Workplace Privacy, Data Management & Security Report

Montana to Join Growing List of States Limiting Access to Social Media?

Earlier this month, legislators in Montana gave final approval to H.B. 342, which would limit an employer’s ability to access the personal social media accounts of applicants and employees. The bill now goes to Governor Steve Bullock’s (D) office for consideration.

If signed, Montana would become the most recent state to join the list of 19 states which limit an employer’s access to personal social media accounts. A similar bill was signed earlier this year in Virginia. Like many of the other laws which have been passed on this issue, the Montana bill would prohibit:

  • An employer from requiring prospective or current employees to share their login credentials;
  • Requiring an individual to access the account in a supervisor’s presence;
  • Requiring any communications which the individual made through their personal account to be turned over; and
  • Companies from retaliating against applicants or employees for their refusal to disclose their personal social media information.

Notably, and unlike many of the laws already in place in other states, the proposed Montana law would permit employers to request login credentials when the employer has specific information about the employee’s activity that indicates work-related employee misconduct, criminal defamation, or the unauthorized transfer by the employee of the employer’s proprietary or confidential information, trade secrets, or financial data. Similarly, employees are required to provide login credentials if required to ensure the employer is complying with federal laws, federal regulations or the rules of a self-regulatory organization, or if an investigation is underway and the information from the employee is necessary to make a factual determination in the investigation.

As previously mentioned, it is anticipated that similar legislation will continue to be introduced throughout 2015 and into the future.

EEOC Wellness Program Regulations Offer Best Practices for Medical Record Confidentiality

As reported on our Benefits Law Advisor, the EEOC has issued proposed wellness program regulations. Much of the attention to those proposed rules understandably will be how they would affect the incentives employers have implemented to spur their employees to engage in healthier behaviors. The proposed rules also address, however, the confidentiality provisions under the Americans with Disabilities Act and, in particular, offer suggestions about steps for complying with the confidentiality requirements, along with some best practices. Interestingly, while these rules are directed at wellness programs, the EEOC’s interpretive guidance may influence changes to existing practices for safeguarding employees’ medical records (those not covered by HIPAA) beyond merely separating medical files from personnel files and limiting disclosures of such information.

Wellness Programs and Coordination with HIPAA

The EEOC’s proposed regulations apply to those wellness programs that make disability-related inquiries or medical examinations. This could include wellness programs that are part of an employer-sponsored group health plan and those programs that are not.

For those wellness programs that are part of a group health plan, the privacy, security, breach notification and certain other rules under HIPAA apply to safeguard “protected health information.”  (The Office for Civil Rights issued some FAQs last week to address this issue.) And, the EEOC acknowledged in its proposed regulations that a wellness program that is part of a HIPAA covered entity (e.g., a group health plan) “likely will be able to comply with its obligation under section 1630.14(d)(6) by complying with the HIPAA Privacy Rule.” However, for such wellness programs, the EEOC also would require employers to notify employees of the following:

  • what medical information is being obtained,
  • the purposes for which it is being obtained,
  • who gets the medical information,
  • the restrictions on how it will be disclosed, and
  • safeguards in place to prevent unauthorized disclosure.

It is unclear whether the HIPAA Notice of Privacy Practices could be used to meet this requirement. Regardless of whether the wellness program is part of a group health plan (and also subject to HIPAA), the EEOC proposed regulations would permit employers to collect medical information as part of a wellness program only in aggregate form which does not disclose, and is not reasonably likely to disclose, the identity of specific individuals, except as is necessary to administer the program or as otherwise permitted under the ADA confidentiality rule. These rules also apply to agents of the employer that are administering the program for the employer.

Shaping the Obligations Under the ADA Confidentiality Rule

As noted above, for wellness programs that are part of a group health plan, complying with the HIPAA rules likely will be sufficient to meet some of the confidentiality requirements under the ADA. However, the EEOC’s interpretive guidance notes that employers must take steps to “protect the confidentiality of employee medical information” provided as part of a wellness program. The guidance goes on to reference steps that are required by law, as well as to suggest certain best practices. These include:

  • Proper training of individuals who handle medical information in the requirements of the HIPAA Rules, the ADA, and any other applicable privacy laws. Of course, privacy training is already required under HIPAA and some state laws, and is no doubt a best practice.
  • Employers also should have clear privacy policies and procedures concerning the collection, storage, and disclosure of medical information.
  • On-line systems and other technology should guard against unauthorized access, such as through use of encryption for medical information stored electronically.
  • Individuals who handle medical information that is part of a wellness program should not be responsible for making decisions related to employment. However, the guidance seems to acknowledge that for some employers that may not be practical and suggests that adequate firewalls be in place to prevent unintended disclosures.
  • Companies should be prepared to investigate and respond to breaches of confidentiality, and discipline should be imposed on workers who breach confidentiality. Likewise, in the case of third party vendors that breach confidentiality, the company should consider terminating its relationship with the vendor.

