Federal Developments
FBI Database
On June 1st, Uber Technologies, Inc. (Uber), Lyft, Inc. (Lyft), and various advocacy groups sent a letter to the U.S. Department of Justice (DOJ) in opposition to the Federal Bureau of Investigations’ (FBI) recently announced “Next Generation Identification” (NGI), a database of fingerprints, iris scan, photos, and other biometric information. Specifically, the groups take issue with the FBI’s request to exempt the database from certain privacy rules that give people access to their information. According to Alvaro Bedoya, Director of the Center on Privacy and Technology, “The FBI has a responsibility to make the [Next Generation Identification] database as transparent as possible. Instead, the FBI is trying to cloak that database in secrecy and legal immunity. This is a serious mistake.” In addition to the ridesharing companies, the letter was signed by groups like the American Civil Liberties Union and the Electronic Frontier Foundation. The groups point out that exempting the database from certain privacy rules is especially problematic from a discrimination perspective, as “some of the biometrics at the core of NGI, like facial recognition, may misidentify African Americans, young people, and women at higher rates than whites, older people, and men respectively.” Uber and Lyft have taken an interest in the database because of the recently passed city laws mandating that the companies use fingerprint-based background checks. In a recent blog post, Uber Chief Security Officer Joe Sullivan wrote, “We believe the right path forward is to continue to improve the level of transparency and accountability that’s built-into our service and the processes available for screening drivers.”
http://thehill.com/policy/technology/281791-uber-and-lyft-among-those-hitting-fbi-for-fingerprint-photos-database
Morgan Stanley Data Breach
The Hill reported that the SEC fined Morgan Stanley $1 million for failing to adequately protect customer information that was stolen in a data breach.
http://thehill.com/policy/cybersecurity/282712-morgan-stanley-to-pay-1m-sec-fine-for-data-breach
Cybersecurity Information Sharing Act
On June 15th, the Department of Homeland Security (DHS) and the Department of Justice (DOJ) released final guidance for the Cybersecurity Information Sharing Act (CISA). CISA, which was included in the 2016 omnibus budget bill, establishes a framework for the private and public sector to enhance cybersecurity information sharing practices to better combat cyber threats. Specifically, the legislation provides incentives for business to share data on hackers with the government. The legislation tasks DHS and DOJ with developing guidance for how nonfederal entities can share cyber threat information with the government without compromising privacy or civil liberties. According to the agencies’ final guidance, non-federal entities can only share information that “is directly related to and necessary to identify or describe a cybersecurity threat.” The guidance lists several types of “protected information” that should not be shared, which includes Protected Health Information; Human Resource Information; Consumer Information/ History, which may include credit information covered by the Fair Credit Reporting Act; Education History; Financial Information; identifying information related to an individual’s property holdings; or identifying information of children under 13 years old subject to the Children’s Online Privacy Protection Act. The guidance also addresses how to share cyber threat information with the government, as well as details several legal and regulatory exemptions when sharing cyber threat indicators. For instance, businesses will be exempt from antitrust laws and certain federal and state disclosure laws when sharing cyber threats with the government.
https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec%20105%28a%29%29.pdf
Court Cases
Kroger Employees v Equifax
IAPP reported that a group of Kroger employees have filed a lawsuit against Equifax alleging that the credit reporting company failed to adequately safeguard their information following a data breach.
https://iapp.org/news/a/kroger-employees-file-class-action-against-equifax-over-w-2-breach/
Anthem Data Breach
On May 27th, a California federal judge ruled that most of the claims in the multidistrict litigation against Anthem, Inc. (Anthem) can continue. In 2015, Anthem announced a data breach that reportedly compromised approximately 80 million customers’ names, birthdates, Social Security numbers, and income data. In addition to customer data, Anthem employee data was also accessed. The judge previously dismissed several claims against the company, but plaintiffs amended their complaint. The judge accepted the plaintiffs’ arguments that the company had promised to protect customer’s personally identifiable information, allowing consumers to recover damages for “lost benefit of the bargain, loss of value of their personal information, and out-of-pocket expenses dealing with the aftermath of the breach…” The judge also accepted the plaintiffs’ claim that they never would have used Anthem’s services had they known about their allegedly poor data security practices. Specifically, the judge ruled that plaintiffs can proceed with their breach of contract, unjust enrichment and unfair competition claims. In re Anthem, Inc. Data Breach Litigation, case number 5:15-md-02617, in the U.S. District Court for the Northern District of California.
