On September 15th, Representative Ed Perlmutter (D-CO) introduced H.R. 6032, entitled, “The Data Breach Insurance Act.” The bill would provide a 15% tax credit to companies that purchase data breach insurance coverage and are in compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Representative Perlmutter argues that the bill would incentivize companies to respond to the increasing risk of data breaches, citing statistics from the Ponemon Institute revealing that the average cost of a data breach is over $3.8 million. According to Perlmutter, “As more and more businesses become targets of cyber-attacks, it is more important than ever for them to be protected. That’s why I’m introducing this legislation to help do more to prevent massive data breaches that compromise millions of Americans’ private and personal information.” Perlmutter also praised the bill’s requirement for compliance with the NIST Cybersecurity Framework, writing, “With the adoption of a cybersecurity framework preventing breaches on the front end and insurance to protect businesses on the back end, this legislation provides a two-pronged approach helping businesses take the necessary steps to address this growing threat.”
FTC Blog on Data Breaches
The FTC Consumer Information Blog published a post on data breaches, encouraging consumers to check their credit scores every year.
On September 7th, Dish Network, LLC (Dish) agreed to a $1.75 million settlement resolving allegations that the company violated the Fair Credit Reporting Act (FCRA). The Plaintiffs accused the company of soliciting background reports on technicians, hired as contractors, without providing disclosure forms. The Plaintiffs also accused the company of prohibiting “high-risk” technicians from working on certain Dish projects, without allowing technicians the opportunity to verify or correct information included in their background check reports. The settlement will offer $480 to the 9,000 contractors that Dish labeled “high-risk” and offer $80 to the 38,000 contractors that Dish failed to provide disclosures to. The complaint accused Dish of being aware of its FCRA obligations but intentionally choosing to ignore disclosure requirements. Ernst v. Dish Network LLC et al., case number 1:12-cv-08794, in the U.S. District Court for the Southern District of New York.
On September 7th, a Pennsylvania federal judge denied Johnson & Johnson, Inc. (JNJ) and Kelly Services, Inc.’s (Kelly) motion to compel arbitration with a Plaintiff accusing them of violating the Fair Credit Reporting Act (FCRA). The Plaintiff alleges that JNJ rescinded his job offer after discovering a criminal record on his background report, despite never providing the Plaintiff with a copy of the report or a notice of his rights under the FCRA. The Plaintiff also claims that the criminal record listed on the background report was incorrect, improperly listing four misdemeanors. The Defendants argued that the Plaintiff signed an arbitration agreement when applying for the job through Kelly’s staffing service. The judge rejected this argument, writing, “the Court finds that evidence submitted in response to Defendant’s motion is ‘not insubstantial’ and constitutes more than a ‘naked assertion’ that Plaintiff did not intend to be bound by the arbitration agreement.” Noye v. Johnson & Johnson et al., case number 1:15-cv-02382, in the U.S. District Court for the Middle District of Pennsylvania.
On September 1st, a Virginia federal judge denied the Plaintiffs’ motion for class certification in a Fair Credit Reporting Act (FCRA) lawsuit against CoreLogic National Background Data, LLC (CoreLogic or NBD). The Plaintiffs accused CoreLogic of FCRA violations for allegedly including incorrect criminal history information in background reports purchased by potential employers. The judge found that the Plaintiffs failed to prove that these were not isolated incidents, writing, “They have chosen to pursue class certification, rather than individual actions, and their proposed class is premised on the assumption that NBD never furnished a complete report, yet they have refused to limit the class to reports that were incomplete or outdated in a specific, objective, and verifiable way.” The judge further added that, “There is no indication that Plaintiffs have acted in bad faith.” CoreLogic previously argued that it was not a consumer reporting agency subject to the FCRA because it actually sold information to background screeners. The judge rejected CoreLogic’s arguments, writing, “The undisputed documentary evidence from NBD establishes that, in practice, NBD has freely recognized that the background checks that it provides are indeed ‘consumer reports’ pertaining to individual consumers within the meaning of the FCRA.” Tyrone Henderson and James O. Hines Jr., on behalf of themselves and others similarly situated v. CoreLogic National Background Data LLC f/k/a National Background Data LLC, case number 3:12-cv-00097, in the U.S. District Court for the Eastern District of Virginia.
