Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Written by Ron Sgambati

It’s hard to miss the National Labor Relations Board’s recent activity targeting employer decisions based on workers’ use of social media - as it attempts to establish parameters in the work-life balance between social media and rights protected by the National Labor Relations Act. Just when employers understandably may feel compelled to stop basing employment decisions on social media use, a recent Advice Memorandum is giving employers hope.

The Arizona Daily Star had encouraged its reporter to use social media to reach people who might not read the paper and to drive readers to the newspaper’s website. The employee tweeted using his work computer, his company-provided cellphone and his home computer and linked his Twitter account to his Facebook and MySpace pages. Therefore, whenever he tweeted, the same message would be posted on Facebook and MySpace.

In one tweet, the employee criticized the Daily Star’s television staff. The employer warned the employee that his comments were inappropriate, but he continued to post inappropriate tweets, while commenting as a public safety reporter. The tweets included, “What?/?/?/? No overnight homicide? WTF? You’re slacking Tuscon.”

His employer suspended him then terminated his employment. He filed a charge with the NLRB Regional Office claiming he was terminated for engaging in NLRA-protected concerted activity. The Regional Office, as instructed by Office of the General Counsel’s Memorandum dated April 12, 2011, referred the charge to the Division of Advice (“Division”) because the charge involved discipline for engaging in alleged protected concerted activity using social media.
The Division did not find a violation of the NLRA. It instructed the NLRB Regional Office to dismiss the unfair labor practice charge. It determined that after opening a Twitter account and linking it to the Daily Star’s website, the employee engaged in “inappropriate and offensive Twitter postings that did not involve protected concerted activity” and was terminated for engaging in misconduct. This is an important development for employers, perhaps signaling the NLRB’s seemingly aggressive social media stance may not be one-sided.

The victory, however, has been tempered by the NLRB General Counsel’s May 9, 2011, complaint against Hispanics United of Buffalo, a nonprofit organization that provides social services to low-income clients. The complaint alleges the firing of five employees for Facebook postings that criticized working conditions was improper interference with protected concerted activity. It alleged that an employee posted a co-worker’s allegations that employees did not help the company’s clients enough and other employees responded to the post by defending their work and blaming working conditions, including staffing workload issues. The employer fired the five employees after learning of the posts because it found the comments were harassing to the employee who made the original post. A hearing has been scheduled for June 22, 2011.

These latest developments seem to show the NLRB searching for balance between the workplace and social media. The Wall Street Journal reports the Board said it had more than two dozen cases involving worker complaints aired on the social media site Facebook. Stay tuned . . . but in the mean time, employers need to think carefully before acting.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Maryland Senate recently referred Senate Bill 971 which prohibits Maryland employers from demanding that workers and job applicants turn over their passwords to specific websites or web-based accounts. 

Under the bill, employers would be prohibited from refusing to hire applicants and disciplining, terminating, or taking other adverse employment action against employees who refuse to provide their passwords. The bill also bans employers’ threats of such action.  

The bill was introduced in response to employers’ asking applicants and employees for their passwords as part of background checks to see the content posted by the individuals on social networking sites (e.g., Facebook ). S.B. 971 would, however, permit employers to require workers to disclose their passwords only to the employers’ internal computer systems.  

This proposed Maryland law, and case law from New Jersey, should alert employers that utilizing social media in their hiring, discipline, or termination decisions is under scrutiny.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

One might think that bankruptcy is a private matter, with little to no bearing on whether one can meet the qualifications for a particular job. As my colleagues report today, the U.S. Court of Appeals for the Eleventh Circuit (with jurisdiction over Alabama, Florida and Georgia) joins its sister Circuits (the Third and Fifth Circuits) in holding that it is not impermissible under the Bankruptcy Code for an employer to refuse to hire an applicant due to a prior bankruptcy. Myers v. Toojay’s Mgmt. Corp., No. 10-10774 (11th Cir. May 17, 2011). However, as discussed in their report, the Code does state that a private employer may not “terminate the employment of, or discriminate with respect to employment against” an employee due to a bankruptcy. 11 U.S.C. § 525(b).

Of course, what is permissible under the Bankruptcy Code may not be under state law. As the report notes, and as reported here, a handful of states (e.g., Hawaii, Illinois, Maryland, Oregon, and Washington) have enacted limitations on an employer’s ability to acquire or use credit information in making hiring decisions. Further, any bankruptcy information acquired with respect to an applicant may include personal information that may need to be safeguarded, and as my colleagues advise, the use of that information should be based on job-related considerations to avoid Equal Employment Opportunity Commission claims based on adverse impact theories. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG's recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A registered nurse terminated from employment for posting on Facebook while dispensing medication to a patient could not collect unemployment benefits in Pennsylvania. Chapman v. Unemployment Comp. Bd. of Review. This case is another example why it is critical to have clear, written electronic communication and social media policies in place that are reasonable and enforced consistently. Without the policy in place, this employer surely would have had a more difficult time defending the unemployment claim.

