Workplace Privacy Counsel

New Background Check Mobile Web Application May Jeopardize FCRA Compliance Obligations

Privacy and Data Protection Practice Group — Wed, 27 Jan 2010 16:10:33 -0800

“BeenVerified” is a new mobile Web application that allows users to conduct background checks on any individual by merely entering the name or email address of the individual. Users get three free background checks monthly and unlimited checks for a monthly fee of only $8. BeenVerified has been a smashing success, with more than one million checks run to date.

HR professionals, recruiters, managers, and co-workers may find BeenVerified hard to resist. According to the application, users can check an individual’s “Criminal History, Property Records, Current Contact Info, Relatives, Neighbors, and more,” merely by entering an individual’s name. By entering an email address, the user can find out about the individual’s social networking activities and view “their online photos, websites, blog posts, and entire online presence.” All of the data is compiled into a concise report.

Despite its ease of use and apparent low cost, the BeenVerified app may expose employers to liability under the federal Fair Credit Reporting Act (FCRA) and analogous state laws. These laws prohibit background checks for employment purposes without providing notice and obtaining the subject’s prior, written authorization. The FCRA permits recovery of compensatory damages, including statutory damages for willful violations, and a fee award.

Although BeenVerified states that information obtained “should not be used for employment, tenant screening, or any FCRA related purposes,” the potential for abuse exists. HR professionals, recruiters, managers, and co-workers now have the ability to review financial, criminal, and other personal information about subordinates, co-workers, and applicants without any safeguards to protect against violations of federal and state background check laws. As a result, employers should consider implementing a policy that prohibits employees from using the application to obtain information about any other employee unless the user has complied with the FCRA’s notice and authorization requirements.

This entry was written by Philip L. Gordon and Jennifer L. Mora.

Photo credit: HelleM

Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites

Employment Litigation Practice Group — Tue, 05 Jan 2010 11:30:16 -0800

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce -- to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

The duty of disclosure applies even when the employee’s endorsement appears on a site that is not maintained by the employer or employee (such as a popular “bulletin board”) and the statement itself is not misleading. See 16 C.F.R. Part 255.5 (entitled “Disclosure of material connections”), Example 8. Failure to make such disclosure may expose the employer to liability under the Act.

If employees make misleading statements about the employer’s products and services that result in injury to consumers, the FTC may bring an enforcement action against the employer. The FTC reports that it has brought enforcement actions against employers “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury, but the FTC suggested in comments on the guidelines that it would be unlikely to take action against an employer for the conduct of a single “rogue” employee whose conduct violated an adequate company policy.

Additionally, because postings on blogs and Facebook pages can reach wide audiences, employers may be vulnerable to large-scale liability like class-action lawsuits by consumers and/or legal action by state attorneys general.

In view of this latest possible exposure to employers from employees’ use of blogs and social websites, employers should consider reviewing their electronic communications or social media policies to ensure: (1) that they have policies addressing the use of the company’s name, trademarks, and other proprietary information in blogs and other social media; and (2) that these policies include either prohibitions or appropriate guidance regarding references to company products or services. Such prohibitions and/or guidance should no longer be limited to criticisms of the employer and its products and/or services. Endorsements, if permitted at all, should be limited to truthful and verifiable statements, or should be subject to prior approval by management. And in either event, such statements must be accompanied by an employee’s written disclosure of the employment relationship so that consumers can fairly weigh the testimonial.

This entry was written by Lisa Brauner.

Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies

Privacy and Data Protection Practice Group — Mon, 21 Dec 2009 17:31:19 -0800

As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.

Firestorm Over Change in Facebook's Privacy Settings Has Important Implications for Employers

Privacy and Data Protection Practice Group — Wed, 16 Dec 2009 09:11:03 -0800

This past week, Facebook asked each of its 350 million users whether they wanted to change their privacy settings to new settings offered by Facebook. The request ignited a firestorm among privacy advocates who believed that the changes meant less privacy for users. At the same time, the request forced users to consider their old settings and whether to change them to the new ones. The Financial Times reported that, according to Facebook, before this week’s rollout of the new settings, only 15% to 20% of users had changed their default privacy settings, but in response to the inquiry about changing their privacy settings, 50% of users — approximately 175 million users — had made changes.

