Federal Background Checks
On April 29th, Nextgov reported that the National Background Investigation Bureau (NBIB) is considering creating an “insider threat score” modeled on credit scores for certain federal government candidates, according to comments made at the National Security Alliance symposium. The “insider threat score” would allow for the “continuous evaluation” of employees with a federal security clearance. NBIB is the agency tasked with issuing federal security clearances following the Office of Personnel Management data breach. Director Jim Onusko stated that the agency is interested in creating a “Fair Isaac-like score” which would compile and use “court records, mortgage transactions, and – if authorized – social media posts” to continuously determine whether individuals are eligible for a federal security clearance. The current system only reevaluates employees with a security clearance every couple of years. The new system would attempt to “reverse engineer the online activities” of candidates in order to “understand the behavioral components of leakers.”
On April 28th, the Federal Trade Commission (FTC) announced an enforcement action against Expand, Inc. (Expand) for its deceptive educational lead generation practices. Expand operated the website Gigats.com (Gigats), which gathered online job postings and compiled personal information from consumers for “employment pre-screening.” According to the FTC complaint, the job postings that consumers applied for did not actually exist. Gigats would later sell the consumer data to for-profit colleges, universities, and career training programs. After Gigats collected the consumer’s personal information from job applications, “employment specialists” would contact the consumers and encourage them to enroll in educational programs. These educational programs would often pay between $22 and $125 for each consumer that the “employment specialist” successfully signed up. The FTC’s proposed court order seeks to ban Expand from “transferring consumer’s personal information to a third party without clearly disclosing that it will be transferred, and their relationship to the third party.” This is the FTC’s first enforcement action against educational lead generators. The proposed court order would require Expand to pay $360,000 in order to avoid a fine of $90.2 million.
FDIC Data Breach
On April 20th, House Committee on Science, Space and Technology Chairman Lamar Smith (R-TX) sent a letter to Martin Gruenberg, Chairman of the Federal Deposit Insurance Corporation (FDIC), about the agency’s October 2015 data breach. It was recently revealed that a former FDIC employee stole a USB flash drive containing the sensitive information of nearly 10,000 individuals, including Social Security numbers. In his letter, Smith questions the FDIC’s “cybersecurity posture and preparedness,” as it took the agency two months to recover the drive and four months to report the incident to Congress. According to the letter, “The FDIC’s apparent hesitation to inform Congress of the security incident not only raises concerns about the agency’s willingness to be transparent and forthcoming with Congress but raises further questions about whether additional information stored in FDIC systems has been compromised without being brought to the attention of Congress.” Smith specifically requests that Gruenberg provide him with any documents or communications related to the breach, a description of the former FDIC employee responsible for the breach, a description of all the sensitive information contained on the flash drive, and any documents related to the White House’s 2016 information security priorities and agency guidance.
FTC Enforcement Action
On May 9th, the Federal Trade Commission (FTC) announced that it has reached a settlement with Credit Protection Association (CPA) resolving allegations that the debt collection agency violated the Fair Credit Reporting Act (FCRA). According to the FTC’s complaint, CPA violated the FCRA’s Furnisher Rule by failing to fully implement written policies and procedures regarding consumer disputes and by failing to adequately train its employees on how to handle disputed information. The FTC found that CPA employees failed to keep copies of documentation provided by consumers disputing information reported to credit bureaus and also failed to follow up after reinvestigations. In a statement, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said, “When consumers dispute potentially incorrect information in their credit reports, companies must not only investigate those disputes, but also let consumers know whether the information has been corrected… Companies that fail to live up to these obligations can expect to hear from the FTC.” Under the terms of the settlement, CPA must pay $72,000 in civil penalties and is required to develop adequate dispute policies and procedures in order to come into compliance with the FCRA’s Furnisher Rule.
