European Parliament: EU-U.S. Privacy Shield Needs Further Improvement

Earlier today, the European Parliament passed a non-legislative resolution saying the EU Commission should go back to negotiating with the United States to remedy “deficiencies” in the proposed EU-U.S. Privacy Shield for EU citizens’ data which is transferred to the US for commercial purposes.

The resolution, which passed by a vote of 501-119, with 31 abstentions, acknowledged the efforts of the EU Commission and the US Administration to achieve “substantial improvements” in the Privacy Shield as compared to the EU-U.S. Safe Harbour which it is meant to replace.  However, the Members of the European Parliament (MEPs) voiced concerns about “deficiencies” including:

  • the US authorities’ access to data transferred under the Privacy Shield,
  • the possibility of collecting bulk data, in some cases, which does not meet the criteria of “necessity” and “proportionality” laid down in the EU Charter of Fundamental Rights,
  • the proposed US ombudsperson, a new institution that MEPs accept is a step forward, but believe to be neither “sufficiently independent”, nor “vested with adequate powers to effectively exercise and enforce its duty”, and
  • the complexity of the redress mechanism, which the Commission and US administration need to make more “user-friendly and effective.”

The MEPs called on the European Commission to conduct periodic “robust reviews” of its decision that Privacy Shield protections are adequate, particularly in the light of the new EU data protection rules which are to take effect in two years.

Parliament’s resolution follows, and largely supports, the April 13, 2016, opinion of the Article 29 Working Party on the Privacy Shield. While the European Parliament’s resolution and the Article 29 Working Party’s opinion are not binding on the European Commission, both the resolution and opinion raise serious doubts as to when, if at all, the thousands of companies who relied on the invalidated EU-U.S. Safe Harbour will ever be able to rely on the EU-U.S. Privacy Shield for their data transfer needs.

FTC Issues Guidance for Background Screening Companies

Employers regularly turn to background screening companies in order to obtain information/reports about applicants and employees.  The Fair Credit Reporting Act (FCRA) applies to companies that sell or provide these background screening reports if such a report meets the FCRA’s definition of a “consumer report.”   A consumer report is a report which serves as a factor in determining a person’s eligibility for employment, credit, insurance, housing, or other purposes and includes information bearing on an individual’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.  Organizations that sell or provide consumer reports to employers are considered “consumer reporting agencies” under the FCRA.

To assist companies that compile background information for employment purposes to understand whether they are considered a consumer reporting agency and thus subject to the requirements of the FCRA, the Federal Trade Commission (FTC) recently issued guidance entitled “What Employment Background Screening Companies Need to Know About the Fair Credit Reporting Act.”  In addition to explaining the legal requirements for consumer reporting agencies, the FTC clarified that if you compile a consumer report containing public record information which is used for employment purposes, you still have obligations under FCRA, including notifying the subject of the consumer report or maintaining strict procedures to ensure the accuracy of the public record information.

Importantly, the FTC explained that even if you do not think of your organization as a consumer reporting agency, if you provide information about applicants or employees to an employer, you may be one.


Facebook’s “Trending” Section and Human Resources Analytics

According to a recent New York Times article, “Facebook scrambled on Monday to respond to a new and startling line of attack: accusations of political bias.” Slate followed with a report that the online social networking giant became the subject of a United States Senate inquiry, with Commerce Committee Chairman John Thune wanting information about how Facebook chooses stories for its “Trending” section, among other things. According to the reports, Facebook promotes its Trending section as an algorithmic tool that identifies the stories people using the site are most interested in at a given point in time, while former “curators” of the section tell a different story, that Facebook’s Trending section is a more subjective tool than users may realize.

Either way, the controversy raises an interesting issue – if Facebook’s Trending section is primarily driven objectively by algorithms (and not curators), could the algorithms be biased politically? If so, could algorithms used in other contexts also have embedded biases, albeit unintentional ones? If algorithms were deployed in the area of human resources, could conscious or unconscious bias undermine the employer’s desired results and violate existing employment laws, such as Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, and the Americans with Disabilities Act?

We wrote about a recent FTC report discussing some of these concerns, including the potential for liability from uses of data analytics based on “disparate treatment” or “disparate impact” theories. We noted there that facially neutral policies or practices that have a disproportionate adverse effect or impact on a protected class create a disparate impact, unless those practices or policies further a legitimate business need that cannot reasonably be achieved by means that are less disparate in their impact.

Employers and their data scientists with appropriate counsel should consider these issues carefully to ensure their enormously powerful and valuable analytics programs produce reliable results with minimal legal risk.

