Scherzer Blog

U.S. Supreme Court case offers window into CFPB’s position on the FCRA

The U.S. Supreme Court has agreed to hear a closely followed case involving the Fair Credit Reporting Act (the “FCRA”) that will have great significance on privacy law. In connection with this case, the Consumer Financial Protection Bureau (CFPB) offered a glimpse of its stance on the FCRA in an amicus brief recently filed with the U.S. Supreme Court.

In 2012, the Bureau took over the enforcement reins of the FCRA from the Federal Trade Commission (FTC). Since then, the industry has watched for signs on how the Bureau would tackle its new job, with few clues. But in an amicus brief filed jointly with the Solicitor General in Spokeo v. Robins, the CFPB weighed in, taking a consumer-friendly position on the statute.

The dispute began when Robins claimed that Spokeo ran afoul of the FCRA. The spokeo.com site allows users to obtain information about other individuals like address, phone number, employment information, and economic data such as mortgage value and investments. Robins sued after finding incorrect information about himself on the site, alleging that Spokeo was a consumer reporting agency (CRA) under the FCRA and sold “consumer reports” but failed to comply with the various statutory requirements by neglecting to assure the maximum possible accuracy of the information reported on its site and failing to provide notice of statutory responsibilities to purchasers of its reports.

Relying on Section 1681n of the FCRA, which grants consumers a cause of action against an entity that negligently or willfully violates “any requirement imposed [under the FCRA] with respect to [that] consumer,” Robins filed a putative class action. A federal district court dismissed the suit for a lack of standing but the Ninth Circuit Court of Appeals reversed. The federal appellate panel held that Robins sufficiently alleged an injury in fact because Congress created a right of action to enforce a statutory provision, demonstrating intent to create a statutory right.

Spokeo petitioned the U.S. Supreme Court to take the case. The CFPB filed the amicus brief, siding with the plaintiff and arguing that the justices should deny the writ of certiorari. The Bureau argued to the Court that the statutorily created cause of action found in the FCRA satisfied the injury required for Article III standing. While recognizing that Congress does not have unlimited power to define the class of plaintiffs who may sue in federal court, the CFPB said the legislature “may grant individuals statutory rights that, when violated, confer standing, and the clear language of the FCRA did just that.”

“FCRA thus grants an individual consumer a statutory entitlement to be free from a CRA’s actual dissemination of inaccurate information about him when the CRA fails to employ ‘reasonable procedures’ to assure the information’s accuracy,” according to the CFPB’s brief. “A CRA’s willful failure to follow reasonable procedures to ensure that an accurate report about a consumer is disseminated violates a ‘requirement imposed under [FCRA] with respect to [that] consumer.’ It is also a concrete and particularized injury to the consumer because it involves the actual, specific, and non-abstract act of disseminating information about the particular consumer.” This reading – recognizing a legally protected interest in consumer privacy – “is particularly salient in modern-day society given the proliferation of large databases and the ease and rapidity with which information about individuals can be transmitted and retransmitted across the Internet,” the CFPB added, as “public dissemination of inaccurate personal information about the plaintiff is a form of ‘concrete harm’ that courts have traditionally acted to redress, whether or not the plaintiff can prove some further consequential injury.”

Read the CFPB’s amicus brief in Spokeo v. Robins here.

Read the opinion of the U.S. Court of Appeals for the Ninth Circuit here.


New law limits credit checks for New York City employers

New York City has joined the growing list of jurisdictions placing limits on employer credit checks. On April 16, the City Council overwhelmingly voted in favor of a bill prohibiting the use of credit checks in most employment situations. Mayor Bill de Blasio signed the legislation on May 6, amending the city’s Human Rights Law to make the use of credit history for hiring and other employment purposes, with certain exceptions, an unlawful discriminatory practice. Set to take effect on September 3, 2015, the law will have a sizable impact on employers in New York City. A review of current policies and procedures to determine if any exceptions apply is key, while employers with a statewide presence should consider whether to continue credit checks in other locations where they remain legal.

As defined by the law, “consumer credit history” means an individual’s credit worthiness, credit standing, credit capacity, or payment history, as indicated by: (a) a consumer credit report; (b) credit score; or (c) information an employer obtains directly from the individual regarding (1) details about credit accounts, including the individual’s number of credit accounts, late or missed payments, charged-off debts, items in collections, credit limit, prior credit report inquiries, or (2) bankruptcies, judgments or liens. The law further provides that “a consumer credit report shall include any written or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity or credit history.”

