Cyber Security, Information Governance & Privacy

Under the Fair Credit Reporting Act, a potential employer generally may not procure a consumer report on an applicant unless the employer provides a disclosure, in a document that consists “solely of the disclosure,” informing the applicant that a consumer report may be obtained. In Williams v. TLC Casino Enters., the District Court for the District of Nevada has joined a growing chorus of courts finding that a plaintiff cannot bring a “solely of the disclosure” claim in federal court when he or she has suffered no actual harm separate from the perceived failure to properly format the disclosure.

Specifically, in Williams, the plaintiff alleged (on a class basis) that TLC Casino Enterprises violated the FCRA by obtaining a consumer report on her without providing her with a “stand-alone document of a legal disclosure.” According to Williams, TLC only provided her “with a written conditional offer to hire that included, inter alia, the following statement: ‘Continuation of this position and your employment is dependent upon your passing any Background Check or Drug Screen that may be required for your position.’” This document, in Williams’ view, was not a disclosure that consisted “solely of the disclosure” that a consumer report may be obtained for employment purposes.

TLC Casino Enterprises moved to dismiss Williams’ complaint for lack of standing, arguing that her claim amounted to nothing more than a bare procedural violation of the FCRA. According to the defendant, Williams could not state a claim in federal court because the bare procedural violation of a statute alone does not satisfy the injury-in-fact requirement for Constitutional standing.

The Court agreed with TLC Casino Enterprises. In its decision, it drew on the Supreme Court’s decision in Spokeo, Inc. v. Robins to conclude that Williams must allege a “concrete injury in fact” separate from the procedural violation of a statute in order to demonstrate standing.  Williams could not do that here. According to the Court, Williams framed TLC Casino Enterprises’ alleged FCRA violation as having “failed to provide the disclosure in a format required by the FCRA.” But “[a] formatting error such as this is a procedural issue that does not satisfy the requirement that plaintiff demonstrate a concrete, particularized injury.”

Although plaintiffs’ counsel often argue that disclosure claims are straightforward and easily certifiable as a purported class action, the Williams decision demonstrates that this is not the case. Indeed, courts are increasingly dismissing disclosure claims when plaintiffs allege nothing more than the violation of a procedural FCRA requirement.

We will continue to track this and other developments regarding the intersection of FCRA claims and standing to sue in federal court.


On July 13, 2018, in Dutta v. State Farm Mutual Automobile Insurance Company, the Ninth Circuit affirmed the district court’s decision granting summary judgment to State Farm in a putative Fair Credit Reporting Act class action. The decision presents another helpful application of the U.S. Supreme Court’s 2016 Spokeo decision. The Dutta decision highlights the importance of continuing to challenge standing at all stages of a case even in the face of a statutory violation.

Background

In Dutta v. State Farm, the plaintiff Bobby S. Dutta alleged that State Farm violated section 1681b of the FCRA by failing to provide him with a copy of his consumer report, notice of his FCRA rights, and an opportunity to challenge inaccuracies in the report before State Farm denied his employment application. As background, Dutta applied for employment with State Farm through the company’s Agency Career Track, or ACT, hiring program. State Farm examines the 24-month credit history of every ACT applicant, and if an applicant’s credit report indicates a charged-off account greater than $1,000, the applicant is automatically disqualified.

View full article published on Law360.

On June 21, 2018, the U.S. District Court for the District of Oregon dismissed a putative class action complaint alleging that a potential employer violated the disclosure and pre-adverse action notification requirements of the Fair Credit Reporting Act in Walker v. Fred Meyer Inc.[1] The Walker decision highlights several key lessons associated with FCRA class actions, particularly related to the disclosures employers must provide to prospective employees.

Background

Daniel Walker applied for a job with Fred Meyer Inc. As part of the application process, Fred Meyer provided Walker with separate disclosure and authorization forms regarding its intent to procure a background report on Walker. Fred Meyer presented the disclosure and authorization forms together, each in separate documents. The disclosure form mentioned both a general consumer report and an investigative consumer report.

View full article published on Law360.

In June 2018, Wired reported that Exactis, a marketing and data-aggregation firm, leaked an estimated 340 million records in what is shaping up to be one of the largest data breaches in the United States to date. 

The leak was discovered by Vinny Troia, security researcher and founder of Night Lion Security. Troia discovered Exactis’ leak while searching Elasticsearch, an internet database search engine. There he found that Exactis’ database was accessible without any firewall protection. No information was provided concerning whether the exposed data had been accessed by unauthorized individuals.

Exactis’ website claims to have gathered data on over 218 million individuals. This included 110 million households across the U.S. and 3.5 billion “consumer, business, and digital records.” Troia searched dozens of names ranging from those of personal acquaintances to celebrities and found that almost every one of them existed in Exactis’ system. 

