In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs. The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.
Credential stuffing
A California jury in federal court ruled on Tuesday, June 20, that TransUnion violated the Fair Credit Reporting Act (FCRA) by erroneously linking certain consumers with similarly named terrorists and criminals in the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC’s) database. The jury awarded statutory and punitive damages in excess of $60
On September 27th, the Senate Committee on Commerce, Science, and Transportation held a general oversight hearing of the FTC, which covered a multitude of major policy issues and included testimony from Chairwoman Edith Ramirez, Commissioner Maureen Ohlhausen, and Commissioner Terrell McSweeny. Chairman John Thune (R-SD) convened the hearing, joined by Senator Richard Blumenthal (D-CT) who sat in for Ranking Member Bill Nelson (D-FL), who was not in attendance. Several other Committee members also participated in the hearing, cycling through as schedules permitted on what appeared to be a jam-packed day. Members in attendance included: Senators Dean Heller (R-NV), Amy Klobuchar (D-MN), Brian Shatz (D-HI), Jerry Moran (R-KS), Steve Daines (R-MT), Dan Sullivan (R-AK), Edward Markey (D-MA), Tom Udall (D-NM), Kelly Ayotte (R-NH), Maria Cantwell (D-WA), and Deb Fischer (R-NE).
The Comm
issioners’ opening statements focused on key issues related to the agency’s mandate including enforcement, policy development, business education, and competition promotion. But for members and Commissioners alike, privacy and data security were the clear headline issues of the day. A variety of related topics were also raised, including protecting children online, the Internet of Things (IOT), tourism, credit reports, telecommunications, and deceptive claims. A brief summary of these issues follows.
Continue Reading Senate Commerce Committee Members Air Laundry List of Pressing Issues Including Privacy, Data Security, and FTC Enforcement
While the sudden death of Supreme Court Justice Antonin Scalia creates an immediate vacancy on the bench, it also likely leaves the high court’s docket in limbo on a number of key consumer class actions awaiting the Court’s decision.
Many predict that President Obama will not be able to replace Scalia before the 2016 Presidential election, meaning that the seat may be vacant for the remainder of the term. Democrats have been urging the President to immediately nominate a successor, with Republicans imploring the President to give that right to the next Commander-in-Chief. Senate Majority Leader Mitch McConnell has stated that the Senate should not confirm a replacement until after the 2016 election.
Until a successor is confirmed, it means that the Supreme Court will be comprised of four reliable liberals, three reliable conservatives, and one Justice Kennedy, who typically leans to the right but has often acted as the Court’s swing vote. With only eight justices, it is likely that we will see a number of important cases end in a 4-to-4 split this year, including several key cases relating to consumer class actions. In the case of a tie, the appeals court decision will be upheld, no precedent will be set, and the Supreme Court traditionally will not issue an opinion.
Here’s a brief rundown of how Scalia’s passing may affect three key consumer class actions in front of the Court this term.
Case: Spokeo Inc. v Robins (Docket No. 13-1339)
Issue: Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, but alleges a private right of action based on a bare violation of a federal statute.
Outcome in a split: Plaintiff’s win – would make a bare violation of a federal statute sufficient to confer Article III standing, thereby making it easier for plaintiffs to move forward in litigating cases alleging statutory violations.
Continue Reading Scalia’s Death Leaves High Court in Limbo on Three Key Consumer Class Actions
The CFPB recently initiated an enforcement action against General Information Services (GIS) and its affiliate, e-Background-checks.com, Inc. (BGC) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to implement required safeguards while providing background screening reports to employers about job applicants. The CFPB found that certain background screening reports provided by GIS and
The FTC announced today that Certegy Check Services, Inc. will pay $3.5 million to settle allegations that Certegy violated the Fair Credit Reporting Act (FCRA) by failing to follow proper dispute procedures and failing to use reasonable procedures to maximize the accuracy of consumer report information. Certegy is one of the nation’s largest check authorization
Today the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and Department of Justice (“DOJ”) filed a brief supporting the constitutionality of the Fair Credit Reporting Act (“FCRA”). FCRA limits the use of credit report information, protecting the privacy of the information, and establishes procedures for correcting mistakes in credit reports. The brief addresses
Earlier this week, the Federal Trade Commission (“FTC”) and the Federal Reserve Board issued proposed amendments to the Risk-Based Pricing Rule (“Rule”) that would require creditors to disclose credit score information when a credit score is used to set or adjust credit terms. The proposed changes would implement provisions of the Dodd-Frank Wall Street Reform
FTC Commissioner Julie Brill spoke about the new Consumer Financial Protection Bureau (“CFPB”) during a keynote address she delivered at the International Association of Privacy Professionals Second Annual Conference on December 7th. While describing how Congress enacted the Fair Credit Reporting Act (“FCRA”) to protect consumers’ personal information, Brill stated that the FTC and CFPB
In Andrews v. Equifax Information Services LLC, No.: C-08-0817, 2010 U.S. Dist. Lexis 38020 (W.D. Wash. Mar. 30, 2010), plaintiff filed suit against Equifax after it allegedly “mixed up” her information with that of another individual of the same name and disseminated that information to third parties. Plaintiff alleges that this “mix up” was caused by Equifax’s failure to follow reasonable procedures to ensure maximum possible accuracy of the information it reported as well as its failure to re-investigate her disputes, both of which are required by FCRA.
FCRA requires claims to be brought within two years after the plaintiff discovers the violation or within five years after the date the violation occurs. Invoking the former provision, Equifax argued that it was entitled to dismissal because the plaintiff had discovered the alleged violations more than two-years before she filed suit in May 2008. Equifax cited record evidence that plaintiff had called in 2004 and 2005 to dispute information in her credit file that she believed was inaccurate. Equifax contended further that it sent plaintiff the results of its investigation into her disputes on three occasions, the last of which was in late November 2005. According to Equifax, because these results contained the inaccurate information forming the basis of her FCRA allegations, plaintiff had discovered the violation more than two years before filing suit.
The Western District of Washington denied the motion, rejecting the argument that plaintiff’s knowledge of inaccurate information in her credit report put her on notice of Equifax’s alleged FCRA violation. “FCRA is not a strict liability statute,” said the court. Indeed, a credit reporting agency can escape liability under FCRA for an inaccurate credit report as long as it shows it followed reasonable procedures in generating it. Therefore, inaccurate information in a credit report, standing alone, cannot violate FCRA. According to the court, to obtain dismissal, Equifax had to show something more. Specifically, it had to produce sufficient evidence tying the investigation reports it provided to the plaintiff with plaintiff’s discovery of the precise violations alleged in the lawsuit. This, according to the court, it failed to do.