Advance Auto Parts Data Breach
On June 7th, Advance Stores Company, Inc. urged a Louisiana federal court to dismiss a proposed class action seeking remedies for employees whose information was exposed to criminals during a data breach. In Advance Auto Parts’ motion to dismiss, the company argued that no employee has demonstrated “actual harm” or “concrete injury, ” citing the Spokeo Supreme Court decision. The company dismissed the plaintiffs’ argument that the stolen information could potentially be used for future acts of identity theft, stating, “Theoretical future injury – and voluntary costs to counter the risk of that theoretical injury – is the gravamen of this case.” One plaintiff claimed that his personal information was used to secure vehicle financing without his knowledge, but Advance argued that the plaintiff failed to prove how the identity theft was “proximately caused by Advance.” The company also emphasized that it had taken preventative measures to ensure the safety of their employees’ information after they were informed of the data breach, offering credit monitoring services for two years. Bradix v. Advance Stores Co. Inc., case number 2:16-cv-04902, in the U.S. District Court for the Eastern District of Louisiana.
Waffle House /Background Screening Matter
On June 13th, Waffle House, Inc. was unsuccessful in its motion to dismiss a proposed class action accusing the company of violating the Fair Credit Reporting Act. The complaint alleges that Waffle House conducted background checks on employees using public information without properly notifying candidates. The plaintiff accuses the company of denying him a job based upon a report supplied by The Source for Public Data, LP (Public Data). Public Data is not a consumer reporting agency, and advertises itself has providing a “fast and cheap alternative” by offering companies publicly available information on consumers. The plaintiff also accuses Waffle House of failing to provide him with a copy of the report. The company denied that it ever provided a report on the plaintiff, claiming that it has “no recollection or record of such a search.” The judge ruled that a reasonable juror could determine that the company had in fact used Public Data’s services for the plaintiff’s application, leading him to deny Waffle House’s motion to dismiss. William G. Jones v. Waffle House Inc. et al., number 6:15-cv-01637, in the U.S. District Court for the Middle District of Florida, Orlando Division.
On June 6th, a proposed class of Waffle House, Inc. job candidates filed a motion for class certification in Fair Credit Reporting Act (FCRA) litigation against the company. According to the complaint, Waffle House failed to disclose to candidates that it was conducting a background check, as well as failed to provide adverse action notices. The plaintiffs also take issue with third-party contractor hired by Waffle House to conduct the background checks, Public Data, which does not consider itself to be a consumer reporting agency (CRA) subject to the FCRA, making it a “fast and cheap alternative.” According to the plaintiffs’ latest motion, even though Public Data does not consider itself a CRA, the company “is aware that its customers use its reports for employment purposes and has specifically advertised to this demographic.” The motion also states that, “Waffle House knew that by using Public Data to run background checks it was playing fast and loose with the FCRA.” William G. Jones v. Waffle House Inc. et al., number 6:15-cv-01637, in the U.S. District Court for the Middle District of Florida, Orlando Division.
Petco Animal Supplies
June 13: Petco filed a motion to dismiss a proposed class action accusing the company of violating the Fair Credit Reporting Act (FCRA), citing the Supreme Court’s recent ruling in Spokeo, Inc. v. Robins. The lawsuit was brought by a former Petco employee and a Petco job candidate who accuse the company of violating the FCRA by failing to follow disclosure requirements for credit checks. Specifically, the plaintiffs claim that the company willfully hid the disclosure, as well as failed to provide job candidates the opportunity to dispute the findings of the background report. Petco argues in its latest motion that the case should be dismissed because the plaintiffs have not demonstrated actual harm and therefore do not have standing based on the Supreme Court’s Spokeo ruling. According to Petco, “In short, Plaintiffs’ complaint is full of vague, conclusory allegations without any merit or substance. This is precisely the type of complaint the United States Supreme Court has held fails to satisfy the requisite pleading standards.” Jacklyn Feist et al v. Petco Animal Supplies Inc., et al., case number 3:16-cv-01369, in the U.S. District Court for the Southern District of California.
