Cyber Security, Information Governance & Privacy

We are pleased to announce that Troutman Sanders attorney Ron Raether will be presenting during the 33rd Annual SoCal Security Symposium in Costa Mesa, California at the Hilton Orange County Hotel. Ron will present, “Cloudy with a Chance of Legal Action: Managing Cyber Risks in an Increasingly Outsourced World,” on October 25th at 8:30 a.m. The conference offers great opportunities to network, earn CLE credits, meet vendors and stay informed on cybersecurity.

Attendees will gain knowledge through the below key takeaways of Ron’s panel:

  • What is the legal landscape relating to the Cloud
  • Lessons learned from litigation experience
  • What steps should be taken as to governance and compliance to mitigate future of Cloud risks

To register or obtain additional information, visit the ISSA Website.

In the last few years, the right to privacy debate in the United States has increased in pace and volume. One issue at the center of this long debate is how best to implement the right privacy tools in a manner that does not disrupt business and technological innovation. The current criticisms fail to appreciate that the next technological paradigm is completely dependent on both the quality and quantity of data.

As connected things (IoT) explode in popularity, they make things such as augmented reality (AR) and autonomous vehicles possible. And as interconnectivity grows, so too do the opportunities. The companies that fail to properly leverage new technologies and data opportunities may find themselves falling behind their competitors.

In venturing into these emerging paradigms, companies should stay informed of recent enforcement actions, cases, and laws to determine how their role within new ecosystems may be impacted.

This publication covers the ongoing evolution of the legal landscape for data-centric products, so that organizations can continue to succeed in their development of data-centric products.

Click here to download the report

Illinois’ Biometric Information Protection Act (“BIPA”) requires entities collecting, using, and storing biometric data (such as face scans, retina scans, and fingerprint scans) to, among other things, inform and obtain consent from the owners of the data. Private entities storing an individual’s biometric information must also use a “reasonable standard of care” and treat the information in the same manner as they treat other confidential and sensitive information.

In past articles, we identified a trend involving Article III standing in cases brought under BIPA. Courts were drawing lines between cases where the plaintiff willingly submitted her biometric information (despite the defendant’s technical violation of BIPA), see, e.g., Santana v. Take-Two Interactive Software, No. 17-303, 2017 U.S. App. LEXIS 23446 (2d Cir. Nov. 21, 2017), and cases where the plaintiff’s biometric information was not given knowingly, see, e.g., Patel v. Facebook Inc., No. 3:15-cv-03747-JD, 2018 U.S. Dist. LEXIS 30727 (N.D. Cal. Feb. 26, 2018). Most courts were finding Article III standing only in the latter category of cases. This created a hurdle for plaintiff-employees suing their employers for BIPA violations based on the collection of their biometric information for time-keeping purposes (a common activity for employers) because in such situations, employees provide their biometric information willingly.

However, a creative way has been found to clear the Article III hurdle. In Dixon v. Washington & Jane Smith Cmty., No. 17-cv-8033, 2018 U.S. Dist. LEXIS 90344 (N.D. Ill. May 31, 2018), the court found Article III standing because the complaint included allegations that plaintiff Cynthia Nixon’s employer disclosed her fingerprint information to Kronos, a third-party biometric timeclock vendor, without her notice or consent. “The allegation that [the employer] disclosed [the employee’s] fingerprint data to Kronos without informing her distinguishes this case from others in which alleged violations of BIPA were determined insufficiently concrete to constitute an injury in fact for standing purposes.” The court added, “this alleged violation of the right to privacy in and control over one’s biometric data, despite being an intangible injury, is sufficiently concrete to constitute an injury in fact that supports Article III standing.” The court employed the same logic to deny the defendants’ motions to dismiss under Fed. R. Civ. P. 12(b)(6). “Even though this may not be a tangible or pecuniary harm, it is an actual and concrete harm that stems directly from the defendants’ alleged violations of BIPA.”

