September 2015 Screening Compliance Update

Federal Developments

Furnisher Rule
On September 16th, the Federal Trade Commission (FTC) published a blog post about the Fair Credit Reporting Act’s (FCRA) Furnisher Rule. In the post, the FTC highlighted its recent enforcement action against Tricolor Auto Group (TAG), requiring TAG to pay approximately $82, 000 to resolve alleged violations of the FCRA by “fail[ing] to have written policies and procedures regarding the accuracy of reported credit information, and fail[ing] to properly investigate disputed consumer credit information.” According to the FTC, the FCRA “requires companies to have reasonable written policies and procedures in place regarding the accuracy and integrity of the consumer information they furnish to [consumer reporting agencies], ” adding that “[o]nce a consumer disputes the accuracy of that information, the Furnisher Rule requires the company to conduct a timely investigation and report back to the consumer. If it looks like the consumer is right, the company has to contact the CRA to correct the inaccuracy.”
https://www.ftc.gov/news-events/blogs/business-blog/2015/09/rearranging-furnisher

FTC Enforcement
On September 3rd, the FTC approved a Final Order against Nomi Technologies (Nomi), a retail tracking firm, for alleged violations of the FTC Act by “misleading consumers about the available choices to opt-out of the company’s mobile device tracking program.” The settlement was first announced in April 2015 and was followed by a public comment period (previously reported). The FTC alleged that Nomi “misled consumers with promises that it would provide an in-store mechanism for consumers to opt out of tracking and that consumers would be informed when locations were using Nomi’s tracking services.” The FTC’s investigation revealed, no mechanism for opting-out was put in place and consumers were not informed of where tracking was taking place. Under the terms of the settlement, “Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices.”
https://www.ftc.gov/news-events/press-releases/2015/09/ftc-approves-final-order-nomi-technologies-case

The FTC announced a settlement with an auto dealer, requiring the auto dealer to pay approximately $82, 000 to resolve alleged violations of the FCRA by “fail[ing] to have written policies and procedures regarding the accuracy of reported credit information, and fail[ing] to properly investigate disputed consumer credit information.”
https://www.ftc.gov/news-events/press-releases/2015/09/ftc-action-stops-scammers-who-collected-millions-phantom-payday?utm_source=govdelivery

ID Theft Monitoring Contract
Sep. 1: OPM and the DOD announced the award of a $133 million contract with Identity Theft Guard Solutions LLC to provide identity theft response services to individuals affected by OPM’s recent data breaches.
https://www.opm.gov/news/releases/2015/09/opm-dod-announce-identity-theft-protection-and-credit-monitoring-contract/

DOD Data Breach Guidelines
Sep. 2: The Identity Theft Resource Center reported on the DOD’s new data breach reporting guidelines for contractors and subcontractors.

FTC Blog
On September 8th, the Federal Trade Commission (FTC) published a blog post about company compliance with the Fair Credit Reporting Act’s (FCRA) notice, consent, and disclosure requirements regarding background checks for job candidates. In the post, the FTC focused on the applicability of the FCRA’s 603(y) provision entitled, “Exclusion of Certain Communications for Employee Investigations.” Specifically, the FTC addressed “whether screening reports about job candidates are exempt from the FCRA’s notice, consent, and disclosure requirements because of Section 603(y).” According to FTC staff, such screening reports are not exempt because Section 603(y) covers only investigations of current employees, not both current employees and job candidates. The FTC identified three reasons for their conclusion:

• The language of Section 603(y) assumes an existing employer-employee relationship;
• The legislative history of the provision refers to it as “a narrow technical correction”; and
• “Courts have established that the FCRA is ‘undeniably a remedial statute that must be read in a liberal manner in order to effectuate the congressional intent underlying it, ’” adding that “[a]pplying Section 603(y) to the background screening of candidates would allow the exception to swallow the rule.”

https://www.ftc.gov/news-events/blogs/business-blog/2015/09/why-603y-doesnt-apply