On June 7th, a putative class action accused Petco Animal Supplies, Inc. (Petco) of hiding authorizations for credit checks on its job applications. The plaintiffs accuse the company of violating the Fair Credit Reporting Act (FCRA) by failing to follow disclosure requirements for credit checks. The lawsuit was filed by a former Petco employee and a Petco job candidate who was denied a position due to their credit report. The complaint accuses the company of willfully hiding the disclosure, stating, “By embedding its purported disclosure in an employment application and including extraneous information within and around the disclosure, defendant disregarded well established case law and regulatory guidance from the FTC.” In addition, the complaint alleges that Petco failed to notify one of the plaintiffs that did not receive the job as a result of the credit check and failed to provide them with the opportunity to dispute any potential errors on the credit report. Jacklyn Feist et al. v. Petco Animal Supplies Inc., case number 3:16-cv-01369, in the U.S. District Court for the Southern District of California.
Experian
On June 21st, a New Jersey federal judge granted summary judgment to Experian Information Solutions, Inc. (Experian) in a Fair Credit Reporting Act (FCRA) lawsuit against the company. The plaintiffs originally alleged that Experian violated the FCRA by erroneously including two consumers’ Chapter 13 bankruptcies in their credit reports. The plaintiffs also claimed that Experian failed to correct their reports even after submitting a dispute form and that the name of one of the plaintiffs was misspelled. However, U.S. District Judge Renee Marie Bumb rejected the plaintiffs’ arguments, writing in her order that, “the problem with plaintiffs’ contentions that two supposed unnamed individuals are filing bankruptcies on their behalf- including the use of Plaintiffs’ correct identifying information, the paying of filing fees on their behalf, the attendance of credit counseling on their behalf, and live appearances in bankruptcy court- is not that they are bizarre. Instead, the problem with plaintiffs’ counsel’s actions in this proceeding is that he has seen fit to pursue these fanciful and farfetched claims…” The Judge also noted that the fact that the plaintiffs failed to submit a sworn document in support of their claim that the bankruptcies did not belong to them “speaks volumes and highlights the nakedness of the allegations.” Glenn M. Williams v. Experian Information Solutions Inc., case number 1:14-cv-08115, and Lorissa Williams v. Experian Information Solutions Inc., case number 1:14-cv-08116, in the U.S. District Court for the District of New Jersey.
State Developments
Louisiana Ban the Box
Background Screening On June 9th, Governor John Bel Edwards of Louisiana signed H.B. 266, which prohibits the use of certain questions regarding criminal history on initial job application forms for state employment. Governor Edwards enthusiastically supported the measure, stating, “This bill is a common-sense approach to building the diverse and competitive workforce we need in Louisiana and finding ways for previously incarcerated individuals to reintegrate into that workforce.” The bill was also supported by the National Employment Law Project which has encouraged state legislatures to pass “ban the box” laws. The measure does not prohibit the use of criminal history in hiring decisions, but prevents state employers from considering criminal history until after “the prospective employee has been given an opportunity to interview for the position” or “after the prospective employee has been given a conditional offer of employment.” The bill defines state employers as any organizational unit of the State of Louisiana. When considering criminal history, state employers are required to consider the amount of time that has passed since the criminal conduct, the specific duties required by the position of employment, and the “nature and gravity of the criminal conduct.” The bill contains exemptions to the criminal history protections for law enforcement positions or any position that is legally required to conduct a criminal background check. The law will go into effect on August 1st, 2016.
http://www.legis.la.gov/legis/ViewDocument.aspx?d=1011207 and
http://www.nola.com/politics/index.ssf/2016/06/ban_the_box_louisiana_1.html
Connecticut Bans the Box
On June 1, 2016, Connecticut Governor Dan Mallory signed the Fair Chance Employment Act (CT HB 5237) into law. The Act, a “ban-the-box” statute, prohibits covered employers from inquiring about a prospective employee’s prior arrests, criminal charges, or convictions on an initial employment application. Under the Act, “employers” are broadly defined to mean “any person engaged in business who has one or more employees, including the state or any political subdivision of the state.”