The information that Exactis had gathered and stored included identifying information such as phone numbers, home addresses, and email addresses. It also included personal information such as religion, habits, and interests, as well as the number, age, and gender of the individual’s children.  

While the information leaked did not include Social Security numbers and credit card information, the leak is significant because millions of persons were affected, and the personal information leaked could be used for nefarious purposes, including impersonation of the individuals whose information was released.

Last night, California legislators passed Assembly Bill 375 (commonly known as the “California Consumer Privacy Act”) that would grant Californians “increased control” over their data. The new Act will have substantial effects on any business that has appreciable interactions with California, in how they store, share, disclose, and engage with consumer data.  The Act will be effective as of January 1, 2020.

To comply with the new Act, businesses will need to create internal processes to respond properly and timely to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and methods for consumers to exercise their newly acquired rights. Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the Act. Businesses heavily reliant upon analyzing data will need to heighten their technological capabilities to ensure that personal information is de-identified.

For technology companies, this Act may create additional obstacles to innovation that leverages economies of scale across different organizations, either through shared platforms or technologies. Consider companies that have created tools to permit other companies to release consumer-facing mobile applications through various APIs and SDKs. While stakeholders often start with a common set of technologies, each partner may ultimately use the tools in its own unique way. Consumers may argue that the web of privacy policies must ultimately be reconciled among the stakeholders because the ecosystem is presented to all consumers as one comprehensive application.

Practically, all parties involved in an ecosystem will likely be affected by the conduct of the others, which is a shift from the traditional American digital paradigms. However, the basic tenets are familiar to those of us who have worked with the Fair Credit Reporting Act and other statutory schemes that build off of the Fair Information Privacy Principles.  Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement. Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.

Below is our summary and analysis of the Act:

What Is “Personal Information”?

Effectively adds the following categories of information:

  • Records of personal property, products, or services, and “consuming histories or tendencies”;
  • Biometric data;
  • Clickstream and “other electronic network activity information”;
  • Geolocation data;
  • Consumer sensory information;
  • Professional or employment-related information;
  • Educational information not publicly available;
  • “Inferences drawn” from personal information.

Does not include “public information” and “de-identified information.” But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.

When Is Personal Information “De-Identified”?

Personal information is not considered “de-identified” unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information.

Consent and Proportionality

Adds the concept of proportionality (i.e., “reasonably necessary”) to the definition of “business purpose,” which must have been permitted.

What Is “Selling” of Personal Information?

“Selling” personal information includes “releasing, disclosing, disseminating, making available” for “valuable consideration.” Does not include third-party processors who receive that information only for processing.

Consumers’ Right to Request

Collectors – (1) Consumers have right to request categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.

Sellers – (1) Consumers have right to request categories of information sold, and (2) to whom it was sold. “Sellers” appear to be also “collectors.”

Both may require a verifiable request. Certain exceptions to the above apply for truly “one time” uses.

Consumers’ Right to Delete Records

Businesses that receive verifiable requests from consumers to delete their personal information must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).

Response in a “Readily [Machine] Useable Format”

Disclose and deliver required information to the consumer within 45 days in writing, delivered through the consumer’s account, or by mail or electronically at the consumer’s option if the consumer does not maintain an account, “in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance.”

Forms of Disclosure

Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.

Consumers’ “Right to Say No,” And Opt-Outs & Opt-Ins

Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice first before consumer information may be shared. Sellers have to obtain an “explicit notice” before they can sell information.

Minors under 16 years of age must “opt-in.”

Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.

Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) compliance with a legal purpose.

Requirement of Privacy Statement

A privacy statement that includes:

(1) a description of consumers’ rights and the methods of submitting requests;
(2) a list of categories of information collected;
(3) a list of categories of information disclosed;
(4) a list of categories of information sold.

Discriminatory Use of Personal Information Prohibited

Requirement that business not discriminate against consumers for exercising their rights under the title, including by:

(1) Denying goods or services;
(2) Charging different prices or imposing penalties;
(3) Providing a different quality of service;
(4) Suggesting the above;

…unless the above is related to differences resulting from “the value provided to the consumer by the consumer’s data.”

Business may offer financial incentives to consumers, however, to obtain their personal information. But the practices for this entire subsection may not be “unjust, unreasonable, coercive, or usurious.”

Exceptions

(1) to comply with federal, state, or local laws;
(2) cooperate with law enforcement;
(3) all activities take place outside of California;
(4) HIPAA exception;
(5) FCRA exception, for generation of a consumer report;
(6) GLBA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(7) DPPA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(8) Small businesses not covered by the definition of “business.”

Enforcement


(1) Private right of action by consumers for between $100 and $750 per violation in statutory or actual damages, after 30-day notice to cure, if it can be cured. The consumer must then notify the state AG, whose action, if any, will terminate the consumer action.
(2) State AG enforcement available for stiffer penalties (up to $7,500 per violation). Also gives prescriptive authority to the AG.