Why is this massive review of Facebook privacy settings significant to employers? Facebook’s default privacy setting is, perhaps ironically, “Everyone.” In other words, job applicants and employees who do not change their default privacy settings on Facebook permit the general public, including recruiters, human resources professionals, in-house employment counsel, and employment litigators to view all information posted on their profile. Because the information is readily accessible to the general public, the law imposes no restriction on these viewers, even when their interests may be adverse to those of the applicant or employee.

Facebook’s privacy settings include an option that permits a user to restrict viewing to “Only Friends,” i.e., only those people whom the user has permitted to access her profile. While some users exercise little or no discretion in accepting friend requests and have hundreds of friends, many users restrict their friends to those whom the user can trust to further disclose information posted on the user’s profile page only with permission. Employers face significant legal restrictions on access to a user’s restricted Facebook page. One of our recent blog posts highlighted an adverse jury verdict against Houston’s restaurants where two managers who were not on the friends list of a MySpace group page, nonetheless, gained access to the page and fired two of the group’s members who were Houston’s employees based on their postings.

Even if only one-quarter of the Facebook users who recently changed their privacy settings restricted access to “Only Friends,” that change would translate into approximately 44 million users. Put another way, employers may be seeing the start of a cultural shift in which social networking users become far more careful before posting information about themselves that could be lawfully accessed without their knowledge or consent and used against them in employment-related decisions.

This entry was written by Philip L. Gordon

Image credit: DaytonChildrens

Supreme Court Review of Quon May Provide Important Guidance for Private Employers

Privacy and Data Protection Practice Group — Mon, 14 Dec 2009 14:42:46 -0800

The U.S. Supreme Court agreed, today, to review the Ninth Circuit Court of Appeal’s decision in Quon v. Arch Wireless, a case with potentially important implications for private employers. As explained in prior posts, the appellate court held that the City of Ontario Police Department violated a SWAT officer’s reasonable expectation of privacy by reviewing the content of his sexually explicit text messages, even though: (1) the messages had been sent with a Department-issued pager through a service provider under contract with the Department, and (2) the Department’s formal policy informed all SWAT officers that the Department might review their text messages. In reaching that conclusion, the Ninth Circuit relied principally on a statement by the officer in charge of the text messaging program to the SWAT officer that the Department would not review his text messages if he voluntarily paid any overage charges resulting from excessive personal use.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer

New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

Privacy and Data Protection Practice Group — Mon, 14 Dec 2009 11:27:58 -0800

The New Hampshire Attorney General and the federal Center for Medicare and Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon

Defeating Liability For Employees' Off-Duty Internet Activity

Privacy and Data Protection Practice Group — Mon, 30 Nov 2009 09:55:11 -0800

Sometimes cases with disgusting facts provide good law for employers. A case recently decided by the Wisconsin Court of Appeals proved that point in reversing a $1.4 million judgment on claims for negligent training and supervision against a security company based on the off-duty Internet activities of one of its employees.

As security manager at a Polaris Industries facility, Troy Schmidt an employee of Polaris’ security provider, was responsible for creating identification badges of Polaris employees using photographs stored on a Polaris database. Schmidt copied the photographs of approximately thirty, female Polaris employees to a flash drive, printed them at home, ejaculated on them, and posted the adulterated photographs on an adult website that he created through Yahoo!.

Polaris promptly took control of the efforts to reverse the harmful effects of Schmidt’s bizarre conduct. Polaris took the following steps:

Investigated and determined that Schmidt was the likely perpetrator;
Contacted Yahoo! to request the removal of the photographs;
Met with Schmidt and obtained his admission to the conduct;
Obtained Schmidt’s agreement to de-activate the website;
Obtained confirmation from Yahoo! that Schmidt had de-activated the website;
Met with police personnel (who declined to prosecute).

After learning of the matter from Polaris, Schmidt’s employer, the security company, offered to provide assistance, participated in the interview of Schmidt, and fired him shortly after hearing his admission. Notably, the ten plaintiffs sued only the security company and not Polaris.

In reversing the large judgment against the security company, the Wisconsin Court of Appeals pronounced a rule that should provide a measure of relief for all employers: “[E]mployers have no duty to supervise employees' private conduct or to persistently scan the world wide web to ferret out potential employee misconduct.”