Again, while the EEOC’s proposed wellness program regulations are directed at wellness programs, they include guidance that may be looked to when assessing whether an employer has adequately met its ADA confidentiality requirements concerning employee medical information, whether or not in connection with a wellness program. As the rules continue to strengthen for maintaining sensitive personal information confidentially and securely, employers should consider revisiting their approach to compliance with the ADA confidentiality rule with respect to their wellness programs and generally.

Next Step in U.S. Postal Service Breach – NLRB Sues Postal Service

As discussed in an earlier post, shortly after the United States Postal Service reported a data breach potentially affecting hundreds of thousands of employees, the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board alleging the Postal Service should have bargained with the union over the impact of and response to the security breach. That ULP charge has led to a complaint filed by the NLRB Regional Director for Region 5 in Baltimore, Maryland, claiming that the Postal Service was wrong for not bargaining with the Union as requested.

It remains to be seen whether the Postal Service had a duty to bargain with the Union under the circumstances in this case. As we discussed earlier, however, entering into negotiations with one or more representative unions about the nature and extent of the response to such an incident likely would be an involved process, undoubtedly delaying notice to affected persons, along with the kinds of monitoring and other services typically provided to affected members and intended to help safeguard them from harm. Such a delay is precisely counter to a key purpose of all of the breach notification laws – providing speedy notice. So what is a company to do that has workers represented by a union?

Businesses are beginning to see that data breaches are a real threat, and can affect any organization, large or small. Purchases of cyber insurance are up, and companies are beginning to take steps to be prepared. For example, many are vetting their policies and procedures to make sure they understand and have reasonably addressed their risks and vulnerabilities in order to minimize a breach in the first place. In addition to addressing risk through insurance, some companies will undergo “tabletop” exercises, a helpful tool that typically involves gathering key members of management together to run through various data breach scenarios and assess how prepared they really are.

Businesses with employees represented by unions have an additional challenge – is it better to risk a claim for undue delay in breach notification and mitigation by an employee or a federal or state enforcement agency on account of union negotiations, or a charge by the union representing the employees that the company did not bargain with the union about the response? In addition to the steps referenced in the paragraph above, these businesses may want to consider including data breach response and related benefits as part of their overall labor relations strategies. That is, where possible, reach some agreement ahead of time with the union on how the company will respond to a breach in the event one occurs, and incorporate that agreement into the company’s data breach response planning. This will help the company be in a position to respond timely under the applicable breach notification law(s), and hopefully avoid confrontation with the union.

Virginia Joins List of States Limiting Employer Access to Social Media Accounts

Recently, Virginia Gov. Terry McAuliffe (D) signed a bill that limits employer access to the personal social media accounts of employees and job applicants. The law, which takes effect on July 1, 2015, prohibits employers in Virginia from requiring, requesting, or causing a current or prospective employee to disclose the username and password to the individual’s social media account. Additionally, the law also prohibits employers from requiring an employee to add another employee, a supervisor, or an administrator to the list of contacts associated with the individual’s social media account, or to change the account’s privacy settings. We have prepared a detailed article discussing the new law.

In 2012, Maryland was the first state to prohibit employers from demanding social media passwords.  In a trend that is likely to continue, Virginia now becomes the 19th state to implement a workplace social media password privacy law.

Alabama Seeks To Become 48th State To Enact Breach Legislation

Alabama recently introduced a bill (S.B. 106) which would require notification in the event of a breach affecting the personal information of an Alabama resident.  While 47 states currently have laws requiring breach notification — most recently joined by Kentucky — New Mexico, South Dakota, and Alabama are the only states that do not.

Notably, the proposed legislation includes a number of novel provisions. Specifically, the bill includes an expansive definition of “personal information,” including some data elements which many other jurisdictions do not currently define as “personal information.” In particular (and in addition to more traditional data elements such as name, social security number and state identification number), the bill’s definition of “personal information” includes:

  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Further, if enacted, the law would: apply to paper and/or unencrypted electronic personal information; require notification to affected individuals within 30 days after a breach determination; and include a risk of harm trigger providing that notice need not be provided if “the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.” If notice is not provided, however, the decision must be documented in writing and maintained for 5 years. Oddly, a copy of the determination not to provide notice would still need to be provided to the Attorney General, notwithstanding the fact that the bill only calls for Attorney General notification in the event of a breach affecting 500 or more residents of Alabama.