Illinois Credit Litigation
On September 27th, an Illinois Court of Appeals ruled that Neiman Marcus Group, Inc. (Neiman Marcus) violated the Illinois Employee Credit Privacy Act (ECPA) by running credit checks on all job applicants. The Plaintiff argued that Neiman Marcus’ decision to run credit checks on entry-level positions violated her privacy rights under the ECPA after she was denied a job based on the findings in the report. Neiman Marcus argued that sales associates were required to handle customer credit card applications, allowing the company to conduct credit checks. The Appeals Court rejected Neiman Marcus’ explanation, writing, “In reviewing the record, the parties’ briefs and the discovery on file, we find that sales associates are neither managers nor select few employees who Neiman Marcus trusts with personal and confidential information such to exempt the sales associate position from the protections of the act.” The panel cited legislative intent in its ruling, quoting an Illinois Assembly Member who argued that the ECPA “prohibits employers from inquiring about or using an employee’s or prospective employee’s credit history as a basis for employment.” The panel also recognized that if Neiman Marcus’ arguments were correct, all retail employees in the state would be exempt from the ECPA’s protections. Ohle v. The Neiman Marcus Group, case number 1-14-1994, in the Illinois Court of Appeals, First District, Second Division.
Data Breach Litigation
On September 28th, an Illinois federal judge dismissed the proposed class action by financial institutions against Schnucks Markets, Inc. (Schnucks) over its 2013 data breach. The judge ruled that the Plaintiffs failed to demonstrate actual harm or concrete injury, calling their claims “highly general.” The data breach exposed the payment card information of 2.4 million customers. The judge cited the Seventh Circuit’s precedent requiring that plaintiffs “give enough details about the subject-matter of the case to present a story that holds together,” finding that the Plaintiffs failed to meet this standard. The judge drew a distinct difference between recently successful data breach litigation brought by consumers and litigation brought by financial institutions, writing, “The concrete fraud charges on customer payment cards and the familiar expectations of a store customer make the claims in those cases hold together to illustrate a plausible story.” The judge allowed the Plaintiffs the opportunity to revise their complaints and refile their claims with “more substantial pleadings.” Community Bank of Trenton et al. v. Schnuck Markets Inc., case number 3:15-cv-01125, in the U.S. District Court for the Southern District of Illinois.
Massachusetts Act to Establish Pay Equity
As previously announced, a bill was passed in Massachusetts to establish pay equity (https://malegislature.gov/Bills/189/Senate/S2119?elq_mid=649&elq_cid=508362). Lawmakers believe the disclosure of salary histories puts women at a disadvantage: they may be offered lower salaries than men in their first jobs even when education and field are taken into consideration. Salary negotiations are another area where women may be penalized and men gain an advantage. A pattern of salary discrimination can continue if the next employer bases a salary on the previous salary a woman was earning. The state of Massachusetts took a stand by passing the most vigorous equal pay law in the country. The Senate Bill prohibits employers from asking prospective hires about their salary histories until after they make a job offer that includes compensation, unless the applicants voluntarily disclose the information. This means employers are only allowed to obtain a verification of income after a job offer that includes compensation has been made, rather than at the early stages of the interview process. Massachusetts’s new law also mandates that employers pay men and women the same, not just when they do the exact same work, but when their work is “comparable”. The state defines comparable work as being “substantially similar” in skill, effort, responsibility, and working conditions — not just based on job titles or descriptions. The new law also bans salary secrecy, blocking employers from keeping their employees from talking about pay with each other. The new law will take effect on January 1, 2018. Several other states have passed their own equal pay laws aimed at closing the gender wage gap.
California Data Breach Notification Law
On September 13th, Governor Jerry Brown of California signed Assembly Bill No. 2828, which amends the state’s data breach law. The bill compels businesses to issue data breach notifications even when encrypted personal information is compromised, if the encrypted data is exposed along with the “encryption key or security credential.” The law already requires businesses or individuals that own or license “computerized data” to disclose unencrypted data breaches to California residents “in the most expedient time possible and without unreasonable delay.”