Nebraska Amends Data Breach Notification Law

On April 13, 2016, Nebraska’s breach notification statute was amended when Governor Pete Ricketts signed LB835 into law. The amendment made a variety of changes, including adding a regulator notification requirement and broadening the definition of “personal information” in the state data breach notification statute, Neb. Rev. Stat. §87-802 – 87-804. These amendments become effective on July 20, 2016.

Specifically, the bill makes the following changes:

  • Attorney General Notification. The amendment requires notice to the State’s Attorney General concurrent with notice provided to affected individuals. These notices must be provided as soon as possible and without unreasonable delay consistent with law enforcement needs and the time necessary to determine the scope of the breach. This change follows a number of other states, such as California, Connecticut, Florida, Indiana, Maryland, Massachusetts, New Hampshire, New York, and North Carolina, which also require notification to the respective state’s Attorney General or other agency. Because the timing, form, content and manner of delivery of these notices vary state to state, organizations should take agency notifications into account when engaging in breach preparedness planning.
  • Personal Information Definition Expanded. The definition of “personal information” was amended to add a user name or email address, in combination with a password or security question and answer that would permit access to an online account, which, if acquired by an unauthorized person, would require notice. Recognizing the breadth of information consumers store online, Nebraska will become the fifth state, joining California, Florida, Nevada and Wyoming to require notification in the event of a breach of account credentials.
  • Encryption Exception Clarified. As amended, the state’s breach notification law provides that data will not be considered encrypted for purposes of avoiding notification if the breach of security includes acquisition of the encryption key or confidential encrypted method.

The notice obligations that are triggered when organizations have a breach of the security of their systems involving personal information continue to evolve. Preparedness is key, so take some time to develop a response plan, and practice it.

Employers Beware of Phishing Scams

On April 20, 2016, a class action lawsuit was filed in the United States District Court, Southern District of California against Sprouts Farmers Market, Inc. The lawsuit was initiated by a former employee whose W-2 was allegedly disclosed as part of a phishing scam that occurred in late March 2016 amid reports that Sprouts’ employees had their IRS tax refunds stolen. According to the complaint, the W-2s of Sprouts’ employees were disclosed to a third party as a result of the phishing scam.

This sort of internet scam, referred to as “phishing,” occurs when someone attempts to acquire sensitive or confidential information under the guise of a legitimate request. For the average internet user, phishing scams often come in the form of a fake email from a bank or other financial institution asking you to click on a link to confirm your password on a web site that looks like a legitimate web site for the business. The fake web site often uses the actual logos and branding from a legitimate site to trick the user.

In this case, the complaint alleges that an email purporting to be from a Sprouts executive was sent to an employee in the payroll department asking for the W-2s of all Sprouts’ workers. The employee responded to the email, sending the W-2s of approximately 21,000 Sprouts employees. Unfortunately, Sprouts later discovered that the original email requesting the information was not legitimate, and notified the authorities.

The class action complaint alleges that Sprouts was negligent in its protection of private employee information, violated California Civil Code sections 1798.80 et seq. (including California’s data breach law), and engaged in unfair business practices in violation of California Business and Professions Code section 17200. The complaint alleges that while Sprouts offered credit monitoring services for 12 months for the impacted employees, the service chosen did not protect against identity theft, and only notifies the consumer after identity theft or other fraudulent activity has occurred. The complaint also alleges that Sprouts had “lax” security procedures for its employee data, and concealed that fact from its employees.

This case highlights the necessity that employers have protocols in place to protect employee information, and the risks associated with not having such protocols in place.


EEOC Files Suit Targeting Employment Application “Health History”

On March 22, 2016, the Equal Employment Opportunity Commission (“EEOC”) filed suit in the United States District Court for the Western District of Missouri against Grisham Farm Products, Inc. alleging that its employment application violated the Americans With Disabilities Act (“ADA”) and the Genetic Information Non-Discrimination Act (“GINA”). Equal Employment Opportunity Commission v. Grisham Farm Products, Inc. 16-cv-03105.  According to the EEOC’s Complaint, Grisham

violated the ADA and GINA by requiring job applicants . . . to fill out a three-page ‘Health History’ before they would be considered for a job.

