As a growing number of states pass legislation which will protect individuals’ social media accounts from employer scrutiny, they have encountered a surprising adversary – FINRA and other securities regulators.

To date, at least six states have enacted social media employee privacy laws (which were blogged about here, here, here, and here) and upwards of thirty-five states have considered legislation since the beginning of 2013. Washington State may soon join the ranks with SB 5211, a bill unanimously passed by both chambers of Washington legislature on April 27, 2013, which now awaits the Governor’s signature. Social media password protection laws, although unique to each state, generally restrict employers from requesting or requiring that employees or applicants provide their social media user names, passwords, and account information. Supporters believe the laws are necessary to protect employee and prospective employee privacy and to prevent against unlawful employer action in response to an employee’s social media use.

FINRA, the Financial Industry Regulatory Authority, fears that the new employee privacy laws may directly conflict with securities rules and threaten investor protection. With an increasing number of financial firms taking to Facebook and Twitter to interact with investors and give financial advice, FINRA has set forth various guidelines governing social media use. Under FINRA rules, securities firms must “adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised,” and broker-dealers must be able to “retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.” FINRA Regulatory Notice 11-39 (August 2011). According to FINRA, if the employee of a broker-dealer is engaging in business communications over a social networking site, the broker-dealer must have access to the account for general monitoring and for its records. Broker-dealers must also be able to freely follow up on red flags, or misuse of an account. FINRA fears that the adoption of social media employee privacy laws may conflict with monitoring and reporting requirements and could force some employers into a lose-lose situation—violate state law or violate a FINRA rule. FINRA worries that employers who choose the former will increase investor risk and the potential for securities fraud.

FINRA has sent letters to lawmakers in approximately ten states seeking carve-outs to social media employee privacy laws for the financial services industry. Many of the laws already include narrow exemptions, which allow for employers to require disclosure if an employee’s alleged misconduct has risen to a certain level. FINRA does not appear satisfied with these exemptions, which may be too limited for broker-dealers to be in full compliance with monitoring, recording and supervision requirements. California has rejected FINRA’s request for an exception for the financial services industry, but it remains to be seen how the states will react in general.

FINRA is not alone in its concerns that social media privacy laws are too broad. On May 6, 2013, Governor Christie of New Jersey conditionally vetoed a social media employee privacy Bill which he criticized for its over-breadth and for putting employers at increased risk.

While it is too soon to predict how this conflict between employee privacy interests and financial industry oversight will be resolved, what is apparent is the increasingly complex issue of handling privacy in the age of social media.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail below and are available in eight languages on OCR’s website at:  www.hhs.gov/ocr/privacy/hippa/understanding/consumers.

I.            OCR Consumer Factsheet: “Your Health Information Privacy Rights”

• OCR tells consumers that HIPAA gives them rights over their health information including the right to get a copy of their information, make sure it is correct and know who has seen it.
• OCR says that in most cases consumers must be given a copy of their medical record and other health information within 30 days.
• Consumers can ask to change any wrong information in their file if they believe that something is missing or incomplete.  OCR states, “Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.”
• OCR summarizes how a consumer’s health information can be used and shared for specific reasons not directly related to the consumer’s care (i.e., “making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or reporting as required by state or federal law”). 
• OCR encourages consumers to learn how their health care providers and health insurers are using and sharing their health information.
• OCR encourages consumers to let their health care providers and health insurers know if there is information that they do not want to be shared.
• OCR also tells consumers that they can make reasonable requests to direct their health care provider to contact them at a different place or in a different manner.  For example, if the doctor’s office usually sends a postcard with an appointment reminder, the consumer may request that the appointment reminder be sent in an envelope instead.

II.          OCR Consumer Factsheet: “Privacy, Security, and Electronic Health Records”

• OCR explains that electronic health records (EHRs) are electronic versions of the consumer’s paper medical record and includes health information such as medical history, notes, diagnoses, medications, lab results, and immunizations. 
• OCR tells consumers that their privacy rights are the same whether the health information is stored as paper or in an electronic form.
• In the factsheet, OCR summaries the benefits of health care providers using EHRs.  Consumers should expect “improved quality of care”, “more efficient care”, and “more convenient care.” 
• OCR summarizes certain protections that can safeguard EHR systems including access controls like passwords and PIN numbers, encrypting, and an audit trail feature.
• OCR describes for the consumers the breach notification requirement for health care providers.