Beyond that pronouncement, the court emphasized several other factors. Schmidt’s conduct was “bizarre and unexpected,” indeed “unimaginable.” The security company had trained Schmidt in sexual harassment, employee theft, and his duty to comply with Polaris’ computer usage policy. The security company had no reason to know that Schmidt might engage in Internet abuse. The security company cooperated in Polaris’ response to the incident to the extent permitted by Polaris.

The court’s rejection of a duty to monitor employees’ off-duty Internet activities appears to provide employers with an unbeatable defense in cases like this one. Still, the result might have been different had Schmidt’s employer not provided training, or if Polaris and the security company had not acted promptly once the offending conduct became known. Consequently, when there is a tight nexus between an employee’s job duties and an employee’s off-duty Internet abuse, employers should consider taking some of the proactive measures that Polaris and the security company took. Such measures might not only help to defeat liability but prevent the filing of a lawsuit in the first place.

This entry was written by Philip L. Gordon.

Photo Credit: Matthew Bowden

GINA Becomes Effective November 21, 2009: Are You Ready?

Privacy and Data Protection Practice Group — Wed, 18 Nov 2009 13:33:54 -0800

The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect; (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.

The EEOC had a deadline of May 21, 2009, to issue final regulations interpreting GINA’s employment-related provisions. With the Act’s effective date less than one week away, the EEOC still had not published final regulations. Further guidance on GINA’s requirements will be provided when the EEOC issues its final regulations. In the meantime, employers will find below a number of suggestions for complying with GINA.

Have You Taken These Steps to Comply with GINA Yet?

• Train human resources personnel, managers and recruiters about compliance with GINA, especially the provisions generally prohibiting deliberate acquisition of genetic information.

• Post a new EEO nondiscrimination poster prohibiting information based on genetic information.

• Revise EEO policies to include prohibitions against discrimination based on genetic information and associated retaliation.

• Discontinue requests to applicants and employees for family medical history except in the limited circumstances permitted in connection with a wellness or disease management program. (See Littler’s recent ASAP, which explains this exception.)

• Whenever requesting an employee to have medical professionals provide documentation, such as in connection with a fitness-for-duty exam or a request for a reasonable accommodation or leave, add a statement that family medical history or other genetic information should not be provided.

• Inventory personnel records--such as FMLA certifications seeking leave for the serious illness of a family member--that contain genetic information about an employee, store those records in a confidential medical file, and strictly limit access to those with a need to know.

• Implement procedures to prevent the disclosure of genetic information in response to a subpoena or civil discovery and to permit disclosure only when specifically required to comply with a court order.

This entry was written by Ilyse Schuman and Philip Gordon.

Photo by Jonathan Lenz.

Lawyers Also Can Be Snared by Privacy Rules

Privacy and Data Protection Practice Group — Mon, 02 Nov 2009 09:19:57 -0800

Identity theft is a booming business. Each year, millions of Americans fall victim to identity theft or have their personal privacy otherwise compromised through unlawful means. Whether it comes in the form of a lost or stolen credit card, or computer hackers accessing social security numbers from employment records, financial institutions, medical records, or government agencies, the costs are staggering. Studies demonstrate that victims spend anywhere from a few hours to, in some cases, literally thousands of hours working to repair damage done by identity theft. Investigations related to identity theft often take months – or sometimes years – to resolve. Reports have estimated that hundreds of billions of dollars per year are lost by businesses worldwide due to identity theft. Individual victims sometimes lose thousands of dollars in wages resolving their cases, and can spend several hundred (sometimes thousands) of dollars in various expenses related to their case.

In an effort to combat ID theft, more than thirty states (including California, New York, Illinois, and Pennsylvania) have enacted laws restricting certain uses and disclosure of social security numbers. The federal judiciary has taken note – and is following suit. Recent revisions to the Federal Rules of Civil Procedure (FRCP) now require attorneys to redact certain personal identifying information of individuals involved in litigation when filing documents in federal court – either electronically or in traditional paper format.

Revised FRCP 5.2(a) reads:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and
(4) last four digits of the financial-account number.

Last month, the federal district court in Minnesota imposed a $5,000 fine against an attorney who violated FRCP 5.2(a) by including personal information in a court filing. The court also ordered the attorney to contact each of the 179 individuals whose private information had been improperly disclosed in the non-compliant court filing and to offer each of them, at the attorney’s expense, individualized credit reports and a year’s worth of quarterly credit monitoring services. Furthermore, the court ordered the sanctioned attorney to appear in court next year to report on the status of the credit reports. In the opinion, the court noted that it was “deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents.”

