
Workplace Privacy, Data Management & Security Report

Illinois Attorney General Seeks Stronger Data Breach Notification Law, Requirement to Safeguard Personal Information

Reacting to a report that identity theft was a top concern for Illinois residents (second in a list of ten), Attorney General Lisa Madigan announced a legislative proposal to strengthen the state’s existing data breach notification law. The call for stronger breach notification laws is a trend that has emerged in other states, such as New York and Indiana, and one that has had results. Florida and California are good examples. As summarized below, AG Madigan’s proposal follows a similar pattern – add provisions that require notification to the state Attorney General, expand the definition of personal information that would trigger a notification requirement, and require reasonable safeguards to protect personal information before a breach happens. It is this last point to which companies should pay particular attention. In a state Attorney General investigation following a breach, it will be those safeguards that are examined.

Attorney General Madigan has been active in the area of identity theft, maintaining an Identity Theft Unit and Hotline that provides one-on-one assistance to victims of identity theft and data breaches. She also has testified before the U.S. Senate and the U.S. House of Representatives in recent years concerning data breaches, including her testimony last month in connection with the federal data breach law being debated. She is now proposing significant changes to the Personal Information Protection Act (PIPA), the law originally passed in 2005. The changes include:

  • Expanding the types of personal information that could trigger a notification requirement to include medical information, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts;
  • Requiring that the Attorney General’s office be notified in the event of a breach; and
  • Mandating that businesses take “reasonable” steps to protect the personal information covered by the law.

The substantial changes made to the Florida breach notification law last year also added a requirement for businesses to adopt and implement reasonable safeguards to protect personal information. Similar requirements exist in states such as Connecticut, California, Maryland, and Oregon. The most popular and most stringent of these state laws is the one in Massachusetts. Becoming effective almost 5 years ago to the day, March 1, 2010, the Massachusetts data security regulations flesh out one approach to providing reasonable safeguards. (Checklist available here).

Planning for a data breach is critical, but that should be part of an overall plan to safeguard personal information. If the trend of enhancements to data breach notification and safeguarding laws continues, it will not be long before most states have a statutory obligation to safeguard personal information through a set of written policies and procedures, just as 47 states today mandate notification in the event of a breach.

Peer Review Confidentiality Requirement Protects Physician Reviewers from Adverse Employment Action, New Mexico Supreme Court Rules

In this case, a hospital administrator who was present during a peer review meeting, but not as a member of the committee, later reported to the hospital’s physician practice manager her “visual memories of [the Plaintiff’s] behavior, body language, tone of voice and the way things were being said” when the plaintiff, a reviewing physician, verbally attacked his colleague. Other peer review committee members did not agree with the administrator’s characterization of the plaintiff’s actions during the peer review meeting. According to the Court’s decision, the information conveyed by the administrator about the plaintiff’s actions during the peer review meeting directly contributed to his termination.

The primary legal basis for the Court’s decision was the confidentiality mandates in the Review Organization Immunity Act (ROIA), the law regulating peer reviews in New Mexico, including the provisions at Section 41-9-5(A) which state that “[n]o person… shall disclose what transpired at a meeting of a review organization” except for the purposes listed in the statute. According to the Court, this provision creates an implied promise that the plaintiff would not suffer adverse employment action from participating in the peer review process, and that this promise is incorporated into physician-reviewer employment contracts. 

Of course, as noted by the Court, confidentiality in the peer review process is critical. Absent confidentiality, it would be difficult to promote peer review integrity and have candor and objectivity during meetings. Physicians and other medical staff would be reluctant to adhere to those principles for a variety of reasons, including fears about loss of referrals, retaliation, damage to personal relationships, lawsuits, and malpractice actions based on records used during the proceedings. On the other hand, decisions like this may leave employers feeling that medical staff participating in the peer review process are immune from actions that transpire during that process. The New Mexico Supreme Court sought to dispel that notion.

Our holding limits the use of peer review information for a statutory purpose, see § 41-9-5(A), and only those individuals responsible for furthering the statutory purposes of ROIA can be privy to such information. See § 41-9-5 (noting that no person can utilize peer review information except to carry out the statutorily enumerated purposes of a review organization). Eastern contends that our holding will completely immunize physician-reviewer conduct in peer reviews, “no matter how egregious.” This argument ignores the dual regulatory structure within hospitals. As will be explained, because only medical staff, not hospital administrators, are responsible for peer reviews, medical staff may utilize information concerning peer reviewer conduct to discipline reviewers.

