White House / Consumer Privacy
On February 27th, the White House released a draft of its “Consumer Privacy Bill of Rights Act of 2015.” The proposal would require companies to provide conspicuous notice of how they use consumer data, ensure that data is being used for its intended purpose, and provide consumers with a method of having their data deleted. The bill would permit industries to develop codes of conduct that would have to be approved by the Federal Trade Commission (FTC). The bill would also empower the FTC and state attorneys general to enforce the privacy and data security policies and practices outlined in the proposal through civil penalties.
FTC / Identity Theft
On February 27th, the FTC announced that identity theft was the top consumer complaint in 2014. This is the fifteenth consecutive year that identity theft has topped the list of consumer complaints, but the FTC notes that complaints of “imposter scams” increased in 2014. According to the FTC, “[i]mposter scams – in which con artists impersonate government officials or others – moved into third place on the list of consumer complaints, entering the top three complaint categories for the first time.” Debt collection remained as the second most reported complaint. Regarding imposter scams, FTC Bureau of Consumer Protection Director Jessica Rich said in a statement that “[w]hether it’s pretending to be the IRS during tax season, or making false promises of a lottery win, scammers are increasingly sophisticated in their efforts to deceive consumers, but the FTC will continue working to shut these scammers down.”
FTC Data Security Authority
On March 2nd, the Third Circuit expressed uncertainty over the Federal Trade Commission’s (FTC) data security regulatory authority during oral arguments in the FTC’s action against Wyndham over the company’s alleged inadequate data security policies. Specifically, the Third Circuit panel questioned both the FTC and the hotel chain as to whether the FTC has authority under section 5 of the FTC Act to regulate allegedly insufficient data security practices of private companies. One judge discussed the FTC’s prosecutorial limits under the FTC Act by stating that “it looks like when you come back to the statute and, at least to the extent one puts credence in legislative history … it looks like it’s to be done in a very small set of cases.”
FTC v. Wyndham Worldwide Corp. et al., No. 14-3514 (3rd Cir., Mar. 2, 2015).
Data Security and Breach Notification
On March 25th, the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade approved by voice vote a draft data breach bill by Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) entitled, the “Data Security and Breach Notification Act of 2015.” The bill would:
- Set a national standard for covered entities to implement and maintain “reasonable security measures and practices to protect and secure personal information”;
- Require covered entities that suffer a data breach to notify affected individuals “as expeditiously as possible and not later than 30 days after the covered entity has taken the necessary measures” to investigate the breach; and
- Empower the Federal Trade Commission and state attorneys general to obtain civil penalties for violations of the data security and breach notification requirements.
The Subcommittee also approved amendments to the draft bill, including two by Rep. Tony Cardenas (D-CA) that would require the Federal Trade Commission to educate small businesses about data security and to develop a website related to informing businesses on data security.
On March 18th, the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and numerous House Democrats, during a hearing before the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing and Trade, expressed concern over a draft of the “Data Security and Breach Notification Act of 2015.” Under the draft bill, the various state data breach laws would be replaced by a single nationwide standard.
- FTC Bureau of Consumer Protection Director Jessica Rich said that the FTC is “concerned about a national standard if it would water down protections that are currently in place today.” Specifically, Rich expressed concern over the draft bill’s definition of “personal information,” saying that it does not protect some categories of information which are currently protected under state laws.
- FCC Chief Counsel for Cybersecurity Clete Johnson expressed concern with the draft bill transferring data security and breach notification enforcement power from the FCC to the FTC. Specifically, Johnson urged that “the FCC actively enforces the data privacy and security provisions of the Communications Act and related rules,” and added that “the draft bill would alter this legal framework and leave gaps as compared to existing consumer protections.”
- Rep. Frank Pallone (D-NJ) stated that “[t]here are clearly benefits to creating a unified system for data security and breach notification, but we must be careful that a federal law ensures that protections for consumers are not being weakened. The legislation before us does not put consumers in a better place in my opinion.”
- Rep. Jan Schakowsky (D-IL) expressed the same sentiment, finding “positive elements” with some of the draft’s provisions, but noting that it contains “several problems.” Specifically, Schakowsky stated that the draft bill “is very broad in terms of preemption of state and other federal laws, and narrow in terms of definitions of harm and personal information,” and added that she “believes that the bill should be narrow where it is now broad and broad where it is now narrow.”
DOJ / Enforcement
On March 6th, the Department of Justice (DOJ) announced that three defendants have been charged with “one of the largest reported data breaches in U.S. history.” According to the announcement, two Vietnamese citizens and a Canadian citizen were indicted for “hacking” at least eight email service providers throughout the U.S., stealing billions of consumers’ names and email addresses, and conspiring to unlawfully use the information to “spam” consumers. Acting U.S. Attorney John A. Horn of the Northern District of Georgia said in a statement, “[t]his case reflects the cutting-edge problems posed by today’s cybercrime cases, where the hackers didn’t target just a single company; they infiltrated most of the country’s email distribution firms.”