Lastly, and to address the growing number of payment card industry breaches, the proposed law requires businesses not to retain credit and debit card security code data, PIN verification numbers, or the full contents of any magnetic stripe data. Entities that do experience a payment card data breach would be required to “reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”

The bill was sent to the Alabama Senate’s Judiciary Committee for consideration.

Employee Apps = Employer Data Risk?

Many mobile app developers do not place a high priority on data security, as illustrated by a recent IBM/Ponemon study:

  • Fifty percent of mobile app developers have no budget for security.
  • Forty percent of companies don’t scan mobile app codes for vulnerabilities.
  • The average company tests less than half of the apps it builds for security issues.
  • Thirty-three percent of companies never test any apps for security.

Such vulnerabilities have contributed to over one billion personal data records being compromised last year alone. In addition, studies show that 11.6 million mobile devices are affected by malware at any given time.

The risk involved with mobile apps is extended to employers when employees access or maintain company electronic information using their personal devices. Many employers have a “Bring Your Own Device” program; others do not and may not realize how much of their data is stored on their employees’ personal devices. In either case, the company’s data is at risk. According to the same IBM/Ponemon study, a majority of employees (over fifty-five percent) define themselves as heavy app users yet indicate that their employer does not have a policy which defines the acceptable use of mobile apps in the workplace. An even larger majority of employers (67%) do not review or vet the downloading of mobile apps in the workplace. Most employers allow employees to use and download business apps on their personal devices without monitoring for potential security issues.

Employee use of their own devices in the workplace can bring increased productivity and morale, but also raises a number of risks. Developing and implementing a comprehensive BYOD program can help to mitigate those risks, including those that apps present. Many employers are probably not even aware of this potential “app” risk to electronic company information.  Employers are advised to move quickly to address potential security risks to company confidential information, including those created by the use of mobile apps.

The Data Security and Breach Notification Act of 2015

On March 25, 2015, the United States House of Representatives Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard. This draft legislation comes on the heels of the President’s call for a national data breach notification law. The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;
  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;
  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;
  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;
  • The law would preempt all state data breach notification laws;
  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and
  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken. Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed. However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact that identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.

Email Autofill Error Exposes Personal Information of G20 World Leaders

With breaches caused by payment card thieves and hackers dominating the news, it is easy for mid-sized and small companies to think that data breaches are unfortunate events that affect only large companies. Not only is this sentiment misguided, but in relative terms the information contained in exposed emails can cause far more damage to an organization than the loss of customer payment card data. In this case, as reported by CNET, the inadvertent error was caused by a staff member of Australia’s Department of Immigration whose email blunder disclosed to an unauthorized party the personal passport information (e.g., passport number, date of birth) of all of the G20 leaders, including President Obama.

Embarrassing no doubt, but it looks like potential harm was mitigated as the recipient (someone at the Local Organizing Committee of the Asian Cup international soccer tournament) confirmed the email was immediately deleted and not forwarded or copied to a backup system. For sure, the G20 leaders have teams of people able to track down and secure such a transmission. Most businesses will not have the same good fortune, nor the same resources to track and secure such an errant email.

Company email and other electronic communications systems can tell a very comprehensive story about an organization, the details of which even management may not be fully aware. There will, of course, be emails and attachments that contain sensitive personal information about employees, customers and other individuals. Consider, for example, the employee relations nightmare that could erupt if a spreadsheet containing names, SSNs and salary information of all company employees and executives is inadvertently sent company-wide. The same would be true for email communications containing details of a workplace affair or establishing evidence of systemic workplace discrimination.

However, companies also maintain critically important trade secret information, intellectual property and strategic business planning data that is communicated through email and other systems. Such data, if disclosed to or accessed by the wrong person(s), could severely hamper the company’s business. The same would be true if a similar error, albeit unintentional, resulted in the disclosure of important information belonging to the company’s clients.

It should go without saying that the autofill feature is not the only risk to confidential information in electronic communication systems. These systems could be hacked, synched and unencrypted devices could be lost, and rogue employees could remove vast amounts of files containing a wealth of damaging data. In any of these cases, the potential harm could take many forms beyond the typical payment card breach. Indeed, customer payment card information could be included in email. However, in the case of a professional services firm, for example, sensitive client information included in the breach could result in the loss of key clients, the cost of which could be difficult to overcome, as would be the cost to regain that client’s trust. Emails included in the group could expose a sordid affair involving the company’s chief executive, damaging the company’s position in the community. The same incident also could result in the loss of key intellectual property that undermines the business’ competitive advantage. The list could go on.

No set of safeguards will reduce to zero the risk of these kinds of incidents. That does not mean efforts to reduce the risks should be ignored. Limiting data collected and transmitted in electronic communications systems, a closely followed record retention and destruction policy, reasonable monitoring of systems, and creating a culture of privacy and security are all steps a company can take to reduce this exposure. But, that is not all. Businesses also must plan for the inevitability that breaches involving the loss of confidential information of many different varieties can and will occur. Key members of management should be thinking through different scenarios, developing appropriate plans to respond, and practicing those plans.

