Scherzer Blog

California expands privacy protections for state residents

A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.

A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.

Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.

Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release [not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.”

The law’s scope reaches well beyond the borders of California, as it applies to businesses that maintain any personal information about a state resident. Companies would be well advised to familiarize themselves with the new requirements.


December 3rd, 2014|Legislation, Privacy|

Pennies add up to $18.7 million in allegedly illicit gains

A bit different from the billion-dollar frauds that frequently made headlines in past years, a complaint filed on October 5, 2014 by the Justice Department in the federal district court in Manhattan accuses two former New York brokers of securities fraud and conspiracy for secretly adding a few pennies to the cost of securities trades they processed, generating $18.7 million in gains. The SEC also filed civil charges against the men and added another broker as a defendant. The SEC’s complaint alleges that from at least 2005 through at least February 2009, the defendants perpetrated the scheme by falsifying execution prices and embedding hidden markups or markdowns on over 36,000 customer transactions. According to the SEC, the defendants charged small commissions, typically pennies or fractions of pennies per share; the scheme was devious and difficult to detect because they engaged in it selectively, only when market volatility was sufficient to conceal the fraud. One of the defendants, who was in charge of entering the prices into the trading records and played a critical role by controlling the flow of information, has already pleaded guilty to securities fraud and conspiracy.

October 15th, 2014|Criminal Activity, Fraud|

SEC new rule: ABS issuers and underwriters must disclose any third-party due diligence report

On August 27, 2014, as mandated by the Dodd-Frank Act, the Securities & Exchange Commission (the “SEC”) adopted several new rules and amendments designed to improve the quality of credit ratings and increase the accountability of Nationally Recognized Statistical Rating Organizations (“NRSROs”). The new rules, which become effective nine months after their publication in the Federal Register, significantly affect services in connection with asset-backed securities (“ABS”). Among other provisions, the rules require ABS issuers and underwriters to disclose the findings and conclusions of any third-party due diligence report they obtain. The rule applies to both registered and unregistered offerings. Additionally, providers of ABS due diligence services must submit a written certification (signed by an individual who is duly authorized to make such a certification) to any NRSRO that is producing a credit rating for the ABS, and disclose information about the due diligence performed, along with a summary of the findings and conclusions and identification of any relevant NRSRO due diligence criteria that the third party intended to meet in performing the due diligence.

October 15th, 2014|Dodd-Frank|

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.

October 15th, 2014|Legislation, Security|

The FFIEC issues “shellshock” vulnerability alert to financial institutions

The Federal Financial Institutions Examination Council (the “FFIEC”) issued an alert advising financial institutions about a material security vulnerability in the Bourne-again shell (Bash) system software, widely used in servers and other computing devices, that could allow attackers to access and gain control of operating systems. The vulnerability, nicknamed “shellshock,” could expose organizations and individuals to potential fraud, financial loss, or access to confidential information. Any financial institution that provides secure services on Linux or other Unix-like (*nix) systems running a vulnerable version of the Bash shell could be at risk, regardless of its vendor mix. Given the widespread use of Bash and the evolving nature of the risk, the FFIEC said that regulators expect financial institutions to perform a risk assessment and address the shellshock vulnerability not only in their own systems but also with their third-party service providers.
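As an added example that is not part of the FFIEC alert or this post, the following POSIX shell script runs the widely published local self-test for the Shellshock bug against a Bash binary (assumed to be on PATH, or passed as the first argument) and confirms that legitimately exported functions still work on a patched Bash, which is the kind of check an institution's own risk assessment of its systems would include.

```shell
#!/bin/sh
# Local Shellshock self-test (added example; not from the FFIEC alert).
# Assumes a POSIX sh; the Bash binary is taken from PATH or passed as $1.

# Prints "absent" (no bash found), "vulnerable", or "patched".
# Unpatched Bash parsed any environment variable whose value began with
# "() {" as a function definition and also executed whatever followed the
# closing brace at startup. The probe variable here carries a harmless
# trailing echo, so its marker appears only on a vulnerable build.
shellshock_status() {
  bin="${1:-$(command -v bash 2>/dev/null)}"
  [ -n "$bin" ] && [ -x "$bin" ] || { echo absent; return 0; }
  out=$(env probe='() { :;}; echo TRAILING_RAN' "$bin" -c 'echo done' 2>/dev/null)
  case "$out" in
    *TRAILING_RAN*) echo vulnerable ;;
    *)              echo patched ;;
  esac
}

# Prints "absent", "yes", or "no". Patched Bash still supports exported
# functions, but only through the namespaced BASH_FUNC_<name>%% variables
# it creates itself (current releases), so ordinary variables are never
# parsed as code.
exported_function_survives() {
  bin="${1:-$(command -v bash 2>/dev/null)}"
  [ -n "$bin" ] && [ -x "$bin" ] || { echo absent; return 0; }
  out=$("$bin" -c 'greet() { echo hello; }; export -f greet; "$1" -c greet' sh "$bin" 2>/dev/null)
  if [ "$out" = "hello" ]; then echo yes; else echo no; fi
}

# Report both results for the Bash found on PATH.
echo "shellshock: $(shellshock_status)"
echo "exported functions work: $(exported_function_survives)"
```

A result of "vulnerable" on any host means the Bash package needs the vendor's fix; "absent" means there is no Bash on PATH to assess.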

October 15th, 2014|Educational Series, Security|

The SRA issues warning about a fake website

The Solicitors Regulation Authority (the “SRA”) in the United Kingdom issued a bulletin that it received a report that a website “dovernorchambers.com is operating which refers to the firm Dovernor Chambers” and that the wording on the website appears to have been cloned from the websites of genuine law firms without their knowledge or consent. The SRA says that it is identifying a new fake law firm on an almost daily basis. Some scammers reportedly are stealing a law firm’s entire web page, and then changing the contact information to redirect traffic elsewhere.

September 19th, 2014|Fraud|

Class action for unauthorized disclosure of PHI is a new twist under FCRA

A recent class-action is seeking damages for the unauthorized disclosure of personal health information (“PHI”) under the Fair Credit Reporting Act (the “FCRA”). The plaintiffs claim that the defendant hospital allowed the unauthorized access of confidential records of the putative class members, including PHI, held by a third-party records vendor without their knowledge or consent and without sufficient security. Among other claims, the plaintiffs allege that the hospital violated the FCRA by failing to implement adequate safeguards to protect their personally identifiable information and PHI from a data breach suffered by the third-party vendors. The plaintiffs argue that the hospital was a CRA that created “consumer reports” containing sensitive information including names, dates of birth, Social Security numbers, billing information and confidential health records, and disseminated this information to medical service providers affiliated with the defendant, and that the defendant allowed employees of the vendor and others to gain unrestricted access to their personally identifiable information and PHI, which was allegedly misused and intentionally disclosed to third-parties for profit.

September 19th, 2014|Judgment|

Reminder: San Francisco’s tough ordinance that restricts asking about and using criminal records in employment and housing decisions starts August 13, 2014

Effective August 13, 2014, the Fair Chance Ordinance (the “FCO”) (see also the FCO FAQs) requires covered employers, contractors, and housing providers to review an individual’s qualifications before inquiring about his/her criminal history and follow strict rules for using the information.

The FCO applies to private employers that are located or doing business in the city and county of San Francisco, and employ 20 or more persons worldwide. This 20-person threshold includes owner(s), management, and supervisory personnel. The FCO covers positions (including contractor and other status) located within San Francisco, regardless of where the employer is located, as long as the position is “in whole, or in substantial part, within the city.” San Francisco’s Office of Labor Standards Enforcement (the “OLSE”) interprets “in substantial part” to mean an average of eight hours of work performed per week in San Francisco.

Along with banning inquiries about a criminal history or pending charges on the job application or during the first live interview, the FCO prohibits asking about six categories of criminal record information altogether, and mandates significant measures for individualized assessment, including considering only “directly-related convictions that have a direct and specific negative bearing on the [applicant’s] ability to perform the duties or responsibilities necessarily related to the position,” the time elapsed since the conviction, evidence of inaccuracy, evidence of rehabilitation and/or other mitigating factors.

An aspect of the ordinance that is especially noteworthy is that employers are prohibited from inquiring about or considering convictions that are more than seven years old, with “the date of conviction being the date of sentencing.” Under California law, there already is a seven-year limitation on such records, but the look-back period starts from the date that a person is released from custody. Also of note is that before taking any adverse action based on a criminal record, the ordinance requires that the employer wait seven days (from the date of the potential adverse action notice) before taking such action. If during the seven-day waiting period the individual gives the employer notice, orally or in writing, of evidence of an inaccuracy, rehabilitation, or any other mitigating factor, the employer must delay the adverse action for a “reasonable” time to reconsider the action.

Employers must also ensure that criminal background inquiries later in the process comply with the notice guidelines published by the OLSE, as well as with the already existing background check disclosure/authorization requirements under California’s ICRAA and the FCRA. Highlighted below are the ordinance’s more significant notice requirements:

  • Covered employers must post, in a conspicuous place at every workplace, including a temporary site, or other location in San Francisco under the employer’s control where applicants or employees visit, a notice of rights provided by the OLSE. The notice must be posted in English, Spanish, Chinese, Tagalog and any other language spoken by 5% or more of the employees in the workplace, job site, or other location. (Translations of the notice in Chinese, Spanish, and Tagalog are available on the OLSE website.)
  • Employers must state in all job solicitations or advertisements that are reasonably likely to reach potential applicants seeking employment in San Francisco that the employer will consider qualified individuals with a criminal history.
  • Employers must send the notice to each labor union or representative with whom the employer has a collective bargaining agreement or other agreement that is applicable to employees in San Francisco.
  • Prior to any criminal history inquiry, including from procuring or conducting a background check, an employer must provide this notice to an applicant or employee when he/she is given the required FCRA/ICRAA disclosure and authorization form to sign.

August 8th, 2014|Legislation|

FINRA wants to increase awareness of its BrokerCheck and make more information public

FINRA’s online investor tool for researching the professional backgrounds of firms and brokers, the BrokerCheck, is accessible to all members of the public from the front page of its website. In a revised proposal, which includes changes made in response to comments regarding a prior proposal to amend FINRA Rule 2267 (Investor Education and Protection), firms would be required to include a readily apparent reference and hyperlink to the BrokerCheck on each website that is available to retail investors, and in online retail communications with the public that include a professional profile of, or contact information for, an associated person, subject to specified conditions and exceptions.

FINRA is also seeking comments (until September 2, 2014) on a proposal to make publicly available, through FINRA’s website, a repository of Form 211 information. Firms are required to complete this form to demonstrate compliance with the specific information review requirements under SEA Rule 15c2-11 prior to initiating a quotation in a non-exchange-listed security.

July 9th, 2014|Educational Series|

Class-action against U.S. Census Bureau alleges race-bias in using criminal background checks

On July 1, 2014, a magistrate judge in the U.S. District Court for the Southern District of New York certified as a class-action an unprecedented lawsuit brought under Title VII of the Civil Rights Act of 1964, that alleges the U.S. Census Bureau’s process of using criminal background checks when selecting temporary workers for the 2010 census unlawfully screened out approximately 250,000 African-Americans. Filed in April 2010, the complaint charges that in hiring nearly a million temporary workers, most of whom went door-to-door seeking information from residents, the Bureau erected unreasonable and largely insurmountable hurdles for applicants with arrest records, regardless of whether the arrests were decades old, were for minor charges, or led to criminal convictions.

July 9th, 2014|Judgment, Lawsuit|