While the law generally prohibits employers from inquiring into candidates’ prior criminal history on initial employment applications, it does provide two exceptions if:
- The employer is required to do so by an applicable state or federal law; or
- A security or fidelity bond or an equivalent bond is required for the position.
Once the initial application has been completed, employers may then inquire into candidates’ criminal histories (e.g., during an interview). The Connecticut Labor Commissioner’s Office is tasked with reviewing complaints that may be filed by individuals alleging an employer’s violation of the law. The law does not provide aggrieved individuals with a private right of action against a covered employer.
The law also updates the already existing requirements for consumer reporting agencies (CRAs) that provide consumer reports used for employment purposes. Each CRA that issues a consumer report to be used for employment purposes and that includes criminal history information concerning a consumer must:
- At the time the CRA issues a report to a person other than the consumer who is the subject of the report, the CRA must provide the consumer who is the subject of the consumer report (i) notice that the CRA is reporting such information, and (ii) the name and address of the person to whom the consumer report is being issued; and
- Maintain procedures designed to ensure that any criminal history information reported is complete and up-to-date as of the date the consumer report is issued.
The new law will become effective on January 1, 2017.
Vermont Ban the Box Update
On May 10, 2016, the State of Vermont enacted its own “ban-the-box” statute which prohibits all Vermont employers in the state from inquiring about an candidate’s criminal history on an initial employment application. Pursuant to the Act, employers may inquire about criminal history during an interview or “once the prospective employee has been deemed otherwise qualified for the position.” The law establishes several exceptions to the ban-the-box prohibition, namely if the candidate is applying for a position that any federal or State law or regulation creates a mandatory or presumptive disqualification based on a conviction for one or more types of criminal offenses, or if the employer or an affiliate of the employer is subject to a legal obligation (either federal or State) not to employ an individual who has been convicted of one or more types of criminal offenses. In either situation, the questions on the application form must be limited to the types of criminal offenses creating the disqualification or obligation. If an employer inquires about an candidate’s criminal history, the candidate must be given the chance to explain the information and the circumstances regarding any convictions, including post-conviction rehabilitation that may be relevant. Any violations of the new law, which becomes effective on July 1, 2017, are punishable by a civil penalty of up to $100 per violation.
Alaska Security Freeze Bill
On June 20th, Governor Bill Walker of Alaska signed S.B. 121, introduced by Senator Kevin Meyer, which amends the Personal Information Protection Act to permit parents, legal guardians, or conservators to request a consumer credit report security freeze on behalf of a minor, incapacitated person, or protected person under their legal care. If a minor does not already have an existing credit report the law requires companies to generate a credit report in order to place a security freeze. The law borrows existing state definitions of conservator, incapacitated person, protected person, and minor. Senator Meyer claimed that the bill was necessary for consumer protection, stating, “According to a 2012 Child Identity Theft Report, children are 35 times more likely to be subject to identity theft than adults, increasing the possibility that a parent or the minor would not catch such a crime until reported to a collection agency…” Senator Meyer also claims that “11 other states have passed or are in the process of passing legislation to do the same.”
http://www.legis.state.ak.us/basis/get_bill.asp?session=29&bill=SB121
Uber Background Screening
On June 21st, Uber Technologies, Inc. (Uber) announced its support for a New Jersey Senate bill that would establish statewide safety standards for ride-sharing businesses so long as a fingerprinting requirement is not added to the measure. New Jersey Senate Bill 2179 was introduced by Paul Sarlo (D-Bergen) and Joe Kryillos (R-Monmouth) and is intended to unify requirements for ride-sharing companies across the state with regards to background checks, driver tracking, fees, and insurance liability coverage. The bill would also authorize the New Jersey Motor Vehicle Commission and the Division of Consumer Affairs to oversee compliance. The bill was recently amended by the Senate Budget and Appropriations Committee to instruct the Attorney General to submit proposed rules regarding the type of background checks that should be conducted for all ride-sharing drivers. In response to the amendment, Uber released a statement saying, “The Senate has recognized the need to pass statewide ride-sharing regulation that keeps Uber in New Jersey. We support the Senate’s proposal even though it requires major compromises on our part. We don’t want to prejudice the Attorney General’s work, but the bottom line is that any fingerprinting requirement would force Uber out of New Jersey.” Uber has left several cities that have adopted fingerprint background check requirements, most recently in Austin, Texas.