In this case:

• the employer's policies provided that (i) it may immediately discharge an employee who engages in conduct that could cause a life threatening situation and (ii) cell phone usage is prohibited while on duty;
• the employee was aware of these policies and had previoulsy been warned about them;
• while on duty and dispensing medicine to patients, the employee used her personal cell phone to post comments on her Facebook page about an unpleasant and embarrasing incident experienced by a coworker;
• the nursing director heard other nurses speaking about the Facebook posts in the hall and asked one of the nurses to show them to her; and
• the employer terminated the nurse who made the posts on grounds that her conduct could cause a life threatening situation to patients.  

Reversing an earlier decision that would have allowed the employee to receive unemployment because her actions did not constitute "willful misconduct," Pennsylvania's Unemployment Compensation Board of Review noted that the nurse "was aware of the employer's policy prohibiting the use of cell phones while on duty, yet she violated that policy despite having been previously warned for doing so.” The Pennsylvania Commonwealth Court agreed.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks.  While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed.  It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the law decade. The President has thus made cybersecurity an Administration priority. 

1.  To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
2. To protect our nation’s critical infrastructure the proposal calls on legislative changes to fully protect this infrastructure. Specifically, proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

3.  To protect federal government computers and networks the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA) as well as formalizing DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; the permanency of DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventions on states requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those business which comply with the proposal’s requirements.  

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

NBC's Bob Sullivan reported on a rising trend of identity thieves targeting children. Why? Well, having no real credit history, most children’s credit is clean and good. Also, children, particularly younger children, are not going to be needing or looking at their credit for some time. These factors make children more attractive targets of identity theft.

Mr. Sullivan’s colleague Jeff Rossen and the "TODAY" show dig into this issue and provide some valuable information for parents about the problem and how to safeguard their children.

Businesses need to be in tune to this as well. All of the country’s data breach notification laws (46 states, plus other jurisdictions), as well as the laws requiring safeguards for personal information apply to “individuals,” not adults or persons over a certain age.

Some companies may believe they do not have personal information about children, but most companies do. For example, companies sponsoring medical, dental or vision coverage for employees, or health and dependent care flexible spending accounts maintain (or require vendors to maintain) personal information about children of covered employees. This kind of information also could be contained in retirement or life insurance plan beneficiary designation records, as well as records supporting leaves of absence and other matters.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Minneapolis Star Tribune has reported that two hospitals in Anoka County, Minnesota, terminated a combined total of 32 employees for unauthorized access of electronic medical records on May 6, 2011.  The two hospitals, Unity Hospital in Fridley, Minnesota and Mercy Hospital in Coon Rapids, Minnesota, are both part of the Allina Health System.  In April, the Minnesota Court of Appeals, in an unemployment compensation decision, upheld the enforcement of Allina's "zero-tolerance policy" with regard to unauthorized access to medical records.  Allina relied on the same policy in the latest firings.

The records leading to the mass termination related to a tragic incident involving 11 teenagers and young adults who were hospitalized after overdosing on synthetic drugs after a party on March 17.  One of them, a 19-year old, died and murder charges have been brought against a Blaine, Minnesota, man who allegedly provided the drugs.

Allina stated that it has the ability to track any employee's access of electronic medical records and, because these patients were involved in a "high profile case," the hospital conducted a review of their audit trails and discovered that 32 employees had accessed the records without authorization. 

The increasing use of electronic medical records make these types of audits easier and more important than ever before.  Although the high number of employees involved is unusual, according the Star Tribune report, it is not the largest on record - in 2007 more than 100 employees were suspended from another Minnesota medical provider for similar concerns. 

 The HIPAA security regulations require that covered entities be able to audit activities on information systems containing electronic protected health information.  With increasing agency enforcement, health care providers and other covered entities and business associates should revisit this aspect of the HIPAA policies and procedures.

 Update: read the Star Tribune editorial justifying the firings.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Bypassing the media attention that often accompany high-dollar penalties and settlements, the Department of Health and Human Services (HHS) has quitely reported a settlement concerning the HIPAA privacy and security rules that highlights the increasing cooperation of federal government agencies to enforce a steadily expanding and complex compliance environment. 

Late in 2009, HHS opened an investigation of Management Services Organization Washington, Inc. (MSO) following a referral from the HHS Office of Inspector General (OIG) and Department of Justice, Civil Division (DOJC), which had been investigating MSO and its owner for violations of the
federal False Claims Act (FCA). During the course of its investigation, OIG discovered that MSO's owner also owns Washington Practice Management, LLC (WPM) that earns commissions by marketing and selling Medicare Advantage plans.

