Data Security and Data Breach Legislation
On May 1st, Representatives Randy Neugebauer (R-TX) and John Carney (D-DE) introduced HR 2205, the Data Security Act of 2015. The bill would “protect financial information relating to consumers” and would subject retailers and financial institutions to the same breach notice requirements. Under the bill, covered entities would be required to:
- Designate at least one employee to manage safeguards;
- Conduct risk analyses;
- Regularly assess information safeguards in light of risks; and
- Update the program on a rolling basis as technology evolves.
Regarding breach notification, if a covered entity determines that a breach of its systems has occurred and could cause harm to consumers, then the covered entity must notify, without unreasonable delay:
- The appropriate federal law enforcement agency;
- Any relevant payment card network, if the breach affects payment card information;
- Each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, if the breach involves sensitive information relating to 5,000 or more consumers; and
- All affected consumers.
Additionally, the bill states that a “financial institution shall have no obligation under this Act for a breach of security at another covered entity involving sensitive financial account information relating to an account owned by the financial institution.”
On April 30th, Senator Patrick Leahy (D-VT) introduced S. 1158, the Consumer Privacy Protection Act. According to a statement by Leahy, the bill “addresses the kinds of security breaches that have affected retail stores in recent years, as well as breaches of personal email, online accounts, and cloud computing that have sent Americans’ personal information, photos and even location out into public view.” Provisions of the bill include:
- Requiring companies that store sensitive personal or financial information on 10,000 customers or more to meet consumer privacy and data security standards to keep this information safe, and to notify the customer within 30 days of a breach;
- Establishing a “broad definition of information that must be protected,” including Social Security numbers; financial account information; online usernames and passwords; unique biometric data, including fingerprints; information about a person’s physical and mental health; information about a person’s geolocation; and access to private digital photographs and videos; and
- Requiring companies to inform federal law enforcement of all large breaches, as well as breaches that involve federal government databases, law enforcement, or national security personnel.
FTC and Identity Theft
On May 14th, the Federal Trade Commission (FTC) launched IdentityTheft.gov, a new online resource for identity theft victims. According to the FTC, the website will make it easier for identity theft victims to report and recover from identity theft. The website will be a resource for identity theft victims by:
- Providing an interactive checklist that walks people through the recovery process and helps them understand which recovery steps should be taken upon learning their identity has been stolen;
- Offering specialized tips for specific forms of identity theft, including tax-related and medical identity theft; and
- Providing advice for people who have been notified that their personal information was exposed in a data breach.
A Spanish version of the site is also available at RobodeIdentidad.gov.
FTC and Customer Data Security
On May 18th, the Federal Trade Commission (FTC) urged the Delaware bankruptcy court to implement certain conditions in RadioShack, Inc.’s (RadioShack) bankruptcy asset sale in order to protect consumers’ personal data. Specifically, FTC Bureau of Consumer Protection Director Jessica Rich sent a letter to the court-appointed consumer privacy ombudsman in RadioShack’s bankruptcy case, reminding the ombudsman of the “promises that RadioShack made to consumers…not to sell consumers’ information or the company’s mailing list.” In the letter, Rich recommended, among other things, that:
- Consumers’ information not be sold as a standalone asset, but be bundled with other assets;
- The information be sold only to another entity that is in “substantially the same line of business as RadioShack”; and
- The buyer be bound by RadioShack’s privacy policies that were in place when the consumers’ data was collected.
Chemical Facility Safety and Security
Jun. 19: The Department of Homeland Security, Environmental Protection Agency, and Department of Labor will host a webinar on Executive Order 13650, “Improving Chemical Facility Safety and Security.”
Employment Screening/Background Checks
May 23: Texas Governor Greg Abbott (R) signed HB 1769, which will affect background checks for assisted living facility applicants.
May 15: Rep. Carolyn Maloney (D-NY) introduced HR 2380 to “require criminal background checks on all firearms transactions occurring at gun shows.”
May 14: Florida Governor Rick Scott (R) signed SB 682, which will affect background checks for employees at transitional living facilities.
