Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

. . . A Potential Headache for Employers of Younger Workers

Written by Lillian Moon

Retail, entertainment, hospitality and other industries that traditionally employ large numbers of younger workers may soon get dragged into criminal proceedings because of “sexting” by their younger workers. Florida has joined 20 other states — Alaska, Arkansas, California, Hawaii, Indiana, Iowa, Kansas, Mississippi, Nevada, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas, and Guam — which have all enacted similar legislation addressing teen sexting. Because employees frequently transmit these materials using their employer’s networks, criminal prosecutions under these laws may require employers to respond to discovery requests and subpoenas, or permit searches pursuant to warrants obtained by law enforcement authorities, which, in turn, may unexpectedly trigger disciplinary proceedings.

On June 21, 2011, Florida Governor Rick Scott signed into law H.B.75/S.B. 888. Under this law, which will take effect beginning October 1, 2011, a minor (anyone under the age of 18) commits the criminal act of “sexting” if he or she knowingly uses a computer, cell phone, or other transmission device (1) to transmit or distribute to another minor a photograph or video of any person which depicts nudity; or (2) possesses such photograph or video which was transmitted or distributed by another minor, unless the photograph was unsolicited, the minor took reasonable steps to report the photograph or video to their legal guardian, school official, or law enforcement, and the minor did not transmit or distribute the video or photograph to a third party. A minor’s first offense is considered noncriminal and is punishable by 8 hours or community service or a $60 fine. The minor’s second offense is a misdemeanor in the first degree, punishable with imprisonment not to exceed one year or a $1,000 fine; and the minor’s third offense is a felony of third degree, punishable with up to five years’ imprisonment or a $5,000 fine.

Of course, sexting is not only an issue for minors. It is fast becoming an easy and well-utilized mechanism for sexual and other workplace harassment. Accordingly, employers should review and update their anti-harassment policies to include a prohibition of harassment via e-mail, text messaging, or use of social networking sites; and they should review their electronic communications policies to include a prohibition against using any employer-provided electronic device to transmit or retain any sexually suggestive or explicit pictures, texts, videos or any other derogatory material regarding race, ethnicity, age, disability, religion, or any other protected category. Employers should also educate and train employees on the revised policies and continue to enforce all policies in a fair and consistent manner. At the same time, employers should remain mindful of any limitations on such policies (as written or as applied) that may be imposed under the National Labor Relations Act.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual's consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011,  employers are prohibited from using credit report data to deny employment, discharge an employee, set compensation, terms, conditions, or privileges of employment, unless, after making an offer of employment to an individual, the employer has a use for such information that is “substantially job-related.”   Additionally, an employer must disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In New York, the Electronic Equipment Recycling and Reuse Act (pdf) (Environmental Conservation Law, Article 27, Title 26), creates electronics recycling programs effective April 1, 2011. The new law requires free and convenient recycling of electronic waste be provided to most "consumers" (see definition below) in the state, including households, many small businesses and many not-for-profit corporations. The State's Department of Environmental Conservation has set up a detailed website providing information about this new law. As discussed below, other states are taking similar steps to deal with this new form of waste. 

New York's e-Waste Law

The new law affects consumers, retailers, and manufacturers of "covered electronic equipment" (CEE), as well as certain waste recycling, consolidation, collection and management facilities. One of the notable requirements under the new law is that beginning April 1, 2011, manufacturers of CEE are required to take back from consumers a wide range of electronic waste.

Who is a "consumer" and what equipment is covered under the law?

A "consumer" is an individual, business, corporation, limited partnership, not-for-profit corporation, the state, a public corporation, public school, school district, private or parochial school or board of cooperative educational services or governmental entity located in New York State, except when involved in a wholesale transaction between a distributor and retailer.

"Covered electronic equipment" includes:

• Computers
• Televisions
• Cathode Ray Tubes
• Small Scale Servers
• Computer Peripherals (Computer peripherals also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
  • Monitors
  • Electronic Keyboards
  • Electronic Mice or Similar Pointing Devices
  • Facsimile Machines, document scanners, and printers (only those intended for use with a computer and weighing less than 100 lbs.)
• Small Electronic Equipment (Small electronic equipment also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
  • VCRs
  • Digital Video Recorders
  • Portable Digital Music Players
  • DVD Players
  • Digital Converter Boxes
  • Cable or Satellite Receivers
  • Electronic or Video Game Consoles

"Covered electronic equipment" does not include such things as cameras, portable or stationary radios, household appliances, monitoring and control instrument or system, telephones of any type; portable digital assistant or similar device, calculator, global positioning system (GPS) receiver or similar navigation device, a server other than a small-scale server, a cash register or retail self checkout system, stand-alone storage product intended for use in industrial, and other equipment.

What is the cost?