EEOC / Background Screening
On September 8th, the U.S. Equal Employment Opportunity Commission (EEOC) announced that BMW Manufacturing Co., LLC (BMW) entered into a consent decree, requiring BMW to pay $1.6 million to settle EEOC allegations that the car manufacturer discriminated against African American logistics employees through application of criminal background checks which had a disparate impact and lead to said employees’ termination. Under the consent decree, BMW is enjoined from use of the criminal background check guidelines which were in effect. Additionally, the consent decree lays out key requirements for BMW and its logistics provider, including:

• They agree not to decline to hire any job candidate or otherwise disqualify any individual in a logistics position because of “criminal arrests or charges of any type if such arrests or charges did not result in a conviction.”
• They can, however, postpone an offer of employment if there is a pending charge, pending resolution of the charge.
• They must conduct an individualized assessment if they seek to disqualify any job candidate based on criminal history. Meaning they must provide written notice to the job candidate describing the criminal history which is at issue, and an offer to the candidate to explain the conviction and their appropriateness for employment.
• Above notice must be delivered by “reasonable means” and must afford the job candidate a period of at least 21 days during which time they can contact BMW or the logistics provider before an adverse employment decision is finalized.
• They must appoint an official to review all final decisions to decline to hire or otherwise disqualify an candidate due to criminal history.

http://www.immigrationcomplianceinsights.com/2015/09/08/bmw-signs-consent-decree-background-screening/
U.S. Equal Employment Opportunity Commission v. BMW Manufacturing Co., LLC, Sept. 8, 2015 (7:13-cv-01583).

Federal Ban the Box
On September 10th, Rep. Elijah Cummings (D-MD) introduced HR 3470, the Fair Chance Act, which would “prohibit federal agencies and federal contractors from requesting that an candidate for employment disclose criminal history record information before the candidate has received a conditional offer.” Sen. Cory Booker (D-NJ) introduced the Senate version, S. 2021. According to a statement published on the House Oversight and Government Reform Committee’s website, the bill would assist formerly incarcerated individuals in obtaining a “fairer chance at securing employment.” In the statement, the sponsors of the legislation highlight “Ban the Box” policies that have been implemented in “eighteen states and over 100 cities, ” adding that “companies such as Walmart, Koch Industries, Target, Home Depot, and Bed, Bath & Beyond have embraced these ‘Ban the Box’ policies to more fairly assess job candidates.” The statement says that the Fair Chance Act would, among other things:

• Ban the federal government—including the executive, legislative, and judicial branches—from requesting criminal history information from candidates until they reach the conditional offer stage;
• Prohibit federal contractors from requesting criminal history information from candidates for positions within the scope of federal contracts until the conditional offer stage; and
• Include important exceptions for positions related to law enforcement and national security duties, positions requiring access to classified information, and positions for which access to criminal history information before the conditional offer stage is required by law, as listed in the statement.

OPM Data Breach
On September 3rd, the Office of Personnel Management’s (OPM) Inspector General sent an interim status report to OPM’s Acting Director Beth Cobert regarding the agency’s response to recent data breaches. In the status report, Inspector General Patrick McFarland criticized OPM for not implementing his office’s recommendations for improving the information technology (IT) infrastructure of the agency following recent data breaches that affected approximately 20 million current and former federal employees’ personal information. Specifically, the report addressed the recent resignation of former OPM Director Katherine Archuleta and Congress’ unwillingness to fund OPM’s IT improvement project, stating that “[i]n such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome.”

Use of Credit for Employment Screening Purposes
On September 16th, Representative Steve Cohen (D-TN) introduced HR 3524, the Equal Employment for All Act. The Senate version, S. 1981, is sponsored by Senator Elizabeth Warren (D-MA) and was introduced August 5th (previously reported). The bill would “amend the Fair Credit Reporting Act to prohibit the use of consumer credit checks against prospective and current employees for the purposes of making adverse employment decisions.” According to a statement on Cohen’s website, HR 3524 seeks to “protect job seekers from unfair discrimination from employers based on credit ratings that are often incomprehensive and bear little to no correlation to job performance or ability to succeed in the workplace.” Specifically, Cohen’s statement asserts that the bill “would protect prospective employees from being forced to disclose their credit history as part of an employer’s application process.” According to the text of S. 1981, “a person, including a prospective employer or current employer, ” may not use a consumer report or procure a consumer report on any consumer that contains information on the consumer’s creditworthiness, credit standing, or credit capacity:

• For employment purposes; or
• For making an adverse action, as listed in the bill.

