Scherzer Blog

California expands privacy protections for state residents

A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.

A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.

Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.

Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release [not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.”

The law’s scope reaches well beyond the borders of California, as it applies to businesses that maintain any personal information about a state resident. Companies would be well advised to familiarize themselves with the new requirements.


Pennies add up to $18.7 million in allegedly illicit gains

A bit different from the billion-dollar frauds that frequently made headlines in years past, a complaint filed on October 5, 2014 by the Justice Department in the federal district court in Manhattan accuses two former New York brokers of securities fraud and conspiracy for secretly adding a few pennies to the cost of securities trades they processed to generate $18.7 million in gains. The SEC also filed civil charges against the men, and added another broker as a defendant. The SEC’s complaint alleges that from at least 2005 through at least February 2009, the defendants perpetrated the scheme by falsifying execution prices and embedding hidden markups or markdowns on over 36,000 customer transactions. According to the SEC, the defendants charged small commissions—typically pennies or fractions of pennies per share; the scheme was devious and difficult to detect because they selectively engaged in it when the volatility in the market was sufficient to conceal the fraud. One of the defendants, who was in charge of entering the prices into the trading records and played a critical role by controlling the flow of information, has already pleaded guilty to securities fraud and conspiracy.

New York City’s new bill would restrict using credit reports for employment decisions

Last month, the New York City Council’s Committee on Civil Rights held a hearing on a bill that would amend the city’s administrative code, prohibiting employers from using consumer credit reports for personnel decisions. Although the hearing ended without a disposition, it is expected that this bill will pass in some form in the near future. The Committee is holding a separate hearing in December on a bill that would prohibit employment discrimination based on an applicant’s or employee’s criminal history.

Congress proposes bill that protects regulated employers’ background checks

While the Equal Employment Opportunity Commission (the “EEOC”) is continuing its challenge of employers’ use of criminal history and credit report information in personnel decisions, and new “ban-the-box” laws are rapidly gaining momentum, on September 9, 2014, Congress proposed legislation that protects certain regulated employers from EEOC, state agency and private actions when they strive to comply with the screening laws that are particular to their industries. The Certainty in Enforcement Act of 2014 would amend Section 703 of the Civil Rights Act of 1964 (42 U.S.C. 2000e-2), and cover employers that include those engaged in “health care, childcare, in-home services, policing, security, education, finance, employee benefits, and fiduciary duties.”

SEC new rule: ABS issuers and underwriters must disclose any third-party due diligence report

On August 27, 2014, as mandated by the Dodd-Frank Act, the Securities & Exchange Commission (the “SEC”) adopted several new rules and amendments designed to improve the quality of credit ratings and increase the accountability of Nationally Recognized Statistical Rating Organizations (“NRSROs”). The new rules, which become effective nine months after their publication in the Federal Register, significantly affect services in connection with asset-backed securities (“ABS”). Among other provisions is a requirement for ABS issuers and underwriters to disclose the findings and conclusions of any third-party due diligence report they obtain. The rule applies to both registered and unregistered offerings. Additionally, providers of ABS due diligence services must submit a written certification (signed by an individual who is duly authorized to make such a certification) to any NRSRO that is producing a credit rating regarding the ABS, and disclose information about the due diligence performed, along with a summary of the findings and conclusions, and identification of any relevant NRSRO due diligence criteria that the third party intended to meet in performing the due diligence.

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.

The FFIEC issues “shellshock” vulnerability alert to financial institutions

The Federal Financial Institutions Examination Council (the “FFIEC”) issued an alert advising financial institutions about a material security vulnerability in the Bourne-again shell (Bash) system software widely used in servers and other computing devices that could allow attackers to access and gain control of operating systems. The vulnerability, nicknamed “shellshock,” could expose organizations and individuals to potential fraud, financial loss, or access to confidential information. Any financial institution that provides secure services with Linux or *nix variants running a vulnerable version of the Bash shell could be at risk no matter what its vendor mix. Given the widespread use of Bash and the evolving nature of the risk, the FFIEC said that regulators expect financial institutions to perform a risk assessment and address the shellshock vulnerability not only in their own systems, but also with their third-party service providers.

FTC halts high school diploma mill

At the request of the Federal Trade Commission (the “FTC”), on September 16, 2014, the U.S. District Court for the Southern District of Florida imposed a temporary restraining order to halt the business operations of Diversified Educational Resources, LLC (DER), and Motivational Management & Development Services, Ltd. (MMDS), and freeze their assets. The FTC’s lawsuit seeks a permanent injunction to stop the defendants’ deceptive practices and to return ill-gotten gains to consumers, which according to a preliminary review of bank records referenced in the lawsuit were more than $11,117,800 since January 2009.

The complaint alleges that the defendants violated the FTC Act by misrepresenting that the diplomas were valid high school equivalency credentials and that the online schools were accredited. The FTC charges that the defendants actually fabricated an accrediting body to give legitimacy to their diploma mill operation. DER and MMDS allegedly sold the diplomas since 2006 using multiple names, including jeffersonhighschoolonline.com, jeffersonhighschool.us, enterprisehighschool.us, and ehshighschool.org, which purport to describe legitimate and accredited secondary school programs such as “Jefferson High School Online” and “Enterprise High School Online.” The websites claim that consumers can become “high school graduate[s]” and obtain “official” high school diplomas by taking an online exam and paying between $200 and $300. In numerous instances, consumers who attempt to use their Jefferson or Enterprise diplomas to enroll in college, enlist in the military, or apply for jobs are rejected because of their invalid high school credentials.

The SRA issues warning about a fake website

The Solicitors Regulation Authority (the “SRA”) in the United Kingdom issued a bulletin stating that it received a report that a website “dovernorchambers.com is operating which refers to the firm Dovernor Chambers” and that the wording on the website appears to have been cloned from the websites of genuine law firms without their knowledge or consent. The SRA says that it is identifying a new fake law firm on an almost daily basis. Some scammers reportedly are stealing a law firm’s entire web page, and then changing the contact information to redirect traffic elsewhere.

Class action for unauthorized disclosure of PHI is a new twist under FCRA

A recent class action is seeking damages for the unauthorized disclosure of personal health information (“PHI”) under the Fair Credit Reporting Act (the “FCRA”). The plaintiffs claim that the defendant hospital allowed the unauthorized access of confidential records of the putative class members, including PHI, held by a third-party records vendor without their knowledge or consent and without sufficient security. Among other claims, the plaintiffs allege that the hospital violated the FCRA by failing to implement adequate safeguards to protect their personally identifiable information and PHI from a data breach suffered by the third-party vendors. The plaintiffs argue that the hospital was a CRA that created “consumer reports” containing sensitive information including names, dates of birth, Social Security numbers, billing information and confidential health records, and disseminated this information to medical service providers affiliated with the defendant, and that the defendant allowed employees of the vendor and others to gain unrestricted access to their personally identifiable information and PHI, which was allegedly misused and intentionally disclosed to third parties for profit.
