Header graphic for print

Workplace Privacy, Data Management & Security Report

Postal Workers Union Complains to NLRB About Post Office Data Breach

Labor law commentary by Howard Bloom.

After being hit with a data breach, the last thing a company might want is the scrutiny of the union representing its employees affected by the incident. When the data breach potentially affecting hundreds of thousands of United States Postal Service employees was reported, it was not long after that the American Postal Workers Union filed an unfair labor practice with the National Labor Relations Board. The Union alleges that the Postal Service should have bargained with the union over the impact of the security breach. (Regarding impact, the Postal Service reportedly is offering employees a one-year of free credit monitoring through Equifax, but the union believes the Postal Service did not have the legal right to decide to offer the Equifax subscription without first offering to Bargain with the union.)

While none of the data breach notification statutes include an employee’s labor union as one of the parties entitled to notice of a breach, the APWU is making the argument that the National Labor Relations Act required the Postal Service to let it be involved in the discussions on how to address the breach and the negative consequences on employees. APWU President Mark Dimondstein acknowledged receiving a call from Postmaster General Patrick Donahoe concerning the breach, but apparently wanted to be more involved.

A primary purpose of most if not all data breach notification laws is to provide the required notice to individuals affected by the breach so they can take appropriate steps to protect their information and identity. All of the state data breach notification laws and HIPAA generally require notification be provided without unreasonable delay. Some laws provide an outside date by which notice must be provided – e.g., not more than 30, 45 or 60 days following discovery. But the rule is to provide notice as soon as possible, without unreasonable delay.

When a breach is discovered there are many steps companies must go through to be in a position to respond without unreasonable delay, a time frame that is not clearly defined and is influenced by a variety of circumstances. For instance, among many other steps, companies must immediately investigate the nature and scope of the incident which can involve a significant amount of forensics and research, stop the breach if it is continuing, determine who was affected, understand the applicable legal and compliance requirements, coordinate with law enforcement and state Attorneys General, as applicable, gather up to date contact information to the extent available, and coordinate with vendors regarding mailing letters, credit monitoring and other services for affected persons. Entering into negotiations with one or more representative unions about responding to such an incident before the notifications go out likely would be an involved process that would further delay the notice to affected persons.

However, depending on how the NLRB charge turns out, employers may have to interact more closely with their employees’ union representatives when employee personal information may have been breached. Of course, employers should expect that, as here, the union may make further the inquiry into the company’s data privacy and security practices in an effort to protect its members and seek additional leverage in negotiations. For these reasons, companies need to revisit (develop if they have not already) their data breach response plans and consider additional steps they might want to take, if any, to involve the union. Additionally, companies should take steps to ensure that employee personal data is safeguarded in accordance with applicable law and best practices.

FTC Enters Another Settlement Agreement Arising Out of Alleged Privacy Misrepresentations

The FTC recently settled a charge with True Ultimate Standards Everywhere, Inc. (“TRUSTe”) alleging that the internet privacy certification company deceived consumers about its recertification program, as well as misrepresented itself as a non-profit entity when, in fact, it had converted to a for-profit company. TRUSTe is a well-known internet privacy watchdog. Its seal is recognized as connoting a safe place for a consumer to conduct an on-line transaction. As set forth on TRUSTe’s website “[i]f you see a TRUSTe seal on that policy, you can be confident that website is transparent about its privacy practices and respects your online privacy. And if you have a privacy concern with any site that displays our privacy seal, TRUSTe will help you resolve them promptly.”

According to the FTC complaint, TRUSTe misrepresented the frequency of TRUSTe seal recertification. Specifically, the complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertification over 1,000 times, despite making statements that companies holding TRUSTe Certified Privacy Seals were recertified annually. FTC also alleged that in the time since TRUSTe converted from a not-for-profit to a for-profit company, it did not require its customers to update references to TRUSTe’s nonprofit status on their websites.

The terms of the TRUSTe consent decree are not modest. In avoiding a court battle, TRUSTe has accepted a laundry list of terms from the FTC. It agrees not to misrepresent its certification procedures or the time periods for recertification. It also agrees to be transparent about its for-profit status.

