Subcommittee approves legislation to protect consumers against data theft

On July 20, 2011, the Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved legislation to protect consumers from cyber attacks and identity theft. The Secure and Fortify Electronic Data Act (H.R. 2577), or SAFE Data Act now moves to the full Energy and Commerce Committee for consideration.

The Act would require all businesses that maintain personal information to implement security programs, which, among other mandates, would include a protocol to notify affected individuals of an information security breach. Preempting over 45 existing state information security and breach notification laws, the Act would task the Federal Trade Commission with developing the security rules.

According to its author, Chairman Bono Mack, the Act will enhance protection of personal information by establishing uniform national standards for data security and data breach notification. The preemption provision also would provide certainty for businesses in addressing information security breaches that now are subject to the multitude of state requirements.

Some legislators and advocates have criticized the proposed law as too narrow, as it would require breach notifications only when an individual’s name, telephone number or credit card number is compromised along with a Social Security number, driver’s license number or other government-issued ID. With some state laws requiring notification when, for example, a credit card number, financial account number, Social Security number, or biometric data alone (without the individual’s name) is compromised, the practical notification threshold under current state breach notification laws may be significantly lower than that proposed by the SAFE Data Act.

Challenges of international background investigations

Many transactions today, whether they involve an employment hiring decision or a new business relationship, are cross-border or have an international component. The need for effective risk management both in the U.S. and abroad has vastly expanded in recent years with the passing of legislation and increased enforcement actions. Behind just about every business decision, there is a widening range of stakeholders — from regulators to shareholders to board members — who expect that the due diligence process will minimize unlawful activities.

International background investigations, which are essential for a comprehensive approach to due diligence, present special challenges since each country has its own laws, customs, and procedures. Language barriers, name variations and transliterations, limited information and technology, broad definitions of crimes, and proliferation of fraudulent educational and accreditation institutions, are just some of the factors that add to the complexity of these investigations.

As a general rule, in most European countries, criminal records are not available to the public. In Asia, public accessibility to most court filings is limited. In South America, public records vary greatly from country to country. South Africa provides some disclosure of police records and warrants to the public, along with civil filings. Canada’s public records availability differs by province, and only a few provinces permit release of criminal records. India and Australia have the most searchable records, similar to the U.S.

For employment purposes, the Fair Credit Reporting Act (FCRA) imposes certain obligations for international background screening performed by a U.S. Consumer Reporting Agency (CRA), including mandating reasonable procedures to ensure the accuracy of the information it reports. If a public record such as a criminal conviction is found, the CRA must ascertain that the information is correct, up-to-date, and reported in a way that does not violate data or privacy protection rules.

In 2000, an agreement between the U.S. Department of Commerce and the European Commission established privacy and data protection guidelines, the “Safe Harbor Principles,” to enable U.S. companies to satisfy a requirement under European Union law for adequate protection of personal information transferred from the European Economic Area (the 25 member states of the European Union plus Iceland, Liechtenstein and Norway). In addition to these principles, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions and businesses that receive personal information to establish safeguards for the handling and disclosure of that information. And the Fair and Accurate Credit Transactions Act (FACTA), federal legislation, also contains provisions to help reduce identity theft and requires the proper disposal of personal consumer information.

The cost of an international background investigation typically is higher than domestic searches, and varies with each country, the type of information that needs to be obtained and the purpose of the investigation. When performed by a reputable firm with qualified foreign contacts, an international background investigation can reduce negligent hiring liability, and prevent a catastrophic investment or reputational damage.

Dodd-Frank Act amendment for credit scores took effect July 21, 2011

The Federal Reserve Board and the Federal Trade Commission (FTC) issued final rules to implement the credit score disclosure requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If a credit score is used in setting material terms of credit or in taking adverse action, the statute requires creditors to disclose credit scores and related information to consumers in notices under the Fair Credit Reporting Act (FCRA).

The final rules amend Regulation V (Fair Credit Reporting) to revise the content requirements for risk-based pricing notices, and to add related model forms that reflect the new credit score disclosure requirements. These rules also amend certain model notices in Regulation B (Equal Credit Opportunity), which combine the adverse action notice requirements for Regulation B and the FCRA.

For employers, this means that if a consumer report that includes a credit score is used to determine eligibility for employment, the employer will be required to disclose to the subject the usage of the credit score in an adverse employment decision and to provide information about the credit score, including the score itself, up to four key adverse factors in the score, and the identity of the agency that provided the score.

For credit transactions, creditors, including banks, credit unions, credit card issuers, and utilities, that extend credit on terms that are less favorable than those offered to other consumers because of information contained in a credit report, or if other adverse action is taken, will have to provide to the subject a “risk-based pricing notice” which discloses the credit scores and related information. Such notice will include: 1) the numerical credit score used by the creditor in making the decision; 2) the range of possible scores under the model used by the creditor; 3) the key factors that adversely affected the credit score; 4) the date on which the credit score was created, and 5) the name of the entity that provided the score.

In certain cases, such as applications for a mortgage, auto loan, or another type of credit, a lender will have to furnish to the subject a “credit score notice” that lists the credit score and how the score compares to other consumers’ scores, regardless of the credit terms offered. If no credit score is available for a consumer, the lender’s notice will identify the particular credit bureau that reported this information. Additionally, if a consumer’s annual percentage rate (APR) on an existing credit account is increased based on a review of a credit report, the creditor will have to provide an “account review notice.”

The Board and the FTC have stated that it is imperative to have the regulations and revised model forms in place as close as possible to July 21, 2011. This will help ensure that consumers receive consistent disclosures of credit scores and related information, and facilitate uniform compliance when Section 1100F of the Dodd-Frank Act becomes effective.

Consumer Financial Protection Bureau seeks input on non-bank entities

On June 23, 2011, the Consumer Financial Protection Bureau (CFPB) released a Notice and Request for Comment seeking public input on a key element of its non-bank supervision program — the statutory requirement to define who is a “larger participant” in certain consumer financial markets.

Created by the Dodd-Frank Act, the CFPB has been empowered to regulate non-bank financial entities. But exactly what is a “non-bank?” Various literature generally defines “non-bank” as a company that offers consumer financial products or services, but does not have a bank, thrift, or credit union charter and does not take deposits. Products from non-banks have a significant share of the overall consumer financial marketplace. Under Dodd-Frank, many of these non-banks will be subject to a federal supervision program for the first time.

In its Notice and Request for Comment, the CFPB has identified the following markets for potential inclusion in an initial rule: debt collection, consumer reporting, consumer credit and related activities, money transmitting, check cashing and related activities, prepaid cards, and debt relief services. The larger participant rule will not impose substantive consumer protection requirements. Instead, the rule will enable CFPB to begin a supervision program for larger participants in certain markets.

The issues for discussion in the Notice include:

  • What criteria to use to measure a market participant;
  • Where to set the thresholds for inclusion;
  • Whether to adopt a single test to define larger participants in all markets (measure the same criteria and use the same thresholds) or to use tests designed for specific markets;
  • What data is available to use for these purposes;
  • What time period to use to measure the size of a market participant;
  • How long a participant is to remain subject to supervision after initially meeting the larger participant threshold, and whether it remains subject if it subsequently falls below the threshold; and
  • What consumer financial markets to include in the initial rule.