Washington legislators recently introduced the Washington Privacy Act (WPA). This legislation is a consumer-focused privacy law similar to the California Consumer Privacy Act (CCPA), but it also has some European Union General Data Protection Regulation (GDPR)-like concepts. The WPA protects personal data in much the same way as the CCPA, but with some significant differences.

Virtually every company that provides goods or services to the public will, at some point, have a negative review posted online by a dissatisfied consumer. While such reviews are understandably upsetting, a company should not respond in kind with negative comments about the reviewer and certainly should not reveal personal or sensitive information about them.

New Hampshire Governor Chris Sununu recently signed the New Hampshire Insurance Data Security Law, which “establishes the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event…, and notification to the commissioner.” The law is applicable to all persons or entities licensed, authorized to operate, registered or required to be

Part of the 2018 Economic Growth, Regulatory Relief, and Consumer Protection Act (which amended the Fair Credit Reporting Act) included a provision requiring credit reporting agencies (CRAs) to provide free electronic credit monitoring services to active duty military personnel. CRAs are required by law to notify active duty military consumers about any “material” additions or

Federal legislation recently took effect that prohibits consumer reporting agencies from charging a fee to place or remove (lift) a security freeze on a consumer credit report in response to a consumer request. The “Economic Growth, Regulatory Relief, and Consumer Protection Act” (the Act) was passed on May 24, 2018. The Act includes important updates to the Fair Credit Reporting Act (FCRA) that may in turn affect the information that businesses provide to customers or clients in response to a data breach or similar security incident.

On May 11, 2017, the Fourth Circuit Court of Appeals vacated a $12 million judgment against Experian Information Solutions, Inc. (“Experian”) in a class action against the credit reporting bureau alleging violations of the Fair Credit Reporting Act (“FCRA”). Relying on the standard set forth by the U.S. Supreme Court in Spokeo, Inc. v. Robins, the circuit court held the named plaintiff lacked constitutional standing because he suffered no “concrete” injury from the alleged statutory violation.

The claims in the lawsuit involved the FCRA requirement that credit reporting agencies must, upon request, clearly and accurately disclose to a consumer the “sources of the information” in the consumer’s file at the time of the request. 15 U.S.C. § 1681g(a)(2). As part of a background check in connection with obtaining security clearance, the lead plaintiff, Michael Dreher, obtained a series of credit reports from Experian which listed a delinquent credit card account identified as Advanta associated with his name. Unbeknownst to Dreher, Advanta had been closed since 2010 and a company named CardWorks had been appointed as a servicer for the company acquiring Advanta’s receivables.

We previously reported that 21st Century Oncology suffered a data breach in October 2015 involving an intrusion into its systems which compromised around 2 million patients’ records, including their names, Social Security numbers, physicians’ names, insurance information, treatment information and diagnoses. As a result of the data

Last week, the decision in the Spokeo case influenced a California court’s decision to certify a class in a Fair Credit Reporting Act (FCRA) case. The class of applicants who claim that S2Verify, a background check company, unlawfully included criminal information in their reports, includes approximately 4,500 individuals who were subject to S2Verify reports from