
Workplace Privacy, Data Management & Security Report

Checklists Not Enough When Developing a WISP, FTC Director Comments at IAPP Global Privacy Summit

This year’s IAPP Global Privacy Summit was very informative on a number of fronts, including the helpful insight provided by officials at the Federal Trade Commission (FTC) on a range of topics. A good summary of some of their comments can be found here, which includes concerns they expressed about the Consumer Privacy Bill of Rights released by the White House during the last week in February. One example of good practical guidance was offered by Jessica Rich, Director, Bureau of Consumer Protection, relating to how companies go about creating written information security programs (WISPs). She said, “No checklists.”

We did not understand Ms. Rich to be suggesting businesses not use checklists as a tool in building a WISP. Of course, well-crafted checklists can be enormously helpful for companies, particularly small and mid-sized companies, to learn about best practices and to ensure they have met the applicable compliance requirements. This is true regardless of the topic of compliance or the industry. For example, when a health care provider or one of its business associates is trying to grasp the different administrative, physical and technical standards under the HIPAA Security Rule, a checklist could be very useful in helping to understand the scope of the project and for organizing an efficient compliance effort. Similarly, when creating a data breach response plan, there are a number of legal and practical steps that need to be taken, and a checklist can help to organize those steps.

We believe Ms. Rich was emphasizing that each business must understand its particular circumstances when developing a WISP, and not rely solely on a checklist. More specifically, we understood her to be calling for businesses to dig deeper and assess their particular risks, vulnerabilities, resources, needs and other circumstances in order to move toward compliance and appropriately mitigate the risks and vulnerabilities identified. That process can be aided by one or more checklists, but the process has to be informed by the circumstances actually facing the company and the process has to be ongoing. That is, completing the checklist neither completes the WISP nor the things a business needs to be doing to ensure its WISP is appropriate for its business at any given time.

Comprehensive federal privacy legislation seems to be moving more vigorously than it has in recent years. What form it will take, if any, and what role the FTC will play is unclear at this point. What is clear is that companies in all industries have to use their best efforts to maintain the privacy and security of personal and other important data. This requires a comprehensive and deep understanding of the business, its practices, its customers, its products and services, its employees, its resources, its legal and regulatory environment, and how those factors shape its overall information risk. Checklists can help gather and analyze this information, and implement solutions, but they are no substitute for understanding the business’ risks and being able to address those risks now and in the future.

Illinois Attorney General Seeks Stronger Data Breach Notification Law, Requirement to Safeguard Personal Information

Reacting to a report that identity theft was a top concern for Illinois residents (second in a list of ten), Attorney General Lisa Madigan announced a legislative proposal to strengthen the state’s existing data breach notification law. The call for stronger breach notification laws is a trend that has emerged in other states, such as New York and Indiana, and one that has had results. Florida and California are good examples. As summarized below, AG Madigan’s proposal follows a similar pattern – add provisions that require notification to the state Attorney General, expand the definition of personal information that would trigger a notification requirement, and require reasonable safeguards to protect personal information before a breach happens. It is this last point to which companies should pay particular attention. In a state Attorney General investigation following a breach, it will be those safeguards that are examined.

Attorney General Madigan has been active in the area of identity theft, maintaining an Identity Theft Unit and Hotline that provides one-on-one assistance to victims of identity theft and data breaches. She also has testified before the U.S. Senate and the U.S. House of Representatives in recent years concerning data breaches, including her testimony last month in connection with federal data breach law being debated. She is now proposing significant changes to the law originally passed in 2005, Personal Information Protection Act (PIPA). The changes include:

  • Expanding the types of personal information that could trigger a notification requirement to include medical information, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts;
  • Requiring that the Attorney General’s office be notified in the event of a breach; and
  • Mandating that businesses take “reasonable” steps to protect the personal information covered by the law.

The substantial changes made to the Florida breach notification law last year also added a requirement for businesses to adopt and implement reasonable safeguards to protect personal information. Similar requirements exist in states such as Connecticut, California, Maryland, and Oregon. The most popular and most stringent of these state laws is the one in Massachusetts. Becoming effective almost 5 years ago to the day, March 1, 2010, the Massachusetts data security regulations flesh out one approach to providing reasonable safeguards. (Checklist available here).

Planning for a data breach is critical, but that should be part of an overall plan to safeguard personal information. If the trend of enhancements to data breach notification and safeguarding laws continues, it will not be long before most states have a statutory obligation to safeguard personal information through a set of written policies and procedures, just as 47 states today mandate notification in the event of a breach.