Cohen Statement: http://cohen.house.gov/press-release/cohen-warren-bill-protect-job-seekers-credit-based-discrimination-introduced-house
S. 1981: http://www.gpo.gov/fdsys/pkg/BILLS-114s1981is/pdf/BILLS-114s1981is.pdf

EU-U.S. Safe Harbor
On September 28th, the United States responded to a recent nonbinding opinion of the Advocate General of the European Court of Justice, which criticized the U.S.-EU Safe Harbor program. Last week, Advocate General Yves Bot’s released an opinion urging the European Commission to “invalidate” the Safe Harbor program because of the “mass, indiscriminate surveillance” practices of U.S. intelligence agencies (previously reported). According to the U.S. Mission to the European Union (EU), the Advocate General relied on incomprehensive or obsolete facts in his opinion. Specifically, the U.S. states that it “does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens, ” adding that, “the advocate general’s opinion fails to take into account that — particularly in the last two years — President Obama has taken unprecedented steps to enhance transparency and public accountability regarding U.S. intelligence practices, and to strengthen policies to ensure that all persons are treated with dignity and respect, regardless of their nationality or place of residence.”

On September 23rd, the European Court of Justice’s Advocate General recommended that the court invalidate the European Union’s (EU) decision finding that the Safe Harbor program provides “adequate” privacy protection under EU law. According to Advocate General Yves Bot, the agreement fails to prevent US intelligence agencies from obtaining unfettered access to European citizens’ personal data. Specifically, Bot stated that “[t]he access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security, ” explaining that, “[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.” The court is expected to rule on the matter later this year.
http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=326249

The United States and European Union reached a deal in early September giving EU citizens the right to sue if their personal information is misused in the U.S. “Robust cooperation between the EU and U.S. to fight crime and terrorism is crucial to keep Europeans safe, ” EU Commissioner Vera Jourova said. “But all exchanges of personal data such as criminal records, names or addresses need to be governed by strong data protection rules.” The deal, called the data protection Umbrella Agreement, says data transfers between European and American law enforcement officials can be shared only for the purpose of fighting or investigating crime, including terrorism. It says if a third party should get its hands on this data for “incompatible purposes, ” European citizens can sue in a U.S. court. Americans currently have the same legal right.

Reuters published an article entitled, “EU-U.S. Data-Sharing Deal Faces Major Challenge in EU Court.”
http://www.reuters.com/article/2015/09/21/us-ireland-eu-privacy-idUSKCN0RL15K20150921

The European Court of Justice’s Advocate General recommended that the court invalidate the EU’s decision finding that the Safe Harbor program provides “adequate” privacy protection under EU law.
http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=326249

The Wall Street Journal published an article entitled, “EU to Rule on European, U.S. Data Pact Next Week.”
http://www.wsj.com/articles/eu-to-rule-on-european-u-s-data-pact-next-week-1443525688?mod=WSJ_TechWSJD_moreTopStories

Court Cases

FCRA
Sep. 18: Nationwide Mutual Insurance Co. customers pressed the Sixth Circuit to revive their putative class action against Nationwide alleging violations of the FCRA by failing to implement reasonable data security policies and practices.

On September 16th, a plaintiff filed a putative class action against Chipotle Mexican Grill, Inc. (Chipotle) alleging violations of the Fair Credit Reporting Act (FCRA) over its background check disclosure practices. According to the complaint, the plaintiff alleges that Chipotle improperly procured prospective employees’ background checks after failing to adequately disclose the company’s background check procedures. According to the plaintiff, Chipotle’s background check disclosure was not a stand-alone document consisting solely of information on the company’s background check procedures, a violation of the FCRA. Specifically, the plaintiff said that “[u]nder the FCRA, it is unlawful to procure or cause to be procured, a consumer report or investigative consumer report for employment purposes, unless the disclosure is made in a document that consists solely of the disclosure and the consumer has authorized in writing the procurement of the report.”
Mejia v. Chipotle Mexican Grill, Inc. et al., No. 5:15-cv-01911 (C.D. Cal., Sep. 16, 2015).