In keeping with a trend in FTC consent decrees, much of the meat in the order is in the future regulatory oversight TRUSTe can expect from FTC. TRUSTe agreed, in its role as a COPPA safe harbor, to provide detailed information about its COPPA-related activities in its annual filing to the FTC, as well as maintaining comprehensive records about its COPPA safe harbor activities for ten years. These requirements will likely bring with them significant cost and administrative burden. On top of the reporting and other requirements, TRUSTe will also pay a $200,000.00 penalty.

This consent decree is another in a line of FTC settlements that (1) target alleged misrepresentations to consumers about their privacy; (2) come with heavy reporting and follow up administrative burdens entangling the company with the FTC for years to come; and (3) also carry a significant financial penalty.

The lesson? Check your privacy policies, notices and other representations to consumers and employees. Are they 100% accurate? That is, are you doing what the policies say you are doing? If not, it’s time to amend your policies (or your practices) before the FTC knocks on your door.

You can read about the steps TRUSTe is taking to maintain its customers’ trust at its blog:




FCC Seeks Comment on Exemption Petition Re: Breach Notification

Many of us have likely received a notification from our bank or credit card company concerning suspected fraud or improper charges.  However, the legality of those messages is not always clear.  To this end, on October 14, 2014, the American Bankers Association (Association) filed a petition for exemption requesting that the Federal Communications Commission (FCC) exempt “certain time-sensitive information calls, placed without charge to the called parties from the Telephone Consumer Protection Act’s (TCPA)restrictions on automated calls to mobile devices.”

Specifically, the Association asked the FCC to exempt automated calls and text message alerts to wireless telephone numbers concerning:  (1) transactions and events that suggest a risk of fraud or identity theft; (2) possible breaches of the security of customers’ personal information; (3) steps consumers can take to prevent or remedy harm caused by data security breaches; (4) money transfer notifications and notifications of actions needed to arrange for receipt of pending transfers.  The Association’s petition explains that automated communications to mobile devices would be without charge and are best suited to provide quick and efficient notifications to customers in time-sensitive situations, such as in cases of data security breaches or attempted identity theft.  Additionally, the petition proposed certain conditions on these automated calls and text message alerts, if exempted.  In particular, the petition specifies that the calls or messages would not include any solicitation, telemarketing, or advertising information, and would only be sent to the telephone number of the consumer to whom the alert or notification is directed.

Under the TCPA and the FCC’s implementing rules, an entity is prohibited from using an automatic telephone dialing system or an artificial or prerecorded voice to make a call to a wireless number absent an emergency or the prior express consent of the called party.  Notably, the FCC may exempt calls to wireless numbers that are not charged to the called party and which protect consumer privacy.

In light of the petition, the FCC is now seeking comment on the issues raised, including whether the exemptions requested allow the financial services industry to reduce privacy and security risks proactively so that fraud, data security breaches, and identity theft are less likely to occur.  Comments must be submitted to the FCC by December 8, 2014 with reply comments due by December 22, 2014.

Does the Secret Service Need a BYOD Policy? Addressing Personal Device Usage in the Workplace

white houseAccording to a November 13, 2014 article in the New York Times (based on a review by the Department of Homeland Security), an intruder was able to enter the White House back in September due to a succession of performance, organizational, and technical failures.  One of the specific findings was that:

“Omar Gonzalez, the man charged in the incident, could have been stopped by a Secret Service officer who was stationed on the North Lawn with an attack dog. . . [b]ut the officer did not realize that an intruder had made it over the fence because he was sitting in his van on his personal cellphone. The officer did not have his radio earpiece in, and had left the second radio he was supposed to have in his locker.”

Wait, what? We know from the report, as well as from Clint Eastwood movies, that Secret Service members use their own communication system with ear-buds for professional duties, so there is no excuse for this agent to have been on his cell phone.

The Report suggests that the United States Secret Service either needs to adopt or enforce a robust policy prohibiting or limiting the use of personal cell phones or any personal devices (e.g. cell phones, smartphones, tablets, etc.) while on duty.  Landscapers and insurance adjusters working in the field might very well use a personal cell phone for work purposes to great efficiency pursuant to a Bring Your Own Device (“BYOD”) to work policy, although many companies restrict smart phone use while driving. For other positions, however, unrestricted use of smart phones can cause problems ranging from customer satisfaction, loss of efficiency, and sexual harassment up to life-or-death safety issues, as in the case of Omar Gonzalez and the un-named agent who, for all we know, was playing Angry Birds on the North Lawn.  One often observes restaurant hosts, receptionists, government clerks and other employees tapping on their smart phones while customers tap their feet in line. Employers are within their rights to curtail such behavior, even as members of the public obnoxiously talk into their phones while ordering a latte. It’s bad enough that employees from ticket agents to medical doctors are forced to spend more time looking at computer screens than looking people in the eye, but personal use of smart phones on the job is rampant and in certain circumstances can lead to safety issues. Proper drafting and enforcement of policies can mitigate these problems.