The court’s ruling should serve as a wake-up call to attorneys that they too must be careful to comply with privacy and data protection rules aimed at reducing the risk of identity theft.

This entry was written by Richard L. Sloane.

Photo credit: Kameleon007

New York Suspends Mandatory Flu Shots

Privacy and Data Protection Practice Group — Fri, 23 Oct 2009 10:43:38 -0800

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

Privacy and Data Protection Practice Group — Wed, 21 Oct 2009 13:45:03 -0800

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

On October 16, 2009, New York State Supreme Court Justice Thomas J. McNamara issued a temporary restraining order in one of the lawsuits filed in Albany, proscribing the mandatory vaccination. The New York State Commissioner of Health and the New York State Hospital Review and Planning Council plan to vigorously defend the suit and the Commissioner’s authority to mandate vaccinations. The court scheduled an October 30 hearing regarding whether the restraining order should be lifted.

The temporary restraining order prohibits enforcement of New York’s mandatory vaccination law, but does not prevent employers from voluntarily offering influenza vaccinations to their employees. In addition, the temporary restraining order does not apply to employers outside the health care sector or to health care employers outside of New York. Nonetheless, employers should be cautious before implementing a mandatory immunization requirement. The EEOC recently issued guidance suggesting that mandatory immunizations might violate the ADA in certain circumstances. We will be publishing shortly additional recommendations in light of the EEOC’s recent guidance.

This entry was written by Philip L. Gordon.

Multinationals Certified to the U.S.-E.U. Safe Harbor Agreement Beware: The Federal Trade Commission Has Bared Its Enforcement Teeth

Privacy and Data Protection Practice Group — Tue, 13 Oct 2009 10:49:05 -0800

Since its inception in the year 2000, the U.S.-E.U. Safe Harbor Agreement has attracted nearly 2,000 multinationals seeking to establish a lawful basis to transfer to the U.S. the personal data of their consumers and employees who reside in the European Union (E.U.). To obtain the benefits of the Safe Harbor, these organizations are required to (a) certify to the U.S. Department of Commerce that they have implemented the seven Safe Harbor principles, (b) post for their employees and/or customers (depending upon the type of personal data being imported from the E.U.) a Safe Harbor privacy policy that embodies those principles, and (c) implement policies and procedures to ensure that the organization processes personal data received from the E.U. in compliance with the privacy policy. The Safe Harbor certification must be updated annually.

Until just a few weeks ago, the Federal Trade Commission (FTC), which enforces the Safe Harbor, had not commenced a single enforcement action in the nine years that the Safe Harbor has been in effect. Last week, the FTC requested public comment on six separate settlements of complaints alleging that multinationals had violated the Safe Harbor by representing to the public that they were current members of the Safe Harbor even though their certification was not up-to-date. Notably, the settlements do not include any monetary penalties, but instead would enjoin the targets from future misrepresentations about their Safe Harbor status.

The lessons learned include the following:

Multinationals must take compliance with all of the Safe Harbor’s requirements seriously; there is now some enforcement risk.

The nature of the enforcement risk is uncertain. The FTC’s charges required virtually no enforcement resources. The agency had to do nothing more than compare the target’s statements in their publicly posted Safe Harbor privacy policy against the certification records maintained by the Commerce Department. These settlements do not (at least yet) reflect the agency’s intention to perform on-site audits to determine whether the multinational’s internal process for handling personal data actually conforms to the seven Safe Harbor principles embodied in the organization’s Safe Harbor privacy policy.

The next, most likely enforcement step would be the FTC’s request to review the mandatory, annual self-assessment or third-party assessment of Safe Harbor compliance. The FTC would not have to expend any resources to “look behind” the assessment to find a violation. The failure to conduct the required annual assessment itself would be a violation.

Given the above, multinationals certified to the Safe Harbor should promptly confirm that their certification is current and conduct an assessment of their compliance with the Safe Harbor if they have not performed one during the preceding year. To the extent the assessment reveals any gaps in compliance, the gaps should be closed.

This entry was written by Philip L. Gordon.

Photo Credit: S. Solberg J.

