Workplace Privacy, Data Management & Security Report

Whitepaper On Social Media Use By Employees

Joseph Lazzarotti — Fri, 05 Mar 2010 05:02:41 -0800

Whether it be Facebook, MySpace, LinkedIn, Twitter, YouTube or the company blog, employee presence in social media is way, way up, creating risks for employers that are proving difficult to manage without careful planning and appropriate policies.

These risks can take many forms - FTC endorsement issues, inadvertent sharing of confidential company or personal information, harassment claims, blog posts harmful to the company's reputation - to name a few. The damage can be done whether the employee is posting at home or during working hours.

This white paper (pdf), which takes into account some of our prior posts, is intended to help employers get a better handle on these issues, particulalry in three area: (1) employees’ misuse of social media; (2) monitoring and regulating employees’ social media use; and (3) basing hiring decisions on information obtained from social media.

Another Hospital Burned for Disclosing Medical Records - State Law Protections Prevail Over HIPAA

V. John Ella — Sun, 28 Feb 2010 13:43:27 -0800

In another example of a medical provider facing potential civil liability for providing medical records in response to a subpoena, a federal court in the Northern District of Ohio denied summary judgment for the Cleveland Clinic and other defendants in Turk v. Oiler, No. 09-CV-381 (N. D. Ohio Feb 1, 2010. We previously discussed the decision in Kim v. St. Elizabeth's Hosp. in which a court allowed similar claims to proceed under an Illinois law protecting mental health records. In Turk, the claims were based in part on the Ohio physician-patient privilege codified at Ohio Rev. Code Section 2317.02.

Plaintiff James Turk was a private investigator accused of possessing a weapon while under a disability in violation of Ohio law. The Cleveland Clinic received a grand jury subpoena from the Cuyahoga County Court of Common Pleas seeking Turk's medical records. The clinic complied with the subpoena and produced the records. Turk and his wife later brought suit against the clinic claiming damages for invasion of privacy, negligent disclosure of medical records, and violation of the First Amendment.

The clinic moved for summary judgment, arguing that it was required to respond to a grand jury subpoena and that Section 2317.02 was preempted by the Health Insurance Portability and Accountability Act ("HIPAA"). The federal district court denied the motion and allowed the claims to proceed, reasoning that Ohio law was not preempted by HIPAA where it provided greater protections than the federal law. The case stands for the proposition that compliance with HIPAA by itself is not enough and reinforces yet again the caution which health care providers must exercise when responding to subpoenas or other requests for medical records without a proper release.

HHS Posts On Its Website Covered Entities Reporting HIPAA Data Breaches

Joseph Lazzarotti — Mon, 22 Feb 2010 18:07:31 -0800

On February 22, 2010, the Office of Civil Rights (OCR) posted on its website its first list of covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. OCR acknowledged the HITECH Act requires HHS to make this information public by posting it on an HHS website.

The breach notification rule became effective on September 23, 2009. In short, as we reported previously, the rule requires covered entities to provide notification of breaches of unsecured protected health information directly to the Secretary of HHS, as well as to the affected individuals. Breaches that affect 500 or more individuals must be reported to HHS within 60 days, and covered entities must provide this notification via the online form on the OCR website.

Of course, covered entities need to be aware that breaches reported to HHS will be made public on its site. Some states, such as Maryland and New Hampshire, have had a similar policy in effect for some time for breaches of personal information affecting residents of their states.

Supervisors Do Not Have Unrestricted Access to Employee E-mails

Joseph Lazzarotti — Tue, 16 Feb 2010 08:26:07 -0800

Contributed by Lillian Chaves Moon

Based partially upon an interpretation of Florida law, in Global Policy Partners, LLC, et al. v. Yessin, 2009 U.S. Dist. LEXIS 112472 (Nov. 24, 2009), a Virginia district court has ruled that an LLC’s partner does not always have the authority to access a partner’s e-mails simply by virtue of his status in the company.

Katherine and Brent Yessin, husband and wife and business partners, were feuding as part of a messy divorce and business dissolution. Mrs. Yessin, on behalf of herself and the Florida business, brought suit against Mr. Yessin for his alleged illegal access of her personal e-mails, including those containing attorney-client communications in her divorce case, stored on the company’s server in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030(a), and other federal and state statutes. In a motion to dismiss his wife’s complaint, Mr. Yessin argued that under Florida law, as a manager/partner in his business, he had the authority to access all e-mails stored on the business’s computer server regardless of his reason for doing so. The court disagreed.