On September 15th, a federal district court approved a settlement between Whole Foods Market Group, Inc. (Whole Foods) and a class of employees in an action alleging the grocery chain violated the FCRA with its background check notification methods. The lead plaintiff filed the class action in December 2014 alleging that Whole Foods’ background check disclosure forms violated the FCRA by not providing prospective employees with a clear and conspicuous stand-alone document explaining the company’s background check procedures. Under the terms of the settlement, Whole Foods has agreed to pay a total of approximately $803, 000 to roughly 20, 000 class members, granting each member about $24 after other expenses. The class is comprised of both current and prospective employees who were subject to a consumer report procured by Whole Foods within five years of the filing of the class action.
Colin Speer v. Whole Foods Market Group, Inc., No. 8:14-cv-03035 (M.D. Fla., Sep. 15, 2015).

On September 14th, a plaintiff filed a lawsuit against Experian for alleged violations of the Fair Credit Reporting Act (FCRA) and California’s Credit Reporting Agencies Act by selling reports containing incomprehensive information on the plaintiff. According to the complaint, the plaintiff alleges that Experian sold reports indicating that the plaintiff is “deceased, ” which has made it “practically impossible” for him to obtain credit. The complaint further alleges that Experian has refused to allow him to update his information and that the credit reporting agency does not take steps to verify that an individual is dead prior to identifying them as “deceased.” Specifically, the complaint states that “[d]efendants have no independent procedure to change an erroneous deceased status on its own and will merely parrot their furnishing source in the case of a reinvestigation into the accuracy of the deceased status upon a consumer’s report, ” explaining that “[e]ven in instances where the purportedly deceased consumer communicates directly with the defendants, defendants employ no procedures which assure that a consumer with a ‘deceased’ mark on his/her report is, in fact, deceased.”
Perstin v. Experian Information Solutions Inc. et al., No. 8:15-cv-01480 (C.D. Cal., Sep. 14, 2015)

Sep. 9: Numerous state attorneys general filed an amicus brief with the U.S. Supreme Court in Spokeo, Inc. v. Robins arguing that that consumers should have the ability to sue a company under the FCRA for “disseminat[ing] incomprehensive personal information that is used to make decisions about credit, housing, insurance or employment.

On September 8th, fifteen law professors filed an amicus brief with the U.S. Supreme Court in Spokeo, Inc. v. Thomas Robins et al., urging the Court to not dismiss the plaintiff’s lawsuit against Spokeo, Inc. (Spokeo) for violations of the FCRA after allegedly publishing incomprehensive information about him. According to the professors, the Ninth Circuit properly rejected Spokeo’s argument that its “people search engine” did not cause actual harm to the plaintiff to establish standing. Additionally, the professors express concern over how consumer reporting agencies would react if the Ninth Circuit decision were reversed. According to the amicus brief, “[t]he FCRA’s consumer transparency requirements and remedial provisions were designed to encourage steady improvement in consumer reporting practices and to relieve pressure on public enforcement authorities, ” adding that, “[Spokeo’s] claim that [the plaintiff] cannot pursue it for its violations of the FCRA would unravel that bargain, preserving consumer reporting agencies’ broad immunity from suit while diminishing incentives to handle data fairly.”
Spokeo, Inc. v. Thomas Robins et al., No. 13-1339 (S. Ct., Sep. 8, 2015).

