October 2015 Screening Compliance Update

Federal Developments

FTC Enforcement
On October 21st, the Federal Trade Commission (FTC) announced a settlement with Sprint over alleged violations of the Fair Credit Reporting Act (FCRA) by “fail[ing] to give proper notice to consumers who were placed in a program for customers with lower credit scores and charged an extra monthly fee.” According to the terms of the settlement, Sprint will pay $2.95 million in civil penalties. According to the FTC, Sprint placed customers with lower credit scores in an “Account Spending Limit (ASL) program, ” which requires customers in the program to “pay a monthly fee of $7.99 in addition to the charges for cell phone and data services.” The FTC states that “Sprint in many cases failed to provide consumers placed in the ASL program with all of the disclosures in the required notice, omitting required information that would help consumers understand the information in their credit reports, and that may have alerted them to possible errors that caused them to receive less favorable terms of credit, ” adding that a 2013 “FTC study showed credit reports often contain significant errors.”

On October 20th, the FTC announced a settlement with operators of an alleged tech support “scam” for alleged violations of the FTC Act by “trick[ing] consumers into paying millions of dollars for technical support services they did not need and software that was otherwise free.” Under the terms of the settlement, the defendants are required to turn over multiple real estate properties as well as the contents of numerous bank accounts, and to give up the leases on two luxury cars. The settlement also includes a monetary judgment of $3, 095, 037.02. According to the FTC, the defendants “cold-called consumers, pretending to be representatives of Microsoft or Facebook, ” and sold them technical support services they did not need at costs ranging from $149 to $600.

LifeLock, Inc. agreed to pay up to $116 million to settle FTC allegations that it was not in compliance with the terms of a 2010 settlement requiring the company to refrain from misrepresenting the effectiveness of its identity theft protection services.

CFPB Enforcement
The CFPB announced a settlement with two background check companies (General Information Services and its affiliate, e-Background-checks.com, Inc.) for failing to take basic steps to assure the information reported about job applicants was comprehensive. The CFPB ordered the companies to correct their practices, provide $10.5 million in relief to harmed consumers, and pay a $2.5 million civil penalty.

FTC and Consumer Protection
On October 13th, the Federal Trade Commission (FTC) and consumer protection agencies from 33 other countries unveiled an updated econsumer.gov website “aimed at gathering and sharing cross-border e-commerce complaints.” The website was originally launched in 2001. According to the FTC, updates include an improved website design and a more user-friendly complaint form. The FTC states that “[c]onsumer complaints filed through econsumer.gov are entered into Consumer Sentinel, a complaint database maintained by the FTC, and are made available to enforcers and regulators in countries with participating agencies, ” explaining that, “[t]hose agencies may use the complaints to investigate cross-border issues, uncover new scams, pursue regulatory or enforcement actions, and spot consumer trends.”

Oct. 6: The House passed HR 2091, the “Child Support Assistance Act of 2015, ” which would “amend the [FCRA] to clarify the ability to request consumer reports in certain cases to establish and enforce child support payments and awards.”

US-EU Safe Harbor
On October 8th, Senator Chris Murphy (D-CT) released a statement urging lawmakers to pass S. 1600, the Judicial Redress Act, following the European Court of Justice’s invalidation of the U.S. – EU Safe Harbor program. The bill would extend privacy protections to European allies and, according to Murphy, “provide a clear signal that we value the transatlantic relationship and seek to fully rebuild trust in U.S.-EU data flows.” According to a statement published on his website, Murphy says that “[u]nless Congress and the U.S. Department of Commerce act quickly, this…Safe Harbor ruling will be a job killer for U.S. technology companies that conduct business abroad. Our national security is also under threat, as the elimination of transatlantic information sharing agreements could ultimately threaten the law enforcement cooperation that helps keep Americans safe.”
S 1600: http://www.gpo.gov/fdsys/pkg/BILLS-114s1600is/pdf/BILLS-114s1600is.pdf

