Scherzer Blog

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.

The FFIEC issues “shellshock” vulnerability alert to financial institutions

The Federal Financial Institutions Examination Council (the “FFIEC”) issued an alert advising financial institutions about a material security vulnerability in the Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems. The vulnerability, nicknamed “shellshock,” could expose organizations and individuals to potential fraud, financial loss, or access to confidential information. Any financial institution that provides secure services with Linux or *nix variants running a vulnerable version of the Bash shell could be at risk no matter what their vendor mix. Given the widespread use of Bash and the evolving nature of the risk, the FFIEC said that regulators expect financial institutions to perform a risk assessment and address the shellshock vulnerability not only in their own systems, but also with their third-party service providers.

FTC halts high school diploma mill

At the request of the Federal Trade Commission (the “FTC”), on September 16, 2014, the U.S. District Court for the Southern District of Florida imposed a temporary restraining order to halt the business operations of Diversified Educational Resources, LLC (DER), and Motivational Management & Development Services, Ltd. (MMDS), and freeze their assets. The FTC’s lawsuit seeks a permanent injunction to stop the defendants’ deceptive practices and to return ill-gotten gains to consumers, which according to a preliminary review of bank records referenced in the lawsuit were more than $11,117,800 since January 2009.

The complaint alleges that the defendants violated the FTC Act by misrepresenting that the diplomas were valid high school equivalency credentials and that the online schools were accredited. The FTC charges that the defendants actually fabricated an accrediting body to give legitimacy to their diploma mill operation. DER and MMDS allegedly sold the diplomas since 2006 using multiple names, including jeffersonhighschoolonline.com, jeffersonhighschool.us, enterprisehighschool.us, and ehshighschool.org, which purport to describe legitimate and accredited secondary school programs such as “Jefferson High School Online” and “Enterprise High School Online.” The websites claim that consumers can become “high school graduate[s]” and obtain “official” high school diplomas by taking an online exam and paying between $200 and $300. In numerous instances, consumers who attempt to use their Jefferson or Enterprise diplomas to enroll in college, enlist in the military, or apply for jobs are rejected because of their invalid high school credentials.

The SRA issues warning about a fake website

The Solicitors Regulation Authority (the “SRA”) in the United Kingdom issued a bulletin that it received a report that a website “dovernorchambers.com is operating which refers to the firm Dovernor Chambers” and that the wording on the website appears to have been cloned from the websites of genuine law firms without their knowledge or consent. The SRA says that it is identifying a new fake law firm on an almost daily basis. Some scammers reportedly are stealing a law firm’s entire web page, and then changing the contact information to redirect traffic elsewhere.

Class action for unauthorized disclosure of PHI is a new twist under FCRA

A recent class-action is seeking damages for the unauthorized disclosure of personal health information (“PHI”) under the Fair Credit Reporting Act (the “FCRA”). The plaintiffs claim that the defendant hospital allowed the unauthorized access of confidential records of the putative class members, including PHI, held by a third-party records vendor without their knowledge or consent and without sufficient security. Among other claims, the plaintiffs allege that the hospital violated the FCRA by failing to implement adequate safeguards to protect their personally identifiable information and PHI from a data breach suffered by the third-party vendors. The plaintiffs argue that the hospital was a CRA that created “consumer reports” containing sensitive information including names, dates of birth, Social Security numbers, billing information and confidential health records, and disseminated this information to medical service providers affiliated with the defendant, and that the defendant allowed employees of the vendor and others to gain unrestricted access to their personally identifiable information and PHI, which was allegedly misused and intentionally disclosed to third-parties for profit.

District of Columbia joins ban-the-box movement

On August 22, 2014, District of Columbia’s mayor signed new legislation titled the Fair Criminal Record Screening Amendment Act of 2014 that prohibits most employers in DC from both inquiring about criminal history information during the application process and obtaining a criminal background check until after a conditional offer of employment is made to the applicant. The law, which imposes a host of other restrictions and requirements on using criminal record information for personnel decisions, will take effect following a 30-day period of Congressional review as provided in the District of Columbia Home Rule Act and publication in the District of Columbia Register.

New Jersey’s new ban-the-box law goes into effect March 1, 2015

Signed into law last month, The Opportunity to Compete Act will take effect March 1, 2015, preventing many private employers in New Jersey from asking job candidates about their criminal history on the initial job application. In “banning the box” for private employers, New Jersey joins the District of Columbia, Hawaii, Illinois, Massachusetts, Minnesota, Rhode Island, and the cities of Philadelphia (PA), Newark (NJ), Buffalo (NY), Seattle (WA), San Francisco (CA), Baltimore (MD), and Rochester (NY) in postponing inquiries about criminal record information until later in the hiring process, and imposing other requirements on the use of such records in employment decisions.

