Washington D.C. Significantly Overhauls its Data Breach Notification Law

By Joseph J. Lazzarotti and Maya Atrakchi on May 27, 2020

In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislature. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.

Key updates to D.C.’s new law include:

Expansion of personal information

Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation. Currently, personal information is defined as (1) any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, (2) or an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements: Social Security Number; Driver license number or DC identification card number; or Credit card number or debit card number.

The amendment significantly expands the definition of personal information to include the following new data elements:

Identifiers including taxpayer identification number, passport number, military identification number and other unique identification numbers issued on a government document;
medical information;
genetic information and DNA profile;
health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
biometric data; and
any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.

Personal information also includes “a user name or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements [listed above] that permits access an individual’s email account.”

Notification to Attorney General

Notification to the Office of the Attorney General is now required for any breach affecting 50 or more D.C. residents. Notice must be provided in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided”. There are also several specific content requirements for notice to the Attorney General, including whether there is knowledge of any foreign country involvement.

GLBA/HIPAA Exemption

The new law exempts entities subject to GLBA or HIPAA if those entities maintain breach notification procedures and provide notification as required under those law, as applicable. However those entities must still notify the Attorney General of any breach that requires notification by GLBA or HIPAA.

Risk of Harm Threshold

If a person or entity reasonable determines, after reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement agencies, that the breach likely will not result in harm to affected individuals, notice is not required.

Free Mitigation Services for Affected Residents

D.C. joins California, Connecticut, Delaware and Massachusetts in requiring companies to provide identity theft protection or credit monitoring services to residents affected by a breach at no cost. The new D.C. law requires that a person or entity that experiences a breach that includes Social Security numbers and/or taxpayer identification numbers, must offer affected individuals at least 18 months of identity theft protection services at no cost.

Data Security Requirements

Finally, the new law, notably, establishes data security requirements for covered businesses. In short, any business that owns, licenses, maintains, handles or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and nature and size of the entity of the operation. Further, covered entities must enter written agreements with their third party service providers requiring the service provider to implement and maintain similar security procedures and practices.

This amendment keeps Washington D.C. in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Addressing the COVID19 Risks of Your Third-Party Service Providers and Vendors

By Joseph J. Lazzarotti on May 18, 2020

States are reopening – find out which ones here. As they do, organizations will begin and/or continue adhering to a complex set of distancing, screening, capacity, sanitization, mask, posting, reporting, and other guidelines designed to maintain COVID19 curve flattening efforts. For organizations with operations in multiple states, the patchwork of federal, state, and local “guidelines” becomes even more complex. For organizations that tackle these guidelines, their job still may not be complete.

The risk of COVID19 infection in areas such as on a salesfloor, in common areas of an apartment complex, on a loading dock, or in an office environment is not limited to the members of an organization’s workforce or its customers or clients. Virtually all organizations rely on third-party service providers or vendors, directly or indirectly, to operate efficiently, including those providers and vendors. In a retail business, service providers or vendors might include delivery companies, manufacturer representatives, temporary staffing companies, and IT support services. Senior living communities might have similar service providers or vendors as retail businesses, along with landscape companies, building maintenance technicians, and equipment suppliers. The same is true for professional service providers, whose service providers or vendors also could include office equipment maintenance providers, window and office cleaners, food service providers, and transportation vendors.

As organizations develop policies and devise procedures to address COVID19 in their facilities, they should be taking their third-party service providers or vendors into account, especially when the workforce members of those entities will need to interact with the organizations’ employees, customers, clients, etc. How to do so presents some difficult questions and additional challenges. Some organizations may want to (or be required to) play a more active role, such as screening a vendor’s employees before being permitted to enter the organization’s facilities. Others might prefer to rely on the vendor’s compliance efforts. Either way, these decisions raise critical health, liability, insurance, public relations, operational, and business issues.