Importantly, employers are prohibited not just from the request or use of credit history for applicants, but also from using credit history as a factor in employment decisions for current employees in “compensation, or the terms, conditions or privileges of employment.”

When initially introduced, the proposal featured no exceptions to the ban on credit checks. But over the course of the past year, limited exceptions were added to the bill. As enacted, the legislation permits the use of credit checks for prospective employees of broker-dealers who must register with the Financial Industry Regulatory Authority (FINRA) as well as for police officers and other public officials in a position involving a “high degree of public trust.” Additional exceptions allow a review of credit history when required by state or federal law or regulations; for positions when an employee must possess a security clearance or has “regular access” to intelligence or national security information; for non-clerical positions with access to “trade secrets;” for computer security positions when the employee’s duties include the ability to modify digital security systems; and for employees with signing authority over third-party funds or assets greater than $10,000 or fiduciary responsibility to an employer with the authority to enter into financial agreements of $10,000 or more.

The law permits individuals to file a complaint of discrimination with the New York City Commission on Human Rights within a one-year period or a complaint in court, with a three-year statute of limitations. Remedies include back pay, reinstatement, compensatory and punitive damages, and attorney’s fees and costs.

New York City joins 12 other jurisdictions that have prohibited credit checks in employment-related decisions, including the city of Chicago as well as California, Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington.

Read the New York City legislation here.

EEOC loses – again – in challenge to background checks

In the latest blow to the Equal Employment Opportunity Commission’s (the “EEOC”) attempts to regulate employers’ use of background checks, the Fourth U.S. Circuit Court of Appeals threw out a case in a scathing opinion that expressed disappointment in the agency’s litigation conduct.

The controversy began in April 2012, when the EEOC released guidance on the issue of criminal background checks for employers. The “Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964” emphasized that while the use of criminal history does not violate the statute per se, an employer may run afoul of the law if the checks result in systemic discrimination based on a protected category like race, color, national origin, religion, or sex.

As an alternative, the agency suggested employers strive to perform individualized assessments of prospective employees, and consider factors such as the nature of the crime and its relation to the potential job, as well as the individual’s rehabilitation efforts and the length of time that has passed since the conviction.

The EEOC then followed up with multiple lawsuits alleging that certain employers engaged in the discriminatory use of background checks, disproportionately screening out African-American workers in cases filed against BMW Manufacturing in South Carolina, Dollar General in Illinois, Kaplan Higher Education Company in Ohio, and Freeman Company in Maryland.

To date, all of the lawsuits have been dismissed and the agency has faced criticism about its efforts to pursue such cases from both industry and lawmakers. The most recent critic: the Fourth Circuit.

In the agency’s case against Freeman Company, the EEOC alleged the company’s use of criminal background checks for all applicants and credit checks for “credit sensitive” positions had an unlawful disparate impact on black and male job applicants. To support its case, the agency produced expert reports by an industrial/organizational psychologist. But the federal district court granted summary judgment for Freeman, finding the psychologist’s reports “rife with analytical errors” and “completely unreliable.”

The Fourth Circuit affirmed the ruling, identifying “an alarming number of errors and analytical fallacies” in the reports, “making it impossible to rely on any of his conclusions.” Freeman provided complete background screening logs for thousands of applicants to the EEOC but the psychologist “cherry-picked” data, the court said, omitting information from half of the company’s branch offices while purporting to analyze all the background checks, and further failed to utilize an appropriate sample size, drawing the vast majority of the data he analyzed from the period before October 14, 2008.

Although the relevant time period extended to August 31, 2011 and Freeman conducted over 1,500 criminal checks and more than 300 credit reviews between October 14, 2008 and August 31, 2011, the psychologist used data from only 19 applicants during that time, just one of whom passed the check.

A “mind-boggling number of errors and unexplained discrepancies” existed in the psychologist’s database, the panel added, rejecting the EEOC’s argument that the mistakes originated in Freeman’s data. The psychologist introduced the errors, the court said, and further managed to introduce fresh errors when he tried to supplement his original reports with corrections.

