On February 25th, Senator Jeff Merkley (D-OR) introduced S. 2592, known as the “Medical Debt Relief Act.” The bill would amend the Fair Credit Reporting Act (FCRA) by prohibiting credit reporting agencies from considering paid off or settled medical debt when determining a consumer’s credit score. The bill would also prohibit credit reporting agencies from considering outstanding medical debt until 180 days after it has become delinquent. According to Senator Bob Menendez (D-N.J.), one of the bill’s co-sponsors, “All the financial planning in the world can’t prepare our middle class families for sudden medical emergencies or unforeseen illnesses- and the bills that come with them. Yet, too many hardworking people find themselves unable to get the loan they need to buy a car or a house because their credit score has been dragged down over medical debt- and that makes no sense.” The bill’s co-sponsors also point to a study by the Consumer Financial Protection Bureau (CFPB) that found that 43 million consumers have outstanding medical debt included in their credit reports.
NCIC and NICS Index
March 18: The FBI released data on the National Instant Criminal Background Check System, which pulls information from the Interstate Identification Index, National Crime Information Center, and the NICS Index.
Economic Sanctions on State-Supported Foreign Hackers
March 29: President Obama reauthorized a provision that allows him to place economic sanctions on state-supported foreign hackers.
On February 26th, a federal judge denied TransUnion LLC’s (TransUnion) motion for sanctions against a man and his attorneys accused of “hijacking” a mediation attempt in the Fair Credit Reporting Act (FCRA) case against TransUnion and JPMorgan Chase & Co. (JPMorgan). The plaintiff’s original complaint stems from an allegedly incomprehensive credit check provided by TransUnion based on information from JPMorgan. The plaintiff also alleged that the companies did not adequately investigate his report when he disputed it. However, TransUnion claims that during mediation, the plaintiff’s wife deceived the judge by serving as representation without revealing her real name or relationship to the plaintiff. TransUnion also alleges that the plaintiff’s wife refused to sign the mediation agreement in order to conceal her identity, which the company argues could undermine the mediation’s confidentiality. The judge denied TransUnion’s motion for sanctions against the plaintiff and his representation, but did not issue an opinion.
McDonough v. JPMorgan Chase Bank NA, et al., case number 4:15-cv-00617, in the U.S. District Court for the Eastern District of Missouri.
Florida Deceptive and Unfair Trade Practices Act
On March 7th, a proposed class action was filed against ADT Corp. (ADT), a home security company, over alleged violations of the Florida Deceptive and Unfair Trade Practices Act. The plaintiff alleges that ADT deceptively marketed its products as safe and reliable, when in reality the company’s wireless signals were unencrypted, and therefore susceptible to hackers. According to the complaint, “ADT’s misleading marketing statements and omissions are particularly egregious given that they provide a false sense of security to those individuals and businesses that are most vulnerable; Individuals and businesses who are seeking the comfort of an extra level of security that a home security system provides.” The complaint also points to a 2014 article in Forbes that documented how easily the company’s systems could be hacked. The plaintiff claims that ADT should be held liable because it knew of these risks and even included a feature to prevent its signals from being intercepted, but the company “fails to activate this feature for its customers, but also conceals its very existence.”
Hernandez v. The ADT Corp., case number 9:16-cv-80335, in the U.S. District Court for the Southern District of Florida.
Home Depot Data Breach
On March 7th, a proposed $13 million settlement was reached between The Home Depot, Inc. (Home Depot) and a class of consumers claiming that the company’s inadequate data security practices contributed to its massive 2014 data breach that exposed tens of millions of customers’ payment card data. Under the terms of the proposed settlement, Home Depot would pay $13 million in compensation for class members based on out-of-pocket losses and time spent dealing with the aftermath of the breach. The company is also required to pay for 18 months of identity theft protection services for class members and to enhance its data security practices in order to better protect consumers’ personal and financial information. Specifically, the proposed settlement would require Home Depot to develop a security officer position, perform regular security assessments, implement measures to protect against risks identified by the assessments, provide consumers with disclosures about its security practices, train employees on data security and encryption best practices, and ensure vendors provide comparable security.
In Re: The Home Depot Inc., Customer Data Security Breach Litigation, case number 1:14-md-02583, in the U.S. District Court for the Northern District of Georgia.
Data Breach Class Action Lawsuit
21st Century Oncology was served with a class action lawsuit from patients of the company whose information was stolen during a data breach.
Massachusetts AG announces new Consumer Advocacy and Response Division
March 3: Massachusetts AG Healey announced a new Consumer Advocacy and Response Division (CARD) intended to protect Massachusetts consumers from alleged fraud, unfair business practices, and consumer abuse. The CARD staff will assist consumers with issues such as (i) auto purchasing and financing; (ii) data security and identity theft; (iii) debt collection; and (iv) foreclosure prevention. In 2015, AG Healey’s office handled more than 2,600 consumer complaint cases, resolving issues related to debt collection, auto lending, and securing refunds for disputed charges with cellular phone carriers.
Data Breach Statute
March 28: Tennessee amended its data breach notification statute, which will now require notifying any affected resident of Tennessee within 45 days and removes the previous notification exemption for encrypted information.
EU-US Safe Harbor
The Hill published an article entitled, “US, EU Face Blowback on Data Deal.”
The Article 29 Working Party, the EU’s committee of member data protection authorities, issued a statement on the recently published details of the EU-U.S. Privacy Shield arrangement.
March 14: EU Digital Commissioner Gunther Oettinger spoke at the CeBIT trade fair and said that the EU-U.S. Privacy Shield is expected to take effect in June.