On May 6th, New York City Mayor Bill de Blasio (D) will hold a hearing on Int. 261-A, the Stop Credit Discrimination in Employment Act. The bill passed the New York City Council on April 16th (previously reported). Under the bill, certain employers would be banned from using credit histories to screen prospective employees. Specifically, the bill would make it “an unlawful discriminatory practice for an employer to use an individual’s consumer credit history in making employment decisions.” The bill would exempt “an employer, or agent thereof, that is required by state or federal law or regulations or by a self-regulatory organization…to use an individual’s consumer credit history for employment purposes.” Additionally, the bill would exempt certain individuals, allowing employers to consider the individual’s credit history in screening the applicant. Individuals include:
- Police officers;
- Peace officers; and
- Law enforcement personnel at the Department of Investigation.
The bill awaits action by the Mayor, who scheduled a hearing in relation to the bill for May 6th. No further information has been provided regarding the hearing.
On May 5th, the Kansas Legislature overrode Governor Sam Brownback’s (R) veto of SB 117 (the House vote was 96-25), which will affect background checks for ride-sharing companies. Under the bill, before ride-sharing companies permit an individual to act as a driver, the company must “obtain a local and national criminal background check on the individual, conducted by the Kansas Bureau of Investigation.” The background check must include:
- Fingerprint analysis, utilizing the records of the Kansas Bureau of Investigation and the Federal Bureau of Investigation; and
- A state and national criminal history records check which conforms to applicable federal standards.
The bill also requires ride-sharing companies to review the prospective driver’s driving history report. The bill bars an individual from driving for the company if the individual, among other things:
- Has three or more moving violations in the preceding three years;
- Is listed in a national sex offender registry database; or
- Does not possess a valid driver’s license.
On the same day, Reuters reported that “Uber…ceased operations in Kansas after the state legislature decided to override [Governor Brownback’s] veto.”
Reuters Article: http://www.reuters.com/article/2015/05/06/us-uber-kansas-idUSKBN0NR01720150506
May 5: Indiana Governor Mike Pence (R) signed HB 1278, which will affect driver background checks for ride-sharing companies.
Apr. 30: The Texas state Senate passed SB 1003, which would affect background checks for individuals seeking school district teaching permits.
Apr. 29: Montana Governor Steve Bullock (D) signed HB 472, which will affect background checks for prospective employees and volunteers of the Office of the Child and Family Ombudsman.
On April 23rd, Washington Governor Jay Inslee (D) signed HB 1078, which will “enhance the protection of consumer financial information.” The law will “strengthen the data breach notification requirements to better safeguard personal information, prevent identity theft, and ensure that the attorney general receives notification when breaches occur so that appropriate action may be taken to protect consumers.” Under the law, a covered entity must notify affected individuals of a breach no more than forty-five calendar days after the breach was discovered, unless law enforcement determines that notification would “compromise the investigation.” However, the law states that “notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.” According to the law, notification must:
- Be in writing; and
- Include, at a minimum, the name and contact information of the reporting entity, a list of compromised information, and contact information of the major credit reporting agencies if the breach exposed personal information.
On April 30th, Governor Inslee named the state’s first Chief Privacy Officer.
Chief Privacy Officer Announcement: http://www.governor.wa.gov/news-media/inslee-announces-hire-alex-alben-state%E2%80%99s-first-chief-privacy-officer
Data Breach Notification
On April 29th, Montana Governor Steve Bullock (D) signed HB 123, which affects data breach notification requirements. According to the law, when a state agency learns of a data security breach and the agency maintains individuals’ personal information in its data system, the agency must make efforts to notify any person whose personal information may have been compromised. “The notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement…or with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.” Similarly, a third party who receives personal information from a state agency without authorization must notify the state agency, as well as make “reasonable efforts” to notify affected individuals. According to the law, a state agency that is notified of a breach by a third party “has no independent duty to provide notification of the breach if the third party has provided notification of the breach.” Additionally, a state agency or third party that has to notify an individual of a data breach must “simultaneously submit to the state’s Chief Information Officer at the Department of Administration and to the Attorney General’s Consumer Protection Office an electronic copy of the notification and a statement providing the date and method of distribution of the notification.”
Ban the Box
The Oregon House has advanced legislation to bar employers from asking about criminal convictions on initial job applications. The 33-27 vote Wednesday, largely on party lines and taken after a 90-minute debate, moved House Bill 3025 to the Senate. About one-third of the states have similar legislation, known as “ban the box,” according to the National Employment Law Project. Most of those laws apply only to government employment, but six states extend it to all employers. Portland and Multnomah County have such bans applying to government employment. A work group set up by the Portland City Council is considering how the city ordinance, originally adopted last year, may extend to private employers.