FTC and Consumer Privacy
On October 26th, the Federal Trade Commission (FTC), in conjunction with enforcement agencies from seven other countries, launched a new initiative to “boost cooperation in protecting consumer privacy.” According to the FTC, the initiative involves a new information-sharing system to better coordinate international efforts in protecting consumer privacy. The FTC describes the system, called the Global Privacy Enforcement Network Alert (GPEN Alert), as a “multilateral system that will enhance coordination by enabling participants to confidentially share information about investigations. The GPEN Alert technology is based on the FTC’s Consumer Sentinel Network, a system that enables member U.S. law enforcement agencies to access complaints that consumers provide to the FTC and other data contributors.”

Consumer Privacy
On October 20th, the House passed HR 1428, the Judicial Redress Act, which would extend privacy protections to citizens of U.S. allies. Specifically, the bill would provide certain foreign citizens the right to sue the U.S. federal government in federal court for alleged privacy violations related to data shared with the government for law enforcement purposes. The bill’s passage follows the European Court of Justice’s decision to invalidate the U.S. – EU Safe Harbor program based, in part, on the lack of privacy protections afforded to citizens of the European Union. According to one of the bill’s sponsors, Rep. Jim Sensenbrenner (R-WI), “[t]he [bill] is central to our efforts to rebuild strained relationships with our allies and to ensure privacy and security for both American and European Union citizens.”

Court Cases

On October 26th, a plaintiff filed a putative class action against Experian and TransUnion for alleged violations of the Fair Credit Reporting Act (FCRA) by failing to maintain comprehensive information and failing to correct incomprehensive information through reinvestigating disputed claims. According to the plaintiff’s complaint, the credit agencies falsely listed numerous child support payments as delinquent and failed to correct the alleged inaccuracy after notifying the credit agencies that the payments were timely paid. The complaint asserts that the credit agencies’ negligence resulted in a loss of credit and the ability to purchase and benefit from credit, in addition to the time and expense of disputing the alleged incorrect reports.
Bryan Jallo v. Experian Information Solutions, Inc. et al., No. 4:15-cv-00745 (E.D. Tex., Oct. 26, 2015).

On October 8th, a plaintiff moved for class certification in a lawsuit against Amazon.com LLC (Amazon) for alleged violations of the Fair Credit Reporting Act (FCRA) over the company’s background screening procedures. According to the plaintiff’s complaint, the plaintiff alleges that Amazon made an adverse employment decision based on the plaintiff’s alleged incomprehensive background check report that showed an incomprehensive cocaine conviction. Additionally, the plaintiff alleges that Amazon and the background check provider failed to afford him the opportunity to review the background check report prior to an adverse employment decision.
Williams v. Amazon.com, Inc. et al., No. 1:15-cv-07256 (N.D. Ill., Oct. 8, 2015).

A federal district court ruled that Genesis Healthcare LLC complied with the FCRA when it obtained a prospective employee’s criminal history report from a third party.

Data Breach
On September 25th, a plaintiff filed a putative class action against payment processor YapStone, Inc. (YapStone) over its recently announced data breach. According to the complaint, the plaintiff is suing Yapstone, a payment processor for vacation rental website VRBO, for negligence and breach of contract for failing to safeguard customer data from a possible data breach. The plaintiff alleges that YapStone did not take reasonable measures to protect customer data and failed to timely notify customers of the breach. Specifically, the plaintiff states that “[a]s a result of Defendant’s ongoing failure to notify consumers regarding what type of [personally identifiable information] has been compromised, consumers are unable to take the necessary precautions to mitigate their damages by preventing future fraud.”
Jonathan Koles v. YapStone, Inc., No. 3:15-cv-04429 (N.D. Cal., Sep. 25, 2015).