New FTC Business Guidance for Employment Background Screening Companies
On May 10th, the Federal Trade Commission (FTC) released new guidance entitled, “What Employment Background Screening Companies Need to Know About the Fair Credit Reporting Act.” The guidance purports to help background screening companies understand when their activities define them as a consumer reporting agency under the Fair Credit Reporting Act (FCRA) and the obligations they must meet in order to comply with the FCRA. Specifically, the guide instructs background screening companies covered by the FCRA to ensure the accuracy of their information, to obtain certain certifications from clients that the report is being procured for a “permissible purpose,” to provide clients and consumers with information about the FCRA, and to appropriately respond to consumer disputes and inquiries. The guide also addresses how the FCRA applies to public records information reported for employment purposes. The guidance can be found at:
The Workforce Compliance Insights Blog posted on the impact of the FTC’s FCRA guidance on background screeners conducting employment background investigations.
Criminal History Screening
On May 9th, the U.S. Department of Education released a new resource guide entitled, “Beyond the Box: Increasing Access to Higher Education for Justice-Involved Individuals.” The guide encourages colleges and universities to delay inquiring about a candidate’s criminal history until later in the application process. According to U.S. Secretary of Education John B. King, Jr., “The college admissions process shouldn’t serve as a roadblock to opportunity, but should serve as gateway to unlocking untapped potential of students… We must ensure that more people, including those who were involved in the criminal justice system in the past but paid their debt to society, have the chance at high education opportunities that lead to successful, productive lives, and ultimately create stronger, safer communities.” The resource guide highlights research from the Center for Community Alternatives that shows that asking about criminal history can deter otherwise qualified individuals from even completing an application. The guide also notes that many schools, like New York University, only inquire about criminal history after preliminary admissions decisions have been made. The guide also recommends that colleges and universities inquire about criminal history in “narrowly focused” questions, provide all candidates the opportunity to explain any criminal justice involvement, and train admissions staff on how to effectively analyze criminal history data.
Social Media in Federal Background Investigations
Social Media and Security Clearance
On May 13th, the House Committee on Oversight and Government Reform’s Subcommittee on Government Operations and Subcommittee on National Security held a joint hearing on “Incorporating Social Media into Federal Background Investigations.” The hearing follows a proposal by the Obama administration to encourage the National Background Investigation Bureau (NBIB) to include public social media posts into its background screening process for individuals seeking security clearance. Committee Spokeswoman M.J. Henshaw defended the proposal, stating, “Useful information is already publicly available and can be accessed while respecting a reasonable expectation of privacy.” Chairman Jason Chaffetz (R-UT) has previously pressured the Office of Personnel Management (OPM) to utilize public social media posts in their background screening process, stating, “It defied common sense for the government to overlook social media data available to anyone with an internet connection.” A government survey of social media posts by individuals with security clearance found that one in five had “information relevant to eligibility for a clearance.” U.S. Chief Information Officer Tony Scott raised concerns about the feasibility of conducting social media searches, which can cost $500 to $800 per person. Congressmen were also concerned with whether the NBIB intended to store or share the social media information collected on candidates, in light of the 2015 OPM data breach. Representative Mick Mulvaney (R-SC) asked, “What do you do with the information you have on me after you have it? Because while I consent to let you go and get it, I certainly don’t consent with you giving it to other people.”
Credit Reporting Legislation
On May 19th, Representative Maxine Waters (D-CA), the ranking member of the House Financial Services Committee, introduced H.R. 5282, entitled, “The Comprehensive Consumer Credit Reporting Reform Act of 2016.” The bill seeks to facilitate the process for reporting and disputing errors on credit reports by amending the Fair Credit Reporting Act (FCRA). The bill would require the Consumer Financial Protection Bureau (CFPB) to draft “accuracy regulations,” creating minimum standards for data furnishers that would eliminate information from companies with high error rates. The bill would also limit the permissible use of credit information for employment purposes, by only allowing credit information to be used in employment screening when required by local, state, or federal law or for national security clearances. The proposed legislation would decrease the limits for how long adverse credit information is allowed to remain on credit reports, including limiting the reporting of all bankruptcies to seven years. The bill also seeks to end misleading advertisements by credit monitoring companies which offer free credit reports in exchange for signing up for their service. Consumer advocacy groups issued a joint press release in support of Representative Waters’ bill, with over a dozen cosigners. The press release refers to the current system of reporting errors on consumer credit reports as a “Kafka-esque nightmare.” National Consumer Law Center staff attorney Chi Chi Wu stated, “We applaud Congresswoman Waters for introducing a bill that will vastly improve the credit reporting system, and with it, the economic lives of millions of Americans.”
