Companies are increasingly faced with class actions for alleged violations of one of the “big three” —the Telephone Consumer Protection Act (TCPA), Fair Debt Collection Practices Act (FDCPA), or the Fair Credit Reporting Act (FCRA). Although several thousand of these claims are filed each year, FCRA claims related to background checks is the only category that has grown since last year.
Most attorneys are well aware of statutory obligations that require private and governmental entities to notify individuals of data breaches that involve the loss or disclosure of personally identifiable information. An area that may be less clear, however, is what ethical obligations attorneys have to guard against data breaches involving client information and what steps attorneys must take when a data breach occurs.
Our client, we’ll call them Company X, provides installation, connection, upgrades and repairs for one of the country’s largest providers of residential and commercial television, telephone and Internet service. We’ll call their customer Company Y. Pursuant to their contractual agreement, our client (Company X) retained a third party vendor to conduct civil and criminal background checks on job applicants. However, in the last year Company Y was purchased by Company Z, an even larger provider of television, telephone and Internet services. Company Z requires our client to utilize a different third-party vendor for conducting background checks.
This summer, several automakers, including Tesla, Toyota, General Motors, Ford, and Volkswagen learned that their closely held trade secrets were readily available on the internet. The source? An unprotected back-up server. The rub? The server did not belong to any of the car manufacturers. Instead, the server belonged to a vendor of industrial automation services, Level One Robotics and Control (“Level One”), who had performed work for each of the manufacturers.
On July 13, 2018, over 50 civil liberties groups, technology companies and associations submitted a joint letter to Congress in support of the Email Privacy Act (EPA), which was recently included in the House- passed version of the National Defense Authorization Act (NDAA) for Fiscal Year 2019. The list of signatories included such tech giants as Google, Facebook, Amazon, Dropbox, Cisco Systems and Adobe. The EPA, if passed, would amend the Electronics Communications Privacy Act (ECPA) by requiring law enforcement and other government agencies to obtain a search warrant, based upon a showing of probable cause, before seizing emails, texts, and other information stored in the cloud. The EPA has been proposed, yet failed to pass, in prior legislative sessions, but proponents of the bill are hopeful that the time is right for these privacy protections to be put into place.
In an alert sent to banks on August 10th, the FBI warned banks that it had “obtained unspecified reporting indicating cyber criminals are planning to conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation’.”
Most companies perform background checks on employees at the outset as part of the application / new hire process. A number of background check companies are now offering “continuous screening” or re-screening services as a risk management tool where background checks are performed on all employees annually or semi-annually. Continuous background checks are gaining popularity among employers. In theory, this will catch items that were missed during the new hire process as well as criminal events that have transpired since the employee was hired. This is viewed as a risk management tool to protect against employee theft, embezzlement, fraud, violence, etc.
On May 29, 2018, Governor Hickenlooper signed HB—1128 into law. Importantly, the Bill amends the State’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach, and specifies the information that must be included in the data breach notice. The new law, which takes effect September 1, 2018, applies to “covered entities,” (if your business maintains, owns, or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”), also sets forth certain data security requirements, and adds requirements regarding the disposal of personal identifying information.
The California Senate narrowly passed a bill earlier this week that would allow businesses to be sued for data breaches without proof of any injury. As this bill moves to the Assembly, there is already talk among legislators about amending it to include a safe harbor provision. But will any safe harbor address opponents’ concerns?