III.        OCR Consumer Factsheet: “Understanding the HIPAA Notice”

• OCR provides a four step process for consumers to follow to make sure that they understand the “Notice of Privacy Practices” and their rights under HIPAA.
• Step 1: OCR encourages consumers to “Get a Copy of the Notice of Privacy Practices”
• Step 2: OCR encourages consumers to “Read the Notice”
  • The Notice explains how the health care provider or insurer is allowed to use or share their information
  • Explains the consumers’ privacy rights
  • Explains the doctor or insurer’s legal duties to protect consumers’ health information
  • Provides the contact information about the doctor or insurance company’s privacy polices.
• Step 3: OCR encourages consumers to “Ask Questions about the Notice or Your Rights”
• Step 4: OCR encourages consumers to “Know What You are Signing”
  • HIPAA requires the consumer’s doctor, hospital, or other health care provider to ask for written proof that he or she received the Notice of Privacy Practices acknowledgement of receipt. 
  • Consumers are not required to sign the acknowledgment of receipt; however providers must keep a record that the consumer decided not to sign the form.  Providers must still care for consumers who do not sign the acknowledgment of receipt. 

IV.         OCR Consumer Factsheet: “Sharing Health Information with Family Members and Friends”

• OCR summarizes and provides examples of when a health care provider or health plan may share relevant information with family members or friends involved in the consumer’s health care or payment for health care.
• OCR states that under HIPAA, a health care provider may share a consumer’s information face-to-face, over the phone, or in writing … if:
  • The consumer gives the provider or plan permission to share the information.
  • The consumer is present and does not object to sharing the information.
  • The consumer is not present, and the provider determines based on professional judgment that it is in the consumer’s best interest.
• OCR provides frequently occurring examples for each of these scenarios. 
  • The consumer’s hospital may discuss the consumer’s bill with his or her daughter who is with the consumer and has a question about the charges, if the consumer does not object.
  • The consumer’s doctor may discuss the drugs the consumer needs to take with the consumer’s health aide who has accompanied the consumer to his or her appointment.
  • The consumer had emergency surgery and is still unconscious.  The consumer’s surgeon may tell the consumer’s spouse about his or her condition, either in person or by phone, while the consumer is unconscious.
  • A doctor may not tell a consumer’s friend about a past medical problem that is unrelated to the consumer’s current condition.

Finally, OCR provides information to consumers on who to contact if their HIPAA rights are being denied or their health information is not being protected.

The Securities and Exchange Commission (the “SEC”) and Commodity Futures Trading Commission (the “CFTC”) recently adopted rules requiring entities subject to their respective enforcement authorities to adopt and implement programs to detect and respond to indicators of possible identity theft, as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”). The SEC rules apply to entities such as broker-dealers, investment companies and investment advisers, while the CFTC’s rules apply to entities such as futures commission merchants, commodity trading advisors and commodity pool operators.

 The Dodd-Frank Act requirement shifted rulemaking responsibility and enforcement authority for identity theft rules governing such entities to the SEC and CFTC from the six federal agencies that had jointly adopted identity theft rules under the Fair Credit Reporting Act in 2007.

 The rules adopted by the SEC and the CFTC specify: (1) which financial institutions and creditors must develop and implement a written identity theft prevention program; (2) the objectives of such program; (3) the elements that the program must contain; and (4) the steps financial institutions and creditors need to take to administer the program. The rules do not contain any requirements that were not already in the rules established in 2007, nor do they expand the scope of those rules to include new categories of entities that the rules did not already cover.  However, the rules and the related adopting release contain examples and minor language changes that are designed to help guide entities with compliance.

 The rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after that effective date.

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets.  In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names. 

To be subject to French data protection laws, a data controller must be either established on French territory or use a means of processing data that is located on French territory.  However, Article 145 of the French Code of Civil Procedure does not include such geographical limitations and allows parties, upon application to the court, to seek evidence before a case has been formally instituted whether there is a legitimate reason to preserve or establish the evidence.