Employees are apparently gaining insight from Dixon, as some have begun to amend their complaints to add allegations that their biometric information was disclosed to third parties, often the company supplying and maintaining the employer’s fingerprint scanner, as in Barnes v. Arytza, No. 2017-CH-11312, Cameron v. Polar Tech Indus., Inc. (co-defendant ADP Inc.), No. 2018-CH-10001, Edmond v. DPI Specialty Foods, Inc. et al. (co-defendant Ceridian HCM Holding Inc.), No. 2018-CH-9573, and Battles v. Southwest Airlines Co. (co-defendant Kronos Inc.), No. 2018-CH-9376, all filed in the Chancery Division of the Circuit Court of Cook County.

It will be interesting to see if these additional allegations of third-party disclosure are enough to avoid dismissal in Illinois state courts for a lack of standing. Third parties, like Kronos or ADP, may not necessarily have accessed, or even had the ability to access, employees’ biometric data, but instead likely merely host the servers that retain the data. We have yet to see any actions alleging the selling or theft of biometric data, but at least in Dixon, the mere allegation of third-party disclosure, however minor, was enough to find Article III standing.

 Under the Fair Credit Reporting Act, a potential employer generally may not procure a consumer report on an applicant unless the employer provides a disclosure, in a document that consists “solely of the disclosure,” informing the applicant that a consumer report may be obtained.  In Williams v. TLC Casino Enters., the District Court for the District of Nevada has joined a growing chorus of courts finding that a plaintiff cannot bring a “solely of the disclosure” claim in federal court when he or she has suffered no actual harm separate from the perceived failure to properly format the disclosure.

Specifically, in Williams, the plaintiff alleged (on a class basis) that TLC Casino Enterprises violated the FCRA by obtaining a consumer report on her without providing her with a “stand-alone document of a legal disclosure.” According to Williams, TLC only provided her “with a written conditional offer to hire that included, inter alia, the following statement: ‘Continuation of this position and your employment is dependent upon your passing any Background Check or Drug Screen that may be required for your position.’” This document, in Williams’ view, was not a disclosure that consisted “solely of the disclosure” that a consumer report may be obtained for employment purposes.

TLC Casino Enterprises moved to dismiss Williams’ complaint for lack of standing, arguing that her claim amounted to nothing more than a bare procedural violation of the FCRA. According to the defendant, Williams could not state a claim in federal court because the bare procedural violation of a statute alone does not satisfy the injury-in-fact requirement for Constitutional standing.

The Court agreed with TLC Casino Enterprises. In its decision, it drew on the Supreme Court’s decision in Spokeo, Inc. v. Robins to conclude that Williams must allege a “concrete injury in fact” separate from the procedural violation of a statute in order to demonstrate standing.  Williams could not do that here. According to the Court, Williams framed TLC Casino Enterprises’ alleged FCRA violation as having “failed to provide the disclosure in a format required by the FCRA.” But “[a] formatting error such as this is a procedural issue that does not satisfy the requirement that plaintiff demonstrate a concrete, particularized injury.”

Although plaintiffs’ counsel often argue that disclosure claims are straightforward and easily certifiable as a purported class action, the Williams decision demonstrates that this is not the case. Indeed, courts are increasingly dismissing disclosure claims when plaintiffs allege nothing more than the violation of a procedural FCRA requirement.

We will continue to track this and other developments regarding the intersection of FCRA claims and standing to sue in federal court.

 

On July 13, 2018, in Dutta v. State Farm Mutual Automobile Insurance Company, the Ninth Circuit affirmed the district court’s decision granting summary judgment to State Farm in a putative Fair Credit Reporting Act class action. The decision presents another helpful application of the U.S. Supreme Court’s 2016 Spokeo decision. The Dutta decision highlights the importance of continuing to challenge standing at all stages of a case even in the face of a statutory violation.