On February 29th, the European Commission released the full draft of the Privacy Shield data sharing agreement between the European Union (EU) and the United States. The agreement replaces the Safe Harbor data sharing pact that was struck down by an October 2015 European Court of Justice ruling that found the U.S. did not adequately protect the data of European citizens (previously reported). The new agreement creates a “last-resort arbitration panel” to address complaints from EU citizens that American companies mishandled their data. The agreement also establishes an ombudsman within the U.S. Department of State to address complaints of EU citizens that U.S. intelligence agencies accessed their data without permission or just cause. However, privacy advocates have already expressed doubt that the agreement will provide adequate redress for EU citizens, namely because the arbitration panel can only offer “non-monetary” relief. Of the new agreement, European privacy advocate Max Schrems said, “They tried to put ten layers of lipstick on a pig, but I doubt the Court and the [data protection authority regulators] now suddenly want to cuddle with it.” Federal Trade Commission (FTC) Chairwoman Edith Ramirez issued a more positive statement on the agreement, saying, “The EU-U.S. Privacy Shield Framework supports the growing digital economy on both sides of the Atlantic, while ensuring the protection of consumers’ personal information. In providing an important legal mechanism for transatlantic data transfers, it benefits both consumers and business in the global economy.” The draft agreement must now be reviewed by the EU data protection authorities.
The EU and US have announced another agreement requiring US companies to self-certify that they are compliant with certain data privacy principles in order to conduct transatlantic data transfers. This agreement is called the EU-US Privacy Shield (“Privacy Shield”) and is similar to its predecessor, the Safe Harbor program, but requires US companies to conform to more stringent data privacy standards. Although the EU and US have announced this deal, the Privacy Shield has not yet been finalized or enacted, as the authorities are still negotiating a final version of the agreement. During this interim, US companies should consider adopting the Privacy Shield’s published Privacy Principles into their business practices in order to commit to doing business long-term in Europe. If they do so, they would not only put themselves on a fast track to self-certification under the Privacy Shield, but would also minimize their exposure to data privacy/breach liability in the US. Under the first published draft of the Privacy Shield, US companies must adopt and implement certain Privacy Principles in order to collect, store and transfer EU personal data. The Privacy Shield’s Privacy Principles are generally good data privacy and security policies and procedures that, when implemented, would help a company minimize its exposure to data breach liability here in the United States (e.g., Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), state data breach notification laws, etc.).
On March 14th, the U.K. Information Commissioner’s Office (ICO) released a 12-step guide for companies to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR, which takes effect in 2018, replaces the EU’s 1995 Directive with a more uniform regulation that imposes stricter requirements on the use and sharing of consumers’ data. According to Steve Wood, director of the ICO’s policy delivery department, “The new law will enhance the rights of data subjects and place more obligations on organizations to be accountable for their use of personal data. These 12 points are intended to be a helpful starting point, to help break down the legislation- which can appear daunting- into practical areas for action.” The guide instructs businesses to ensure that everyone in their organization is aware that the law is changing, as well as to hire a data protection officer to handle the implementation and oversight of their data security programs. The guide also advises businesses to evaluate what kind of data they maintain and their current procedures in light of the changing data breach notification, information requests, and consent requirements under the GDPR. Wood emphasized in a recent blog post that ICO is not “answering specific questions at this stage,” as “the final text of the reforms hasn’t been agreed yet.”
IAPP published another article in its series on the E.U.’s General Data Protection Regulation (GDPR) entitled “Top 10 operational impacts of the GDPR: Part 10 – Consequences for GDPR Violations.”
Hotel Data Breach
On March 9th, The Hill reported that Rosen Hotels & Resorts (Rosen) suffered a data breach of its payment card processing systems. According to the report, Rosen discovered malware had infiltrated its payment card software that was able to collect the names, numbers, expiration dates, internal verification codes, and other information contained on customers’ credit and debit cards. In a statement, Frank Santos, Rosen’s Chief Financial Officer, said, “Together with our cybersecurity firm, we have worked tirelessly to contain and address the incident. Additionally, enhanced security measures have been implemented to help prevent this from happening again.” Breaches of hotels’ payment card systems are becoming increasingly common. Last year, other chains like Hilton Worldwide, Starwood Hotels & Resorts, Trump Hotel Collection, and Hyatt Hotels Corporation also suffered similar data breaches.
On March 6th, KrebsOnSecurity.com reported that Seagate Technology (Seagate), a data storage company, has suffered a data breach of thousands of employees’ W-2 tax forms. According to Eric DeRitis, a spokesman for the company, “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to [a] phishing email scam. The information was sent by an employee who believed the phishing was a legitimate internal company request.” Phishing scams for W-2 information are becoming increasingly prevalent, as W-2 forms contain all the information necessary to file fraudulent tax returns. According to the Internal Revenue Service (IRS), scammers stole the W-2 information of over 330,000 people last year directly from the agency’s website. A report from the Federal Trade Commission (FTC) indicated that 50 percent of consumer identity theft stems from tax refund fraud. In response to the incident, Seagate has notified authorities and offered its employees two years of identity theft protection services.
Premier Healthcare in Bloomington, Indiana reported a data breach exposing the information of over 200,000 patients.
The Hill reports that hackers stole the information of an estimated 1.5 million customers from Verizon Enterprise Solutions.
- This story was first reported by Krebs on Security, who found the Verizon customer data being sold online at the rate of $10,000 per 100,000 users’ records.
March 18: Privacy groups expressed concerns about new Amazon software that would allow payments to be verified through facial recognition technology.
March 22: TransUnion and Temenos have announced that they will be sharing TransUnion’s CreditVision debt collection and recovery scoring model.
Mishandling of Private Data
The New York Times reported that Focused Technologies Imaging Services, a New York-based contractor with the State Division of Criminal Justice Services, will have to pay $3.1 million in damages for mishandling private data.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445.