Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

By:  Lillian Chaves Moon

In the face of increasing incidences of and rising public concern regarding identity theft, the California Legislature is considering a bill with new personal information data disclosure requirements for California businesses and a broad definition of what constitutes personal information.

California Assembly Bill 1291, would require businesses who have customer personal information and have disclosed such information to provide each such customer with notice of the names and contact information of all third parties who received personal information from the business and provide a designated request address at which to receive requests from customers as provided for under the bill. Additionally, the business must make available, free of charge, access to or copies of all of the customer’s personal information that the business holds. Also, if the business has any online privacy policies, each privacy policy must also include a statement of the customer’s rights as provided in the legislation and a designated request address.

Personal information broadly includes, but is not limited to, any of the following: (1) identity information such as real name, alias, nickname, and user name; (2) address information, including but not limited to, postal address, e-mail, internet protocol address; (3) telephone number; (4) account name; (5) social security number or other government-issued identification number, such as a driver’s license number, identification card number, and passport number; (6) birthdate or age; (7) physical characteristic information such as height and weight; (8) sexual information, including but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression; (9) race or ethnicity; (10) religious affiliation or activity; (11) political affiliation or activity; (12) professional or employment-related information; (13) educational information; (14) medical information; (15) financial information; (16) commercial information; (17) location information; (18) internet or mobile activity information; (19) content including text, photographs, audio or video recordings, or other material generated by or provided by the customer; and (20) any of the above information as it relates to the customer’s children.

Customer is defined as an individual who is a resident of California and provides personal information to a business “in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.” Customers also include individuals for whom the business obtained personal information from another business. Accordingly, the bill would cover individuals who are not traditionally thought of as customers and may also include a business’ employees.

All businesses, including employers, with operations in California or with California customers must stay abreast of these developments and, given the breadth of personal information implicated, no such business can be exempt from the requirements. In preparation for the passing of this or a similar bill, it is important to determine how customer personal information is disclosed and set forth a compliance plan to meet the pending disclosure and access requirements.

• Email This
• Print
• Comments
• Trackbacks

The Fourth District Court of Appeal for the State of California expanded the tort of "public disclosure of private facts" under that state's common law right to privacy in a case involving a claim by an employee against her supervisor and employer. Ignat v. Yum! Brands, Inc. et al, No. G046434, (Cal. Ct. App. March 18, 2013). The plaintiff in that case suffered from bi-polar disorder and occasionally missed work due to the side effects of medication adjustments.  After returning from such an absence, the plaintiff alleged that her supervisor had informed everyone in her department about her medical condition and that, as a result, she was "shunned" and a co-worker asked if she was going to "go postal."  The plaintiff filed suit alleging a single cause of action for invasion of privacy by public disclosure of private facts. The trial court dismissed her claim on summary judgment because the disclosure of her condition was not in writing, relying on California case law from the early 1930's.

On appeal, the court reversed the dismissal, concluding that "limiting liability for public disclosure of private facts to those recorded in writing is contrary to the tort's purpose, which has been since its inception to allow a person to control the kind of information about himself made available to the public - in essence to define his public persona."  The court went on to note that, "[w]hile this restriction may have made sense in the 1890's - when no one dreamed of talk radio or confessional television - it certainly makes no sense now."

The court also clarified that the common law tort of invasion of privacy was not based on the guarantee of privacy which was added to the California Constitution in 1972 and noted that the two legal theories (common law and the State Constitution) provide "separate, albeit related ways to ensure privacy."

Different states have interpreted the common law right of privacy in the workplace in different ways. In Minnesota, for example, a district court rejected a lawsuit by an employee who claimed that her employer violated her right to privacy when it informed approximately 12 to 15 individuals that she suffered from multiple sclerosis. That court determined that because the disclosure was not "accessible to the public at large," it did not qualify as public in nature for purposes of maintaining an invasion of privacy claim. Johnson v. Cambell Mithun, 401 F. Supp.2d 964 (Minn. 2005).

If an employee is out on medical leave or requires an accommodation, employers may be asked what information, if any, can be disclosed to co-workers and supervisors about that employee's medical condition, and the reason for her leave or accommodation. HIPAA is probably not implicated in such situations because most employers are not covered entities in this context. Both the Americans with Disabilities Act (ADA) and the Family Medical Leave Act (FMLA), however, require employers to maintain confidentiality of medical information. See 29 C.F.R. Section 1630.14(c) (relating to ADA) and 29 C.F.R. Section 825.500 (relating to FMLA).

Employees asserting a common law claim for invasion of privacy against their employer based on the disclosure of medical information have not often been successful, but Ignat suggests the tide may be changing. The best practice is to reveal as little as possible to those with a need to know.