The court found that even assuming Florida law authorized managers to access e-mail information stored on a company’s computer system, authorization is limited to carrying out the company’s business. Likewise, under the CFAA, authorization to access a computer system may not simply be based on a person’s status within the organization, but whether the person is accessing information in accordance with the “expected norms or intended use” of the computer network. Because the scope of Mr. Yessin’s authority to access his wife’s e-mails depended upon a detailed factual inquiry into his purposes for doing so, Mr. Yessin’s motion to dismiss the CFAA counts of the complaint was denied and Mrs. Yessin was allowed to proceed in her action.

Caution for employers: This decision has implications for employers in how and why managers may access employee e-mails. While an employer generally has the right to review stored e-mails on the employer’s system, regardless of whether the e-mails are an employee’s personal or business communications, the employer or employer’s agent must have a legitimate business purpose for such review, not a nefarious reason. Note, however, that, some courts have limited an employer’s ability to review an employee’s e-mails in other situations, such as when the e-mail is subject to the attorney-client privilege. Employers’ policies and procedures for accessing employee e-mails should be periodically reviewed and revised, where necessary, to ensure that the individuals who access lawfully stored e-mails not only have the appropriate status within the company, but also are doing so for legitimate business purposes.

"Cyber-Insurance" - Pushing Businesses to Protect Against the Next Data Breach?

Joseph Lazzarotti — Sat, 13 Feb 2010 12:22:47 -0800

It’s been around for a while, but could new products in the “cyber-insurance” market help companies focus on this emerging threat known as “information risk”?

The National Journal reports that for many companies online security is not a priority. Tom Risen’s article cites to a Verizon study conducted between 2004 and 2008 (pdf) that determined

75 percent of breaches were not discovered by the victimized organization, and that 87 percent could have been prevented with reasonable online protection.

Mr. Risen reports that historically cyber-insurance covered “hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” However, with the explosion of data breaches over the last 10 years or so, new, broader policies have emerged, covering costs related to responding to a data breach, such as sending notices, providing credit monitoring services, engaging legal counsel, employing a call center, and defense of claims by affected individuals and federal and state officials. Some companies in this space include Beazley, Chartis, Travelers, Chubb and others.

It may be, as Robert Parisi of Marsh suggested to Mr. Risen, that federal legislation might encourage more awareness of these issues, something we raised as well. Certainly, we are beginning to see greater attention to these issues as businesses are beginning to focus on the Massachusetts data security/identity theft regulations, which become effective March 1, 2010.

Whatever the driving force, businesses need to drill down on their data security needs and address their information risk. Preventive measures – in the form of a written information security program – are certainly necessary and appropriate. But it may not be enough. As anyone who drives knows, for example, it is not enough to drive carefully and wear a seat belt. Insurance can play a critical role in addressing risks that even the best safeguards can’t. For this reason, cyber-insurance should be considered as a part of any business’ comprehensive approach to information risk.

ADA Confidentiality: Drug Test Results May Not Be Used Against Applicant at Pre-Offer Stage

Joseph Lazzarotti — Fri, 12 Feb 2010 12:16:34 -0800

Contributed by Kathryn J. Russo.

A recent case emphasizes that employers must ensure they do not make improper medical inquiries related to pre-employment drug test results at the pre-offer stage. John Harrison v. Benchmark Electronics, Inc., No. 08-16656, 2010 App. LEXIS 632 (11th Cir. Jan. 11, 2010). Some valuable lessons for employers are discussed below.

The Eleventh Circuit Court of Appeals permitted an applicant who was not hired after testing positive for drugs used to control his epilepsy to proceed with his lawsuit asserting claims under the Americans with Disabilities Act because there were factual issues whether the employer made an improper medical inquiry and denied employment on that basis.

The Facts. John Harrison worked for Benchmark Elecs. Huntsville Inc. (“BEHI”) through a temporary employment agency and was encouraged by his supervisor to apply for permanent employment with BEHI. Soon after submitting to a pre-employment drug test, required for permanent employment at BEHI, the Human Resources Department learned Harrison’s results were positive and was awaiting review by a Medical Review Officer (“MRO”). (A Medical Review Officer is a licensed physician with expertise in analyzing drug test results, who receives and reviews drug test results on an employer’s behalf.)

Harrison’s supervisor informed Harrison that he had tested positive for barbiturates. The supervisor then called the MRO and passed the telephone to Harrison, remaining in the room the entire time Harrison spoke with the MRO. Harrison explained to the MRO that he had epilepsy since he was two years old, that he took barbiturates to control it, and stated the amount of his dosage. Based on this information, the MRO verified Harrison’s drug test as negative.

When Human Resources prepared to hire Harrison, his supervisor instructed Human Resources not to prepare the offer letter. The supervisor also instructed the temporary agency not to return Harrison to BEHI because Harrison had performance issues and an attitude problem, and because Harrison had made threats. Harrison subsequently was informed that he would not be returning to BEHI and was fired by the temporary agency.