Background

In Dutta v. State Farm, the plaintiff Bobby S. Dutta alleged that State Farm violated section 1681b of the FCRA, by failing to provide him with a copy of his consumer report, notice FCRA rights and an opportunity to challenge inaccuracies in the report before State Farm denied his employment application. As background, Dutta applied for employment with State Farm through the company’s Agency Career Track, or ACT, hiring program. State Farm examines the 24-month credit history of every ACT applicant, and if an applicant’s credit report indicates a charged-off account greater than $1,000, the applicant is automatically disqualified.

View full article published on Law360.

On June 21, 2018, the U.S. District Court for the District of Oregon dismissed a putative class action complaint alleging that a potential employer violated the disclosure and pre-adverse action notification requirements of the Fair Credit Reporting Act in Walker v. Fred Meyer Inc.[1] The Walker decision highlights several key lessons associated with FCRA class actions, particularly related to the disclosures employers must provide to prospective employees.

Background

Daniel Walker applied for a job with Fred Meyer Inc. As part of the application process, Fred Meyer provided Walker with separate disclosure and authorization forms regarding its intent to procure a background report on Walker. Fred Meyer presented the disclosure and authorization forms together, each in separate documents. The disclosure form mentioned both a general consumer report and an investigative consumer report.

View full article published on Law360.

In June 2018, Wired reported that Exactis, a marketing and data-aggregation firm, leaked an estimated 340 million records in what is shaping up to be one of the largest data breaches in the United States to date. 

The leak was discovered by Vinny Troia, security researcher and founder of Night Lion Security. Troia discovered Exactis’ leak while searching ElasticSearch, an internet database search engine. There he found Exactis’ database was accessible without any firewall protection. No information was provided concerning whether this leak has been accessed by unauthorized individuals. 

Exactis’ website claims to have gathered data on over 218 million individuals. This included 110 million households across the U.S. and 3.5 billion “consumer, business, and digital records.” Troia searched dozens of names ranging from those of personal acquaintances to celebrities and found that almost every one of them existed in Exactis’ system. 

The information that Exactis had gathered and stored included identifying information such as phone numbers, home addresses, and email addresses. It also included personal information such as religion, habits, and interests, as well as the number, age, and gender of the individual’s children.  

While the information leaked did not include Social Security numbers and credit card information, the leak is significant because millions of persons were affected, and the personal information leaked could be used for nefarious purposes, including impersonation of the individuals whose information was released.

Last night, California legislators passed Assembly Bill 375 (commonly known as the “California Consumer Privacy Act”) that would grant Californians “increased control” over their data. The new Act will have substantial effects on any business that has appreciable interactions with California, in how they store, share, disclose, and engage with consumer data.  The Act will be effective as of January 1, 2020.

To comply with the new Act, businesses will need to create internal processes to properly and timely respond to consumer requests for information, requests for deletion, and requests to opt out of having their information sold. Businesses will also need to update their privacy policies and websites to provide the more stringent disclosures and methods for consumers to exercise their newly acquired rights. Vendor management and controls will also need to be updated to ensure compliance with the limitations provided for in the Act. Businesses heavily reliant upon analyzing data will need to heighten technological capabilities to ensure that personal information is de-identified

For technology companies, this Act may create additional obstacles to innovation that leverage economies of scale across different organizations either through shared platforms or technologies.  Consider companies that have created tools to permit other companies to release consumer-facing mobile applications through various APIs and SDKs. While stakeholders often start with a common set of technologies, each partner may ultimately use the tools in their own unique way.  Consumers may argue that the web of privacy policies may ultimately need to be reconciled amongst the stakeholders because the ecosystem is presented to all consumers as one comprehensive application.

Practically, all parties involved in an ecosystem will likely be affected by the conduct of the others, which is a shift from the traditional American digital paradigms. However, the basic tenets are familiar to those of us who have worked with the Fair Credit Reporting Act and other statutory schemes that build off of the Fair Information Privacy Principles.  Partners and vendors will need to be carefully vetted prior to engagement by business teams and legal counsel. Each involved party will need to understand the data that the others are collecting, sharing, and selling, and obtain representations and warranties in their agreements to protect itself from a consumer class action or regulatory enforcement. Additionally, many contractual provisions such as licensing of data and indemnity will become greater points of contention in business-to-business deals and should be carefully discussed and reviewed with legal counsel.