According to the HHS Resolution Agreement with the company, the tip from OIG and DOJC led HHS to find that MSO:

• impermissibly disclosed electronic protected health information (ePHI) of numerous individuals to WPM without a valid authorization, for WPM'S purpose of marketing Medicare Advantage plans to those individuals; and
• did not have in place and did not implement appropriate and reasonable administrative, technical, and physical safeguards to protect the privacy of the ePHI.

Without acknowledging a HIPAA violation, MSO agreed to a resolution payment of $35,000 and to a two-year "Corrective Action Plan," which includes, among other things:

• adopting written policies and procedures to be reviewed and approved by HHS;
• obtaining a signed certification from all workers concerning the policies and procedures;
• changing its policies and procedures only with HHS approval; and
• conducting monitoring reviews every 180 days, which include performing unannounced interviews of workforce members.

It is not uncommon for companies considering compliance measures to assess the likelihood of a government audit or inquiry. Any illusion an organization may hold that it is operating “under the radar” of regulators should be shattered in the current compliance environment. Governmental agencies are increasingly able to efficiently coordinate with one another in matters of enforcement. Should HHS receive the additional $5.6 million it is seeking to enforce the HIPAA privacy and security regulations in its 2012 budget, flying under the radar will become more difficult.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Written by Ron Sgambati

Seemingly intent on making sure it is perceived as current, if not trendy, today’s National Labor Relations Board (NLRB) has continued to demonstrate an avid interest in social media. Not only is it paying attention to new media in all its forms, but it is also actively participating, with a Facebook page, a YouTube channel and a Twitter feed.

On April 12, 2011, the NLRB General Counsel issued a memorandum (pdf) to NLRB Regional Directors updating the list of matters that must be submitted to the Division on Advice. Included on the list are cases involving:

employer rules prohibiting or discipline of employees for engaging in, protected concerted activity using social media, such as Facebook or Twitter.

This is expected to allow the Board to have an earlier and more uniform oversight of matters involving social media.

The directive comes after the Board’s recent involvement in matters concerning possible protected concerted activity on Facebook and Twitter. In late 2010, the NLRB challenged a company’s Social Media/Facebook policies which the company maintained were lawful. The case settled with the company agreeing to make suggested changes to its policies.

In April, 2011, the NLRB targeted another social medial resource – Twitter. According to the New York Times,  the NLRB had warned a New York news agency that it planned to file a complaint accusing the company of illegally reprimanding a reporter over her criticism of company management in a Twitter posting. The Board asserted the company violated the reporter’s right to discuss working conditions with other employees. The matter was resolved when the union and company - which had been negotiating a new contract - reached a tentative contract on April 28, 2011. According to the New York Times,  the company has agreed to negotiate a new social media policy that would include language that will protect employees’ speech and the right to engage in other concerted activity about working conditions.

The Board again focused on Facebook after issuing its directive. On April 27, 2011, the NLRB reported it had approved a settlement in a case involving a California web-based home improvement retailer. A former employee had claimed she was terminated from her employment in retaliation for having posted comments about the company and possible state labor code violations on Facebook. The case was resolved and as part of the settlement the company agreed to post a notice at the workplace for 60 days stating that employees have the right to post comments about terms and conditions of employment on their social media pages and that they will not be terminated or otherwise punished for such conduct.

It is only a matter of time before there is a litigated case and a court’s ruling addressing these very real and reoccurring issues. Employers should exercise care in how they handle social media issues from a labor relations perspective and treat the recent NLRB scrutiny as an invitation to revisit their own social media policies.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Written by Nick Beerman

The federal appeals court in San Francisco has reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) in trying to start a business that would compete with his former employer. .

The indictment in United States v. Nosal, which a lower court dismissed, alleged that the employee, David Nosal, “knowingly and with intent to defraud” exceeded his authorized access to his employer’s computer system for the purpose of setting up a competing business. Nosal was an executive at Korn/Ferry and subject to a non-competition agreement. After leaving the company, he started a competing business, soliciting the help of three Korn/Ferry employees to provide him with source lists, names, and contact information from a Korn/Ferry proprietary and confidential database. Employee access to the database was specifically restricted, except for legitimate Korn/Ferry business.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court reaffirmed that employers determine what access or authorization an employee has to an employer’s computer, and pointed to specific examples of steps the employer in this case took to limit access to and authorized uses of information. These examples include the use of unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop-up on each employee's computer screen whenever the employee logged on to the company's system.  

Joining the Fifth and Eleventh Circuits, the Court ruled that as long as an employee has knowledge of an employer’s limitations on authorized use of a computer system, the employee will exceed authorized access under the CFAA whenever he or she violates those limitations or goes beyond his or her authorized access with an “intent to defraud” by an action that “furthers the intended fraud and obtains anything of value. It is as simple as that.”
 

The message to employers from this case is that if you want to be able to effectively use the CFAA as a means of recovery when employees steal data or take other actions to harm company computers or data, you will need to plan ahead. That is, employers will need to clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.  

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law have been vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D) may likely sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media and notifying the California Office of Privacy Protection. 

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised.  Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link