Health Data Security
On June 10th, the California state Senate Health Committee will hold a public hearing on SB 514, which would affect the sharing of consumers’ personal health information. Under SB 514, the state’s health exchange would be prohibited from disclosing consumer personal information to any third-party contractor, such as an insurance agent or certified enrollment counselor, unless the consumer “indicate[d] in an application for health care coverage” that they would like assistance from an insurance agent or enrollment counselor. The bill’s sponsor said in a statement that “[t]his bill is a bipartisan effort to close [a] loophole so that consumers may shop free from fear of losing their privacy to unknown, outside entities.”
Media Report: http://stateofreform.com/news/industry/exchanges/2015/05/ca-health-committee-to-consider-coveredca-data-security-bill/
On May 27th, American Express Company (American Express) reported a data breach involving a third-party merchant and affecting an undisclosed number of customers’ names and payment card information. Specifically, American Express stated that an unidentified merchant discovered unauthorized access to its website where American Express cardholders conduct online purchases. American Express has not identified any misuse of information and emphasized that no cardholder’s Social Security number was compromised. American Express has “placed additional fraud monitoring” on affected customers’ cards and will contact customers regarding any unusual activity.
On May 27th, Copart, Inc. (Copart), a provider of online vehicle auction and remarketing services, reported a data breach involving an undisclosed number of customers’ names, addresses, driver’s license numbers, and Copart account information. According to the breach notice, on March 31, 2015, Copart learned that an unauthorized individual gained access to its computer network. Upon learning of the breach, Copart blocked any further unauthorized access to its network and hired a third-party cybersecurity forensic expert to investigate the incident. Copart has taken steps to safeguard customers’ accounts, including requiring all members to change their password for their Copart.com account.
On May 22nd, LifeView Outdoors (LifeView), a retailer of outdoor gear and apparel, reported a data breach involving an undisclosed number of customers’ names and credit card information. According to the breach notice, between January 1, 2015, and April 18, 2015, an unauthorized user gained access to LifeView’s payment processing system. “Upon discovery, [the] system was…shut down, reviewed, and has since been replaced with a new system having additional security measures.” LifeView recommends that customers monitor their financial accounts and check their credit reports periodically.
May 21: Coffee Bean & Tea removed to federal district court a proposed class action alleging violations of the FCRA by failing to adequately inform prospective employees about its background check policies, including the procurement of consumer reports.
On May 4th, Sally Beauty Holdings, Inc. (Sally) reported that it is “investigating” a possible data breach affecting an undisclosed number of customers’ payment card information. Sally’s breach notice states that it had recently received reports of “unusual activity” involving payment cards used at some of its U.S. retail stores. Since obtaining the reports, Sally has notified law enforcement and its credit card processor and has launched an investigation, which remains ongoing. On the same day, krebsonsecurity.com (Krebsonsecurity) reported on Sally’s data breach. According to Krebsonsecurity, the data breach would be the second breach suffered by Sally within a year. Krebsonsecurity also reported that the previous data breach, from March 2014, reportedly affected 25,000 payment card accounts.
Sally Statement: https://sallybeautyholdings.com/potential-data-incident-information/may-4-2015-statement.aspx
Krebs Article: http://krebsonsecurity.com/2015/05/sally-beauty-card-breach-part-deux/
On May 1st, Partners HealthCare System, Inc. (Partners) reported a data breach involving an undisclosed number of patients’ names, addresses, Social Security numbers, and birthdates. According to the breach notice, on November 25, 2014, Partners learned that several of its employees had received “phishing” emails and had provided information in response, believing the emails were legitimate. Responding to the “phishing” emails permitted unauthorized individuals to access the employees’ email accounts within the Partners network. Upon learning of the incident, Partners secured the email accounts and notified law enforcement. Partners emphasized that electronic medical records were not compromised. To prevent a recurrence, Partners has reinforced employee education regarding “phishing” emails and is “enhancing” technical safeguards to protect patient information.