Sep. 8: The Center for Democracy and Technology filed an amicus brief with the U.S. Supreme Court in Spokeo, Inc. v. Robins arguing that the “private right of action is a vital part of [the] FCRA.”
https://cdt.org/blog/cdt-brief-in-spokeo-v-robins-supports-individual-claims-for-privacy-violations/

On September 8th, the CFPB filed an amicus brief with the U.S. Supreme Court in Spokeo, Inc. v Robins, a lawsuit alleging that Spokeo, Inc. (Spokeo) violated the Fair Credit Reporting Act (FCRA) by publishing incomprehensive information on the plaintiff. At issue is whether a plaintiff who cannot show actual harm from a violation of the FCRA still has standing to sue under Article III. In its brief, the CFPB expressed support for the plaintiff’s standing to sue, arguing that a plaintiff can show the “injury in fact” requirement for Article III standing “by demonstrating an invasion of his own legally protected interests” as long as the plaintiff can show the invasion was “actual and concrete.” The Supreme Court is scheduled to hear oral arguments in the case on November 2, 2015.
http://files.consumerfinance.gov/f/201509_cfpb_amicus-brief_spokeo-merits-stage.pdf

On September 3rd, a federal district court granted Trans Union’s motion to stay in an action alleging that Trans Union violated the Fair Credit Reporting Act (FCRA) by not permitting consumers to challenge criminal and terrorist alerts on their credit reports. According to Trans Union, the case should be stayed while the Supreme Court rules on two FCRA class actions against Spokeo, Inc. and Tyson Foods, Inc., which will determine whether a plaintiff can allege FCRA violations without suffering actual harm. In the Trans Union case, the plaintiff alleges that the credit bureau incomprehensively included criminal and terrorist alerts in credit reports and then furnished those reports to prospective employers and landlords without the consumers’ knowledge. Counsel for Trans Union said that “it’s far from clear that [the plaintiff] has suffered any actual harm.”
Patel v. Trans Union LLC et al., No. 3:14-cv-00522 (N.D. Cal., Sep. 3, 2015).

On September 3rd, plaintiffs filed a putative class action against Uber Technologies, Inc. (Uber) and a contractor for alleged violations of the FCRA over the ridesharing company’s employment screening practices. According to the complaint, the plaintiff alleges that Uber and its contractor denied prospective employees the opportunity to dispute incomprehensive information on their consumer reports and failed to provide a stand-alone background check disclosure form as required under the FCRA. Specifically, the complaint states that the “purpose of the stand-alone disclosure is to inform the consumer job candidate that a background report will be procured about him or her, not to provide the employer an opportunity to obtain the prospective employee’s signature on a form filled with confusing language and self-serving protections for the employer or waivers of the employee’s rights, ” adding that “ Congress included in the statutory scheme a series of due-process-like protections that impose strict procedural rules on ‘users of consumer reports, ’ such as Uber.”
Joseph Cuccinello et al. v. Uber, Inc. et al., No. 2:15-cv-06604 (D.N.J., Sep. 3, 2015).

On September 1st, a putative class action was filed against Universal Studios Orlando (Universal) for alleged violations of the Fair Credit Reporting Act (FCRA) over its background check procedures. According to the complaint, the plaintiff alleges that Universal failed to properly disclose that it would procure the plaintiff’s credit report as part of the company’s background check procedures for prospective employees. Specifically, the complaint states that Universal “procured consumer reports on Plaintiff and other putative class members for employment purposes, without first making proper disclosures in the format required by the statute, ” adding that the FCRA requires such disclosures to be in a “document solely consisting of Universal’s disclosure that it may obtain a consumer report on any person for employment purposes.”
Mendez v. Universal City Development Partners, Ltd., No. 6:15-cv-0142 (M.D. Fla., Sep. 1, 2015).

