Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Co-Author:  Joseph J. Lazzarotti

The pervasiveness of social media in professional and everyday communication is a hot button issue (discussed at length here), particularly for private and public employers and organizations.  In fact, many organizations have adopted, or are considering adopting, social media policies for employees and providing training for how employees should interact in cyberspace.  But what should those policies say and what should the training focus on?

To answer those questions, organizations should, among other things, develop and shape their policies, training and discipline concerning social media with an eye toward their particular businesses, regulatory environments, and whether they are in the public or private sectors. A number of recent developments show why this is critical:

·         Two recent Third Circuit opinions handed down on June 13, 2011-- J.S. v. Blue Mountain School District and Layshock v. Hermitage School District (discussed below)-- illustrate the importance of educating employees (teachers and administrators) about student’s First Amendment rights concerning social media and when discipline is appropriate,

·         FTC’s guidelines for endorsement of products or services are important for businesses whose employees are likely to be commenting online about the company’s products and services,

·         The NLRB’s recent actions regarding social media use and the National Labor Relations Act are important for all employers, particularly those in traditionally union-dominated industries,

·         The use of social media in the health care setting is presenting a range of challenges under HIPAA and patient privacy generally.

In addressing the extent to which school officials can regulate student speech, the Third Circuit Court of Appeals has held that school officials violated students’ First Amendment free speech rights by disciplining students for creating, outside of school, “fake” social networking profiles ridiculing their school principals. 

In Blue Mountain School District, 8^th grader J.S., using her home computer, created a MySpace profile in the name of her principal.  The profile was presented as a self-portrayal of a bisexual Alabama middle-school principal named “M-Hoe,” and contained crude and vulgar content. Upon learning of the content, the School District suspended J.S. for 10 days.  The Court held that because J.S. was suspended for speech that caused no substantial disruption in school and that could not reasonably have led school officials to forecast substantial disruption in school, the School District’s actions violated J.S.’s First Amendment free speech rights.  

In Layshock, Justin Layshock, a high school senior, using his grandmother’s computer, also created a MySpace profile in the name of his principal.  The profile included “degrading” content regarding the principal.  Upon learning of the profile, the School District suspended Justin for 10 days.  In analyzing whether a school district may punish a student for expressive conduct that originated outside of the schoolhouse, did not disturb the school environment, and was not related to any school-sponsored event, the Court found the School District was prohibited from reaching beyond the school yard.  

These decisions were based on the Supreme Court’s landmark case on the First Amendment’s application to public schools is Tinker v. Des Moines Indep. Cmty. Sch. Dist., 393 U.S. 503 (1969).  In Tinker, a group of high school students decided to wear black armbands to school to protest the war in Vietnam.  When school officials learned of the plan, they preemptively prohibited students from wearing armbands.  Several students who ignored the prohibition and wore armbands to school were suspended.  Eventually, the students brought suit alleging their First Amendment rights had been violated.  The Supreme Court overruled the district and circuit courts, holding that student expression may not be suppressed unless school officials reasonably conclude that such expression will “materially and substantially" disrupt the work and discipline of the school. 

These cases demonstrate the court's struggle in addressing social media content, especially where there are additional constitutional concerns when a party is a public entity.  For many organizations, First Amendment issues will not be at issue, but there likely will be other considerations.  As each and every industry is impacted by social media, attempting to address it in a one-size-fits-all manner without taking appropriate considerations into account is not only impractical, but in some cases unlawful.  As these developments have shown, efforts to address social media must include an effective industry specific social media policy coupled with training programs to educate employees on the use of social media in all facets of employment and conducting the entity's business. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Last month, the Federal Trade Commission's Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft. 

When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one's credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009; double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.

The FTC's FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.

Providers and plans should be taking steps to be prepared to address medical identify theft situations.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Federal Trade Commission announced it is further delaying its enforcement of the “Red Flags” Rule through December 31, 2010. This move comes at the request of several Members of Congress who want to further consider legislation that would clarify who is subject to the Rule.

The delay follows the lawsuit (pdf) filed by the American Medical Association and others arguing that the Red Flags Rule should not apply to physicians.  As reported by amednews.com, the plaintiffs bolster their case by pointing to a 2009 federal court ruling (pdf) (American Bar Assn. v. Federal Trade Commission) exempting lawyers from the Rule. That ruling is now on appeal to the U.S. Court of Appeals for the D.C. Circuit

Legislation is pending in the United States House of Representatives that would exempt certain professions, including physicians, from the Red Flags Rule. H.R. 3763 passed the House unanimously in October 2009, but there has been no further movement in Congress on this issue.

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

In its announcement, the FTC notes that as was the case with prior enforcement delays, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October. 

With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.

To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems, and provide other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P. 

In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program. 

The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law.  FTC Chairman Jon Leibowitz also cautioned,  , “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.” 

A company’s failure to prevent such information from being shared on a P2P network, may violate applicable law and subject the company to legal action. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Whether it be Facebook, MySpace, LinkedIn, Twitter, YouTube or the company blog, employee presence in social media is way, way up, creating risks for employers that are proving difficult to manage without careful planning and appropriate policies.

These risks can take many forms - FTC endorsement issues, inadvertent sharing of confidential company or personal information, harassment claims, blog posts harmful to the company's reputation - to name a few.  The damage can be done whether the employee is posting at home or during working hours.

This white paper (pdf), which takes into account some of our prior posts, is intended to help employers get a better handle on these issues, particulalry in three area: (1) employees’ misuse of social media; (2) monitoring and regulating employees’ social media use; and (3) basing hiring decisions on information obtained from social media.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Last month, we briefly discussed "cloud computing," along with some issues that should be considered when deciding whether to adopt this new technology. Our post focused on data privacy and security issues.

As reported by Kim Hart, of The Hill's Technology Blog, a December 9, 2009, Federal Communications Commission filing states that the Federal Trade Commission is in the process of investigating "cloud computing" to address some of the same concerns noted in the post referenced above - privacy and security concerns.

Companies operating in the cloud, or thinking of moving in that direction, ought to be on the lookout for regulation or guidance that could come from the FTC's investigation.

• Email This
• Print
• Comments
• Trackbacks
• Share Link