New Regulations Create Potential Privacy Risk in Corporate Transactions

Privacy and Data Protection Practice Group — Wed, 07 Oct 2009 17:43:21 -0800

Today, the Department of Labor issued regulations to enforce Title I of the Genetic Information Non-Discrimination Act of 2008 (GINA). Title I regulates self-insured group health plans and health insurance issues, among others. Title I prohibits group health plans from "collecting" any "genetic information." "Collection" means requesting, requiring or purchasing. "Genetic information" includes a family medical history. Title II of GINA, which governs employment discrimination based on genetic information, has parallel provisions but the EEOC has not yet issued regulations. The anticipated regulations, however, likely will track those issued by the Department of Labor.

One of the examples in the Title I regulations states as follows:

Issuer A acquires Issuer B. Issuer A requests Issuer B's records and tells Issuer B that it does not want to receive any genetic information and that Issuer B should remove all genetic information from the production. Issuer B gathers the requested medical records and removes all medical information but inadvertently produces some family medical histories. Issuer A does not violate GINA's prohibition on collection because its receipt of the family medical histories falls within the incidental collection exception to the general prohibition.

The Key Point: This hypothetical suggests by negative implication that acquiring companies must make a point of telling the acquired company not to provide the acquiring company with any "genetic information" when the acquired company turns over personnel records to the acquiring company. If the acquiring company fails to do so and receives any family medical histories — for example, one given in connection with a health risk assessment, the acquiring company has "collected" genetic information, apparently in violation of GINA. Notably, GINA does not include an exception for collection with the consent of the individual, so it appears that obtaining the subject employee's authorization would not defeat potential liability.

The Labor Department’s regulations go into effect on December 7, 2009.

This entry was written by Philip L. Gordon.

For further information and analysis, see "Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers" by Philip L. Gordon and Jennifer L. Mora and "Proposed Regulations Under Federal Genetic Information Nondiscrimination Act (GINA) Suggest Employer Action Now" by Margaret Hart Edwards.

The Legal Perils of Social Media & Social Networking: Questions & Answers

Privacy and Data Protection Practice Group — Mon, 05 Oct 2009 14:47:32 -0800

On September 29, 2009, Littler Mendelson presented a webinar, hosted by HR.com, entitled, “Legal Perils of Social Media & Social Networking: What Every Employer Needs to Know.” Several of the attendees submitted questions by e-mail that could not be answered during the time allotted for the webinar. The answers to those questions are below.

Question: Because of the sketchy and inconsistent nature of HR policy around this topic, it seems reasonable for employees to ask for definition from their employers regarding use of social media to avoid being surprised should there be a potential issue. Would you agree?

Response: I would agree. The intersection of social networking sites and work is so new that accepted etiquette, custom, or norms have not yet developed. Employers can address this problem by establishing a policy that provides easily understood guidelines for employees’ social media activities whether authorized by the employer or not. Training also is very important in this area. Employers need to train managers and employees on how to respond to and handle the many complicated issues raised by the intersection of work and social media activity.

Question: What if employees are using their cell phones for social networking, not utilizing company technology? And what if they are doing it on their own times: breaks and lunch?

Response: Employers can establish guidelines for employees’ off-duty social media activities even if employees are using their own cell phones, laptops, desktops, or other personal devices. As discussed in the webinar, there are several laws that might restrict an employer’s ability to take adverse action based upon an employee’s off-duty social networking activities. These laws include, for example, the National Labor Relations Act, state laws that prohibit adverse action based on an employee’s lawful off-duty activities, the First Amendment for public employers, and anti-discrimination laws.

Question: Can you expand upon the scope of First Amendment protections and the Connecticut law that you mentioned during the webinar?

Response: One common misconception is that the First Amendment protects all employees against adverse action based on their speech. In fact, the First Amendment protects only public employees. However, Connecticut has an unusual law (Conn. Gen. Stat. 31-51q) that extends First Amendment protections to private employees. A private employer violates the law by terminating a Connecticut employee on account of that employee's exercise of rights guaranteed by the First Amendment--provided such activity does not substantially or materially interfere with the employee's bona fide job performance or the working relationship between the employee and the employer.

Question: Can employees assume that because the company hasn't blocked a social site from being accessed that it must be okay for them to use it during the day?