Below is our summary and analysis of the Act:

What is “Personal Information”? Effectively adds the following categories of information:

  • Records of personal property, products, or services, and “consuming histories or tendencies”;
  • Biometric data;
  • Clickstream and “other electronic network activity information”;
  • Geolocation data;
  • Consumer sensory information;
  • Professional or employment-related information;
  • Educational information not publicly available;
  • “Inferences drawn” from personal information.

Does not include “public information” and “de-identified information.” But public information does NOT include: (1) information that is used in a way not compatible with its original purpose, or (2) de-identified or aggregate information.

When Is Personal Information “De-Identified”? Personal information is not considered “de-identified” unless the business (1) undertakes technical and business processes to prevent re-identification, (2) has processes to prevent inadvertent release of de-identified information, and (3) makes no attempt to re-identify the information
Consent and Proportionality Adds the concept of proportionality (i.e., “reasonably necessary”) to the definition of “business purpose,” which must have been permitted.
What Is “Selling” of Personal Information? “Selling” personal information includes “releasing, disclosing, disseminating, making available” for “valuable consideration.” Does not include third party processors who receive that information for only processing.
Consumers’ Right to Request

Collectors – (1) Consumers have right to request categories of information collected, (2) from whom it was collected, (3) the specific business purposes for which it was collected, and (4) with whom it is shared.

Sellers – (1) Consumers have right to request categories of information sold, and (2) to whom it was sold. “Sellers” appear to be also “collectors.”

Both may require a verifiable request. Certain exceptions to the above apply for truly “one time” uses.

Consumers’ Right to Delete Records Businesses that receive verifiable requests from consumers to delete their personal information, must delete, and direct any service providers to delete, such information. Compliance is not required if it is necessary for the business or service provider to maintain the personal information (such as for legal, security, or transactional needs).
Response In a “Readily [Machine] Useable Format” Disclose and deliver required information to consumer within 45 days in writing and delivered through consumer’s account, or by mail or electronically at consumer’s option if consumer does not maintain account, “in a readily useable format that allows consumer to transmit this information from one entity to another entity without hindrance.”
Forms of Disclosure Contains express form requirements for disclosures, including for opt-out notices and online webforms and links.
Consumers’ “Right to Say No,” And Opt-Outs & Opt-Ins

Consumers have a right to say no to the sale of their information at any time. Collectors have to provide an opt-out notice first before consumer information may be shared. Sellers have to obtain an “explicit notice” before they can sell information.

Minors under 16-years of age must “opt-in.”

Seller must provide clear and conspicuous link on homepage to allow consumer to opt out of sale of personal information.

Clearer exceptions for: (1) completion of the business purpose with the consumer, (2) security and debugging purposes, and (3) comply with a legal purpose.

Requirement of Privacy Statement

A privacy statement that describes:

(1) a description of consumers’ rights and the methods of submitting requests;
(2) a list of categories of information collected;
(3) a list of categories of information disclosed;
(4) a list of categories of information sold.

Discriminatory Use of Personal Information Prohibited

Requirement that business not discriminate against consumers for exercising their rights under the title, including by:

(1) Denying goods or services;
(2) Charging different prices or imposing penalties;
(3) Providing a different quality of service;
(4) Suggesting the above;

…unless the above is related to differences resulting from “the value provided to the consumer by the consumer’s data.”

Business may offer financial incentives to consumers, however, to obtain their personal information. But the practices for this entire subsection may not be “unjust, unreasonable, coercive, or usurious.”