Due to the sensitive nature of its work, a BYOD policy allowing the use of personal cell phones while on duty would probably not work for the Secret Service.  Many private employers, however, have found great success in limiting the use of personal devices by allowing employees to utilize their own devices for work purposes and adopting BYOD policies to address such use.  BYOD policies may properly address not only who will pay for a smart phone, access to organizational systems, and how to protect company information, but also when employees may access smart phones while on the job.

Protective Order Can Limit Disclosure of Company’s Non-Public Information in Employment Dispute

Written by David Kight

When involved in litigation, a company’s non-public information, such as trade secrets, can be prevented from becoming public information by a court-granted protective order. While a blanket protection is unlikely to be granted by a court, early consideration of information potentially sought by a plaintiff would allow a company to limit what becomes public and provide all parties a clear understanding of the level of protection required for key non-public information disclosed.

An employment case from a Kansas federal district court illustrates how a company can protect itself. The court rejected the plaintiff’s arguments that judicial proceedings should be open and available to the public and that the employer’s requested protective order was designed to increases costs and time. Azim v. Tortoise Capital Advisors, LLC, 13-2267-DDC (D. Kan. Nov. 5, 2014). The court granted the employer a protective order limiting access to the employer’s non-public data.

Plaintiff Arshad Azim sued his former employer, Tortoise Capital Advisors, LLC, its parent company, and several executives alleging that during his employment, his employer made misrepresentations to become certified as a minority business enterprise, made fraudulent representations to gain potential investments and investors, and made false filings with the Securities and Exchange Commission. Azim claimed he was retaliated against after reporting these violations and was discriminated against and terminated from employment.

The employer, objecting to the plaintiff’s pre-trial discovery of confidential business information such as tax, medical and other non-public information of the executives and the company, requested the information disclosed be protected by a protective order. Azim primarily argued that the protections sought were unnecessary and designed to drive up the time and expense of the case. Azim also argued against many of the protections sought given the “presumption in favor of open and public judicial proceedings.”

Chief among Azim’s objections was that the employer’s inclusion of “proprietary business information” was too broad and would lead to Tortoise using the broad definitions to create “roadblocks in discovery.” Tortoise countered that the phrase was necessary to protect the nature of the information potentially sought. The court agreed with Tortoise, finding that the inclusion of the phrase “proprietary business information” would not curtail Azim’s right to receive the information and would limit only the use of the information if disclosed.

Azim also objected to Tortoise’s proposed steps to keep the information confidential, including submission of redacted copies of documents, submission of documents for the court’s in camera review when necessary, and seeking to file documents under seal. Azim objected that all of the measures were “overkill,” designed to drive up the time and expense of litigation. Noting that the steps proposed were taken from its Guidelines for Protective Orders, the court disagreed, finding that there needed to be some manner for the parties to address confidentiality of information during the course of the case.

OCR Issues Ebola Guidance on HIPAA Privacy

According to the New York Times, Bellevue Hospital Center patient Craig Spencer, the first New Yorker to be infected with Ebola, is scheduled to be released today. And while the intense reporting about Ebola has subsided, perhaps indicating a lowering of the perceived threat of Ebola spreading further in the U.S. (although many continue to be under surveillance) companies should remain vigilant and be sure they are prepared. To that end, the agency responsible for enforcing the HIPAA privacy and security regulations, the Office for Civil Rights, issued a bulletin – HIPAA Privacy in Emergency Situations.

In emergency situations, uncertainty and a lack of preparedness can inhibit a health care provider or health plan’s ability to act. That uncertainty can include concerns about whether certain information can be used or disclosed. The OCR’s Bulletin provides helpful guidance for providers and plans, as well as business associates, so that they can be prepared to act in accordance with the HIPAA privacy requirements, which the Bulletin affirms is not suspended during a public health or other emergency. The Bulletin reminds covered entities and business associates that “protected health information” CAN be disclosed in connection with treatment without the authorization of the individual. It also provides a short summary of the rules for making disclosures in connection with certain public health activities, such as disclosures to public health authorities.