Plaintiff applied for a warehouse position at Grisham. The application contained 43 “yes or no” health-related questions. The questions were ones that might be seen when visiting a physician for the first time. For example, the EEOC’s Complaint alleges that the application inquired whether in the past 10 years, the applicant had (alphabetically) allergies, arthritis, bladder infections, eating disorders, gallstones, sexually transmitted diseases, etc. The form also inquired about prior hospitalizations, HIV infection, treatment for alcoholism, and whether the applicant “consulted a doctor, chiropractor, therapist, or other health care provider in the past 24 months.”

The application’s Health History section stated in large letters that:

All question must be answered before we can process your application.

According to the EEOC, after answering the first question, plaintiff stopped. Plaintiff had medical conditions and disabilities he would have revealed had he fully and completely answered each question. The EEOC claims that the plaintiff believed he did not have to reveal his medical history to any potential employer. As such, he telephoned Grisham Farm, and a company representative with whom he spoke said that if the health history was not fully completed, it would not accept his application. According to the Complaint, Sullivan refused to complete the health history.

In addition to requesting a permanent injunction against Grisham Farm from making any pre-employment medical inquiries, the EEOC suit seeks monetary and punitive damages for the plaintiff.

In a statement issued in conjunction with the filing of the Complaint, the EEOC referred to the health form as being “among the most egregious we have seen.” This case should serve as a reminder to employers that pre-employment health inquiries can be made only after a conditional offer has been made, if the inquiries are made to all applicants for that job category, and provided the inquiries are job-related and consistent with business necessity.

Tennessee Amends Breach Notification Statute

On March 24, 2016, Tennessee’s breach notification statute was amended when Governor Bill Haslam signed into law S.B. 2005.

Under the amendment, notification of a data breach must now be provided to any affected Tennessee resident within 45 days after discovery of the breach (absent a delay request from law enforcement). Previously, and like the vast majority of states, Tennessee’s statute required disclosure of a breach to be made in the most expedient time possible and without unreasonable delay. Florida, like the Volunteer State, previously amended its breach notification statute to also require notification within a set time period.

Perhaps even more important than the specific timing requirement for notice, S.B. 2005 also amends Tennessee’s statute to remove the provision in the existing statute requiring notice only in the event of a breach of unencrypted personal information.  Accordingly, by expanding this provision, it appears Tennessee will be the first state in the country to require breach notification regardless of whether or not the information subject to the breach was encrypted.

Lastly, the bill also amends the statute to specify an “unauthorized person” includes an employee of the information holder who is discovered to have obtained personal information and intentionally used it for an unlawful purpose.  This amendment is likely focused on entities which failed to provide notification of data incidents which were the result of improper access by employees.

The law takes effect July 1, 2016.

FCC Chair Proposes New Broadband Rules

One year ago, in March 2015, the Federal Communications Commission (“FCC”) reclassified broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act.  At that time, however, the FCC recognized that the then-current rules were not well suited to broadband privacy.  On March 10, 2016, the FCC’s Chairman Tom Wheeler circulated for consideration by the full Commission a Notice of Proposed Rulemaking (“NPRM”) that effectively represents the start of the process of adopting rules suitable to broadband service.

The proposed rules would be built on three core principles: Customer choice, transparency, and data security.

Choice – Internet Service Providers (“ISPs”) would be required to provide customers with varying degrees of choice (i.e., no consent required, opt-out or opt-in), depending on how the customer’s personal information is used.

Transparency — ISPs would be required to disclose in “an easily understandable and accessible manner” the types of information they collect, how they use that information, and the circumstances in which they will share customer information with third parties.

Security — The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure. And, at a minimum, the proposal would require broadband providers to adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.

In order to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information, the Chairman’s proposal includes common-sense data breach notification requirements. Specifically, in the event of a breach, providers would be required to notify:

  • Affected customers of breaches of their data no later than 10 days after discovery.
  • The Commission of any breach of customer data no later than 7 days after discovery.
  • The Federal Bureau of Investigation and the U.S. Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach.

The proposed rule would apply exclusively to providers of broadband Internet access service and not to providers such as Amazon and Facebook or other operators of social media websites.

The proposal will be voted on by the full Commission on March 31, and, if adopted, would be followed by a period of public comment.

Check Your Spam Filter, You Might Have Been Selected for a HIPAA Audit!

Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business associates should focus on.

Every covered entity and business associate is eligible for an audit. So, don’t think that because you are a small health care provider or sponsor a group health plan for employees you will be out of the Program’s reach. Auditee selection will be based on a number of criteria, including size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. The OCR appears to be looking to examine a healthy cross-section of covered entities and business associates. On the bright side, OCR stated it will not commence an audit under the Program where there is an open complaint investigation or a current compliance review.