Representative Mike Pompeo (R-KS) introduced H.R.5318, which would “amend the Federal Trade Commission Act to specify certain effects of guidelines, general statements of policy, and similar guidance issued by the Federal Trade Commission.”
FTC Disclosure Initiative
On May 24th, the Federal Trade Commission (FTC) announced that it will investigate the effectiveness of consumer disclosures. The FTC issued a press release announcing that it will hold a public workshop on September 15th in order to “examine the testing and evaluation of disclosures that companies make to consumers about advertising claims, privacy practices, and other information.” The agency argued that disclosures “are critical in helping consumers make informed decisions in the marketplace,” but often do not succeed, stating, “Privacy policies are often long and difficult to comprehend and privacy-related icons may fail to communicate information meaningfully to consumers.” A spokesperson for the agency claimed that the FTC has been experimenting with “shorter, clearer, easier-to-use privacy disclosures and consent mechanisms.”
High Court Rules Consumers Must Prove Harm In Class Actions
In the case of Spokeo Inc. v. Thomas Robins et al. (case number 13-1339), the Supreme Court ruled on Monday, May 16, 2016, in a 6-2 decision written by Justice Samuel Alito, that consumers must prove harm in class actions. In its holding, the Court stated that because the Ninth Circuit failed to consider both aspects of the injury-in-fact requirement (the plaintiff must show that s/he suffered an ‘invasion of a legally protected interest’ that is ‘concrete and particularized’), its Article III standing analysis was incomplete. The case has been remanded to allow the Ninth Circuit to decide if the alleged injury is “concrete” enough. Notably, in its decision the Court stated, “Article III standing requires a concrete injury even in the context of a statutory violation. For that reason, Robins could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.” The full decision can be retrieved at:
InsideARM published an article on how the Spokeo Supreme Court decision may limit consumer financial services litigation.
On April 27th, a proposed class action was filed in a federal court against the Southeastern Pennsylvania Transportation Authority (SEPTA) for alleged violations of the Fair Credit Reporting Act (FCRA) and Pennsylvania’s Criminal History Record Information Act (CHRIA). The named plaintiff, Frank Long, claims that he was not provided a “proper written disclosure” that SEPTA would be conducting a credit check on him as is required by the FCRA. The suit also alleges that Long was denied employment because of past criminal convictions “that do not relate to the candidates’ suitability for employment in the positions for which they applied.” Long has a prior drug possession and manufacturing charge from 1997 that was revealed during the course of the background check. Long’s complaint alleges that, “The SEPTA form was not only unclear and inconspicuous, but, in addition, it did not ‘consist solely of the disclosure’ that a consumer report may be procured for employment purposes, and instead contained numerous statements and requests in clear violation of the requirements set out by FCRA.” The class action will attempt to include all SEPTA job candidates that did not receive a “proper FCRA disclosure” or were denied a position based upon an unrelated criminal history in violation of the CHRIA. Long v. Southeastern Pennsylvania Transportation Authority, case number 2:16-cv-01991 in the U.S. District Court for the Eastern District of Pennsylvania.
Technical Violation of FCRA Enough to Continue Suit Against Employer
Reiterating the need for employers to ensure compliance with every word of the Fair Credit Reporting Act (FCRA), an Illinois judge let a suit proceed against Sprint over background checks, holding that the alleged technical violation of the statute can move forward despite the fact that the plaintiff suffered no actual harm. A candidate for a position at a Sprint store in Chicago signed a form titled, “Authorization for Background Investigation.” He then sued the company asserting a violation of Section 1681 of the FCRA, arguing that Sprint willfully ran afoul of the statute because the authorization form did not consist solely of the required disclosure. The employer responded with a motion to dismiss because the candidate suffered no actual harm.
