Supreme Court Defers on Constitutional Right to Information Privacy; Scalia Predicts Increased Litigation

On January 19, the Supreme Court decided NASA v. Nelson, a case brought by NASA contractors alleging that questions asked by the federal agency in a background check violated their constitutional right to information privacy -- i.e., a constitutional privacy interest in the government "avoiding the disclosure of personal matters" recognized in a pair of 1977 cases, Whalen v. Roe and Nixon v. Administrator of General Services.  At issue were questions asking whether the contractors received "any treatment or counseling" regarding illegal drug use within the previous year (as a follow-up to a question regarding whether they used, possessed, supplied, or manufactured illegal drugs within that year), and questions directed toward references for information bearing on "suitability for government employment or security clearance," including any "adverse information" about a contractor's "honesty or trustworthiness," "violations of the law," "financial integrity," "abuse of alcohol and/or drugs," "mental or emotional stability," "general behavior or conduct," or "other matters."

In an 8-0 opinion (Justice Kagan recused herself), the Court held that even assuming the existence of the constitutional right to information privacy mentioned in Whalen and Nixon, such a right would not prevent NASA, as an employer, from asking "reasonable, employment-related inquiries" about the backgrounds of its employees that "further the Government's interests in managing its internal operations," commenting that the questions at issue were "of the sort used by millions of private employers."  The Court noted that the federal Privacy Act, which restricts government disclosure of personal information, provided additional assurance that the information collected, though sensitive, would not be disclosed.

In so holding, the opinion was very similar to the Court's much-anticipated (but ultimately narrow) decision in City of Ontario v. Quon about six months prior.  In Quon, the Court assumed for the sake of argument that a public employee has a reasonable expectation of privacy in text messages sent from a pager issued by a government employer.  Nevertheless, as we observed when Quon was decided, the decision made clear that even in areas in which public employees have constitutional rights, if a government employer infringes on that right to accomplish a legitimate business objective, the government action is unlikely to be deemed unconstitutional.

Like Quon, the decision in Nelson only applies to public, and not private, employers.  Also like Quon, the Nelson opinion included some sparring between judges in the majority and Justice Scalia, who concurred in both opinions, regarding its scope.  In Nelson, Scalia lamented that the majority's decision, in assuming for the purposes of argument that a constitutional right existed, would "dramatically increase the number of lawsuits claiming violations of the right to informational privacy."  Though Scalia's concern involved lawsuits against government entities, his admonition merits further scrutiny going forward, as rulings in constitutional privacy cases have a tendency to be cited in lawsuits against private entities.

Still, private employers can be heartened that the Supreme Court has found that the methods of conducting background checks at issue in Nelson are sufficiently "reasonable" to trump even a constitutional right.  Nevertheless, all employers should be careful to conduct all background checks in compliance with all applicable federal and state law, including the Fair Credit Reporting Act.

CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur and a reasonable opportunity to opt out of such use, and had not opted out.

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

Regulations Imposing New Obligations on Entities Furnishing Information to Consumer Reporting Agencies Go into Effect on July 1

On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals.  These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.

What Is a CRA, and Who Is a Data Furnisher?

The regulations were issued on July 1, 2009 jointly by a number of federal agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act (“FCRA”).  Under the FCRA, a CRA is generally defined as an entity that regularly engages in assembling any information about individuals for the purpose of providing a report to a third party bearing on the individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, where such a report is expected to be used as a factor in establishing the individual’s eligibility for personal credit, insurance, or employment purposes.  As the name suggests, the most common type of CRA is a credit bureau, but companies that perform background checks for employment purposes, or compile such information about a company’s employees to report for employment purposes, are also considered CRAs.

Accuracy and Integrity Rules and Guidelines

The accuracy and integrity rules within the new regulations require data furnishers to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.”  “Accuracy” means that information furnished about an individual correctly:

  1. reflects the terms of the relationship with the individual;
  2. reflects the individual’s performance and other conduct with respect to the relationship; and
  3. identifies the appropriate individual.

“Integrity” means that information furnished about an individual:

  1. is substantiated by the data furnisher’s records at the time it is furnished;
  2. is furnished in a form and manner that is designed to minimize the likelihood that the information may be incorrectly reflected in a report about the individual; and
  3. includes any information in the furnisher’s possession that the Federal Trade Commission (“FTC”) has determined the absence of which would likely be materially misleading in evaluating the individual.  Regarding the last category, the FTC has so far determined only that an individual’s credit limit with the furnisher, if applicable, must be reported, but it is possible that in the future the FTC could require furnishers to provide other categories of information.

Although this mandate is worded broadly, the regulation also specifically requires that data furnishers “consider” detailed guidelines (which are appended to the regulations) and “incorporate those guidelines that are appropriate.”  By requiring data furnishers to “consider” and “incorporate” these guidelines, the regulation requires data furnishers to conduct an audit of their current furnishing policies and procedures.  Moreover, the guidelines contain a list of specific components of policies and procedures that a furnisher “should address,” making these components de facto requirements of any written policies and procedures that result.  These components include:

  • Using standard data reporting formats and standard procedures for compiling and furnishing data, where feasible, such as the electronic transmission of information about individuals to CRAs.
  • Maintaining records for a reasonable period of time in order to substantiate the accuracy of any information about an individual that is subject to a direct dispute by the individual.
  • Establishing and implementing appropriate internal controls to ensure accuracy and integrity, such as by implementing standard procedures and verifying random samples of information furnished to CRAs.
  • Training staff that participates in activities related to data furnishing.
  • Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of furnished data.
  • Deleting, updating, and correcting information in internal records, as appropriate, to avoid furnishing inaccurate information.
  • Conducting reasonable investigations of disputes.
  • Designing technological and other means of communication with CRAs to prevent duplicative reporting, erroneous association of information with the wrong individual(s), and other occurrences that may compromise the accuracy or integrity of data furnished.
  • Providing CRAs with sufficient identifying information about each individual about whom information is furnished to enable the CRA to properly identify the individual.
  • Conducting a periodic evaluation of internal practices, CRA practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of communication, and other factors that may affect the accuracy or integrity of data furnished.