On May 22, Vermont passed the nation’s most expansive data broker legislation in an effort to provide consumers with more information about data brokers, their data collection practices, and consumers’ right to opt out.

The legislation, which in part takes effect on January 1, 2019, defines “data brokers” to mean “a business … that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” While this definition appears to be broad in scope, the controlling test to determine whether a business is a “data broker” is whether the sale or license of data is merely incidental to the business. If the sale or license of data is merely incidental, the business would likely not be considered a data broker.

The legislation takes note of the fact that there are important differences between data brokers and businesses with whom consumers have a direct relationship. Specifically, it finds that consumers who have a direct relationship with traditional and e-commerce businesses typically have some level of knowledge and control over the businesses’ data collection practices, including the choice to use the businesses’ products or services and the ability to opt out of certain data collection practices. By contrast, consumers may not be aware that data brokers are collecting information about them or that they even exist. As such, the new law aims to provide consumers with necessary information about data brokers, including information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.

Once the enacted legislation goes into effect, data brokers will be required to:

  1. Annually register with the Secretary of State and pay a registration fee of $100.00. Notably, registration would only be required if, in the prior year, the data broker collected and licensed or sold to a third party the personal information of a Vermont consumer.
  2. Annually disclose the following information about its data collection practices:

     a. Whether the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data;

     b. A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

     c. A statement whether the data broker implements a purchaser credentialing process;

     d. The number of data security breaches experienced during the previous year, and if known, the total number of consumers affected by the breaches; and

     e. The data broker’s collection practices as they relate to minors.

  3. Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate for the size, scope, and type of business of the data broker. Notably, a violation of the legislation’s information security requirements will constitute an “unfair and deceptive act” for which the Attorney General is authorized to bring an enforcement action.

Attorney General T.J. Donovan applauded lawmakers for the passage of the law and stated that “the state has a strong public safety interest in transparency, data security, and consumer protection generally with respect to commercial interests that elect to engage in the business of buying and selling consumer data without the consumer’s knowledge.”  And while “transparency of information is great when it comes to government,” said Vermont Secretary of State Jim Condos, it is not “for individuals and their personal information.”

On Wednesday, June 6, from 3 – 4 pm ET, Troutman Sanders attorneys Ronald Raether and Jonathan Yee will present a webinar discussing vendor risk.

Business interconnectivity is nothing new. With the rise of the cloud, vendor management came into focus. Companies continue to engage outside vendors and third-party service providers to assist with key aspects of their operations, including payment platforms, customer relationship management, information technology, and data storage, to name a few. With the cloud, many companies believed that their data would be safer. However, those involved in security for years (decades) knew better. Yet, even after some hard lessons, many businesses still fail to account in their cybersecurity programs for the use of these third parties and their access to sensitive company and consumer information. Join us for an informative look at emerging laws and guidelines which provide best practices that companies should consider to minimize cyber risk from vendors and third-party service providers and to work towards a stronger position to assert compliance with cybersecurity regulations.

Covered Topics

  • Overview of cyber risks associated with vendors and third-party service providers
  • Steps to develop a vendor cybersecurity compliance program
  • How regulations should inform policies, including a look at the NYDFS Cybersecurity Regulation and DFAR
  • Industry best practices

Registration

Click here to register. Scheduling conflict? Register anyway to receive the recording after the event.

We are pleased to announce that Troutman Sanders attorney Ron Raether will be presenting during the NetDiligence Cyber Risk Summit Conference at the Bellevue Hotel in Philadelphia, PA. This conference features two full days of panel discussions by leading cyber experts who will share their insights on hot topics, trends, and cybersecurity concerns. Ron will be speaking on a panel discussing “Improving Insurance Industry and Government Collaboration” on July 13, 2018 at 11:20 a.m.

Attendees will:

  • Gain valuable tips and advice on cyber risk security
  • Discuss and learn the top issues that are happening now in the cyber world
  • Connect with leaders in cyber risk and private liability and learn from their experiences on current and emerging concerns in the ever-changing cyber landscape

To register or obtain additional information, visit the NetDiligence Website.

Last week, the National Institute of Standards and Technology released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity—more commonly known as the Cybersecurity Framework.

The first version of the Cybersecurity Framework was issued in February 2014 as voluntary guidance for critical infrastructure organizations to better manage and reduce cybersecurity risk. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations, from both the public and private sectors, have since relied on the Cybersecurity Framework. The Framework has been used for a variety of purposes, including to raise cybersecurity awareness, to communicate with stakeholders within an organization, and as a strategic planning tool to assess cybersecurity risks and current practices.