On May 1st, American Express Company (American Express) reported a data breach involving an unspecified third-party payment processing services company and affecting an undisclosed number of consumers’ names and payment card information. According to the breach notice, the company that provides payment processing services to “numerous merchants” notified American Express that there has been unauthorized access to its processing system that may have compromised cardholders’ account information. American Express states that it is working with the payment processor to determine the impact of the unauthorized access. American Express emphasizes that cardholders’ Social Security numbers were not compromised as a result of the breach. American Express has “placed additional fraud monitoring” on affected customers’ cards and will contact customers regarding any unusual activity.
Apr. 29: Cities Services LLC reported a data breach involving 613 customers’ names, addresses, and payment card information.
Pennsylvania State University reported a data breach affecting up to 17,933 individuals’ unspecified personal information.
CareFirst reported a data breach affecting an undisclosed number of customers’ names, email addresses, and birth dates.
The IRS reported a data breach involving up to 100,000 taxpayers’ Social Security information, birth dates, and street addresses.
A federal district court dismissed a proposed class action lawsuit against eBay, Inc. over a data breach the company suffered in 2014.
May 19: Home Depot, Inc. paid $7 million in costs related to a September 2014 data breach during the first quarter of 2015, according to the company’s first quarter statement.
On May 18th, plaintiffs filed a proposed class action against Dollar Tree Stores, Inc. (Dollar Tree) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to adequately inform prospective employees about its background check procedure for obtaining consumer reports. According to the complaint, Dollar Tree failed to properly disclose, in a separate document, that it would obtain prospective employees’ consumer reports as part of their background checks. The complaint states that the absence of a single document, solely for the purpose of procuring consumer reports, is a violation of the FCRA and “flies in the face of unambiguous case law and regulatory guidance from the FTC.”
Walker v. Dollar Tree Stores, Inc., No. 8:15-cv-01170 (M.D. Fla., May 18, 2015).
On May 1st, a federal district court ordered Flowers Hospital and a putative class of patients suing over a data breach the hospital suffered to provide supplemental briefing on whether plaintiffs have standing to sue under the Fair Credit Reporting Act (FCRA) without proving actual injury. Flowers Hospital, in an October 2014 motion to dismiss, argued that plaintiffs failed to allege facts establishing that they suffered an injury-in-fact as a result of the data breach. The plaintiffs responded by arguing that the violations of the FCRA, alone, are sufficient to establish standing under the statute. The court, in its order requesting supplemental briefing, stated that the parties “brush over the question of whether plaintiffs have suffered an actual injury in favor of asserting or denying the risk of future harm,” adding that “neither party addresses whether the plaintiffs’ complaint makes sufficient allegations of injury-in-fact under the FCRA to confer standing.”
Smith et al. v. Triad of Alabama LLC d/b/a Flowers Hospital, No. 1:14-cv-00324 (M.D. Ala., May 1, 2015).
On April 29th, a federal district court denied Whole Foods Market Group, Inc.’s (Whole Foods) attempt to stay a proposed class action lawsuit alleging violations of the Fair Credit Reporting Act (FCRA) until the Supreme Court decides Spokeo, Inc.’s (Spokeo) FCRA action. On April 28th, the Supreme Court agreed to hear Spokeo’s challenge to a Ninth Circuit decision reviving an FCRA suit against Spokeo for allegedly publishing inaccurate information about the plaintiff on the company’s search engine (previously reported). The complaint against Whole Foods alleges that the grocery chain’s background check disclosure policies violate the FCRA. Whole Foods, in its motion to stay, argued that the Supreme Court’s decision in the Spokeo case would affect the plaintiff’s standing to pursue his claims related to Whole Foods’ background check policies. However, the federal court rejected the company’s argument, stating that because a “grant of certiorari by the Supreme Court does not change the law and does not constitute new law, … a stay of these proceedings to await a decision from the Supreme Court in Spokeo is not warranted.”
Colin Speer v. Whole Foods Market Group, Inc., No. 8:14-cv-03035 (M.D. Fla., Apr. 29, 2015).
Equifax, Experian, and TransUnion agreed to pay a total of $6 million to 31 states to settle alleged violations of the FCRA relating to customer disputes over credit report errors, fraud, and identity theft.
The Connecticut Supreme Court upheld a lower court’s decision denying an insurance claim over a data breach affecting approximately 500,000 IBM employees’ personal information.