Checklists Not Enough When Developing a WISP, FTC Director Comments at IAPP Global Privacy Summit

This year’s IAPP Global Privacy Summit was very informative on a number of fronts, including the helpful insight provided by officials at the Federal Trade Commission (FTC) on a range of topics. A good summary of some of their comments can be found here, which includes concerns they expressed about the Consumer Privacy Bill of Rights released by the White House during the last week in February. One example of good practical guidance was offered by Jessica Rich, Director, Bureau of Consumer Protection, relating to how companies go about creating written information security programs (WISPs). She said, “No checklists.”

We did not understand Ms. Rich to be suggesting businesses not use checklists as a tool in building a WISP. Of course, well-crafted checklists can be enormously helpful for companies, particularly small and mid-sized companies, to learn about best practices and to ensure they have met the applicable compliance requirements. This is true regardless of the topic of compliance or the industry. For example, when a health care provider or one of its business associates is trying to grasp the different administrative, physical and technical standards under the HIPAA Security Rule, a checklist could be very useful in helping to understand the scope of the project and for organizing an efficient compliance effort. Similarly, when creating a data breach response plan, there are a number of legal and practical steps that need to be taken, and a checklist can help to organize those steps.

We believe Ms. Rich was emphasizing that each business must understand its particular circumstances when developing a WISP, and not rely solely on a checklist. More specifically, we understood her to be calling for businesses to dig deeper and assess their particular risks, vulnerabilities, resources, needs and other circumstances in order to move toward compliance and appropriately mitigate the risks and vulnerabilities identified. That process can be aided by one or more checklists, but the process has to be informed by the circumstances actually facing the company and the process has to be ongoing. That is, completing the checklist neither completes the WISP nor the things a business needs to be doing to ensure its WISP is appropriate for its business at any given time.

Comprehensive federal privacy legislation seems to be moving more vigorously than it has in recent years. What form it will take, if any, and what role the FTC will play is unclear at this point. What is clear is that companies in all industries have to use their best efforts to maintain the privacy and security of personal and other important data. This requires a comprehensive and deep understanding of the business, its practices, its customers, its products and services, its employees, its resources, its legal and regulatory environment, and how those factors shape its overall information risk. Checklists can help gather and analyze this information, and implement solutions, but they are no substitute for understanding the business’ risks and being able to address those risks now and in the future.

Illinois Attorney General Seeks Stronger Data Breach Notification Law, Requirement to Safeguard Personal Information

Reacting to a report that identity theft was a top concern for Illinois residents (second in a list of ten), Attorney General Lisa Madigan announced a legislative proposal to strengthen the state’s existing data breach notification law. The call for stronger breach notification laws is a trend that has emerged in other states, such as New York and Indiana, and one that has had results. Florida and California are good examples. As summarized below, AG Madigan’s proposal follows a similar pattern – add provisions that require notification to the state Attorney General, expand the definition of personal information that would trigger a notification requirement, and require reasonable safeguards to protect personal information before a breach happens. It is this last point to which companies should pay particular attention. In a state Attorney General investigation following a breach, it will be those safeguards that are examined.

Attorney General Madigan has been active in the area of identity theft, maintaining an Identity Theft Unit and Hotline that provides one-on-one assistance to victims of identity theft and data breaches. She also has testified before the U.S. Senate and the U.S. House of Representatives in recent years concerning data breaches, including her testimony last month in connection with federal data breach law being debated. She is now proposing significant changes to the law originally passed in 2005, Personal Information Protection Act (PIPA). The changes include:

  • Expanding the types of personal information that could trigger a notification requirement to include medical information, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts;
  • Requiring that the Attorney General’s office be notified in the event of a breach; and
  • Mandating that businesses take “reasonable” steps to protect the personal information covered by the law.

The substantial changes made to the Florida breach notification law last year also added a requirement for businesses to adopt and implement reasonable safeguards to protect personal information. Similar requirements exist in states such as Connecticut, California, Maryland, and Oregon. The most popular and most stringent of these state laws is the one in Massachusetts. Becoming effective almost 5 years ago to the day, March 1, 2010, the Massachusetts data security regulations flesh out one approach to providing reasonable safeguards. (Checklist available here).

Planning for a data breach is critical, but that should be part of an overall plan to safeguard personal information. If the trend of enhancements to data breach notification and safeguarding laws continues, it will not be long before most states have a statutory obligation to safeguard personal information through a set of written policies and procedures, just as 47 states today mandate notification in the event of a breach.