More States Limit Employer Access to Employee Social Media Accounts

Earlier this year, we posted about new laws in Utah and New Mexico that limit employers' ability to access the online accounts of their employees. Since then, Washington and Colorado have joined these and other states, such as Maryland, Illinois, California and Michigan, that have enacted similar laws. Oregon and New Jersey appear to be not far behind in regulating employers in this area.

Increasingly, employers across the country will need to revisit some of the hiring and monitoring practices they may be following, in particular, those of lower level managers and supervisors who may not be aware of these developments. Companies also need to reconsider what role they want employees to play in the businesses' marketing strategies in social media.  

Colorado. Governor John Hickenlooper signed HB 13-1046 into law on May 11, 2013. Under the new law, employers may not "suggest, request or require" or cause employees or applicants to (i) disclose the means of accessing the employee's or applicant's personal account or service through the employee's or applicant's electronic communication device, or (ii) change their privacy settings for an associated social networking account. An employer also may not compel an employee or applicant to become a friend, contact or connection of the employer or the employer's agent. Employers may not fail or refuse to hire applicants, or discipline or otherwise penalize employees, who refuse to provide access to their personal accounts or add the employers to their contacts.

The good news for employers is that the law does not prohibit them from requiring employees to provide access, including user name and password, to non-personal accounts or services that allow access to employers' information systems. The law also does not prohibit certain employers (those in certain industries, such as securities and finance, that have to comply with certain regulatory requirements) from conducting investigations concerning the use of personal websites, web-based accounts or similar accounts by an employee for business purposes. The same is true for investigations involving the unauthorized downloading of employer proprietary or financial information to a personal website, web-based account or similar account.

The new Colorado law does not provide for a private right of action, but injured persons may file a complaint with the Department of Labor and Employment, which may impose fines of up to $1,000 for a first offense, and not more than $5,000 for subsequent offenses.   

Washington. Gov. Jay Inslee signed a similar law (SB 5211) on May 21, 2013, that contains restrictions on employers concerning the personal online accounts of their employees. The law also contains similar exceptions concerning employee investigations. The law becomes effective on July 28, 2013. 

Oregon. Last week, the Oregon legislature sent HB 2654 to the Governor's desk for signature. Like the two measures above, the law would prohibit employers from requiring or requesting access to the personal social media accounts of employees or applicants, and from requiring employees or applicants to make the employer a contact or connection. Unlike the laws discussed above, the current version of the bill does not include an investigation exception.

New Jersey. Responding to Governor Chris Christie's concerns about a prior version of the bill (such as his objection to a provision that would have made it illegal to ask an employee if he or she has a Facebook account), the New Jersey General Assembly recently and unanimously approved modifications to A2878, making it virtually certain to become law in New Jersey in the short term. The Governor has already signed a similar law protecting access to the social media accounts of university students and applicants.

Similar to the laws described above, A2878 would prohibit employers from requiring or requesting employees or applicants to disclose login information for their personal social media accounts. The law also proscribes retaliating or discriminating against any employee or applicant who fails to provide such information, reports a violation of the law, participates in an investigation or otherwise opposes a violation of the law. The new version of the law no longer provides for a private right of action, but civil penalties can be imposed for violations: up to $1,000 for the first violation and $2,500 for each subsequent violation.

The White House's Cybersecurity Legislative Proposal

Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks. While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed. It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear.

Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – has suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority.

  1. To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
  2. To protect our nation’s critical infrastructure, the proposal calls for legislative changes to fully protect this infrastructure. Specifically, the proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.

Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.

Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient. 

  3. To protect federal government computers and networks, the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA), as well as formalizing DHS’s current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; making permanent DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventing states from requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.

The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those businesses that comply with the proposal’s requirements.

As the proposal concludes: 

Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.

Maryland Restricts Employer Use of Credit History Information

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual's consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011, employers are prohibited from using credit report data to deny employment, discharge an employee, or set compensation, terms, conditions, or privileges of employment, unless, after making an offer of employment to an individual, the employer has a use for such information that is “substantially job-related.” Additionally, an employer must disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 