Reminder: San Francisco’s tough ordinance that restricts asking about and using criminal records in employment and housing decisions starts August 13, 2014

Effective August 13, 2014, the Fair Chance Ordinance (the “FCO”) (see also the FCO FAQs) requires covered employers, contractors, and housing providers to review an individual’s qualifications before inquiring about his/her criminal history and follow strict rules for using the information.

The FCO applies to private employers that are located or doing business in the city and county of San Francisco, and employ 20 or more persons worldwide. This 20-person threshold includes owner(s), management, and supervisory personnel. The FCO covers positions (including contractor and other status) located within San Francisco, regardless of where the employer is located, as long as the position is “in whole, or in substantial part, within the city.” San Francisco’s Office of Labor Standards Enforcement (the “OLSE”) interprets “in substantial part” to mean an average of eight hours of work performed per week in San Francisco.

Along with banning inquiries about a criminal history or pending charges on the job application or during the first live interview, the FCO prohibits asking about six categories of criminal record information altogether, and mandates significant measures for individualized assessment, including considering only “directly-related convictions that have a direct and specific negative bearing on the [applicant’s] ability to perform the duties or responsibilities necessarily related to the position,” the time elapsed since the conviction, evidence of inaccuracy, evidence of rehabilitation and/or other mitigating factors.

An aspect of the ordinance that is especially noteworthy is that employers are prohibited from inquiring about or considering convictions that are more than seven years old, with “the date of conviction being the date of sentencing.” Under California law, there already is a seven-year limitation on such records, but the look-back period starts from the date that a person is released from custody. Also of note is that before taking any adverse action based on a criminal record, the ordinance requires that the employer wait seven days (from the date of the potential adverse action notice) before taking such action. If during the seven-day waiting period the individual gives the employer notice, orally or in writing, of evidence of an inaccuracy, rehabilitation, or any other mitigating factor, the employer must delay the adverse action for a “reasonable” time to reconsider the action.

Employers must also ensure that criminal background inquiries later in the process comply with the notice guidelines published by the OLSE, as well as with the already existing background check disclosure/authorization requirements under California’s ICRAA and the FCRA. Highlighted below are the ordinance’s more significant notice requirements:

  • Covered employers must post, in a conspicuous place at every workplace, including a temporary site, or other location in San Francisco under the employer’s control where applicants or employees visit, a notice of rights provided by the OLSE. The notice must be posted in English, Spanish, Chinese, Tagalog and any other language spoken by 5% or more of the employees in the workplace, job site, or other location. (Translations of the notice in Chinese, Spanish, and Tagalog are available on the OLSE website.)
  • Employers must state in all job solicitations or advertisements that are reasonably likely to reach potential applicants seeking employment in San Francisco that the employer will consider qualified individuals with a criminal history.
  • Employers must send the notice to each labor union or representative with whom the employer has a collective bargaining agreement or other agreement that is applicable to employees in San Francisco.
  • Prior to any criminal history inquiry, including from procuring or conducting a background check, an employer must provide this notice to an applicant or employee when he/she is given the required FCRA/ICRAA disclosure and authorization form to sign.

FINRA wants to increase awareness of its BrokerCheck and make more information public

FINRA’s online investor tool for researching the professional backgrounds of firms and brokers, the BrokerCheck, is accessible to all members of the public from the front page of its website. In a revised proposal, which includes changes made in response to comments regarding a prior proposal to amend FINRA Rule 2267 (Investor Education and Protection), firms would be required to include a readily apparent reference and hyperlink to the BrokerCheck on each website that is available to retail investors, and in online retail communications with the public that include a professional profile of, or contact information for, an associated person, subject to specified conditions and exceptions.

FINRA is also seeking comments (until September 2, 2014) on a proposal to make publicly available, through FINRA’s website, a repository of Form 211 information. Firms are required to complete this form to demonstrate compliance with the specific information review requirements under SEA Rule 15c2-11 prior to initiating a quotation in a non-exchange-listed security.

Class-action against U.S. Census Bureau alleges race-bias in using criminal background checks

On July 1, 2014, a magistrate judge in the U.S. District Court for the Southern District of New York certified as a class-action an unprecedented lawsuit brought under Title VII of the Civil Rights Act of 1964, that alleges the U.S. Census Bureau’s process of using criminal background checks when selecting temporary workers for the 2010 census unlawfully screened out approximately 250,000 African-Americans. Filed in April 2010, the complaint charges that in hiring nearly a million temporary workers, most of whom went door-to-door seeking information from residents, the Bureau erected unreasonable and largely insurmountable hurdles for applicants with arrest records, regardless of whether the arrests were decades old, were for minor charges, or led to criminal convictions.