Experian/T-Mobile Data Breach
On October 5th, plaintiffs filed a putative class action against T-Mobile US, Inc. (T-Mobile) and Experian over Experian’s recently announced data breach involving up to 15 million customers’ personal information. According to separate complaints filed against both companies, the plaintiffs accuse each company of negligence and breach of contract by failing to implement proper data security policies and practices and misleading customers into believing that their data was protected by industry standards and best practices. The plaintiffs argue that the exposure of their personal information has created a “heightened and imminent risk of fraud and identity theft.”
Colin Ryan et al. v. Experian Holdings, Inc. et al., No. 8:15-cv-01595 (C.D. Cal., Oct. 5, 2015).
Brendan Moore et al. v. Experian North America, Inc. et al., No. 1:15-cv-08771 (N.D. Ill., Oct. 5, 2015).

Scottrade Data Breach
On October 2nd, a plaintiff filed a putative class action against Scottrade, Inc. (Scottrade) over its recently announced data breach affecting up to 4.6 million customers’ personal information. According to the complaint, the plaintiff alleges that Scottrade was negligent by failing to implement reasonable data security policies and practices. The plaintiff also alleges that Scottrade’s breach notification email to affected customers was “woefully inadequate and vague.” Specifically, the plaintiff states that “Scottrade’s actions and/or omissions occurred despite prior warnings, including prior incursions of their network by third parties, who conducted fraudulent stock trades using Scottrade’s customer’s accounts, and even fines from government agencies concerning its system’s security procedures and oversight.”
Hine v. Scottrade, Inc., No. 3:15-cv-02213 (S.D. Cal., Oct. 2, 2015).

State Regulations

Delaware Privacy Policy Law
On August 7th, Delaware Governor Jack Markell (D) signed SB 68, the Delaware Online Privacy and Protection Act. Under the law, certain operators of commercial online sites and services are required to “conspicuously display” a privacy policy on their website. Specifically, the law states that “[a]n operator of a commercial Internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about individual users residing in Delaware who use or visit the operator’s commercial Internet website…shall make its privacy policy conspicuously available on its Internet website….” According to the law, an operator will be in violation if it fails to make its privacy policy conspicuously available within 30 days after being notified of noncompliance. Under the law, the privacy policy must, among other things:

  • Identify the type of information being collected;
  • List the categories of third parties with whom the information is shared;
  • Disclose how the operator responds to web browser “do not track” signals; and
  • Detail how the company notifies users of changes to the privacy policy.


California Data Breach Statute
Oct. 6: California Governor Jerry Brown signed three new data breach bills into law. The three bill package, which was developed in response to recent California hospital breaches, amends the state’s existing statute in several ways:

State Developments

T-Mobile Data Breach
T-Mobile USA, Inc. reported that a data breach at Experian affected up to 15 million T-Mobile customers’ names, addresses, birth dates, and encrypted Social Security numbers. T-Mobile USA, Inc. reported that a data breach at Experian affected up to 15 million T-Mobile customers’ names, addresses, birth dates, and encrypted Social Security numbers.

Scottrade Data Breach
Scottrade reported a data breach involving an undisclosed number of clients’ names and addresses.

Experian/T-Mobile Data Breach
On October 5th, California Attorney General Kamala Harris (D) urged T-Mobile customers to place fraud alerts on their credit reports following Experian’s data breach. Recently, Experian confirmed a data breach involving up to 15 million T-Mobile customers’ Social Security numbers, names, addresses, and birth dates (previously reported). According to Harris, “[p]lacing a fraud alert on your credit records protects consumers from identity theft by requiring that businesses verify your identity before issuing credit, ” explaining that, “[u]nlike credit monitoring, which notifies individuals when activity has occurred on their credit records, a fraud alert is a preventive measure.”

Dow Jones Data Breach
On October 9th, Dow Jones and Company, Inc. (Dow Jones) reported a data breach involving an undisclosed number of customers’ names, addresses, and payment card information. According to the breach notice, Dow Jones learned on August 9th that an unauthorized party accessed one of its servers that contained personal information of customers who subscribe to The Wall Street Journal, MarketWatch, or Barons. Upon learning of the incident, Dow Jones initiated an investigation, “identifying and closing the known access paths and have taken further steps to secure [its] systems.” Dow Jones recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring and identity theft services for two years at no cost.

