prepare a memo discussing all potential privacy-related issues in Peter’s case


Peter Smith is the Chief Compliance Officer for “TransExperian” (TE), a major nationwide credit reporting bureau in the United States. In the past few years, certain decisions relative to TE’s compliance obligations have caused some concern with the Board of Directors. Peter has come to your law firm asking for help in assessing all potential risk associated with TE’s recent actions.

TE core business is compiling vast amounts of consumer financial data, including loan balances, payment history and defaults. This information is particularly useful for businesses, because the data goes back several years, sometimes up to 15 years. However, since TE maintains so much information, it often has difficulty maintaining accurate data. Some of the inaccurate data would be deleted, but the rest would stay on file. Nonetheless, TE remained very profitable since the financial information it collected proved to be reasonably accurate in predicting an individual’s future behavior.

Two years ago, Peter was approached by TE’s Strategic Product Development Team (SPDT) about compiling new types of data which could potentially create a new income stream for TE. Specifically, the SPDT wanted to begin collecting information related to an individual’s personal characteristics and market that information to prospective employers. Peter felt this was a good idea because employers were willing to pay big money to identify individuals who had no prior history of drug use, fraud or any other activity that may potentially harm the business’s reputation. The business could use that information to identify likely candidates and then reach out to those employees to inquire about their interest in working for the company. In addition, Peter felt that compliance obligations would be more lax because TE would likely not be considered within scope of the FCRA because the information was not financial in nature. After working out some kinks, the product was launched a year ago and has enjoyed a great amount of success.As part of his duties as Chief Compliance Officer, Peter implemented a robust annual privacy notice mailing process for TE. The process currently sends a privacy notice to all individuals that TE maintains nonpublic personal information on, currently 30 million individuals. The privacy notice provides a description of TE’s information collection and sharing practices, but does not mention the individual’s ability to restrict disclosure of nonpublic personal information to other entities. A large number of TE’s shareholders criticized Peter’s costly decision to implement such a process because many believed that TE had no legal obligation to provide an annual privacy policy to those individuals who TE maintained information on. Some of the shareholders have even threatened to file a shareholder derivative suit for Peter’s actions.
When TE’s profits took a turn for the worse 6 months ago, Peter decided to hack into a competitor’s database to gain a competitive advantage. Peter ended up stealing 5 files containing various intellectual property documents, each valued at $1,000. Peter felt that there was little risk in doing this pursuant to the Computer Fraud and Abuse Act because TE still had to reverse engineer the source code stolen from the competitor.

Your supervising attorney asks you to prepare a memo discussing all potential privacy-related issues in Peter’s case. You are to advise your supervising attorney on the likely outcome of each issue, citing appropriate authorities.