Exceptions Exceptions:
(1) to comply with federal, state, or local laws;
(2) cooperate with law enforcement;
(3) all activities take place outside of California;
(4) HIPAA exception;
(5) FCRA exception, for generation of a consumer report;
(6) GLBA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(7) DPPA exception, for activities carried out for that purpose, “if it is in conflict with that law”;
(8) Small businesses not covered by the definition of “business.”
Enforcement

Enforcement:

(1) Private right of action by consumers for between $100-$750 per violation in statutory or actual damages, after 30-notice to cure, if it can be cured.   Consumer will then notify state AG, if any, whose action will terminate consumer action.
(2) State AG enforcement available for stiffer penalties (up to $7,500 per violation).   Also gives prescriptive authority to AG.

 

On May 22, Vermont passed the nation’s most expansive data broker legislation in an effort to provide consumers with more information about data brokers, their data collection practices, and consumers’ right to opt out.

The legislation, which in part takes effect on January 1, 2019, defines “data brokers” to mean “a business … that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” While this definition appears to be broad in scope, the controlling test to determine whether a business is a “data broker” is whether the sale or license of data is merely incidental to the business.  If the sale or license of data is merely incidental, the business would likely not be considered a data broker.

The legislation takes note of the fact that there are important differences between data brokers and businesses with whom consumers have a direct relationship.  Specifically, it finds that consumers who have a direct relationship with traditional and e-commerce businesses typically have some level of knowledge and control over the businesses’ data collection practices, including the choice to use the businesses’ products or services and the ability to opt out of certain data collection practices.  By contrast, however, consumers may not be aware that data brokers are collecting information about them or that they even exist.  As such, the new law aims to provide consumers with necessary information about data brokers, including information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.

Once the enacted legislation goes into effect, data brokers will be required to:

  1. Annually register with the Secretary of State and pay a registration fee of $100.00.  Notably, registration would only be required if, in the prior year, the data broker collected and licensed or sold to a third party the personal information of a Vermont consumer.
  2. Annually disclose the following information about its data collection practices:

a.  Whether the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data;

b.  A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

c.  A statement whether the data broker implements a purchaser credentialing process;

d.  The number of data security breaches experienced during the previous year, and if known, the total number of consumers affected by the breaches; and

e.  The data broker’s collection practices as it relates to minors.

  1. Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate for the size, scope, and type of business of the data broker.  Notably, a violation of the legislation’s information security requirements will constitute an “unfair and deceptive act” for which the Attorney General is authorized to bring an enforcement action.

Attorney General T.J. Donovan applauded lawmakers for the passage of the law and stated that “the state has a strong public safety interest in transparency, data security, and consumer protection generally with respect to commercial interests that elect to engage in the business of buying and selling consumer data without the consumer’s knowledge.”  And while “transparency of information is great when it comes to government,” said Vermont Secretary of State Jim Condos, it is not “for individuals and their personal information.”

On Wednesday, June 6, from 3 – 4 pm ET, Troutman Sanders attorneys, Ronald Raether and Jonathan Yee will present a webinar discussing vendor risk.

Business interconnectivity is nothing new. With the rise of the cloud, vendor management came into focus. Companies continue to engage outside vendors and third-party services providers to assist with key aspects of their operations including payment platforms, customer relations management, information technology, and data storage, to name a few. With the cloud, many companies believed that their data would be safer. However, those involved in security for years (decades) knew better. So, now after some hard lessons, many businesses still fail to account for the use of these third-parties and their access to sensitive company and consumer information in their respective cybersecurity programs. Join us for an informative look at emerging laws and guidelines which provide best practices that companies should consider to minimize cyber risk from vendors and third-party service providers and to work towards a stronger position to assert compliance with cybersecurity regulations.

Covered Topics

  • Overview of cyber risks associated with vendors and third-party service providers
  • Steps to develop a vendor cybersecurity compliance program
  • How regulations should inform on policies including a look at the NYDFS Cybersecurity Regulation and DFAR
  • Industry best practices

Registration

Click here to register. Scheduling conflict? Register anyway to receive the recording after the event.