Check out the current Compliance News Flash with blurbs about:

  • The continuing partial government shutdown;
  • E-Verify (still shutdown);
  • The Federal Trade Commission (also shutdown);
  • Government background investigations and the NBIB (not shutdown);
  • The California Consumer Privacy Act; and
  • A recent merger in the background screening industry.

In honor of MLK Day tomorrow:

“Darkness cannot drive out darkness: only light can do that. Hate cannot drive out hate: only love can do that.” Martin Luther King

Recently the Federal Trade Commission (FTC) issued a guide, Start with Security: A Guide for Business, which draws on lessons learned from the 50+ data security enforcement actions that the FTC has announced.  To be clear, these actions are settlements and not court orders.  Nonetheless, the “ten lessons” in the guide are worth reading and thinking about how they apply to your company.  The ten lessons below are taken verbatim from the FTC’s guide, and I then add a few summary sentences to each:

  1. Start with security — when it comes to data collection, use and retention, less is better.  As the guide says, “by making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road.”  If you don’t need driver’s license information or Social Security numbers on a particular form…don’t collect them just to collect them.
  2. Control access to data sensibly — not all employees need to have access to everything, be it paper files, the network, administrative controls.  Pull the reins on that horse, cowboy!  Limit and restrict access to data, especially sensitive data.
  3. Require secure passwords and authentication — the word “password” is not a secure password.  Enough said.  Also, implement a policy to suspend or disable accounts after repeated failed login attempts to reduce the chance that a password-guessing attack succeeds.  Test for common vulnerabilities and widely known security flaws, such as “predictable resource location,” where an attacker guesses the URL of a page that should sit behind the web app’s login screen and requests it directly, bypassing authentication entirely.
  4. Store sensitive personal information securely and protect it during transmission — in other words, be in it for the long haul and protect data at every stage, at rest and in transit.  Make sure your company properly implements encryption and TLS (SSL), and use industry-tested methods, not some $9.99 summer special.
  5. Segment your network and monitor who’s trying to get in and out — limit access and have in place strong intrusion detection and prevention tools.
  6. Secure remote access to your network — remote access is a curse and a blessing, depending on how you look at it.  It also challenges a company’s data security policies and procedures. Ensure endpoint security and have firewalls and updated antivirus software in place.  Also, limit third party access to what is needed.
  7. Apply sound security practices when developing new products — if a company is pushing out a new mobile app or software, it needs to ensure its engineers are trained in secure coding practices, do not disable SSL/TLS certificate validation, and test for common vulnerabilities.  The FTC cites the Open Web Application Security Project as a resource for identifying commonly known vulnerabilities.  Finally, a big one for the FTC — do what you say you will do.  In other words, if your company’s mobile app or software advertises specific privacy and security settings, the product needs to live up to those representations.
  8. Make sure your service providers implement reasonable security measures — in other words, companies need to police their vendors to ensure their data security practices are reasonable.  Security standards should be incorporated into the terms of service agreements, and compliance should be audited.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise — have policies and procedures in place to update/patch third party software as well as to receive and act on security alerts.
  10. Secure paper, physical media, and devices — not all data is collected and maintained in electronic format.  Data security applies to hard-copy documents as well, and confidential information there needs to be protected every bit as much as if it were in electronic form.  When sensitive data is no longer needed, companies should properly dispose of it; for paper documents that means shredding, burning or pulverizing them.  Throwing documents with sensitive personal information in the trash can is strictly verboten.
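Item 3 above says to suspend accounts after repeated failed login attempts but does not show what a sensible policy looks like. The following is an added illustration written for this post, not code from the FTC guide or from any company named here. It assumes a hypothetical `check_password` callable and a constructed user table; real systems would store salted password hashes and persist the lockout state in a shared store. The lockout is temporary and escalates with each repeat, so a guessing attack is throttled without handing an attacker a permanent denial-of-service against a victim's account, and the same "denied" response is returned whether or not the username exists.

```python
"""Failed-login lockout with escalating, time-limited lockouts (constructed example)."""
from dataclasses import dataclass
import time

MAX_FAILURES = 5             # failures allowed before the account locks
BASE_LOCKOUT_SECONDS = 60    # first lockout length
MAX_LOCKOUT_SECONDS = 3600   # cap on escalation

# Constructed user table for the example; production code stores salted hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    """Hypothetical verifier: True only when the user exists and the password matches."""
    return USERS.get(user) == password


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    lockouts: int = 0          # how many lockouts have been triggered (drives escalation)
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Wraps a password verifier with lockout tracking keyed by username."""

    def __init__(self, verify, now=time.time):
        self._verify = verify   # callable(user, password) -> bool
        self._now = now         # injectable clock so the policy can be tested
        self._state = {}

    def _state_for(self, user):
        return self._state.setdefault(user, AccountState())

    def remaining_lockout(self, user):
        """Seconds until the account unlocks; 0 if it is not locked."""
        return max(0.0, self._state_for(user).locked_until - self._now())

    def attempt(self, user, password):
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        st = self._state_for(user)
        now = self._now()
        if now < st.locked_until:
            return "locked"
        if self._verify(user, password):
            st.failures = 0
            st.lockouts = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # Lock for BASE * 2**(n-1) seconds on the n-th lockout, capped at MAX.
            st.failures = 0
            st.lockouts += 1
            duration = min(BASE_LOCKOUT_SECONDS * 2 ** (st.lockouts - 1), MAX_LOCKOUT_SECONDS)
            st.locked_until = now + duration
            return "locked"
        return "denied"


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Five wrong guesses lock alice; the right password is refused while locked, accepted after."""
    clock = FakeClock()
    guard = LoginGuard(check_password, now=clock)
    results = [guard.attempt("alice", "wrong") for _ in range(5)]
    results.append(guard.attempt("alice", USERS["alice"]))  # still locked
    clock.advance(BASE_LOCKOUT_SECONDS + 1)
    results.append(guard.attempt("alice", USERS["alice"]))  # unlocked, succeeds
    return results


def escalation_demo():
    """Two consecutive lockouts without an intervening success: 60 s, then 120 s."""
    clock = FakeClock()
    guard = LoginGuard(check_password, now=clock)
    for _ in range(MAX_FAILURES):
        guard.attempt("alice", "wrong")
    first = guard.remaining_lockout("alice")
    clock.advance(first + 1)
    for _ in range(MAX_FAILURES):
        guard.attempt("alice", "wrong")
    second = guard.remaining_lockout("alice")
    return first, second


if __name__ == "__main__":
    print(simulate())
    print(escalation_demo())
```

The lockout check runs before the password is verified, so an attacker cannot keep testing guesses against a locked account; unknown usernames are tracked the same way as real ones so the response does not reveal which accounts exist.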

Not rocket science, but given the enforcement actions brought by the FTC, companies plainly do suffer from these mistakes and failures.   For more details on each point above, and to learn about some of the companies involved in these enforcement actions, click here to read the guide.

A recent blog posting by the Federal Trade Commission (FTC) on data retention and disposal practices is the genesis of this post.  The posting talks about the importance of having a plan in place in case a natural disaster, a hurricane or a flood, visits your company, and asks what would happen to your online and offline customer data in that event.  The FTC offers the following “data minimization and disposal tips:

  • Take stock. Create an inventory of the personal information you have. That way, if your files are destroyed or lost in a natural disaster, you’ll know what information is involved.
  • Scale down. Collect only what you need. For example, if there’s no business reason why you have to have someone’s Social Security number, don’t ask for it in the first place. Keep records only as long as you have a reason to maintain them. Don’t hold onto customer credit card information unless you have a business need for it.
  • Lock it. Store personal information in the safest part of your building. If information is missing after a natural disaster, contact law enforcement. If possible – this is where your inventory helps – contact affected individuals so they can place a fraud alert on their credit reports.
  • Pitch it. Properly dispose of what you no longer need. Shred, burn or pulverize paper records before discarding. If you use consumer credit reports for a business purpose, you may also be subject to the FTC’s Disposal Rule.”

I couldn’t agree more with the above bullet points.  But let’s expand upon this topic and talk about the proper disposal of background check reports used for employment or tenancy screening purposes.  These reports, defined under the federal Fair Credit Reporting Act (FCRA) as consumer reports, must be disposed of in a specific way.  Namely, they must be shredded, burned or pulverized if in hard copy.  If stored electronically, the electronic record should be wiped so that it cannot be reconstructed or recreated.

The FCRA’s Disposal Rule (“Rule”), which became effective in 2005, states that when a company’s data retention policy allows for the disposal of consumer reports (aka background check reports) which contain sensitive personal information about employees or tenants, they must be disposed of in a manner which protects against “unauthorized access to or use of the information.”  (FCRA § 628).  The FTC enforces the Rule. The Rule covers not only the background screening companies that provide the reports, but also the employers and landlords who use them.

The Rule requires practices that are reasonable and appropriate to the type of personal information retained and being disposed of.   And I quote this directly from the FTC, “reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

  • burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
  • destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
  • conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
    • reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
    • obtaining information about the disposal company from several references;
    • requiring that the disposal company be certified by a recognized trade association;
    • reviewing and evaluating the disposal company’s information security policies or procedures.”

Note that section 628 of the FCRA provides for the issuance of regulations related to the disposal of records.  If you want to read the actual Rule it can be found by clicking here, which takes you to 16 CFR Part 682.

The Federal Trade Commission (FTC) has issued an updated guide for employers regarding compliance with the federal Fair Credit Reporting Act (FCRA) when conducting background checks, as well as the Equal Employment Opportunity Commission’s (EEOC) guidance on the use of criminal history records for employment screening under Title VII of the Civil Rights Act of 1964.  Read more here.

The publications featured by the FTC are the following:

Given the amount of private litigation in this space, which I have previously discussed on this blog many times, including here and here, employers should be mindful of both the FCRA and EEOC guidance when conducting employment-related background checks.  In addition, there are state consumer protection statutes that employers should be aware of.  All of which can be successfully navigated if using the services of a reputable background screening company and working with experienced counsel.  At Arnall Golden Gregory we are happy to assist with such.

 

Yesterday the Government Accountability Office (GAO) released a report on the use of criminal background checks (GAO-15-162) tied to a congressional request.  The title of the report is, “Criminal History Records – Additional Actions Could Enhance the Completeness of Records used for Employment-Related Background Checks”.

The GAO report sought to address “to what extent (1) states conduct FBI record checks for selected employment sectors and face any challenges; (2) states have improved the completeness of records, and remaining challenges that federal agencies can help mitigate; and (3) private companies conduct criminal record checks, the benefits those checks provide to employers, and any related challenges.”  This blog will focus on what the report says about private background screening companies.  Specifically the GAO report found that:

  • The use and number of private companies conducting criminal record background checks for employment screening appears to be increasing because of employer demand;
  • Both the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) are responsible for enforcing provisions of the Fair Credit Reporting Act (FCRA) which are applicable to background screeners, as they are considered “consumer reporting agencies” under the FCRA;
  • According to FTC officials, from FY 2009 – 2014, the “FTC settled 16 complaints against private background screening companies and employers for alleged FCRA violations” and of the 16 complaints, 4 included allegations related to the use of criminal history information for employment purposes (See page 35 of the report);
  • CFPB officials noted that “they have not received many consumer complaints regarding the use of criminal history records in employment background checks” (See page 35 of the report); and
  • Private background screening companies generally conduct name-based checks as opposed to fingerprint-based checks, which according to the report, can “decrease the accuracy of the information that the check produces.”  However, use of additional identifiers, such as date of birth, can help mitigate accuracy concerns (See page 38 of the report).

The report concludes on page 39 by saying that “employers’ increasing use of criminal history record checks to determine applicants’ suitability for employment, licensing, or volunteering underscores the need for accurate and complete criminal records–including the final disposition of any criminal charges–and assurances that applicants have an opportunity to challenge or correct potentially inaccurate records.”  The report lays out three recommendations for executive action involving the FBI and states, and those are listed on page 40 of the report.

Plaintiffs’ counsel have targeted a wide range of employment and tenant screening firms’ operations practices in recent litigation, alleging violations of state and federal requirements for user onboarding, report accuracy, file disclosures, data obsolescence, and data privacy requirements. Meanwhile, Federal Trade Commission enforcement actions and amicus briefs reveal important clues to agency thinking on obsolescence, privacy, and other requirements.

To stay ahead of the curve, how do smart CRAs and Resellers learn from these developments in reviewing their operations practices?

Join me and Jay Harris, Senior Director, National Background Data, for a complimentary webinar to learn more this Wednesday, September 10th at 1 p.m. EST.  Click here and then click on Webinars to register.

The Federal Trade Commission (FTC) will host a public workshop entitled “Big Data: A Tool for Inclusion or Exclusion?” in Washington, D.C. on September 15, 2014, to further explore the use of “big data” and its impact on American consumers, including low income and underserved consumers.    This is one in a series of workshops the FTC has held this year.

I will be a speaker on Panel 3: Surveying the Legal Landscape.  Our panel will  review various antidiscrimination and consumer protection laws and discuss how they may apply to the use of big data, and whether there may be gaps in the law.  Other panels will consider the current environment and uses of big data and how these uses impact consumers, benefits and harms of the uses of big data on particular populations of consumers, and best practices for the use of big data to protect consumers.  The FTC’s goal with this workshop is to address the following issues:

  • “How are organizations using big data to categorize consumers?
  • What benefits do consumers gain from these practices? Do these practices raise consumer protection concerns?
  • What benefits do organizations gain from these practices? What are the social and economic impacts, both positive and negative, from the use of big data to categorize consumers?
  • How do existing laws apply to such practices? Are there gaps in the legal framework?
  • Are companies appropriately assessing the impact of big data practices on low income and underserved populations? Should additional measures be considered?”

The workshop is free and the day is filled with interesting panels.  Click here to view the agenda.

 

Join us tomorrow for DPRCRA Live: Privacy at MidYear to learn about the latest developments in the privacy field. Tomorrow’s webinar is another in a series of webinars hosted by my firm, Arnall Golden Gregory LLP, and the Privacy & Consumer Regulatory Practice Group.  This month we will review and discuss some of the biggest events that have occurred in the privacy field to date in 2014.  This webinar will cover the following major events and developments:

  • The FTC’s new Data Broker Report;
  • Wyndham and LabMD – the battle over the FTC’s authority;
  • Updates on data privacy in the European Union and the “right to be forgotten”;
  • EU Safe Harbor;
  • The FTC Spring Privacy Series, including discussions on: mobile device tracking and alternative scoring products;
  • Debt collection in light of the FTC’s settlement with Consumer Portfolio Services; and
  • An update on the past six months on Capitol Hill.

Join AGG Privacy attorneys Montserrat Miller, Joseph Rubin, Kevin Coy and Kelly Gordon Zemil for this one-hour, complimentary webinar. A live Q&A session will follow the discussion.

To Register please click this link.

 

 

Two companies have agreed to settle Federal Trade Commission (FTC) charges that they violated the Fair Credit Reporting Act (FCRA) as consumer reporting agencies.  The FTC alleged that Instant Checkmate, Inc. and InfoTrack Information Services (InfoTrack) violated the FCRA by providing reports to employers and landlords without taking reasonable steps to make sure that they were accurate and without making sure their users had a permissible purpose to have them.  Both companies have agreed to pay civil penalties — $525,000 against Instant Checkmate and $1 million against InfoTrack and its owner (due to their inability to pay, all but $60,000 of the penalty imposed is suspended against InfoTrack and its owner).

Instant Checkmate offered an online service allowing consumers to request background reports which it obtained from public records and which were used to determine eligibility for employment or housing.  InfoTrack sold reports for employment screening purposes. In a statement by Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, she stated, “Data brokers that operate as consumer reporting agencies have a responsibility to ensure the accuracy of the information they sell for decisions about whether to hire someone, extend them credit, rent them an apartment, or insure them.”

Allegations against Instant Checkmate for FCRA violations include:

  • Failing to maintain reasonable procedures to ensure that those using its reports had permissible purposes for accessing them — FCRA § 607(a);
  • Furnishing reports to users that it did not have reason to believe had permissible purposes to access them — FCRA § 604;
  • Failing to follow reasonable procedures to assure that its reports were as accurate as possible — FCRA § 607(b); and,
  • Failing to provide FCRA-mandated user notices — FCRA § 607(d).

Disclaimer Language – Instant Checkmate included disclaimers on its website stating that it was not a consumer reporting agency for purposes of the FCRA and that individuals could not use the company’s background reports for FCRA purposes. Anyone who follows my blog knows what I have to say about that.  Such disclaimers are meaningless in the eyes of the FTC and in fact, likely only to encourage the FTC to further scrutinize the website.

Allegations against InfoTrack for FCRA violations include:

  • Failing to use reasonable procedures to assure maximum possible accuracy of consumer report information obtained from sex offender registry records – FCRA § 607(b);
  • Failing to provide FCRA-required notices to users and furnishers – FCRA § 607(d); and,
  • Failing to provide written notices to consumers of the fact that InfoTrack reported public record information to prospective employers, when that information was likely to adversely affect consumers’ ability to obtain employment – FCRA § 613(a)(1) and (a)(2).

Searches and Identifiers – With respect to the accuracy of the reports provided to employers, InfoTrack allegedly searched the National Sex Offender Registry using name and date of birth, but in some instances it reported “possible matches” to employers based on name-only searches. The FTC alleged that these practices and procedures resulted in reports containing registry information about individuals who could not have been the subject of the inquiry (see page 5 of the Complaint).

The complaints and proposed consent orders were filed in the following courts: 1) Instant Checkmate: U.S. District Court for the Southern District of California; 2) InfoTrack Information Services: U.S. District Court for the Northern District of Illinois. The proposed consent decrees are subject to court approval.

 

In a recent amicus brief before the U.S. Court of Appeals for the Ninth Circuit, the Federal Trade Commission (“FTC”) and Consumer Financial Protection Bureau (“CFPB”) – double the pleasure – teamed up to provide their interpretation of section 605(a) of the Fair Credit Reporting Act (“FCRA”), the reporting of “other adverse items of information” and the seven year reporting period.

The matter, Moran v. The Screening Pros LLC (Case No. 12-57246), involves a consumer report used for tenant screening purposes.  The report, made in 2010, listed a 2000 misdemeanor drug charge that was dismissed in 2004.  This is the key fact, and this is where the FTC and CFPB claim the Plaintiff is correct in saying that the consumer report provided to the property manager should not have included the misdemeanor drug charge, as the information was outside the seven-year window.

For brevity’s sake, the issue at hand is the FCRA restriction on a consumer reporting agency (“CRA”) including obsolete information in a report.  Enter section 605(a) of the FCRA.  Long and short of it, the FTC and CFPB take the position that the FCRA restricts the reporting of “any other adverse item of information…which antedates the report by more than seven years.”  Page 11 of the amicus brief states:

 “An adverse item, when it occurs, starts the seven-year period.  Later related events that are not in themselves adverse do not reopen the period.  Thus, in the case of a criminal charge that is eventually dismissed, the dismissal is not an adverse item that starts its own seven-year reporting period.  It is simply the disposition of a truly adverse item, the underlying criminal charge.”

The FTC and CFPB drew an analogy to obsolete debts: later, non-adverse events relating to a debt do not extend the period in which a CRA may report the fact that the debt was referred to collection.

Word to the Wise – CRAs should review their practice with respect to the reporting of dismissals under section 605(a).  While this is just an amicus brief that does not carry the weight of law, it may nonetheless portend future action given that the CFPB has rulemaking authority under the FCRA.

If you would like a copy of the amicus brief, please contact me by email at montserrat.miller@agg.com.