Peer Review Confidentiality Requirement Protects Physician Reviewers from Adverse Employment Action, New Mexico Supreme Court Rules

In this case, a hospital administrator who was present during a peer review meeting, but not as a member of the committee, later reported to the hospital’s physician practice manager her “visual memories of [the Plaintiff’s] behavior, body language, tone of voice and the way things were being said” when the plaintiff, a reviewing physician, verbally attacked his colleague. Other peer review committee members did not agree with the administrator’s characterization of the plaintiff’s actions during the peer review meeting. According to the Court’s decision, the information conveyed by the administrator about the plaintiff’s actions during the peer review meeting directly contributed to his termination.

The primary legal basis for the Court’s decision was the confidentiality mandates in the Review Organization Immunity Act (ROIA), the law regulating peer reviews in New Mexico, including the provisions at Section 41-9-5(A) which state that “[n]o person… shall disclose what transpired at a meeting of a review organization” except for the purposes listed in the statute. According to the Court, this provision creates an implied promise that the plaintiff would not suffer adverse employment action from participating in the peer review process, and that this promise is incorporated into physician-reviewer employment contracts. 

Of course, as noted by the Court, confidentiality in the peer review process is critical. Absent confidentiality, it would be difficult to promote peer review integrity and have candor and objectivity during meetings. Physicians and other medical staff would be reluctant to adhere to those principles for a variety of reasons including fears about loss of referrals, retaliation, damage to personal relationships, lawsuits, and malpractice actions based on records used during the proceedings. On the other hand, decisions like this may leave employers feeling that medical staff participating in the peer review process are immune from actions that transpire during that process. The New Mexico Supreme Court sought to dispel that notion.

Our holding limits the use of peer review information for a statutory purpose, see § 41-9-5(A), and only those individuals responsible for furthering the statutory purposes of ROIA can be privy to such information. See § 41-9-5 (noting that no person can utilize peer review information except to carry out the statutorily enumerated purposes of a review organization). Eastern contends that our holding will completely immunize physician-reviewer conduct in peer reviews, “no matter how egregious.” This argument ignores the dual regulatory structure within hospitals. As will be explained, because only medical staff, not hospital administrators, are responsible for peer reviews, medical staff may utilize information concerning peer reviewer conduct to discipline reviewers.

The Court explained that its holding does not conflict with an employer’s contractual provisions enabling termination of employment for cause, it “merely prevents [employers] from using confidential peer review information in making [their] personnel decisions.” Healthcare employers, like the defendant in this case, often regulate employee-physicians both through medical staff bylaws and employment contracts. As the Court noted, those bylaws can provide that disruptive conduct may lead to a loss of privileges. An employment contract provision conditioning continued employment on maintaining privileges would, in turn, support the termination of the physician’s employment. So, the Court concludes, physicians that are disruptive during peer review are not free from discipline, they just cannot be disciplined by hospital administrators who should not be “privy to what transpires during peer review meetings.” Discipline in that case is up to the medical staff.

Hospitals in other states should consider their own processes and the state laws that apply, as many states have laws similar to the ROIA. This includes reviewing medical staff bylaws, employment contracts and long standing practices to ensure they are coordinated, provide appropriate mechanisms to impose discipline and maintain the confidentiality of the peer review process.

Indiana Measure to Amend Breach Notification Law Passes Senate

Late last year we reported Indiana Attorney General Greg Zoeller was seeking legislation which would better protect the online personal and financial information of Indiana residents. That legislation, S.B. 413, was unanimously passed by the Indiana Senate on February 24, 2015.  Indiana’s bill follows similar efforts in New Jersey, New York and Oregon.

As previously mentioned, the Indiana bill would amend the state’s current data breach notification law by (i) imposing stricter requirements for the safe storage of sensitive data, (ii) reducing harm to consumers following a data breach, and (iii) increasing transparency of online privacy policies. Importantly, S.B. 413 would expand Indiana’s existing law to include protected data in all formats, as opposed to just unencrypted computerized data.

One of the bill’s sponsors, Sen. James Merritt (R), said “[d]ata breaches and identity theft are serious crimes and have become more common as technology advances.  By passing this legislation, we’re taking steps to ensure consumers feel confident and protected when conducting business online.”

The measure will now head to the Indiana House of Representatives for consideration.

Secretary in Germany Successfully Challenges Employer’s Monitoring…Is Your Monitoring Program Defensible?

According to a report by Deutsche Welle, the German Federal Labor Court held that employers may monitor employees only when they have concrete suspicions of wrongdoing that are based on fact. In the U.S., the standards for engaging in monitoring employees may not be quite that high, but employers should be thinking about whether a decision to take that step is reasonable and defensible.