On August 31st , Plaintiff Thomas Robins filed a brief with the U.S. Supreme Court arguing that he has standing to sue Spokeo, Inc. (Spokeo) in a putative class action for alleged violations of the Fair Credit Reporting Act (FCRA) by publishing incomprehensive information about him. According to Spokeo, the plaintiff lacks standing because he has not suffered a “real-world” or actual injury based on Spokeo publishing incomprehensive information on the plaintiff. The plaintiff, however, relied on “centuries of common-law precedent” to argue he has standing. According to the plaintiff, “this court’s standing decisions, and separation-of-powers principles all disprove Spokeo’s claim that a ‘bare’ statutory violation without additional ‘real-world’ harm is not a cognizable injury, ” adding that “[n]o decision of this court holds that Article III bars Congress from creating personal legal rights and fashioning monetary relief to redress them in federal court.” Regardless, the plaintiff argues he suffered the exact type of “real-world” harm that the statute is designed to protect, stating that “[a]s soon as Spokeo willfully invaded [the plaintiff’s] legal rights under the FCRA by creating a false report about him without using procedures mandated by the statute, he was entitled to statutory damages, ” explaining that “[h]is claim for those damages created a classic legal dispute over whether one party (here, Spokeo) owes another ([the plaintiff]) a fixed sum of money. Spokeo’s failure to compensate [the plaintiff] is a monetary — or wallet — injury.”
Spokeo Inc. v. Thomas Robins et al., No. 13-1339 (S. Ct., Aug. 31, 2015).

On August 28th, a plaintiff, who filed a putative class action against Kohl’s Department Stores (Kohl’s) alleging that the retailer violated the Fair Credit Reporting Act (FCRA) over its background check disclosures, filed a response criticizing the retailer’s motion to dismiss arguing that it relies on a faulty interpretation of the law. According to Kohl’s motion to dismiss, the plaintiff filed the putative class action after the two-year statute of limitations had passed under the FCRA. However, the plaintiff argues that the statute of limitations is five years and claims that the period starts the date the plaintiff discovered the possible violation. Specifically, the plaintiff states that she “could not have discovered the violations underlying her FCRA claims until she learned that defendant had actually procured a consumer report on her, ” adding that, “the confusing nature of the forms, including the fact that plaintiff was required to sign multiple forms at the same time, only compounded plaintiff’s confusion surrounding the forms and their resultant unlawful nature.”
Coleman v. Kohl’s Department Stores, Inc., No. 3:15-cv-02588 (N.D. Cal., Aug. 28, 2015).

On August 19th, a federal district court denied Wells Fargo Bank, N.A.’s (Wells Fargo) motion for summary judgment in a putative class action alleging violations of the Fair Credit Reporting Act (FCRA) by not properly informing the plaintiff that the bank would procure a background check on him and by coding the plaintiff as “ineligible” before providing him with a pre-adverse action notice, a copy of the background check report, and a summary of his rights. According to the federal district court, the plaintiff has standing to sue under the FCRA provision that the background check disclosure form be in a document that solely consists of the disclosure and that a triable issue exists as to whether Wells Fargo coding the plaintiff as “ineligible” constitutes an adverse action under the FCRA that required notice to the prospective employee prior to the action.
Manuel v. Wells Fargo Bank, N.A., No. 3:14cv238 (E.D. Va., Aug. 19, 2015).

EEOC
On September 8, BMW Manufacturing Co. LLC’s reached a $1.6 million settlement with the EEOC over the alleged disparate impact the company’s criminal background checks had on African-American job candidates. The settlement shows that employers looking to avoid legal liability should take efforts to avoid overly broad or “blanket” background screening policies. When BMW switched contractors handling the company’s logistics at its Spartanburg, S.C., plant in 2008, it required the new contractor to perform a criminal background screening on all existing logistics workers who reapplied to keep their jobs. A large number of African-American workers were not allowed to keep their jobs because, at the time, BMW’s criminal background screening guidelines barred employment to people with convictions in some types of crimes regardless of when the employee had been convicted or the severity of the conviction, according to the agency’s suit. The agency’s suit sought relief for 56 of those people. The key terms of the settlement include BMW agreeing to pay $1.6 million in monetary relief to fifty-six claimants and to offer those claimants who want to return, the opportunity to return to work at the facility. The consent decree sets forth key requirements under which:

• BMW and its logistics provider may not decline to hire any job candidate or otherwise disqualify any individual in a logistics position because of “criminal arrests or charges of any type if such arrests or charges did not result in a conviction.”
• They can, however, postpone an offer of employment if there is a pending charge, pending resolution.
• BMW and its logistics provider must conduct an individualized assessment if they seek to disqualify any job candidate based on criminal history. Meaning they must provide written notice to the job candidate describing the criminal history which is at issue and an offer to the candidate to explain the conviction and their appropriateness for employment.
• The above notice must be delivered by “reasonable means” and must afford the job candidate a period of at least 21 days during which time they can contact BMW or the logistics provider before an adverse employment decision is finalized.
• BMW and its logistics provider must appoint an official to review all final decisions to decline to hire or otherwise disqualify an candidate due to criminal history.