http://www.pressofatlanticcity.com/news/uber-ok-with-new-jersey-attorney-general-deciding-onbackground/article_8d01a9ba-37c5-11e6-a7d3-a76c878e072c.html
On June 15th, former Attorney General Eric Holder sent letters to local and state regulators in defense of Uber Technologies, Inc.’s (Uber) background screening policies. The letters were sent to Atlanta Mayor Kasim Reed, Deputy Majority Leader of the New Jersey Senate Paul Sarlo, and Chicago Alderman Anthony Beale. Holder is currently employed by the law firm Covington & Burling, which maintains Uber as a client. The letters urged local regulators against introducing requirements that would compel Uber to conduct fingerprint-based background screenings. Holder argued that fingerprint-based background screenings would have a discriminatory impact on communities of color and “impose unnecessary burdens on individuals reentering society.” Holder also argued that the Federal Bureau of Investigation’s (FBI) Criminal Justice Information System (CJIS) was never intended for employment usage, claiming, “It was not designed to be used to determine whether or not someone is eligible for a work opportunity. Relying on it for that purpose is both unwise and unfair.” The letter also emphasizes that using CJIS would only reflect job candidates’ arrest records and not whether individuals were charged or convicted of a crime. Uber continues to advocate for “name-based background screening, ” which it argues has appropriate protections for job candidates.
http://thehill.com/policy/technology/283662-eric-holder-goes-to-bat-for-uber
International Developments
UK Data Protection
On June 23rd, the United Kingdom voted to leave the European Union (EU) in a referendum. Privacy professionals have largely speculated that the United Kingdom’s exit from the EU would not significantly affect the country’s privacy and data protection laws. Cybersecurity Online hypothesized that the country will presumably maintain the General Data Protection Regulations (GDPR) because it will be implemented before the United Kingdom leaves the EU. According to Article 50 of the Lisbon Treaty, the United Kingdom will be subject to EU treaties for two years after it declares its intention to exit. This process has been further delayed by Prime Minister David Cameron’s resignation, which means that October 2018 is the earliest date when the United Kingdom is not subject to EU data protection laws. This could allow the EU-U.S. Privacy Shield to be fully implemented before the United Kingdom leaves the EU.
http://www.csoonline.com/article/3088212/data-protection/why-the-uks-vote-to-leave-the-eu-will-have-little-effect-on-its-data-protection-rules.html
Privacy Shield
On June 24th, Reuters reported that the European Union (EU) and United States sent a revised version of the EU-U.S. Privacy Shield agreement to member countries. The revised version contains measures to restrict American surveillance of EU citizens. European Commission officials have stated that the new draft will include “a number of additional clarifications and improvements” to the principles that businesses have to follow when they comply with the agreement. Unnamed sources informed Reuters that the vote on the proposed agreement will be held in early July.
