Association of Proprietary Colleges (APC) argued that U.S. Department of Education (DOE) regulations set to go into effect on July 1, 2015, will violate private colleges’ procedural due process rights. According to court documents, the regulations will limit federal financial aid funding to institutions whose graduates are making loan repayments at unaffordable debt levels compared to their salaries. The court rejected the APC’s argument, finding that the DOE “has a strong interest in ensuring that students…attend schools that prepare them adequately for careers sufficient for them to repay their taxpayer-financed student loans.”
Customer Data Privacy
On June 5th, the Delaware bankruptcy court granted final approval of RadioShack Corp.’s (RadioShack) $26 million asset sale, which includes the potential transfer of customer data. The approval finalized that Standard General LP (Standard General), which also bought 1,700 of RadioShack’s stores in March 2015, was the winning bidder at RadioShack’s May 2015 bankruptcy asset sale auction. According to the Order, “[t]he debtors and the buyer have agreed to limit the information to be transferred to the buyer…with respect to [personally identifiable information] for which email addresses are available, the buyer will arrange for an email communication to be sent to those persons prior to the transfer.” The asset sale agreement permits RadioShack to sell email addresses provided by customers who had requested product information within the past two years; however, those customers will have an opportunity to opt out before their email addresses are transferred to Standard General.
In re: RadioShack Corp., No. 1:15-bk-10197 (Bankr. D. Del., June 5, 2015).
On June 9th, a plaintiff filed a putative class action lawsuit against Kohl’s Department Stores, Inc. (Kohl’s) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to properly notify prospective employees that it would procure credit reports on them as part of the hiring process. According to the complaint, Kohl’s conducted an improper background check on the plaintiff, which included obtaining the plaintiff’s credit reports, between October 2012 and June 2013. The plaintiff argues that Kohl’s employment application conceals the authorization for such background checks. Specifically, the complaint argues that “[b]ecause the purported disclosures are embedded within extraneous information and are not clear and unambiguous disclosures in stand-alone documents, they do not meet the requirements under the [FCRA].”
Coleman v. Kohl’s Department Stores, Inc., No. 3:15-cv-02588 (N.D. Cal., June 9, 2015).
Plaintiffs filed a putative class action against Avis Budget Car Rental LLC for allegedly violating the FCRA by using consumer reports to make employment decisions without giving the prospective employees sufficient notification.
Plaintiffs filed a putative class action against The Hertz Corp. for allegedly violating the FCRA by failing to properly warn candidates that it would obtain a consumer report on the individual during the hiring process.
Sony Data Breach
On June 15th, a federal district court denied Sony Pictures Entertainment, Inc.’s (Sony) motion to dismiss a lawsuit alleging that the company’s negligence caused its 2014 data breach. In its motion to dismiss, Sony argued that the plaintiffs failed to prove that they suffered any injury as a result of the data breach. The court rejected Sony’s argument, finding that the plaintiffs have adequately supported their negligence claim by offering evidence that the plaintiffs have had to purchase credit monitoring and identity theft protection services following the breach.
Michael Corona et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600 (C.D. Cal., June 15, 2015).
Uber Data Breach
On June 18th, Uber Technologies, Inc. (Uber) urged a federal district court to dismiss a putative class action over a data breach involving approximately 50,000 Uber drivers’ unspecified information. According to its motion to dismiss, Uber argues that the plaintiff failed to show he was harmed from the data breach, stating that the plaintiff claimed only “a laundry list of hypothetical and generic harms.” Specifically, Uber contends that the “[p]laintiff has not alleged that any sensitive personal information was stolen, or that this was a sophisticated, well-planned attack aimed at accessing and misappropriating drivers’ sensitive personal data,” adding that, “[p]laintiff has only alleged, at best, that his name and driver’s license number may have been disclosed to an unknown third party, which simply provides no basis for claiming a tangible injury.”
Sasha Antman v. Uber Technologies, Inc., No. 3:15-cv-01175 (N.D. Cal., June 18, 2015).
Supreme Court Rules in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc.
Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc., decided by the Supreme Court yesterday, held that lawsuits can challenge housing policies or practices based on their disparate impact. Subject to restrictions discussed below, the Court found that housing discrimination claims can be based on the discriminatory effect of a law or practice without needing to show intent to discriminate. While the Supreme Court had not yet weighed in on this question, the Court’s decision matches the nine federal courts of appeals that have considered the question, which may limit the decision’s consequences. The 5-4 decision included a majority opinion by Justice Kennedy and dissents by Justices Thomas and Alito.