Depending on how organizations decide to approach the risks posed by third-party service providers or vendors, below is a checklist of items an organization might want to cover with respect to each of those entities.

Modifying the delivery of products and/or services to minimize COVID19 risk.
Compliance with all applicable federal, state, and local COVID19 guidelines, including those specific to the organization which may not be applicable to the service provider or vendor, and including changes to those guidelines and best practices as the pandemic continues to evolve.
Allocating responsibility for COVID19-related issues, such as reporting, exposures, liabilities, etc. For example, organizations may want to confirm whether they or their service providers are responsible to provide personal protective equipment (PPE) in the organizations’ facilities. Organizations also may want to reevaluate insurance coverage requirements, indemnification provisions, and limitation of liability clauses to ensure they align with a changing risk landscape due to the pandemic.
Ensuring service provider and vendor workforce members are aware and trained on the organization’s applicable COVID19 policies and procedures including without limitation social distancing, sanitization, screening, cleaning supplies, contact tracing, and other measures.
Administering screening/testing for all vendor or service provider workforce members prior to entering the organization’s facilities, and who is responsible for carrying it out.
Arranging for communication and reporting of COVID19 symptoms, or infections or likely infections in order to carry out contact tracing. As contact tracing efforts expand, many organizations are considering different approaches such as contact tracing apps. Depending on the circumstances, having service providers use the same contact tracing app could enhance the organization’s efforts.
Pushing service provider and vendor’s obligation downstream to their agents, subcontractors, and third-party service providers where applicable.
Ensuring cooperation and consistent communications in the event of any investigation concerning COVID19 infection believed to be at the organization’s facilities.
Maintaining a process to assess compliance and appropriate record keeping. Some organizations may want to be able to review a service provider or vendor’s record keeping to show they have been complying with applicable COVID-19 guidelines.
Confirming that service providers and vendors have hardened their privacy and cybersecurity protections as ransomware, business email compromise, and other attacks are on the rise with COVID-19 and could result in business interruption. Much of this post relates to increased physical interaction as organizations reopen. However, significant segments of the workforce will continue to work from home, including service providers and vendors, extending these heightened risks.

A “compliance with all applicable laws” or related clauses in the service provider or vendor’s master services agreement (MSA) likely will not be sufficient to address many, if not all, of these issues. COVID19 implications are far reaching, affecting the provision of services, service level agreements, costs, liabilities, etc. Organizations and their service providers and vendors may need to rethink certain provisions of their MSAs to address the new reality of how products and services are provided and performed during the coronavirus pandemic, including amendments that outline specific COVID19-related operational issues, practices, etc.

California AG Urges Consumers to be Vigilant While Online During the COVID-19 Pandemic

By Frank J. Fanshawe on May 15, 2020

With California’s mandatory COVID-19 stay-at home orders impacting some 40 million people by forcing the vast majority of them to connect remotely to work, go to school, order necessities, socialize and do many other things, California’s Attorney General Xavier Becerra recently issued an alert reminding consumers of their privacy rights and to encourage them to be vigilant about practicing sound security practices while online.

In his alert, Attorney General Becerra urges consumers to take steps to understand their rights under the California Consumer Privacy Act (“CCPA”), a new law that went into effect on January 1, 2020 and provides important consumer privacy rights both during and after the COVID-19 public health crisis. To learn more about the CCPA’s consumer privacy rights, see our previous posts on this blog located at this link.

Attorney General Becerra’s alert also warns consumers about common COVID-19 phishing email scams; provides tips on how to enable privacy and security settings during virtual meetings and otherwise protect home networks from outside hackers; and recommends online resources that “help parents set boundaries and guide their children towards becoming good digital citizens.”