In October 2012, the Union of French Jewish Students (“UFJS”) filed a summary action under Article 145 to require Twitter to identify individuals who had posted anti-Semitic tweets (a criminal offense).  On January 24, 2013, the court ruled that while Twitter was not subject to French data protection laws, it was nevertheless obligated to hand over the identities of users in France who post racist tweets.

Twitter has yet to hand over the authors’ identities, however, and the UFJS is taking further legal action against Twitter, claiming $50 million in damages.  Twitter has appealed the decision.

In Germany, the Düsseldorfer Kries (ULD), Germany’s consortium of state data protection regulators, issued an opinion against Facebook’s real-name policy, which requires users to register accounts under their real names and remove fake accounts.  This policy is central to Facebook’s business model, but the ULD argued it violates users’ online privacy.  German data protection laws provide for the right to anonymous use of social media.

Facebook appealed to a German administrative court, arguing that because it processes the relevant data in Ireland (which does not have a right to anonymous use of social media), and not in Germany, it was not subject to the German law.  The court agreed, though the ULD has announced it plans to appeal.

These two decisions illustrate the patchwork of local laws that social media companies may face when conducting business in the EU.  We will continue to monitor this issue, as well as these cases as they go up on appeal.

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013″ (AB 1291), which would require any company that retains a  California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a list of all third parties with whom it has shared the resident’s data during the previous 12 months, the contact information of such third parties, and the types of personal information that was shared. In contrast to the existing Shine the Light Act, this legislation would not be limited to data sharing for direct marketing purposes, and would not provide exceptions for companies that maintain an opt-in or opt-out policy for data sharing.  Moreover, the legislation’s definition of “personal information” is broader, and includes data such as online usage information. Also, the legislation would apply to businesses even if they do not have a direct relationship with the California resident, such as data aggregators and online ad networks.  Additional requirements also exceed what is present in the existing law.  If a company does not comply, California residents would be empowered to file a civil suit to force compliance. The law does not distinguish between brick-and-mortar businesses and online companies.

Although the Right to Know Act contains certain provisions intended to prevent abuse, it provides for an unprecedented level of data access for California residents. Under CA Civil Code § 1798.83 (better known as the Shine the Light Act), California residents may request from a company an accounting of disclosures made to third parties for direct marketing purposes, as well as general facts about the types of data disclosed. The Right to Know Act would allow California residents to know all of the ways that their personal information is being shared – including via online interactions – with the exception only of data sharing with service providers who are only permitted to use the information to provide service to the company.

The Right to Know Act provides that in lieu of responding to individual California resident requests, a company can provide a California resident with a notice about what data will be disclosed and to whom— prior to or immediately following a disclosure. In addition, a company would only have to provide each California resident with the required information once every 12 months.

The bill is expected to be debated by California legislators within the next few months.

On April 5, 2013, New Mexico joined six other states (including, among others, Utah, Maryland and California) in passing a new law prohibiting employers from requesting or requiring that a prospective employee provide access to his or her social networking accounts.  Proskauer’s Labor & Employment group has discussed the new law here. 

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).

The first year of existence of Google’s new privacy policy has been eventful

Google’s new privacy policy has been under the scrutiny of the European Data Protection Authorities since its launch was announced by Google at the end of January 2012.

The Article 29 Working Party, whose members are the Data Protection Authorities of the 27 Member States, immediately expressed concerns about the compliance of Google’s privacy policy with the European Directive on Data Protection, and requested in February 2012 that Google delay the implementation of the new policy, which Google refused (which we blogged about here: http://privacylaw.proskauer.com/2012/03/articles/online-privacy/googles-new-privacy-policy-being-scrutinized-by-the-french-data-protection-authority

The French Data Protection Authority (CNIL) took the task of reviewing and assessing Google’s privacy policy on behalf of all European Data Protection Authorities. After several months of exchanges between the CNIL and Google, the Article 29 Working Party rendered in October 2012 its findings and requested that Google make changes to its privacy policy:http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20121016_google_privacy_policy_recommendations_cnil_en.pdf

The findings of the European Data Protection Authority on Google’s Privacy Policy

Google’s new privacy policy unified more than 60 different privacy policies across Google’s services and apps under one single privacy policy that covers almost every Google product and service. In addition, it allowed Google to combine data collected in every service into a single detailed user profile. To give an example, if a user searches for cooking recipes through the Google search engine, Google can use this information to suggest cooking videos on YouTube!.