Whether or not the candidate suffered any harm was irrelevant, the court said, as the “FCRA exists to protect the privacy and economic interests of consumers.” Congress established enforceable statutory rights in the FCRA, the judge wrote, and created a remedy within the Act that was not dependent upon evidence of harm. In June 2015, Roberto Rodriguez applied for a job at a Sprint retail store in Chicago. As part of the application process, Sprint provided Rodriguez with a form seeking his authorization to perform a background check. Titled “Authorization for Background Investigation,” the form contained “third party authorizations, a blanket release of multiple types of information from multiple types of entities, state specific information, and various statements above and beyond a disclosure that a consumer report would be procured.” Rodriguez signed the form and Sprint obtained a consumer report on him from a consumer reporting agency. Rodriguez then filed suit against Sprint in November 2015, alleging a violation of Section 1681b(b)(2)(A) of the Fair Credit Reporting Act (FCRA). That provision provides that a “person may not procure a consumer report” unless: “(i) a clear and conspicuous disclosure has been made in writing to the consumer at any time before the report is procured or caused to be procured, in a document that consists solely of that disclosure, that a consumer report may be obtained for employment purposes; and (ii) the consumer has authorized in writing (which authorization may be made on the document referred to in clause (i)) the procurement of the report by that person.” Because Sprint’s authorization form did not “consist solely of the disclosure,” Rodriguez claimed the company committed a willful violation of the statute. The complaint requested statutory damages and punitive damages as well as costs and attorneys’ fees. Sprint offered the plaintiff $1,000 to settle his claim.
When Rodriguez let the offer lapse, the defendant moved to dismiss the suit for lack of subject matter jurisdiction based on the purported absence of a case or controversy. Relying in part upon the U.S. Supreme Court’s recent decision in Campbell-Ewald Co. v. Gomez, an Illinois federal court judge denied the motion. In that case, the Justices determined that a lapsed offer of judgment has no effect on the justiciability of a case and does not nullify a live controversy between the litigating parties. As an alternative, Sprint contended that Rodriguez lacked standing because he failed to allege any actual harm and did not seek any actual damages, leaving him without a concrete injury capable of judicial redress. While that argument would generally prevail, Congress has the power to confer standing with the creation of statutory rights, U.S. District Court Judge Matthew F. Kennelly wrote, as the Legislature did with the FCRA. “[I]t is readily apparent that Rodriguez has alleged an injury in fact sufficient to confer standing to sue under Article III,” the court said. “The FCRA exists to protect the privacy and economic interests of consumers. The purpose of the law is to protect consumers by requiring consumer reporting agencies to meet the needs of commerce ‘in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.’” One way that Congress attempted to achieve this purpose was through Section 1681b(b)(2)(A)’s disclosure provision, providing that a consumer’s private information may be disclosed only after he or she has signed a clear and decipherable authorization, the court explained.
A separate provision, Section 1681n(a), established an enforcement mechanism where “[a]ny person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to … damages of not less than $100 and not more than $1,000.” “Section 1681b(b)(2)(A) exists to ensure that consumers who authorize disclosure do so freely and knowingly, and together with the private enforcement provision in Section 1681n(a), it imposes a binding, mandatory obligation on a party in Sprint’s position,” Judge Kennelly wrote, with harm not a necessary component of the equation. “Congress enacted the FCRA to protect consumer control over personal information the exposure of which, though often necessary in the modern economy, can result in a significant invasion of privacy and can jeopardize a consumer’s personal, reputational, and financial well-being. The statute provides that when a person or entity willfully violates a mandate of the FCRA that is designed to protect these interests, the aggrieved consumer may recover statutory damages.” The court cited similar conclusions from the Sixth, Eighth, and Ninth Circuit Courts of Appeals. Sprint’s argument that those decisions were balanced by opposite authority from the Second, Third, and Fourth Circuits—as well as the fact that the Ninth Circuit case, Robins v. Spokeo, is currently pending before the U.S. Supreme Court—did nothing to change the court’s mind. “[T]he fact that at least four Justices of the Supreme Court voted to grant certiorari in Robins says nothing about whether at least five Justices will be convinced to reverse the court below,” the court wrote. He also distinguished the contrary authority based on the underlying statutes in those cases, the Employee Retirement Income Security Act and the Americans with Disabilities Act.
