On January 29, 2009, I had the opportunity to attend a brief presentation sponsored by Minnesota CLE entitled, “Corporate Data Privacy & Security: 10 Legal Practice Tips,” given by Brad Bolin, Senior Corporate Counsel for Best Buy, Inc. a Fortune 500 electronics retailer headquartered in Richfield, Minnesota. Bolin is a specialist in information security and privacy law. I was curious to hear what data privacy issues were on the mind of someone who monitors these issues for a living on behalf of a large corporation, especially a company that sells some of the very devices that make data privacy more challenging and which is known for its “results oriented” work environment. Many of the issues relate to topics discussed on this blog. The views expressed were strictly those of Bolin, not Best Buy. Here were his observations:
1. Work/Life Balance. Electronic connections are collapsing the distinctions between work and personal life. Employees expect to be connected 24 -7. Bolin quoted Best Buy CEO Brian Dunn as noting, “Technology is … a constant backdrop in people’s lives, at home, at work, on the road and literally in the palms of their hands. We call it the ‘connected world’ and, as exciting as it is, it’s also increasingly complex, and difficult to keep pace with.”
2. Smart Phones Part 1. Smart phones are becoming common and are a great example of how the “limited personal use” exception is swallowing the rule. He cited a survey showing that 20% of companies allow their employees to use personal devices for work, and the number is surely growing. Bolin discussed how under the old corporate model, a company that pays for an employee’s smart phone ought to take it back from the employee upon his or her departure, erase the contents and either recycle or reuse the device to prevent the disclosure of confidential corporate information. But what about the employee’s personal photographs, “apps”, movies, contacts and downloaded songs? What if the employee paid for the device but the company reimburses the cost? Securing employee-owned smart phones is not the same as securing corporate-owned devices, he emphasized.
3. Smart Phones Part 2. Bolin said that, whatever rules you choose, a departing employee should be able to take his or her personal data, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all. Adopt simple rules that make corporate data on an employee's smart phone easier to identify and control. For example, distinguish between media files on the one hand, and xls doc, ppt, and pdf documents on the other. Have a transparent dialog with employees about the trade-offs that exist cost when placing personal phones on the corporate network. For example, an employee might be required to archive SMS text messages on his phone for e-discovery purposes.
4. Texting Issues. While e-mail typically is stored on a common server, text messages usually are stored by cell phone companies or directly on phones, and often the employer does not directly pay for their storage. Employers must have either a warrant or the employee's permission to see cell phone text messages that are not stored by the employer or by someone the employer pays for storage, Bolin said, citing Quon v. Arch Wireless, et al. 529 F.3d 892 (9th Cir. 2008), The case is now under review by the United States Supreme Court.
5. TMI = Too much information. An embedded Global Positioning System (GPS) feature is great for supporting and measuring effectiveness of a mobile sales force, but it raises the danger of collecting information about employees regarding the personal part of their life.
6. Social Networking. Much has been made of social networking, he says, but this is not different in kind from past employee disclosure concerns, only in degree. Most policies on employee's social networking tend to be recitations of or references to standard confidentiality, acceptable use, and other policies. He suggests guidelines like:
a. Disclose your affiliation with your employer.
b. State that it’s your opinion, not the employer’s.
c. Protect yourself – be careful of disclosing personal information on line.
d. Act responsibly end ethically.
e. Respect diversity and honor policies against discrimination.
7. Monitoring Electronic Communications. Bolin says the “old news” is having an electronic communications policy addressing employee expectations of privacy when using company email. The “new news” is that companies have to have a governance policy in place regarding how the company may and will use such information, and it needs to follow it. Tools to gather emails and other electronic information today are immensely powerful, and very easy to use. The temptation will be great to pursue investigations without adequate cause, or without sufficient protective boundaries in place. Bolin cited the Hewlett Packard pretexting scandal of 2006.
8. HITECH Act (HIPAA Redux). HIPAA is still HIPAA, Bolin says, but HITECH ups the ante by requiring breach notification to government and affected consumers of Protected Health Information (‘PHI”), and placing enforcement powers in the hands of the states attorneys general. Covered entities must promptly notify affected individuals, Health and Human Services (“HHS”) and the media in cases where a breach affects more than 500 individuals, and report ALL breaches on an annual basis. Bolin noted that the “hysteria” that has arisen around recent credit card breach notifications could well develop around PHI breach notifications.
9. Employee Privacy in Europe. Privacy is fundamental human right in the European Union and, unlike in United States, can't be waived, Bolin emphasized. If a company wishes to transmit data concerning EU employees to the U.S., he noted, “you'll be required to bring your game up” and enact policies to take advantage of the safe harbor provision.
I think he gives us all some good points to consider.