Constitutionality of CFPB
May 1: The D.C. Circuit Court of Appeals affirmed the dismissal of an action Morgan Drexen brought against the CFPB challenging the constitutionality of the CFPB.
JCrew Motion to Dismiss Class Action Lawsuit
Plaintiffs urged a federal district court to deny J. Crew Group, Inc.’s motion to dismiss a proposed class action lawsuit alleging that the clothing retailer violated the Fair and Accurate Credit Transactions Act (FACTA) by printing more than the last five digits of credit card numbers on receipts for more than ten years.
Sale of Customer Data (Radio Shack)
On May 20th, Texas Attorney General Ken Paxton announced a settlement regarding RadioShack Corp.’s (RadioShack) proposed sale of its customers’ personally identifiable information. In March 2015, Paxton, along with 38 state attorneys general, filed motions in opposition to RadioShack selling its customer data as part of the retailer’s bankruptcy asset sale. According to the announcement, “[u]nder the terms of the settlement agreement reached after mediation, the overwhelming bulk of RadioShack’s consumer data will be destroyed, and no credit or debit card account numbers, social security numbers, dates of birth or even phone numbers will be transferred.” Accordingly, the settlement announcement states that General Wireless, the winning bidder for RadioShack’s intellectual property, will be limited by the settlement reached with the state attorneys general.
In re: RadioShack Corp., No. 1:15-bk-10197 (Bankr. D. Del., May 7, 2015).
FTC and Data Security
On May 8th, the Federal Trade Commission (FTC) urged an administrative law judge to deny LabMD, Inc.’s (LabMD) latest attempt to dismiss the FTC’s enforcement action over LabMD’s data security practices. The FTC filed the action against LabMD in 2013, accusing the company of inadequate data security practices in violation of Section 5 of the FTC Act. According to the FTC, LabMD’s motion to dismiss improperly accuses the agency of misconduct throughout the proceedings, hoping to distract from the “voluminous evidence” the FTC has introduced in support of its enforcement action. In its opposition, the FTC said that because the agency has presented “overwhelming evidence” establishing a violation of Section 5, the case should not be dismissed.
In the Matter of LabMD, Inc., No. 9357 (FTC, May 8, 2015).
On May 5th, a federal district court denied DolGenCorp LLC’s (Dollar General) attempt to access the U.S. Equal Employment Opportunity Commission’s (EEOC) policies regarding its own use of criminal background checks in employment decisions. The EEOC filed the suit against Dollar General in 2013, alleging that the company’s use of criminal background checks for prospective employees is discriminatory because it has a disparate impact on African-American applicants. During the litigation, Dollar General filed a motion to compel the EEOC to produce its policies regarding the use of background checks in making employment decisions. The EEOC argued that such document requests were irrelevant. The court agreed with the EEOC, ruling that the EEOC need not produce its background check policies for its own employees because Dollar General failed to show that “the functions performed by its employees are in any way comparable to those undertaken by the EEOC’s employees.”
EEOC v. DolGenCorp, LLC d/b/a Dollar General, No. 13-CV-4307 (N.D. Ill. May 5, 2015).
The FTC announced a settlement against Ashworth College over alleged FTC Act violations by misleading students about career training and credit transfers.
On May 8th, Reuters reported that the European Union (EU) and the U.S. are “close to completing negotiations on a deal protecting personal data shared for law enforcement purposes.” Both the EU and the U.S. have been negotiating since 2011 over a framework that would protect individuals’ personal data transmitted between the police and judicial authorities in the course of investigations. However, according to Reuters, negotiations have been “hampered” due to the inability of European citizens who do not reside in the U.S. to sue in U.S. courts if they believe their data has been compromised or misused. Reuters reported that the “EU has repeatedly insisted that until such a ‘right to judicial redress’ is enshrined in law, the agreement cannot be signed.” As a result, on March 18th Rep. Jim Sensenbrenner (R-WI) introduced HR 1428, the Judicial Redress Act of 2015, which would provide European citizens the right to sue over data privacy concerns in the U.S., regardless of where they reside.
Australia/Privacy Management Framework
May 3: The Australian Office of the Information Commissioner published its “Privacy Management Framework.”
Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or email@example.com.