Mar. 9: The DOJ filed a brief with the Second Circuit responding to Microsoft Corp.’s challenge to government search warrants for data stored overseas, arguing that the Stored Communications Act applies to documents stored overseas.
Data Stored Overseas
On February 27th, Reps. Tom Marino (R-PA) and Suzan DelBene (D-WA) introduced H.R. 1174, the “Law Enforcement Access to Data Stored Abroad Act” (LEADS Act). The bill would enhance electronic communications privacy by restricting government access to such information stored overseas. Specifically, the bill states that a court may “modify or vacate a warrant if a provider makes a motion to the court and the court finds that the warrant would require the provider to violate the laws of a foreign country.” According to Marino, “[t]he legislation balances the critical needs of law enforcement and sovereignty of foreign nations with the importance of respecting privacy and personal information.” The bill is identical to S. 512 introduced in the Senate by Senator Orrin Hatch (R-UT) on February 12th. Supporters of the bill include AT&T, Apple, Cisco, and Microsoft.
ID Theft and Tax Prevention Act of 2015
Sen. Bill Nelson (D-FL) introduced S. 676, the “Identity Theft and Tax Fraud Prevention Act of 2015.”
On March 9th, eight members of Congress sent identical letters to Uber, Lyft, and Sidecar urging the ride-sharing companies to “adopt fingerprint-based background checks” for drivers. In the letter, the lawmakers expressed concern over recent reports regarding sexual assaults and potential gaps in the screening process for drivers. The signatories cite reports of assault, kidnapping, and groping of passengers in cities including San Francisco, Los Angeles, Boston, and Washington, D.C. As a result, the lawmakers urge the ride-sharing companies to “implement fingerprint-based background checks right now.”
Data Brokers / Privacy
On March 4th, Sens. Edward J. Markey (D-MA), Richard Blumenthal (D-CT), Al Franken (D-MN), and Sheldon Whitehouse (D-RI) introduced S. 668, the “Data Broker Accountability and Transparency Act of 2015.” The bill would “require data brokers to establish procedures to ensure the accuracy of collected information.” Specifically, the bill would allow consumers to access the information a data broker has collected on the consumer and to correct any incomprehensive information. Consumers would also have control over how data brokers could use, share, and sell their data for marketing purposes. Finally, the bill would empower the Federal Trade Commission (FTC) to enforce the law, permitting the agency to impose civil penalties of up to $16,000 per violation. Markey said in a statement that, “[t]he era of data keepers has given way to an era of data reapers. We need to shed light on this ‘shadow’ industry of surreptitious data collection that has amassed covert dossiers on hundreds of millions of Americans.”
Criminal Background Checks
On March 16th, the Government Accountability Office (GAO) released a study finding, among other things, that “additional actions could enhance the completeness of [criminal history] records used for employment background checks.” The GAO conducted the study to measure the completeness of criminal history records for background checks conducted on individuals working with “vulnerable populations – such as children and the elderly.” Specifically, the report addresses how:
- States conduct Federal Bureau of Investigation (FBI) background checks for specific employment positions;
- States have improved the completeness of criminal history records, and remaining challenges that background check agencies face; and
- Private companies conduct criminal background checks.
According to the report, states have improved in the completeness of criminal history records: twenty states reported that more than 75% of their arrest records contained dispositions in 2012, up from 16 states in 2006. Regarding private companies, the report found that an increase in employer demand for criminal background checks has produced an increase in the number of private companies conducting criminal record background checks. The report also addressed the enforcement practices of the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB). According to the report, from FY 2009-2014 the “FTC settled 16 complaints against private background screening companies and employers for alleged Fair Credit Reporting Act violations.” By contrast, CFPB officials stated that they “have not received many consumer complaints regarding the use of criminal history records in employment background checks.” Lastly, the report noted that private background screening companies generally perform name-based checks rather than fingerprint-based checks, which, according to the report, can “decrease the accuracy of the information that the check produces.”
The GAO emphasized that, “[t]he Department of Justice has helped states improve the completeness of records through grant funding and other resources, but challenges remain.” For example, the GAO found that some agencies charged with improving the completeness of criminal history records – such as the FBI’s Disposition Task Force – lack “plans with time frames for completing remaining goals.” Additionally, some states lack an agency to review background check results altogether. Based on the remaining challenges, “GAO recommends, among other things, that the FBI establish plans with time frames for completing the Disposition Task Force’s remaining goals.”