“The sheer number of mistakes and omissions in the analysis renders it ‘outside the range where experts might reasonably differ,’” the three-judge panel wrote. One of the panelists added a concurring opinion expressing concern with the “EEOC’s disappointing litigation conduct” and continued efforts to defend the psychologist’s work despite other courts reaching similar conclusions about his reports.

“The Commission’s conduct in this case suggests that its exercise of vigilance has been lacking,” according to the concurring opinion. “It would serve the agency well in the future to reconsider how it might better discharge the responsibilities delegated to it or face consequences for failing to do so.”

With public criticism, zero litigation victories, and a counterargument from one defendant that its background check procedures are the same as those conducted by the agency itself, the Fourth Circuit’s decision does not bode well for the future of EEOC challenges to background checks. That said, employers should still be cautious and utilize background reports in a non-discriminatory manner.

Read the EEOC guidance.

Read the opinion in EEOC v. Freeman.

No number, no lawsuit

Tossing a lawsuit alleging religious discrimination, the Sixth U.S. Circuit Court of Appeals found that an applicant could not sue after refusing to provide his Social Security number to a prospective employer. The plaintiff, an applicant for a position with an energy company, claimed that he had no number because he “disclaimed and disavowed it” on account of his sincerely held religious beliefs.

The company’s refusal to hire the plaintiff violated Title VII and Ohio state law, the complaint charged, requesting both injunctive relief in the form of a job and monetary damages. A federal district court judge dismissed the lawsuit, and the federal appellate panel affirmed.

Courts considering the issue apply a two-step analysis, the Sixth Circuit explained. First, the court determines whether the plaintiff established a “prima facie case of religious discrimination,” which requires proof that the plaintiff “(1) holds a sincere religious belief that conflicts with an employment requirement; (2) has informed the employer about the conflicts; and (3) was discharged or disciplined for failing to comply with the conflicting employment requirement.” If the plaintiff manages to establish a prima facie case, the burden shifts to the employer to show it could not “reasonably accommodate” the religious beliefs without “undue hardship.”

This suit failed under the first step, the panel said, because the Internal Revenue Code mandates that employers collect and provide the Social Security numbers of their employees. Because the company’s collection of the plaintiff’s number was a “requirement imposed by law” and not an “employment requirement,” the court had no need to consider the sincerity of the plaintiff’s beliefs.

The panel also noted that every other federal appellate court to consider the issue has concluded “that Title VII does not require an employer to reasonably accommodate an employee’s religious beliefs if such accommodation would violate a federal statute,” citing decisions from the Fourth, Eighth, Ninth, and Tenth Circuits, as well as federal district courts in Michigan and Virginia.

All of the courts have arrived “at the same, sensible conclusion: ‘[A]n employer is not liable under Title VII when accommodating an employee’s religious beliefs would require the employer to violate federal … law,’” the Sixth Circuit wrote. “This conclusion is consistent with Title VII’s text, which says nothing that might license an employer to disregard other federal statutes in the name of reasonably accommodating an employee’s religious practices.”

For employers, the decision provides even greater peace of mind. With five federal appellate courts in agreement that a religious discrimination claim will not stand against an employer that complies with federal requirements to collect an applicant’s Social Security number, companies do not have to worry about the merits of a Title VII lawsuit under such circumstances.

Read the opinion.

Do you know about specialty consumer reports?

Credit reports are a part of life, whether applying for a credit card or purchasing a home. But what about specialty consumer reports?

Many people are unaware that dozens of other types of consumer reports exist, filled with information about medical and prescription history, for example, or insurance claims. Specialty consumer reports gather data from a wide variety of sources including information provided by consumers on applications (such as an apartment lease or a wireless phone contract) as well as public documents like criminal records and marriage licenses.

The reports provide information geared for a specific industry. A truck driving company might purchase reports that detail a job applicant’s driving record and motor vehicle insurance claims while an insurer will review a report with claims filed by a homeowner to check an individual’s historic use of insurance policies. Other niche reports provide data on loan balances, information about any bounced checks, and bank account history for lenders; another company tracks consumers’ product returns and will alert large retailers for fraud prevention purposes.

The Fair Credit Reporting Act (the “FCRA”) entitles consumers to one free report per year from any nationwide credit or specialty reporting agency (plus another free report if an adverse action has been taken, or the consumer disputes an item in the report that was corrected).