The Court explained that its holding does not conflict with an employer’s contractual provisions enabling termination of employment for cause; it “merely prevents [employers] from using confidential peer review information in making [their] personnel decisions.” Healthcare employers, like the defendant in this case, often regulate employee-physicians both through medical staff bylaws and employment contracts. As the Court noted, those bylaws can provide that disruptive conduct may lead to a loss of privileges. An employment contract provision conditioning continued employment on maintaining privileges would, in turn, support the termination of the physician’s employment. So, the Court concludes, physicians who are disruptive during peer review are not free from discipline; they just cannot be disciplined by hospital administrators, who should not be “privy to what transpires during peer review meetings.” Discipline in that case is up to the medical staff.

Hospitals in other states should consider their own processes and the state laws that apply, as many states have laws similar to the ROIA. This includes reviewing medical staff bylaws, employment contracts and long-standing practices to ensure they are coordinated, provide appropriate mechanisms to impose discipline, and maintain the confidentiality of the peer review process.

Indiana Measure to Amend Breach Notification Law Passes Senate

Late last year we reported Indiana Attorney General Greg Zoeller was seeking legislation which would better protect the online personal and financial information of Indiana residents. That legislation, S.B. 413, was unanimously passed by the Indiana Senate on February 24, 2015.  Indiana’s bill follows similar efforts in New Jersey, New York and Oregon.

As previously mentioned, the Indiana bill would amend the state’s current data breach notification law by (i) imposing stricter requirements for the safe storage of sensitive data, (ii) reducing harm to consumers following a data breach, and (iii) increasing transparency of online privacy policies. Importantly, S.B. 413 would expand Indiana’s existing law to include protected data in all formats, as opposed to just unencrypted computerized data.

One of the bill’s sponsors, Sen. James Merritt (R), said “[d]ata breaches and identity theft are serious crimes and have become more common as technology advances.  By passing this legislation, we’re taking steps to ensure consumers feel confident and protected when conducting business online.”

The measure will now head to the Indiana House of Representatives for consideration.

Secretary in Germany Successfully Challenges Employer’s Monitoring…Is Your Monitoring Program Defensible?

According to a report by Deutsche Welle, the German Federal Labor Court held that employers may monitor employees only when they have concrete suspicions of wrongdoing that are based on fact. In the U.S., the standards for engaging in monitoring employees may not be quite that high, but employers should be thinking about whether a decision to take that step is reasonable and defensible.

In the case before the German court, the employer engaged a private investigator when suspicions arose concerning the reasons for the secretary’s sick leave. The suspicions were due mainly to the secretary’s change in the reasons for her leave and the healthcare providers she was using – initially she claimed bronchial ailments, and later claimed back pain. The investigator commenced video surveillance which captured the employee with her family outside her home and in her neighborhood. Evidence was presented that the employee was acting in a manner not consistent with the reasons she gave for her leave.

Nonetheless, because the court found that the employer did not have a sufficient level of suspicion to commence the surveillance in the first place, it upheld an award of damages equal to €1,000, albeit less than the €10,500 claimed. The court opined further that damages for unjustified surveillance would still be appropriate even if it was shown that the employee was lying about the basis for the leave.

In the U.S., monitoring can take place for a variety of reasons – customer service, compliance, productivity, physical and informational security, as well as whether claims under benefit plans are being paid appropriately. In some states, employees are entitled to notification of certain types of electronic monitoring (see, e.g., Connecticut and Delaware). In most cases, it is a good practice to manage employees’ expectations and let them know of the potential for monitoring, at least at the “workplace.” Of course, given the mobility of the workplace these days, that can get a little tricky.

Reasonableness is key, as is shown by a 2001 case, Dishman v. UNUM Life Ins. Co., involving facts similar to the case discussed above. There, the company’s disability insurer questioned an employee’s claim that migraines made him unable to work. The carrier engaged in extensive surveillance to investigate. According to the case, the employee claimed that the investigators –

Claim[ed] to be a bank loan officer endeavoring to verify information he had supplied; … elicited personal information about him from neighbors and acquaintances by representing that he had volunteered to coach a basketball team…sought and obtained personal credit card information and travel itineraries by impersonating him…falsely identified themselves when caught photographing his residence…repeatedly called his residence and either hung up or else dunned the person answering for information about him

The disability plan was an employee welfare benefit plan subject to the Employee Retirement Income Security Act (ERISA) and, as such, enjoyed broad protections from certain state laws that related to the plan under ERISA’s preemption doctrine. The privacy claims by the employee in this case might have been preempted by ERISA had the investigatory tactics been more reasonable and in the usual and customary course of plan administration. In this case, however, the court determined that the actions went far beyond that and did not depend on the benefit claim. Accordingly, the state claims survived ERISA preemption.

