
CFPB’s takeover of FCRA enforcement requires new notices by January 1, 2013

In July 2011, the newly created Consumer Financial Protection Bureau (“CFPB”), established under the Dodd-Frank Wall Street Reform and Consumer Protection Act, assumed rulemaking authority over the Fair Credit Reporting Act (“FCRA”) from the Federal Trade Commission (“FTC”), with which it now shares enforcement authority.

Although more changes are likely to come, beginning January 1, 2013, businesses (including employers) and consumer reporting agencies will be required to provide the new version of the “Summary of Rights” form to individuals before taking any adverse action based on the contents of a consumer report. Notably, the adverse action process that must be followed under the FCRA has not changed; the revisions are generally stylistic and substitute “CFPB” for references to the FTC. The list of contacts at the end of the form has also been updated and expanded.

To download the PDF versions of the updated Summary of Rights, and forms regarding the obligations of users and furnishers of consumer reports, click on the links below.

Summary of Rights under the FCRA.pdf

Obligations of Users of Consumer Reports under the FCRA.pdf

Obligations of Furnishers of Consumer Reports.pdf

FTC’s civil rights testimony recaps FCRA obligations and aggressive enforcement

On December 7, 2012, the Federal Trade Commission (the “FTC”) submitted written testimony to the U.S. Commission on Civil Rights on the use of criminal background checks in employment decisions. The Civil Rights Commission is considering the testimony as part of its review of the EEOC’s guidance that an employer’s use of an individual’s criminal history in making employment decisions may, in some instances, violate the prohibition against employment discrimination under Title VII of the Civil Rights Act of 1964. The EEOC’s position is that minorities are disproportionately likely to have criminal records, so that when employers rely on criminal background reports, minorities may be affected more than other groups.

Notably, in its testimony the FTC, which shares the authority for enforcing the Fair Credit Reporting Act (“FCRA”) with other federal agencies, including the Consumer Financial Protection Bureau (“CFPB”), does not say anything substantial about civil rights.

The testimony does, however, provide a good recap of the legal rights and obligations prescribed by the FCRA when consumer reports are used for employment purposes, and highlights the FTC’s law enforcement efforts in this area. As its starting point, the testimony notes that the FCRA imposes several requirements on consumer reporting agencies (“CRAs”) that provide consumer reports to employers, including ensuring that the employer is in fact using the report for a permissible purpose. In the employment context, permissible purposes are limited to “employment, promotion, reassignment, or retention.” Thus, employers may only obtain a consumer report about applicants or employees, and may not simply use their status as employers to get information about competitors, opposing parties in litigation, or anyone else. Relatedly, under the permissible purpose requirement, CRAs must have reasonable procedures in place to ensure that the users of consumer reports are who they claim to be.

The CRAs also must comply with certain procedural requirements, such as giving all users of consumer reports a notice that informs them of their duties under the FCRA. The CRAs must obtain certifications from the employer that: (1) it is in compliance with the FCRA; and (2) it will not use consumer report information in violation of any federal or state equal employment opportunity laws or regulations.

Further, the FCRA mandates that CRAs follow “reasonable procedures to assure maximum possible accuracy of the information [15 U.S.C. § 1681e(b)].” It does not establish, however, a requirement of absolute accuracy and does not require that the CRAs guarantee that the reports are error-free.

If a CRA provides a report that has negative information about an applicant or employee that is based on public records — for example, tax liens, outstanding judgments, or criminal convictions — that CRA either has to notify the applicant or employee directly that it has provided the information to the employer, or has to adopt strict procedures to ensure that the information is complete and up to date [15 U.S.C. § 1681k(a)(1)-(2)]. Regardless of whether a CRA opts to provide the notice or adopt strict procedures, FCRA § 1681e(b), as noted above, requires CRAs to have “reasonable procedures to assure maximum possible accuracy.”

The FCRA also places specific obligations upon employers to provide certain disclosures to the applicants or employees, and obtain their written authorization before using consumer reports. If an employer intends to take an adverse action based either in whole or in part on the information in a consumer report, such as denying a job application, reassigning or terminating an employee, or denying a promotion, the employer must provide the applicant or employee with a pre-adverse action notice before taking the action. The pre-adverse action notice must include a copy of the consumer report on which the employer is relying and a summary of rights under the FCRA. The form, which recently was reissued by the CFPB, describes the consumers’ rights under the FCRA, including the right to obtain copies of their consumer reports and dispute information.

Once the employer has taken the adverse action, it must give the applicant or employee a notice that the action was based on information in the consumer report. This adverse action notice must include the name, address, and phone number of the CRA that supplied the report, and must inform the applicant or employee of his or her right to dispute the accuracy or completeness of any information in the report, and the right to obtain a free report from the CRA upon request within 60 days. Even though a consumer has the right to dispute errors, the CRAs and furnishers of information to the CRAs typically are allowed thirty days to investigate the consumer’s dispute, and the information may not be corrected in time to affect the consumer’s consideration for a particular job.

The FTC points out that it has pursued an aggressive law enforcement program to ensure that CRAs, furnishers, and consumer report users (including employers) comply with their responsibilities under the FCRA, providing details of recent lawsuits for FCRA violations that resulted in civil penalties against CRAs ranging from $800,000 to $2.6 million. Its recent actions against employers included charges against railroad contractors for failing to provide pre-adverse action and adverse action notices to employees who were fired and job applicants who were rejected based on information in their consumer reports. Under negotiated settlement orders, the companies were required to pay penalties in the amount of $1,000 per violation, and are subject to specific injunctive, record-keeping, and reporting requirements to ensure compliance with the FCRA.

The FTC’s enforcement actions and the latest wave of class action lawsuits underscore that FCRA compliance must be a priority for employers, CRAs and furnishers of information alike.

No shortcuts to assuring maximum possible accuracy under the FCRA

When Congress formulated the Fair Credit Reporting Act (“FCRA”) more than 30 years ago, it noted that the law was enacted in order to protect consumers against “the trend toward…the establishment of all sorts of computerized data banks [that placed a consumer] in great danger of having his life and character reduced to impersonal ‘blips’ and key punch holes in a stolid and unthinking machine which can literally ruin his reputation without cause [116 Cong. Rec. 36570].” This intent has been clearly supported by the amendments that followed, allowing greater and more effective protection. But despite the leaps and bounds in legislation, much controversy still exists about the level of protection that this law provides to consumers. And confusion abounds about the compliance requirements for consumer reporting agencies (“CRAs”), on whom the FCRA places “grave” compliance obligations. “There is a need to insure that consumer reporting agencies exercise their ‘grave’ responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy [15 U.S.C. § 1681(a)(4) (2006)].”

The FCRA mandates that “[w]henever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates [15 U.S.C. § 1681e(b)].” So what does this mean? Courts have taken two positions in interpreting the language of this section. The “consumer-friendly” version holds CRAs liable for reports that are technically accurate but may be misleading or incomplete [Koropoulos v. Credit Bureau, Inc., 734 F.2d 37, 40 (D.C. Cir. 1984): “Congress did not limit the Act’s mandate to reasonable procedures to assure only technical accuracy; to the contrary, the Act requires reasonable procedures to assure maximum accuracy.”]. The “business-friendly” interpretation requires only technical accuracy in the CRA’s reporting [Todd v. Associated Credit Bureau Servs., Inc., 451 F. Supp. 447, 449 (E.D. Pa. 1977)].

While this case law is helpful in understanding a CRA’s liability under the statute, there is no doubt that comprehensive guidance on the methodology for assuring maximum accuracy is still much needed, especially in view of the proliferation of so-called “national databases” in recent years. But despite the lack of clear guidance, a reputable CRA knows that “to assure” means “to earnestly inform or tell positively; state with confidence.” And reporting a record that was matched to the subject by name only, or relying solely on private database records in an employment background check, does not pass the reasonable procedures test by any standard.
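To make the “name only is not enough” point concrete, here is an added illustration (it is not part of the original post and not any CRA’s actual procedure): a small Python matching policy that refuses to report a court record unless at least two identifiers beyond the name (date of birth, last four of SSN, street address) agree with the subject, and routes name-only or conflicting hits to manual verification instead of reporting them. The field names, the two-identifier threshold, and all sample records are assumptions constructed for the example.

```python
"""Identifier-corroboration policy for matching a court record to a subject.

Added illustration, not from the original post or any real CRA. Encodes the
rule that a name-only hit is never reported: a record is reportable only when
corroborated by at least MIN_CORROBORATING identifiers beyond the name, and
anything thinner (or conflicting) goes to manual, e.g. courthouse, review.
Field names and the threshold are assumptions for the example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_CORROBORATING = 2  # assumption: non-name identifiers that must agree before reporting
SUFFIXES = {"jr", "sr", "ii", "iii", "iv"}


def normalize_text(s: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace ("12 Elm St." -> "12 elm st")."""
    return " ".join(re.sub(r"[^\w\s]", "", s).lower().split())


def normalize_name(name: str) -> list[str]:
    """Tokens in first-middle-last order; handles "LAST, FIRST M" and strips suffixes."""
    n = re.sub(r"[^\w\s,]", "", name).lower()
    if "," in n:                                  # "smith, john a" -> "john a smith"
        last, rest = n.split(",", 1)
        n = f"{rest} {last}"
    return [t for t in n.split() if t not in SUFFIXES]


def names_match(a: str, b: str) -> bool:
    """First and last name must agree; a conflicting middle initial is a mismatch,
    an absent middle name is simply not evidence either way."""
    ta, tb = normalize_name(a), normalize_name(b)
    if len(ta) < 2 or len(tb) < 2:
        return False
    if ta[0] != tb[0] or ta[-1] != tb[-1]:
        return False
    if len(ta) > 2 and len(tb) > 2 and ta[1][0] != tb[1][0]:
        return False
    return True


@dataclass
class Identity:
    name: str
    dob: Optional[date] = None
    ssn_last4: Optional[str] = None
    address: Optional[str] = None


def corroborating_identifiers(subject: Identity, record: Identity) -> tuple[set[str], set[str]]:
    """Return (agreeing, conflicting) non-name fields. A field missing on either
    side is neither: absence of data must not count as corroboration."""
    agreeing, conflicting = set(), set()
    for field in ("dob", "ssn_last4", "address"):
        s, r = getattr(subject, field), getattr(record, field)
        if s is None or r is None:
            continue
        if field == "address":
            s, r = normalize_text(s), normalize_text(r)
        (agreeing if s == r else conflicting).add(field)
    return agreeing, conflicting


def match_decision(subject: Identity, record: Identity) -> str:
    """'no_match', 'reportable', or 'manual_review'. Name-only hits are never reportable."""
    if not names_match(subject.name, record.name):
        return "no_match"
    agreeing, conflicting = corroborating_identifiers(subject, record)
    if conflicting:                      # possible transcription error: verify, do not report
        return "manual_review"
    if len(agreeing) >= MIN_CORROBORATING:
        return "reportable"
    return "manual_review"               # name-only or thinly corroborated hit


def triage(subject: Identity, records: list[Identity]) -> dict[str, list[Identity]]:
    """Bucket a batch of database hits by decision."""
    out: dict[str, list[Identity]] = {"reportable": [], "manual_review": [], "no_match": []}
    for rec in records:
        out[match_decision(subject, rec)].append(rec)
    return out


# Constructed sample data: one applicant and five database "hits" on a common name.
SUBJECT = Identity("John A. Smith", date(1980, 3, 14), "1234", "12 Elm St.")
HITS = [
    Identity("SMITH, JOHN A", date(1980, 3, 14), None, "12 elm st"),   # dob + address agree
    Identity("John Smith", date(1980, 3, 14)),                         # only dob agrees
    Identity("John Smith"),                                            # name only
    Identity("John B. Smith", date(1980, 3, 14), "1234"),              # middle initial conflicts
    Identity("John A Smith", date(1981, 3, 14), "1234"),               # ssn agrees, dob conflicts
]

if __name__ == "__main__":
    for bucket, recs in triage(SUBJECT, HITS).items():
        print(bucket, [r.name for r in recs])
```

Only the first hit is reported; the name-only and single-identifier hits are held for someone to pull the file, and the conflicting-DOB hit is held rather than silently dropped, since a one-digit transcription error in the court index is a real possibility.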

In an Internet marketplace that touts instant results, a CRA’s practice of sending searchers to the courthouse, pulling dozens of cases, and reviewing legal documents to ascertain correct subject identification and record information may seem counterintuitive to many employers. And it takes time and money to assure the most accurate and up-to-date results. On the other hand, in a world of billions of people, many of whom share the same name, is a quick and cheap database background search of any real value?

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349 that establishes similar requirements for postsecondary education institutions in regard to their students also goes into effect on January 1, 2013.

Broker-dealers fall short in knowing their clients

It looks like broker-dealers are failing in their due diligence efforts on clients, as required by FINRA’s new Rule 2090. (FINRA is the largest non-governmental regulator of all securities firms doing business in the United States, and handles nearly every aspect of securities-related matters, from registering and educating industry participants, to writing and enforcing rules and the federal securities laws.)

According to several industry reports, the most violated rule this year has been a failure by broker-dealers to comply with FINRA’s know-your-customer obligations, now under Rule 2090 issued in July 2012. The rule, which is generally modeled after the former NYSE Rule 405(1), requires firms to use reasonable diligence regarding the opening and maintenance of every account in order to “know the essential facts concerning every customer.” The rule explains that “essential facts” are those required to:

  • effectively service the customer’s account;
  • act in accordance with any special handling instructions for the account;
  • understand the authority of each person acting on behalf of the customer; and
  • comply with applicable laws, regulations, and rules.

The know-your-customer requirements arise at the beginning of the relationship and do not depend on whether the broker has made a recommendation. Unlike the former NYSE Rule 405, Rule 2090 does not specifically address orders, supervision or account opening, which are areas that are explicitly covered by other rules.

In conjunction with this know-your-customer rule, FINRA has adopted transaction suitability Rule 2111, framed after the former NASD Rule 2310, which requires that a firm or associated person “have a reasonable basis to believe that a recommended transaction or investment strategy involving a security or securities is suitable for the customer, based on the information obtained through the reasonable diligence of the member or associated person to ascertain the customer’s investment profile.” According to FINRA, the measures constituting a reasonable diligence will vary depending on, among other factors, the complexity of and risks associated with the security or investment strategy and the firm’s or associated person’s familiarity with the security or investment strategy.

Rule 2111 further defines a customer’s investment profile, specifying that it includes, but is not limited to, the customer’s age, other investments, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the customer may disclose to the member or associated person in connection with such recommendation. Accordingly, a broker must attempt to obtain and analyze a broad array of customer-specific factors, and also determine quantitative suitability if the broker has actual or de facto control over a customer account.

FINRA now makes it clear that a broker must have a firm understanding of both the product and the customer, and that the lack of such an understanding itself violates the suitability rule.

State laws restricting the use of criminal records gain momentum

By now, most employers are familiar with the EEOC’s April 2012 updated enforcement guidance on the use of arrest and conviction records for employment decisions under Title VII of the Civil Rights Act of 1964. And related state and local laws are quickly gaining momentum. More than 30 cities and at least 26 states now limit the type of criminal background information that employers can obtain or when they can request it.

Effective July 1, 2012, Indiana will join the roster of the restricting states. Its SB 1033 will, in part, ban certain pre-employment inquiries, limit the types of criminal record information that employers and consumer reporting agencies (CRAs) can obtain from Indiana courts, and restrict criminal history information that CRAs can provide in background reports.

This law also provides that Indiana residents with restricted or sealed criminal records may legally state on an “application for employment or any other document” that they have not been adjudicated, arrested or convicted of the offense specified in these records. Covered employers (the term “employer” is not defined) will be prohibited from asking an “employee, contract employee, or applicant” about such records.

Limiting the scope that can be included in a background report, the law further prohibits courts from disclosing information pertaining to alleged infractions where the individual:

  • is not prosecuted or if the action is dismissed;
  • is adjudged not to have committed the infraction;
  • is adjudged to have committed the infraction and the adjudication is vacated; or
  • was convicted of the infraction and satisfied any judgment attendant to the infraction conviction more than five years ago.

Criminal history providers, such as CRAs, that obtain criminal history information from the state may only furnish information pertaining to criminal convictions, and are prohibited from including the following in background reports:

  • an infraction, an arrest or a charge that did not result in a conviction;
  • a record that has been expunged;
  • a record indicating a conviction of a Class D felony if the Class D felony conviction has been entered as or converted to a Class A misdemeanor conviction; and
  • a record that the criminal history provider knows is inaccurate.

Among other significant mandates, criminal history information obtained from the state by CRAs may not include any Indiana criminal record information in an assembled report unless the CRA updates the information to reflect changes to the official record occurring 60 days or more before the date the criminal history report is delivered.

Regulatory focus on corporate social responsibility

Corporate social responsibility (CSR) policies that promote good citizenship are being implemented or revised at a record pace. In response to concerns about labor exploitation in the developing world, many companies have joined the Ethical Trade Initiative (ETI), which has established corporate codes of practice implementing human rights, ethical labor practices and environmental protection standards. Many also have adopted the United Nations Global Compact “ten universally accepted principles in the areas of human rights, labor, environment and anti-corruption.”

High on the CSR priority list for SEC-listed companies that use conflict minerals “necessary to the functionality or production” of a manufactured product is developing a compliance program that will meet the requirements of Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). Due from the SEC within the next few weeks, the final rule will have a direct impact on reporting requirements for about half of all publicly traded companies in the United States, mandating them to disclose in 10-K, 20-F, and 40-F filings whether they manufacture products containing conflict minerals (specified as gold, wolframite, cassiterite, columbite-tantalite and their derivative metals, which include tin, tungsten, and tantalum, that are mined in the DRC or its adjoining countries). These metals are used in a broad array of products, including electronics, jewelry, tools, engines, medical equipment, chemicals, and packaging. And although the regulation technically applies to public companies only, it will have a significant bearing on any company anywhere in the world, public or private, that is within a public company’s supply chain.

Under the rule as proposed, among other requirements, the affected SEC-listed companies must conduct certain due diligence, as outlined below.

  1. Determine if conflict minerals/metals are used to make their products.
  2. Determine if the metals originated in the DRC or in neighboring countries. If they did not, a report must be issued on how the metals’ origins were determined.
  3. If the metals were from DRC or adjoining countries, if the source is unknown or if it is from scrap or recycled sources, a supply chain due diligence to determine the source(s) must be performed and the results provided in an independently audited report.

The rule is expected to require the above-noted first and second steps regardless of the metals’ origin. The third step, i.e., the disclosure of the products manufactured and facilities where DRC materials may have been used, etc. must be completed only if the DRC is identified as a source or if the source cannot be determined. If applicable, in addition to specific annual report disclosures and the inclusion of a conflict minerals report as an exhibit, the companies will have to indicate on their websites whether or not they use conflict minerals in their products or in those contracted to be manufactured on their behalf.

Of course, this Dodd-Frank provision is not the only regulatory effort that addresses the elimination of child and forced labor, slavery, and human trafficking within supply chains. Public pressures over these atrocities have led to related policymaking within U.S. local and state governments, and around the world. For example, in 2011, California enacted SB 861 which requires issuers that do business with the state to fulfill the public reporting obligations outlined in the upcoming SEC rules. Issuers that fail to meet these obligations will be prohibited from seeking procurement contracts with the state. In Maryland, a similar “conflict minerals” law under SB 551 will become effective October 1, 2012. Rhode Island and Massachusetts are considering parallel legislation.

Other U.S. efforts include California’s SB 657, known as the California Transparency in Supply Chains Act, which, effective January 1, 2012, mandates retail sellers and manufacturers doing business in California with annual gross receipts exceeding $100 million to conspicuously and clearly disclose their efforts and policies for ensuring that their supply chains are free from human trafficking and slavery. On a municipal level, the City of Pittsburgh calls on companies from all sectors to favor in their electronics purchasing decisions products that have been verified as being free of conflict minerals. And among several major worldwide endeavors is the European Commission’s support of the United Nations and Organisation for Economic Co-operation and Development (OECD) due diligence guidelines and recommendations for responsible supply chain management.

Strong corporate responsibility policies are here to stay. A 2011 U.S. State Department press release urges companies to “…begin to exercise due diligence immediately in order to ensure a viable and conflict free supply chain…”

“Misspelling to defraud,” a case study from our files

The subject’s biography, provided along with our client’s request for due diligence in connection with a private equity funding transaction, was riddled with misspellings. And it did not say much, apart from boasts of professional accomplishments and financial success, and the subject’s self-description as a “people-person who likes to travel.” But even with the biography’s vague statements and typos, our research quickly found that the subject’s company, whose name contained a transposed letter, was affiliated with a Mexican multi-level marketing operation whose executives were recently arrested or are wanted by authorities for setting up allegedly fake websites through which they defrauded investors of millions of dollars. As our research continued, we located media reports and online documents indicating that the fraud spanned three continents and involved at least four other entities closely held by the subject, none of which were listed in the biography. And according to various government sources, there is also mounting evidence of money laundering. Our client, although somewhat surprised by our findings, immediately halted the funding transaction.

Business identity theft: a crime that often goes unreported

According to Federal Trade Commission (FTC) data from its Consumer Sentinel Network (CSN), an online database of consumer complaints available only to law enforcement, identity theft was the top consumer complaint in 2011, accounting for 17%, or 287,232, of the 1.8 million complaints received; a further 990,242 of the complaints received were fraud-related.

There are no reliable federal or state statistics that specifically track business identity theft, but various studies suggest that businesses do not report the crime because of the stigma attached to it. The company’s credibility and trust of its clients may never recover if they admit to being a victim.

Business identity theft comes in many forms. Posing as a look-alike or sound-alike business, and impersonating owners, officers or employees to illegally get cash, credit, and loans, is just one example. Thieves typically steal a business’ identity by gaining access to its bank accounts and credit cards, or by stealing sensitive company information, such as its tax identification number (TIN) and the owners’ personal information. Elaine Marshall, North Carolina’s Secretary of State, sees an increasing number of cases involving falsified documents. Marshall says that “the easiest targets are dissolved corporations, because whoever ran those defunct businesses usually no longer pays attention. Somebody comes 20 years later and reinstates it, and it looks like it’s a 40-year-old corporation. And if it was in good standing financially when it was dissolved, then [the thief] will capitalize on that good standing.”

Indeed businesses have become easy targets for identity theft. Almost anyone can obtain a business’ tax identification number. A merchant’s basic financial information, including bank account numbers, may be known to hundreds of its customers and suppliers. Data access can be exploited by employees and insider theft, and fraud is often difficult to detect, especially when carried out by trusted employees. Many businesses do not review their own credit information for fraud and may be lax in shredding or disposing of documents. Although more businesses are conducting background checks on employees and suppliers, only a few ensure the integrity of their commercial shredding contractors and even fewer conduct background checks on in-house or contracted cleaning staff. And many companies are simply complacent in data security.

The Internet is now the primary channel for identity theft and fraud. Since 2002, the FBI has recorded an 84% increase in the number of computer intrusion investigations. Cyber thieves use the web to obtain goods, services, and money while exploiting time-lags in discovery and investigation. They also prowl for valuable business data that is not tied to any one identity, including confidential e-mails, customer and marketing data, bid and pricing sheets, and trade secrets. In the financial services sector, the vast majority of transactions, including credit card and debit card transactions and even mortgage funding, occur online in virtual anonymity, without the risks associated with in-person transactions. Because such identity theft crimes take place in cyberspace, police often must coordinate with other state, federal, or international agencies. And even when jurisdictional issues are resolved, often only high-profile offenders actually face criminal prosecution.

In this complex and dangerous environment, a proactive approach to preventing business identity theft is critical, and should include:

  • Security policies based on the highest reasonably assessed risk, including limiting the number of persons with a valid need to access sensitive information;
  • Corporate governance which advocates strong security planning;
  • System audits and tests to ensure detection of inappropriate usage and other vulnerabilities;
  • Background checks of all employees, key vendors, and contractors including document shredding entities, cleaning personnel, etc.;
  • Annual reviews of Secretary of State and other public filings;
  • Annual or more frequent reviews of Dun & Bradstreet reports, and if applicable, small business reports with Equifax, Experian and TransUnion;
  • Practice of excluding sensitive personal or business information in public filings;
  • Shredding or destroying business records as applicable;
  • Securing paper documents in locked cabinets in restricted areas;
  • Using privacy screens with smart phones, laptops, etc., when accessing sensitive information while traveling; and
  • Obtaining business insurance that covers potential business identity theft losses.

There are many online information and action resources for identity theft. The FTC provides comprehensive guidelines for prevention and recovery from identity theft, along with complaint forms. The Identity Theft Resource Center also contains excellent reference materials, including links to state and local agencies, as do the Privacy Rights Clearinghouse and the National Consumers League. 

Overview of identity theft related crime laws

Below is an overview of federal laws in connection with identity theft crimes.

  • The Identity Theft and Assumption Deterrence Act (the “ITADA”)

The ITADA, passed in 1998, makes identity theft a distinct crime from wire fraud, covers theft of data (as well as documents), and encompasses businesses and persons that seek access to personal records through banks, state and federal agencies, or insurance companies. The ITADA mandates significant fines and imprisonment even for first offenders. The federal criminal jurisdiction requires an underlying felony (such as fraud or conspiracy) and involvement of an “identification document” that: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce.

  • The Fair and Accurate Credit Transactions Act (the “FACTA”)

The FACTA was established as a national detection system to deter fraud resulting from identity theft in its early stages with or without subsequent law enforcement investigation. The FACTA, among other rights, allows victims to alert all three major credit rating agencies of suspected criminal use of their financial data or accounts affecting a credit rating. The FACTA created the rights to “free” annual credit reports, and requirements that mortgage lenders provide actual FICO credit scores (not just credit account data) if that score is used to determine interest rates for a housing loan. The FACTA also mandates that merchants show only the last five digits of credit card numbers on receipts. The FACTA further is responsible for developing a system to “red flag” suspicious requests for consumer data, and allows military personnel to “freeze” credit files when they are deployed overseas.

Under the FACTA, consumer “red flags” include fraud alerts from a reporting business that has identified a data breach, unusual patterns in credit usage, suspicious documentation, credit usage after long periods of inactivity, known mail drop addresses, and other anomalies.

The FACTA also requires employers to shred documents containing employee data; any business that supplies or facilitates consumer credit must secure or destroy consumer information. This “disposal rule” requires reasonable and appropriate destruction of all information derived from a consumer credit report, prior to its disposal. Failure to comply with destruction requirements (i.e. shredding) carries penalties of up to $2,500 per violation. There is an implied obligation within the FACTA disposal rule to conduct due diligence for hiring or contracting data disposal personnel, which includes reference checking, physical inspection of licenses or certificates, and audits.
  • The Fair Credit Reporting Act (the “FCRA”)

The FCRA requires consumer reporting agencies (CRAs) to adopt reasonable procedures to maintain and report consumer data with confidentiality, accuracy, relevancy, and reasonable security. CRAs must ensure “reasonable procedures to assure maximum possible accuracy of the information concerning the subject of the report.”

Victims may sue for willful or negligent failure to verify the accuracy of disputed information or correct inaccurate information resulting from a stolen identity. Consumers who report errors or fraudulent transactions are entitled to a “reasonable investigation” and an expectation that errors will be corrected and reported back promptly. The statute provides for attorney’s fees and punitive damages for willful violations. Under the FCRA, identity theft victims may authorize law enforcement agencies to obtain their credit reports and other records without obtaining a subpoena and at no personal cost. The FCRA imposes a two-year statute of limitations that begins when an inaccurate disclosure or report is filed, not when the consumer actually becomes aware of inaccuracies.

The FCRA also includes a “disposal rule” requiring any business that has access to or which utilizes consumer reporting information to dispose of this sensitive information properly. The FCRA’s disposal rule is broader than the FACTA’s in that it targets any company that compiles, sells or purchases reports containing private personal or medical information. This includes employment agencies, banks, private investigators, landlords, auto dealers, insurance agents and others. The FCRA disposal rule applies to any information, in any format, and mandates that the disposal method must render the documents or information unreadable and incapable of being reconstructed.

  • The Gramm-Leach-Bliley Act (the “GLBA”)

The GLBA directs eight federal regulatory agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule to ensure that financial institutions prevent unauthorized disclosure of consumer financial information, including fraudulent access, by implementing appropriate policies, procedures and controls. Also known as the Financial Services Modernization Act of 1999, the GLBA defines financial institutions as a “business significantly engaged in providing financial services or products for personal, family, or household use.” The GLBA is relevant to traditional banks and credit unions, and also includes check-cashing and payday loan services, non-bank lenders, real estate appraisers, tax preparers, debt collectors, financial advisors, and insurance agents and brokers.

  • The Right to Financial Privacy Act (the “RFPA”)

The RFPA falls under the ambit of the FDIC and targets industrial loan companies, trust companies, savings associations, credit unions and consumer finance institutions. The RFPA creates statutory Fourth Amendment protection for personal bank records by providing that ‘no government authority [state or federal] may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described and the customer authorizes access; there is an appropriate administrative subpoena or summons; there is a qualified search warrant; there is an appropriate judicial subpoena, or there is a written request from an authorized government authority.’

The RFPA prohibits banks and other covered entities from requiring customers to release financial records as a condition of doing business, and mandates banks to provide customers with access to records of all disclosures made to third parties.

  • The Health Insurance Portability and Accountability Act (the “HIPAA”)

The HIPAA, which is administered by the U.S. Department of Health and Human Services (HHS), establishes nationwide security standards for electronic health care information. This ‘security rule’ requires all covered entities to be compliant with specific administrative, technical, and physical security standards and procedures for electronic data. HIPAA rules apply not only to doctors, clinics, hospitals, pharmacies, and laboratories, but may also apply to certain collection agencies, health insurers, and lawyers, and also to any businesses that maintain self-insured employee health care plans.

In addition to federal laws, each state has its own law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to protect victims from continuing identity theft.

Thirty-four states introduced or had pending legislation regarding identity theft during the 2012 legislative session, including Louisiana, which enacted its Business Identity Theft Prevention Act. For more information on state laws, visit the website of the National Council of State Legislatures.