The Article 29 Working Party determined that Google’s privacy policy does not comply with the Directive’s obligation to precisely inform the user of the type of data collected, its purposes and its recipients because the policy is too general. As a result, a user is unable to determine which categories of data are processed in the service that is used and for which purpose they are processed. In addition, the Article 29 Working Party stated that the combination of data requires the unambiguous consent of the user and that this large combination of data is disproportionate and creates high risks to the privacy of the user. Finally, Google has not specified the retention periods for the data it processes, in breach of the Directive.

National Enforcement Actions in Six EU Countries

Google decided not to implement the Article 29 Working Party’s recommendations.

Following a meeting with Google on March 19^,, 2013 the national Data Protection Authorities of 6 of the 27 EU Member States announced that each will launch investigations and enforcement procedures against Google. Unlike the initial assessment phase that was coordinated by the CNIL on behalf of the other EU authorities, these investigations and enforcement procedures are not being jointly pursued. Indeed, each national Data Protection Authority has its own procedures, powers and sanctions.

Although the authorities have announced that they will cooperate together, Google will nevertheless face six distinct national procedures, and should they result in divergent decisions, there is no system to reconcile them. One goal of EU data protection reform is to establish a new system of supervision when data processing has an EU-wide impact. Under the proposition for a new EU data protection regulation made by  the European Commission in January 2012 [http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf] and currently under review before the European Parliament, only the  Data Protection Authority of the EU country where the company has its main establishment  would be in charge of taking legally binding decisions against a non-compliant company (one-stop shop). In addition, mandatory cooperation between national authorities, as well as a consistency mechanism at the EU level, would be implemented to ensure consistency across investigations and enforcement procedures.

Following a growing trend among states, on March 26, 2013, the Utah legislature passed the Internet Employment Privacy Act, which prohibits employers from requesting that job applicants or employees disclose passwords protecting their personal internet accounts.  Proskauer’s Labor & Employment group has discussed the new law here.

In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012, the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) Section 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is a violation of state privacy law for which the consumer can sue (see slip opinion).

By way of background, the plaintiff, Tyler, alleged she was making a credit card purchase at Michaels (an arts and crafts retailer) when a cashier asked her for her ZIP code.  Tyler provided her ZIP code.  Tyler alleged her ZIP code was later used by Michaels to find Tyler’s mailing address and telephone numbers and send her unwanted and unsolicited marketing materials.  Tyler filed a class action complaint against Michaels claiming unjust enrichment and seeking a declaratory judgment that collecting ZIP codes is a violation of Section 105(a).  The Massachusetts District Court found that Tyler’s complaint sufficiently alleged a violation of Section 105(a); however, the District Court found the complaint did not allege a cognizable injury under the statute (see our blog post here).  Further, the district court judge opined that the statute was meant to protect identity fraud and was not, as Tyler argued, for the protection of consumer rights.  At the judge’s invitation Tyler filed a motion to certify the following three questions to the Massachusetts Supreme Court, each regarding the proper interpretation of Section 105(a):

1) Under Section 105(a), is a ZIP code “personal identification information” because such a ZIP code may be required by the credit card issuer to complete the transaction? Yes, the Supreme Court answered, because regardless of whether the ZIP code was explicitly defined in the statute as personal identification information, it could be used to obtain such information.

2) Under Section 105(a), can a consumer bring an action for a privacy right violation even without identity fraud? Yes, the Supreme Court answered, disagreeing with the District Court judge, because they found no reason to limit the statute’s application to only identity fraud, especially when the title of the statute is “Consumer Privacy in Commercial Transactions.”

3) Under Section 105(a), does the term “credit card transaction form” apply to both paper and electronic credit card transactions? Yes, the Supreme Court answered, because limiting the statute to only paper transactions would render the statute obsolete in the age of electronic transactions.