Mar. 9: Sen. Rand Paul (R-KY) introduced S. 675, the “Record Expungement Designed to Enhance Employment Act of 2015.”
On March 9th, The Wall Street Journal (WSJ) published an article entitled, “Credit-Reporting Giants Agree to Overhaul.” In the article, the WSJ reported that the three largest credit-reporting agencies have agreed with the New York state attorney general, as part of a settlement, to modify the way they handle consumer disputes. Under the agreement, Equifax, Experian, and TransUnion agree to be more “proactive” in resolving consumer disputes over the accuracy of information in credit reports. According to the WSJ, the agreement requires that the bureaus wait 180 days before adding medical debt to consumers’ credit reports and that trained employees review documentation submitted by consumers challenging the accuracy of their reports. The WSJ reported that the settlement represents the biggest reform for the credit-reporting industry in over a decade. Changes under the agreement are expected to be implemented within the next 39 months.
AG Office Investigation
The Connecticut Attorney General announced an investigation into Lenovo Group Ltd. and the software company Superfish over allegations of selling computers with software that makes consumers vulnerable to hackers.
Data Breach Notification
Mar. 4: The Washington state House passed HB 1078, which would “strengthen the data breach notification requirements to better safeguard personal information.”
On March 2nd, the Illinois Attorney General released a report on data security and breach notification that corresponds with recently introduced legislation that would “strengthen the state’s Personal Information Protection Act.” The report outlines the Attorney General’s efforts on identity theft and data security issues, including legislative recommendations for addressing ongoing data security and breach notification challenges. According to the report, the legislative recommendations have been implemented in SB 1833, which was introduced on February 20th. The bill would, among other things:
- Require websites and mobile apps that collect personal information to display privacy policies that explain the type of information being collected and how it is being used;
- Require entities to establish “reasonable” security measures to safeguard sensitive consumer information; and
- Expand the type of information that would require a company to notify consumers of a breach.
Ban the Box
New Jersey: The New Jersey ban the box law, titled The Opportunity to Compete Act, went into effect on March 1, 2015. The law impacts both private and public employers hiring in the Garden State. Like most ban the box laws, the statute does not prohibit employers from asking candidates about their criminal past nor does it prohibit criminal background checks, but it does change the timeframe within which an employer can make an inquiry about criminal history.
Georgia: Georgia will no longer require job candidates to disclose their criminal histories on employment forms after Gov. Nathan Deal (R) signed an executive order this week aimed at smoothing the reintegration process for former inmates.
Deal’s order applies only to those seeking work with state agencies. It would prohibit those agencies from using a prior criminal history as an automatic disqualifier for job candidates. Those candidates will have the opportunity to discuss their criminal records in person.
The policy is known as “ban the box,” a reference to employment forms that ask about prior criminal convictions. Georgia is the 14th state to adopt the policy, along with states as diverse as Nebraska, New Mexico, California and Hawaii. Nationally, nearly 100 cities, including Washington, D.C., have adopted the same policy.
Portland-Oregon: On Wednesday, the Portland (Oregon) City Council will consider preventing employers from asking about a job candidate’s criminal history until after making an employment offer.
The so-called Ban the Box ordinance is part of a national movement intended to reduce barriers to employment for those with criminal histories. Local business leaders say they support the idea, but are opposed to delaying criminal background checks until after making an employment offer.
The ordinance was introduced by Mayor Charlie Hales. He worries that people are not being hired for jobs they are qualified to perform because of prior convictions that have no relation to the work.
“Many people with criminal records can be valuable employees. Employers who have hired people with records often find that they are excellent employees who are highly motivated to create better lives for themselves,” reads the ordinance, which says the routine use of criminal background checks by employers disproportionately affects “historically disadvantaged communities and communities of color.”
On March 23rd, state attorneys general reportedly expressed concern over the potential sale of the personal data of RadioShack Corp.’s (RadioShack) approximately 117 million customers as part of RadioShack’s bankruptcy auction. Texas Attorney General Ken Paxton filed an objection with the bankruptcy court, opposing the sale of customers’ personally identifiable information. The objection has garnered support from several states including Arizona, New York, and California. According to Paxton, “RadioShack gave customers explicit assurances it would not sell their personal information, and that [the] company’s attempts to sell this data would not only be a direct violation of the terms of its own privacy policies, but also a clear violation of Texas law.”
In re: RadioShack Corp., No. 1:15-bk-10197 (Bankr. D. Del., Mar. 23, 2015).
Paxton Statement: https://www.texasattorneygeneral.gov/oagnews/release.php?id=5000
On March 20th, Capital One reported a data breach involving an undisclosed number of account holders’ payment card and account information. According to the data breach notice, law enforcement notified Capital One that a former employee, while still employed at Capital One, shared an undisclosed number of account holders’ “information” with an unauthorized third party. Capital One recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring services for two years at no cost.