Response: Employees might make that assumption if the employer does not have any policy addressing Internet use generally or social media use in particular, or if a general Internet policy permits incidental non-business use of the employer’s Internet access. An employer can defeat the assumption without blocking access to social media sites by specifically informing employees in a policy that use of the employer’s electronic resources to access social media sites for non-business purposes is prohibited. For the policy to eliminate an assumption like this one, management and human resources professionals need to communicate about, and consistently enforce, the policy. In this regard, HR and managers should work together to remain well versed on best practices and ongoing developments in this area.

This entry was co-written by Philip L. Gordon and Kevin P. O'Neill.

To Recommend or Not To Recommend: The LinkedIn Conundrum

Privacy and Data Protection Practice Group — Tue, 08 Sep 2009 13:54:02 -0800

Several employment lawyers recently have debated whether employers should permit their employees to “recommend” a former employee on LinkedIn. The debate began after a National Law Journal article quoted two management-side attorneys who counseled against permitting such recommendations. According to these lawyers, a positive recommendation arguably could provide evidence of pretext in a discrimination lawsuit if the former employee who is the subject of the recommendation had been terminated for poor performance. The contrarians in the debate contend that this scenario is unlikely to occur and even if it did, the LinkedIn recommendation would not be particularly persuasive evidence of pretext.

Both sides have their points, but, in my view, neither side has the answer. Experienced employment litigators know that in the “wrong case” a positive LinkedIn recommendation could result in the denial of summary judgment — or worse, an adverse jury verdict — and accompanying recriminations for not having advised the defendant to prohibit such recommendations. At the same time, implementing a policy to avoid the unusual case where a manager is willing to make positive public proclamations about a litigious poor performer denies the employer the benefit of whatever good will might result from these LinkedIn recommendations.

The answer, however, does not have to be a Manichean one. Rather, employers can choose from a range of options, depending upon corporate culture and risk tolerance. Some policy options, ranging from most to least restrictive, include the following:

Prohibit all LinkedIn recommendations;
Prohibit LinkedIn recommendations by anyone who has formally evaluated the performance of the person making the request;
Permit LinkedIn recommendations only of former employees who voluntarily left the organization;
Permit all LinkedIn recommendations by anyone of anyone but subject to the following guidelines: (a) If you have anything negative to say about the person, reject the recommendation request; (b) If you have something positive to say, be accurate, complete, and truthful; and (c) Do not exaggerate or overstate.

More options most likely will be developed over time. Employers should not be shoehorned into a one-site-fits-all solution.

This entry was written by Philip L. Gordon.

Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification

Philip Gordon — Tue, 25 Aug 2009 19:54:31 -0800

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), one small legislative portion of the massive economic stimulus bill enacted on February 17, 2009, mandates that employers and health care providers provide notice of any “breach” of “unsecured” protected health information (PHI) to affected individuals; the U.S. Department of Health and Human Services (HHS); and, in certain circumstances, “prominent media outlets.” The quoted terms and many others in the HITECH Act are either undefined or raise a multitude of unanswered questions. HHS has recently published interim final regulations and accompanying commentary that clarifies many of the Act’s ambiguities.

For an in-depth discussion and guidance on this development, see Littler ASAP, Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification, by Philip L. Gordon.

Massachusetts Agency Revises Information Security Regulations -- Yet Again

Philip Gordon — Wed, 19 Aug 2009 09:52:10 -0800

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.

Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreement entered after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.

Break For Small Businesses: The prior regulations applied equally to businesses of all seizes. The revised regulations are scalable. In other words, the “appropriate” administrative, technical and physical safeguards may vary depending on (a) “the size, type and scope of business” involved; (b) the business’ available resources; (c) “the amount of stored data”; and (d) “the need for security and confidentiality of both consumer and employee information.”

Elimination Of Several Onerous Requirements: OCABR has completely deleted requirements that data owners (a) collect only the minimum necessary personal information, (b) retain such information for only as long as is necessary to achieve the purpose for which the information was collected, (c) restrict access to personal information to those with a need to know, and (d) identify all locations and devices where personal information is stored. These requirements were among the most burdensome in the regulations as previously drafted.