For the basic services required under the new law, which include acceptance of CEE, for-profit businesses with fewer than 50 full-time employees and not-for-profit organizations with fewer than 75 full-time employees may not be charged for the collection, handling, recycling, or reuse of CEE. Larger organizations may be charged for these services. (Full-time employment is not defined under the law.) Note, however, the new law generally does not affect contracts consumers had with manufactures entered into prior to January 1, 2011.

In addition, any consumer may be charged for "premium services." "Premium services" are any services above and beyond the reasonably convenient acceptance methods defined in the new law. These include equipment and data security services, refurbishment for reuse by the consumer, and other custom services as may be determined by the Department of Environmental Conservation such as at-home collection (other than mail back programs), data wiping, specialized packing and preparation for collection, etc.

Does the law require e-waste to be recycled?

Not yet. However, beginning January 1, 2012, businesses, municipalities, and subdivisions of the state, including their waste collection company or service, will no longer be able to collect electronic waste for disposal, or dispose of any electronic waste in a landfill or waste-to-energy facility. A similar rule goes into effect for individuals and households on January 1, 2015.

Will recycling be performed in a secure manner?

No. The Department of Environmental Conservation's website warns:

Consumers should erase all personal and confidential data on their electronic equipment before sending it for recycling or reuse. Reformatting your hard drive or deleting files does not destroy your data. The resources listed on the right side of this page under "Offsite links," provide guidance on data wiping, etc., however, there might be other data security service resources and options available. Please note, the Department is not responsible for the contents of any offsite webpages referenced. These links are provided as a public service only (see disclaimer on the Electronic Equipment Recycling and Reuse Act main page).

This means that consumers need to take appropriate steps to safeguard data before submitting their CEE to be recycled under this program. Under New York's new law, the manual for electronic products that contain internal memory capabilities, such as a hard drive which could retain personal or other confidential information, must describe for consumers how they can destroy such data before surrendering the products for recycling or reuse.

Activity in Other States

As reported in the BNA Privacy and Security Law report, a pending law in New Jersey (A. 2975) "would require businesses and government agencies to destroy personal data stored on a digital copy machine before disposing of it." The State's Attorney General would be able to seek penalties of up to $10,000 for the first offense and up to $20,000 for subsequent violations. Similar laws are being considered in Nevada, Florida, Connecticut and Oregon.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Prepared by Lillian Moon

In the face of increasing unemployment, in March 2011, Florida, Michigan, and Montana joined the ranks of approximately fifteen other states that are considering bills limiting employers’ ability to use credit checks for employment purposes.

Florida. Florida’s Senate Bill 1562, introduced on March 3, would prohibit employers from using an applicant’s personal credit history as hiring criteria, except where a review of credit history is legally required. The proposed Florida law allows an employer to request credit history during the “application process if such history is shown to be directly related to the position sought by the applicant.” However, the credit history cannot be used as the “determining factor” in the hiring decision.

Michigan. Michigan’s House Bill 4363, introduced March 2, would prohibit employers from making hiring decisions based on an individual’s credit history and from inquiring about a job applicant’s or potential applicant’s credit history, unless good credit history is “an established bona fide occupational requirement of the particular position or employment classification.” Individuals cannot waive any right or protection under the proposed act and aggrieved individuals would be able to bring civil suit for damages or injunctive relief.

Montana. Montana’s House Bill 601, introduced March 1, would prohibit employers from using credit history information for employment purposes unless the employee’s current or potential position is one “for which credit is issued in goods, a line of credit is provided, or a fiduciary responsibility is owed to the employer,” or the position allows for use of such data when done in compliance with the Fair Credit Reporting Act, 15 U.S.C. §§1681(b)(2)(C) and (b)(4). Misuse of credit data or other violations of this proposed act would be punishable as a misdemeanor with fines up to $500.

Similar bills are also being considered in numerous jurisdictions such as: California, Connecticut, Georgia, Indiana, Kentucky, Maryland, Missouri, Nebraska, New Jersey, New Mexico, New York, Ohio, Pennsylvania, Vermont, and Texas. Illinois, Oregon, and Washington already have such laws in place.

“Employers with multi-state operations, in particular, must remain abreast of these developments and ensure any background check program involving credit checks complies with applicable state law. Further, due to EEOC initiatives in this area, credit checks should be limited to positions in which credit history can be deemed job-related and individualized analysis of each applicant’s history should be the goal,” counsels Richard Greenberg, a partner with Jackson Lewis LLP in New York.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.

According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.

Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.

In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to

maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.

Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.

The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

• The Florida and Michigan laws would amend personal data destruction rules for companies.
• The New York law would mandate data security and encryption measures.
• The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
• The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
• The Kansas law would require state agencies to engage in periodic network security reviews.
• The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

• Email This
• Print
• Comments (1)
• Trackbacks
• Share Link