Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See similar step taken by Connecticut AG)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act.  The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General's Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

• Email This
• Print
• Comments
• Trackbacks

Not long after Maryland enacted a law prohibiting employers from demanding passwords to employees' or prospective employees' Facebook and certain other social media accounts, the California State Assembly voted 73-0 in favor of A.B. 1844. The California bill would prohibit an employer from requiring: 

an employee or prospective employee to disclose a user name or account password to access a personal social media account that is exclusively used by the employee or prospective employee.

The state's Senate will now need to consider the measure, where a related bill, S. 1349 (named "The Social Media Privacy Act"), would also protect students from having to disclose similar information to school officials. A hearing on S. 1349 is scheduled for May 21. Congress and a number of other states, including, Delaware, Illinois, Michigan, Minnesota, Missouri, New York, and South Carolina are considering similar measures.

Employers will need to monitor these developments carefully and consider how to advise and train their managers and human resources personnel about these new requirements.
 

• Email This
• Print
• Comments
• Trackbacks

UPDATE: Governor Martin O'Malley signed the bills discussed below into law on May 2, 2012.

Maryland will likely become the first state to prohibit employers from demanding usernames, passwords or other means to access any personal account or service through an electronic communication device (computer, phone, PDA, etc.), such as social media sites Facebook or LinkedIn, belonging to employees or job applicants. If signed by Governor Martin O’Mailey, as expected, the new law would become effective October 1, 2012, after being passed unanimously passed in the Senate last week and by a vote of 128-10 in the House. Employers need to monitor developments, as legislatures in other states have taken up similar measures.

S.B. 433/ H.B. 964 applies to any employer engaged in business in Maryland, as well as any unit of state or local government. It also reaches any agent, representative or designee of a covered employer. So, an employer cannot ask a third party to do under the law what the employer cannot do.

Covered employers also are prohibited from discharging, disciplining or otherwise penalizing  employees or applicants (or threatening same) who refuse to comply with the requests for access prohibited above. In addition, employers may not fail or refuse to hire applicants to object to similar requests. However, the Maryland law prohibits employees from making unauthorized downloads of company financial or proprietary data, and permits employers to investigate when it receives information about such activities. 

• Email This
• Print
• Comments
• Trackbacks

Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment. The Maryland and Illinois legislatures would like to limit employers' ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.

UPDATE - Newly enacted Maryland law prohibits employers from demanding access to Facebook or other on line accounts of employees and applicants.

Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to

• require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
• require an employee to install on the employee's personal electronic device software that monitors or tracks the content of the electronic device.  

Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer's internal computer or information systems. 

The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electroinc devices, including the personal devices of employees. This bill would make that process more challenging, particulalry for businesses with nationwide operations in heavily regulated businesses such as healthcare, insurance, finance and so on.   

Two other bills (H.B. 310, S.B. 434) also are being considered that would prohibit public and nonpublic colleges and universities from making similar demands on students and applicants.

Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as

• Finding medical information protected under the American with Disabilities Act or the Genetic Information Nondiscrimination Act.
• Acting inconsistently when similar information is found about different applicants/employees/executives.
• Acting on information that is not true.
• Intruding into private areas.  
• Failure to document the steps taken in conducting the search.
• Not realizing the Fair Credit Reporting Act may apply and require consent and notice requirements.
• Unlawfully limiting protected concerted activity under the National Labor Relations Act.

Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination.  Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way to minimizing these risks.

• Email This
• Print
• Comments
• Trackbacks

The Maryland Senate recently referred Senate Bill 971 which prohibits Maryland employers from demanding that workers and job applicants turn over their passwords to specific websites or web-based accounts. 

Under the bill, employers would be prohibited from refusing to hire applicants and disciplining, terminating, or taking other adverse employment action against employees who refuse to provide their passwords. The bill also bans employers’ threats of such action.  

The bill was introduced in response to employers’ asking applicants and employees for their passwords as part of background checks to see the content posted by the individuals on social networking sites (e.g., Facebook ). S.B. 971 would, however, permit employers to require workers to disclose their passwords only to the employers’ internal computer systems.  

This proposed Maryland law, and case law from New Jersey, should alert employers that utilizing social media in their hiring, discipline, or termination decisions is under scrutiny.

• Email This
• Print
• Comments
• Trackbacks

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual's consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011,  employers are prohibited from using credit report data to deny employment, discharge an employee, set compensation, terms, conditions, or privileges of employment, unless, after making an offer of employment to an individual, the employer has a use for such information that is “substantially job-related.”   Additionally, an employer must disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 

• Email This
• Print
• Comments
• Trackbacks

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information - or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to do develop a WISP can leave a business exposed.

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?

Don't wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).

• Email This
• Print
• Comments
• Trackbacks