Visit our previous blog posts for more information about the CCPA and other privacy and security developments during the COVID-19 pandemic:

Federal COVID-19 Consumer Data Protection Bill Introduced

By Joseph J. Lazzarotti and Maya Atrakchi on May 13, 2020

As the COVID-19 pandemic presses on, legislators and regulators continue to remind the public of the importance of data security and privacy protections. On April 30^th, U.S. Senator Roger Wicker (R-Miss), Chairman of the Senate Committee on Commerce, Science, and Transportation, announced plans to introduce (jointly with several co-sponsors) the COVID-19 Consumer Data Protection Act. The bill aims to provide consumers with greater “transparency, choice, and control” over their health, geolocation and proximity data. Further, the bill would impose data privacy and security requirements on businesses that handle personal data related to COVID-19.

The text of the bill has not yet been released to the public, however according to Senator Wicker’s announcement, the COVID-19 Consumer Data Protection Act would:

Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
Authorize state attorneys general to enforce the Act.

Although the bill focuses exclusively on data related to the spread of COVID-19, its consumer protections are similar in kind to those provided for in the California Consumer Protection Act (CCPA), including, for example, notice requirements, a consumer’s right to opt out, data security obligations and more.

“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important…This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens,” stated Senator John Thune, a co-sponsor of the bill.

The bill is still in early stages of the legislative process, but may have greater success than some of the attempts at a federal consumer privacy law of late, given the urgency of the COVID-19 pandemic.

These are difficult times for many businesses, and while there has been significant flexibility from legislatures and regulators in certain areas of the law, the proposal of the COVID-19 Consumer Data Protection Act signals that data privacy and security protections continue to be a priority. Moreover, with the emergence of technologies such as contact tracing apps and social distancing wearables, increasingly used in the workplace to help limit the spread of COVID-19, collection of sensitive data related to the virus is almost inevitable. Organizations should be assessing and reviewing their data collection activities, and ensuring that a robust data protection program and written information security program (WISP) are in place.

Examples of COVID19 Screening, Social Distancing, and Contact Tracing Technologies and Related Legal and Practical Issues

By Joseph J. Lazzarotti and Jason C. Gavejian on May 11, 2020

As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad of challenges for providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are rising to meet this need, developing a range of technologies – wearables, apps, devices, kiosks, AI, etc. – all designed to support these efforts. But, for many organizations, the question is what technologies are out there and what should they be thinking about in deciding to adopt one or more of them.

Wading through the wide variety of COVID19-related technologies can be like scrolling through your cable provider’s movie guide – lots of time spent, not sure what to choose. So, to help you get a quick, bird’s eye view of some of the kinds of technologies being developed and which may be available, please see our table of “Selected COVID19 Distancing, Screening, Contact Tracing, and Other Technologies” (Table)*.

Needless to say, compiling, implementing, enforcing, and documenting extensive and sometimes conflicting federal, state, and local mandates and recommendations for screening, distancing, contact tracing, and mask wearing requires a significant and on-going effort. Technologies, such as those listed in the Table, can help. Some of the features of these technologies include:

Wearables that alert the wearer that he or she is getting too close to a colleague may boost an organization’s efforts to adhere to distancing requirements.
Kiosks with thermal scanning capabilities may facilitate temperature screening in a faster more efficient way while minimizing contact that might further spread of COVID19.
Apps that track the locations of individuals could automate otherwise laborious manual contact tracing activities.

The advantages of these technologies can be substantial, quickening the path to compliance and opening the organization’s doors to business. However, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk. Below are some questions organizations should be considering:

What is the organization’s goal for the technology? If the goals of the organization is keep workers who may have COVID19 from entering its facility, then screening technologies are something the organization may consider. However, if the goal is the identify other workers who may have been exposed to a COVID19 positive co-worker, the contact tracing technologies may be more appropriate. To this end, it is important to consider the organizations goals prior to selecting technologies for implementation.
Does the technology work? For temperature taking/scanning technology, this may mean validation of the accuracy of the device. When looking at contact tracing, accuracy will similarly be key in your efforts to identify co-workers who may be potentially impacted by COVID19.
Will the technology require employees to incur expenses that must be reimbursed? In some states, the implementation of this technology may require reimbursement if workers must incur costs or expenses as part of the implementation. For example, if an app requires an employee to have a mobile device for work purposes, expense reimbursement obligations with respect to that device may exist.
Is bargaining with the union required? As organizations look to these technologies, there may be numerous instances where the organization will need to consult, and possibly engage in bargaining with, the applicable union(s). Depending on which technology is being contemplated may dictate whether the organization’s efforts are supported or challenged.
Is notice/consent required? This may be a difficult question to answer without having an understanding of the data that the technology is collecting. For example, collecting the geolocation of employees as well as their COVID status, and interactions with others all are likely elements of personal information under the California Consumer Privacy Act (CCPA) which applies to employees that reside in California if the organization is subject to the law. Similarly, electronic tracking of workers or the collection of worker’s biometric information (facial scans, etc.) may require notice and/or consent depending on the state of implementation. If the technology requires access to an employee’s personally-owned device, notice and consent are likely required, but most certainly a best-practice. While many think HIPAA is implicated in the collection of workers’ temperature or responses to screening questions, this is often not the case unless a third-party provider or lab (i.e., a covered entity) is performing the screening, in which case an authorization is needed to share the results with the employer.
Will workers participate? Determining whether technology implementation may require notice or consent is discussed above. However, if implementation and/or usage is voluntary the effectiveness of the technology in meeting the organizations goals may be substantially impacted. Regardless of whether implementation is voluntary or required, it is important for organizations to communicate with their workers to explain the goals of the technology, answer questions regarding same, and address concerns over privacy and relates issues in order to ensure buy-in and effectiveness.
How is data collected, shared, secured, returned? Understanding the answers to these questions are imperative in order to help ensure compliance. This is especially true as there are numerous laws which may be implicated when data is collected from workers. These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, CCPA, and the General Data Protection Regulation (GDPR). In addition to statutory or regulatory mandates, organization will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data. Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data it is responsible for.
Are employees implementing the technology capable, trained? Should “managers” be viewing dashboards which provide extensive information about many of the organization’s workers? In these uncertain times an organization may be left with no choice other than to expand the list of individuals who may have access to workers’ personal information. However, when doing so organizations still need to be mindful of the ADA’s confidentiality requirements, discrimination, as well as state laws protecting against discrimination for lawful off-duty conduct (that may be discovered during the monitoring process). Addressing privacy and security obligations through a confidentiality agreement may be one way to help address these concerns.
What is the relationship with the vendor? The organization’s relationship with the vendor is established way of contract or service agreement. It is important for these contracts/agreements to include confidentiality, data security, and similar provisions. This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s workers.
When should we stop using the technology? The Equal Employment Opportunity Commission (EEOC) has said that currently COVID19 meets the ADA’s direct threat standard and thus organizations may screen, take the temperatures of, and test workers prior to permitting those workers onsite. The EEOC has not yet expressly addressed contact tracing. As organizations look to the future, and the hopeful end to the COVID19 pandemic, they will need to consider when the state of the pandemic no longer supports the use of these technologies. The EEOC may provide that guidance, however, organizations may still have reasons to continue utilizing some of these technologies. For example, contract tracing may continue to help slow/limit spread within an organization. Similarly, organizations may face contractual demands from customers or clients who are looking to limit future risks or outbreaks related to COVID19. At points during this process, organizations also will need to consider whether and how long to retain the data collected.

In short, in 2020 we have extensive technology at our disposal and/or in development which may play a crucial role in helping organizations address COVID19, ensuring a safe and health workplace and workforce, and preventing future pandemics. Nevertheless, organizations must consider the legal risks, challenges, and requirements with any such technology prior to implementation.