In the case before the German court, the employer engaged a private investigator when suspicions arose concerning the reasons for the secretary’s sick leave. The suspicions were due mainly to the secretary’s change in the reasons for her leave and the healthcare providers she was using – initially she claimed bronchial ailments, and later claimed back pain. The investigator commenced video surveillance which captured the employee with her family outside her home and in her neighborhood. Evidence was presented that the employee was acting in a manner not consistent with the reasons she gave for her leave.

Nonetheless, because the court found that the employer did not have a sufficient level of suspicion to commence the surveillance in the first place, it upheld an award of damages equal to €1,000, albeit less than the €10,500 claimed. The court opined further that damages for unjustified surveillance would still be appropriate even if it was shown that the employee was lying about the basis for the leave.

In the U.S., monitoring can take place for a variety of reasons – customer service, compliance, productivity, physical and informational security, as well as whether claims under benefit plans are being paid appropriately. In some states, employees are entitled to notification of certain types of electronic monitoring (see, e.g., Connecticut and Delaware). In most cases, it is a good practice to manage employees’ expectations and let them know of the potential for monitoring, at least at the “workplace.” Of course, given the mobility of the workplace these days, that can get a little tricky.

Reasonableness is key, as is shown by a 2001 case, Dishman v. UNUM Life Ins. Co., involving facts similar to the case discussed above. There, the company’s disability insurer questioned an employee’s claim that migraines made him unable to work. The carrier engaged in extensive surveillance to investigate. According to the case, the employee claimed that the investigators –

Claim[ed] to be a bank loan officer endeavoring to verify information he had supplied; … elicited personal information about him from neighbors and acquaintances by representing that he had volunteered to coach a basketball team…sought and obtained personal credit card information and travel itineraries by impersonating him…falsely identified themselves when caught photographing his residence…repeatedly called his residence and either hung up or else dunned the person answering for information about him

The disability plan was an employee welfare benefit plan subject to the Employee Retirement Income Security Act (ERISA) and, as such, enjoyed broad protections from certain state laws that related to the plan under ERISA’s preemption doctrine. The privacy claims by the employee in this case might have been preempted by ERISA had the investigatory tactics been more reasonable and in the usual and customary course of plan administration. In this case, however, the court determined that the actions went far beyond that and did not depend on the benefit claim. Accordingly, the state claims survived ERISA preemption.

Whatever the reason for monitoring, companies need to proceed cautiously, and make sure their managers are doing so as well. At a minimum, employers should have a reasonable basis to commence monitoring, consider the kinds of information the monitoring might access and collect (and whether they want that information), who should conduct the monitoring, and what tactics can and should be used. It is prudent to develop internal guidelines that prompt thinking about these and other issues.

ACA Information Reporting Creates Data Privacy and Security Issues

During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering which employers might want to take action on sooner rather than later – collecting Social Security numbers (SSNs), particularly when required to do so from the spouses and dependents of their employees. There are, of course, ACA implications for not taking this step, as well as data privacy and security risks for employer and their vendors. We address the latter here.

Under the ACA, providers of “minimum essential coverage” (MEC) must report certain information about that coverage to the Internal Revenue Service (IRS), as well as to persons receiving that MEC. Employers that sponsor self-insured group health plans are providers of MEC for this purpose, and in the course of meeting the reporting requirements, must collect and report SSNs to the IRS. However, this reporting mandate requires those employers (or vendors acting on their behalf) to transmit to the IRS the SSNs of employees and their spouses and dependents covered under the plan, unless the employers either (i) exhaust the reasonable collection efforts described below, or (ii) meet certain requirements for limited reporting overall.

Obviously, employers are used to collecting, using and disclosing employee SSNs for legitimate business and benefit plan purposes. Collecting SSNs from spouses and dependents will be an increased burden, creating more risk for employers given the increased amount of sensitive data they will be handling, and possibly for vendors working on their behalf. The reporting rules permit an employer to use a dependent’s date of birth only if the employer was not able to obtain the SSN after “reasonable efforts.” For this purpose, reasonable efforts means the employer was not able to obtain the SSN after an initial attempt and two subsequent attempts.

From an ACA standpoint, employers with self-insured plans that have not collected this information should be engaged in these efforts during the year (2015) to ensure they are ready either to report the SSNs, or the DOBs. At the same time, collecting more sensitive information about individuals raises data privacy and security risks for an organization regarding the likelihood and scope of a breach. Some of those risks, and steps employers could take to mitigate those risks, are described below.