http://www.reuters.com/article/us-eu-dataprotection-usa-idUSKCN0ZA1QT
On May 30th, European Data Protection Supervisor (EDPS) Giovanni Buttarelli released his formal opinion on the draft EU-U.S. Privacy Shield. As expected, Butterelli was critical of the agreement, expressing concerns that it will not withstand “legal scrutiny.” Buttarelli also noted that while it was an improvement on the previously invalidated data transfer agreement, “progress compared to the earlier Safe Harbor Decision is not in itself sufficient.” Buttarelli noted that Privacy Shield permits several limitations based on national security and law enforcement, as well as limitations “if a statute, regulation or case law creates conflicting obligations or explicit authorizations, without any limitation on the purpose of such access.” Buttarelli notes that such limitations are the reason that the European Court of Justice struck down Safe Harbor in the first place. Buttarelli recommends strengthening the redress and oversight provisions of the agreement. According to the opinion, “the role of the Ombudsperson should also be further developed, so that she is able to act independently not only from the intelligence community but also from any other authority.” Buttarelli also expressed concerns about potential inconsistencies between Privacy Shield and the General Data Protection Regulation. Many are seeing the EDPS opinion as another sign that the agreement will not hold up and that further negotiations between the European Union and the U.S. are necessary
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2016/16-05-30_Privacy_Shield_EN.pdf
EU-U.S. Data Transfer
On June 13th, Austrian privacy advocate Max Schrems announced that the U.S. Department of Justice (DOJ) is attempting to intervene in his ongoing legal dispute with Facebook, Inc. (Facebook) before the Irish High Court. The case revolves around Facebook’s use of model clauses to transfer data out of the European Union (EU) following the European Union Court of Justice’s (CJEU) invalidation of the Safe Harbor agreement. Schrems argues that the use of model clauses “does not remedy the fact that Facebook is still subject to US mass surveillance laws and programs, which the CJEU already found to be conflicting with EU law.” According to a report from Ars Technica, Schrems believes that DOJ will file an amicus curiae (friend of the court) brief in order “to defend its surveillance laws before the European Courts.” Schrems’ press release also indicates that the American Chamber of Commerce and the Business Software Alliance will attempt to file their own briefs in support of Facebook. The outcome of the case will likely have a significant impact on the U.S.-EU Privacy Shield Agreement.
http://arstechnica.co.uk/tech-policy/2016/06/eu-facebook-schrems-case-us-government-amicus-curiae/
Umbrella Agreement
On June 2nd, the Department of Justice (DOJ) issued a press statement on the meeting between the United States Attorney General Loretta Lynch and several government ministers of the European Union (EU). Their meeting focused on the “commitment to closer cooperation, especially in the context of evolving and shared challenges that affect the security and rights of citizens on both sides of the Atlantic.” The press statement announced the signing of the “Umbrella Agreement, ” which regulates the transfer of personal data between the U.S. and EU for criminal investigations, labelled as a “major step forward for EU-US relations.” The Umbrella Agreement will be sent to the European Parliament while awaiting approval. In a speech made at Leiden University, Attorney General Lynch referred to the Umbrella Agreement as a sign, “Which shows our joint commitment to protect both the safety and the privacy of our citizens on both sides of the Atlantic.”
https://www.justice.gov/opa/pr/joint-eu-us-press-statement-following-eu-us-justice-and-home-affairs-ministerial-meeting
Safe Harbor
On June 6th, Hamburg Data Commissioner Johannes Caspar announced that his office has fined three companies for failing to update their data transmission practices in light of the invalidation of the Safe Harbor agreement between the European Union (EU) and the U.S. In October 2015, the European Court of Justice struck down the fifteen year old data sharing agreement, finding that it did not adequately protect European citizen’s data, especially with regards to U.S. surveillance activities. According to a report from Reuters, the German data commissioner fined Adobe Systems, Inc., Punica (a subsidiary of PepsiCo), and Unilever, N.V. a total of $32, 000 for illegally transmitting data to the U.S. in accordance with the outdated agreement. The fines are the result of the Commissioner’s investigation of 35 different companies’ data transmission policies. When it was discovered that the three companies were not in compliance, they promptly resolved the issues. In a statement, Caspar said, “That the companies did eventually create a legal basis for their transmissions was considered favorably in the level of the fines. A stricter standard will certainly be applied to any future violations.”
http://www.reuters.com/article/us-germany-dataprotection-usa-idUSKCN0YS23H
State of International Data Laws and Privacy Regulations
June 2: IAPP published an article on the current state of international data laws and privacy regulations.
https://iapp.org/news/a/untying-the-global-dataflows-mess/
German Privacy Regulator
The Hill reports that a German privacy regulator issued fines to three companies for continuing to operate under the invalidated Safe Harbor agreement.
http://thehill.com/policy/cybersecurity/282453-germany-privacy-regulator-fines-adobe-others-over-defunct-data-transfer
(U.K.) Criminal Convictions
There is nothing to prevent an employer from asking prospective employees about their criminal record history during the recruitment process, although ideally, this should be done once a successful candidate has been chosen and the employer wishes to offer employment subject to satisfactory background checks in order to ensure compliance with the Data Protection Act 1988. Although voluntary disclosure might be the easiest way of asking about a person’s criminal record, the following should be borne in mind:
- While an employer may ask about a person’s criminal record, the candidate is entitled not to disclose spent convictions (unless the vacancies satisfy the Exceptions Order). If the vacancy is not covered by the Exceptions Order and the candidate inadvertently discloses the existence of spent convictions, the employer is not permitted to act on this information.