*As noted, the Table is for general information purposes only. We have sampled none of these products or services. Neither the selection of these products and services nor the exclusion of others is in any way intended as an endorsement of, or opposition to, any type of product, service, application, or any manufacturer. The listing is intended solely to provide readers with a general, high-level overview of the kinds of products being developed to address certain aspects of COVID19 remediation. This is by no means an exhaustive list. All readers must carefully evaluate their own specific needs for COVID19 mitigation and compliance, review the specific features and specifications of any technology being considered, configure and install same with qualified information systems specialists, and obtain experienced and informed legal counsel concerning the applicable legal and compliance requirements concerning the selection and implementation of any technology solution.

Legislators and Regulators Weigh in On Privacy and Data Security Protections for Healthcare Providers Amid COVID-19 Pandemic

By Michael R. Bertoncini on May 8, 2020

As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.

On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (“CISA”) and the commanding general of the U.S. Cyber Command to express their “profound concerns” that healthcare providers are “facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” which “pose an alarming risk of disrupting or undermining our public health response at this time of crisis.” The Senators urged CISA and the Cyber Command to issue guidance and provide technical resources to deter these threats.

Beyond their general call for action, the Senators offered specific measures CISA and the Cyber Command should adopt to protect healthcare providers’ data security:

Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election inference issued on March 2nd.
Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

On the heels of this call for action on data security, the Office for Civil Rights (“OCR”) at the U.S Department of Health and Human Services issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. In this guidance, the OCR reiterated that “it is not sufficient for a covered health care provider to require the media to mask patients’ identities when airing recorded video (such as by blurring, pixelation, or voice alteration), after the fact. Prior, express authorization from the patient is always required.” While this guidance does not break new ground, it serves as a timely reminder as newscasts focus daily on the efforts of healthcare providers to treat COVID-19 patients.

These are difficult times for healthcare providers, but even as they tackle the clinical demands of the COVID-19 pandemic, the developments discussed above demonstrate the importance of continuing to be vigilant in the enforcement of data security and privacy policies.

For more on recent privacy and cybersecurity updates for healthcare providers, check out some of our past blog posts:

U.S. Supreme Court Will Finally Weigh in on Scope of CFAA

By Jason C. Gavejian, Joseph J. Lazzarotti and Maya Atrakchi on April 28, 2020

The United States Supreme Court recently granted a petition for certiorari in Van Buren v. United States addressing the issue of whether it is a violation of the Computer Fraud and Abuse Act (“CFAA”) when an individual who is authorized to access information on a computer, accesses the same information for an improper purpose. The Supreme Court will have a chance to resolve the long-standing circuit split regarding the scope of the CFAA. Some circuits (the 2nd, 4th and 9th) take a narrow view of the CFAA, allowing claims against employees who lacked any authorization to access information stored on computers, but not allowing claims against employees who were permitted access and misused that access for allegedly improper purposes. Other circuits (the 1st, 5th, 7th, and 11th) permit CFAA claims against employees for misusing information stored on the computer even though they otherwise were authorized to access such material.

Jackson Lewis’s Privacy, Data and Cybersecurity practice group, in conjunction with the Non-Competes and Protection Against Unfair Competition practice group, published an article on the Jackson Lewis website, explaining the Van Buren case and its potential impact.

Regardless of how the Supreme Court rules in Van Buren, employers should consider reviewing and clarifying their policies concerning which employees have access to what data, particularly in light of the spike in remote work. We will monitor the Van Buren case and provide updates.

Out of Sight is Not Out of Mind – Monitoring Workers Working From Home

By Joseph J. Lazzarotti on April 27, 2020

Maintain High Service Levels to Support for Work From Home Just over a month ago, we provided a high-level checklist to help organizations think about critical issues as employees begin working from home to reduce the spread of COVID19. Consistent with “shelter-in-place”/”stay at home” orders, millions of workers that can are now working from home. However, out of sight is not out mind as many organizations want to be sure these workers remain productive. Periodic office visits to chat are not an option right now, but spyware and keylogging technologies are. Some employers are considering these technologies as they balance employee privacy with the need to manage their team and monitor productivity.

