
Workplace Privacy, Data Management & Security Report

Supreme Court Will Address Impact of Offer of Judgment in TCPA Class Actions

On May 18, 2015, the United States Supreme Court granted a petition for a writ of certiorari to address (1) whether a case becomes moot when the plaintiff receives an offer of complete relief on his claim and (2) whether the answer to the first question is any different when the plaintiff has asserted a class claim under Federal Rule of Civil Procedure 23, but receives an offer of complete relief before any class is certified.  The Court will also address the applicability of the doctrine of derivative sovereign immunity.

The case, Campbell-Ewald Co. v. Gomez, No. 14-857, comes before the Court on the petition of Campbell-Ewald after the Ninth Circuit ruled on September 9, 2014, that Campbell-Ewald could be held liable under the Telephone Consumer Protection Act (TCPA) for text messages it sent to approximately 100,000 individuals in connection with Navy recruitment.

In the underlying case, Campbell-Ewald offered the plaintiff, Jose Gomez, $1503 per violation of the TCPA.  The TCPA permits statutory damages ranging from $500 to $1500 per violation.  Accordingly, Campbell-Ewald’s offer would have afforded Gomez the full measure of damages available to him.  Gomez rejected the offer by allowing it to lapse in accordance with its terms.  Campbell-Ewald then moved to dismiss the case under Rule 12(b)(1), arguing that Gomez’s rejection of the offer mooted both his individual claim and the putative class claims.  In support of its motion, Campbell-Ewald argued that the Supreme Court’s holding in Genesis Healthcare Corp. v. Symczyk was controlling.  In denying Campbell-Ewald’s motion, the Ninth Circuit held that the plaintiff’s individual claim was not mooted by his refusal to accept a settlement offer under Federal Rule of Civil Procedure 68, commonly known as the Offer of Judgment Rule.  The Ninth Circuit further held that the putative class claims were not moot because an unaccepted offer of judgment, for the full amount of the named plaintiff’s individual claim and made before the named plaintiff files a motion for class certification, does not moot a class action.  The Ninth Circuit rejected Campbell-Ewald’s reliance on Genesis, finding that the Genesis holding, which involved a collective action brought under the Fair Labor Standards Act, does not apply to class actions brought under Rule 23, such as claims for violations of the TCPA.

It is expected that the Supreme Court’s decision in this case will resolve a split among the Circuit Courts as to whether a full offer of relief to the named plaintiff ends the case.  As we previously discussed, the Eleventh Circuit, like the Ninth Circuit, has held that an unaccepted offer of judgment to a named plaintiff does not moot the named plaintiff’s claims.  In contrast, the Seventh Circuit has held that an offer of judgment to the named plaintiff, made prior to the filing of a motion for class certification, can moot the class action.  Because a plaintiff’s damages under the TCPA are specified by statute and thus easily ascertainable, this split has likely affected the defense and prosecution of TCPA claims.  In particular, the plaintiffs’ bar may prefer to bring TCPA claims in a Circuit where an offer of judgment cannot render a class action moot, while the defense bar may seek to use the offer of judgment to eliminate potential class claims where only a limited number of plaintiffs are actually named in the suit.

The Supreme Court’s decision in this case will likely have a significant impact on TCPA claims, as well as on class actions brought pursuant to Rule 23.  Should the Court agree with Campbell-Ewald, a TCPA defendant will be permitted to address a specific plaintiff’s damages without concern for a theoretical class of plaintiffs.  By contrast, should the Court disagree with Campbell-Ewald, defendants will need to reconsider how they defend, and seek to resolve, class action complaints brought under the TCPA.

For additional insight, please see the related post from our Class and Collective Action group.

Will Your Cyber/Breach Insurance Be There When You Need It?

The answer to this question may depend on the actions that the insured takes when it applies for coverage and during the period the policy is in force. The demand for cyber insurance intended to cover exposures from data breaches, among other things, has exploded in recent years, reports The Hill. This is due in large part to the many widely reported data breaches affecting large, well-known companies. Now that more claims are coming in, carriers are looking with more scrutiny at the representations made by their policyholders when they applied for the coverage, as well as their actions during the period of coverage. Carriers consider these representations and anticipated security practices to be critical to the underwriting process and conditions on which the coverage is based. In short, inaccurate representations, or failing to carry out the data security practices promised, could leave a policyholder without coverage.

Business Insurance reported last week that a cyber insurance carrier is asking a California court whether it has to pay out on a $4.1 million data breach settlement under a policy issued to one of its policyholders. The carrier’s reasoning: an exclusion in the policy provides that it does not have to pay if the insured failed to meet the “minimum required practices” that the insured said it would follow when it completed its insurance application.

According to Business Insurance, the breach allegedly occurred when the insured (or one of its third party vendors) had “stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect” the data. The class action lawsuit against the insured that followed the incident settled for $4.1 million, which the insured likely believed would be covered in whole or in part under the policy. However, the carrier claims the insured failed to take the measures it promised to take in its insurance application, citing failures to implement data security controls, to check and maintain security patches, to regularly assess risks, and to have systems in place to identify and address security incidents.

This certainly is not the first case involving a carrier’s challenge to the amount it has to pay under a data breach policy, and it will not be the last. But for companies that have purchased a policy, it is an important reminder that insurance policies are essentially contracts, and if the company seeking the coverage does not meet its end of the bargain (beyond just paying the premiums) the insurer may not have to meet its obligations, leaving the policyholder with an unexpected exposure.

Companies that purchase data breach coverage often have to complete lengthy applications and questionnaires that delve into their data security practices and procedures. These applications and questionnaires need to be answered carefully because, as seen from the case above, they can be used by the carrier to deny coverage, which is not an uncommon practice regardless of the type of coverage. Additionally, these applications and questionnaires often reflect not only a snapshot of a company’s data security risk and practices, but also policies and procedures that carriers expect will remain in place as a condition of the coverage.

So, the message is clear, companies that purchase data breach insurance and expect to benefit under the policy should a breach occur will need to carefully review and abide by the conditions for coverage under the policy. In particular, when it comes to the applications and questionnaires that must be completed as part of the underwriting process, they should be reviewed and considered by various departments throughout the company in order to be sure the responses accurately reflect the data security practices in place at the time of underwriting. Additionally, steps need to be taken to ensure that these practices are being implemented during the policy period. The underlying message is that insurance cannot be the only thing that addresses an organization’s information risk. And, of course, this is important from a compliance perspective since many of the data security practices referenced in these questionnaires and applications are practices that are required to one degree or another by various federal or state laws.

SEC’s Division of Investment Management Issues Cybersecurity Guidance

In Guidance Update No. 2015-02, the Division of Investment Management (Division) of the Securities and Exchange Commission (SEC) issued some high-level suggestions concerning the importance of cybersecurity for registered investment companies and registered investment advisers. The guidance outlines a number of measures these entities should consider for addressing cybersecurity risks. Of course, while some of these and other measures may have specific application to certain sectors of the financial services industry, many of these measures can and should be applied in most organizations, regardless of industry.

Increasingly, companies are realizing the need to tighten their policies and practices concerning information risk, but are not sure where to start or what framework to follow. There are, for sure, industry specific rules and regulations, such as the HIPAA privacy and security regulations that apply to healthcare providers, healthcare clearinghouses, health plans and their respective business associates, as well as state law mandates, such as the data security regulations in Massachusetts. The endnotes in this Guidance discuss and provide helpful links to more specific SEC rules concerning the safeguarding of personal information, such as the Red Flags rules. But among these standards are a number of common threads, many of which are contained in the Division’s guidance referred to above. These include:

  • Conduct a risk assessment designed to help the company understand the “nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses” as well as the effectiveness of its governance structure to ensure appropriate controls are in place. This should be done regularly, perhaps annually. It also should be done when there are material changes in the business that are reasonably likely to alter the risks to sensitive data.
  • Develop access management policies. Not everyone in an organization should have access to all of its data. The first step is finding out who has access to what. See first bullet above…you might be surprised by what you find; scale back from there.
  • Prepare a written information security program that addresses necessary and appropriate administrative, physical and technical safeguards that you have implemented.
  • Strengthen perimeter defenses – maintain up-to-date firewalls and anti-malware and antivirus protections, and keep their signatures and patches current. The federal Office for Civil Rights claimed a healthcare provider failed to do this, and it cost the company $150,000.
  • Get control of mobile storage devices and consider whether a more formal “Bring Your Own Device” program is needed.
  • Address whether and under what circumstances encryption is warranted. Some implementations may slow down operations, but that level of protection may help the company avoid a significant exposure.
  • Develop and practice an incident response plan. Writing down a plan for responding to a data breach is a good start, but for the members of your team that would be called upon to carry out the plan, a few dry runs would be beneficial.
  • Don’t leave your staff in the dark about what you have done – train your employees and create security awareness throughout the organization.
  • Make sure the third party service providers that the company relies upon are taking similar steps to safeguard data on your behalf.
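
The second bullet above, finding out who has access to what before scaling back, is the step most firms get wrong because group membership nests and an ACL that names a group can quietly reach users nobody intended. The Python below is an added example written for this post, not part of the Division’s guidance: it resolves nested groups to per-user effective access and flags access to high-sensitivity resources that no expected group explains. The group, resource and policy data are constructed for illustration; in practice they would come from a directory and file-share or database ACL export.

```python
"""Entitlement review: resolve nested group membership to per-user effective
access, then flag access to sensitive data that no expected role explains.

Added example for this post, not part of the SEC guidance; the group,
resource and policy data below are constructed for illustration."""
from collections import deque

# Constructed directory export: group -> members (users or other groups).
GROUPS = {
    "all-staff": ["alice", "bob", "carol", "dave", "ops-team", "finance-team"],
    "ops-team": ["dave", "erin"],
    "finance-team": ["carol", "ops-team"],   # nested: ops staff inherit finance access
    "hr-team": ["bob"],
}

# Constructed ACL export: resource -> (sensitivity, principals granted read).
RESOURCES = {
    "client-pii-share": ("high", ["finance-team", "alice"]),
    "payroll-db": ("high", ["hr-team", "all-staff"]),   # over-broad grant
    "intranet-wiki": ("low", ["all-staff"]),
}

# Policy side: the groups expected to need each high-sensitivity resource.
EXPECTED = {
    "client-pii-share": ["finance-team"],
    "payroll-db": ["hr-team"],
}


def expand(principal, groups=GROUPS):
    """Resolve a user or group name to the set of users it represents,
    following nested groups; the visited set keeps membership cycles finite."""
    users, seen, todo = set(), set(), deque([principal])
    while todo:
        p = todo.popleft()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            todo.extend(groups[p])
        else:
            users.add(p)
    return users


def effective_access(resources=RESOURCES, groups=GROUPS):
    """resource -> set of users who can read it, after group expansion."""
    return {
        name: set().union(*(expand(p, groups) for p in acl))
        for name, (_, acl) in resources.items()
    }


def access_of(user, resources=RESOURCES, groups=GROUPS):
    """Answer 'who has access to what' from the user's side."""
    return sorted(name for name, users in effective_access(resources, groups).items()
                  if user in users)


def review(resources=RESOURCES, groups=GROUPS, expected=EXPECTED):
    """For each high-sensitivity resource, list users whose access is not
    explained by an expected group: the candidates to scale back."""
    findings = {}
    access = effective_access(resources, groups)
    for name, (sensitivity, _) in resources.items():
        if sensitivity != "high":
            continue
        allowed = set().union(*(expand(g, groups) for g in expected.get(name, [])))
        excess = access[name] - allowed
        if excess:
            findings[name] = sorted(excess)
    return findings


if __name__ == "__main__":
    for resource, users in review().items():
        print(f"{resource}: unexpected access for {', '.join(users)}")
    print("erin can read:", access_of("erin"))
```

Run against the constructed data, the review reports alice’s direct grant on the client PII share and the four non-HR users who reach the payroll database through the all-staff group. Note that erin is never named in any ACL yet can read client PII because ops-team is nested inside finance-team; that kind of inherited reach is what the “you might be surprised by what you find” remark is about, and it only shows up once the groups are expanded.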

Will following just these points mean you are 100% compliant with all of the company’s regulatory and contractual obligations pertaining to privacy and data security? Probably not. But they certainly will get you a lot closer and eliminate a substantial amount of risk.

Supreme Court to Examine Standing Under FCRA

The U.S. Supreme Court recently decided to hear a case brought under the Fair Credit Reporting Act (“FCRA”) to determine whether individual consumers have standing to sue a consumer reporting agency for statutory violations of the FCRA when no “actual damages” were suffered by the consumer.

The FCRA, like other privacy laws, imposes statutory damages on consumer reporting agencies for violations. When Congress enacted the FCRA, it also created a private cause of action for “consumers” against “consumer reporting agencies” for statutory violations, but it did not require a consumer to allege that the violation caused any actual harm.

The Supreme Court will likely approach the issue within the context of analyzing Congressional authority to confer Article III standing. The resolution of this separation of powers argument could have significant consequences for companies and employers covered by the FCRA and other privacy laws.

In Spokeo, Inc. v. Robins, the plaintiff consumer alleged that Spokeo, a website that aggregates personal data from public records and other online sources, failed to maintain procedures to assure the “maximum possible accuracy” of any consumer report it creates. According to the complaint, the consumer report for the plaintiff that was produced by Spokeo was not accurate and interfered with the plaintiff’s ability to obtain employment. The Ninth Circuit determined that while there may not be any consequential damages resulting from the inaccurate information, the harm to the plaintiff is inferred by the FCRA’s creation of a private cause of action for such violation.

This case could have a significant impact on class action lawsuits because those plaintiffs who may have otherwise been excluded for failing to allege actual damages would be included as class members.

Montana to Join Growing List of States Limiting Access to Social Media?

Earlier this month, legislators in Montana gave final approval to H.B. 342 which would limit an employer’s ability to access the personal social media accounts of applicants and employees.  The bill now goes to Governor Steve Bullock’s (D) office for consideration.

If signed, Montana would become the most recent state to join the list of 19 states which limit an employer’s access to personal social media accounts.  A similar bill was signed earlier this year in Virginia.  Like many of the other laws which have been passed on this issue, the Montana bill would prohibit:

  • Requiring prospective or current employees to share their login credentials;
  • Requiring an individual to access the account in a supervisor’s presence;
  • Requiring any communications which the individual made through their personal account to be turned over; and
  • Retaliating against applicants or employees for their refusal to disclose their personal social media information.

Notably, and unlike many of the laws already in place in other states, the proposed Montana law would permit employers to request login credentials when the employer has specific information about the employee’s activity that indicates work-related employee misconduct, criminal defamation, or the unauthorized transfer by the employee of the employer’s proprietary or confidential information, trade secrets or financial data.  Similarly, employees would be required to provide login credentials if required to ensure the employer is complying with federal laws, federal regulations or the rules of a self-regulatory organization, or if an investigation is underway and the information from the employee is necessary to make a factual determination in the investigation.

As previously mentioned, it is anticipated that similar legislation will continue to be introduced throughout 2015 and into the future.

EEOC Wellness Program Regulations Offer Best Practices for Medical Record Confidentiality

As reported on our Benefits Law Advisor, the EEOC has issued proposed wellness program regulations. Much of the attention to those proposed rules understandably will be how they would affect the incentives employers have implemented to spur their employees to engage in healthier behaviors. The proposed rules also address, however, the confidentiality provisions under the Americans with Disabilities Act and, in particular, offer suggestions about steps for complying with the confidentiality requirements, along with some best practices. Interestingly, while these rules are directed at wellness programs, the EEOC’s interpretive guidance may influence changes to existing practices for safeguarding employees’ medical records (those not covered by HIPAA) beyond merely separating medical files from personnel files and limiting disclosures of such information.

Wellness Programs and Coordination with HIPAA

The EEOC’s proposed regulations apply to those wellness programs that make disability-related inquiries or medical examinations. This could include wellness programs that are part of an employer-sponsored group health plan and those programs that are not.

For those wellness programs that are part of a group health plan, the privacy, security, breach notification and certain other rules under HIPAA apply to safeguard “protected health information.”  (The Office for Civil Rights issued some FAQs last week to address this issue.) And, the EEOC acknowledged in its proposed regulations that a wellness program that is part of a HIPAA covered entity (e.g., a group health plan) “likely will be able to comply with its obligation under section 1630.14(d)(6) by complying with the HIPAA Privacy Rule.” However, for such wellness programs, the EEOC also would require employers to notify employees of the following:

  • what medical information is being obtained,
  • the purposes for which it is being obtained,
  • who gets the medical information,
  • the restrictions on how it will be disclosed, and
  • safeguards in place to prevent unauthorized disclosure.

It is unclear whether the HIPAA Notice of Privacy Practices could be used to meet this requirement. Regardless of whether the wellness program is part of a group health plan (and also subject to HIPAA), the EEOC proposed regulations would permit employers to collect medical information as part of a wellness program only in aggregate form which does not disclose, and is not reasonably likely to disclose, the identity of specific individuals, except as is necessary to administer the program or as otherwise permitted under the ADA confidentiality rule. These rules also apply to agents of the employer that are administering the program for the employer.

Shaping the Obligations Under the ADA Confidentiality Rule

As noted above, for wellness programs that are part of a group health plan, complying with the HIPAA rules likely will be sufficient to meet some of the confidentiality requirements under the ADA. However, the EEOC’s interpretive guidance notes that employers must take steps to “protect the confidentiality of employee medical information” provided as part of a wellness program. The guidance goes on to reference steps that are required by law, as well as to suggest certain best practices. These include:

  • Proper training of individuals who handle medical information in the requirements of the HIPAA Rules, the ADA, and any other applicable privacy laws. Of course, privacy training is already required under HIPAA and some state laws, and is no doubt a best practice.
  • Employers also should have clear privacy policies and procedures concerning the collection, storage, and disclosure of medical information.
  • On-line systems and other technology should guard against unauthorized access, such as through use of encryption for medical information stored electronically.
  • Individuals who handle medical information that is part of a wellness program should not be responsible for making decisions related to employment. However, the guidance seems to acknowledge that for some employers that may not be practical and suggests that adequate firewalls be in place to prevent unintended disclosures.
  • Companies should be prepared to investigate and respond to breaches of confidentiality, and discipline should be imposed on workers who breach confidentiality. Likewise, where a third party vendor breaches confidentiality, the company should consider terminating its relationship with the vendor.

Again, while the EEOC’s proposed wellness program regulations are directed at wellness programs, they include guidance that may be looked to when assessing whether an employer has adequately met its ADA confidentiality requirements concerning employee medical information, whether or not in connection with a wellness program. As the rules for maintaining sensitive personal information confidentially and securely continue to strengthen, employers should consider revisiting their approach to compliance with the ADA confidentiality rule with respect to their wellness programs and generally.

Next Step in U.S. Postal Service Breach – NLRB Sues Postal Service

As discussed in an earlier post, shortly after the United States Postal Service reported a data breach potentially affecting hundreds of thousands of employees, the American Postal Workers Union filed an unfair labor practice (ULP) charge with the National Labor Relations Board alleging the Postal Service should have bargained with the union over the impact of, and response to, the security breach. That ULP charge has led to a complaint filed by the NLRB Regional Director for Region 5 in Baltimore, Maryland, claiming that the Postal Service was wrong not to bargain with the Union as requested.

It remains to be seen whether the Postal Service had a duty to bargain with the Union under the circumstances in this case. As we discussed earlier, however, entering into negotiations with one or more representative unions about the nature and extent of the response to such an incident likely would be an involved process, undoubtedly delaying notice to affected persons, along with the kinds of monitoring and other services typically provided to affected members and intended to help safeguard them from harm.  Such a delay is precisely counter to a key purpose of all of the breach notification laws – provide speedy notice. So what is a company to do that has workers represented by a union?

Businesses are beginning to see that data breaches are a real threat, and can affect any organization, large or small. Purchases of cyber insurance are up, and companies are beginning to take steps to be prepared. For example, many are vetting their policies and procedures to make sure they understand and have reasonably addressed their risks and vulnerabilities in order to minimize a breach in the first place. In addition to addressing risk through insurance, some companies will undergo “tabletop” exercises, a helpful tool that typically involves gathering key members of management together to run through various data breach scenarios and assess how prepared they really are.

Businesses with employees represented by unions have an additional challenge – is it better to risk a claim for undue delay in breach notification and mitigation by an employee or federal or state enforcement agency on account of union negotiations, or a charge by the union representing the employees that the company did not bargain with the union about the response. In addition to the steps referenced in the paragraph above, these businesses may want to consider including data breach response and related benefits as part of their overall labor relations strategies. That is, where possible, reach some agreement ahead of time with the union on how the company will respond to a breach in the event one occurs, and incorporate that agreement into the company’s data breach response planning. This will help the company be in a position to respond timely under the applicable breach notification law(s), and hopefully avoid confrontation with the union.

Virginia Joins List of States Limiting Employer Access to Social Media Accounts

Recently, Virginia Gov. Terry McAuliffe (D) signed a bill that limits employer access to the personal social media accounts of employees and job applicants.  The law, which takes effect on July 1, 2015, prohibits employers in Virginia from requiring, requesting, or causing a current or prospective employee to disclose the username and password to the individual’s social media account.  Additionally, the law prohibits employers from requiring an employee to add another employee, a supervisor, or an administrator to the list of contacts associated with the individual’s social media account or to change the account’s privacy settings.  We have prepared a detailed article discussing the new law.

In 2012, Maryland was the first state to prohibit employers from demanding social media passwords.  In a trend that is likely to continue, Virginia now becomes the 19th state to implement a workplace social media password privacy law.

Alabama Seeks To Become 48th State To Enact Breach Legislation

Alabama recently introduced a bill (S.B. 106) which would require notification in the event of a breach affecting the personal information of an Alabama resident.  While 47 states currently have laws requiring breach notification — most recently joined by Kentucky — New Mexico, South Dakota, and Alabama are the only states that do not.

Notably, the proposed legislation includes a number of novel provisions.  Specifically, the bill includes an expansive definition of “personal information” covering some data elements which many other jurisdictions do not currently define as “personal information.”  In particular (and in addition to more traditional data elements such as name, social security number and state identification number), the bill’s definition of “personal information” includes:

  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Further, if enacted the law would: apply to paper and/or unencrypted electronic personal information; require notification to affected individuals within 30 days after a breach determination; and include a risk of harm trigger providing that notice need not be provided if “the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.”  If notice is not provided, however, the decision must be documented in writing and maintained for 5 years.  Oddly, a copy of the determination not to provide notice would still need to be provided to the Attorney General, notwithstanding the fact that the bill only calls for Attorney General notification in the event of a breach affecting 500 or more residents of Alabama.

Lastly, and to address the growing number of payment card industry breaches, the proposed law requires businesses to not retain credit and debit card security code data, PIN verification numbers, or the full contents of any magnetic stripe data.  Entities who do experience a payment card data breach would be required to “reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”
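
The retention rule in that last paragraph is easier to apply once it is clear what a swipe actually contains. The Python below is an added example written for this post, not part of the bill or of any payment processor’s code: it parses the two magnetic stripe tracks laid out in ISO/IEC 7813, reduces a swipe to the fields that may be kept after authorization (dropping the full PAN and the discretionary data that carries the card verification value and PIN verification data), and scans free text such as application logs for raw track data that should never have been written. The track strings and log lines are constructed and use the widely published 4111 1111 1111 1111 test number, not a real card.

```python
"""What a card's magnetic stripe carries, what may be kept, and how to find
raw track data that leaked into logs.

Added example for this post, not from the Alabama bill; track strings and log
lines are constructed from the public ISO/IEC 7813 layout with a test PAN."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Either track embedded anywhere in text (sentinel, PAN, separator, YYMM+svc).
TRACK_IN_TEXT = re.compile(r"%B\d{12,19}\^[^^?]{2,26}\^\d{7}|;\d{12,19}=\d{7}")

# Constructed log excerpt: the first line stores a full track, the second only
# the truncated form that is acceptable to keep.
SAMPLE_LOG = (
    "2015-04-28 12:01:03 POS-7 swipe raw=';4111111111111111=2912101123456789?' amt=42.00\n"
    "2015-04-28 12:01:04 POS-7 auth ok pan=411111******1111 exp=2912 amt=42.00\n"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; separates a PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> dict:
    """Split a raw track into named fields, or raise ValueError."""
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        m = pattern.match(raw)
        if m:
            fields = m.groupdict()
            fields["track"] = track
            return fields
    raise ValueError("not a track 1 or track 2 string")


def mask_pan(pan: str) -> str:
    """First six and last four digits, the usual truncated form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storable_record(raw: str) -> dict:
    """Reduce a swipe to what may be retained after authorization.

    The full PAN and the discretionary data (CVV/CVC and PIN verification
    values live there) are dropped here and never written anywhere."""
    f = parse_track(raw)
    record = {"pan_masked": mask_pan(f["pan"]), "exp": f["exp"], "svc": f["svc"]}
    if f.get("name"):
        record["name"] = f["name"]
    return record


def find_track_data(text: str) -> list:
    """Scan free text for raw track data; return masked PANs of hits whose
    PAN passes the Luhn check, so timestamps and counters are not reported."""
    hits = []
    for m in TRACK_IN_TEXT.finditer(text):
        pan = re.search(r"\d{12,19}", m.group(0)).group(0)
        if luhn_ok(pan):
            hits.append(mask_pan(pan))
    return hits


if __name__ == "__main__":
    print(storable_record("%B4111111111111111^DOE/JANE^2912101123456789?"))
    print("track data found in log:", find_track_data(SAMPLE_LOG))
```

The scanner is the piece to run first: a retention rule like the bill’s (and the equivalent PCI DSS prohibition on storing sensitive authentication data) is usually broken not by the payment application itself but by debug logging, crash dumps and database backups that captured the raw swipe. The patterns are deliberately anchored on the sentinels and separators rather than on any 16-digit run, and the Luhn filter drops the remaining false positives.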

The bill was sent to the Alabama Senate’s Judiciary Committee for consideration.

Employee Apps = Employer Data Risk?

Many mobile app developers do not place a high priority on data security, as illustrated by a recent IBM/Ponemon study:

  • Fifty percent of mobile app developers have no budget for security.
  • Forty percent of companies don’t scan mobile app codes for vulnerabilities.
  • The average company tests less than half of the apps it builds for security issues.
  • Thirty-three percent of companies never test any apps for security.

Such vulnerabilities have contributed to over one billion personal data records being compromised last year alone.  In addition, studies show that 11.6 million mobile devices are affected by malware at any given time.

The risk involved with mobile apps is extended to employers when employees access or maintain company electronic information using their personal devices. Many employers have a “Bring Your Own Device” program, others do not and may not realize how much of their data is stored on their employees’ personal devices. In either case, the company’s data is at risk. According to the same IBM/Ponemon study, a majority of employees (over fifty-five percent) define themselves as heavy app users yet indicate that their employer does not have a policy which defines the acceptable use of mobile apps in the workplace.  An even larger majority of employers (67%) do not review or vet the downloading of mobile apps in the workplace.  Most employers allow employees to use and download business apps on their personal devices without monitoring for potential security issues.

Employee use of their own devices in the workplace can bring increased productivity and morale, but also raises a number of risks. Developing and implementing a comprehensive BYOD program can help to mitigate those risks, including those that apps present. Many employers are probably not even aware of this potential “app” risk to electronic company information.  Employers are advised to move quickly to address potential security risks to company confidential information, including those created by the use of mobile apps.