Ride-Sharing Background Checks
On September 28th, California Governor Jerry Brown signed A.B. 1289, requiring ride-sharing services to conduct criminal background checks on all drivers. The law will go into effect on January 1st and prevents Uber Technologies, Inc. (Uber) or Lyft, Inc. (Lyft) from hiring drivers with violent criminal histories. California regulators previously required the ride-sharing services to only conduct background checks for the last seven years. The legislation might require the companies to retroactively run background checks on thousands of drivers, if past background checks were not in compliance with the new law. The bill’s sponsor Assemblyman Jim Cooper argued that it was necessary for consumer safety, writing, “These drivers are picking people up from their homes – it wasn’t sufficient to have anything but the most comprehensive checks.” The measure does not require that the companies use fingerprint-based background check services.
Privacy Shield Report
On September 1st, the International Association of Privacy Professionals (IAPP) and Ernst & Young published their annual Privacy Governance report, which found that only 34% of privacy professionals expect their company to seek certification under the European Union (EU) – United States (U.S.) Privacy Shield Agreement. The report claims that many companies certified under the invalidated Safe Harbor Agreement are skeptical of the new EU-U.S. Privacy Shield. IAPP Vice President of Research Omar Tene argues that companies may be concerned that Privacy Shield will also be struck down by the EU Court of Justice, writing, “Companies might be thinking… it may not be worth going through the exercise to begin with.” IAPP found that 81% of firms surveyed claimed that their company is continuing to transfer data across the Atlantic using “standard contractual clauses.” Another skeptical respondent was quoted as stating, “Given the current uncertainty, many are considering a wait-and-see approach or evaluating other means for fear that the Privacy Shield will only last until the one-year grace period afforded by the local data authorities before [it’s challenged].”
U.K. GDPR Implementation
On September 6th, the Japanese Foreign Ministry issued statements urging the United Kingdom (U.K.) to continue its implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) despite the Brexit vote. The ministry wrote that, “It is imperative for the UK and the EU to regain the confidence of the world and ensure their unwavering competitiveness by increasing the predictability of the Brexit process, ensuring the outcome is free of unpleasant surprises and reducing the risks emanating from uncertainty.” Japan also encouraged the U.K. to ensure “maintenance of the current level of information protection and the free transfer of data.”
European Court of Justice
On September 12th, the Austrian Supreme Court referred privacy advocate Max Schrems’ data protection lawsuit against Facebook, Inc. (Facebook) to the European Court of Justice (CJEU). Schrems is well-known for previously filing a lawsuit in the CJEU that invalidated the Safe Harbor framework allowing the transfer of data between the United States (U.S.) and European Union (EU). Schrems’ most recent lawsuit accuses Facebook of failing to adequately protect personal data in its handling of that data. Facebook rejected Schrems’ claims as baseless and unlikely to proceed any further, writing, “Mr. Schrems’s claims have twice been rejected on the grounds that they cannot proceed as a ‘class action’ on behalf of other consumers in Austrian Courts.” Facebook argues that Schrems lacks standing to sue because he has become a “professional litigant” following his 2015 legal victory that invalidated the Safe Harbor agreement.
Errors in Credit Reports
Sept. 8: The Washington Post published a story entitled, “How the careless errors of credit reporting agencies are ruining people’s lives.”
CFPB Managing Counsel joining Arnall Golden Gregory (AGG is the industry Counsel to ClearStar)
BusinessWire reported that former CFPB Managing Counsel Thomas B. Pahl has joined Arnall Golden Gregory LLP as a partner.
ACA International publishes an article on Arnall Golden Gregory LLP and former CFPB Managing Counsel Thomas Pahl.
Financial Impact of Data Breaches
Sept. 20: The San Diego Union-Tribune published an article claiming that the financial impact of data breaches is often overstated, citing a recent RAND Corporation study.
EU-U.S. Privacy Shield
Infosecurity Magazine reports that Dropbox and Microsoft are officially compliant with the EU-U.S. Privacy Shield.
Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or [email protected]