Target Alleged FCRA Violation
On May 12th, Judge Donovan W. Frank dismissed with prejudice a putative class action lawsuit against Target Corp. (Target) which accused the company of violating the Fair Credit Reporting Act (FCRA). The case focused on the requirement in the FCRA that the disclosure to an employee advising them of a background check “consist solely of that disclosure and authorization.” The plaintiff alleged that Target’s background check authorization contained extraneous language on its form, including language stating that the company has “the right to end your employment at any time for any reason.” The class action sought to include all individuals that Target requested background reports on over the last five years. Target’s background check disclosure and authorization notice also included language requiring its employees commit to “dedication, trust and above all, honesty.” Target argued in its motion to dismiss that “any additional details merely enhanced the disclosure in a clear and conspicuous way.” Target also maintained that it is not “objectively unreasonable” that its reading of the statute could allow for additional information to be included on the background check disclosure. Judge Frank agreed with Target’s arguments, finding that the company “didn’t willfully fail to comply with the FCRA based on its objective reading of the statute.” Thomas J. J
Vermont Ban the Box
In order to help people with criminal convictions find employment and build successful lives, Governor Peter Shumlin has signed a bill to remove questions about criminal records from the very first part of job applications in Vermont. “Banning the box” will give those with criminal records a fair chance at a good job and reduce the risk of recidivism and incarceration. The law follows a 2015 Executive Order signed by Governor Shumlin to implement a “ban the box” hiring policy for state jobs. The bill (H.261) prohibits employers from asking questions about prior criminal convictions on an initial job application, allowing candidates to be judged on their work history and qualifications rather than on a mistake made in their past. Employers will still be allowed to ask questions in later stages of the hiring process, and the law provides exemptions for certain positions where a criminal conviction would automatically disqualify a candidate due to state or federal law. “Too many Vermonters with criminal records are unable to successfully re-enter their communities due to lack of employment. Banning the box is all about breaking down barriers and giving those Vermonters who have paid their debt to society a fair chance at finding a good job,” Gov. Shumlin said. “Nobody wins when Vermonters are trapped in a cycle of unemployment and incarceration.”
Connecticut Ban the Box
“An Act Concerning Fair Chance Employment” prohibits Connecticut employers from inquiring about a candidate’s criminal history, including prior arrests and criminal charges or convictions, on a job application. Passed by the Connecticut legislature on May 4, 2016, the “Ban the Box Bill” is expected to be signed by Governor Dannel Malloy. If signed, the bill will take effect on January 1, 2017, and Connecticut will become the latest state to limit inquiries into a candidate’s criminal history. The bill adds the following to Section 31-51i of the general statutes:
[n]o employer shall inquire about a prospective employee’s prior arrests, criminal charges or convictions on an initial employment application, unless (1) the employer is required to do so by an applicable state or federal law, or (2) a security or fidelity bond or an equivalent bond is required for the position for which the prospective employee is seeking employment.
The new provision applies to all employers regardless of size, including both state and local public entities. The bill also allows employees and prospective employees to file complaints with the state Labor Commissioner.
On May 7th, voters in Austin, Texas rejected a proposal by Uber Technologies, Inc. (Uber) and Lyft, Inc. (Lyft) to self-regulate their drivers. The measure, known as Proposition One, was opposed by 56 percent of Travis County voters, despite the ride-sharing companies’ $8 million campaign effort. Uber and Lyft introduced Proposition One after the Austin City Council passed an ordinance in December 2015 requiring ride-sharing companies to conduct fingerprint background checks on their drivers. The companies threatened to leave Austin when the ordinance was passed, as they have in other cities with similar regulations, claiming that fingerprint checks are too burdensome on their businesses. According to Austin Mayor Steve Adler, “The people have spoken tonight loud and clear. Uber and Lyft are welcome to stay in Austin, and I invite them to the table regardless.” On May 9th, the companies announced that they were temporarily halting business in Austin in light of the failure of Proposition One. In a statement, Uber’s Austin General Manager Chris Nakutis said, “Disappointment does not begin to describe how we feel about shutting down operations in Austin. We hope the City Council will reconsider their ordinance so we can work together to make the streets of Austin a safer place for everyone.”