Harrison filed suit in federal court, alleging that BEHI engaged in an improper medical inquiry in violation of the Americans with Disabilities Act ("ADA"), and that he was not hired due to a perceived disability, among other claims. The District Court dismissed the suit because Harrison had tested positive for barbiturates, which then authorized BEHI to inquire whether Harrison had a legitimate use for the medication. Harrison appealed.

Ruling. The Eleventh Circuit Court of Appeals reversed, allowing Harrison to proceed with his suit. It held that Harrison’s complaint sufficiently alleged an improper medical inquiry claim in violation of the ADA. His complaint alleged that following the pre-employment drug test, BEHI questioned him about his seizures, and he claimed damages for these allegedly prohibited medical inquiries.

Significantly, the Eleventh Circuit disagreed with the District Court’s conclusion that BEHI’s inquiries were permissible because Harrison tested positive on his drug test. The Court stated:

“While the district court correctly concluded that employers may conduct follow-up questioning in response to a positive drug test, it failed to acknowledge any limits on this type of questioning.”

The Court stressed that while it is generally permissible for employers to make inquiries following a positive pre-employment drug test, those inquiries must be lawful, e.g., “what medications have you taken that might have resulted in this positive test result? Are you taking this medication under a lawful prescription?”

The ADA’s regulations, (see 29 C.F.R. §1630.13), coupled with the EEOC’s Enforcement Guidance, ADA Enforcement Guidance: Preemployment Disability-Related Questions and Medical Examinations (EEOC Notice 915-002) (Oct. 10, 1995) (pdf) make it clear that disability-related questions still are prohibited at the pre-offer stage:

employers should know that many questions about current or prior lawful drug use are likely to elicit information about a disability, and are therefore impermissible at the pre-offer stage.

The Court stated that if Harrison’s version of the facts was believed, a jury could find that the supervisor’s presence during the phone call to the MRO constituted an impermissible attempt to elicit information about a disability in violation of the ADA’s prohibition against pre-employment medical inquiries.

Lessons for Employers:

Conduct pre-employment drug testing after a conditional offer of employment has been extended. In this case, the drug test was conducted before the offer letter was sent to Harrison, making the employer’s inquiries impermissible. Some state laws require that pre-employment drug testing be conducted only after a conditional offer of employment has been extended. Employers should review their pre-employment drug testing policies to ensure that testing occurs after the conditional offer of employment.
Drug test results should not be reported to the employer until after the MRO has reviewed and verified the result. Employers should act only on drug test results that have been reviewed and verified by the MRO. (Some state laws require MRO review of drug test results.) One of the purposes of MRO review is to ensure that the employer does not take action on a positive test result that might be explained by a legitimate medical reason, as was the case with Harrison. Employers generally lack the medical expertise to make accurate conclusions about an employee’s explanation concerning his drug test result. The MRO is the only person who should discuss possible medical explanations for positive test results with applicants and employees because: (1) the MRO will keep the information provided by the applicant or employee confidential; and (2) the MRO has the medical expertise to make an appropriate conclusion about the applicant’s or employee’s potentially legitimate use of medications that may affect a drug test result. The employer’s non-participation in the MRO review process actually protects the employer from making erroneous decisions that could lead to discrimination claims, or from acquiring unnecessary knowledge of medical facts that could be the basis of later, unrelated discrimination claims.
Do not engage in discussions with applicants or employees over reasons for positive (or potentially positive) drug test results. As stated above, all discussions concerning applicants’ or employees’ use of legal medications – and their effect on drug test results – should be directed to the MRO, not to the employer. Employers should review their drug and alcohol testing policies to ensure that applicants and employees are advised to discuss their use of legal medications only with the MRO, not with the employer.

Complimentary Webinar - Massachusetts Data Security Regulations: A Plan for Compliance

Joseph Lazzarotti — Mon, 08 Feb 2010 10:22:20 -0800

Beginning March 1, 2010, businesses will be required to safeguard from identity theft and other dangers personal information about Massachusetts residents under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay state.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

the emergence of data security mandates across the country,
the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
best practices when creating a WISP.

We hope you enjoy the webinar.

Best Buy Counsel Speaks on Data Privacy

V. John Ella — Fri, 05 Feb 2010 14:37:58 -0800

On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:

1. Work/Life Balance. Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”

2. Smart Phones Part 1. Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.

3. Smart Phones Part 2. Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.

4. Texting Issues. While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008), The case is now under review by the United States Supreme Court.