• Email This
• Print
• Comments
• Trackbacks

In 2012, California took significant steps to increase privacy protections for users of mobile applications (apps) which involved working with companies such as Amazon, Apple, Facebook, Google, Hewlett-Packard, and Microsoft. In July 2012, the Attorney General created the Privacy Enforcement and Protection Unit, with the mission of protecting the inalienable right to privacy conferred by the California Constitution.

These efforts led to the "Privacy on the Go" booklet published this month which sets out a range of helpful recommendations for app developers. Of course, many of the same principles discussed in this booklet would be helpful to any organization seeking to secure personal information. 

• Email This
• Print
• Comments
• Trackbacks

California Governor Jerry Brown has signed into law (AB 2674) new requirements specifying when and how employers must respond to their employees’ requests for inspection and copying of their personnel files. The new requirements become effective January 1, 2013.

Click here for more information about the new law.

• Email This
• Print
• Comments
• Trackbacks

Late last week, California Governor Jerry Brown "took to Twitter, Facebook, Google+, LinkedIn and MySpace to announce that he has signed two bills that increase privacy protections for social media users in California."

As discussed, one of the bills, A.B. 1844, updates California's Labor Code to significantly limit when employers could ask employees and job applicants for social media passwords and account information. However, the law permit employers to request an employee to divulge personal social media activity reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception  applies so long as the social media is used solely for purposes of that investigation or a related proceeding.

The other bill, S.B. 1349, establishes a similar privacy policy for postsecondary education students with respect to their use of social media. While the bill prohibits public and private institutions from requiring students, prospective students and student groups to disclose user names, passwords or other information about their use of social media, it stipulates that this prohibition does not affect the institution’s right to investigate or punish student misconduct

The new laws take effect Jan. 1, 2013.

• Email This
• Print
• Comments
• Trackbacks

Updating an earlier post, California A.B. 1844 is on its way to Gov. Jerry Brown. If signed into law, the bill would update California's Labor Code to significantly limit when employers could ask employees and job applicants for social media passwords and account information. However, the law would still permit employers to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception would apply so long as the social media is used solely for purposes of that investigation or a related proceeding.

If A.B. 1844 becomes law, it would join Maryland and Illinois which have enacted similar laws.

• Email This
• Print
• Comments
• Trackbacks

Not long after Maryland enacted a law prohibiting employers from demanding passwords to employees' or prospective employees' Facebook and certain other social media accounts, the California State Assembly voted 73-0 in favor of A.B. 1844. The California bill would prohibit an employer from requiring: 

an employee or prospective employee to disclose a user name or account password to access a personal social media account that is exclusively used by the employee or prospective employee.

The state's Senate will now need to consider the measure, where a related bill, S. 1349 (named "The Social Media Privacy Act"), would also protect students from having to disclose similar information to school officials. A hearing on S. 1349 is scheduled for May 21. Congress and a number of other states, including, Delaware, Illinois, Michigan, Minnesota, Missouri, New York, and South Carolina are considering similar measures.

Employers will need to monitor these developments carefully and consider how to advise and train their managers and human resources personnel about these new requirements.
 

• Email This
• Print
• Comments
• Trackbacks

Joining six other states, California will impose significant restrictions on an employer’s ability to obtain a credit report for employment purposes. The law becomes effective January 1, 2012.

California Assembly Bill 22, signed by Governor Jerry Brown, generally permits employers who are seeking to fill only specific, identified “exempt” positions to obtain and use credit reports to screen applicants and/or current employees. The use of the credit reports in other occupations generally is prohibited. Further, employers will be required to provide the employee or applicant with a disclosure statement setting forth the specific basis permitting the employer to obtain a credit report. 

Click here for more information about this law.

• Email This
• Print
• Comments
• Trackbacks

In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states.  The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business in the state,” without further defining what “conducting business” would entail. 

The law was amended to require notification of a breach of system security to any individual whose sensitive personal information was, or is reasonable believe to have been, acquired by an unauthorized person.  A review of the amendment reflects the legislature’s intent to expand the notification requirement by its deletion of the language “resident of this state” from the current data breach notification law. 

This law has obvious far reaching import for residents of the four states which do not currently maintain data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota).  Under Texas’ law, residents of these states whose personal information is owned, licensed or maintained by a business/employer subject to Texas law would now receive notification of a breach of their personal information. 

Additionally, Texas’ breach notification law does not include a “risk of harm trigger.”  A number of state data breach notification laws only require notification where illegal use of the breached personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.  However, under Texas’ law, notification is required only upon acquisition, without regard to a risk of harm.  While Texas’ amended law appears to include some limiting language on its application to states that have their own breach notification laws, as worded, it is unclear whether this would include states whose risk of harm trigger would not require notification.  Accordingly, for those entities which conduct business in Texas, notification of those affected may be required even if the individual’s home state would not have required notice in the case of low-risk breaches 

The amendment also adds civil penalties for any person who fails to take reasonable actions to comply with the notification requirements.  These penalties are compounded by the number of individuals who are not notified and for each consecutive day notification is not provided, resulting in a maximum fine of $250,000.  Additionally, the amendment makes a violation a misdemeanor, unless the breached information is protected by HIPAA, which would elevate the violation to a felony. 