Recently, consumer rights group Consumer Action focused on the issue of specialty consumer reports in an “Insider’s Guide to Specialty Consumer Reports: A Guide to Obtaining, Understanding and Managing Your Information,” complete with a directory of furnishers. Staffers went through the process of requesting their own reports to help provide information for consumers about the types of reports available and their rights to request reports or correct errors.

Access the Consumer Action guide.

Read the directory of specialty consumer report furnishers.

Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements. Compliance Bulletin 2015-01, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up-to-speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the more thorny agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act”.

Securities class actions remain popular

For regulated entities, an enforcement action by a government agency is practically guaranteed to result in a parallel consumer class action.

Nowhere is that more clear than for publicly traded companies regulated by the Securities and Exchange Commission (SEC). Securities class actions were considered to be so rampant that in 1995, Congress enacted the Private Securities Litigation Reform Act (PSLRA) to curb what the industry believed were abusive practices.

While the statute raised the bar for private enforcement actions, it certainly did not close the courtroom doors to plaintiffs. Although there are fewer suits brought today, complaints are still filed lockstep with an agency enforcement action and in significant enough numbers to keep companies on their toes.

Industry watchers predicted that a seminal case decided by the U.S. Supreme Court last term, Halliburton Co. v. Erica P. John Fund (Halliburton II), would result in a decrease in class actions filed. That case involved a popular theory known as “fraud on the market,” where plaintiffs were not required to demonstrate that each individual class member relied on any allegedly misleading statements if the security at issue could be shown to be “efficient,” or with a market price reflecting all of its publicly available information.

While the Court did not toss the theory, the justices held that defendants can rebut the presumption prior to class certification. The June decision appeared to have little impact on the figures for 2014 filings. For example, NERA Economic Consulting reported that 221 securities class actions were filed last year, compared to 222 in 2013 and 212 in 2012.

Interestingly, although the number of complaints in securities class actions has not fluctuated much over the last few years, the aggregate amount of investor losses has declined, NERA found. 2014 saw a drop to $154 million from $159 million in 2013, down significantly from $243 million in 2012 and $248 million in 2011. Are certain industries facing more lawsuits than others? NERA reported that one quarter of all of the securities class actions were filed against companies in the health technology and services area. Other major players: the finance industry, in second place with 19 percent of the suits, followed by the electronic technology and service sector with 13 percent.

Securities class action plaintiffs are also continuing a trend of settling prior to trial. Of all the pending and newly filed cases in 2014, just one lawsuit was actually tried to verdict (resulting in a plaintiff victory). Almost half of the cases ended on the defendant’s motion to dismiss (48 percent last year with an additional 21 percent dismissed in part), NERA found; 75 percent of the cases that survived settled prior to the class certification stage of litigation.

Read the U.S. Supreme Court’s opinion in Halliburton II.

Asset searches: who can get bank information and why

Accessing bank account information can be vitally important, particularly for those engaged in a lending transaction seeking to fulfill due diligence requirements. But getting your hands on the information can be a challenge.

Asset searches are not illegal. However, certain methods to obtain bank or investment account information can be, such as pretext calling. The simplest way to obtain financial information is via the account holder, a designated representative, or a party with a valid court order. The first two options are unlikely to be forthcoming. As for the third choice, obtaining a court order to access such information can be time-consuming and costly.

Access to financial information is regulated by both federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) prohibits obtaining customer information from a financial institution under false pretenses and imposes an obligation on financial institutions to protect customer information. Generally, a “customer” is defined as an individual consuming goods or services for personal or household use, although some authorities have included sole proprietors, partnerships of five or fewer, and other small businesses to receive the same privacy protections. For businesses, the issue of data protection is governed by contract. While the consumer protection provisions of laws like the GLBA would not apply, it does not mean that financial institutions can freely share their information.

International asset searches present their own set of problems. Other countries – particularly those in the European Union – have strict data privacy laws that prohibit any access to personal information as well as the transfer of data across national borders. Federal law also comes into play, with the Foreign Corrupt Practices Act presenting potential liability issues if an entity searching for asset information obtained the information by illegal means (such as bribing a banking or government official).