NY Data Breach
On May 4th, the New York Attorney General’s office issued a press release announcing that data breach notifications had increased 40% over the same period last year. The New York State Information Security Breach and Notification Act requires that companies report data breaches that meet certain requirements. The press release states that the Attorney General’s office received 459 data breach notifications between January 1st and May 2nd of 2016, compared with 327 reports received during the same period last year. In response to the report, New York Attorney General Eric T. Schneiderman declared, “I am committed to stemming the data breach tide. Making notification to my office easier for companies who have experienced a data breach means quicker notifications and quicker resolution for New York’s consumers.” The office claimed that data breaches cost the State of New York $1.37 billion in 2013 alone. Schneiderman previously proposed reforms to the state’s data security laws which would “broaden the scope of information that companies would be responsible for protecting; requires stronger technical and physical security measures for protecting information; and create a safe harbor for companies who meet certain security standards.”
Australia – Criminal Activity Background Check
While it may appear obvious that an employer is entitled to hire and fire employees with reference to criminal conduct, both the Australian Human Rights Commission Act 1986 (Cth) (AHRC Act) and recent unfair dismissal cases make clear that employers should proceed with caution before making any prejudicial decision based on these factors. There are a number of laws that make it mandatory for certain employers to screen their employees by means of a criminal record check, a common example being those employees who will work closely with children. However, in the absence of a mandatory requirement, many employers still request potential employees to provide police clearances or authority for the employer to conduct a criminal history check. If, upon receiving this information, the employer chooses not to employ an individual, they are potentially engaging in unlawful discrimination in contravention of the AHRC Act. The AHRC Act covers employers and employees in all states and territories, and while it is the focus of this article, it is also worth keeping in mind that an employer may be in breach of state and territory laws as well. For the full article, see:
On May 4th, the Official Journal of the European Union published the full text of the General Data Protection Regulation (GDPR). The GDPR replaces the European Data Protection Directive which was established in 1995. The regulation will grant companies two years in order to come into compliance, with the law coming into effect on May 25th, 2018. Companies that fail to comply with the GDPR may face fines of up to 4% of their annual global revenue. The GDPR requires companies to report data breaches to a European Union Data Protection Commissioner within 72 hours and notify affected users “without undue delay.” The regulation also expands the “right to be forgotten” to data created when the user was a child. The GDPR also contains provisions that require certain companies to hire Data Protection Officers, which has left some concerned that there will not be a sufficient supply of certified data professionals available within the specified timeframe.
EU-US Privacy Shield
On May 26th, the European Parliament passed a non-binding resolution calling on the European Commission to renegotiate the EU-US Privacy Shield agreement. The vote to approve the resolution was overwhelming, with 501 lawmakers voting for the measure and 119 voting against. Debate focused around whether the proposed Privacy Shield would withstand judicial scrutiny, with one lawmaker stating, “There is only one yardstick: is this or is this not Schrems proof? It seems to me the Commission is prepared to make a decision knowing that it will not stand in court,” referring to Max Schrems, the data privacy activist who filed the lawsuit which resulted in the invalidation of the Safe Harbor agreement. The European Parliament resolution also “Calls on the Commission to implement fully the recommendations expressed by the Article 29 Working Party…”
On May 24th, European Data Protection Supervisor (EDPS) Giovanni Buttarelli delivered his office’s annual report and announced that he would soon be releasing an official opinion on the EU-U.S. Privacy Shield. During his presentation, Buttarelli indicated that his forthcoming opinion will echo many of the sentiments expressed in the Article 29 Working Party’s opinion. According to Buttarelli, “We have serious concerns. But now our task is not simply to copy and paste or repeat what our colleagues have said. We would like to be more proactive by focusing on potential solutions.” Like the Working Party, Buttarelli suggested that he does not think the agreement adequately protects the data of EU citizens or provides adequate redress to those who believe that their data has been mishandled by U.S. intelligence agencies. However, Buttarelli said that his opinion will focus more on how to achieve “essential equivalence” between the U.S. and the EU’s standards for data transfers, a main issue in the European Court of Justice case that invalidated the former Safe Harbor agreement. Buttarelli also said that the final Privacy Shield agreement should be consistent with the General Data Protection Regulation, which goes into effect in 2018, so companies do not have “to change their privacy policies every year.”