5. TMI = Too much information. An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.

6. Social Networking. Much has been made of social networking, he says, but this is not different in kind from past employee disclosure concerns, only in degree. Most policies on employee's social networking tend to be recitations of or references to standard confidentiality, acceptable use, and other policies. He suggests guidelines like:

a. Disclose your affiliation with your employer.

b. State that it’s your opinion, not the employer’s.

c. Protect yourself – be careful of disclosing personal information on line.

d. Act responsibly end ethically.

e. Respect diversity and honor policies against discrimination.

7. Monitoring Electronic Communications. Bolin says the “old news” is having an electronic communications policy addressing employee expectations of privacy when using company email. The “new news” is that companies have to have a governance policy in place regarding how the company may and will use such information, and it needs to follow it. Tools to gather emails and other electronic information today are immensely powerful, and very easy to use. The temptation will be great to pursue investigations without adequate cause, or without sufficient protective boundaries in place. Bolin cited the Hewlett Packard pretexting scandal of 2006.

8. HITECH Act (HIPAA Redux). HIPAA is still HIPAA, Bolin says, but HITECH ups the ante by requiring breach notification to government and affected consumers of Protected Health Information (‘PHI”), and placing enforcement powers in the hands of the states attorneys general. Covered entities must promptly notify affected individuals, Health and Human Services (“HHS”) and the media in cases where a breach affects more than 500 individuals, and report ALL breaches on an annual basis. Bolin noted that the “hysteria” that has arisen around recent credit card breach notifications could well develop around PHI breach notifications.

9. Employee Privacy in Europe. Privacy is fundamental human right in the European Union and, unlike in United States, can't be waived, Bolin emphasized. If a company wishes to transmit data concerning EU employees to the U.S., he noted, “you'll be required to bring your game up” and enact policies to take advantage of the safe harbor provision.

I think he gives us all some good points to consider.

e-Discovery Traps (and Significant Sanctions) for the Unwary

Joseph Lazzarotti — Thu, 04 Feb 2010 11:58:25 -0800

Effectively managing company data means more than HIPAA compliance and avoiding data breaches. As two of my colleagues Brett Anders and Cliff Atlas would tell us, failing to preserve electronic evidence can jeopardize a company’s litigation strategy. Their recent article discusses a new decision that illustrates the kind of sanctions litigants could suffer even where the failure to preserve appropriate information was not the result of an intentional act, but was merely negligence.

The Hon. Shira Scheindlin, whose decisions have been perhaps the most influential in the area of e-discovery, wrote the decision in Pension Committee of the Univ. of Montreal Pension Plan v. Banc of America Securities, LLC, No. 05 Civ. 9016 (S.D.N.Y. Jan. 15, 2010) (pdf). The plaintiffs in the case failed to issue litigation hold notices until 2007, even though the litigation commenced in February 2004. The sanctions were significant:

attorney’s fees and costs incurred by the defendants in bringing their motion,
costs of discovery relating to uncovering the facts of the wrongdoing, and
a jury instruction highlighting certain of the plaintiffs’ gross negligence in complying with discovery and explaining how the jury can conclude that an adverse inference should be drawn against those plaintiffs.

So, not only was there a direct monetary sanction, but the court made it more difficult for the plaintiffs to win their case. Brett and Cliff provide the following tips for managing e-discovery obligations, which they expand upon in their article:

For plaintiffs, anticipate litigation well before the case is filed and take appropriate steps then to preserve the appropriate information.
Cast a wide preservation net so that you collect records from all employees, even those with only a passing encounter with the issues in the litigation.
Back up tapes can be critical when “they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources.”
Make sure those preserving the data understand what they need to do and are appropriately supervised.
Maintain a litigation hold policy and plan ahead!

Dealing with Data Breaches: Health Net Suit Highlights Need for Effective Security Incident Procedures and Training

Jason C. Gavejian — Tue, 02 Feb 2010 15:04:29 -0800

As we have discussed before, data breach notification is one of the most rapidly emerging areas of law. Good security incident procedures as well as effective training can help avoid the risk of data breach. (Sample data breach training).

A case in point: Connecticut's Attorney General has filed a civil action against Health Net of the Northeast Inc. (“Health Net”) for failing to secure approximately 446,000 individuals’ patient information on a missing portable computer disk drive, and for failing to provide prompt notice of the breach. Among other things, the suit alleges Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, when it failed to provide prompt notice, failed to encrypt the data, failed to provide for and implement appropriate policies to safeguard the information, and failed to supervise and train its workforce on safeguarding protected health information and personal information.

As this suit demonstrates, state Attorneys General will use the authority granted by HITECH to enforce the privacy and security protections of HIPAA for protected health information, as many breaches involving such information may not be covered by state data breach laws. Such enforcement will only add to the cost of a data breach, which, according to the 2009 Ponemon Institute Annual Cost of a Data Breach study, continues to rise.