The Fair Housing Act (FHA) prohibits housing discrimination, including actions that “otherwise make unavailable or deny, a dwelling to any person because of race, color, religion, sex, handicap, familial status, or national origin.” 42 U.S.C. § 3605(a). Laws permit disparate-impact claims when the text refers to the consequences of actions and not just to the mindset of actors and where a disparate-impact interpretation would be consistent with the law’s purpose. The Court found persuasive that Congress retained the description of housing discrimination in amending the FHA in 1988, despite knowing that all nine Courts of Appeals that had considered the question then had found that the wording permitted disparate-impact claims. Finally, the Court found that recognition of disparate-impact claims was consistent with the FHA’s purpose to “eradicate discriminatory practices within a sector of our Nation’s economy.” Slip Op. at 17.
The latter part of the Court’s opinion set out strong limits on disparate-impact claims under the FHA that will be helpful to those defending against FHA lawsuits. A challenged policy must create “artificial, arbitrary, and unnecessary barriers” to be struck down. Slip Op. at 21. Policymakers should be allowed to explain the valid (non-discriminatory) interests supporting their policies. If practices are necessary to achieve valid interests, the Court indicated that they should be upheld. The Court did not limit the range of acceptable interests but explained that zoning officials could consider cost, traffic patterns, and preserving historic architecture. The Court also limited disparate-impact claims with a “robust causality requirement.” Slip Op. at 20. The Court indicated that courts should quickly dismiss claims that cannot show a causal connection between the policy and the disparity in housing and emphasized that government or a private party’s mere awareness of race would not be sufficient for a claim.
The Supreme Court’s decision does not resolve this case. It will return to the lower court for review. The Texas development tax credit scoring system challenged in the case may survive this review, particularly since the Court described the case as presenting “a novel theory of liability.” Slip Op. at 18.
Wash. – State Database Missing Some Criminal Information Used in Background Checks
Criminal information on thousands of cases is missing from a state database often used to perform background checks for employment and volunteer positions, the state Auditor’s Office said in a report released Monday. The 26-page report said a check of records from 2012 showed a third of the dispositions for charges that were supposed to be entered into the Washington State Identification System (WASIS) are missing. The information missing from the State Patrol-run database includes fingerprints and conviction records for mostly DUIs, third-degree thefts and fourth-degree assaults – all gross misdemeanors, said Thomas Shapley, spokesman for the Auditor’s Office. Eighty-nine percent of the information missing from WASIS stems from misdemeanor cases and the remaining 11 percent is for felony cases, including homicides and rapes, the report said.
Experian Data Breach Resolution Policy Paper Provides Insight into Data Breach Legislation
Experian Data Breach Resolution released a white paper on the current state of data breach legislation that shapes how companies must prepare for and respond to a data breach. In the wake of several recent high-profile data breaches, the discussion around data breaches is heating up, and impending changes have companies waiting for how that will impact their incident response at the state, federal and global levels. Currently, companies face a segmented system of state- and sector-specific data breach laws. At the same time, policymakers in the European Union (EU), Australia and Brazil are considering new approaches to data breach notification that could impact businesses that engage in global commerce.
The New York Times reported that TransUnion executed an initial public offering on the New York Stock Exchange.
On June 19th, Dungarees, LLC (Dungarees), a clothing retailer, reported a data breach involving an undisclosed number of customers’ names and payment card information. According to the breach notice, on May 15, 2015, Dungarees learned that it was a “victim of an illegal hack from a foreign entity.” Dungarees stated that hackers “manipulated” its website, which may have compromised customers’ payment card information during purchases made between March 26, 2015 and June 5, 2015. Dungarees recommends that customers monitor their credit reports and is offering affected customers credit monitoring and identity protection services for one year at no cost.
On June 12th, Krebsonsecurity.com reported that Fred’s, Inc. (Fred’s), a discount general merchandise and pharmacy chain, is investigating a potential data breach involving an undisclosed number of customers’ payment card information. According to Krebs, Fred’s operates 650 stores in more than twelve states. Krebs reported that it is “unclear how many Fred’s locations were affected, but…the pattern of fraudulent charges [can be] traced back to Fred’s stores across the company’s footprint in the midwest and south.” Krebs obtained a statement from Fred’s, stating that it “recently became aware of a potential data security incident and immediately launched an internal investigation to determine the scope of the issue.” According to the statement obtained by Krebs, Fred’s hired an outside third-party forensics firm to examine its data security systems.
On June 5th, Eataly NY LLC (Eataly) reported a data breach involving an undisclosed number of customers’ payment card information. According to the breach notice, “criminals” hacked Eataly’s network systems and installed malware designed to capture customers’ payment card data during transactions. Eataly states that only its New York retail location suffered the breach and that the affected period is from January 2015 to April 2015. Since learning of the incident, Eataly removed the malware from its point-of-sale (POS) systems and “additional security measures have been put in place” to further secure the POS systems. Eataly will contact affected individuals and recommends that customers who shopped at the store during the affected period monitor their bank account activity. Eataly is offering affected individuals credit monitoring and identity theft services for one year at no cost.
