Here's the conclusion of my outline of the Sedona Conference's Data Privacy Primer, which I last blogged about on January 22, 2017.
B. Fair Credit Reporting Act
a. Enacted in 1970 to regulate consumer reporting industry such as Equifax, TransUnion, Experian, and others.
2. Duties of Consumer Reporting Agencies
(2) Disclosure [all information in the file]
(3) Investigation [must conduct investigation when consumer questions accuracy]
(4) Free Consumer Reports [at least once a year];
(5) Permissible Uses
i. court order or subpoena
ii. to person who the report pertains
iii. use report in connection with extension of credit, employment, insurance underwriting, licensing or conferring of government benefits, legitimate business need.
iv. capacity to pay child support.
v. agency administering child support plan
vi. to FDIC or NCUA
c. Individual can opt out of sharing of information with affiliate.
3. Furnishers of Information to CRAs
Individuals can dispute accuracy of information furnished to the CRA and the furnisher must notify the CRA.
4. Users of Consumer Reports
The FCRA provides that a person may not procure a consumer report for employment purposes unless the employer or potential employer discloses in writing to the consumer that a report is to be obtained and the consumer authorizes in writing that a report can be obtained.
5. Limitations on Information Contained in Credit Reports
No CRA can make a consumer report containing any of the following information:
1. Bankrupcty cases more than 10 years old.
2. Civil suits older than 7 years, or those for which the statute of limitations has expired.
3. Tax liens older than 7 years.
4. Accounts placed for collection older than 7 years.
5. Any other adverse information other than a conviction record which is more than 7 years old.
6. Contact information for any medical information furnisher.
These restrictions are not applicable in credit transactions for more than $150,000; insurance agreements with a face amount of $150,000; and jobs with a salary of more than $75,000.
6. Private Rights of Action and Damages
Consumers have a private remedy against “negligent or willful misconduct by a furnisher” of consumer credit information, this right only arises once the furnisher has received a notice from the CRA disputing the accuracy or completeness of the information provided. The FCRA’s statute of limitations extends to two years after the date when plaintiff discovers the violation or five years af-ter the date of the violation, whichever occurs earlier.
7. Rulemaking and Enforcement
FCRA is enforced by the FTC and the CFPB.
C. Right to Financial Privacy Act of 1978
Individual had no individual right of privacy in his or her financial records (United States v. Miller) according to court decisions, so Congress enacted Right to Financial Privacy Act of 1978.
1. Overview of RFPA
Only applies to federal agencies. Covers card issuers. Companies of more than five individuals are not covered.
2. Obligations of RFPA
(a) Limitations on Federal Government Requests
Must state specific basis for request. Can't transfer to other federal agency except for law enforcement purposes and intelligence.
(b) Financial Institution's Obligations
Upon receipt of government request, financial institution must obtain individual consent, and can't make this consent on condition on which it will do business with the individual.
3. Civil Penalties for Non-Compliance
Liability can equal $100 regardless of the number of records; actual damages; punitive damages; and costs of the action. Financial institutions have immunity for disclosures made for reports such as the Suspicious Activity Report (SAR) with Financial Crimes Enforcement Network.
VII. WORKPLACE PRIVACY
A. Legal Framework
1. Regulatory Protections
Electronic Communications Privacy Act prohibits interception of communications while in transit or stored on computers. Business can monitor employee communications on a business provided device.
2. U.S. Constitution
A pivotal determination in cases involving governmental invasion of privacy is whether the government employee has a reasonable expectation of privacy in relation to the conduct of the governmental employer.
3. State Issues
Connecticut and Delaware require employers to give notice before monitoring employee communications.
B. Use of Computer Equipment and Email
City of Ontario v. Quon (U.S. 2010)- government search of employee texts was reasonable since measures were reasonably related to methods, and was justified at its inception. Many court decisions have found that employers can monitor communications on company provided devices. In addition to ownership of the device, courts consider the existence and scope of a company’s computer usage policy, steps taken by the employee to maintain the privacy of personal emails, the use of the company-owned computer system, and the content of the communication at issue.
C. Bring Your Own Device Policies
Rajaee v. Design Tech (S.D. Tex 2014) employee who used his own phone for business could not bring claim under ECPA after data (including personal data) was wiped on his private device by his employer.
D. Social Media Privacy
Costly and protracted risks associated with social media.
1. Passwords and Other Login Information
19 states have passed laws that prevent employers from requiring employees to hand over login information for social media sites.
2. Content Monitoring
Ehling v. Monmouth (D.N.J. 2013) Stored Communications Act was not violated when employer uses private data on Facebook as grounds for suspension that it only had access to through employee's Facebook friend. NLRB concluded that Costco was in violation of the National Labor Rela-tions Act (NLRA) by maintaining and enforcing a rule prohibiting employees from electronically damaging the company or any employee’s reputation.
VIII. STUDENT PRIVACY
A. Family Educational Rights and Privacy Act
Educational records cannot be transferred without student or parental consent. Rights transfer at 18. However institutions can disclose directory information.
Consent not required when all PII has been removed that student cannot be identified.
Children's Online Privacy Protection Act (COPPA) - 1998 - governs online collection of data about children. - FTC says under COPPA service providers can accept educational institution has obtained consent when collecting information.
Institutions must provide access to records to students within 45 days of the receipt of a request. No private right of action for a violation; must file a compliant with the Family Policy Compliance Office.
B. Protection of Pupil Rights Amendment
Prevents schools and third parties from learning certain information about students. The PPRA requires institutions that receive Department of Education funding to develop policies on parents' right to inspect surveys; right to inspect instructional material; opt out of non-emergency physical exams; opt out of collection of information for marketing purposes.
PPRA does not provide a private right of action. Must file compliant with Family Policy Compliance Office within Department of Education.
C. State Laws
In 2015, 14 states enacted legislation addressing the privacy rights of students.