While a company’s first line of defense always should be a comprehensive data security policy, preparation should include an effective security incident procedure. Several key questions, some of which will form the foundation for any good security incident procedure, must be answered immediately following a breach:

How did the breach occur?
Are measures in place to contain the breach?
What information was compromised?
Whose information was compromised?
Will the local authorities be alerted?
What potential breach notice laws are implicated?
Does notice of the breach have to be provided?
If so, to whom and how will notice be provided?
Does the company have applicable insurance to cover the notification process?
Will any monitoring service be provided for affected individuals?
Are measures in place for public relations implications?

However, a security incident procedure is only as strong as the awareness you create among your employees as to what constitutes a data breach and who to notify in the event of a possible breach. Therefore, in addition to an effective security incident procedure, it is essential that training, like the sample above, be provided to employees on a regular basis.

Happy Data Privacy Day!

Joseph Lazzarotti — Thu, 28 Jan 2010 05:49:16 -0800

While most are not taking the day off, January 28 is recognized internationally as Data Privacy Day - a day for people to become more aware of and promote data privacy related issues.

Many organizations support these initiatives and some have created and contributed to a website to promote this day and data privacy and security generally. This website provides a wealth of information and resources related to data privacy in all facets of our lives.

Of course, our focus is on employers and we encourage all employers to use this day as an opportunity to focus on this emerging issue and create awareness in their organizations.

Data Security, Destruction and Encryption Leads the Way for States in 2010

Jason C. Gavejian — Tue, 26 Jan 2010 13:08:05 -0800

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind.

The Florida and Michigan laws would amend personal data destruction rules for companies.
The New York law would mandate data security and encryption measures.
The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures.
The Kansas law would require state agencies to engage in periodic network security reviews.
The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business.

While we have highlighted the main points of each of the proposed laws, a more detailed analysis of the laws put forth in Michigan, Florida, and New York is set forth below.

Michigan

The new Michigan data destruction bill would ease existing personal data disposal requirements outlined in the state's Identity Theft Protection Act mandating that companies and agencies removing information from a database destroy only “unencrypted, unredacted personal information” and only such personal information related to state residents.

Another bill would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement and identity theft mitigation programs similar to those required under the federal Fair and Accurate Credit Reporting Act Red Flags Rule. Companies that have complied with the federal Red Flags Rule would be exempt from the state law.

Michigan is also considering various other measures which would establish an Identity Theft Commission; make technical changes to the law; add misleading a law enforcement or court official about one's identity to the list of violations of the law; and authorize the state attorney general to seek civil fines of up to $10,000 per incident for identity thieves.

Michigan is also considering a bill which would make businesses and agencies that adopt comprehensive data security safeguards to protect personal data in any form immune from civil liability for damages due to data breaches. The proposed law would provide breach liability immunity in an effort to encourage entities to adopt such safeguards.

Florida

Florida has introduced bills (S.B. 586 and H.B. 279) which would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology to make all personal data disposed of by companies and agencies inaccessible. In addition, state agencies would also be required to submit samples of allegedly sanitized storage media to an independent third party vendor to verify the destruction of the personal data.

New York

A New York data security bill would establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the state's data breach notice law. The bill, would also require businesses and state agencies to: Implement and maintain reasonable security safeguards, appropriate to the nature of the information, to prevent unauthorized access to or unauthorized destruction, use, modification, or disclosure of the private information.

Unlike the data security regulations issued under Massachusetts breach notification law, the N.Y. bill does not authorize the promulgation of rules, but rather sets out the encryption standard in the text of the proposed law.The bill would also mandate notification of certain breaches to the state attorney general. Another New York bill would provide tax breaks for businesses that invest in data security.

Haiti Charity Fraud - FBI Guidelines To Donate With Care

Joseph Lazzarotti — Sun, 17 Jan 2010 06:15:24 -0800

We all are deeply saddened by the tragic situation in Haiti. Many are motivated to help in any way they can, which usually means donating to charities that are able to more effectively bring relief to the suffering. At the same time, many see this as an opportunity to commit identity theft.

CBS News and TBG Fraud Solutions remind us to be aware of charity fraud and donate carefully.

In connection with the earthquake with in Haiti, the FBI suggests the following steps to avoid charity fraud:

Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.
Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.

Health Care Employees Fired For Improperly Accessing Patient's Electronic Health Records

Nick Beermann — Fri, 08 Jan 2010 14:46:44 -0800

As reported by the December 23 Rochester, Minnesota Post Bulletin, the Mayo Clinic has terminated two medical professionals, a physician and another staff member, after determining that they had inappropriately accessed a patient’s confidential electronic health records (EHRs).