Less Prescription: The revised regulations eliminate several provisions which specified how certain safeguards should be accomplished. First, the requirement to provide physical safeguards previously mandated “a written procedure that sets forth the manner in which access to . . . records [containing personal information] is restricted.” The revised regulations merely require “[r]easonable restrictions upon physical access to records containing personal information. Second, the previous regulations required that data owners restrict terminated employees’ access to personal information “by immediately terminating their physical access and electronic access to such records, including deactivating their passwords and user names,” whereas the revised regulations eliminates the quoted language. Third, rather than requiring a “comprehensive, written information security program,” the revised regulations now require a comprehensive information security program “that is written in one or more readily accessible parts.” Finally, the definition of “encryption” no longer requires “the use of an algorithmic process” so long as the process results in “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”

California Supreme Court's Ruling that Hidden Video Surveillance Did Not Violate Employees' Privacy Rights Provides Useful Guidance for Conducting Lawful Investigations

Philip Gordon — Wed, 05 Aug 2009 16:49:27 -0800

On Monday, the California Supreme Court reversed the lower court decision in Hernandez v. Hillsides, a closely watched case involving video surveillance of employees. The court held that the defendant, Hillsides, Inc., a residential facility for neglected and abused children, did not violate two employees’ privacy by surreptitiously installing a concealed video camera in their shared office. Hillsides determined that one of the computers in the office had been used late at night to view pornography, and installed the camera in the hopes of catching the perpetrator.

The court’s opinion is particularly instructive for employers who are considering similar tactics to uncover workplace misconduct. To begin with, the court found that both employees had a reasonable expectation of privacy in their office even though (a) the office was shared, (b) several co-workers and supervisors had a key to the office, and (c) a “doggy door” at the bottom of the office door had no flap to prevent peeking into the office. The court relied on the facts that the office was not accessible to the general public; the employees could pull down the blinds to obscure public view through the office’s windows; the employees could lock the office door; and when the blinds were down and the door was locked, the employees would change clothes in the office and otherwise act as though the office were a private place. These circumstances prevail in many office settings. Consequently, employers, especially those in California, need to carefully consider whether a particular office setting is “private” before installing surveillance equipment there.

Notably, despite its finding concerning the private nature of the office, the court held that the employees had no claim because the employer did not act in a manner that would be considered “highly offensive to a reasonable person,” the second essential element of a privacy claim. The court based that conclusion on the following key findings:

• Hillsides had a legitimate business reason for installing the video camera;
• the camera was activated only at night, when the perpetrator might be present;
• the surveillance was directed only at the computer that had been used for unauthorized viewing of pornography;
• the surveillance was disclosed only to four individuals; and
• the video equipment was locked in a storage closet with limited access.

In sum, even when employers do need to intrude upon an employee’s privacy to conduct an investigation, they will not be subject to liability as long as the investigation is legitimate, narrowly tailored and tightly controlled.

For further discussion of this decision, see Littler ASAP California Supreme Court Provides Useful Guidance for Employers Engaging in Video Surveillance and Other Workplace Searches by Philip L. Gordon and Gregory G. Iskander.

Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009

Philip Gordon — Fri, 31 Jul 2009 09:35:40 -0800

On July 23, 2009, Littler Mendelson hosted a webinar, entitled “Meeting the Compliance Challenges of a Reinvigorated HIPAA and the Genetic Information Non-Discrimination Act of 2009.” Participants asked several questions to which we could not respond because of time. Below are the questions and the answers:

Q: Could you give a real life example of how an employer might experience an internal HIPAA violation?

A: We explained during the webinar that not all employee health information is protected by HIPAA. In fact, the universe of employee health information which HIPAA protects is relatively small. Protected health information (PHI) is limited to individually identifiable health information created or received by, or on behalf of, a group health, dental, or vision plan; health care reimbursement flexible spending account; employee assistance program; long-term care plan; or pharmacy benefits plan. HIPAA would be violated when, for example, a benefits administrator notices that an employee has submitted claims to an employer’s health plan for services related to an abortion, AIDS, or cancer and gossips with the employee’s manager about the employee’s condition.

Q: Do the HIPAA security breach requirements that you discussed during the webinar apply to employers who have fully insured plans or only to employers who have self-insured plans?

A: Most employers with fully insured plans receive only summary health information and enrollment and disenrollment information from the health insurer. This information is considered protected health information (PHI); however, given the very small amount of PHI that an employer with a fully insured plan receives, the likelihood of a breach involving that information is low. Also, because the insurance company that provides the health insurance is not acting as the employer’s agent, the insurance company, not the employer, would be required to provide the notice for a breach of PHI maintained by the insurer. Fully insured employers should keep in mind that if they do offer a health care reimbursement flexible spending account, they are likely to have a significant amount of PHI on-site, and if a third-party administrator suffers a breach, the employer would be ultimately responsible for ensuring that the plan participants are notified.