Potential auditees will be screened. OCR may send a questionnaire to covered entities asking them to identify their business associates and provide their contact information. OCR warns that if it does not receive responses to these requests it will use publicly available information to create its audit pool, and nonresponsive entities still may be selected for an audit or subject to a compliance review. In fact, OCR informs covered entities and business associates that it expects them to check their junk or spam email folders for OCR communications about the Program.

…we expect you to check your junk or spam email folder for emails from OCR

The Program will include Desk Audits, followed by On-site Audits. The first stage of the Program will involve desk audits for covered entities, followed by desk audits for business associates, all of which will be completed by year end. After that, audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit. The audits will examine compliance with specific requirements of the HIPAA Privacy, Security, or Breach Notification Rules. So, for example, OCR might want to look at your documented risk assessment, or your breach notification response plan. Auditees will be notified of the subject(s) of their audit in a document request letter, but OCR confirmed the audits will not cover compliance with state privacy laws.

Consider the audit process and timeline. Covered entities and business associates selected for a desk audit should expect to receive an email informing them of the selection and requesting documents and other data. Auditees will be able to submit documents on-line via a secure audit portal on OCR’s website. OCR expects that the documents and data will be provided within 10 business days of the request.

After submitting the documents and data, auditees will receive draft findings from OCR. Auditees will then have 10 business days to review and return written comments to the auditor. Auditees should expect to receive a final audit report within 30 business days.

Onsite audits will follow a similar process. The auditors will schedule an entrance conference to discuss the audit, which can be expected to take place over three to five days onsite, depending on the size of the entity. These will be more comprehensive and cover a wider range of requirements from the HIPAA Rules. Like the desk audit, entities will have 10 business days to review the draft findings and provide written comments, and they will be provided a final audit report.

Don’t want to respond? Entities that do not respond to OCR communications still may be selected for audit or be subject to a compliance review. As noted, the agency will use public means to find you.

We’ve been audited, now what? OCR states that the Program is primarily a “compliance improvement” activity, through which it can better understand compliance efforts, and determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Of course, if OCR finds a serious compliance issue, it may initiate further investigation.

There may be publicity surrounding audits. OCR states that it will not post a list of audited entities or the findings of an individual audit identifying the audited entity. However, OCR reports that it will comply with Freedom of Information Act (FOIA) requests which could make the results of your audit public.

For now, covered entities and business associates should be on the look-out for communications from OCR and be prepared to respond. It goes without saying that they also should use this as an opportunity to assess their compliance and take steps now to address any gaps.

Should We Train Our Employees About Good Data Privacy and Security Practices?

Yes! It is the law in more places and circumstances than you suspect.

Late last year, The Wall Street Journal reported on a survey by the Association of Corporate Counsel (“ACC”) that found “employee error” is the most common reason for a data breach. CSOOnline reported on Experian’s 2015 Second Annual Data Breach Industry Forecast, stating:

“Employees and negligence are the leading cause of security incidents but remain the least reported issue.”

According to Kroll, in 31% of the data breach cases it reviewed in 2014, the cause of the breach was a simple, non-malicious mistake. These incidents were not limited to electronic data – about one in four involved paper or other non-electronic data.

No business wants to send letters to individuals – employees or customers – informing them about a data breach. Businesses also do not want to have their proprietary and confidential business information, or that of their clients or customers, compromised. Unfortunately, no “silver bullet” exists to prevent important data from being accessed, used, disclosed or otherwise handled inappropriately – not even encryption. Companies must simply manage this risk through reasonable and appropriate safeguards. Because employees are a significant source of risk, steps must be taken to manage that risk, and one of those steps is training.

It is a mistake to believe that only businesses in certain industries like healthcare, financial services, retail, education and other heavily regulated sectors have obligations to train employees about data security. A growing body of law coupled with the vast amounts of data most businesses maintain should prompt all businesses to assess their data privacy and security risks, and implement appropriate awareness and training programs.

Data privacy and security training can take many forms. Here are some questions to ask when setting up your own program, which are briefly discussed in the report at the link above:

  • Who should design and implement the program?
  • Who should be trained?
  • Who should conduct the training?
  • What should the training cover?
  • How often should training be provided?
  • How should training be delivered?
  • Do we need to document the training?

No system is perfect, however, and even a good training program will not prevent data incidents from occurring. But the question you will have to answer for the business is not why didn’t the company have a system in place to prevent all inappropriate uses or disclosures. Instead, the question will be whether the business had safeguards that were compliant and reasonable under the circumstances.