The access highlights what should be a growing concern for health care industry employers: the increased availability EHRs provide about patients’ private information that is otherwise protected by HIPAA. As reported in the Bulletin, according to the President of the Minnesota-based Citizens’ Council on Health Care, “the development of the electronic medical record has allowed all sorts of people to have access” that they would not have had before the advent of EHRs.

As previously reported here, the risks of data breaches and misuses of personal information rise significantly when the information is in electronic format. The trend toward putting more information in electronic format will only continue given the significant cost savings through technological advancements and, for health information, federal subsidies for the adoption of EHRs. Despite protections mandated by law, the portability and availability of EHRs nevertheless facilitate the improper viewing or misuse patients’ protected health information.

The Mayo Clinic terminations come on the heels of a string of employee terminations in 2008 by the UCLA Medical Center, which, through investigations dating back to 2004, found that at least 127 employees had improperly accessed the medical records of celebrities. One employee was even indicted in 2009 after she was found to have purposefully removed the social security numbers of celebrity patients and recorded actor Farah Fawcett’s medical records. Farah Fawcett subsequently sued her.

While most medical providers are well-aware of HIPAA’s requirements, the interest in all things celebrity may be too much for some to resist. We expect that the American Recovery and Reinvestment Act of 2009 (ARRA) [pdf] may only increase the risk of privacy breaches for it provides incentives to health care-related businesses to develop even more extensive uses of electronic health records. However, even famous celebrities have privacy rights under HIPAA, and health care employers should revisit their policies, procedures and training in the area of maintaining patient privacy and more closely monitor the use of electronic medical records.

FTC Endorsement Rules Provide For Employer Liability for Employees' Online Conduct

Jason C. Gavejian — Wed, 06 Jan 2010 15:46:41 -0800

According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer.

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities.

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services.

FTC Investigates Cloud Computing

Joseph Lazzarotti — Tue, 05 Jan 2010 11:15:45 -0800

Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.

As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.

Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.

Addressing Information Risk in 2010

Joseph Lazzarotti — Fri, 01 Jan 2010 06:41:12 -0800

Like individuals, businesses have resolutions/goals for 2010, perhaps even this new decade. As information risk, such as HIPAA or the occurrence of a data breach, continues threaten companies and put individuals’ personal identities, finances and medical information in jeopardy, addressing this issue in the coming years is a worthy resolution for any business. With this January 28, 2010, being the second National Data Privacy Day, January is as good a time as any to begin thinking about your organization’s information risk. The following list, which is by no means exhaustive, provides ten critical areas businesses will need to consider when addressing this issue.

Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists.
Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Connecticut and others, a WISP in one form or another is required.
Vendors/Business Partners. Businesses addressing their information risk cannot stop at their information systems, buildings, and employees. Very often, vendors of the business maintain significant amounts of sensitive company and personal information of that business. This list of vendors can be long and include service providers such as: employee benefits consultants/administrators/brokers, accountants, lawyers, record storage/destructions companies, office cleaning services, professional employer organizations, payroll companies, cloud computing or other information service providers, and so on. Businesses that turn over sensitive information to a vendor need to take steps to ensure the vendor has implemented appropriate safeguards to protect the information. If this information is personal information, a number of states mandate contract provisions requiring the vendor to safeguard the information.
HIPAA. The recent changes by the HITECH Act, under the American Recovery and Reinvestment Act of 2009, will drive increased focus on HIPAA in 2010, particularly for business associates which for the first time become directly subject to many of the same privacy and security requirements as covered entities. The addition of a HIPAA breach notification requirement, effective September 23, 2009, and the growth of electronic health records, already are driving covered entities to amend their business associate agreements. Plan sponsors, health care providers and business associates all need to refocus their attention on HIPAA in 2010.
Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s plan for safeguarding information.
Identify “Red Flags”. Identifying “red flags” is the next step after implementing a WISP, beyond safeguarding sensitive information. The concept of “red flags” is to have policies and procedures designed to detect, prevent, and mitigate instances of identity theft – that is, with safeguards already in place, businesses need to be able to identify circumstances (“red flags”) which indicate incidents of identity theft could be occurring, and then take steps to prevent the identity theft or mitigate its effects. After a number of extensions, on June 1, 2010, the Federal Trade Commission will begin enforcing its “red flag” regulations that apply to financial institutions and creditors.
Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security, training deserves special mention if only to remind businesses to remind employees how powerful the small devices are that they carry around.
Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights.
Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision whether to adopt the technology. For example, cloud computing is fast becoming a popular tool used by businesses to enhance their computing capabilities, at substantially reduced costs in some cases, but it raises a number of issues concerning information risk.
Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. It seems to be only a matter of time before U.S. companies are subject to a national law requiring the protection of personal information. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

Public Employers Wrestle With Data Breaches

V. John Ella — Thu, 31 Dec 2009 10:15:48 -0800

The State of Minnesota has been smacked with a number of privacy-related district court lawsuits recently.

The most recent dispute arose after the state of Minnesota hired a Texas-based company, Lookout Services to perform E-Verify services for state employees as part of a U.S. Department of Homeland Security program to ensure that all employees of the state and its contractors have Social Security numbers and are authorized to work in the United States. A reporter for Minnesota Public Radio, Sasha Aslanian, discovered confidential data from state officials posted on the company's Web site, and reported the story along with a recitation of other recent privacy blunders by the state. The story triggered a mandatory notification of a potential data breach under Minnesota law. In response, Lookout Services filed a lawsuit against both the state and Minnesota Public Radio alleging that Aslanian hacked into the site in violation of the Computer Fraud and Abuse Act.

A state agency, the Minnesota Department of Human Rights ("MDHR"), was the target of another district court action brought by a teacher who had been named as a witness in an action by the MDHR against the Anoka-Hennepin school district. The MDHR charge alleged in part that the teacher singled out a student for harassment because the student was gay. The MDHR settled the case, to which the teacher was not a party, with the school district and featured a description of the case as its “case of the month” on its website. The teacher sued and successfully obtained a temporary restraining order, in part requiring the MDHR to take her name off the website and amend it to refer only to a “female teacher.” The case is captioned Cleveland v. Minnesota Department of Human Rights.

In the third case, a state court dismissed a claim that the Minnesota Department of Health violated the Minnesota Genetic Privacy Act (GPA) by gathering and storing blood specimens from newborn babies and sharing them with medical facilities without the parents’ consent. The GPA prohibits collection or use of genetic information without informed consent, “unless otherwise expressly provided by law.” In an 11-page order, Hennepin County judge found that the blood samples were biological samples, not genetic information and, regardless, the state’s Newborn Screening Law was a statutory exception to the GPA. Bearder, et al v. State of Minnesota. This is a rare example of a private lawsuit under a genetic privacy law, but we can expect to see more as new legislation is enacted in this area, such as the Federal Genetic Information Nondiscrimination Act.

The last case involves the neighboring state of Wisconsin and comes to us from lawyer Peter Nickitas who recently obtained a $40,000 jury verdict in federal court against Dunn County Wisconsin for violation of Wisconsin’s Open Records Laws. The case, Sheffler v. County of Dunn, involved a Minnesota citizen who was arrested in Madison, Wisconsin and spent time in the Dunn County Jail. A few weeks later he requested copies of video footage from his time in jail. The County failed to respond to his request in a timely fashion and the footage was copied over before it could be produced. Plaintiff Troy Scheffler represented himself pro se in defeating the County’s motion for summary judgment and Nickitas represented him at trial.

"These cases all demonstrate that private employers are not alone in facing the complexities and exposure of managing personal information about individuals, particularly employees", observes Joe Saccomano, head of the Jackson Lewis public sector practice group.

New Hampshire Enacts Strict Data Breach Notification Law Affecting Health Care Providers and Business Associates

Joseph Lazzarotti — Tue, 29 Dec 2009 09:16:48 -0800

New Hampshire’s new breach notification law builds on the breach notification requirements under the HITECH Act by requiring health care providers and business associates to notify individuals of disclosures of their protected health information that are prohibited by New Hampshire law, even if such disclosures are permitted under HIPAA or other federal law. This new health information protection was enacted with other measures relating to privacy of electronic medical records and allowing individuals to opt out of sharing their names, addresses, and protected health care information with e-health data exchanges.

H.B. 619 becomes effective for data breaches occurring on and after January 1, 2010. Individuals may sue for violations of the notification requirement and, significantly, seek damages of not less than $1,000 per violation. The law also expressly requires business associates to cover the costs of notification if the use or disclosure triggering notification was made by the business associate.

Now, when New Hampshire health care providers and business associates experience a possible data breach, they will have to consider a number of laws to determine the appropriate response. These include H.B. 619, the state’s general breach notification statute, and the breach notification rules under the HITECH Act and implementing regulations. This is even more complex for health care providers and business associates operating in multiple states as at least five other states (Arkansas, California, Delaware, Missouri, Texas) and Puerto Rico require notification in the event some form of medical information is breached.

Unlike New Hampshire’s general data breach notification statute, this law applies only to health care providers and business associates. H.B. 619 incorporates the definitions of “business associate” and “protected health information” under the HIPAA privacy regulations, but the term “health care provider” includes:

any person, corporation, facility, or institution either licensed by this state or otherwise lawfully providing health care services, including, but not limited to, a physician, hospital, office, clinic, health center or other health care facility, dentist, nurse, optometrist, pharmacist, podiatrist, physical therapist, or mental health professional, and any officer, employee, or agent of such provider acting in the course and scope of employment or agency related to or supportive of health care services.

Of course, health care providers and business associates remain subject to the state’s general breach notification law. That law requires all businesses to notify state residents of an unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by the business. The general notification law contains a “risk of harm” trigger – that is, no notice is required by covered entities that have determined misuse of the information has not occurred or is not reasonably likely to occur. H.B. 619 contains no such “risk of harm” trigger.

Texting & Sexting - Supreme Court to Consider Employees' Expectation of Privacy in Text Messages

Jason C. Gavejian — Tue, 22 Dec 2009 07:13:51 -0800

The U.S. Supreme Court’s recent grant of certiorari in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. highlights the effects new technologies continue to have on workplace privacy issues. One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager. The U.S. Court of Appeals for the Ninth Court sided with the police officer when it ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

The underlying suit was filed by police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant after one of Quon’s superiors audited his messages and found that many of them were sexually explicit and personal in nature. Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating. Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or privacy employers.

Arch Wireless contracted with the employer, the City of Ontario, California, to provide text-messaging services using pagers. The City distributed the pagers to various employees, including Jeffery Quon, a Sergeant in the Ontario Police Department. Quon, along with other employees, signed an "Employee Acknowledgment" of the City’s general "Computer Usage, Internet, and E-mail Policy" which stated that the City reserved the right to "monitor and log all network activity including e-mail and Internet use, with or without notice," and that "[u]sers should have no expectation of privacy or confidentiality when using these resources." Quon also attended a meeting during which a police Lieutenant stated that pager messages "were considered e-mail, and that those messages would fall under the City's policy as public information and eligible for auditing." While each pager was allotted a certain number of characters per month, Quon exceeded his allotment on several occasions. The Lieutenant attempted to determine whether the overages were business-related and obtained transcripts of text messages for the employees with overages. After auditing the transcripts provided by Arch Wireless the matter was referred to the City's Internal Affairs agency, which determined that Quon exceeded his monthly character allotment and many of his messages were personal and not business-related.

While the district court ruled that the plaintiffs had a reasonable expectation of privacy in their text messages, it held a trial on the issue of the employer's intent in conducting the search. If the search was to uncover misconduct rather than to determine character allotment overages, it would be a violation of the plaintiffs' privacy rights. The jury found that the employer's intent was to determine character allotment overages, and the court entered judgment in favor of the employer. The plaintiffs appealed.

The Court of Appeals for the Ninth Circuit, addressing whether Quon had a reasonable expectation of privacy in the text messages, held that he did because the City:

· had a practice of not reviewing the messages if employees paid the overage charges, and

· did not review Quon's messages even though he exceeded the character allotment several times.

Significantly, the court held that the City's practice trumped its own written policy, its employees' acknowledgements that they had no privacy interest in electronic communications, and its statements in staff meetings that it viewed text messages as e-mail.

To determine if the search was reasonable, the court evaluated whether the search was "justified at its inception, and whether it was reasonably related in scope to the circumstances which justified the interference in the first place." Although the appellate court agreed that there were reasonable grounds for conducting the search, it found the scope of the search unreasonable. The court found overbroad the City's review of the actual messages to determine the number of characters used. Because the City reviewed the content of all the messages, the search was excessively intrusive and violated the plaintiffs' Fourth Amendment rights and rights under the California Constitution, the court held.

The Supreme Court will examine whether the Ontario Police Department’s employees should expect privacy for personal text messages they send and receive on police pagers and whether the Department’s official “no-privacy” policy conflicts with its informal policy of allowing some personal use of pagers. The Supreme Court will also look at whether the Circuit Court’s decision bypassed Supreme Court precedents and created a circuit conflict when it analyzed whether police brass could have used “less intrusive methods” of reviewing the officer’s text messages.

Estimates are that 100 million people will utilize text messages in 2010. As a first step, employers must be prepared with comprehensive computer and electronic equipment usage policies. Further, as this case illustrates, it is critical that practices and policies be consistent, and that policies reflect current technologies. Employers also should consider requiring employees to acknowledge receiving and reviewing these and similar policies and procedures, particularly as new technologies are introduced.. While this area of the law remains unsettled, a well drafted policy will serve to lower an employee’s expectation of privacy when using employer owned equipment, although it remains to be seen what the Court will hold.