The California Consumer Privacy Act (CCPA) has been enforced by the California Attorney General since July 1, 2020. The CCPA is designed to protect the personal information of California consumers, which is broadly defined as information that “identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA affects companies that store personal information on California consumers, even if they are not located in California. The threshold for falling under CCPA enforcement, in addition to obtaining or using personal information on California residents, is:
Having a minimum gross annual revenue of $25 million,
Buying, sharing or receiving data on 50,000 or more California residents, or
Deriving 50% or more of its annual revenue from selling consumers’ personal information.
With the recent election, voters in California have now approved the California Privacy Rights Act (CPRA), also referred to as CCPA 2.0. While the CPRA does not take effect until July 1, 2023, the new requirements will apply to personal information collected on or after January 1, 2022. The new CPRA takes the CCPA even further by updating the definition of a “business,” adding restrictions to the “sharing of data” and not merely the selling of personal information, establishing the California Consumer Privacy Protection Agency (CPPA), and expanding a consumer’s private right of action, among others.
There are still exceptions to the new CPRA. For example, background screening companies, who are considered Consumer Reporting Agencies (CRAs), must adhere to the Fair Credit Reporting Act (FCRA) and are strictly regulated with regard to consumer information. Operating under the FCRA exempts companies such as Hire Image from the regulations under the CCPA/CPRA when the information is provided to employers for employment purposes. Under the FCRA, CRAs must maintain strict privacy and data security policies and procedures when dealing with consumers’ personal information.
Click here for more information about the CCPA exception. Stay tuned for further updates and clarifications on California privacy in the upcoming months.
If you have any questions about your company’s role or the role of the background screening company under FCRA or the CA CCPA, please contact us to learn more.
The Court of Justice of the European Union recently found that the EU-U.S. Privacy Shield does not comply with European privacy rights and is invalid for purposes of cross-border transfers of personal data from the European Union to the United States. This action was prompted by European Privacy Rights activists, who want to prevent personal information from being sent to countries with, what they claim, less stringent restrictions.
Privacy Shield was created in 2016 as a solution to the challenge of transferring data between the EU and the U.S. For the more than 5,000 companies currently using Privacy Shield, including Facebook, Twitter, and Google, this decision brings great uncertainty and potential repercussions. However, the court provided one alternative in upholding standard contractual clauses (SCCs), composed by the European Commission, in its decision. These provisions were deemed acceptable because they allow EU regulators to intervene, if necessary.
There will be much more to come on this decision, as American and European officials attempt to negotiate another deal for the safe transfer of digital information between the countries involved. Hire Image will continue to post updates, as they become available.
When it comes to background screening, drug testing and employment verification, human resource professionals and employment attorneys must keep pace with ever-changing rules, regulations, laws and more. What are the trends facing the industry for 2016, and what will have the greatest impact on the practice of human resources and employment law?
Here are Hire Image’s top 10 predictions for what’s still “hot” from last year and why, and what’s coming down the pike that demands attention and focus for 2016:
“Ban the Box” initiatives will turn into “Fair Chance” policies
“Ban the Box” intends to create a situation where employers are required to wait until later in the hiring process before asking about an applicant’s criminal history. By removing the question about conviction history from the application, employers are unable to eliminate an applicant simply based on his or her answer and would be more likely to base the hiring decision on the applicant’s qualifications. As the movement has grown, so have its goals and requirements. Rather than simply eliminating the criminal conviction checkbox, many of the laws now go further and require that an employer wait until after a conditional offer of employment to inquire about criminal history, limit the type or age of conviction records they consider, as well as conduct an individualized assessment of the applicant’s criminal past before choosing to rescind that offer. To date, seven states and the District of Columbia have implemented laws that impact private employers, and several major cities and counties have also taken up the cause within their own jurisdictions. San Francisco and New York City have adopted more comprehensive Fair Chance policies which proponents claim support a broader agenda of community economic development, criminal justice reform and civil rights protection. New “Ban the Box” laws introduced in 2016 will all likely include Fair Chance components. It is also expected that many of the current laws will be updated to incorporate Fair Chance components, as Philadelphia has chosen to do. Employers will need to understand and comply with not only the requirements under the Fair Credit Reporting Act (FCRA) when it comes to background checks, but also the added requirements of those laws in the states, counties, or cities in which they do business.