The Supreme Court also found that possible injuries resulting from a violation of Section 105(a), such as where the merchant uses the information for its own business purposes by sending the customer unwanted marketing materials or by selling the information for profit, are injuries distinct from violation of the statute itself and are recognizable under the law.

So what’s next?  This case will now be sent back to the District Court for further proceedings.

Given the Massachusetts Supreme Court ruling, more law suits in Massachusetts and other states with similar consumer privacy statutes are likely to follow.  Therefore, other retailers and businesses may want to review their policies regarding credit card transactions and how their employees request consumer information.  In particular, retailers and other businesses may want to reconsider whether their employees should request a ZIP code, even if provided by consumers voluntarily, when such information is not required by the credit card issuer.

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity.  The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing baseline cybersecurity standards. Critical infrastructure refers to those systems and assets, both physical and virtual, so vital to our nation that any cyber attacks upon them would have a debilitating impact on national security, economic security, and/or public health or safety. 

According to a report issued by the Department of Homeland Security (the “DHS”) in December 2012, there were 198 cyber attacks on the nation’s critical infrastructure last year, several of which were successful.  One such successful attack involved highly sophisticated malware found on critical engineering workstations at a power generation facility.  According to the DHS’ Industrial Control Systems Cyber Emergency Response Team Monitor, an “ineffective or failed cleanup would have significantly impaired” the power plant’s operations.  Critical infrastructure systems ranging from air traffic control systems, highways, and hospitals to electrical grids, water systems, power plants and financial systems all have virtual components that are vulnerable to cyber attack.  Over the past year, the need for stronger defenses against cyber attacks has gained traction in the public eye, as hackers have successfully targeted numerous high profile companies, including major newspapers, banks, and federal agencies. 

President Obama’s Executive Order on cybersecurity comes in the wake of proposed cybersecurity legislation, which was stalled in Congress last year. The Executive Order relies heavily on a voluntary program that encourages private companies operating critical infrastructure to adopt baseline cybersecurity standards, which the federal government will develop with industry assistance.

 The main points of the Executive Order are as follows:

• Cybersecurity Information Sharing:  The government will increase the volume, timeliness, and quality of cyber threat information shared with private sector entities.  This will enable private companies to better protect and defend themselves against cyber threats.  Federal agencies will timely disseminate unclassified reports of cyber threats targeting specific entities to the targets and will distribute classified reports to those critical infrastructure entities authorized to receive them.
• Cybersecurity Framework:  The National Institute of Standards and Technology, an agency of the Department of Commerce, will work with critical infrastructure operators to develop a framework of baseline standards designed to strengthen the digital security of the nation’s critical infrastructure (the “Framework”).  Existing standards and industry best practices will be incorporated into the Framework to the fullest extent possible.  To account for organizational differences and allow for technological innovation, the Framework will provide technology-neutral guidance. 
• Voluntary Critical Infrastructure Cybersecurity Program:  Federal agencies will establish a voluntary program to encourage critical infrastructure operators to adopt the Framework.  The DHS will spearhead the effort, working with sector-specific agencies and industry council to implement the Framework’s best practice standards and to incentivize participation in the voluntary program.  Various federal agencies will assess the effectiveness of incentives and whether there is sufficient authority under existing legislation to provide them.
• Privacy and Civil Liberties Protections:  Federal agencies must ensure that privacy and civil liberties protections are incorporated into their activities under the Executive Order.

Some have lauded President Obama’s efforts, opining that the voluntary standards could become quasi-mandatory in practice, by essentially setting a new negligence bar for cybersecurity.  Others have been more skeptical, arguing that without intervention by Congress, the Executive Order may have little practical effect.  President Obama himself has emphasized the need for bipartisan action on the cybersecurity front, stating during the 2013 State of the Union Address that “[n]ow Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”

“We know hackers steal people’s identities and infiltrate private e-mail.  We know foreign countries and companies swipe our corporate secrets.  Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems,” the President stated.  Given the constant headlines about hackers from abroad gaining access to and disrupting the workings of large corporations and government agencies, the President’s Executive Order comes as a welcome first step towards strengthening the nation’s cybersecurity.