NorthShore Data Breach
On October 8th, NorthShore Care Supply (NorthShore) reported a data breach involving an undisclosed number of customers’ names, payment card information, and addresses. According to the breach notice, NorthShore learned on August 24th of a possible “security incident involving its online ordering website.” Upon learning of the incident, NorthShore initiated an investigation, which found that the affected period is between June 7, 2015 and August 24, 2015. As a result, payment card information used during this period may have been compromised. NorthShore recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring and identity theft services for one year at no cost.

Peppermill Casinos Data Breach
On October 13th, Peppermill Casinos, Inc. (Peppermill) reported a data breach involving an undisclosed number of customers’ names and payment card information. According to the breach notice, Peppermill learned in April 2015 that “criminal hackers” gained unauthorized access to its network and improperly obtained customers’ payment card information used at Peppermill’s front desk for transactions between October 12, 2014 and February 16, 2015. Upon learning of the incident, Peppermill initiated an investigation and has since “implemented new policies and procedures aimed at preventing future security incidents.” Peppermill recommends that customers monitor their credit and debit card statements.

E-Trade Data Breach
On October 9th, The Washington Post reported that E-Trade notified 31, 000 customers that their contact information may have been compromised in a 2013 data breach. According to the article, E-Trade sent out notices indicating that the scope of the breach was limited to email addresses and mailing addresses. The Washington Post obtained a copy of E-Trade’s notification, which reportedly stated that E-Trade has “no evidence that any sensitive customer account information, including passwords, Social Security numbers, or financial information was compromised.” According to the article, despite the breach occurring in 2013 it was only recently that law enforcement informed the company of evidence that customer contact information may have been breached and that it should notify the customers “out of an abundance of caution.”

Service Systems Associates, Inc. Data Breach
On October 13th, Service Systems Associates, Inc. (SSA), a payment processing provider, reported a data breach involving an undisclosed number of customers’ payment card information. According to the breach notice, SSA learned that malware was installed in its point-of-sale systems used by gift shops in 10 zoos between March 24, 2015 and May 20, 2015. Since discovering the incident, SSA initiated an investigation and removed the malware from its point-of-sales systems, and “took several steps to improve security and prevent future attacks.” SSA recommends that individuals monitor their credit reports and is offering affected individuals credit monitoring and identity theft services for one year at no cost.

Food.com Data Breach
Oct. 16: Food.com reported a data breach involving an undisclosed number of customers’ log-in credentials and birth dates.

NextBus Data Breach
Oct. 16: NextBus, Inc. reported a data breach involving an undisclosed number of customers’ log-in credentials, email addresses, and phone numbers.

ABA Data Breach
On October 22nd, the American Bankers Association (ABA) reported a data breach involving “at least” 6, 400 customers’ emails, user names, and passwords used for online purchases. According to the breach notice, the ABA is currently working with a cybersecurity forensics company to determine the nature and scope of the data breach. Currently, the ABA is unaware of any fraudulent activity associated with the compromised data. The ABA recommends that users reset their passwords, including resetting other account passwords that use the same credentials as their ABA account.

Other Developments

Cross Border Data Transfers
On October 20th, Microsoft Corp. (Microsoft) President and Chief Legal officer Brad Smith wrote a blog post urging U.S. and European lawmakers to develop a new privacy framework to replace the invalidated U.S. – EU Safe Harbor program. According to Smith, consumers should not lose privacy protections when their data is transferred overseas. Specifically, Smith stated that “[i]f we’re going to find a long-term sustainable approach, we need to think afresh, ” adding that, “[t]he approaches that were developed 15 years before the 20th century are simply not adequate 15 years after the 21st century began.” As a result, Smith urged lawmakers to ensure that individuals’ privacy protections move with their data, stating that “[t]his is a straightforward proposition that would require, for example, that the U.S. government agree that it will only demand access to personal information that is stored in the United States and belongs to an EU national in a manner that conforms with EU law, and vice versa.”