Click here for a list of all current “Ban the Box” laws.
by Ronald Raether, CIPP/US and Mark Mao, CIPT & CIPP/US, Troutman Sanders
Cyber breaches continue to demonstrate that people are the greatest vulnerability for even the most sophisticated organizations. Although it is easy to feel prepared by talking about firewalls, detection software, and encryption methods, employees continue to be the easiest means for hackers to gain access. Accounting for the human factor requires that the organization take a holistic approach. Human nature should be factored into all aspects of data management, including product planning, incident response, and breach litigation.
Yes, Your Organization Can Survive Human Error
There is an increasing appreciation for how a data breach does not necessarily imply that an organization failed to adhere to the requisite standard of care. For example, in the regulatory context, the Federal Trade Commission (FTC) announced in August 2015 that it would not take any enforcement action against Morgan Stanley for an insider cyber breach. The incident involved Morgan Stanley allegedly configuring the access controls for one limited set of reports improperly, but correcting the problem as soon as it became aware of it.
The FTC was satisfied with Morgan Stanley’s efforts, noting: “[Morgan Stanley] had a policy limiting employee access to sensitive customer data without a legitimate business need, it monitored the size and frequency of data transfers by employees, it prohibited employee use of flash drives or other devices to download data, and it blocked access to certain high-risk apps and sites.” In closing, the FTC hinted that it might not pursue further action if an organization suffers a “human error” but had reasonably appropriate policies in place.
Similarly, in Lozano v. Regents of the University of California, BC55419 (L.A. Super. Ct., filed April 9, 2013), the plaintiff sought $1.25 million in damages against the UCLA health system, arguing that her medical records were improperly accessed by the current romantic partner of her ex-boyfriend, who allegedly used the credentials of a doctor to access and then publish plaintiff’s personal health information (PHI). Plaintiff argued that the health system failed to adhere to the requisite standard of care by not requiring a second form of security for access. UCLA disagreed, arguing that it used security protocols consistent with existing standards and that it should not be held responsible for “inside jobs.”
On Sept. 3, 2015, the jury agreed with UCLA, finding it was not legally liable for the breach. In business-to-business contexts, courts have also found that a well-prepared organization may not be negligent when accounts are compromised. For example, the court in Choice Escrow & Land Title, LLC v. BancorpSouth Bank, 754 F.3d 611, 613-614 (8th Cir. 2014) found the bank’s security protocols adequate despite an alleged account takeover. The lesson of these relatively new cases is that organizations may not necessarily be legally liable just because they suffer an incident as a result of human error. Surviving The Human Factor It is the natural for people to panic and blame each other in major crisis.
A well prepared organization should not only be prepared technologically, but also for human tendencies. First, well-prepared organizations should have written information security programs (WISPs) written in plain language as a guide for their employees. Regulators ask for WISPs almost as a matter of course. However, WISPs should be as much prescriptive as they are descriptive. If the WISP does not actually describe how the organization handles data, it will not provide employees much needed guidance.
Instead, the policies should reflect the practical realities of the business and describe the requirements and controls in way which can be understood and followed by the employees. Otherwise, the policies only become a standard for how the company has failed to act reasonable by regulators and class counsel. Thus, it is critical that organizations map out their technology and take data inventory when drafting their WISPs, which should also accord with their outward-facing privacy statements.
Organizations should interview both business and IT personnel to understand how they handle data. Indeed, WISPs should be tailored to the culture of the company so that compliance can be expected. A policy using common language, as opposed to legalese, will generally be best. Too often WISPs are written entirely by just the legal department or the technologists. If written by attorneys without meaningful technological experience, a WISP can miss important technical issues. WISPs written entirely by technologists can be overly technical and difficult for others to follow. Both legal and IT should therefore participate in the drafting process.
Without meaningful engagement by all stakeholders, it is too easy for drafters to protect only their interests. In such situations, it is not uncommon to find employees admitting that they did not or could not follow WISPs when interrogated during investigations or in a deposition.
Second, sufficient training is an important factor for a sound compliance program. Recent cases demonstrate that breaches often start with some form of human error. The most frequent attack vectors remain non-technical, such as unauthorized system access, misuse of privileges, use of stolen credentials, social engineering, and bribery and embezzlement. A common example is “spear phishing.” An employee with sufficiently high security credentials becomes a target, and he receives an email for “help” from someone with the apparent name of another known employee in the organization. Once he clicks on the link provided, malware is loaded onto his computer and the hacker gains access to critical parts of the organization.