Whatever the reason for monitoring, companies need to proceed cautiously, and make sure their managers are doing so as well. At a minimum, employers should have a reasonable basis to commence monitoring, and should consider the kinds of information the monitoring might access and collect (and whether they want that information), who should conduct the monitoring, and what tactics can and should be used. It is prudent to develop internal guidelines that prompt thinking about these and other issues.

ACA Information Reporting Creates Data Privacy and Security Issues

During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering on which employers might want to take action sooner rather than later – collecting Social Security numbers (SSNs), particularly when required to do so from the spouses and dependents of their employees. There are, of course, ACA implications for not taking this step, as well as data privacy and security risks for employers and their vendors. We address the latter here.

Under the ACA, providers of “minimum essential coverage” (MEC) must report certain information about that coverage to the Internal Revenue Service (IRS), as well as to persons receiving that MEC. Employers that sponsor self-insured group health plans are providers of MEC for this purpose, and in the course of meeting the reporting requirements, must collect and report SSNs to the IRS. This reporting mandate requires those employers (or vendors acting on their behalf) to transmit to the IRS the SSNs of employees and their spouses and dependents covered under the plan, unless the employers either (i) exhaust the reasonable collection efforts described below, or (ii) meet certain requirements for limited reporting overall.

Obviously, employers are used to collecting, using and disclosing employee SSNs for legitimate business and benefit plan purposes. Collecting SSNs from spouses and dependents will be an increased burden, creating more risk for employers given the increased amount of sensitive data they will be handling, and possibly for vendors working on their behalf. The reporting rules permit an employer to use a dependent’s date of birth only if the employer was not able to obtain the SSN after “reasonable efforts.” For this purpose, reasonable efforts means the employer was not able to obtain the SSN after an initial attempt and two subsequent attempts.

From an ACA standpoint, employers with self-insured plans that have not collected this information should be engaged in these efforts during the year (2015) to ensure they are ready either to report the SSNs, or the DOBs. At the same time, collecting more sensitive information about individuals raises data privacy and security risks for an organization regarding the likelihood and scope of a breach. Some of those risks, and steps employers could take to mitigate those risks, are described below.

  • Determine whether the information is subject to HIPAA. Employers will need to consider whether this information, collected for ACA group health plan reporting requirements, is protected health information under HIPAA (PHI) or within the HIPAA “employment records” exception.
  • Implement appropriate safeguards. For an employer that determines the information collected for this purpose is PHI, it will need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. Either way, employers need to take steps to safeguard this data. A number of states, such as California, Connecticut, Florida, Maryland, Massachusetts, New York and Oregon, require that reasonable safeguards be in place to protect such information. Examples of good practices include: (i) design forms to collect only the information needed; (ii) direct responses to the requests for the information to go to a single location; (iii) if collected online, make sure the connection is secure; (iv) limit who has access to the information; and (v) after the information is captured and input, destroy all copies of the information other than as needed for appropriate documentation.
  • Ensure your vendors will protect this information. The IRS reporting regulations permit the use of third party vendors to assist employers in the reporting process. Whether the vendor is a “business associate” under HIPAA or a third-party service provider under state law, employers should be sure the vendor is contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.

Employers navigating through ACA compliance and reporting requirements have many issues to be considered. How personal information or protected health information is safeguarded in the course of those efforts is one more important consideration.

Employer FAQs: Responding to the Anthem Breach

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem’s CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs), seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). To assist employers, we prepared some FAQs that can be accessed at the link below, along with some key considerations and action items.

Click here for Employer FAQs concerning the Anthem breach. 

Ethics Case Alleging Improper Social Media Access May Proceed

As we previously reported, sending a “friend” request to access information on an individual’s Facebook page that is not publicly available may have serious ethical implications.  Specifically, the New Jersey Office of Attorney Ethics (OAE) alleges John Robertelli and Gabriel Adamo violated the Rules of Professional Conduct, including those governing communications with represented parties, when they caused a paralegal to “friend” the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page.