Responding to media inquiries is a significant concern for providers, and the bulletin addresses that. It reiterates that a hospital or other health care facility can, upon request for information about a particular patient by name, disclose limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms. This is the case so long as the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. However, except in limited cases, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, may not be done without the patient’s written authorization (or the written authorization of the patient’s personal representative).

The Bulletin also reminds the reader that HIPAA only applies to covered entities and business associates. It does not apply to employers. However, employers need to be mindful of other federal and state laws that protect the confidentiality of employee medical information, such as the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.

The Bulletin could provide a helpful training or refresher resource for covered entities and business associates to help their workforce members be prepared for all emergency situations, not just another Ebola case.

California District Court – “Under TCPA Autodialer Must Generate Numbers”

One of the most complex issues under the Telephone Consumer Protection Act (TCPA) is determining whether the technology utilized qualifies as an “automatic telephone dialing system” (ATDS) or “autodialer.”  The TCPA prohibits using an ATDS to make calls to cell phone numbers, absent prior consent of the called party.  An ATDS  is generally define as equipments which has the capacity to store or generate telephone numbers randomly or sequentially and dial those numbers.
The U.S. District Court for the Southern District of California recently held that the electronic platform for sending promotional text messages was not an autodialer because it could not generate random or sequential numbers.  While guidance from the Federal Communications Commission, as well as decisions at the district and circuit court level, have focused on whether a system has the capacity to generate and dial numbers without human intervention (even if the numbers came from a defined list, as opposed to randomly generated), the Court here distinguished such reasoning.
Here, the plaintiff joined defendant’s fitness center in 2012.  The defendant utilized a 3rd-party, web-based platform to then send promotional text messages to members and prospective members on their cell phones.  The system utilized could enter numbers manually; by collecting numbers individuals entered on the defendant’s website, or by collecting numbers when individuals responded via text message to marketing campaigns.  The plaintiff allegedly received 3 unwanted text message and brought suit.  Thereafter, the defendant moved for summary judgment asserting that the platform used with not an ATDS and the Court agreed.
Despite FCC guidance which states that equipment that can generate and dial numbers without human intervention would qualify as an ATDS, whether or not the numbers are randomly or sequentially generated, the Court found that the definition of ATDS within the statute is clear and unambiguous and the FCC does not have rule making authority.  Agreeing with some other cases which have addressed this issue, the Court found that “capacity” means the systems current capabilities, not its “potential.”  The Court said that focusing on “capacity” would subject a wide array of devices to the TCPA (e.g. all computers and smartphones).
As the defendant’s platform required human intervention, it was not an ATDS and thus the Court granted summary judgment in defendant’s favor.

Negligence Claims for Breach of Patient Privacy Not Preempted by HIPAA, Connecticut Supreme Court Holds

Healthcare providers continue to have challenges with responding to attorney requests for information and subpoenas. We highlighted some of these last year, along with some issues providers should be considering to help meet those challenges.  In this case, after the patient advised the provider not to disclose her PHI to her significant other, the provider received a subpoena in connection with a paternity suit that was sent on behalf of the significant other seeking the patient’s medical file. According to the Supreme Court’s decision, the provider “did not alert the plaintiff of the subpoena, file a motion to quash it or appear in court. Rather, the defendant mailed a copy of the plaintiff’s medical file to the court.” Without deciding whether Connecticut’s common law recognizes a negligence cause of action arising from this situation, the Court agreed with the patient, concluding such an action is not preempted by HIPAA and, further, that the HIPAA regulations may be used to establish the providers standard of care. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., No. 18904.

As part of its reasoning supporting the decision, the Court pointed to language in the preamble to the final HIPAA privacy regulations discussing preemption. Specifically, the Court noted that commentators had raised the issue of whether “a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed.Reg. 82,462, 82,582 (December 28, 2000). The Department of Health and Human Services responded:

the fact that a state law allows an individual to file [a civil action] to protect privacy does not conflict with the HIPAA penalty provisions

(While the Department’s view is not binding, the Court noted that “[w]here an agency has authoritatively interpreted its own rule, courts generally defer to that reading unless it is plainly erroneous or inconsistent with the regulation.”) The Court went on to list a number of decisions holding that HIPAA does not preempt causes of action that exist as a matter of state common or statutory law and arise from health care providers’ breaches of patient confidentiality in a variety of contexts. The Court also mentioned some of these cases permitted HIPAA to inform the relevant standard of care in such actions.