On March 10th, Aurora Health Care (Aurora) reported a data breach involving an undisclosed number of current and former caregivers’ account login information and payment card information. According to the breach notice, on January 27, 2015 Aurora was the target of a “criminal cyber attack” that infected company computers with malicious software designed to capture caregivers’ personal information. Upon discovering the incident, Aurora notified law enforcement, who conducted an investigation and found no evidence of any misuse of caregiver information. However, Aurora recommends that caregivers monitor their credit reports and is offering affected individuals credit monitoring and identity theft services for one year at no cost.
On March 9th, Krebsonsecurity.com reported that NEXTEP Systems (NEXTEP), a vendor of point-of-sale solutions for foodservice venues, has “potentially” suffered a “wide-ranging credit card breach.” According to Brian Krebs, law enforcement has notified NEXTEP that sources within the financial industry have discovered a pattern of fraud on credit cards recently used at one of NEXTEP’s “biggest” venues, Zoup, a chain of soup eateries across the United States and Canada. In an email statement obtained by Krebs, NEXTEP President Tommy Woycik confirmed the security breach at Zoup, but emphasized that there is no evidence that all of NEXTEP’s clients have been affected. According to Woycik, “we are not certain of the extent of the breach, and are working around the clock to ensure a complete resolution.”
Mar. 9: Bistro Burger, Inc. reported a data breach involving an undisclosed number of customers’ names and payment card information.
On March 3rd, Kraft Music Ltd. (Kraft) reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information. On February 3, 2015, Kraft learned that unauthorized individuals had installed malicious software on its website that was able to extract user information when customers purchased items from the website. An investigation revealed that the affected period is between December 2014 and February 2015. Since the discovery, Kraft has removed the malicious software and installed new security patches to better protect user information. Kraft recommends that customers monitor their credit reports and is offering affected customers credit monitoring and identity theft protection services for one year at no cost.
Mar. 2: Amedisys, Inc. reported a data breach involving an undisclosed number of patients’ names, addresses, Social Security numbers, and birthdates.
Feb. 27: Ziprick & Cramer, LLP reported a data breach involving an undisclosed number of unspecified client information.
On February 27th, Uber Technologies, Inc. (Uber) reported a data breach involving approximately 50,000 current and former drivers’ names and license numbers. According to Uber, on September 17, 2014, Uber learned that one of its databases was accessed by a third party. Upon learning of the incident, Uber began an investigation which revealed that an unauthorized third party accessed Uber’s database on May 13, 2014, which compromised the information of approximately 50,000 drivers. Uber has not received evidence of any misuse of driver information, but recommends drivers monitor their credit reports. Uber is also offering affected individuals credit monitoring and identity theft protection services for one year at no cost.
Uber Statement: http://blog.uber.com/2-27-15
Uber’s Breach Notice to California Attorney General:
On February 27th, Toys “R” Us, Inc. (Toys R Us) reported a data breach involving an undisclosed number of customers’ member account information. According to its breach notice, Toys R Us learned an intruder gained unauthorized access to “a small percentage of Rewards ‘R’ Us accounts” from January 28, 2015 to January 30, 2015. Toys R Us “suspect[s] this activity was due to large breaches at other companies…where user login names and passwords were stolen and then used for unauthorized access to other accounts…where a user may use the same login name and/or password.” Toys R Us recommends that customers change their account password and provides suggestions on how to protect their member account.
Feb. 19: The University of Chicago Biological Sciences Division reported a data breach involving an undisclosed number of individuals’ names, Social Security numbers, employee identification numbers, and emails.
Krebsonsecurity.com reports that grocery chain Natural Grocers is investigating a payment card data breach.
TalkTalk Telecom Group PLC confirmed a data breach involving an undisclosed number of customers’ names and account numbers.
Valley Community Healthcare reported a data breach involving an undisclosed number of patients’ names and birthdates.
Premera Blue Cross reported a data breach involving an undisclosed number of members’ names, addresses, birthdates, Social Security numbers, medical claims information, and bank account information.
Law Enforcement Targets, Inc. reported a data breach involving an undisclosed number of customers’ names, mailing addresses, payment card information, phone numbers, and email addresses.
Privacy and Data Security
Mar. 27: Nite Ize, Inc. reported a data breach affecting 309 customers’ names, account usernames and passwords, email addresses, and payment card information.
On March 23rd, Advantage Dental (Advantage) reported a data breach involving an undisclosed number of patients’ names, Social Security numbers, addresses, and phone numbers. On February 26th, Advantage learned that an unauthorized person had accessed Advantage’s database containing patient personal information. According to the breach notice, the unauthorized person may have had access between February 23rd and February 26th. Upon learning of the breach, Advantage began securing its database. Advantage recommends that patients monitor their credit reports and is offering affected individuals credit monitoring and identity theft protection services for two years at no cost.
