Recently the Federal Trade Commission (FTC) issued a guide, Start with Security: A Guide for Business, which draws on lessons learned from the 50+ data security enforcement actions the FTC has announced.  To be clear, these actions are settlements and not court orders.  Nonetheless, the “ten lessons” the guide provides are worth reading and thinking about in terms of how they apply to your company.  The ten lessons below are taken (literally) from the FTC’s guide; after each I add a few summary sentences:

  1. Start with security — when it comes to data collection, use and retention, less is better.  As the guide says, “by making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road.”  If you don’t need driver’s license information or Social Security numbers on a particular form…don’t collect them just to collect them.
  2. Control access to data sensibly — not all employees need access to everything, be it paper files, the network, or administrative controls.  Pull the reins on that horse, cowboy!  Limit and restrict access to data, especially sensitive data, to the people whose job actually requires it.
  3. Require secure passwords and authentication — the word “password” is not a secure password.  Enough said.  Also, implement a policy to suspend or disable accounts after repeated failed login attempts, so that an attacker cannot simply keep guessing until something works.  Test for common vulnerabilities and widely known security flaws, such as “predictable resource location,” where an attacker guesses the URL of an unlinked page and reaches it directly, bypassing the web app’s login screen.
  4. Store sensitive personal information securely and protect it during transmission — in other words, be in it for the long haul and protect data at every stage, both at rest and in transit.  Make sure your company properly implements encryption and TLS (the protocol most people still call SSL), and use industry-tested methods, not some $9.99 summer special.
  5. Segment your network and monitor who’s trying to get in and out — limit access and have in place strong intrusion detection and prevention tools.
  6. Secure remote access to your network — remote access is a curse and a blessing, depending on how you look at it.  It also strains a company’s data security policies and procedures.  Ensure endpoint security, and have firewalls and updated antivirus software in place.  Also, limit third-party access to what is actually needed.
  7. Apply sound security practices when developing new products — if a company is pushing out a new mobile app or other software, it needs to ensure its engineers are trained in secure coding practices, do not turn off SSL/TLS certificate validation (which leaves the app’s “encrypted” traffic open to interception), and test for common vulnerabilities.  The FTC cites the Open Web Application Security Project (OWASP) as a resource for identifying commonly known vulnerabilities.  Finally, a big one for the FTC: do what you say you will do.  In other words, if your company’s mobile app or software advertises specific privacy and security features, the product needs to live up to those representations.
  8. Make sure your service providers implement reasonable security measures — in other words, companies need to police their vendors to ensure the vendors’ data security practices are reasonable.  Security standards should be written into the service agreements, and compliance with them should be audited.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise — have policies and procedures in place to update and patch third-party software, and to receive and act on security alerts and vulnerability reports.
  10. Secure paper, physical media, and devices — not all data is collected and maintained in electronic form.  Data security applies to hard-copy documents as well, and confidential information on paper needs to be protected every bit as much as if it were electronic.  When sensitive data is no longer needed, companies should properly dispose of it, shredding, burning, or pulverizing paper documents.  Throwing documents containing sensitive personal information in the trash can is strictly verboten.
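Lesson 3 above says to suspend or disable accounts after repeated failed login attempts.  As an added illustration (this is example code written for this post, not code from the FTC guide or from any company named in an enforcement action), here is a small login service that stores only salted password hashes, compares them in constant time, and locks an account after a fixed number of consecutive failures.  The threshold of five attempts, the fifteen-minute lockout, the iteration count, and the in-memory user table are all assumptions chosen for illustration.

```python
"""Added example: password lockout policy (lesson 3).  Not from the FTC guide.
Thresholds and the in-memory account store are illustrative assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 5            # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumption: 15-minute lockout
PBKDF2_ITERATIONS = 200_000 # assumption: treat as a floor, not a ceiling
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password).  The plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Hash verified for unknown usernames so that response time does not reveal
# whether an account exists (the password itself is never accepted).
DUMMY_HASH = hash_password("dummy-password-never-accepted")


@dataclass
class Account:
    password_hash: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginService:
    """Minimal login front end with account lockout.  `clock` is injectable for tests."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(password_hash=hash_password(password))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked', or 'denied'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, DUMMY_HASH)  # burn the same work as a real check
            return "denied"
        if now < acct.locked_until:
            return "locked"  # do not evaluate the password at all while locked
        if verify_password(password, acct.password_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0  # a fresh count starts once the lock expires
            return "locked"
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for attempt in ["wrong"] * MAX_FAILURES + ["correct horse battery staple"]:
        print(attempt, "->", svc.login("alice", attempt))
```

Two design points worth noting.  The lock is checked before the password is evaluated, so a locked account cannot be used as an oracle for continued guessing.  The flip side, which the FTC guide does not address, is that an attacker who knows a username can deliberately lock a victim out; in practice many shops pair a hard lockout with per-IP throttling or a progressive delay rather than relying on lockout alone.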

Not rocket science, but judging from the enforcement actions the FTC has brought, companies keep making exactly these mistakes.   For more details on each point above, and to learn about some of the companies involved in those enforcement actions, click here to read the guide.

I recognize this is a few days late, but the content is still timely.  Last month I attended the NAPBS Mid-Year Conference in Washington, DC, both as an attendee and as a speaker.  One session of particular interest to me was Maneesha Mithal’s presentation.  Maneesha is the Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC).  Her team is the one that would bring an enforcement action against a background screening company for non-compliance with the Fair Credit Reporting Act (FCRA).

Below are the take-away points I found most helpful for my day-to-day practice advising background screening companies on their compliance with the FCRA:

  • Reasonable security of data – Maneesha stressed the importance of “knowing your customer” when transacting with them and provided examples of companies who failed to maintain appropriate data security through reasonable procedures, and failed to ensure a permissible purpose to the reports (e.g., ACRAnet, Inc., SettlementOne Credit Corporation, Statewide Credit Services).
  • The FCRA applies equally to social media when used for background screening purposes and she gave as examples the FTC letter to Social Intelligence Corporation and the ongoing Spokeo v. Robins case.  For the Spokeo case, note that the U.S. Supreme Court granted cert. and will take up this important case next year.  The Spokeo case goes to the issue of whether a plaintiff has to show actual injury in fact in order to have Article III standing, or whether a mere violation of the statute is sufficient to bring suit.  Let’s hope the former and not the latter.
  • Companies cannot disclaim liability under the FCRA and then proceed to sell information to employers that could be used for background screening purposes.  As an example she cited the settlement against Filiquarian Publishing LLC, Choice Level LLC and their CEO for alleged failure to ensure that the information they sold was accurate and would be used only for a permissible purpose.   In that matter, the maker of the mobile app claimed that users could use the app to conduct criminal background searches on individuals, but attached disclaimers stating that the app was not FCRA compliant and that the products should not be used for employment screening purposes.
  • Accuracy of the reports – reports with multiple entries listing the same offense are not acceptable.  Basically, a data dump is not acceptable, as it does not comply with the FCRA requirement to follow reasonable procedures to assure maximum possible accuracy.  As an example she cited the HireRight Solutions enforcement action and settlement.
  • Consumer disclosures — have adequate staff to respond to consumer requests for their reports.
  • Use of section 603(y) of the FCRA as a defense to litigation is on the rise.  It is the FTC’s opinion that this section of the FCRA, which relates to investigations of suspected employee misconduct, is intended to cover only current employees and not job applicants.  Stay tuned for potential guidance from the FTC on this point.
  • U.S. based background screening companies doing background checks on international employees – the FCRA would apply.
  • Regarding the amicus brief in Moran v. The Screening Pros tied to section 605 of the FCRA and the obsolescence rule for dismissals, this is an FTC “opinion” and not just a staff view as the Commission approved the FTC’s participation in the amicus brief.

The Federal Trade Commission (FTC) has issued an updated guide for employers regarding compliance with the federal Fair Credit Reporting Act (FCRA) when conducting background checks, as well as the Equal Employment Opportunity Commission’s (EEOC) guidance on the use of criminal history records for employment screening under Title VII of the Civil Rights Act of 1964.  Read more here.

The publications featured by the FTC are the following:

Given the amount of private litigation in this space, which I have previously discussed on this blog many times, including here and here, employers should be mindful of both the FCRA and the EEOC guidance when conducting employment-related background checks.  In addition, there are state consumer protection statutes that employers should be aware of.  All of this can be successfully navigated by using the services of a reputable background screening company and working with experienced counsel.  At Arnall Golden Gregory we are happy to assist with this.


What do these have in common?  The fact that a federal district court judge believes that a plain reading of the Fair Credit Reporting Act (FCRA) requires that background screeners obtain from an employer a certification that the employer “has complied” with section 604(b)(1) each and every time before providing a background report.  Meaning no reliance on one-time, prospective blanket certifications.   In the judge’s Memorandum and Order RE: Motion to Dismiss, he grants the employer’s motion to dismiss on the FCRA disclosure and authorization allegation, but does not do the same with respect to the background screening company and the 604(b)(1) allegation.

With respect to the allegation against the background screening company, the plaintiff argues that there is a violation of the FCRA because a consumer report was provided by the screener “without first obtaining a certification from M-I stating that M-I ‘has complied’ with its statutory obligations ‘with respect to the consumer report’” pursuant to 604(b)(1).  The judge agrees that this could in fact be the case, and that there is no FTC guidance or case law that would allow a background screener to rely on a one-time, prospective blanket certification from employers before providing a consumer report under section 604(b)(1).

This is a case to follow if you are a background screening company conducting employment related background checks.  The case number is 1:14-cv-00742 and the plaintiff is Sarmad Syed.  It is pending in the U.S. District Court, Eastern District of California.

If you have any questions about your current practice, please do not hesitate to contact me and the Privacy & Consumer Regulatory practice group at Arnall Golden Gregory LLP.

The Federal Trade Commission (FTC) will host a public workshop entitled “Big Data: A Tool for Inclusion or Exclusion?” in Washington, D.C. on September 15, 2014, to further explore the use of “big data” and its impact on American consumers, including low-income and underserved consumers.    This is one in a series of workshops the FTC has held this year.

I will be a speaker on Panel 3: Surveying the Legal Landscape.  Our panel will review various antidiscrimination and consumer protection laws and discuss how they may apply to the use of big data, and whether there may be gaps in the law.  Other panels will consider the current environment and uses of big data and how those uses affect consumers, the benefits and harms of big data uses for particular populations of consumers, and best practices for the use of big data to protect consumers.  The FTC’s goal for the workshop is to address the following issues:

  • “How are organizations using big data to categorize consumers?
  • What benefits do consumers gain from these practices? Do these practices raise consumer protection concerns?
  • What benefits do organizations gain from these practices? What are the social and economic impacts, both positive and negative, from the use of big data to categorize consumers?
  • How do existing laws apply to such practices? Are there gaps in the legal framework?
  • Are companies appropriately assessing the impact of big data practices on low income and underserved populations? Should additional measures be considered?”

The workshop is free, and the day is filled with interesting panels.  Click here to view the agenda.