Prepare Now for Employee Disputes Over Ownership of Social Media Accounts

Prepared by Alexander Nemiroff

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

Record Retention and Notice Requirements Go Into Effect for New Jersey Employers

Record keeping requirements in New Jersey add to the complexities multistate employers face trying to develop strong and practical record retention programs. Garden State employers must conspicuously post and distribute to employees a notice and maintain certain records according to a law, N.J.S.A. 34:1A-1.11 et seq., that went into effect on July 13, 2010.

To assist employers, the New Jersey Department of Labor and Workforce Development (“NJDOL”) published a notice entitled, “Employer Obligation to Maintain and Report Records,” that employers can post and distribute. According to the law, employers must 

  1. post this notice immediately in the workplace;
  2. provide each employee hired prior to November 7, 2011, a written copy of the notice no later than December 7, 2011; and
  3. provide employees hired after November 7, 2011, a written copy of the notice at the time of hire. 

Click here for more information concerning the posting and other requirements of the law.

Automating HIPAA Compliance Tracking and Audit Preparation

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding to customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

  • Where are the current policies and procedures for your department concerning privacy and security?

  • Would you please send me the training sign-in sheets for your group? Why was that group not trained?

  • Where are the signed copies of the business associate agreements? Is this all of them?

  • Where can I find a copy of the risk assessment for your department? Is it updated?

  • How was that complaint resolved? Were there any others?

  • Do you have all of the documents for the data breach that affected the radiology department?

  • Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example:

  • Allow different departments/groups to log on and update their compliance efforts,

  • Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

  • Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

  • Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

  • Track and document responses to patient complaints,

  • Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish an audit trail for creating a “defensible position” to regulators.

  • Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

  • Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

  • Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.


OCR Announces HIPAA Audit Program

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 


Update: Ninth Circuit to Rehear CFAA Case

As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. What is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

HIPAA Audits to Begin Early 2012

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits is to look, at a minimum, for the low-hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.


Connecticut Attorney General Establishes Privacy Task Force

Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen's press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.

Like nearly all states across the country, Connecticut has a data breach notification law. The State's Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg State has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.  

The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.

This is clearly a sign of increased attention to and enforcement of the state's data security and consumer protection mandates. Connecticut businesses, and businesses maintaining personal information of Connecticut residents, should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General's office.

California Strengthens its Data Breach Notification Law

As we suspected, California's current governor, Edmund G. “Jerry” Brown, Jr. (D), signed into law S.B. 24, which adds some additional protections to the state's current data breach notification requirements. The champion of this law and its recent enhancements, State Sen. Joe Simitian (D-Palo Alto), has finally succeeded after a number of prior attempts to pass this measure were vetoed by then-Gov. Arnold Schwarzenegger (R).

Summary of Changes

Under S.B. 24, breaches occurring on and after January 1, 2012, that require notification to California residents will have to meet the following additional requirements:

  • The notifications themselves will need to satisfy specific content requirements, such as including a description of the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies;
  • If more than 500 California residents are affected by a single breach, an electronic copy of the breach notification must be sent to the California Attorney General;
  • If the law's "substitute notice" provisions are used, notice also must be provided to the Office of Information Security or the Office of Privacy Protection. Substitute notice is permitted when the person or business required to provide the notice demonstrates that (I)(i) the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or (ii) that the affected class of subject persons to be notified exceeds 500,000, or (II) the person or business does not have sufficient contact information. Prior to the change, substitute notice consisted of only email notification, conspicuous posting of the notice on the person or business' website, and notification to statewide media.

Companies responding to multi-state breaches face significant challenges trying to harmonize the various state law requirements. See, for example, the recent changes to the Illinois statute. Presently, a number of bills are being considered in Congress that would preempt all of the state laws in this area; however, passage of one of these laws does not appear to be imminent. As data breaches go global, similar concerns exist as countries are enacting their own breach notification mandates.

Illinois Amends Its Data Breach Notification Law and Adds Data Disposal Mandate

Illinois Governor Pat Quinn approved a measure on August 22, 2011, amending his state's data breach notification law. The changes, which become effective January 1, 2012, are designed to increase protections for Illinois residents in the following ways:

New information that must be included in breach notifications:

  • the toll-free numbers and addresses for consumer reporting agencies,
  • the toll-free number, address, and website address for the Federal Trade Commission, and
  • a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Information that may not be included in breach notifications:

  • information concerning the number of Illinois residents affected by the breach.


New requirements for "data collectors" that maintain or store, but do not own or license, computerized data:

As with most breach notification statutes, entities that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of the security of that data. Generally, the obligation is to notify the owner of the breach. So, for example, a third-party claims administrator or an accounting firm might perform services for ABC Corp. (the owner) requiring the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.'s personal information, or the employee or some third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp., which, in turn, would need to notify the affected individuals.

As amended, Illinois' breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of: 

  • the date or approximate date of the breach and the nature of the breach, and
  • any steps the entity has taken or plans to take relating to the breach.

However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.

New Mandates for Disposing of Materials Containing Personal Information 

The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods: 

  • Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
  • Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Companies may engage third parties to carry out the disposal of personal information, provided that third parties performing these services must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.

Penalties for violations of the disposal requirements can be up to $100 for each individual with respect to whom personal information is disposed, subject to a maximum penalty of $50,000 for each instance of improper disposal.

In-House Physician's Disclosure of Employee Medical Information to Management Violates ADA, Court Rules

Disclosure to management by the company’s in-house physician of an employee’s alleged “lie” (or at least significant omission) made months earlier on a post-job offer medical questionnaire violated the Americans with Disabilities Act’s confidentiality provisions, a federal District Court in Maine held last week. Blanco v. Bath Iron Works Corp., D. Me., No. 2:10-cv-00429.

Medical professionals are becoming a fixture at many workplaces, whether they be occupational nurses or full scale on-site health clinics. As reported by the L.A. Times on July 3, 2011, 15% of U.S. companies with 500 or more employees had health centers last year, up from 11% the year before, and companies with 20,000 or more employees were even more likely to have clinics. However, having these resources on site can raise a range of workplace law risks, not the least of which concerns confidentiality.

In the Maine case, following his job offer, Mr. Blanco completed a pre-placement medical screening, which included filling out and signing a “Medical Surveillance History Questionnaire,” administered by the employer’s in-house physician. He did not reveal on that form that he had Attention Deficit Hyperactivity Disorder (ADHD). Mr. Blanco received good reviews for the first few months of his employment, but when he was moved to a different position, his performance began to wane. During a meeting with his manager, he attributed his poor performance to his ADHD and not long after requested a reasonable accommodation.

Mr. Blanco was referred to the same in-house physician who administered the Medical Surveillance History Questionnaire. Rather than explore the substance of his request, the physician interrogated Mr. Blanco concerning the ADHD omission on the Questionnaire. He explained that he did not understand the questions to ask about mental or emotional issues, such as ADHD. The physician refused to provide an accommodation, or even address the issue, and shortly after the physician informed management of Mr. Blanco’s omission from the Questionnaire, he was fired.

In refusing to dismiss Mr. Blanco’s complaint under the Americans With Disabilities Act and the state anti-discrimination law, the Court rejected two interesting arguments raised by the employer:

  1. Employees that lie should not be able to get protection under the ADA’s medical information confidentiality protections; and,
  2. As a policy matter, these kinds of misstatements put in-house physicians “in a pickle.” The court allowed, “If the revealed condition places the employee and his co-workers at risk, the doctor’s conflicting loyalty would become a safety issue.”

In each case, however, the Court said it didn’t matter to its decision that the employee may have lied on the medical questionnaire. The Court simply pointed to the statutory language, which it found clear and controlling. The court stated:

The Court agrees that whether he lied is not dispositive since the confidentiality provision does not apply only to truthful information. But this does not assist the Defendants. The ADA clearly protects the confidentiality of Mr. Blanco’s response if truthful and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

In response to the conflicting loyalty argument, the Court reasoned:

The brief answer, however, is that these policy arguments do not trump the statutory language. Congress, not this Court, is a policy-making body, and the Court is duty-bound to follow the law as enacted by Congress. Congress may or may not have considered whether to carve out a disclosure exception for instances where the employer concludes that the employee lied or misrepresented his pre-employment medical or mental condition. In any event, there is no such exception in the statute.

More than ever, businesses are realizing that comprehensive approaches to disability and leave management not only can mitigate compliance and litigation concerns, but also can enhance employee productivity and, therefore, profit margins. For these companies, on-site health clinics, occupational health clinics, and in-house physicians can be attractive options. However, as this case makes clear, employers need to be mindful of the workplace law risks. The ADA may be one source of such risks.

Employers May Consider Applicant's Bankruptcy When Making Hiring Decision, Eleventh Circuit Rules

One might think that bankruptcy is a private matter, with little to no bearing on whether one can meet the qualifications for a particular job. As my colleagues report today, the U.S. Court of Appeals for the Eleventh Circuit (with jurisdiction over Alabama, Florida and Georgia) joins its sister Circuits (the Third and Fifth Circuits) in holding that it is not impermissible under the Bankruptcy Code for an employer to refuse to hire an applicant due to a prior bankruptcy. Myers v. Toojay’s Mgmt. Corp., No. 10-10774 (11th Cir. May 17, 2011). However, as discussed in their report, the Code does state that a private employer may not “terminate the employment of, or discriminate with respect to employment against” an employee due to a bankruptcy. 11 U.S.C. § 525(b).

Of course, what is permissible under the Bankruptcy Code may not be under state law. As the report notes, and as reported here, a handful of states (e.g., Hawaii, Illinois, Maryland, Oregon, and Washington) have enacted limitations on an employer’s ability to acquire or use credit information in making hiring decisions. Further, any bankruptcy information acquired with respect to an applicant may include personal information that may need to be safeguarded, and as my colleagues advise, the use of that information should be based on job-related considerations to avoid Equal Employment Opportunity Commission claims based on adverse impact theories. 

HHS' Office of Inspector General Recommends More HIPAA Audits

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG's recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas). These audits focused primarily on:

  1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
  2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
  3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

Human Resources Vendor Settles FTC Charges that it Failed to Protect the Sensitive Employee Data of its Clients

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout, actually has violated the law.) For example, the complaint asserted that unauthorized access to sensitive employee information could be gained without entering a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

Wondering What To Do With Your "Electronic Waste"?

In New York, the Electronic Equipment Recycling and Reuse Act (pdf) (Environmental Conservation Law, Article 27, Title 26) creates electronics recycling programs effective April 1, 2011. The new law requires that free and convenient recycling of electronic waste be provided to most "consumers" (see definition below) in the state, including households, many small businesses and many not-for-profit corporations. The State's Department of Environmental Conservation has set up a detailed website providing information about this new law. As discussed below, other states are taking similar steps to deal with this new form of waste.

New York's e-Waste Law

The new law affects consumers, retailers, and manufacturers of "covered electronic equipment" (CEE), as well as certain waste recycling, consolidation, collection and management facilities. One of the notable requirements under the new law is that beginning April 1, 2011, manufacturers of CEE are required to take back from consumers a wide range of electronic waste.

Who is a "consumer" and what equipment is covered under the law?

A "consumer" is an individual, business, corporation, limited partnership, not-for-profit corporation, the state, a public corporation, public school, school district, private or parochial school or board of cooperative educational services or governmental entity located in New York State, except when involved in a wholesale transaction between a distributor and retailer.

"Covered electronic equipment" includes:

  • Computers
  • Televisions
  • Cathode Ray Tubes
  • Small Scale Servers
  • Computer Peripherals (Computer peripherals also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
    • Monitors
    • Electronic Keyboards
    • Electronic Mice or Similar Pointing Devices
    • Facsimile Machines, document scanners, and printers (only those intended for use with a computer and weighing less than 100 lbs.)
  • Small Electronic Equipment (Small electronic equipment also includes any cable, cord, or wiring permanently affixed to or incorporated into such product.)
    • VCRs
    • Digital Video Recorders
    • Portable Digital Music Players
    • DVD Players
    • Digital Converter Boxes
    • Cable or Satellite Receivers
    • Electronic or Video Game Consoles

"Covered electronic equipment" does not include such things as cameras; portable or stationary radios; household appliances; monitoring and control instruments or systems; telephones of any type; portable digital assistants or similar devices; calculators; global positioning system (GPS) receivers or similar navigation devices; servers other than small-scale servers; cash registers or retail self-checkout systems; stand-alone storage products intended for use in industrial, and other equipment.

What is the cost?

For the basic services required under the new law, which include acceptance of CEE, for-profit businesses with fewer than 50 full-time employees and not-for-profit organizations with fewer than 75 full-time employees may not be charged for the collection, handling, recycling, or reuse of CEE. Larger organizations may be charged for these services. (Full-time employment is not defined under the law.) Note, however, that the new law generally does not affect contracts consumers had with manufacturers entered into prior to January 1, 2011.

In addition, any consumer may be charged for "premium services." "Premium services" are any services above and beyond the reasonably convenient acceptance methods defined in the new law. These include equipment and data security services, refurbishment for reuse by the consumer, and other custom services as may be determined by the Department of Environmental Conservation such as at-home collection (other than mail back programs), data wiping, specialized packing and preparation for collection, etc.

Does the law require e-waste to be recycled?

Not yet. However, beginning January 1, 2012, businesses, municipalities, and subdivisions of the state, including their waste collection company or service, will no longer be able to collect electronic waste for disposal, or dispose of any electronic waste in a landfill or waste-to-energy facility. A similar rule goes into effect for individuals and households on January 1, 2015.

Will recycling be performed in a secure manner?

No. The Department of Environmental Conservation's website warns:

Consumers should erase all personal and confidential data on their electronic equipment before sending it for recycling or reuse. Reformatting your hard drive or deleting files does not destroy your data. The resources listed on the right side of this page under "Offsite links" provide guidance on data wiping, etc.; however, there might be other data security service resources and options available. Please note, the Department is not responsible for the contents of any offsite webpages referenced. These links are provided as a public service only (see disclaimer on the Electronic Equipment Recycling and Reuse Act main page).

This means that consumers need to take appropriate steps to safeguard data before submitting their CEE to be recycled under this program. Under New York's new law, the manual for electronic products that contain internal memory capabilities, such as a hard drive which could retain personal or other confidential information, must describe for consumers how they can destroy such data before surrendering the products for recycling or reuse.
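As an added illustration of the Department's warning (example code written for this page, not from the DEC site or the post): deleting a file only drops its directory entry, so the mitigation on a conventional magnetic disk is to overwrite the file's bytes in place before unlinking it. The sample record and the marker value are constructed; the comments note where the magnetic-disk assumption does not hold.

```python
"""Overwrite-before-delete for a file slated for disposal (added example).

Unlinking a file, or quick-formatting a disk, rewrites only filesystem
metadata; the data blocks stay on the medium until something reuses them.
Overwriting the blocks in place first is the traditional mitigation for
magnetic disks.

Assumption: a conventional magnetic disk and an in-place filesystem. On
SSDs (wear levelling remaps writes), on copy-on-write or journaling
filesystems, and on cloud block storage, an in-place overwrite is NOT
guaranteed to reach the physical blocks; there, rely on full-disk
encryption with key destruction, the vendor's secure-erase command, or
physical destruction of the media.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written per I/O call


def overwrite_in_place(path: str, passes: int = 2) -> int:
    """Overwrite every byte of ``path`` in place ``passes`` times.

    Earlier passes write cryptographically random bytes; the final pass
    writes zeros so a later inspection shows a blank file rather than
    noise. Returns the number of bytes overwritten per pass.

    Mode "r+b" (not "wb") is deliberate: "wb" truncates the file to zero
    length first, which lets the filesystem hand out fresh blocks and
    leaves the old ones, still holding the data, untouched.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(bytes(n) if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device, not just the page cache
    return size


def secure_delete(path: str, passes: int = 2) -> int:
    """Overwrite ``path`` in place, then unlink it. Returns bytes wiped."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)  # only now drop the directory entry
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """True if the bytes of ``marker`` are still readable from ``path``."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo() -> dict:
    """Show the before/after states on two constructed sample files."""
    marker = b"SSN 123-45-6789"  # constructed sample value, not real data
    fd, path = tempfile.mkstemp(prefix="recycle-me-")
    fd2, path2 = tempfile.mkstemp(prefix="recycle-me-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"Employee record (constructed sample)\n")
            f.write(marker + b"\n")
            f.write(b"x" * (3 * CHUNK + 17))  # spans several chunks, odd-sized tail
        size_before = os.path.getsize(path)
        result = {"marker_before": contains_marker(path, marker)}
        wiped = overwrite_in_place(path)
        # The file still exists, same size, but the record is gone from it.
        result["marker_after_overwrite"] = contains_marker(path, marker)
        result["size_unchanged"] = wiped == size_before == os.path.getsize(path)
        os.unlink(path)
        result["exists_after_unlink"] = os.path.exists(path)
        # One-call form on the second file.
        with os.fdopen(fd2, "wb") as f:
            f.write(marker)
        result["secure_delete_bytes"] = secure_delete(path2)
        result["exists_after_secure_delete"] = os.path.exists(path2)
        return result
    finally:
        for p in (path, path2):
            if os.path.exists(p):
                os.unlink(p)


if __name__ == "__main__":
    print(demo())
```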

Activity in Other States

As reported in the BNA Privacy and Security Law report, a pending law in New Jersey (A. 2975) "would require businesses and government agencies to destroy personal data stored on a digital copy machine before disposing of it." The State's Attorney General would be able to seek penalties of up to $10,000 for the first offense and up to $20,000 for subsequent violations. Similar laws are being considered in Nevada, Florida, Connecticut and Oregon.

Jumping on the e-Application, Electronic On-Boarding Bandwagon?

Prepared by Lillian Moon

In an effort to go "green" or "paperless," employers have been rapidly moving to electronic employment application and on-boarding systems. This movement has created a cottage industry with vendors of all kinds seeking to help employers obtain the benefits of this technology.

These vendors often promise significant advantages for those making the switch, such as (i) thousands of dollars in savings due to reduced paper and paperwork costs, (ii) simplified compliance for human resources through the use of the proper electronic forms, and (iii) increased productivity. These advantages can be particularly attractive to businesses facing the demands for increased effectiveness and efficiency, the difficulties of managing an off-site/remote workforce, and the expectations of technologically savvy job applicants.

While going green by reducing the use of paper and moving to a web-based employment application and on-boarding system can increase efficiency and reduce costs, employers should be aware of the fresh workplace challenges such a move can present. Before jumping in, employers need to consider issues such as the privacy, security and management of personal data, compliance with various federal and state regulations governing the use of electronic media in obtaining verifiable signatures, how to provide required notices, and the implications of having employees electronically fill out required tax and other government hiring forms, among other things.

Key considerations and questions for employers include the following:

  • Does the company have to comply with the federal Electronic Signatures in Global and National Commerce Act or a state law equivalent?
  • Are there laws limiting the personal information that may be collected from applicants?
  • Can the company require that employees receive notices electronically?
  • Can the company require that employees make their benefit elections and receive benefit plan summaries and other benefits documents electronically?
  • Is the process subject to collective bargaining?
  • How must personal information collected during the process be safeguarded, retained, preserved, and, ultimately, destroyed?
  • Are there special rules for government contractors?
  • Are electronic consents for fitness-for-duty examinations, background checks, and drug testing valid?
  • Can employees fill out I-9 forms electronically? Can the company retain only electronic copies of the I-9 forms?
  • If an applicant is hired, how should the collected information about the person be transferred accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes? Does the company have a plan or policy in place that not only addresses how the information is safeguarded, but how to respond if a data breach occurs?
  • Are there specific ERISA (Employee Retirement Income Security Act), HIPAA (Health Insurance Portability and Accountability Act), IRS (Internal Revenue Service), and other regulations that apply to using an electronic medium? How do these regulations intersect and how do they differ?
  • Do the rules change for applicants from other countries?
  • Can handbooks be provided on-line as part of the on-boarding process?
  • Can direct deposit forms be filled out and signed electronically?
  • Can restrictive covenant agreements be signed electronically?
  • Can employees be notified of and sign arbitration agreements electronically?
  • Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is the data stored by the vendor? Are appropriate contract provisions in place?

Employers implementing electronic application and on-boarding systems may realize savings of time and money. However, those savings may be short-lived if the on-line process is not designed to fit the particular company and address its particular needs and risks. Before taking this step, employers should seek appropriate guidance in navigating their way through the regulatory quagmire that is implicated by the seemingly simple act of going green.

Deleting E-mails Can Constitute a "Damage" Under the Computer Fraud and Abuse Act

What is a company’s recourse when a former employee deletes e-mails and other company electronic information before he leaves? A case from Indiana provides a lesson.

When Meridian Financial Advisors began serving as Receiver for bankrupted OCMC, Inc., it took possession of a number of OCMC computers, including one belonging to Joseph A. Pence, OCMC's President and CEO. In the course of its investigation, Meridian learned that OCMC employees, including Mr. Pence, had deleted e-mails and computer documents detailing improper conduct just before leaving OCMC. Meridian filed suit against Pence and others in connection with OCMC's collapse, including a claim for civil damages under the Computer Fraud and Abuse Act (“CFAA”) for damaging OCMC’s protected computers. Meridian Fin. Advisors Ltd. v. Pence, No. 07-995 (S.D. Ind. 1/14/11).

A person violates CFAA by:

knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer. 18 U.S.C. § 1030(a)(5)(A)(i).

Civil penalty provisions under the CFAA allow for recovery of compensatory damages when the damage exceeds $5,000.

Pence argued that even if a deletion occurred there was no damage to OCMC computers and, therefore, no damage under the CFAA. The federal district court rejected this argument, pointing out that the statute defines "damage" as:

any impairment to the integrity or availability of data, a program, a system, or information. 18 U.S.C. § 1030(e)(8).

The court reasoned that a "deletion of files impairs the availability of data and, as such, is covered under the statute" (citing other cases with similar holdings, Monson v. Whitby Sch., Inc., No 3:09-CV-1096, 2010 WL 3023873, at *3 (D. Conn. Aug. 2, 2010) (under some circumstances, deletion of an employee’s own e-mail can give rise to a CFAA claim); and Condux Int’l, Inc. v. Haugum, No. 08-4824, 2008 WL 5244818, at *8 (D. Minn. Dec. 15, 2008) (same with deletion of evidence of computer use)).

The court went on to address whether Pence deleted the e-mails without authorization, a required element for recovery under the CFAA. While the courts are not in agreement on this issue, the U.S. Court of Appeals for the Seventh Circuit (which has jurisdiction over Illinois, Indiana, and Wisconsin) recognizes that previously authorized use of a computer system may become unauthorized when an employee breaches his duty of loyalty to his employer. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). The district court in Pence followed the holding in Citrin, although a question of fact remained as to whether Pence actually deleted the e-mails. Because of the open question of fact, the court could not grant Meridian's motion for summary judgment.

Deletion of files is becoming common practice when employees, typically key employees, leave an organization. Where possible, employers should try to prevent the deletions and take steps to better manage their important data. However, when these kinds of deletions happen, in the right cases, the CFAA can be a valuable tool for employers to remedy their damages. 

Employers Beware: Aggrieved Employee Commits Data Breach Affecting 2400 Individuals

Written by: Lillian Moon

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistleblower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee's access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.

Red Flag Program Clarification Act Signed Into Law

As we reported here, the Senate passed legislation to clarify the application of the "red flag" rules to "creditors."  The law, the Red Flag Program Clarification Act of 2010, made its way through the House and, on December 18, 2010, was signed into law by President Barack Obama.

The Act makes clear that the red flag rules apply to a creditor that:

regularly and in the ordinary course of business - 

(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

(ii) furnishes information to consumer reporting agencies [defined elsewhere in the Fair Credit Reporting Act] in connection with a credit transaction; or

(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.


The definition of "creditor" under the Act goes on, however, to exclude those creditors that fall into item (iii) above, if the creditor advances funds for expenses incidental to a service provided by the creditor to the person. For many who believed that the red flag rules were never intended to apply to them, such as health care providers and attorneys, this language is expected to provide the relief they were seeking.


California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrence of unlawful or unauthorized access, use or disclosure of that patient's medical information.

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

  • $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
  • $250,000 because the facility failed to prevent the theft of 596 patients’ medical information.

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to a maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents. Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continues to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue.

Protecting Confidential Business Information

We've written extensively here on the importance of safeguarding personal information. We've also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company's most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients' information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

Senate votes on Red Flag Program Clarification Act of 2010

As reported by the American Bar Association and PHIprivacy.net, lawyers, accountants, health care providers and others soon may get some clarity as to whether the "red flag" rules apply to them. The United States Senate voted unanimously to pass the Red Flag Program Clarification Act of 2010. Under the Act, according to statements from Sen. Christopher Dodd (D) of Connecticut:

lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

After the Red Flags Rule became final, many businesses indicated that they were not aware that they would be covered by this rule. Despite the Federal Trade Commission delaying enforcement of the rule several times to allow these entities time to come into compliance, a number of professional organizations, including the American Bar Association and the American Medical Association, sued the FTC for taking the position that professionals were “creditors” when they allowed consumers to pay later, and would have to comply with its Red Flags Rule. On May 28, 2010, the FTC announced that it would delay enforcing its Red Flags Rule through December 31, 2010 and asked Congress to pass legislation that would resolve any questions about which entities should be covered as “creditors” and to obviate the need for further enforcement delays.

Presently, only the Senate has acted on this request. The measure will need to be approved by the House of Representatives and signed by President Obama. Still, this is encouraging news for many concerned about compliance with this new mandate.  

Doctors' Orders Through Your Cell Phone?

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

  • As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
  • Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
  • Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
  • One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
  • Employers who provide phones to their employees and have the right to review text messages (see the recent U.S. Supreme Court decision in Quon v. City of Ontario) can easily find themselves with access to all kinds of medical information of employees, and possibly of their dependents, who give their doctors their cell phone number. The risks here could be significant.

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

Employees Protected from Retaliation When Raising Concerns about HIPAA and Data Security

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee's retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistleblowing activity - voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning.

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees who raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns as employees become more aware of breaches reported in the media over the past few years and grow anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

Federal Agencies Tighten Data Security Screws on Federal Contractors

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advance notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS). 

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts: basic safeguarding, enhanced safeguarding, and cyber intrusion reporting. 

Basic safeguards, required for any unclassified DOD information, include:

  • Designating the level of access and dissemination of information
  • Protecting DOD information on public computers or Web sites
  • Transmitting electronic information using technology and processes that provide the best level of security and privacy
  • Transmitting voice and fax information with reasonable assurances that access is limited
  • Protecting information by at least one physical or electronic barrier
  • Sanitizing media in accordance with National Institute of Standards and Technology (NIST) guidance before external release or disposal
  • Providing protection against computer intrusions and the unauthorized release of data

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

  • Encryption and storage controls
  • Network intrusion protection
  • Implementation of information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

Data Privacy and Security Primer for Law Firms

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people.  The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing,” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms. 

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

The Fundamentals of a Risk Assessment

The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?

In most cases, the first step for the group charged with this task is to understand the organization's "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment.

Risk assessments come in many forms and should be designed to fit your particular organization. 

Connecticut Insurance Commissioner Announces Data Breach Notification Mandate

On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any "information security incident." This post provides a brief summary of this new requirement.

Who must provide the notice?

The Bulletin applies to all licensees and registrants of the Department. This generally means all entities regulated by the Insurance Department, including, insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans.

Additionally, in cases where the information security incident happens at a vendor or business associate, the Department expects to be notified of the incident as well as how the licensee or registrant is managing the vendor's/business associate's activities and what protections and remedies are being put in place by the vendor/business associate for the Connecticut consumers.

What is an "information security incident"? 

Under this Bulletin, an information security incident is:

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

Thus, unlike the general Connecticut data breach notification statute, which requires notification only with respect to computerized personal information, this mandate also applies to paper documents that include personal health, financial, or personal information. Also, encrypted data is not exempt from this notification requirement.

What is personal health, financial, or personal information?

The Bulletin does not define this term and, therefore, is unclear in this regard. However, in discussing its authority to impose the requirement, the Department cites to Conn. Gen. Stat. §42-471, which defines "personal information" to mean:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

This definition, however, may not be as broad as how the Department views the term "personal health, financial or personal information." Licensees and registrants should be careful here and err on the side of being more inclusive when deciding whether an incident needs to be handled in accordance with this Bulletin.

When must notification be provided?

The Bulletin requires licensees and registrants of the Department to notify it of the incident as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified.

Where should notice be sent?

Notification should be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.

What must the notice include?

Notification should include as much information as is known concerning the incident. The Bulletin provides the following list of items of information to be reported to the Department:

  • Date of the incident
  • Description of incident (how information was lost, stolen, breached)
  • How discovered
  • Has lost, stolen, or breached information been recovered and if so, how
  • Have individuals involved in the incident (both internal and external) been identified
  • Has a police report been filed
  • Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records, etc.)
  • Was information encrypted
  • Lost, stolen or breached information covers what period of time
  • How many Connecticut residents affected
  • Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
  • Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur.
  • Copies of the licensee's/registrant's Privacy Policies and Data Breach Policy.
  • Regulated entity contact person for the Department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
  • Other regulatory or law enforcement agencies notified (who, when)

One of the items on this list to note is a Data Breach Policy which all entities should consider adopting even if not subject to this Bulletin.

Does the Department require that credit monitoring be offered in the event of an information security incident?

It looks like the Department may require credit monitoring in some circumstances. The Bulletin states that:

Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

In addition, the Department wants to review the draft letters informing individuals of the information security incident.

Will the Department impose penalties?

The Bulletin states that the Department will evaluate each incident independently based on the applicable circumstances, and notes that some situations may warrant imposition of administrative penalties. The Department urges licensees and registrants to follow these procedures in order to minimize the possibility of penalties.

Licensees and registrants surely will need to review this guidance and incorporate it into their information security programs. Other entities should take note of this development and recognize the increasing efforts by federal and state agencies to safeguard personal information.

California Bill Would Strengthen Existing Breach Notification Law

Update - On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and to require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, and North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

  • a general description of the breach incident;
  • the type of information breached;
  • the date and time of the breach;
  • whether the notification was delayed because of a law enforcement investigation; and
  • a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.

Federal Law Introduced to Require Credit Monitoring Following Data Breach

On August 5, 2010, U.S. Senators Mark Pryor (D-AR) and John D. (Jay) Rockefeller IV (D-WV) introduced legislation to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide affected individuals with the tools they need to protect their credit and finances, including credit monitoring services.

More specifically, the "Data Security and Breach Notification Act of 2010" would require entities that own or possess data containing personal information to establish reasonable security policies and procedures to protect that data. If a security breach occurs, entities would have to notify each individual whose information was acquired or accessed as a result of the breach within 60 days. Affected consumers would be entitled to receive consumer credit reports or credit monitoring services for two years, as well as instructions on how to request these services.

In support of the new law, the press release issued by the Senate Committee on Commerce, Science, and Transportation notes that data security breaches and identity theft are a growing problem in the United States. In 2009, the business industry experienced the greatest number of data breaches (41.8%), followed by government/military (18.1%) and education sectors (15.7%).

Of course, passage of this measure is possible, but, given the number of prior efforts to pass a national data breach notification law, passage seems unlikely. The credit monitoring mandate, the cost of which could be considerable for businesses affected by a data breach, makes passage even less likely. Businesses should stay tuned . . .

Rite Aid Agrees to $1 Million Payment to HHS Concerning Potential HIPAA Privacy Violations

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps, including:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

To host or not to host?

Guest Post from Pat Yu* of Accero. We are happy to make Mr. Yu's insights available to our readers as they are important considerations for companies considering alternative data and systems management strategies. Enjoy this post: 

To host or not to host . . . That’s ultimately the critical question when it comes to major internal system deployments, such as human capital management (HCM) solutions. To help you move toward a smart, strategic decision, here is a high-level overview of each model:

Licensed

Still widely used by most companies, licensed software delivery often provides users more control. You purchase a license, install the software and use your internal resources to manage and configure or customize the solution. When companies purchase licenses for a major software solution, they are ultimately responsible for all aspects of application management, including installing upgrades, troubleshooting issues and hardware maintenance.

Hosted

Hosting is most often provided today in the form of Software as a Service, or SaaS. In this model, the vendor hosts the solution and users access it via the web. One of the key benefits of selecting a hosted model, besides the scalability and convenience of 24x7 web access, is the fact that the software provider is responsible for:

  • Managing both the software and hardware components of the application
  • Network issues such as redundancy, data backup and disaster recovery planning
  • Managing the data center or centers that deliver the application
  • Upgrading the software automatically for customers on a regular schedule

A checklist for decision makers

Hosting in and of itself is simply a delivery model. A software application must meet your business requirements; how it is delivered (licensed vs. SaaS) may be part of your requirement, but it should not be the primary factor. Follow the checklist below to help your organization determine which solution best fits your needs:

  • Clearly define your business requirements
  • Inventory solution providers (licensed and hosted)
  • Evaluate systems to ensure they meet your high priority requirements
  • Consider growth strategies and make sure the solution will scale to match
  • Prepare a minimum four-year cost analysis to evaluate cost of ownership (this should include the cost to host the solution in house if you are considering a traditional license – and the IT resources needed to manage it)
  • Review implementation timeframe (SaaS is often faster to deploy)
  • Consider other costs – IT resources, hardware, software, time, etc.

*Pat Yu is the Director of Product Development at Accero, a Payroll, Human Resources and Human Capital Management software and service provider. Visit www.accero.com or call 800.429.2674.