While technology controls (such as intrusion detection devices or sound access controls) can limit what the hacker can do, without appropriate privacy policies and proper training, even employees in organizations with strong technological safeguards may be criticized for the unauthorized access and possibly create legal exposure.
Third, compliance needs to be tested and audited. Testing and auditing will serve as a regular reminder to employees and create awareness of emerging trends and threats. Auditing should include tests and practice runs, so that key personnel and employees can act rather than react when a real cyber incident occurs. Without meaningful practice, employees may be more inclined to blame each other, finger-point or attempt to hide facts which may implicate them rather than doing what is best for the company. Employees should get familiar with how to isolate incidents, preserve electronic evidence, handle public inquiry, and defer to responsible personnel.
Regular audits will remind employees to stay current on their training and obligations, and be mindful of potential threats. As Morgan Stanley demonstrated, a wellmanaged breach contributed to the FTC deciding to not take an enforcement action.
The question for most organizations these days is not whether they will be breached, but when. As the cases teach us, even the best prepared organizations cannot prevent malicious insiders and human error. However, when intruders breach an organization well-equipped with proper policies, training, and technology, it will be much more difficult for plaintiffs to claim that the organization should have any legal liability.
Every organization – from a small nonprofit to a large corporation – keeps sensitive personal information in their files that identifies customers and employees. This “personal identifying information” can include names, Social Security numbers, credit card, license, and account data.
But if sensitive data – even as simple as someone’s name – falls into the wrong hands, it can lead to fraud, embezzlement, identity theft, and other crimes that harm either the customer and employee or your business. Losing the trust of your customers or defending yourself or your company against a lawsuit is at stake, and what business can afford that risk?
It’s no surprise that identity theft topped the FTC’s national ranking of consumer complaints for the 15th consecutive year. Fake debt collection and imposter scams (particularly about the IRS) round out the top three. A business of any size has legal obligations to protect data from a breach and, depending on the industry in which you operate, must follow rules (Red Flags Rule, the COPPA Rule, FTC’s Disposal Rule), regulations (Gramm-Leach-Bliley Act) and specific industry guidelines to do the same.
How can you protect your business from a data breach? Here are five steps to take:
1. Conduct background checks. A well-trained and screened workforce is the best defense against identity theft and data breaches. Check references and do background checks before hiring employees and contractors who will have access to sensitive data. Investigate the background screening company of your choice to ensure that they are accredited by the National Association of Professional Background Screeners. Such accredited firms will utilize data security practices that meet the highest possible standards.
2. Shred and pare down your records. Dispose of credit reports, receipts, CDs and any paperwork with sensitive data printed on it, as many data compromises happen the old-fashioned way – through lost or stolen paper documents. This is not to say that electronic security is preferred, but an encrypted, e- security system managed by an independent professional is recommended.
3. Follow state law. Because there are no federal standards or guidance for protecting personal identifying information, you should comply with your state law. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of personal identifying information. Many require a risk-based information security program be in place, and outline the proper notification steps. See this link for data breach notification laws in your state.The laws are always changing so use this as a guide, but always check the latest laws directly with your state and/or your privacy attorney.
4. Be pro-active. Put measures in place now, as though you were defending yourself and your company from a lawsuit due to a security breach. Planning and reacting on paper without having to face the stress of an actual breach makes sense, when emotions are not running wild. Assess the vulnerability of any foreseeable attacks, breaches and issues and determine the steps necessary to protect your physical and electronic records at all times. From locking file cabinets and restricting employee access to running anti-spyware programs and securing electronic information in transit over the Internet, don’t leave any stone unturned – even if it’s a basic or obvious protection step.
5. Train your staff. Your information security plan is only as strong as the employees who will implement it. Initial and periodic training will help place an importance on everyday behaviors in keeping personal information secure and confidential. Consider limiting access to personal information to employees on a “need to know” basis. Be sure to have a procedure in place for what to do when workers leave your employment, such as terminating passwords, collecting keys and ID cards.
Creating a culture of security is vital to protecting your business from data breaches and other problems associated with ‘leaking’ personal information. Taking steps now to safeguard such information before any breaches occur is smart and demonstrates a deep, value-based sense of professionalism and integrity in your business operations.
Source: Federal Trade Commission, “Protecting Personal Information: A Guide for Business.” For a free booklet, email firstname.lastname@example.org or call Hire Image at (888) 433-0090