Payment Card Industry Security Standards
The Payment Card Industry Security Standards Council issued new guidance on responding to a data breach.

International Developments

The European Court of Justice issued a judgment expanding the enforcement reach of national data protection regulators in the EU.

Safe Harbor Industry
Oct. 15: The Hill published an article entitled, “Tech Giants Urge Congress to Give Privacy Rights to EU Citizens.”

Oct. 13: The IAPP published an article entitled, “Solving the Unsolvable on Safe Harbor—The Role of Independent DPAs.”

On October 6th, the European Court of Justice issued a judgment invalidating the U.S. – EU Safe Harbor program, finding that it violates the privacy rights of Europeans. The court agreed with a recent nonbinding opinion released by the court’s Advocate General Yves Bot, ruling that the U.S. – EU Safe Harbor fails to provide adequate protections for EU citizens’ personal data. Specifically, the court stated that, “[n]ational security, public interest and law enforcement requirements of the United States prevail over the safe harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements, ” adding that, “the United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.” The court also found that the Safe harbor program lacked privacy protections for EU citizens by failing to offer a judicial means of redress in U.S. courts if they believe their privacy has been violated.

AGG Summary of the current situation: http://www.agg.com/european-court-of-justice-invalidates-safe-harbor-adequacy-finding-organizations-should-re-evaluate-their-basis-for-eu-us-data-transfers-10-07-2015/

Media reported that European Data Protection Supervisor Giovanni Buttarelli, during a privacy briefing hosted by DataGuidance and Sidley Austin LLP, urged multinational companies to refrain from engaging in “creative” solutions to the invalidated U.S. – EU Safe Harbor program.

The New York Times published an article entitled, “As U.S. Tech Companies Scramble, Group Sees Opportunity in Safe Harbor Decision.”

U.S. – EU Safe Harbor
On October 26th, European Commissioner Vera Jourova, during prepared remarks before the civil liberties committee, said that EU and U.S. representatives have agreed in principle on a new data-sharing pact. The announcement follows an October 6th European Court of Justice (ECJ) decision invalidating the U.S. – EU Safe Harbor agreement. According to Jourova, the European Commission resumed discussions with U.S. representatives following the ECJ ruling to address transparency and enforcement concerns raised by the ECJ. Specifically, Jourova stated that “[t]here is agreement on these matters in principle, but we are still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the court.” Jourova noted that the new agreement would implement more oversight rather than self-regulation, stating that the possible agreement “will transform the system from a purely self-regulating one to an oversight system that is more responsive as well as proactive, and backed up by significant enforcement, including sanctions.”

On October 16th, the Article 29 Working Party released a statement urging representatives of the U.S. and European Union to develop a data sharing agreement by January 2016 to replace the Safe Harbor program. The statement follows the recent European Court of Justice’s decision that invalidated the U.S. – EU Safe Harbor program. In its statement, the Article 29 Working Group urged each side to negotiate another agreement that addresses the concerns raised by the European Court of Justice, namely that the Safe Harbor agreement did not do enough to protect the privacy rights of European citizens. According to the Article 29 Working Group, “[i]f by the end of January 2016, no appropriate solution is found with the U.S. authorities … EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

The Hill reported on the possible data-sharing agreement.

Israel and Data Protection
On October 19th, Israel’s data protection authority released a statement revoking its prior agreement for data transfers from Israel to the United States. According to the Israeli Law, Information and Technology Authority (ILITA), multinational companies cannot rely on the safe harbor framework recently invalidated by the European Court of Justice. Specifically, the ILITA stated that data transfers were based on companies self-certifying their compliance with regulations of the safe harbor framework, however, “pursuant to the European decision, it is no longer permissible to rely on the safe harbor as a basis for transfers of personal data from Israel to the U.S.”

Germany Data Protection Authority
Oct. 28: The Hill reported about Germany’s data protection authority investigating Google and Facebook regarding their data transfers to the U.S.

Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or robert.belair@agg.com.

Let’s start a conversation

contact Contact