In an attempt to end the disciplinary action against them, the attorneys brought a declaratory judgment action against the state ethics authorities for lack of subject matter jurisdiction. Today, an appeals panel upheld the dismissal of that declaratory judgment action, finding that only the New Jersey Supreme Court can decide the appropriateness of bringing an ethics case. As such, the matter returns to the OAE for decision and/or further proceedings.

This case highlights the need for care when conducting investigations into an adverse party and the limits on accessing truly non-public information contained in social media.

NJ Amends Do Not Call Law

Last week, New Jersey’s Governor, Chris Christie (R), signed a bill which will allow telemarketing companies to make sales calls to mobile devices when the call is made to a customer with whom an existing relationship exists or in response to the customer’s written request.

While many companies focus on complying with the Telephone Consumer Protection Act (TCPA), companies that conduct outgoing calling campaigns cannot overlook state laws, which may be more restrictive than the TCPA. New Jersey’s law, for example, applies to all telemarketing calls, regardless of whether or not an automatic dialing system is utilized. As we have previously detailed, to fall within the TCPA, companies need to utilize automatic telephone dialing systems to make the calls in question.

The signed bill (S.1382) immediately amends N.J. Stat. Ann. § 56:8-130, New Jersey’s do not call law, to prohibit only unsolicited telemarketing calls to mobile devices.  Prior to the amendment, all telemarketing calls to mobile devices, regardless of whether an automatic telephone dialing system was used, were prohibited unless the call was from a commercial mobile service company to its customers and related to the company’s mobile services.

New York Attorney General Seeks Stronger Data Breach Notification Law and Data Security Safeguards

Written by Jeffrey M. Schlossberg

Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. The Attorney General said that, if passed, the “new law will be the strongest, most comprehensive in the nation.” In announcing the proposal, the Attorney General cited his 2014 report finding that the number of reported data security breaches in New York more than tripled between 2006 and 2013.

The proposal would be a significant change to the state’s current definition of what constitutes private information (which has not been updated since 2005), which includes a person’s social security number; driver’s license number or non-driver identification card number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The proposed law would expand the definition of protected personal information to include medical history and health insurance information.

Additionally, and similar to the approach taken in Florida when it rewrote its breach notification law, the proposed bill would require all companies to have reasonable data security measures, including administrative, technical, and physical safeguards and to obtain independent data security certification. As an incentive for adopting strong data security standards, the law would provide companies with some protection from liability in civil lawsuits if they can demonstrate having taken adequate steps to protect private information from being hacked or inadvertently released.

The Attorney General will need sponsors in the New York State legislature to introduce a bill that would advance his agenda, although the New York Assembly has already introduced Bill A10190 which would amend the Empire State’s existing breach notification law to require entities which conduct business in the state, and which own or license computerized data which includes private information to develop, implement, and maintain a comprehensive information security program. However, whether or not either effort is successful, these attempts together with President Obama’s call for a national standard for data breach notification and efforts in other states indicate the heightened attention being given to data privacy and the impact of data breaches.

Top 15 for 2015 – Happy National Data Privacy Day

In honor of National Data Privacy Day, we provide the following “Top 15 for 2015.”  While the list is by no means exhaustive, it does provide some hot topics for businesses to consider in 2015.