Companies, especially those that maintain vast amounts of personal information for persons in multiple states, must be aware of the various state laws which potentially impact there business and amendments like those highlighted above. See also recent amendments to the breach notification statutes in California and Illinois.

• Email This
• Print
• Comments
• Trackbacks

As we suspected, California's current governor, Edmund G. “Jerry” Brown, Jr. (D), signed into law S.B. 24, which adds some additional protections to the state's current data breach notification requirements. The champion of this law and its recent enhancements, State Sen. Joe Simitian (D-Palo Alto), has finally succeeded after a number of prior attempts to pass this measure were vetoed by then-Gov. Arnold Schwarzenegger (R).

Summary of Changes

Under S.B. 24, breaches occurring on and after January 1, 2012, that require notification to California residents will have to meet the following additional requirements:

• The notifications themselves will need to satisfy specific content requirements, such as including a description of the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies;
• If more than 500 California residents are affected by a single breach, an electronic copy of the breach notification must be send to the California Attorney General;
• If the law's "substitute notice" provisions are used, notice also must be provided to the Office of Information Security or the Office of Privacy Protection. Substitute notice is permitted when the person or business required to provide the notice demonstrates that (I)(i) the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or (ii) that the affected class of subject persons to be notified exceeds 500,000, or (II) the person or business does not have sufficient contact information. Prior to the change, substitute notice consisted of only email notification, conspicuous posting of the notice on the person or business' website, and notification to statewide media.

Companies responding to multi-state breaches face significant challenges trying to harmonize the various state law requirements. See, for example, the recent changes to the Illinois statute. Presently, a number of bills are being considered in Congress that would preempt all of the state laws in this area, however, passage of one of these laws does not appear to be imminent. As data breaches go global, similar concerns exist as countries are enacting their own breach notification mandates.

• Email This
• Print
• Comments
• Trackbacks

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.  

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law have been vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D) may likely sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media and notifying the California Office of Privacy Protection. 

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised.  Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier's hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

• Email This
• Print
• Comments
• Trackbacks

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks

In the name of vehicle safety, California Assembly Bill 1942 will permit among other things “driver cams” to be mounted on vehicle windshields beginning on January 1, 2011. Formally known as “video event recorders,” these devices can continuously record audio, video, and G-force levels in a digital loop in order to help identify bad driver habits or other factors that lead to vehicle accidents. Well intended, the new law certainly will create a range of privacy issues for employers, particularly those in the transportation and delivery business.

Specifically, the law will permit the monitoring of driver performance through video event recorders so long as the following are satisfied:

• Size limitation – The recorder must be mounted either (i) in a seven-inch square in the lower corner of the windshield farthest removed from the driver, (ii) in a five-inch square in the lower corner of the windshield nearest to the driver and outside of an airbag deployment zone, or (iii) in a five-inch square mounted to the center uppermost portion of the interior of the windshield.
• Notice requirement – A notice must be posted in a visible location informing passengers that their conversations may be recorded.
• Length of recording – No more than 30 seconds may be recorded before or after a triggering event, e.g., a collision.
• Driver for hire rights – Employers that install a video event recorder in vehicles of their employees driving for hire must provide those employees with unedited copies of the recordings upon the request of the employee or the employee’s representative. These copies must be provided free of charge to the employee and within five (5) days of the request.

There are a number of obvious issues that face employers interested in utilizing video event recorders, such as not knowing what information will be captured by these devices and how to discipline employees who violate policy as shown in the recording. There are other less obvious issues which employers should consider when deciding to implement this technology.

For example, the law does not provide a period after which employees can no longer request a copy of the recording. This raises the question of how long recordings must be maintained. Another concern is whether information captured in a recording could be used against the employer, such as in a wage and hour class actions or violations of common carrier or vehicle safety requirements. Because the law is designed to address vehicle safety, a question exists as to whether the law implies a training requirement on employers aware of bad driving habits of employees from the recordings.

For these and other reasons, employers ought to think carefully before implementing this technology.

• Email This
• Print
• Comments
• Trackbacks

Update - On September 29, 2010, Governor Arnold Schwarzenegger for the third time vetoed S.B. 1166.

California led the way in 2002 when it enacted the nation’s first data breach notification law. Last week, the State’s lawmakers sent Governor Arnold Schwarzenegger S.B. 1166 (pdf), which would mandate that data breach notification communications include more detailed information about the breach and that businesses experiencing data breaches affecting more than 500 Californians notify the State’s Attorney General.

