Pending Social Media-Related Cases at All 52 NLRB Regional Offices

Posted on June 22, 2011 by Joseph Lazzarotti

Written by Ron Sgambati

NLRB Acting General Counsel Lafe E. Solomon offered some insight into the NLRB’s interest in Social Media earlier this month when he spoke at the Annual Conference on Labor at New York University. During his presentation, Solomon revealed that every one of the 52 NLRB regional offices across the country has at least one pending case presenting issues about employee use of Social Media or an employee’s policy concerning the use of Social Media.

Solomon noted that his work had reached a higher profile than his predecessor, and he credited it in large part to the NLRB’s attention to social media. Solomon said that the “good part” about the intense publicity the NLRB has received over the past year has been that he has had the “rare privilege” of using media appearances and interviews to explain the rights of employees under the National Labor Relations Act (“NLRA”), which had been unfamiliar or unknown to many Americans.

Solomon’s comments make it apparent he enjoys having the NLRB in the spotlight. His comments also explain what may be the motivation behind the NLRB focus on Social Media - the topic of Social Media provides the Board with an always-available platform from which to reach a public which may not otherwise be interested in hearing what the Board has to say about the NLRA.

Due to the pervasiveness of Social Media cases at all 52 regional offices, it appears certain that the summer months will heat-up with discussion of Social Media issues at the workplace.

Tags: , ,

Rep. Mary Bono Circulates Draft Data Breach and Data Security Law

Posted on June 14, 2011 by Joseph Lazzarotti

Reuters and other news outlets are reporting that Representative Mary Bono Mack has circulated draft legislation in response to the steady stream of data breaches that have occurred this year. According to the report, Senate Majority leader Harry Reid also has asked four Senate committees to pull together a comprehensive cybersecurity bill, hoping it will be brought to the floor by late summer. After years of failed attempts at data breach legislation, the federal government could be poised to enact broadly applicable requirements for safeguarding data and responding to data breaches. 

Some key provisions of the draft legislation would require covered entities (basically, any person engaged in interstate commerce) to:

  • establish and implement policies and procedures to protect personal information (defined in a manner similar to most current state breach notification laws) to include, without limitation, designating a point person to manage information security, and having a process for identifying and assessing foreseeable vulnerabilities;
  • erase personal data that is no longer needed and otherwise take steps to minimize the amount of personal information maintained;
  • notify law enforcement within 48 hours of a data breach, and if data could be used to steal a customer's identity, notify the Federal Trade Commission within 48 hours and begin contacting the affected persons; and
  • provide 2 years of credit reporting services or credit monitoring services to individuals affected by a covered data breach.

The law would be enforceable by state attorneys general and the Federal Trade Commission with maximum penalties running into the millions of dollars. The law would generally preempt similar state laws, but would not permit private lawsuits. 

Of course, companies should not be waiting to see if any action is taken at the federal level. There are a number of states with similar laws already on the books. In addition, exposure from a data breach, particularly when there were no safeguards in place to prevent the breach, should be sufficient motivation to take steps to safeguard personal data.

Tags: , , , , ,

Is your computer a "bot" or part of a "botnet"?

Posted on June 10, 2011 by Joseph Lazzarotti

An article in Bloomberg tells a harrowing story of computers that have secretly come under the control of hackers. This can happen to company and personal computers alike that download certain embedded malware - such as when downloading an email attachment. These computers become known as "bots," and part of a "botnet." The consequences can be crippling.

Accordingly to the article:

The enslaved “bots,” as the infected computers are known, have become so pervasive they now threaten the security of the Internet, said Gunter Ollmann, head of research at Atlanta-based Damballa Inc., which tracks botnet activity. At least 18 percent of home computers are now under remote command of cyber-thieves without their owners’ knowledge, according to Damballa’s research. 

For corporate computers, which are usually protected by expensive security measures, around seven percent are controlled by such malware, which is hidden from the user and controlled via the Internet, Ollmann said.