On March 12th, Connecticut Attorney General George Jepsen announced the creation of the “Department on Privacy and Data Security” (Department) within the Office of the Attorney General. According to the announcement, the Department will work “exclusively on investigations and litigation related to privacy and data security.” The Department will also assist the Privacy Task Force, appointed by Jepsen in 2011, to educate the public about data protection and Internet privacy concerns. Jepsen said in a statement that the “[f]ormation of a dedicated Privacy and Data Security Department within my office will maintain Connecticut’s standing as a national leader on this important topic and ensure that this work will continue with equal importance and emphasis to that done by other departments within the office.”
Krebsonsecurity.com reports that Kreditech “is investigating a data breach that came to light after malicious hackers posted thousands of candidates’ personal and financial records online.”
On March 16th, the Arkansas state House referred to its Public Health, Welfare and Labor Committee HB 1876, which would require a student entering into a medical professional education program to undergo a criminal background check during the application process and before licensure. Specifically, the bill states three requirements for individuals applying to a medical education program or school:
- The candidate shall undergo a state and federal criminal background check;
- The student shall be responsible for payment for the state and federal criminal background check; and
- The medical program or school shall establish criteria by which the passage of the criminal background check is determined based upon the medical profession criteria for licensure.
Mar. 10: The Arizona state House Government and Higher Education Committee reported out HB 2647, which would establish minimum data security standards for state and local government agencies.
On March 10th, the Arkansas state House Public Health, Welfare and Labor Committee reported out HB 1618, an act to limit the use of criminal background check information and to increase employment opportunities for persons with criminal records. Specifically, the bill states that “[a]n employer shall not inquire into or consider the criminal record of a candidate for employment until the employer has extended a conditional offer of employment to the candidate.” Once an offer has been extended, the bill would permit an employer to consider the candidate’s criminal record if:
- The candidate has been convicted of a felony within the past ten years from the date of the background check request; or
- The candidate has been convicted of a misdemeanor within the past five years.
The bill states that “[a]n employer shall not withdraw an offer…based on an offense that bears no rational relationship to the duties and responsibilities of the position.” Additionally, the bill provides factors for an employer to consider in deciding whether to withdraw an offer, including:
- The nature of the candidate’s offense;
- Whether the prospective job provides an opportunity for the commission of a similar offense; and
- Information pertaining to the degree of rehabilitation and good conduct of the candidate.
Feb. 27: The Virginia state House and Senate reported out SB 1032, which would create the Virginia Alcoholic Beverage Control Authority and require its directors to submit to background checks.
The Illinois Attorney General released legislation that would “strengthen the state’s Personal Information Protection Act.”
The Arkansas state House Public Health, Welfare and Labor Committee reported out HB 1239, which would affect background checks of social workers.
On March 13th, the Arkansas state House Education Committee reported out HB 1828, which would ensure that personally identifiable information (PII) of students is protected. The bill would limit disclosure or access to PII of students. Specifically, the bill would require any “audit, evaluation, compliance, or enforcement action” related to a state or school district educational program that requires access to student PII to be conducted by “an entity that is under the direct control of the [state’s Department of Education].” The bill would also restrict the Department of Education or school district from disclosing personal information of students with contractors, consultants, or other third parties without written consent from the student or the student’s parent or guardian unless, among other factors, the contractors, consultants, or other third parties:
- Have limited internal access to educational records containing PII of a student;
- Use encryption technologies to protect data; and
- Destroy or return all PII of students in its custody upon request and at the termination of the contract.
On March 24th, the Iowa state House passed HF 394, which would affect background check policies for “transportation network companies,” also known as ride-sharing companies. The bill would require prospective drivers to apply for a driving position and be subject to a local and national criminal background check. The ride-sharing company would be required to search the national sex offender registry database and review a “driving history research report” on the candidate. The bill would require a ride-sharing company to disqualify driver candidates who, among other things:
- Have had more than three moving violations in the prior three-year period;
- Have been convicted in the prior seven-year period of any crime involving fraud, a sexual offense, theft, or an act of violence;
- Are registered on the national sex offender registry database; or
- Are not at least nineteen years of age.
On March 19th, the Alabama state House Boards, Agencies, and Commissions Committee reported out HB 9, which would affect background checks for polygraph examiners. Specifically, the bill states that it would “require [a polygraph examiner] candidate to provide two sets of fingerprints to the Board of Polygraph Examiners to forward to the State Bureau of Investigations for a state and national background check of the candidate.” Additionally, the bill would require the candidate to provide written consent for the release of the background check to the Board of Polygraph Examiners and that the costs associated with the background check are paid by the candidate. Finally, the bill states that information obtained pursuant to the background check would be kept confidential, “except that such information received and relied upon in denying the issuance of a license in [the] state may be disclosed as may be necessary to support the denial or when subpoenaed from a court.”