Since California enacted its data breach notification law, lawmakers have been trying to make changes to it, with mixed results. Assembly Bill 1298 ("A.B. 1298"), which became effective January 1, 2008, expanded the application of the existing law to include medical and health information. However, to date, attempts to add content requirements to the notice and require notification to the State’s Attorney General have failed, despite similar requirements in the laws of a number of other states, such as Massachusetts, New York, North Carolina.

S.B. 1166 marks the third attempt by Senator Joe Simitian to amend the law in this manner. Both prior attempts were vetoed by the Governor Schwarzenegger. In addition to requiring notice to the State’s Attorney General for certain breaches, his current effort would require notices stating:

• a general description of the breach incident;
• the type of information breached;
• the date and time of the breach;
• whether the notification was delayed because of a law enforcement investigation; and
• a toll-free number of major credit reporting agencies if the breach exposed Social Security numbers, driver's license numbers, or state identification card numbers.

Because many states have similar content requirements and there are a number of websites that report on data breaches, passage of S.B. 1166 should not impose a significant burden in breaches involving individuals in multiple states. Nonetheless, companies should be alert to developments in California and be prepared to update their California data breach notification policies should the measure pass.
 

• Email This
• Print
• Comments
• Trackbacks

Keystroke logging (or “keylogging”) is the noting (or logging) of the keys struck on a computer keyboard. Typically, this is done secretly, so  the keyboard user is unaware his activities are being monitored.

Several cases throughout the country have examined an employer’s use of keylogging.  Recently, the Criminal Court of the City of New York held in New York v. Klapper  that an employer who installed keylogging software on office computers and subsequently monitored an employee's e-mail activity did not, absent some showing of contrary e-mail protections or acceptable use policies, access a computer “without authorization” in violation of New York law. 

In some of the strongest language against the premise of e-mail privacy to date, the Court stated in its April 28, 2010 opinion:

[t]he concept of internet privacy is a fallacy upon which no one should rely. It is today’s reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke. 

The Court found that e-mails are more akin to a postcard than a letter, as they are less secure and can easily be viewed by a passerby. An employee who sends an e-mail from a work computer sends a communication that will travel through the employer's central computer and will be commonly stored on the employer's server even after it is received and read. Once stored on the server, the employer can easily scan or read all stored e-mails or data. The same holds true once the e-mail reaches its destination, as it travels through the Internet via an Internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in e-mail communications.

In contrast to the strong language from New York, the U.S. District Court for the Northern District of California ruled in Brahmana v. Lembo that a plaintiff could proceed to trial in his case alleging his employer committed an impermissible “interception” under the Electronic Communications Privacy Act (ECPA) by using keylogging to discover the password to his personal e-mail account, and using the logged password, accessed his personal e-mail.  However, another California District Court found in United States v. Ropp that because the keylogger recorded the keystroke information in transit between the keyboard and the CPU, the system transmitting the information did not affect interstate commerce as the required by the ECPA.  Further complicating the issue, a federal court in Ohio questioned Ropp, suggesting in Porter v. Havlicek that it read the statute too narrowly by requiring the communication to be traveling in interstate commerce as opposed to merely “affecting interstate commerce.”

Because of the numerous issues arising from the use of electronic communications, and the varying court opinions on these questions, employers would do well to reexamine their use of keystroke monitoring or logging technology on a regular basis.

• Email This
• Print
• Comments
• Trackbacks

As highlighted by many news sources, including CNN.com and MSNBC.com, the United States Supreme Court listened to oral argument (pdf) today in the case of City of Ontario v. Quon today. This is the case involving a police officer who claimed his employer violated his privacy when it read the personal text messages (which happened to be sexually explicit in nature) which he sent and received using his department issued pager.  For further information concerning this case, see our prior analysis, as well as the discussion at Inc.com. Stay tuned for an update following the Supreme Court's decision. 

• Email This
• Print
• Comments
• Trackbacks

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

1. designating one or more employees to coordinate the program;
2. identifying reasonably foreseeable internal and external risks;
3. assessing the sufficiency of data safeguards;
4. training employees in the program’s practices and procedures;
5. limiting outside service providers to those maintaining adequate data security safeguards; and
6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

• Email This
• Print
• Comments (3)
• Trackbacks

The U.S. Supreme Court’s recent grant of certiorari in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. highlights the effects new technologies continue to have on workplace privacy issues. One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager. The U.S. Court of Appeals for the Ninth Court sided with the police officer when it ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

The underlying suit was filed by police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant after one of Quon’s superiors audited his messages and found that many of them were sexually explicit and personal in nature.   Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating. Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or privacy employers.  

• Email This
• Print
• Comments
• Trackbacks