As noted by NIST, the Cybersecurity Framework was, and continues to be, developed through ongoing engagement with stakeholders in government, industry, and academia. Version 1.1 in particular was the result of “eight public workshops, multiple Requests for Comment or Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.” This collaboration has undoubtedly contributed to the framework’s popularity and success, as exemplified by the framework’s widespread adoption by organizations globally.

Version 1.1 of the Cybersecurity Framework provides new details on authentication and identity management, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. Additionally, as explained by Matt Barrett, NIST’s program manager for the Cybersecurity Framework, Version 1.1 was written to “refine and enhance the original document and to make it easier to use.” The update, Barrett notes, “is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

We have discussed the challenges companies face in creating the proper incentives for the development of sound cybersecurity practices. Initially, industry looked to certifications as a measure of compliance, such as PCI audits. Data breach events such as that experienced by retailer Target in 2012 exposed the inherent limits of an event-based system dependent on third-party audits. Indeed, it completely ignored the reality that cybersecurity is an iterative process – a cat-and-mouse game – as we must react to defend against the ever-developing tactics of hackers. It also ignored the practical necessity of creating direct accountability of the company and its employees, or in other words, the need to create a culture of sound security practices, recognizing security as a fundamental precept of a profitable company rather than just a cost center. A Framework based on honest self-assessment applied to specified domains with measurable goals and a thoughtful governance structure invests the company in cybersecurity and continual improvement.

NIST actively encourages all businesses – regardless of size, industry, or sector – to review and consider the Framework as a helpful tool in managing cybersecurity risks. To explain the updates made in Version 1.1, NIST will be hosting a free public webcast on April 27, 2018, at 1:00 p.m. EDT.

Attorneys general from thirty-one states have signed a letter urging Congress to scrap a proposed federal breach notification law that was introduced by Rep. Blaine Luetkemeyer (R-Mo.) and Rep. Carolyn Maloney (D-N.Y.) in an effort to create a national data breach notification and security standard. The proposed law, known as the Data Acquisition and Technology Accountability and Security Act (the “Draft Bill”), if passed, would require covered entities to, among other things:

  1. Conduct preliminary investigations of data breaches – If a covered entity believes that a breach of data security containing personal information occurred, the covered entity would be required to conduct an immediate investigation (“Preliminary Investigation”) to determine, among other things, whether personal information has been or is likely to have been acquired without authorization.
  2. Notify agencies in the event of reasonable risk – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that the data breach resulted in or will result in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify certain governmental entities, such as the Secret Service, the Federal Bureau of Investigation, and other agencies, if the data breach involved personal information relating to 5,000 or more consumers.
  3. Notify consumers in the event of harm – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that a data breach resulted in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify all impacted consumers.

With respect to state enforcement rights, the Draft Bill indicates that state attorneys general may bring civil actions against covered entities for certain violations of the Draft Bill, provided that: (1) the covered entity is not a financial institution, and (2) the attorney general provides prior written notice of any action to the FTC and provides the FTC with a copy of its complaint, except in certain circumstances where such notice may not be feasible. Additionally, the Draft Bill indicates that the FTC shall have the right to intervene in all state actions and that no state attorney general can bring an action against a covered entity if the FTC has already done so.

Lastly, and likely most controversially, Section 6 of the Draft Bill indicates that the act would “preempt any law, rule, regulation, requirement, standard, or other provision having the force and effect of any law of any state … with respect to securing information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data … .”

So, what is the big deal? Having a national data breach notification law is a good thing, right? Well, no … not according to the thirty-two attorneys general who signed the letter to Congress released on March 19. As explained by these attorneys general, there are several issues of concern with the Draft Bill, including that it:

  1. “[T]otally preempts all state data breach and data security laws that require notice to consumer and state attorneys general of data breaches,” which would include the states’ consumer data breach notification laws that, as of March 28, 2018, have been enacted by all fifty states.
  2. “Allows entities suffering breaches to determine whether to notify consumers of a breach based on their own judgment of whether there is ‘a reasonable risk’ that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumers.” This, as they noted, is insufficient and too late, and will result in less transparency to consumers as fewer notifications to consumers will be sent. It also permits entities that have suffered a data breach to notify consumers after the harm to them has occurred, which limits consumers’ opportunity to take proactive steps to protect themselves from identity theft before it happens.
  3. Fails to acknowledge the fact that data breaches come in all sizes by only addressing large, national breaches affecting 5,000 or more consumers, and prevents attorneys general from learning of or addressing breaches that are smaller in scale but nonetheless victimize residents in their states.
  4. Places consumer reporting agencies and financial institutions out of states’ enforcement reach, which would prevent state attorneys general from pursuing these companies after a security incident.

Considering themselves to be the “chief consumer protection officials” in their respective states, the attorneys general note that there is a place for both state and federal agencies to protect consumers’ personal information, and therefore, recommend that the Draft Bill not preempt state data security and breach notification laws.