Distractions are easy to come by these days – the daily Gov. Cuomo briefing, kids also “working” from home, the latest firetruck birthday party, and the status of toilet paper deliveries. For many workers, the idea of telecommuting itself is a distraction as they simply are not used to it on a regular basis. These and other distractions raise employers’ suspicion that workers are not being productive or as productive as they could be. But, productivity may not be the employer’s only goal. Protecting trade secrets, avoiding data breaches, finding ways to make remote work easier, and generally dissuading improper behavior are just some of the other drivers for increasing surveillance on remote workers.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections. Advancements in technology have made it easier to monitor remote employees, and by extension easier to violate the law for employers that are not careful.

Spyware and keylogging are technologies that have been around for some time and can be attractive options for employers. In general, spyware is software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. This information could include screenshots from the other user’s computer. Screenshots could include, for example, text of “private” messages the employee believes she is sending to a social media friend. “Keyloggers” can be devices but are most often software designed to monitor and log all keystrokes. Like spyware, keylogging can covertly track a user’s keystrokes and obtain in the process private account credentials or confidential communications, and transfer that information to another computer.

This level of surveillance raises a number of legal and employee relations risks. Here are just a few.

California Consumer Protection Act (CCPA). Effective January 1, 2020, the CCPA currently applies to personal information of employees, at least until December 31, 2020. It requires that employees be provided a “notice at collection” – this is, a notice describing the categories of personal information (including network activity) that the company collects and the purposes that information is used. Businesses subject to the CCPA will need to be sure that this surveillance activity is appropriately covered in notices of collection for employees who reside in California.
State Social Media Password Protection Laws. Over 25 states have laws that prohibit employers from requesting or requiring employees to provide credentials to their online personal accounts. Deploying spyware or keylogging technologies arguably are not requests or requirements in the general sense. However, employers should consider how these laws may be interpreted and shape their approach accordingly.
Stored Communications Act. Accessing personal social media communications or other personal online account communications may run up against protections under the Stored Communications Act.
Taking action based on information obtained though the surveillance
- Credit protection laws. Several states, such as California, Maryland, Nevada, have laws prohibiting employment discrimination on the basis of poor credit or payment histories. These laws were passed in reaction to the great recession and likely have increased relevance again today as more than 20 million workers have filed for unemployment.
- Genetic Information Nondiscrimination Act (GINA). Learning about an employee’s family member suffering from a debilitating health condition or a contagious disease through spyware could raise issues under GINA. EEOC regulations except obtaining this genetic information through inadvertence, but if it was reasonably likely that such data would be collected or if the recipient continues to examine it or look for related information there is risk of a violation. Thus, just the collection of such information could be problematic under GINA, as well as using it for a discriminatory purpose.
- ADA/State Protections for Medical Information. A similar analysis applies for medical information obtained through monitoring. However, the regulations are less specific under the ADA compared to GINA.
- Safeguarding the Information Collected. A growing number of states have stringent requirements to maintain reasonable safeguards to protect personal information. The definition of personal information is not limited to SSNs. Medical information, online account credentials, credit card numbers, dates of birth all can be captured and stored using spyware, keylogging, and other surveillance tools.

What can organizations do?

Understand the technology. Organizations should avoid having their IT departments deploy these technologies without a careful review, one that involves appropriate persons outside the IT department. Input from HR and the Legal Department can be invaluable for minimizing legal risk and maintaining good employee relations and trust.
Acceptable Use and Electronic Communications Policy. When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. In general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs employees on what they can expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectation of privacy, as well as making clear the information systems and activity that are subject to the policy.
Monitoring the monitors. Employees asked to perform monitoring using these technologies can sometimes feel empowered and, believing they are helping the organization, make it easier for them to go too far in their surveillance, creating legal risk. For this reason and others, it is recommended that organizations maintain guidelines for these employees to help make clear boundaries that the organization has determined with counsel to be appropriate, and review compliance with those guidelines from time to time.
Be prepared to investigate. Surveillance may uncover nonperformance, irregular activity, malicious insiders, and other problematic activity that the organization needs to address. The time to lay out that process and how to further investigate is not when evidence of the activity is discovered. Organizations should be prepared to react to findings with a comprehensive investigation plan that involves the appropriate persons at the earliest time.