  1. Inside Threats for Healthcare Providers and Business Associates.  While news reports of security risks often focus on hackings and breaches caused by individuals, terror groups or even countries around the world, many organizations, including healthcare providers and business associates, face a significant and perhaps more immediate risk with an organization’s workforce members.  However, these organizations are not without recourse and can take several steps to reduce their risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.
  2. The Telephone Consumer Protection Act (TCPA).  According to data cited by the U.S. Chamber of Commerce, TCPA suits have increased 30% in the past year, with many of those suits being filed as class actions.  Notably, many of these suits are not just aimed at large companies.  Instead, these suits are often focused on small businesses who may unknowingly violate the TCPA.  With statutory damages ranging from $500 to $1500 per violation (e.g. per fax/text sent or call made) these suits often result in potential damages in the hundreds of thousands, if not millions, of dollars.  Understanding the FAQs for the TCPA is a great first step as we enter 2015.
  3. Location Based Tracking.  As the utilization of GPS-enabled devices becomes more and more prevalent, employers are often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts.  This is particularly true when an employee is absent from work, is traveling for business, or makes a representation as to their location which the employer questions for one reason or another.  The case law in this area is evolving rapidly, and both the public and private sector can expect to continue to face this issue in the future.
  4. Company Budgets with Respect to Technology.  With each passing year, we see an increase in the amount of technology available to businesses and their employees.  While many tech initiatives are focused on increasing employee productivity or company profits, businesses also must be prepared to increase their IT and data security budgets accordingly.  As more company information is shifted to the cloud or made available to employees remotely, budgetary constraints will not provide a justification for poor tech support or data security.
  5. “HIPAA Litigation.”  While HIPAA does not provide for a private cause of action, cases were brought in 2014 which utilized the HIPAA rules as an element in common law tort claims.  By way of example, the Connecticut Supreme Court held that HIPAA did not preempt a negligence claim in connection with the healthcare provider’s disclosure of patient information in response to a subpoena.  While it remains unclear whether liability will ultimately be determined, these cases will likely give potential plaintiffs legal precedent to file these types of actions and the outcome of these actions should be monitored closely throughout 2015.
  6. BYOD.  More and more businesses are realizing the risks of allowing employees to utilize their own electronic devices in the workplace and are turning to Bring Your Own Device (“BYOD”) programs to diminish some of these risks.  Additionally, 2014 saw some companies shy away from BYOD and return to a strict company-owned device policy.  Businesses considering BYOD should review our comprehensive BYOD issues outline.
  7. User Generated Health Data.  The transformation of health information into electronic format has been well documented and will continue into the future.  However, one of the biggest concerns for 2015 is health data which an individual voluntarily provides to track or chart their own health or fitness.  Devices such as Nike Fuelband, Fitbits, or similar devices or applications continue to allow individuals to enter and store more and more health information about themselves electronically.  However, the privacy or security of this information is largely up for debate.
  8. Risk Assessment.  As we have previously mentioned, many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on.  Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step to tackling information risk.  It is logically impossible to adequately safeguard something you are not aware exists.  In fact, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  9. Develop a Written Information Security Program.  Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in MA, MD, TX, CT, etc.), having one is critical to addressing information risk.  Not only will a WISP, and associated training, better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, potentially avoid a breach from occurring in the first place, and may even help the company avoid whistleblower claims from employees.
  10. Dealing with Vendors.  One area of high risk for company data is its use or access by a company’s vendors during the course of the vendor services.  Companies need to be aware of the legal requirements concerning the company owned data in this scenario as well as how to negotiate confidentiality and security provisions in the applicable services agreement.
  11. Develop a Plan for Breach Notification.  All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible.  Failing to respond appropriately could result in significant liability.  This is true even when the number of individuals affected is relatively small.  As we have seen this past year, a data breach can not only harm a company’s bottom line, but also can negatively impact the company’s reputation in the marketplace.  Developing a breach response plan is not only prudent but also may be required under federal or state law.  A proactive approach is often the simplest, and cheapest, way to avoid liability.
  12. Federal Trade Commission (FTC) & Federal Communications Commission (FCC) Enforcement Re: Data Security.  2014 saw the FTC continue to regulate company data security practices by bringing enforcement actions against many types of businesses.  In one of the most significant cases of FTC enforcement, LabMD challenged the FTC’s authority to engage in enforcement activity related to its data security practices absent specific statutory authority to do so.  In a recent ruling, the Eleventh Circuit sided with the FTC and held that companies that find themselves subject to regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final.  Practically speaking, the Eleventh Circuit’s decision means that companies will find no relief from a court until the FTC issues a final agency action.  Similarly, 2014 saw the FCC issue its first fines against a telecommunications carrier for the carrier’s alleged failure to reasonably secure its customers’ personal information in violation of the carrier’s statutory duty under the Communications Act.  We anticipate 2015 will see additional action by the FTC & FCC, as well as legal challenges to any enforcement by either agency.
  13. Investigating Social Media.  Social media continues to grow on a global scale, and the content available on a user’s profile or account is often being sought in connection with litigation.  In fact, failure to preserve relevant information in social media may have dire consequences.  Further, while public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow.
  14. Watch for New Legislation.  Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation.  This is especially true given the number of significant data breaches that occurred throughout 2014.  While no national law requiring the protection of personal information has yet been passed in the U.S., President Obama has stated that data security is one of the top issues for legislation in 2015.  In the interim, companies are left to navigate the constantly evolving web of growing state legislation.  Companies therefore need to stay tuned in order to remain compliant and competitive in this regard.
  15. Jackson Lewis Webinar Series.  Given the numerous developments in the world of data privacy and security, Jackson Lewis will be hosting a comprehensive webinar series to address these issues and how they may impact your business.  We hope you can join us.