May 20: IAPP published a blog post on the Article 31 working committee and their failure to reach an agreement on the EU-US Privacy Shield.
European Data Protection Supervisor Giovanni Buttarelli announced that he would be releasing an opinion on the new Privacy Shield data sharing agreement, indicating that he is skeptical of the validity of the agreement.
On May 25th, the Irish Data Protection Commissioner referred a case to the European Union Court of Justice (CJEU) involving Facebook, Inc.’s (Facebook) use of standard contractual clauses for international data transfers. Facebook began using standard contractual clauses, or “model clauses,” as their legal basis for transferring data out of the European Union after Safe Harbor was invalidated in October 2015. A spokesperson from Facebook defended the company’s practices, stating, “Thousands of companies transfer data across borders to serve their customers and users… While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contractual Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.”
Payment Card Security
On April 28th, the Payment Card Industry Security Standards Council (PCI SSC) announced that it has increased its Data Security Standards (DSS). The PCI SSC is a non-governmental self-regulating coalition of over 700 credit and debit card companies, including American Express Co., Discover Financial Services, JCB International, MasterCard, Inc., and Visa, Inc. The new security standards will require that card administrators use at least two passwords to identify themselves when attempting to view cardholder data. According to PCI SSC Chief Technology Officer Troy Leach, “A password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.” The organization also suggested that it may begin to test companies’ compliance with the standards, noting that “PCI DSS compliance trends reveal that many organizations view PCI DSS compliance as an annual exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced.” Payment card issuers will also be required to report “failures of critical security systems” and conduct biannual cybersecurity testing. The new PCI DSS requirements will become effective on October 1st, 2016.
Ban the Box Goes to College
The long-running “Ban the Box” campaign is now gaining ground at colleges and universities. The movement aims to protect job candidates, and now prospective students, from being asked about their criminal histories, and was recently bolstered by President Obama, who is taking executive action to ban the practice at federal agencies. Campus officials say the background question helps them learn as much as possible about prospective students and allows them to take steps to keep everyone on campus safe. But opponents say the question, which requires prospective students to check a box if they have criminal histories, is an undue barrier that harms certain groups of students. Some colleges routinely ask an optional criminal-background question; some schools are compelled to ask it by the state in which they’re located; and, whether intentional or not, more than 600 colleges and universities ask simply because they use Common App to streamline the admissions process. This year, 920,000 unique candidates used Common App to submit 4 million applications, or 4.4 applications per student, according to the organization. For the full article, click on the following link:
Payment Card Industry Security Standards Council Revises Data Security Standards
On April 28, 2016, the Payment Card Industry’s Security Standards Council (PCI) published its new Data Security Standards (DSS). PCI sets debit/credit card security standards, and it updates and clarifies existing standards to reflect changes in the business and technical landscape. The new revisions, PCI DSS 3.2, will go live in October 2016. The updated rules address two topics. First, the revised rules will require card administrators to use multi-factor authentication to identify themselves when accessing sensitive cardholder data, regardless of whether they are accessing their systems onsite or remotely. Previously, administrators only needed multi-factor authentication when they were on an untrusted network. Going forward, that requirement will extend to all networks – onsite as well as remote. Troy Leach, PCI Security Standards Council CTO, justified the revisions: “We’ve seen an increase in attacks that circumvent a single point of failure, allowing criminals to access systems undetected, and to compromise card data.” He added that “a password alone should not be enough to verify the administrator’s identity and grant access to sensitive information.” Second, the April 2016 update added criteria that instruct companies to apply and maintain the PCI standards as an everyday, continuing practice, rather than as an annual compliance exercise associated with an audit or self-assessment. Leach noted that compliance trends indicate that many organizations view PCI compliance as an annual exercise, but that it is important for companies to prioritize PCI compliance as an ongoing, around-the-clock effort rather than as a “one-off” event.