The regulation also specifies that policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher’s activities.  In addition, the regulation requires that furnishers review their policies and procedures “periodically” and update them as necessary to ensure their continued effectiveness.

Direct Dispute Rules

In addition to the accuracy and integrity rules, the new regulations also contain rules requiring data furnishers in most cases to investigate disputes that individuals submit directly to them regarding the accuracy of information that the furnishers reported to a CRA.  Previously, the law encouraged individuals to submit their disputes through a CRA, rather than directly to data furnishers.

The new rules require data furnishers to conduct “a reasonable investigation” of any such dispute initiated by an individual over furnished data.  Data furnishers do not need to conduct such an investigation, however, if any of a number of exceptions apply, including if the dispute is about the consumer’s identifying information; the identity of past or present employers; inquiries or requests for a consumer report; information derived from public records; information related to fraud alerts or active duty alerts; or information provided to a CRA by another furnisher.

The rules require a data furnisher to respond to disputes received at any business address, unless the furnisher has previously specified an address to the individual submitting the dispute or a specific address is listed on the report of the CRA incorporating the disputed information.  After receiving a valid dispute notice from an individual, the data furnisher must conduct and complete an investigation within thirty days (unless the individual provides additional information within that period).  If the investigation finds that the information reported was inaccurate, the data furnisher must promptly notify and provide corrections to each CRA to which the furnisher provided inaccurate information.

Compliance Steps

At minimum, data furnishers must establish written policies and procedures regarding the accuracy and integrity of the information relating to their employees that they provide to CRAs.  This will involve conducting a review of existing policies and procedures, both formal and informal, to determine if they comply with the guidelines appended to the regulations, and making modifications as needed.  Data furnishers also must consider the specific components of policies and procedures listed in the guidelines appended to the regulations, and include those specific components in written policies and procedures if applicable.  Further, data furnishers must adopt a process to review these policies and procedures periodically and update them as necessary to ensure their continued effectiveness.

To comply with the direct dispute rules, data furnishers should determine whether they furnish any information to CRAs that is not subject to any of the exceptions in the regulation, and if they do, they must establish formal policies and procedures to ensure that they conduct a “reasonable investigation” of all direct disputes about individuals’ information provided to CRAs.

FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses. 

The further delay comes as FTC Chairman Leibowitz acknowledges the Rule’s shortcomings: “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly.”

As previously covered in the Chronicle, the last delay occurred on October 30, 2009 when the FTC announced it would not begin enforcing the rule until June 1, 2010. That delay followed the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers. It also followed the House of Representatives' unanimous passage in late October of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule. Subsequently, in November 2009, the American Institute of Certified Public Accountants (AICPA) filed a lawsuit against the FTC challenging the applicability of the Red Flag Rule to Certified Public Accountants.

Now the Red Flag Rule is facing a new legal challenge. On May 21, 2010, the American Medical Association (AMA), the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit against the FTC in the U.S. District Court for the District of Columbia challenging the Red Flag Rule and citing the court’s earlier decision regarding the applicability of the Rule to lawyers. In the latest lawsuit, these medical organizations argue that the Rule, which is applicable to financial institutions and creditors, unjustifiably "treats physician practices like banks, credit card companies and mortgage lenders."

FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.

Recently Introduced Federal Legislation May Expand Regulation of Data Brokers

The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee, proposes comprehensive federal regulation of data broker services.  While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends.

Comprehensive Federal Regulation of “Data Brokers”

Title II of the PDPSA would introduce significant new regulation for data brokers, which are defined as

“a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.” 

PDPSA § 3(5).  Entities that are already regulated under the Fair Credit Reporting Act (“FCRA”), Gramm-Leach-Bliley Act (“GLBA”), or Health Insurance Portability and Accountability Act (“HIPAA”) are not subject to the data broker requirements of the PDPSA as currently drafted.  See PDPSA § 201(b)(1)-(3).  Notably, the PDPSA requirements would apply to the use of any form of sensitive personally identifiable information ("SPII"), unlike the FCRA, which is limited to information used in consumer reports.

Data Broker Provisions are Substantially Similar to the FCRA

The obligations the draft legislation places on data brokers largely mirror those contained in the FCRA.  For example, under the proposed legislation data brokers must make records containing personally identifiable information (“PII”) maintained for disclosure to third parties available to consumers upon request at a reasonable fee. See PDPSA § 201(c).  Such disclosures must include instructions for correcting inaccurate information.  In addition, the proposed law would obligate users of data broker services to provide notice to individuals when they take any adverse actions based upon data broker records. See PDPSA § 201(d).  Adverse action notices would include contact information for the data broker and instructions on the steps needed to correct inaccurate information.    

FTC and State Attorneys General Authorized to Pursue Civil Enforcement Actions

The draft legislation authorizes the Federal Trade Commission (“FTC”) and state Attorneys General to bring civil enforcement actions against entities that violate the data broker requirements.  See PDPSA § 202.  The civil remedies set forth in the bill include equitable relief and monetary penalties of up to $1,000 per violation, up to a maximum of $250,000.  The FTC also would be able to seek double monetary penalties for violations that are demonstrated to be willful or intentional.