On September 4, U.S. District Judge in the District of Maryland ordered the EEOC to pay legal fees of nearly $1 million to a company it accused of conducting discriminatory background checks after the agency submitted expert testimony riddled with errors but still pursued the case. These most recent developments pertaining to a suit the EEOC filed in 2009 represent a victory for employers who rely on background screening to ensure they do not hire individuals whose backgrounds present significant questions as to their qualifications for employment. In EEOC v. Freeman, the EEOC claimed that Freeman’s use of criminal and credit background checks in connection with its hiring practices had a disparate impact against African-American, Hispanic, and male job candidates. To support its claims, the EEOC proffered expert testimony purporting to support their disparate impact analysis. In 2012 Freeman filed a motion for summary judgment and a motion to preclude the EEOC’s expert testimony which the court granted. In that August 9, 2013 decision Judge Titus blasted both the EEOC’s theory and the multiple flaws in the analysis of its experts, concluding that the EEOC’s lawsuit was “a theory in search of facts to support it.” The decision issued on September 4 requires the EEOC to pay legal fees to Freeman

Biometric Data Security
On September 1st, a putative class action was filed against Facebook, Inc. (Facebook) for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) by collecting individuals’ facial recognition data from user uploaded photos. According to the complaint, the plaintiff alleges that Facebook’s facial recognition feature violates BIPA by scanning an individual’s photo and collecting facial recognition data of the user without their consent. The plaintiff asserts that Facebook “has created, collected and stored over a billion ‘face templates’ (or ‘face prints’) – highly detailed geometric maps of the face – from over a billion individuals.” The plaintiff argues that Facebook implements such facial recognition technology, but fails to make public its policy of collecting and maintaining geometric data to create face templates for use by Facebook.
Gullen v. Facebook, Inc., No. 1:15-cv-07681 (N.D. Ill., Sep. 1, 2015).

Neiman Marcus Data Breach
On September 17th, the Seventh Circuit declined to rehear an appeal filed by Neiman Marcus over the company’s 2013 data breach. By not rehearing the case, the Seventh Circuit ruling remains, holding that plaintiffs can sue for the costs associated with preventing fraud on their financial accounts. The plaintiffs filed the suit in March 2014, alleging that Neiman Marcus failed to properly safeguard customers’ data and implement proper data security practices that could have mitigated or prevented the data breach. The federal district court dismissed the suit in September 2014, ruling that plaintiffs lacked standing because they failed to show actual harm. The Seventh Circuit overturned the district court’s decision in July 2015, ruling that preventative costs such as credit monitoring and identity theft protection services “easily” qualify as injuries to establish standing. In August 2015, Neiman Marcus urged the Seventh Circuit to rehear the suit, which the appellate panel denied on September 17th.
Remijas et al. v. The Neiman Marcus Group LLC, No. 14-3122 (7th Cir., Sep. 17, 2015).

Excellus Data Breach
On September 18th, plaintiffs filed a putative class action against Excellus BlueCross BlueShield (Excellus) over a recently announced data breach involving up to 10.5 million customers. The plaintiffs allege that Excellus and its parent company, Lifetime Healthcare, Inc., failed to implement proper data security practices and waited too long in notifying affected customers of the breach. Specifically, the plaintiffs state that “[a]lthough the information in defendants’ system was encrypted, this traditional safeguard was largely irrelevant because the hackers went undetected for so long, ” adding that, “defendants have acknowledged that because hackers gained access to their network, they would have been able to circumvent its encryption, likely accessing decryption keys available to administrators on the system.” Regarding the delay in notifying customers of the breach, the plaintiffs state that the “[d]efendants have yet to fully and comprehensively inform those affected of the scope of the compromise or the nature of the risks associated with identity theft, ” explaining that, “[i]n a data breach situation, it is incumbent upon the breached company to provide comprehensive and complete information to those at risk so they may immediately move to protect themselves and their families from further harm.”
Fero et al. v. Excellus Health Plan, Inc. et al., No. 6:15-cv-06569 (W.D.N.Y., Sep. 18, 2015).