Key Takeaways: (i) Requires multi-factor authentication for card administrators to access sensitive card data on all networks, and (ii) Companies should prioritize PCI compliance as a continuing practice.
Note: The current version of the standards – PCI DSS 3.1 – will expire six months after the release of PCI DSS 3.2 (i.e., October 31, 2016). All revised/upgraded SAQ forms/procedures included with PCI DSS 3.2 should be used beginning November 1, 2016. PCI DSS 3.2 will not be a requirement until February 2018, in order to provide companies sufficient time to implement the new standards.
Payroll Data Breach
On May 3rd, KrebsOnSecurity.com reported that payroll management company ADP suffered a data breach. According to the report, identity thieves stole tax and salary information by signing up for accounts using the names and other information of employees at over a dozen companies. U.S. Bancorp (U.S. Bank) was one such company, and reported the incident to employees last week, saying, “Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP. During the course of the investigation we have learned that an external W-2 portal, maintained by ADP, may have been utilized by unauthorized individuals to access your W-2, which they may have used to file a fraudulent income tax return under your name.” In response to news of the breach, ADP Chief Security Officer Roland Cloutier emphasized that fraudsters need several pieces of information about an individual, including name, date of birth, and Social Security number, to actually register an account in someone’s name. Cloutier also stated that the information the fraudsters used to create the accounts did not come from ADP’s system and was most likely obtained from another breach. However, the issues arose when certain companies posted ADP enrollment codes online, making it easier for fraudsters to create fake accounts with relatively limited information. According to Dana Ripley of U.S. Bank, “We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information. We have discontinued that practice.”
Verizon’s annual data breach report claims that over half of confirmed data breaches involved criminals exploiting weak or reused passwords.
On May 24th, Society for Worldwide Interbank Financial Telecommunications (SWIFT) CEO Gottfried Leibbrandt delivered remarks at the European Financial Services Conference and discussed the company’s plan to update its security systems in light of recent cyberattacks. Earlier this month, SWIFT announced that at least two banks that use its platform suffered a malware attack in which cybercriminals were able to make fraudulent money transfer requests resulting in $81 million in theft. During his remarks, Leibbrandt assured the audience that SWIFT’s network and its software have not been compromised and that it was the individual banks’ information technology systems that were breached. According to Leibbrandt, “While we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that.” Leibbrandt also said that SWIFT would be implementing a five-point plan to increase its customers’ security, which includes improved guidelines and audit frameworks, updated pattern controls in order to identify suspicious activity, and certification requirements for third-party providers. Leibbrandt concluded that, “The cyber challenge is huge, and demands action, and change, by all stakeholders. And change is hard. Sometimes it takes a crisis.”
May 12: SWIFT, the communication application used by many financial institutions, announced that a second bank has been hacked due to vulnerabilities in its software.
SWIFT CEO Gottfried Leibbrandt delivered a speech at the European Financial Services Conference and discussed the company’s five-point plan to improve its security in light of its recent cyberattacks.
Ecuadorean Bank Is 3rd Caught Up In Hack Of SWIFT Users
The number of banks hit by a malware attack that has affected users of the Society for Worldwide Interbank Financial Telecommunication platform has grown to three, with an Ecuadorean bank revealing in court documents unearthed Friday that cybercriminals had stolen about $12 million from it.
LinkedIn Data Breach
On May 17, 2016, LinkedIn became aware that data stolen from LinkedIn in 2012 was being made available online. It was not a new security breach or hack. The information involved was member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012. LinkedIn took steps to invalidate the passwords of all LinkedIn accounts that it believed could have been at risk: accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, LinkedIn is using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. LinkedIn also engaged with law enforcement authorities. LinkedIn has taken significant steps to strengthen account security since 2012. For example, LinkedIn now uses salted hashes to store passwords and enables additional account security by offering its members the option to use two-step verification.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected]