Privacy & Information Security Law Blog

On August 8, 2012, the Federal Trade Commission announced a settlement agreement with employment screening company HireRight Solutions, Inc. (“HireRight”). In its first enforcement action against an employment background screening company for Fair Credit Reporting Act (“FCRA”) violations, the FTC alleged that HireRight functioned as a consumer reporting agency, but failed to comply with certain FCRA requirements. The proposed consent order imposes a $2.6 million penalty on HireRight and requires the company to remedy the alleged FCRA violations, create and retain certain records and submit reports to demonstrate compliance.

As reported in the Hunton Employment & Labor Perspectives Blog:

The National Labor Relations Board ("NLRB") has again asserted its willingness to encroach upon employers’ long standing legitimate employment policies in a non-unionized workforce. In Banner Health System, 358 NLRB No. 93 (July 30, 2012), the Board held that a blanket policy prohibiting an employee from discussing an ongoing investigation violates section 8(a)(1) of the National Labor Relations Act.

Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) published a Bulletin signaling its intent to regulate and exercise enforcement authority over service providers to financial institutions. Pursuant to Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act and its implementing regulation, Regulation P, the CFPB has authority over certain large banks, credit unions and other consumer financial services companies. The Bulletin notes that the CFPB’s goal is to ensure compliance with “[f]ederal consumer financial law,” which includes the Gramm-Leach-Bliley Act and its implementing regulations, the Privacy Rule and the Safeguards Rule.

In recent months we have seen a dismissal and two settlements in class action suits alleging violations of the Telephone Consumer Protection Act (“TCPA”) by companies that used text messaging as part of advertising campaigns. The TCPA is a federal privacy law that imposes restrictions on telephone solicitations, including telemarketing calls and text messages.

On August 1, 2012, the Federal Trade Commission announced that it is seeking public comments on additional proposed modifications to the Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”). According to the FTC, the second-round revisions modify certain COPPA Rule definitions to “clarify the Rule’s scope and strengthen its protections for the online collection, use, or disclosure of children’s personal information.” The FTC developed these new definitions after reviewing the 350 public comments submitted in response to the Commission’s September 2011 proposal to amend the Rule.

On July 10, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released a statement on outsourced cloud computing activities. The statement, which was prepared by the FFIEC Information Technology Subcommittee, discusses key risk considerations associated with using third-party vendors to implement cloud computing solutions, and identifies applicable risk mitigation considerations contained in the various booklets that comprise the FFIEC IT Examination Handbook. The statement indicates that the FFIEC agencies “consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.” The paper focuses on addressing key risks of outsourced cloud computing identified in existing guidance. Key points include the following:

On July 24, 2012, a bipartisan group of eight members of Congress sent letters to nine major data brokerage companies requesting information on how the companies collect, assemble and sell consumer information to third parties. Representatives Ed Markey (D-MA) and Joe Barton (R-TX), who serve as co-chairmen of the Bipartisan Congressional Privacy Caucus, are leading the inquiry. The Privacy Caucus, which is an ad hoc group rather than a formally constituted congressional committee, is comprised of members who have a common interest in privacy issues. The Caucus cannot call formal hearings, compel production of materials or pass legislation.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

As reported in BNA’s Privacy & Security Law Report,on June 25, 2012, a federal district court in California ruled that the California Supreme Court’s 2011 Pineda decision, which held that requesting and recording zip codes during credit card transactions violates the state’s Song-Beverly Credit Card Act, applies retrospectively to OfficeMax’s collection of zip codes from its customers. The Plaintiffs in Dardarian v. OfficeMax had filed a class action lawsuit against OfficeMax over the company’s collection of ZIP code information from customers at the point of sale, a practice that OfficeMax ended the day the Pineda decision was handed down.

On July 19, 2012, California Attorney General Kamala Harris announced the formation of a new Privacy Enforcement and Protection Unit (“Privacy Unit”) within the state’s Department of Justice. The new unit will centralize existing Department of Justice efforts to protect privacy, educate consumers and forge partnerships with relevant industry players. According to the Attorney General’s press release, the broad mission of the Privacy Unit will include enforcing laws on issues such as cyber privacy, health privacy, financial privacy, identity theft, government ...