- There is no guarantee that the answers are honest and, unless the employer is going to carry out a DBS check (which they may not be legally entitled to do) there will be no way of verifying this information.
http://www.lexology.com/library/detail.aspx?g=5c4cd8ec-46d3-4a34-bec6-dacd0fceb5c5
GDPR consent model
IAPP published a blog post on the subtle differences between “explicit” and “unambiguous” under the GDPR’s consent model
https://iapp.org/news/a/lee-gdpr-consent-models-have-subtle-differences/
Miscellaneous
Google
Nextgov reports that Google has launched a new program known as “Project Abacus, ” which will eliminate traditional passwords and allow Android smartphones to identify users based on their typing, location, facial recognition and other biometric markers.
http://www.nextgov.com/cybersecurity/2016/06/google-plans-kill-passwords-tech-scandinavia-way-ahead-it/128721/?oref=ng-channeltopstory
PCI DSS Letter
On June 2nd, the National Retail Federation (NRF) sent a letter to the Federal Trade Commission (FTC) requesting that the agency investigate the Payment Card Industry Data Security Standards (PCI DSS) for violations of anti-trust laws. The NRF accuses the PCI DSS of failing, “to meet any of the principles adopted by the federal government for voluntary standard-setting organizations.” The complaint also criticizes the data security standards of the PCI DSS, stating, “We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector.” The FTC is currently collecting information on payment card data security compliance, which the NRF fears will lead them to adopt the PCI DSS as an example of “best-practices.” The NRF also criticizes the organizational structure of PCI, stating, “PCI is not an open organization built on consensus or maximizing results. PCI is a proprietary organization formed and controlled by a single industry sector – the major card networks (e.g., Visa, MasterCard) – with motivations that conflict with the interests of businesses and consumers who use the payment card system, including retailers and their customers. Further PCI’s standards are not voluntary. Instead, they are set by networks with market power and are forced upon business owners that cannot refuse to accept credit and debit cards.” The letter was also sent to leaders of the Senate Commerce Committee and House Energy and Commerce Committee.
False Data Breach Reports
On June 2nd, KrebsOnSecurity.com reported that the cloud storage service Dropbox, Inc. (Dropbox) was falsely accused of being the victim of a data breach. The rumor was started when a Dropbox user posted a comment on the Dropbox Community Forum claiming that his identity monitoring service had contacted him in regards to his Dropbox username and password being discovered on several black market websites. After investigating the user’s claims, KrebsOnSecurity discovered that LifeLock, Inc. had sent security alerts to Dropbox users. Dropbox has continued to deny that any data breach took place, stating, “An initial investigation into these reports has found no evidence of Dropbox accounts being impacted. We’re continuing to look into this issue and will update our users if we find evidence that Dropbox accounts have been impacted.” KrebsOnSecurity discovered that the data security alert was a false positive caused by usernames and passwords being reused by consumers for different services.
http://krebsonsecurity.com/2016/06/dropbox-smeared-in-week-of-megabreaches/
Data Breach
On June 27th, the Hard Rock Hotel & Casino in Las Vegas (Hard Rock) announced that it had suffered a data breach after “receiving reports of fraudulent activity associated with payment cards used” at the resort. The data breach was caused by malware that was discovered on the company’s card processing software. The data breach exposed cardholder names, numbers, expiration dates, and internal verification codes. Hard Rock claims that the data breach occurred between October 2015 and March 2016. The company encouraged customers to review their credit reports, monitor their accounts for unauthorized activity, and potentially issue security freezes. The investigation began on May 13th, 2016 according to the company’s data breach notification filed with the California Attorney General’s office.