This case should be a strong reminder to covered entities, and their business associates, to be more careful when responding to requests for protected health information under HIPAA. Often documents seeking protected health information look official and threatening, but they may be nothing more than an attorney’s request for PHI, which without more generally will not justify disclosure. The fact that a private right of action does not exist under the HIPAA privacy or security regulations is not the end of the inquiry. Providers and business associates have to consider the layers of other laws that potentially could provide a patient a remedy for a questionable disclosure of the patient’s medical records, such as state health laws and regulations, common law torts, and other measures.

Liability for Providing Too Little Information?

Written By Christopher E. Hoyme

Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like.

In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when disclosure of requested information was incomplete.

In Larson v. The Northwestern Mutual Life Insurance Company, CMInformation Specialists, Inc., Minnesota Supreme Court, No. A13-0186, October 22nd, 2014, Larson sued Northwestern Mutual for death benefits related to her deceased husband’s life insurance policy. Northwestern Mutual denied death benefits on the grounds that her husband had not been forthcoming regarding a prior heart-related condition when he completed the life insurance application years earlier. Northwestern Mutual maintained it would not have written the policy if it had been aware of the cardiac condition.

Larson sued CMInformation Specialist because they had been retained by Northwestern Mutual to gather all relevant medical records related to Larson’s husband during the policy application process. Apparently, the records gathered by CMI were incomplete as the cardiac-related medical records were not provided to Northwestern Mutual. Larson claimed that had CMI provided all of the requested records, Northwestern Mutual would have been made aware of the heart condition and therefore would not have been in a position to deny the death benefits at issue.

Larson sued CMI on the specific legal grounds that it had violated a Minnesota statute relating to the authorized production of a patient’s medical records. CMI argued that the Minnesota statute in question imposed liability only for the unauthorized disclosures of medical records and therefore did not provide a cause of action when an entity gathering medical records fails to disclose all of the records authorized for release.

Ultimately, the Court found in favor of CMI, holding that no unauthorized records had been disclosed. The Court held that liability under the specific Minnesota statute only arose when the disclosing entity actually discloses an unauthorized health record.

Although no liability for an incomplete disclosure was found in this case, it does not take a stretch of logic to apply this question to other situations. What if an employer does not provide all requested information or records in regard to a reference request that is accompanied by a consent? What if an employer provides incomplete responses to a payroll information request from a lending institution? What if an employer does not provide all requested information to a subpoena in a collateral legal proceeding? Generally, employers are most concerned about providing more information than is authorized. Employers should be cautioned to consider that in some instances, not providing complete information in response to requests may also create liability as well.

California Minors Gain Privacy Rights in the Online World

Written by Jennifer Hodur

Thanks to a new state law enacted to protect minors from the modern follies of youth, minors in California can ring in the New Year by permanently deleting their regrettable online posts. This so-called “Online Eraser Law” – signed by Governor Jerry Brown on September 23, 2013 – will take effect on January 1, 2015.

The “Online Eraser Law” provides protections to minors, defined as California residents under age 18, including affording minors the right to “erase” content or information they post online. The new law imposes specific obligations on operators of Internet websites, online services, online applications, or mobile applications that are either directed to minors or with respect to which the operators have actual knowledge that a minor who is a registered user of the website or application is using. Such operators specifically will be required to permit minors to remove, or request and obtain removal of, such content or information; provide notice to minors of their rights to do so; provide clear instructions to minors about how to exercise these rights; and notify minors that removal of such content or information does not ensure complete removal.

This “Online Eraser Law” is not likely to be a foolproof method of achieving the goal of protecting minors from themselves. While it provides a means to remove content or information they personally posted, it does not apply to content or information posted or shared by others.

This law also contains protections for minors from certain marketing practices, including protecting them from being targeted by marketing of an enumerated list of products and services, such as alcohol, tobacco, drugs, firearms, tattoos, and other things deemed inappropriate for minors.

Although the law is not targeted specifically to employers, its seemingly broad application may have a far-reaching impact. Employers therefore need to determine whether they fall within the scope of the law and, for those who do, must ensure policies and practices are in place to comply with its requirements and constraints. A thorough review of online privacy policies and procedures is recommended.