Sedona Conference Primer on Data Privacy - Part 3
Here's the conclusion of my outline of the Sedona Conference's Data Privacy Primer, which I last blogged about on January 22, 2017.
B. Fair Credit Reporting Act
1. Overview
a. Enacted in 1970 to regulate the consumer reporting industry (Equifax, TransUnion, Experian, and others).
2. Duties of Consumer Reporting Agencies
(1) Accuracy
(2) Disclosure [all information in the file]
(3) Investigation [must conduct investigation when consumer questions accuracy]
(4) Free Consumer Reports [at least once a year];
(5) Permissible Uses
i. court order or subpoena
ii. to the person to whom the report pertains
iii. use report in connection with extension of credit, employment, insurance underwriting, licensing or conferring of government benefits, legitimate business need.
iv. capacity to pay child support.
v. agency administering child support plan
vi. to FDIC or NCUA
c. Individual can opt out of sharing of information with affiliate.
3. Furnishers of Information to CRAs
Individuals can dispute accuracy of information furnished to the CRA and the furnisher must notify the CRA.
4. Users of Consumer Reports
The FCRA provides that a person may not procure a consumer report for employment purposes unless the employer or potential employer discloses in writing to the consumer that a report is to be obtained and the consumer authorizes in writing that a report can be obtained.
5. Limitations on Information Contained in Credit Reports
No CRA can make a consumer report containing any of the following information:
1. Bankruptcy cases more than 10 years old.
2. Civil suits older than 7 years, or those for which the statute of limitations has expired.
3. Tax liens older than 7 years.
4. Accounts placed for collection older than 7 years.
5. Any other adverse information other than a conviction record which is more than 7 years old.
6. Contact information for any medical information furnisher.
These restrictions are not applicable in credit transactions for more than $150,000; insurance agreements with a face amount of $150,000; and jobs with a salary of more than $75,000.
6. Private Rights of Action and Damages
Consumers have a private remedy against “negligent or willful misconduct by a furnisher” of consumer credit information, but this right only arises once the furnisher has received notice from the CRA disputing the accuracy or completeness of the information provided. The FCRA’s statute of limitations extends to two years after the date the plaintiff discovers the violation or five years after the date of the violation, whichever occurs earlier.
7. Rulemaking and Enforcement
FCRA is enforced by the FTC and the CFPB.
C. Right to Financial Privacy Act of 1978
Court decisions (United States v. Miller) held that an individual had no right of privacy in his or her financial records, so Congress enacted the Right to Financial Privacy Act of 1978.
1. Overview of RFPA
Only applies to federal agencies. Covers card issuers. Companies of more than five individuals are not covered.
2. Obligations of RFPA
(a) Limitations on Federal Government Requests
Must state the specific basis for the request. Cannot transfer records to another federal agency except for law enforcement and intelligence purposes.
(b) Financial Institution's Obligations
Upon receipt of a government request, the financial institution must obtain the individual's consent, and it cannot make that consent a condition of doing business with the individual.
3. Civil Penalties for Non-Compliance
Liability can equal $100 regardless of the number of records; actual damages; punitive damages; and costs of the action. Financial institutions have immunity for disclosures made in reports such as the Suspicious Activity Report (SAR) filed with the Financial Crimes Enforcement Network.
VII. WORKPLACE PRIVACY
A. Legal Framework
1. Regulatory Protections
The Electronic Communications Privacy Act prohibits interception of communications while in transit or stored on computers. A business can monitor employee communications on a business-provided device.
2. U.S. Constitution
A pivotal determination in cases involving governmental invasion of privacy is whether the government employee has a reasonable expectation of privacy in relation to the conduct of the governmental employer.
3. State Issues
Connecticut and Delaware require employers to give notice before monitoring employee communications.
B. Use of Computer Equipment and Email
City of Ontario v. Quon (U.S. 2010): a government search of employee texts was reasonable since the measures were reasonably related to the methods and the search was justified at its inception. Many court decisions have found that employers can monitor communications on company-provided devices. In addition to ownership of the device, courts consider the existence and scope of a company’s computer usage policy, steps taken by the employee to maintain the privacy of personal emails, the use of the company-owned computer system, and the content of the communication at issue.
C. Bring Your Own Device Policies
Rajaee v. Design Tech (S.D. Tex. 2014): an employee who used his own phone for business could not bring a claim under the ECPA after his employer wiped the data (including personal data) on his private device.
D. Social Media Privacy
Social media carries costly and protracted risks for employers.
1. Passwords and Other Login Information
19 states have passed laws that prevent employers from requiring employees to hand over login information for social media sites.
2. Content Monitoring
Ehling v. Monmouth (D.N.J. 2013): the Stored Communications Act was not violated when an employer used private Facebook data, to which it had access only through the employee's Facebook friend, as grounds for suspension. The NLRB concluded that Costco was in violation of the National Labor Relations Act (NLRA) by maintaining and enforcing a rule prohibiting employees from electronically damaging the company's or any employee’s reputation.
VIII. STUDENT PRIVACY
A. Family Educational Rights and Privacy Act
Educational records cannot be transferred without student or parental consent. Rights transfer to the student at 18. However, institutions can disclose directory information.
Consent is not required when all PII has been removed such that the student cannot be identified.
The Children's Online Privacy Protection Act (COPPA), enacted in 1998, governs online collection of data about children. The FTC says that under COPPA a service provider can accept that an educational institution has obtained consent when collecting information.
Institutions must provide students access to their records within 45 days of receipt of a request. There is no private right of action for a violation; a complaint must be filed with the Family Policy Compliance Office.
B. Protection of Pupil Rights Amendment
Prevents schools and third parties from learning certain information about students. The PPRA requires institutions that receive Department of Education funding to develop policies on parents' right to inspect surveys; the right to inspect instructional material; opting out of non-emergency physical exams; and opting out of collection of information for marketing purposes.
The PPRA does not provide a private right of action. A complaint must be filed with the Family Policy Compliance Office within the Department of Education.
C. State Laws
In 2015, 14 states enacted legislation addressing the privacy rights of students.