On June 3rd, AeroGrow International, Inc. (AeroGrow) reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information. According to the breach notice, on May 5, 2015, AeroGrow learned that a “hacker” may have used malicious software to gain access to its online servers. The affected period, according to AeroGrow, is October 2014 to April 2015. Upon learning of the incident, AeroGrow hired outside third-party experts to investigate the incident and remove the malicious code that permitted the hackers to gain access to the servers. AeroGrow is offering affected customers credit monitoring and identity theft services for one year at no cost.
On May 29th, Beacon Health System (Beacon) reported a data breach involving an undisclosed number of individuals’ names, Social Security numbers, birthdates, and certain medical information. According to the breach notice, on March 25, 2015, Beacon discovered unauthorized access to email accounts of some of its employees. Beacon notes that the affected period is between November 2013 and January 2015. Upon learning of the incident, Beacon notified the Federal Bureau of Investigation and the Department of Health and Human Services, as well as state regulators. Based on an investigation, Beacon reported that there is no evidence that patient information was accessed or misused. However, Beacon recommends that individuals monitor their credit report and is offering affected individuals credit monitoring and identity theft services for one year at no cost.
On May 28th, Sally Beauty Holdings, Inc. (Sally) confirmed a data breach involving an undisclosed number of customers’ names and payment card information. On May 4th, the company reported that it was investigating a possible data breach (previously reported). According to Sally’s statement confirming the data breach, “criminals used malware believed to have been effectively deployed on some of its point-of-sale systems at varying times between March 6th and April 17th, 2015.” Since learning of the breach, Sally removed the malware from its point-of-sale systems. Sally is offering affected customers credit monitoring services for an unspecified period at no cost.
Federal Government Data Breach
On June 4th, the U.S. Office of Personnel Management (OPM) reported a data breach involving up to four million current and former government employees’ unspecified personally identifiable information. According to the breach notice, in April 2015, OPM detected a “cyber-intrusion affecting its information technology systems and data.” Upon learning of the incident, OPM partnered with the U.S. Department of Homeland Security and the Federal Bureau of Investigation to investigate the incident. Since the intrusion, OPM has implemented “additional network security precautions,” including a review of all connections to ensure that only legitimate business connections have access to the internet and deploying anti-malware software across the network to protect and prevent the deployment or execution of tools that could compromise the network. OPM states that it will send notifications to approximately four million individuals who may have been affected by the breach. OPM recommends that, among other things, individuals monitor their financial account statements and is offering affected individuals credit monitoring and identity theft protection services for 18 months at no cost.
City Law – Challenge for Employers
The decision by Los Angeles officials to increase the minimum wage in the city to $15 an hour by 2020 is just another example of a growing trend of municipal activism in the area of employment law. Let’s be clear: This is a new phenomenon and a big problem for employers. Multistate employers must already comply with a robust body of federal law on everything from discrimination to wage and hour requirements. And they must also follow the varying laws of 50 states, which address these same issues in different ways. And because cities across the country from Tacoma, Wash., to Trenton, N.J., are also passing local ordinances that impact employers in areas like paid sick leave and minimum wage, employers now have to comply with three levels of regulation and the added complexity that comes with it.
Ontario is introducing new legislation that would, if passed, eliminate unnecessary barriers to employment, education and volunteer opportunities resulting from the inappropriate release of non-conviction or mental health information disclosed during a police record check. The new standards for police record checks will implement the advice of the Minister’s Table on Policing and Civil Liberties and will build on the consensus achieved through the creation of the 2014 Law Enforcement and Records Managers Network (LEARN) Guideline. The guideline was developed by a broad spectrum of policing, civil liberties, human rights, community safety, mental health, and non-profit groups in Ontario in response to concerns about the lack of standardization of police record checks. The proposed Police Record Checks Reform Act, 2015, to be introduced today, would set the province’s first clear, consistent and comprehensive set of standards for how police record checks are requested, conducted, and disclosed.
Canada Data Breach Notification
On June 18th, Canada’s Bill S-4, the Digital Privacy Act, went into effect, which amends the country’s Personal Information Protection and Electronic Documents Act (PIPEDA) to require data breach notification. Specifically, section 10 of the law adds a clause to the PIPEDA that requires companies that suffer a data breach, producing a “real risk of significant harm” to one or more individuals, to take certain breach notification measures, including:
- Reporting the incident to the Privacy Commissioner of Canada;
- Notifying affected individuals of the breach and of any steps they can take to minimize harm, with sufficient detail so that individuals understand the significance of the breach to them;
- Notifying any other organizations or government entities of the breach if it believes that such action may reduce the risk of harm; and
- Maintaining a record of every security data breach and making such records available to the Privacy Commissioner on request.
Under the law, “real risk of significant harm” may be determined by examining, among other things, the sensitivity of the personal information exposed in the data breach. Additionally, “significant harm” is defined as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damages to or loss of property.” The law exempts companies that disclose customer personal information if the disclosure is part of a business transaction and the company receiving the data uses it solely for purposes of the business transaction.
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445.