June 17: IAPP reported that Verizon’s 2016 Data Breach Investigations Report found that over 63% of recent data breaches can be attributed to weak passwords.
https://techcrunch.com/2016/06/16/how-data-thieves-hook-victims-and-how-to-beat-them/
On June 3rd, KrebsOnSecurity.com reported that CiCi’s Pizza, Inc. (Cici’s), a nationwide fast-food restaurant chain with over 500 locations, suffered a data breach which exposed consumer credit card information to computer hackers. Brian Krebs was first notified of the data breach after several banking industry sources discovered a “pattern of fraud” on cards that were used at Cici’s locations within the past few months. Upon investigating, Krebs discovered that the
data breach might be related to Cici’s point-of-sale provider, Datapoint Co. (Datapoint). The investigation also revealed that the hackers may have accessed the payment card information by impersonating Datapoint technicians.
http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/
Enterprise Security Score
On June 14th, The Wall Street Journal reported that Fair Isaac Corp., the company that produces FICO credit scores, has purchased cybersecurity firm QuadMetrics, Inc. (QuadMetrics). QuadMetrics helps companies understand their network’s security risks by analyzing over 250 data points and inputting the information into predictive risk models based on a database of past breaches and cyberincidents. According to the report, FICO will use QuadMetrics’ expertise in order to develop an “enterprise security score, ” which will provide chief information officers and other information technology professionals an “easy-to-understand” metric to gauge digital risks. Doug Clare, FICO’s Vice President of Cybersecurity Solutions, issued a statement on the acquisition, saying, “Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk.”
http://blogs.wsj.com/cio/2016/06/14/fico-to-offer-enterprise-security-scores/
Cost of a Data Breach
On June 15th, the Ponemon Institute released a report, entitled, “2016 Cost of Data Breach Study: United States.” The report found that the average cost of a data breach rose to $7.01 million, reflecting an increase of 7% since last year. The study highlights several “megatrends, ” finding that the largest cost associated with data breaches is lost business. The report advocates for the cost of data breaches to be viewed as a permanent expense factored into data protection strategies. Regulated industries like healthcare or finance featured the most expensive data breach responses, due to higher penalties and rates of lost business. The Ponemon Institute reported that data breaches cost approximately $221 per compromised record. The study found that 50% of data breach incidents reported were the result of malicious efforts by third parties while 23% were caused by employee negligence. The remainder of the data breaches were caused by a combination of failed IT or data security practices. Costs associated with data breach notifications increased slightly along with other post-data breach expenses since last year.
IBM Security and the Ponemon Institute release a report finding that the average cost of a data breach is now $4 million, a nearly 30 percent increase over the past three years.
http://www-03.ibm.com/security/data-breach/
Data Breach Litigation
On June 26th, The Wall Street Journal published an article about the rise in data breach litigation and the issue of whether companies should compensate consumers whose payment card and personal information is exposed. The article notes that many data breach cases brought against companies are dismissed based on lack of demonstrable harm. However, some judges in places like Illinois and California are letting these suits proceed based on “risk of injury.” For instance, Judge Diane Wood of the Seventh Circuit ruled in favor of consumers alleging risk of harm in a data breach lawsuit against Neiman Marcus Group, Inc. According to Wood, “Why else would hackers break into a store’s database and steal consumers’ private information. Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assumer those consumers’ identities.” The article also notes that only 5% of data breaches in the United States result in lawsuits, none of which have gone to trial. Most of these cases are dismissed and many are settled, including the cases against Target Corp. and The Home Depot, Inc. The costs of these settlements and of the litigation can be steep, though, which means, according to Veta Richardson of the Association of Corporate Counsel, that, “companies are seeing [these customer lawsuits] as an increasing threat.”
New Set of Facial Recognition Best Practices
June 22: The International Biometrics & Identity Association announced its approval of a new set of facial recognition best practices created by the Department of Commerce’s National Telecommunications and Information Administration.
http://www.planetbiometrics.com/article-details/i/4639/desc/ibia-endorses-new-ntia-face-recognition-best-practices/
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].