On March 19th, the New Jersey Assembly Transportation and Independent Authorities Committee held a hearing on A. 3765, which would require background checks for ride-sharing companies. A similar bill is pending in California, AB 24. Under the New Jersey bill, ride-sharing companies would be required to conduct, “either directly or by a third party, a criminal history record background check on a candidate” and conduct subsequent background checks every three years. Companies would also be required to conduct a driver’s license record check. The bill would expressly prohibit the employment of drivers who have been convicted of certain crimes. On March 18th, Uber Technologies, Inc. (Uber) responded, stating that “the bill…would drive Uber out of New Jersey.” The California bill is similar to the New Jersey bill; however, the California bill would “require a driver…to submit to the [state’s] Department of Justice fingerprint images and related information for the purpose of obtaining information as to the existence and content of state convictions and state arrests.” The bill would also subject drivers to mandatory drug and alcohol testing.
New Jersey Bill: http://www.njleg.state.nj.us/2014/Bills/A4000/3765_U1.HTM
Uber Statement: http://www.nj.com/politics/index.ssf/2015/03/fighting_nj_taxi_industry_over_regulation_uber_tak.html
Privacy / Social Media Accounts
On March 23rd, Virginia Governor Terry McAuliffe (D) signed HB 2081, which will affect an employer’s ability to access employees’ social media accounts. The bill prohibits employers from requiring current or prospective employees to:
- Disclose usernames and passwords for their social media accounts; or
- Add an employee, supervisor, or administrator to the list of contacts associated with the current or prospective employee’s social media account.
According to the bill, if an employer “inadvertently” obtains the username or password to a current or prospective employee’s social media account, the employer will not be held liable; however, the employer may not use that information to access the account. The bill also states that it does not prohibit an employer from viewing information on social media accounts that is publicly available.
Kan. – House Adds Fingerprints to Senate’s K-12 Background Check Bill
A House committee amended a Senate-approved bill that would require more than 60,000 public school district employees in direct contact with students to undergo fingerprint and criminal background checks every five years.
The Senate prefers that educators and support staff pay the $50 fee, while the House Education Committee voted to give local school boards the option of picking up the tab.
In addition, the Senate version mandates that Kansas’ half-dozen “innovative” school districts, which don’t have to abide by state laws and regulations, pay the fee rather than teachers. The House panel concluded Thursday that all 35,000 certified educators and 27,000 nonlicensed employees working in districts statewide should be treated the same.
“I think it’s a good bill,” said Rep. Marc Rhoades, a Newton Republican on the House committee. “It certainly shores up the employee factor.”
Background Screening / Privacy
On March 26th, the Arkansas state Senate failed to pass H.B. 1087, which would have amended the state’s 2013 social media privacy law. The bill, which passed the state’s House of Representatives in February, would have required current and prospective employees in certain jobs to add their employer to their social media accounts upon the employer’s request. State law currently bars employers from demanding access to a current or prospective employee’s social media accounts. According to the bill’s sponsor, the bill sought to enhance background screening for individuals seeking to work in positions that serve “vulnerable populations,” such as the elderly or minors.
On March 26th, a federal district court dismissed a putative class action lawsuit against Paramount Pictures Corp. (Paramount) over alleged violations of the Fair Credit Reporting Act (FCRA) for obtaining credit reports on current and prospective employees without providing a separate release form. The plaintiff filed the lawsuit in January 2015 after applying to Paramount for employment and not receiving a separate disclosure form specifying that the company would run a credit report on the plaintiff. Instead, the plaintiff alleged, Paramount included the disclosure and authorization form within the employment application, which the plaintiff claimed violated the FCRA. Paramount argued that including the disclosure form alongside another application document that required a signature did not violate the FCRA. The court agreed with Paramount, stating that it is not “plausible that Paramount violated the FCRA by obtaining the credit checks pursuant to the release found elsewhere in its employment application.”
Peikoff v. Paramount Pictures Corp., No. 3:15-cv-00068 (N.D. Cal., Mar. 26, 2015).
Plaintiffs in a putative class action lawsuit against Food Lion LLC’s parent company, who alleged the grocery chain violated the FCRA for inadequate background check procedures, asked a federal district judge to approve a settlement that would require Food Lion to pay approximately $3 million.
Plaintiffs in a putative class action lawsuit against Whole Foods Market Group, Inc., who allege violations of the FCRA for inadequate background check disclosure policies, responded to the grocery chain’s motion to dismiss, arguing that the requirements outlined in FCRA and FTC guidelines are clear.
