The Federal Trade Commission sued a Nevada data storage services company over allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before allowing its certification to lapse.

The EU-U.S. Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program.

In a complaint, the FTC alleges that between January 2017 and October 2018, RagingWire Data Centers, Inc. claimed in its online privacy policy that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though it had allowed its certification to lapse in January 2018. The Department of Commerce warned Raging Wire twice to either remove the claims or take steps to recertify its participation in the Privacy Shield program. The company, however, failed to recertify until it was contacted by the FTC in October 2018.

The FTC also alleges that while RagingWire was a participant of the Privacy Shield program, the company failed to comply with the three following Privacy Shield requirements:

  • To verify annually that it had made accurate statements about its Privacy Shield privacy practices;
  • to maintain a dispute resolution process for consumers who had privacy-related complaints about the company; and
  • to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

The complaint includes a proposed order that would prohibit RagingWire from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization and would require the company to comply with FTC reporting requirements. If its certification of participation in the Privacy Shield framework lapses in the future, RagingWire also would be required to continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information, according to the proposed order.

The Commission voted 5-0 to issue the administrative complaint.

Experian’s five data breach predictions for 2020 include:

  1. Cybercriminals will leverage text-based “smishing” identity theft techniques to target consumers participating in online communities. As more Americans continue to join like-minded groups on social media to provide financial support to social causes or political candidates, cybercriminals can solicit unsuspecting consumers with fraudulent messages via SMS text to seek bank account details or other sensitive information.
  2. Hackers will take to the skies to steal consumer data from devices connected to unsecure networks. As cities install more free public Wi-Fi systems, the more than one million drone devices operating in the U.S. today may be armed with affordable mobile hacking devices to steal sensitive data from consumers and businesses on the streets below.
  3. Cybercriminals will use deepfake technology to disrupt the operations of large commercial enterprises and create geo-political confusion. Artificial intelligence technology can manipulate C-suite executives and government leaders’ appearance and voice to blur the lines of what is real and what isn’t.
  4. Burgeoning industries, such as cannabis retailers and cryptocurrency entities will be targeted for cyberattacks as a result of online activism or “hacktivism.” As a form of protest, hackers may seek to gain access to controversial companies’ sensitive data due to their prevalence in society and increased cash flow.
  5. Cybercriminals will execute a major hack of the mobile point-of-sale platforms used to process transactions. The proliferation of mobile payment options would allow cybercriminals to access payment data over unsecured networks and target large venues such as concerts or major sporting events. 

Passing a criminal background check is a nearly universal prerequisite to securing a job or housing, yet employers and landlords are making decisions based on inaccurate reports. Broken Records Redux: How Errors by Criminal Background Check Companies Continue to Harm Consumers Seeking Jobs and Housing, a new report from the National Consumer Law Center (NCLC), finds that problems with accuracy in commercial criminal background check reports are still rampant. “Unfortunately, many background screening companies still seem to prioritize profit over accuracy, leading to reports that cost consumers’ jobs and housing,” said Ariel Nelson, National Consumer Law Center staff attorney and author of the report.

Nelson and NCLC attorney Chi Chi Wu will also be panelists at an all-day workshop on Accuracy in Consumer Reporting to be held at the Constitution Center (also available to view via live stream on the FTC website) in Washington, D.C. on Tuesday, December 10 from 9 a.m. until 4:30 p.m. sponsored by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB).

NCLC’s research reveals that background screening companies continue to generate criminal background check reports that:

  • Mismatch the subject of the report with another person (e.g., listing criminal records belonging to someone else, often harming common-name consumers in particular);
  • Include sealed or expunged records (e.g., listing a conviction that was legally removed from the public record);
  • Omit information about how the case was resolved (e.g.., failing to report that charges were dismissed);
  • Contain misleading information (e.g., listing a single charge multiple times); and/or
  • Misclassify the offense reported (e.g., reporting a misdemeanor as a felony).

The background screening industry is now a multi-billion dollar industry, with about 94% of employers and about 90% of landlords using criminal background check reports to evaluate prospective employees and tenants. Yet there are still no registration requirements for background checking companies and no standardized criteria governing background checks.

A recent development: many screening products are designed to automate and outsource decision making to the background screener. This means that users may not individually assess or make judgment calls about applicants. Automated decision making may also mask errors and deny consumers the chance to explain why a record is inaccurate or why it should not bar housing or employment. Further, there is no common standard for predicting if an individual will be a “good” tenant or employee. As a result, applicants who otherwise would have been accepted are excluded, and employers and landlords miss out on qualified applicants.

“Background screening companies often promote their products by pointing to the advanced technologies and automated processes they use, but the automation of criminal background check reporting has come with its own serious problems,” said Nelson.

Companies use automation to generate reports by running computer searches through giant databases of aggregated criminal record data. Reports may only undergo minimal, if any, manual review,  which is especially problematic because the data is often purchased in bulk through intermediaries or obtained using web scraping technology. Thus, it often lacks key personal identifiers, information about how a case was resolved, and may not be updated frequently. Practices like these, along with the use of loose matching criteria, lead to erroneous reports that have grave consequences for consumers seeking jobs and housing.

“If Congress, federal agencies, and states don’t act to ensure that background screening companies are closely monitored and hold them accountable for their repeated mistakes due to poor policies and practices, consumers will continue to pay the price by forfeiting housing and job opportunities while employers and landlords will miss out on qualified employees and tenants,” said Nelson.

Since NCLC’s ground-breaking report in 2012, the CFPB and the FTC have brought a handful of enforcement actions against several background screening companies for violations of the Fair Credit Reporting Act (see pages 24-25 of the new report), but much more must be done.

Recommendations: The National Consumer Law Center report recommends that Congress, federal regulatory agencies, and states use their authority to clean up the criminal background screening industry once and for all, including the following steps.

  • Congress should amend the FCRA to increase protections for prospective tenants and give the Federal Trade Commission specific supervisory authority over background screening companies.
  • The Consumer Financial Protection Bureau should use its rulemaking authority to require mandatory measures to ensure greater accuracy of background check reports and require registration of background screening companies.
  • The Consumer Financial Protection Bureau and the Federal Trade Commission should continue to use their enforcement powers to investigate major background screening companies for FCRA violations. These federal agencies should also investigate nationwide employers for compliance with FCRA requirements for users of consumer reports for employment purposes.
  • States should pass legislation requiring users of background check reports to review the underlying report produced by the background screener before making employment or housing decisions. States should require companies that receive bulk data from public records sources to promptly delete sealed and expunged records and to routinely update their records. States should revoke the ability to receive data if an audit reveals that the company is not in compliance.