  • Determine whether the information is subject to HIPAA. Employers will need to consider whether this information, collected for ACA group health plan reporting requirements, is protected health information under HIPAA (PHI) or within the HIPAA “employment records” exception.
  • Implement appropriate safeguards. For an employer that determines the information collected for this purpose is PHI, it will need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. Either way, employers need to take steps to safeguard this data. A number of states, such as California, Connecticut, Florida, Maryland, Massachusetts, New York, and Oregon, require reasonable safeguards be in place to protect such information. Examples of good practices include: (i) design forms to collect only the information needed; (ii) direct responses to the requests for the information to go to a single location; (iii) if collected online, make sure the connection is secure; (iv) limit who has access to the information; and (v) after the information is captured and input, destroy all copies of the information other than as needed for appropriate documentation.
  • Ensure your vendors will protect this information. The IRS reporting regulations permit the use of third party vendors to assist employers in the reporting process. Whether the vendor is a “business associate” under HIPAA or a third-party service provider under state law, employers should be sure the vendor is contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.

Employers navigating through ACA compliance and reporting requirements have many issues to be considered. How personal information or protected health information is safeguarded in the course of those efforts is one more important consideration.

Employer FAQs: Responding to the Anthem Breach

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem’s CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs), seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). To assist employers, we prepared some FAQs that can be accessed at the link below, along with some key considerations and action items.

Click here for Employer FAQs concerning the Anthem breach. 

Ethics Case Alleging Improper Social Media Access May Proceed

As we previously reported, sending a “friend” request to access information on an individual’s Facebook page that is not publicly available may have serious ethical implications.  Specifically, the New Jersey Office of Attorney Ethics (OAE) alleges John Robertelli and Gabriel Adamo violated the Rules of Professional Conduct, including those governing communications with represented parties, when they caused a paralegal to “friend” the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page.

In an attempt to end the disciplinary action against them, the attorneys brought a declaratory judgment action against the state ethics authorities for lack of subject matter jurisdiction. Today, an appeals panel upheld the dismissal of that declaratory judgment action, finding that only the New Jersey Supreme Court can decide the appropriateness of bringing an ethics case. As such, the matter returns to the OAE for decision and/or further proceedings.

This case highlights the need for care when conducting investigations into an adverse party and the limits on accessing truly non-public information contained in social media.

NJ Amends Do Not Call Law

Last week, New Jersey’s Governor, Chris Christie (R), signed a bill which will allow telemarketing companies to make sales calls to mobile devices when the call is made to a customer with whom an existing relationship exists or in response to the customer’s written request.

While many companies focus on complying with the Telephone Consumer Protection Act (TCPA), companies who conduct outgoing calling campaigns cannot overlook state laws which may be more restrictive than the TCPA. New Jersey’s law, for example, applies to all telemarketing calls, regardless of whether an automatic dialing system is utilized. As we have previously detailed, to fall within the TCPA, companies need to utilize automatic telephone dialing systems to make the calls in question.

The signed bill (S.1382) immediately amends N.J. Stat. Ann. § 56:8-130, New Jersey’s do not call law, to prohibit only unsolicited telemarketing calls to mobile devices.  Prior to the amendment, all telemarketing calls to mobile devices, regardless of whether an automatic telephone dialing system was used, were prohibited unless the call was from a commercial mobile service company to its customers and related to the company’s mobile services.

New York Attorney General Seeks Stronger Data Breach Notification Law and Data Security Safeguards

Written by Jeffrey M. Schlossberg

Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. If passed, the Attorney General said that the “new law will be the strongest, most comprehensive in the nation.” In announcing the proposal, the Attorney General cited his 2014 report finding that the number of reported data security breaches in New York more than tripled between 2006 and 2013.

The proposal would be a significant change to the state’s current definition of what constitutes private information (which has not been updated since 2005), which includes a person’s social security number; driver’s license number or non-driver identification card number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The proposed law would expand the definition of protected personal information to include medical history and health insurance information.

Additionally, and similar to the approach taken in Florida when it rewrote its breach notification law, the proposed bill would require all companies to have reasonable data security measures, including administrative, technical, and physical safeguards and to obtain independent data security certification. As an incentive for adopting strong data security standards, the law would provide companies with some protection from liability in civil lawsuits if they can demonstrate having taken adequate steps to protect private information from being hacked or inadvertently released.

The Attorney General will need sponsors in the New York State legislature to introduce a bill that would advance his agenda, although the New York Assembly has already introduced Bill A10190 which would amend the Empire State’s existing breach notification law to require entities which conduct business in the state, and which own or license computerized data which includes private information to develop, implement, and maintain a comprehensive information security program. However, whether or not either effort is successful, these attempts together with President Obama’s call for a national standard for data breach notification and efforts in other states indicate the heightened attention being given to data privacy and the impact of data breaches.