On March 20th, grocery chain Schnuck Markets, Inc. (Schnuck Markets) urged a federal district court to dismiss a putative class action lawsuit over a 2012 data breach, arguing that the plaintiffs’ claims of harm lack specificity. On March 30, 2013, Schnuck Markets reported a data breach that dated back to December 2012. Subsequently, 206 customers joined in a lawsuit alleging, among other things, that the grocery chain violated federal and state privacy laws through insufficient data security standards. However, Schnuck Markets, in its motion to dismiss, argued that plaintiffs failed to specifically state the harm suffered as a result of the breach, adding that “knowing which plaintiffs suffered which losses is particularly important because, as a matter of law, many of the harms that plaintiffs allege were suffered by the group as a whole are not cognizable under Illinois law.”
Allen et al. v. Schnuck Markets, Inc., No. 3:15-cv-00061 (S.D. Ill., Mar. 20, 2015).
On March 12th, Uber Technologies, Inc. (Uber) was named in a putative class action lawsuit over a data breach the ride-sharing company disclosed last month (previously reported), alleging that Uber failed to secure drivers’ names and license numbers. On February 27th, Uber reported that it suffered a data breach in May 2014 involving the personal information of approximately 50,000 current and former drivers. The lawsuit alleges that Uber was negligent in its care of drivers’ personal information and took too long to notify drivers about the breach. According to the complaint, the “hackers” gained access to Uber’s database using a “security key” that was “publicly accessible via the Internet.” The plaintiff seeks to represent the approximately 50,000 current and former drivers affected by the breach.
Sasha Antman v. Uber Technologies, Inc., No. 3:15-cv-01175 (N.D. Cal., Mar. 12, 2015).
Premera Data Breach
On March 26th, Premera Blue Cross (Premera) was named in a putative class action lawsuit accusing the health insurer of negligence in connection with a data breach that potentially compromised the personal information of up to 11 million customers. According to the complaint, the plaintiffs allege that Premera was negligent in its delayed notification to consumers regarding the data breach. The complaint states that Premera waited six weeks after it learned of the breach before announcing it in February. The plaintiffs also allege that the breach occurred shortly after an audit from the U.S. Office of Personnel Management that revealed the health insurer needed to “promptly install important updates” to its cybersecurity. The plaintiffs seek to represent a class of current and former Premera members affected by the breach, dating back to 2002.
Tennielle Cossey et al. v. Premera Blue Cross, No. 2:15-cv-00472 (W.D. Wash., Mar. 26, 2015).
Dismissal of Class Action Lawsuit against Paramount
Mar. 26: A federal district court dismissed a putative class action lawsuit against Paramount Pictures Corp. over alleged violations of the FCRA for obtaining credit reports on current and prospective employees without providing a separate release form.
Class Action Lawsuit against Anthem, Inc.
Mar. 4: Plaintiffs in separate putative class action lawsuits against Anthem, Inc. over its recent data breach urged the Judicial Panel on Multidistrict Litigation to consolidate the actions, but disagreed on where the litigation should take place.
On March 19th, the Associated Press (AP) reported that a federal district court has approved a proposed settlement requiring Target Corp. (Target) to pay $10 million to resolve the class action lawsuit related to Target’s 2013 data breach. Under the proposal, Target would deposit the $10 million into an escrow account to pay affected individuals up to $10,000 each upon proof of their losses. The AP reported that the proposal would also require Target “to appoint a chief information security officer, keep a written information security program and offer security training to its workers.”
The solicitor general urged the U.S. Supreme Court to deny Spokeo, Inc.’s petition for a writ of certiorari in a proposed class action lawsuit alleging that the people-search site violated the FCRA by publishing false information about the plaintiff. Facebook, eBay, Google, and Yahoo have filed amicus briefs supporting Spokeo.
Challenge to FTC’s Authority to Regulate Personal Health Information
LabMD filed a petition with the Eleventh Circuit challenging the court’s decision to dismiss LabMD’s lawsuit against the FTC, which contested the agency’s authority to regulate the security of personal health information.
On March 13th, a federal district court in Pennsylvania dismissed two putative class action lawsuits over a data breach suffered by Paytime, Inc. (Paytime), ruling that the plaintiffs lacked standing because they had not alleged that any of their compromised data was misused. In April 2014, Paytime suffered a data breach involving approximately 233,000 individuals’ names, Social Security numbers, and payment card information. According to the judge, “[p]laintiffs do not allege that they have actually suffered any form of identity theft as a result of the data breach — to wit, they have not alleged that their bank accounts have been accessed, that credit cards have been opened in their names, or that unknown third parties have used their Social Security numbers to impersonate them and gain access to their accounts.” As a result, the judge concluded that there was no “misuse” of plaintiffs’ data and that plaintiffs suffered no harm, as “their credit information and bank accounts look the same today as they did prior to Paytime’s data breach in April 2014.”