State Developments

Data Breach
On September 22nd, YapStone, also known as VacationRentPayment, a provider of payment services, reported a data breach involving an undisclosed number of customers’ names, emails, Social Security numbers, birth dates, and bank account information. According to the breach notice, customer personal information provided to YapStone may have been accessible to unauthorized persons through its website between July 15, 2014, and August 5, 2015. Upon learning of the incident, YapStone retained outside experts to investigate the scope and impact of the breach. YapStone states that it has no evidence that any information has been or will be misused. Yapstone recommends that individuals monitor their credit reports and is offering affected individuals free credit monitoring and identity theft services for two years at no cost.

Sep. 18: Plaintiffs filed a putative class action against Excellus BlueCross BlueShield over a recently announced data breach involving up to 10.5 million customers.

Sep. 17: Costco Photo Center reported a data breach involving an undisclosed number of customers’ names, addresses, payment card information, and phone numbers.

On September 17th, Rite Aid Pharmacy (Rite Aid) reported a data breach involving third party service provider PNI Digital Media (PNI), which hosts Rite Aid’s photo center, and affecting an undisclosed number of customers’ names, addresses, phone numbers, and payment card information. According to the breach notice, malware was installed on PNI’s servers that enabled an unauthorized party to obtain customer information between August 20, 2014, and July 14, 2015. Based on an investigation of the incident, Rite Aid has no evidence that any of its customers’ information has been misused as a result of the incident. Rite Aid recommends that individuals monitor their credit reports and is offering affected individuals free credit monitoring and identity theft protection services for one year at no cost.
http://ago.vermont.gov/

On September 11th, CVS Pharmacy, Inc. (CVS) reported a data breach involving an undisclosed number of customers’ names, payment card information, phone numbers, and addresses (previously reported). According to the breach notice, in July 2015 CVS learned of “unusual activity” involving its payment cards used on its CVSPhoto.com website, hosted by third party vendor PNI Digital Media (PNI). According to CVS, between June 2014 and July 2015 PNI’s systems experienced unauthorized intrusions, which “potentially resulted in the unauthorized acquisition of” users’ data on CVSPhoto.com. CVS emphasized that the incident occurred only within PNI’s network, and that the incident “did not impact financial transactions on CVS.com or in-store.” CVS is offering affected individuals credit monitoring and identity theft services for one year at no cost.
http://oag.ca.gov/system/files/Payment%20Card%20Customer%20Notification%20Letter_0.pdf

Sep. 1: UCLA Health Systems reported a data breach involving 1, 200 patients’ names and health information.
http://oag.ca.gov/system/files/Final%20IDExperts%20letter_0.pdf?

International Developments

US-EU Data Sharing Deal
Sep. 6: Reuters published an article entitled, “EU, US Clinch Data-Sharing Deal for Security, Terrorism Cases: Document.”
http://www.reuters.com/article/2015/09/06/us-eu-usa-dataprotection-idUSKCN0R60VS20150906?feedType=RSS&feedName=worldNews

Data Privacy
On September 25th, European Data Protection Supervisor Giovanni Buttarelli published an opinion criticizing a European Parliament proposal which would permit the collection of airline passengers’ personal information on all flights to, from, and within the EU. According to Buttarelli, there is no national security threat that would justify collecting the personal information of airline passengers flying to, from, or within the EU. Specifically, Buttarelli recognizes the importance of national security and the treat of terror, stating that “Europe is facing serious terrorist threats and we fully recognise the need for appropriate action.” However, Buttarelli emphasizes that “according to the available information, no elements reasonably substantiate the need for the default collection of massive amounts of the personal information of millions of travellers.”
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2015/EDPS-2015-08-EDPS_PNR_EN.pdf

Please Note: The information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected].