A Sign of Things to Come for TCPA Defendants?

In a recent ruling, the Seventh Circuit abandoned its previous stance as to whether a complete offer of judgment prior to the filing of a class certification motion would moot a class action brought pursuant to the Telephone Consumer Protection Act (TCPA).

In 2009, the plaintiff, Arnold Chapman, brought a class action alleging First Index Inc. had violated the TCPA when it sent “junk faxes” without the consent of the recipients.  While Chapman’s class certification motion was pending, First Index made an offer of judgment under FRCP 68 for Chapman’s entire damages.  Thereafter, Chapman did not respond.  Following Chapman’s failure to respond, and on application from First Index, the district court dismissed Chapman’s claims as moot.

The Seventh Circuit reversed the district court’s decision, holding that Chapman’s case is only moot when it is impossible for a court to grant any effectual relief whatsoever to the prevailing party.  Using this analysis, the Circuit Court ruled Chapman’s case was not moot as the district court could award damages and/or enter an injunction.  In reaching its decision, the Circuit Court acknowledged, but refused to follow and in fact, overruled, its earlier decisions, including Damasco v. Clearwire Corp., which mooted claims when a plaintiff declines an offer that would satisfy his/her entire demand. In doing so, the Circuit Court relied on the dissent by U.S. Supreme Court Justice Elena Kagan in Genesis Healthcare Corp. v. Symczyk.

The Circuit Court’s ruling, which comes as the U.S. Supreme Court considers the impact of an offer of judgment on TCPA class actions, may provide insight into how SCOTUS will ultimately decide this issue.  In fact, the Circuit Court acknowledged this point and stated it is “best to clean up the law of this circuit promptly, rather than require Chapman and others in his position to wait another year for the Supreme Court’s decision.”

While we continue to await the decision from SCOTUS, this case provides insight into how the Seventh Circuit anticipates SCOTUS will rule.  At the same time, this decision is detrimental to TCPA defendants who sought to rely on the Seventh Circuit’s prior rulings to support a claim that a case is moot after an offer of judgment for full relief to the named plaintiff.

Credit Monitoring Services Following Data Breach NOT Taxable Income to Employees, IRS Announces

When an employer is responding to a breach of their employees’ personal information, one of the last things they may think about is whether the value of the credit monitoring or other identity protection services they make available to affected employees should be considered taxable to the employees and reported as such. In Announcement 2015-22, the Internal Revenue Service clarified that it will not consider the value of such services provided by the employer to employees to be gross income or wages to the employees. The IRS also stated it will not take the position that the employees should include the value of such services as gross income on their personal income tax returns.

Providing identity protection services is a common step companies take to mitigate harm following a data breach and, depending on the state laws triggered, can be required. In general, Section 61 of the Internal Revenue Code describes gross income very broadly to include compensation for services including fees, commissions, fringe benefits, and similar items, and pensions. However, the IRS will not be asserting that individuals affected by a data breach must include in gross income the value of the identity protection services provided by the organization that experienced the data breach. This position likely applies to the tax treatment of such services provided to individuals by any organization following a data breach.

The IRS announcement states, however, this position will not apply to cash received in lieu of identity protection services, or to identity protection services received for reasons other than as a result of a data breach, such as identity protection services received in connection with an employee’s compensation benefit package. In those cases, the cash received or the value of the services provided likely would be taxable income. The announcement also does not affect the tax treatment of proceeds received under an identity theft insurance policy which is governed by existing law.

Note that state income taxes potentially could apply, although many states “piggy-back” on federal tax law and may follow the IRS Announcement here. Organizations and individuals should confirm with their tax advisors the tax treatment for these services at the state level.


Nevada Updated Its Definition of Personal Information, Have You?

When businesses set out to safeguard “personal information,” a fundamental consideration is what that term means. Likewise, when negotiating a third-party vendor agreement, it typically is not enough to rely on the standard definition for “confidential information.” Recently, Nevada and other states have updated their definitions of personal information in connection data breaches notification and safeguarding requirements. We cannot cover all of the updates here, but particularly for organizations in multiple states, it is important to ask the question and consider exactly what elements of personal information require protection. You may end up being more protective and include more data than necessary, it may be practical to do so, but you will want to know what must be protected.

The Usual Suspects

In states that have enacted data breach notification laws or affirmative obligations to protect personal information, you can count on personal information including the usual suspects: Social Security number (SSN), drivers’ license number or state identification number, and financial account numbers and payment card numbers with access codes. Why? Well, in general, these are the data elements believed to be the ones most likely used in the commission of identity theft. Note a few states, like Nevada, make clear the law does not apply to the last four digits of some of these numbers, including the SSN.

But, of course, state laws are not the only source for law on the classes of personal information that warrant protection. Depending on the nature of your business, federal and international laws can also play a significant role in shaping the definition of personal information in your policy, as can contractual obligations.

Casting a Wider Net

One of the few states with an encryption mandate, Nevada recently expanded the scope of personal information subject to that mandate. Prior to the amendment, the state law (NRS 603A.040) defined personal information as noted above: Social Security number, drivers’ license number or state identification number, and financial account numbers and payment card numbers with access codes. Massachusetts, which also has encryption mandate, uses a similar definition. With the enactment of Assembly Bill No. 179, which becomes effective July 1, 2015 (though compliance is not require until July 1, 2016), “personal information” also includes:

  • driver authorization card number;
  • a medical identification number;
  • a health insurance identification number; and
  • a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

A quick survey of some of the 47 state data breach notification laws reveals, in addition to the elements above, other elements of personal information that could trigger a notification requirement in certain states, such as:

  • biometric data, such as a fingerprint, retina or iris image;
  • date of birth;
  • maiden name;
  • an identification number assigned by an employer; and
  • digitized or other electronic signature.

As noted, classifications of personal information requiring protection are not solely a function of state law.

From a consumer protection standpoint, the Federal Trade Commission takes a broad view of personal information that needs to be secured and protected. In a decision concerning whether a company adequately safeguarded customer information, the FTC defined that term to include the following elements:

  • first and last name;
  • home or other physical address;
  • e-mail address or other online contact information, such as an instant messaging user identifier or a screen name;
  • telephone number;
  • Social Security number;
  • driver’s license or other state-issued identification number;
  • financial institution account number;
  • credit or debit card information;
  • persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a mobile device ID, or processor serial number;
  • precise geolocation data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information;
  • an authentication credential, such as a username and password; or,
  • any other communications or content that is input into, stored on, captured with, accessed, or transmitted through a covered device, including but not limited to contacts, e-mails, text messages, photos, videos, and audio recording.

For covered entities and business associates under HIPAA, “protected health information” encompasses health information, including demographic information, about an individual (and which does or can reasonably identify the individual) that relates to the (i) past, present, or future physical or mental health or condition of an individual, (ii) the provision of health care to an individual, or (iii) the past, present, or future payment for the provision of health care to an individual.

For employers, federal statutes like the Genetic Information Nondiscrimination Act (GINA) can be a trap for the unwary. It requires genetic information be safeguarded and not disclosed, except under certain circumstances. It may seem unusual, but one example of genetic information is information about the manifestation of disease in the spouse of an employee.

If you are charged with preparing your company to be compliant with safeguarding personal information, it is worth spending some time thinking about what personal information you need to protect. This requires knowing your business, where you do business, where your employees and customers reside, who you do business with, what youe contractual obligations are, and a number of other factors. The answers may surprise you.

The Hololens From Microsoft – Help Can Be Right Under…Over Your Nose

The saying – never let them see you sweat – soon may be more difficult to accomplish with Microsoft’s Hololens. Like Google Glass, the Hololens is worn as a headset. But this device has a “plurality” of sensors that gather a range of biometrics parameters (heart rate, perspiration, etc.) which determine along with other information if the wearer needs help with something, and then tries to provide that help. Referred to in Microsoft’s patent application approved earlier this year as an “augmented reality help system,” the device’s applications and implications can be far reaching, as it is not hard to see, for example, why companies might want to adopt this technology to benefit their business.

Consider a manufacturing or IT employee having trouble trying to install a new piece of equipment or assemble a piece of flat-pack furniture, a chore that drives some of my own biometrics parameters. Hololens may be able to help. The patent application states:

A person may experience stress that is related to a situation or current context. For example, a person may have difficulty performing a task and grow frustrated as the number of unsuccessful attempts at completing the task grows…

Experiencing stress may also inhibit clear thinking and increase the difficulty of successfully managing a task or situation. Additionally… seeking help from electronic devices would impose inconvenient burdens on the person, or may be impractical or even impossible given the person’s current context…

To address the above issues, an augmented reality help system [would] determine that the user is experiencing a stress response [and] present help content to the user via the head-mounted display device.

So, Hololens can be a valuable tool for an individual trying to overcome complicated tasks at work by using various sensors to simultaneously collect and analyze a wide range of biometric and other data points that determine whether the individual needs some help doing his or her job or a particular task. The device then provides information to the wearer through holographic images to help resolve the problem. These sensors include:

  • a heart rate monitor to measure heart rate,
  • a pulse oximeter sensor to measure hemoglobin saturation,
  • an electrodermal response sensor to monitor the skin’s electrical resistance,
  • an electroencephalographic (EEG) monitor to monitor brainwave activity, and
  • a perspiration sensor to detect sweat.

The descriptions of the device in the patent application, news outlets and reports point to various applications and uses for Hololens. A device like this might have substantial productivity benefits and one can envision lower training costs and fewer errors, among other advantages. However, like many new technologies, implementation would need to be handled carefully not only to assess whether the device will work for the application intended, but will it be worth the investment and effort given the legal and other risks. Hololens adds to the long list of technologies and devices already on the market which legislatures and courts are grappling to understand and regulate.

Privacy and data security considerations are among the many legal considerations and, of course, critical as the device collects a range of health-related data that would seem to be able to paint a detailed, albeit incomplete, picture of an individual’s physical and/or mental health condition. Would an employee realize how much data is being collected and to whom that information is made available? Labor relations is another consideration as employers would certainly have to bargain with the union before they would be able to require represented employees to use Hololens for the purposes contemplated herein. An employer also would have to consider, for example, whether the gathering of biometric and other medical data constitutes a disability-related inquiry under the Americans with Disabilities Act and how the U.S. Equal Employment Opportunity Commission (EEOC) might view that activity. Whether the rules the EEOC proposed earlier this year concerning workplace wellness programs will address wearables and perhaps shed light on the agency’s view of such devices, such as Hololens, remains to be seen.

Once the information is collected, how will it be used? Managers oversee and monitor their employees regularly. A plant manager might observe assembly line operations for workers causing delays, or that need additional help, or that simply are not performing sufficiently. Devices like Hololens would increase dramatically the information available to managers to assist in making these determinations. But will that information be the kind managers should be using, will the use of the information increase the likelihood of disparate impact claims? These are just a few of the questions that need to be considered. Assuming such data can be collected and used for certain work-related purposes, companies already face challenges safeguarding personal information. Will they be able to maintain the security of the sensitive health data captured and transmitted by these devices?

Hololens has not been released for sale yet, but there already is speculation about its release date, some are saying 2016. If true, it may not be long before someone at your company says, “Hey, we need this!” At that point, and maybe even before, businesses need to be carefully thinking through the benefits and risks of introducing this or similar devices into the workplace, or allowing employees to use them.

6 Best Practices For Avoiding TCPA Violations As The Scope Of Liability Under The Statute Swells

As we have previously discussed, the Federal Communications Commission (the “FCC”) recently issued a Declaratory Ruling (“Declaratory Ruling”) that, among other things, likely exposes companies to even greater liability under the Telephone Consumer Protection Act (the “TCPA”).

The TCPA regulates communications, from companies to their consumers, that utilize an automatic telephone dialing system (“ATDS”).  Under the TCPA, before contacting a consumer via an ATDS, a company must obtain prior express consent.  (If the communication is for “telemarketing” purposes, the company must obtain this prior consent in writing.)  TCPA lawsuits have been brought not only against predictable defendants, such as telemarketing firms and debt collectors, but also against social networking companies, sports franchises, schools and universities, pharmaceutical companies, travel and entertainment companies, retailers, and online service providers.  Companies that outsource their telemarketing services to third-party vendors, it is important to note, are not immune from TCPA liability and, in fact, may be held directly liable for their vendors’ TCPA violations.  Faced with the prospect of staggering, uncapped statutory damage liability, companies have routinely settled TCPA class actions for tens of millions of dollars.

Even in single-plaintiff cases, damages under the TCPA can accumulate in a hurry.  In a recently decided case, a U.S. District Court granted partial summary judgment in favor of a TCPA plaintiff, awarding her $229,500 in damages.  Beyond the high damages figure, the case raises concern for companies that utilize ATDS because it demonstrates the breadth of TCPA liability.  In this case, Plaintiff alleged that Defendant made over 163 automated or prerecorded calls to her mobile phone without her consent.  Defendant moved to stay trial, arguing that the Court should await interpretive guidance from the FCC on the definition of “called party” under the TCPA.  This definition is significant, Defendant argued, because, although it ultimately called Plaintiff, it had intended to call the previous owner of Plaintiff’s number – a customer who had consented to receive calls regarding his past due account balance.  The Court denied Defendant’s motion, holding that “called party” unequivocally refers to the party actually called.  Defendant’s intent, the Court held, was only relevant on the issue of willfulness.

The Court also rejected Defendant’s argument that the system it used to call Plaintiff was not an ATDS because it did not generate numbers to dial at random or in sequence, but instead made a list of customers that met certain criteria – in this instance, customers who were behind on their bills – and dialed them.  Whether Defendant’s system actually dialed Plaintiff’s number randomly, however, the Court found, was irrelevant.  Because the system had the capacity to dial numbers at random, it was an ATDS.  Period.

Defendant’s next argument – that it was only liable for the 70 calls it made that were connected – was likewise unavailing.  Defendant, the Court held, “violated the statute each time it placed a call using its ATDS without consent, regardless of whether the call was answered by a person, a machine, or not at all.”

Although it resulted in only a nominal victory for Defendant, the Court drew an important distinction in the area of consent.  Between July 3 and October 3, 2013, Defendant placed 10 calls to Plaintiff via its ATDS.  Plaintiff was not the intended recipient of these calls – the prior owner of Plaintiff’s number was.  Following the tenth call, Plaintiff informed Defendant that she had assumed ownership of the number previously held by the customer that Defendant was attempting to reach, and asked Defendant to stop calling her.  Defendant did not do so, but instead called Plaintiff an additional 153 times.  The Court found that the first 10 calls – those preceding Plaintiff’s request that Defendant cease calling her – were covered by the broad consent given to Defendant under its Service Agreement (“We may call you . . . for any purpose . . .”), and thus were not violative of the TCPA.   Once Plaintiff requested that Defendant stop calling her, however, she effectively revoked her consent, and all calls thereafter violated the TCPA.  The Court held that Defendant’s violation of the TCPA was knowing and willful because it had ignored Plaintiff’s request that it cease calling her.  The Court thus awarded Plaintiff treble damages.

Had the Court issued its decision after the Declaratory Ruling was released, it likely would have tagged Defendant with an additional nine TCPA violations.  To encourage businesses to institute new and/or better safeguards against calling reassigned numbers, the Declaratory Ruling limits companies to one call following reassignment before liability begins to accrue.  To avail itself of even this narrow safe haven, a company must have a reasonable basis for believing that its one call was consented to.

In sum, the Declaratory Ruling has opened the door to even greater liability under the TCPA.  Additionally, as we covered back in May, the U.S. Supreme Court will soon decide the fate of a valuable strategy to limit TCPA liability – offers of judgment under Rule 68 of the Federal Rules of Civil Procedure.  If the Court rules that TCPA defendants may no longer utilize this tool, the settlement leverage of TCPA plaintiffs will be dramatically enhanced, and the plaintiff’s bar will be emboldened in its search for TCPA plaintiffs.  In light of the present breadth of liability under the TPCA, and the possibility that it may soon become even more expansive, companies should strongly consider the following preventative measures, among others:

  1. Review the policies and practices of third party vendors to ensure that they are not sending communications violative of the TCPA;
  2. Either obtain written consent for all ATDS communications, or be sure to carefully delineate between telemarketing and non-telemarketing campaigns, obtaining written consent prior to sending any ATDS communication in connection with the former;
  3. Utilize consent forms that are conspicuous and easily understood, thereby mitigating the risk that the form will be deemed invalid;
  4. Maintain all consent records for at least four years (the statute of limitations period for TCPA claims);
  5. Assess the efficacy of current safeguards against calling reassigned numbers and, if necessary, improve or replace those safeguards; and
  6. Provide consumers user-friendly mechanisms– such as texting “STOP” or “UNSUBSCRIBE” – to opt-out of receiving TCPA-covered communications.


Connecticut State Contractors, Health Insurance Industry Businesses Subject to Enhanced Significant Data Security Mandates

In June, Connecticut’s governor signed into law Senate Bill 949 which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most popular aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill 949 established expansive data security requirements for entities contracting with state agencies and entities in the health insurance and administration business (e.g., health insurance insurers, pharmacy benefits managers, and third-party administrators). See a more complete discussion of the law here, and some highlights below.

Contractors Must Implement a Data Security Program

Entities that have contracts with the state and receive “confidential information” from state agencies are required to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees beginning July 1, 2015.

Some of the requirements include:

  • Policies must restrict access to confidential information only to authorized employees.
  • There must be security and breach investigation procedures.
  • The data security program must be reviewed annually.
  • When applicable, contractors must provide the state Attorney General and the contracting agency a report detailing breaches or suspected breaches, including mitigation plans or why the contractor believes no breach occurred.
  • Contractors cannot store confidential information on stand-alone computers or notebooks or portable storage devices, such as USB drives. This provision has limited exceptions.
  • Contractors may not copy, reproduce, or transmit confidential information except as necessary to complete the contracted services.

Because of the way many businesses perform their services today (e.g., utilizing flash drives and allowing employees to work from home, perhaps with their own computers), the new mandates may require significant changes in current practices. Contractors that are “business associates” of a state agency as defined under HIPAA may have to do more than comply with the HIPAA privacy and security regulations, and should revisit their HIPAA policies and procedures to ensure compliance with the state mandates. The contracts themselves also could impose additional security obligations.

Health Insurance Businesses Must Step Up Data Security

Beginning October 1, 2017, any health insurer, health care center, pharmacy benefits manager, third-party administrator, utilization review company, or entity that is licensed to do health insurance business in Connecticut must implement and maintain a “comprehensive information security program to safeguard the personal information of insureds.” Examples of the safeguards the program must include are:

  • secure computer and Internet user authorization protocols;
  • secure access control measures that include, but are not limited to, restriction of access to personal information only to those who require such data to perform their job duties, passwords that are not default passwords and are reset at least every six months, encryption of all personal information while being transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a laptop computer or other portable device, and monitoring of company security systems for breaches of security;
  • designation of one or more employees to oversee the security program;
  • identification and assessment of reasonably foreseeable internal and external risks to the security of the personal information; and
  • annual review of the scope of the secure access control measures.

Many of these entities either are covered entities or business associates under HIPAA. They should take note, however, that some of these new requirements could go beyond basic HIPAA regulatory mandates. For example, the Connecticut law requires passwords be changed at least every six months. The Connecticut law also requires encryption of all personal information while being transmitted on a public Internet network or wirelessly and when stored on a laptop or other portable device. Beginning October 1, 2017, covered health insurance businesses must certify annually to the Insurance Department, under penalty of perjury, that they maintain a comprehensive information security program that complies with the law’s requirements.


Businesses covered by the new requirements must take stock of their current operations, policies, and procedures to determine whether they are in compliance. The law also has implications beyond the businesses to which it applies directly. Consider professional service providers working with covered state contractors or health insurance businesses. Their services might involve the need to access the same confidential information triggering these requirements. These and similarly situated businesses will need to be prepared.

Getting compliant will take time and only after careful assessment and analysis. Turning this task over entirely to the company’s “IT guy” is likely not the best approach. The role of IT is no doubt critical, but these mandates require consideration of administrative and physical safeguards, as well as technical safeguards. They envision careful assignment of access to personal data based on particular need. They seek broad awareness of the safeguards throughout an organization that is accomplished through training and other measures. They mandate incident response planning, a function involving key decision makers in an organization so they know what to expect and their responsibilities in the event of a breach. They require organizations to obligate their third-party service providers to adhere to similar standards. In short, they contemplate a wholesale, enterprise-wide, regularly reviewed approach to securing confidential information that changes and develops with the organization.


FCC Settles First Data Security Action

UPDATE:  The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information.

As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, Inc.  Originally, the FCC had proposed a $10 million fine, which at the time made it the largest privacy action in the FCC’s history.  Ultimately, the FCC and the telecom companies reached agreement on a $3.5 million settlement.

According to the consent decree, the companies allegedly breached the personal information of over 300,000 consumers through lax security practices, despite the privacy policies for the two companies stating that they had in place technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.

In addition to the $3.5 million settlement, the companies are also required to provide notification to all customers whose information was subject to the breach, provide credit monitoring to each individual, and improve privacy and data security by taking a number of additional steps.  Those steps include, by way of example:

While the settlement is significantly lower than the initial proposed fine, this matter demonstrates the significant liability associated with the failure to adequately safeguard information and/or to implement safeguards consistent with a company’s statements regarding same.

FCC Releases TCPA Omnibus Declaratory Ruling

As anticipated, on July 10, 2015, the Federal Communications Commission (FCC) released its Telephone Consumer Protection Act (TCPA) Omnibus Declaratory Ruling which had previously been approved on June 18, 2015.  The Declaratory Ruling takes effect immediately.

In short, the Declaratory Ruling provides numerous rulings including:

  • Dialing equipment that simply has the capacity to store or produce, and dial random or sequential numbers meets the TCPA’s definition of “autodialer.”
  • Predictive dialers meet the definition of “autodialer.”
  • Callers cannot avoid obtaining consent by dividing ownership of pieces of dialing equipment that work in concert among multiple entities.
  • App developers do not make or initiate calls when one of the app users sends an invitational message using the app.
  • App developers do not make or initiate a text when an individual merely uses its service to set up auto-replies to incoming voicemails.
  • A called party may revoke consent at any time and through any reasonable means.
  • A calling party may not limit the manner in which revocation may occur.
  • If a question arises as to whether prior express consent was provided, the burden is on the calling party to prove that it obtained the necessary prior express consent.
  • The TCPA requires the consent not of the intended recipient of a call, but of the current subscriber (or non-subscriber customary user of the phone) and caller best practices can facilitate detection of number reassignment before calls are made.
  • Callers who make calls without knowledge of reassignment and with a reasonable basis to believe they have valid consent to make the call are permitted to initiate one call after reassignment as an opportunity to gain actual or constructive knowledge of the reassignment and cease future calls to the new subscriber.
  • For telemarketing calls, prior-express-written-consent requirements apply for each call made to a wireless number, rather than to a series of calls to wireless numbers made as part of a marketing or advertising campaign as a whole.
  • Nothing in the Communications Act or the FCC’s rules or orders prohibits carriers or VoIP providers from implementing call-blocking technology that can help consumers to stop unwanted robocalls.

In connection with the release of the Declamatory Ruling, FCC Chairman Tom Wheeler, who previously proposed the rulings said:

The American public has asked us – repeatedly – to do something about unwanted robocalls. Today we help Americans hang up on nuisance calls.

The text of the Declaratory Ruling makes it clear that the FCC’s interpretation of the TCPA is extremely broad, with the intent of protecting those who are called — often to the detriment of companies which are trying to reach their customers/clients, potential customers/clients, or other interested parties, often with no ill intent.

Wisconsin – Criminal Penalties for Improper GPS Use

As of July 2, 2015, Wisconsin law makes it a Class A misdemeanor for any individual to place a GPS device on another individual’s vehicle without the consent of the vehicle’s owner.    Based on comments from the bill’s sponsors, it appears as though the goal of the new law is to protect potential victims or harassment or stalking.  Given the advancements in technology, including the ability for anyone to purchase such a GPS device, measures like this are necessary to protect individual privacy rights.

While many employers may contemplate the use of GPS technology to track their employees, care must be given to jurisdictional laws which may be impacted by such use.  This is particularly true when the employer does not own the vehicle or device on which the GPS technology is installed.  As we have previously discussed, employers who utilize GPS tracking technology should be cognizant of potential legal issues which may arise when tracking employees during non-work hours as the employer may gain private information about an employee that may be considered an invasion into the employee’s personal privacy.  Similarly, the information obtained when tracking an employee (e.g. an employee’s religious denomination based on attendance at group services; an employee’s treatment for a medical issue based on travel to and from a treatment facility, etc.) could potentially lead to employee claims of discrimination or wrongful termination based upon off-duty conduct.

Importantly, the Wisconsin law does contain a number of exemptions from liability.  Specifically, the law exempts an employer or business owner acting to track the movement or location of a motor vehicle owned, leased, or assigned for use by the employer or business owner.  As such, employers tracking their own vehicles, even when utilized by an employee, would not be subject to liability under the Wisconsin law.

While GPS technology may have numerous benefits for an employer, consideration should be given to potential issues, many of which may not be readily apparent, prior to implementing the use of such technology.

State Attorneys General Tell Congress – Don’t Preempt Our Breach Notification Laws!

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years – big breaches, flurry of bills in both houses of Congress, bills die… big breaches, flurry of bills in both houses of Congress, bills die…

A sticking point for this legislation now and in past years is whether a federal law should preempt state notification laws. In a letter signed by the Attorneys General of just about every state with a data breach notification law (47 states have such a law), the National Association of Attorneys General tells Congress to let states continue to address this issue. It does not appear that the NAAG is necessarily opposed to a federal data breach notification law or data security standard, it just prefers that “a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”

However, many consider the matrix of state laws to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring. There is some merit to this. For example, the notification law in Massachusetts prohibits businesses from describing the circumstances of the breach in the notification letter. However, the notification laws in many other states require the letter contain a brief description. Also, some states such as New Jersey require notification to a state agency before notification is made to affected individuals, while other states do not have such a requirement. A third example is that many state laws have a “risk of harm” trigger; that is, a provision that says, in essence, notification is not required if there is not a significant risk of harm to the affected persons. The language in these provisions, however, varies considerably, making it difficult for a business to apply those provisions in a multi-state breach.

The debate certainly will continue. But what is important for businesses large and small is that they have a plan to respond to a breach, and practice that plan. Most companies will experience a data breach affecting personal information and, whether driven by federal and/or state laws, will likely have to notify affected persons. Preparation is critical, and here are some questions businesses, particularly small and mid-sized businesses should be asking:

  • Who are the key people in the organization that would be in the best position to drive the breach response?
  • Do employees know what a data breach is and where to report one?
  • Does the company have vendors lined-up in the event there is a breach?
  • Does our IT team have the appropriate expertise – they manage our systems, and IT equipment, but do they know data security, forensics, etc.
  • Who should we call first if we suspect we have had a breach?
  • Do we have to bargain with the union about our plans for dealing with breaches involving employee data?
  • Is there an insurance policy that might cover some of the costs?
  • Do we have a plan for addressing media attention?
  • Do we have any contractual obligations in connection with a breach? Will this affect our government contract? Have we met our payment card obligations (PCI compliance)?
  • Are we prepared to have our data privacy and security safeguards and written policies scrutinized by a federal or state agency?
  • What steps should we be prepared to take to mitigate potential harm following a breach?