Q: How do the HIPAA regulations define the term “business associate,” and what are the requirements for the employer or health care provider if a business associate experiences a security breach?

A: A business associate is a vendor who provides services for a health plan or health care provider using PHI. Some examples of business associates include billing services, debt collection agencies, third-party administrators, insurance brokers, pharmacy benefits managers, accountants, attorneys, and auditors. An employer or health care provider can disclose PHI to a business associate without the subject’s prior authorization but only if there is a written agreement (known as a “business associate agreement”) in place with the business associate. The business associate agreement is required to include at a minimum certain provisions listed in the HIPAA regulations that are intended to protect the confidentiality of PHI and ensure that individuals can exercise their HIPAA-mandated rights with respect to their PHI.

If a business associate experiences a breach, the business associate is required to notify the employer/health plan or the health care provider and identify the plan participants or patients whose PHI has been compromised. Employers and health care providers should consider supplementing this statutory notice requirement through contractual provisions in the business associate agreement that require the business associate to provide additional information about the breach, such as the date it occurred, the date it was discovered, what happened, what steps the business associate took to end the breach, and what steps the business associate will take to prevent a recurrence.

Q: Should we have a business associate agreement with the company that we use to shred protected health information (PHI)? Also, our payroll provider houses information on contributions for our healthcare reimbursement flexible spending account. Should we have a business associate agreement with them?

A: Your organization should have a business associate agreement with that shredding company. Information on contributions to a health care reimbursement flexible spending account is PHI, so your organization also should have a business associate agreement with the payroll provider.

Q: Is de-identified protected health information (PHI) subject to the breach notification requirements?

A: No. Once PHI has been de-identified, the information no longer is protected by HIPAA. As a result, a security breach involving de-identified PHI does not trigger a breach notification obligation. You should note, however, that HIPAA establishes a very high standard for de-identification. The regulations require the removal of all identifiers — including, for example, residential address, telephone number, e-mail address, Social Security number, driver’s license number, health insurance number, and medical records number — not only of the employee or patient but also of the employer and family members.

Q: Does the Genetic Information Non-Discrimination Act of 2009 (GINA) to permit the collection of family medical history for a health risk assessment that is part of an employee wellness program?

A: As we discussed during the webinar, family medical history is “genetic information” subject to GINA. Under GINA, an employer generally is prohibited from deliberately acquiring genetic information, including family medical history. However, GINA does have an exception that permits the collection of genetic information for an employer-provided wellness program. The following requirements must be met for this exception to apply: (a) the employee provides prior, knowing, voluntary, written authorization; (b) only the employee and the license health care professional or certified genetic counselor receives the results of the health risk assessment; (c) the results of the health risk assessment are used only for purposes of the wellness program; and (d) the results are not provided to the employer.

This entry was written by Philip L. Gordon.

DOT Regulation on Observed Return-to-Work and Follow-Up Drug Testing Goes into Effect August 31, 2009

Privacy and Data Protection Practice Group — Wed, 29 Jul 2009 11:32:37 -0800

After a lengthy public comment period and legal challenges, a U.S. Department of Transportation (DOT) drug testing regulation requiring employees of aviation, railroad, motor carrier, mass transit, pipeline and maritime industries who previously failed a drug test to partially disrobe and be directly observed during return-to-work and follow-up tests will go into effect August 31, 2009. Until then, observed collections are required only if a donor is suspected of attempting to adulterate or tamper with a test sample.

The requirement sat in limbo after the U.S. Court of Appeals for the D.C. Circuit, stayed enforcement in November 2008 pending a legal challenge. However, as previously discussed, in May 2009 the court held the regulations valid and lifted the stay on July 1, 2009.

Accordingly, the DOT has announced starting August 31, 2009, employees subject to DOT return-to-work and follow-up testing must be directly observed when providing a urine sample. Additionally, before the collection begins, shirts must be raised above the waist and clothing lowered to expose genitals in order to allow the observer to verify the absence of any cheating devices.

This entry was written by Nancy N. Delogu.