Storm et al. v. Paytime, Inc. and Holt et al. v. Paytime, Inc., No. 1:14-cv-01138 (M.D. Pa., Mar. 13, 2015).
FTC Case against Wyndham Hotels
Mar. 27: The FTC and Wyndham Hotels presented oral arguments before the Third Circuit over whether a federal court may hear a data security case prior to the agency first determining that unreasonable cybersecurity practices are unfair under the FTC Act.
Class Action Against PF Chang
Mar. 27: A federal district court dismissed a putative class action lawsuit alleging that P.F. Chang’s China Bistro, Inc. was negligent in failing to prevent a data breach that compromised customers’ payment card information, ruling that the plaintiffs had not shown they suffered any harm.
Class Action Cases against Premera Blue Cross
Media reported that Premera Blue Cross is named in at least five separate putative class action lawsuits over its recent data breach.
Whole Foods Motion to Dismiss Class Action Lawsuit
A federal district court denied Whole Foods Market Group, Inc.’s motion to dismiss a putative class action lawsuit alleging that the grocery chain violated the FCRA over its background check disclosure policies.
The Atlantic reports on whether taxis are safer than Uber and the “limitations” of background checks.
The Wall Street Journal reported that Apple Pay’s increase in fraud involves “credit-card data stolen in retailer breaches.”
Reuters published an article entitled, “CFPB Arbitration Study a Powerful Vindication of Consumer Class Actions.”
Verizon Communications, Inc. releases a report on payment card data security.
The National Journal reports that “background checks for [TSA’s] Pre-Check candidates face questions from lawmakers and privacy advocates.”
The Hill reports that Anthem, Inc. refused a “security check” that the inspector general for the Office of Personnel Management sought to schedule for the summer of 2015.
On March 11th, a Dutch court invalidated the country’s Telecommunications Data Retention Act, ruling that the law violated the privacy rights of European citizens established in the European Union Charter of Fundamental Rights. The law required telecommunications companies to retain their customers’ data for between six and twelve months to assist law enforcement in investigating crimes. However, according to the court, the law’s objective did not outweigh the privacy risks of requiring companies to retain data for at least six months. The court addressed the possible impact of invalidating the law on criminal investigations, stating that “[t]he judge is aware that the failure of the [law] can have profound implications for the investigation and prosecution of criminal offenses, [but] that does not justify that the aforementioned infringement persists.”
Privacy First Foundation et al. v. the State of the Netherlands, No. C-09/480009/KG ZA 14/1575 (District Court of The Hague, Mar. 11, 2015).
EU Parliament to Visit US Lawmakers
Politico reports that members of the European Parliament will visit with U.S. lawmakers and State Department representatives this week to discuss data protection reform and the White House’s proposed Consumer Privacy Bill of Rights.
On March 13th, the Council of the European Union (EU Council) expressed support for amendments to the proposed data protection reform regulation that would permit a national data protection authority (DPA) to object to decisions concerning multinational companies made by a DPA in another EU member state, rather than only decisions concerning companies established within its own borders. The previous version of the reform contained a “one-stop shop” mechanism under which only the DPA of the member state where a company has its main establishment could rule on the company’s data protection practices. The amended regulation supported by the EU Council would not eliminate the “one-stop shop” mechanism, but would provide for greater cooperation and joint decision-making between the lead DPA and other “concerned” DPAs in “important cross-border cases.”
Data Retention Law
A Bulgarian court invalidated the country’s data retention law, which was intended to assist law enforcement investigations, offering no immediate explanation because the full text of the decision will be published at a later date.
Vendor Management Program
The IAPP publishes an article entitled, “Monitoring Third-Party Vendors Means Managing Your Own Risk: Chapter Seven.”
FTC / Data Security
On March 9th, the Federal Trade Commission (FTC) signed a memorandum of understanding (MOU) with the Dutch Data Protection Authority (Dutch DPA) “to enhance information sharing and enforcement cooperation on privacy-related matters.” The MOU, signed by FTC Chairwoman Edith Ramirez and Dutch DPA Chairman Jacob Kohnstamm, is similar to agreements the FTC has entered into with data protection authorities in Ireland and the United Kingdom. According to the FTC announcement, “[t]he MOU recognizes the need for increased cross-border enforcement cooperation and sets out the two agencies’ intent regarding mutual assistance and the exchange of information for investigating and enforcing against privacy violations.”
EU Data Privacy Laws
The Wall Street Journal publishes an article entitled, “EU Seeks to Tighten Data Privacy Laws.”
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].