When this happens, companies can find themselves in uncomfortable and potentially dangerous circumstances . . . consider the following exchange described in the Bloomberg article:

“I’m sure we can settle on control of bots,” a LulzSec hacker called Ninetales told Hijazi, according to a computer log of their interaction provided to Bloomberg News by Hijazi.

When Hijazi said he didn’t want to face extortion, another hacker named hamster_nipples replied: “Unfortunately, you have little choice at this point.”

Hijazi, who declined to identify his corporate clients, refused to comply with LulzSec’s demands and rejected a separate request for money. The hackers posted the company’s e-mails on the Internet June 3.

The harm that can result is significant. The Bloomberg article cites to one example of hackers controlling a botnet who sought to transfer nearly $1 million from one company. In other cases, hackers were successful in removing tens of thousands of dollars from bank accounts of affected companies.

Companies need to be more aware of these developments and take appropriate steps to protect their systems. While there are federal and state laws that require steps be taken to safeguard against these kinds of risks, the extent of damage that a botnet can cause to an entity's business can be far more damaging. 

Tags: , , , ,

HHS Announces Proposed Changes to HIPAA Privacy Rule

Posted on June 1, 2011 by Joseph Lazzarotti

Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act becoming law, the HIPAA Privacy Rule required covered entities to provide individuals with an accounting of certain disclosures of their protected health information (PHI). HITECH enhances these accounting rules and requires that individuals be able to know who has accessed their electronic PHI. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule to implement these new requirements and is seeking comments from the public to help shape the law so as to provide the greatest transparency for individuals with respect to access to and disclosures of their PHI, while minimizing the burden on covered entities and business associates. Remember, under HITECH, business associate are subject to nearly all of the requirements under the HIPAA Privacy and Security Rules as covered entities. The discussion below touches on some of the key proposals.

HHS' Notice of Proposed Rulemaking would enhance the rules concerning the obligation to provide an accounting of certain disclosures of PHI and fleshes out the right of individuals to get a report on who has electronically accessed their PHI. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information.  In contrast, the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.

In general, designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR § 164.501. An example of PHI that is outside the designated record set are transcripts of customer calls that are used only for purposes of customer service review, rather than to make decisions about the individual.

HHS believes the access report requirement will not present an unreasonable burden on covered entities and business associates because by limiting the access report to information maintained in an electronic designated record set, the report will include information that a covered entity is already required to collect under the HIPAA Security Rule. That is, under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a covered entity is required to record and examine activity in information systems and to regularly review records of such activity. Access reports would cover a three-year period, and would provide the individual with information about who has accessed the individual's electronic PHI held by a covered entity or business associate. They would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity. The report would be required to identify the date, time, and name of the person (or name of the entity if the person's name is unavailable) who accessed the information, and potentially a description of the protected health information that was accessed and the user's action, if that information is available.

The right to an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI that is maintained in a designated record set. It would cover a three-year period (down from the current six year period), and would require a covered entity and its business associates to account for the disclosures of PHI believed to be of most interest to individuals. That is, the proposed rule explicitly lists the types of disclosures that are subject to the accounting requirement, rather than the previous approach of listing the types of disclosures for which an accounting was not required. In general, the proposed rule would continue to include in the accounting requirement, without limitation, disclosures for public health activities (except those involving reports of child abuse or neglect), for judicial and administrative proceedings, for law enforcement activities, to avert a serious threat to health or safety, for military and veterans activities, for the Department of State's medical suitability determinations, to government programs providing public benefits, and for workers' compensation.  Also, covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, even if those disclosures did not amount to a "breach" under the Breach Notification Rule at § 164.404.

While the proposed rules referenced above may vary when made final, they will require covered entities to re-examine their current practices to comply with the new rules. In addition, covered entities and business associates may need to make modifications to business associate agreements (as well as agreements with subcontractors and other vendors).  The Notice of Privacy Practices also will require modification to explain to individuals these new and modified rights concerning their PHI.

In regard to when action is needed, the rules propose that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). As for the right to an access report, the rules propose that covered entities and business associates be prepared to make this available beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

Tags: , , , , ,