What about judgments? While a judgment cannot by itself force a bank or brokerage firm to disclose account information, it allows a creditor to use the court to seize the debtor’s assets. With a judgment in hand, a creditor can file for an order of examination which will require the debtor to disclose – under oath – the location of assets, details about income, or other relevant information. However, the judicial process of obtaining a judgment reveals the intent of the creditor and can give the debtor time to empty an account or move assets prior to the court entering an order. Judgments can also be tricky to enforce. State law governs judgments with specifics varying in each jurisdiction. In California, a creditor must obtain a writ of execution directing a levying officer (usually a sheriff) to serve the writ on the named institution. The institution must then freeze the specific account(s) or, in certain situations, turn over the balance in the account. Serving a writ of execution in California was recently simplified to allow service on a “central location” designated by a bank with nine or more locations in the state or, for a bank without such a designated office, at any branch.

Long-arm statutes can be used to reach accounts in a jurisdiction other than where the judgment originated. A debtor can object to the attempt and courts typically impose a test of whether the debtor or third party (like the bank or brokerage holding the assets) has connections with the court or creditor, which, at a minimum, can delay the process and make it more expensive.

For assets like stocks, bonds, and commodities, creditors can again obtain a court order that can liquidate the account into cash to be turned over to the creditor. It should be noted that certain types of accounts (notably retirement accounts) cannot be reached, even in cases of fraud. To preserve an account balance, a creditor can serve a levy on a brokerage in order to put a hold on the account while waiting for a court order.

Public records – ranging from property records to litigation – can also help locate or confirm a debtor’s assets. One important consideration: it is essential to vet any company that purports to be able to obtain financial account information. Many misleading claims and offers about obtaining such information can be found on the Internet and creditors should ensure that any data obtained was in accordance with applicable law and regulations.

Going global: international background checks

As the business world increasingly goes global, even small or medium-sized companies may have international outposts or employees located beyond the U.S. border. In addition, with security – both physical and digital – an important issue, employers want to know everything they can about their employees.

Many employers are turning to international background checks. But a criminal record or a credit report like those used in the United States can get lost in the translation.

First up: cultural norms. What may seem perfectly routine and acceptable in the United States may confuse or offend those in other countries. For example, things like credit checks and drug tests are virtually unheard of abroad and cultural differences may yield what might by American standards be unusual answers in a personality test. A second important consideration: the law. Just as the U.S. has the Fair Credit Reporting Act (FCRA) and other regulations setting the boundaries of background checks, foreign jurisdictions have their own laws of the land. The French Labor Code, for example, requires that its “works council” review employment screening procedures prior to an employer’s use.

One huge legal complication can be found in the area of privacy law. The European Union imposes restrictions on obtaining information about employees or applicants, the way in which such information can be used, and how the information can be shared or transmitted. To alleviate some of the liability concerns, the U.S. has entered into a Safe Harbor framework with the European Commission, which requires compliance with seven principles of data security. And while the EU leads the pack, other countries (like Australia, Canada, Hong Kong, and Japan) also pose challenges with their strict regulation of privacy.

Having an applicant sign a consent form to release information may be of little help as several EU countries also recognize a presumption against enforcement of such agreements on the basis that employees and applicants have limited bargaining power in the employment context. Alternatively, employers may have better luck by having applicants do the work themselves, providing their own background information to avoid implicating data privacy laws. Of course, this raises authentication and accuracy questions.

The collection of criminal information can also present logistical challenges. Many countries do not have an organized court system, and records, if available, may have to be searched on a regional or town-by-town basis, or at multiple agencies (like the police, the court venue and a government agency, for example). Certain countries offer what is known as a “police certificate” which will confirm the information about an applicant found in police records. Some countries, like Poland, have banned the collection of criminal records altogether; Spain prohibits the possession of records but an applicant could, in theory, show an employer his or her record.

If the screening is being conducted by a consumer reporting agency located in the United States, the FCRA requirements also come into play. International background checks are not impossible, but they do pose a number of legal and cultural risks that can be tackled with the right planning and professional assistance from an experienced background screening company.

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Data Notification Act would establish nationwide, uniform data breach notification rules that would preempt the existing collection of 47 different state laws. Criminal penalties for hackers would also be strengthened and companies would be required to notify consumers of a breach within 30 days.

Broader than prior proposals of federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data, like an individual’s first and last name or initial and last name in combination with two other items like a home address or telephone number, birthdate, or mother’s maiden name, a Social Security number by itself, and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. Safe harbor is also provided for companies that conduct a “risk assessment” that determines the data breach did not result in – and will not result in – harm to affected individuals. The business must notify the FTC of its “risk assessment” results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about the Personal Data Notification & Protection Act.