It may be that this high level of remote work will continue for a while, or considering this forced experiment, certain organizations will realize that they can remain very productive in some or all parts of their business while deriving enormous savings from utilizing this new “workplace.” Either way, managing that work will raise new challenges for management. When more advanced monitoring and surveillance tools are deployed, organizations need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.

FCC’s Declaratory Ruling on the TCPA’s “Emergency Purposes” Exception During COVID-19: Does it apply to Workplace Correspondence?

By Jason C. Gavejian and Maya Atrakchi on April 22, 2020

The Telephone Consumer Protection Act (“TCPA”) generally prohibits the use of automated dialing equipment or prerecorded voice messages to make calls, send text messages, or send faxes absent prior consent of the called party. This includes calls or texts to cellular phone numbers as well as calls to residential lines. There are limited exceptions to the TCPA’s consent requirements, including calls or texts sent for “emergency purposes”, meaning calls or texts made necessary in any situation affecting the health and safety of consumers. On March 20, 2020 the Federal Communications Commission (“FCC”) published a Declaratory Ruling confirming that the COVID-19 pandemic is an “emergency” that qualifies for the TCPA’s “emergency purposes” exception.

FCC History Regarding the TCPA’s “Emergency Purposes” Exception

Since the TCPA’s enactment in 1991, federal courts and the FCC have interpreted the “emergency purposes” exception narrowly, and guidance has been limited. In 2016 the FCC issued a narrow Declaratory Ruling in Blackboard-Edison on the TCPA’s “emergency purposes” exception, highlighting permissible automated calls from schools during “threat situations” affecting the “health and safety of students and faculty”. The FCC also clarified in this ruling that utility companies “may make robocalls and send automated texts to their customers concerning matters closely related to the utility service, such as a service outage or warning about potential service interruptions due to severe weather conditions, because their customers provided consent to receive these calls and texts when they gave their phone numbers to the utility company”. Finally, the FCC noted that the ruling was “tailoring relief to narrow circumstances presented in these petitions…without diluting the TCPA’s core consumer protections”.

FCC’s March 2020 Declaratory Ruling on the COVID-19 Pandemic

Now in its March 2020 Declaratory Ruling, the FCC has again narrowly specified that during the COVID-19 pandemic certain calls and messages qualify for the “emergency purposes” exception under the TCPA. Such calls must meet the following requirements: 1) “the caller must be from a hospital, or be a health care provider, state or local health official, or other government official as well as a person under the express direction of such an organization and acting on its behalf”, and 2) “the content of the call must be solely informational, made necessary because of the COVID-19 outbreak, and directly related to the imminent health or safety risk arising out of the COVID-19 outbreak.”

TCPA “Emergency Purposes” Exception and Workplace Correspondence

First, it is worth noting that while common sense would dictate that an employee’s provision of their telephone number to the employer should be viewed as consent to receive calls/texts (just as discussed above in Blackboard-Edison, where a utility company’s customers consented upon provision of their telephone numbers to the company), the TCPA and FCC guidance is silent on whether workplace correspondence are subject to TCPA liability. In at least one case where a claim has been brought against an employer related to the TCPA, the court dismissed the claim finding that the application’s language “authorizing [the employer] to collect, use….personal information provided for employment-related purposes” was consent.

Assuming, however, that an employer’s automated calls/texts to their employees are subject to the TCPA’s consent requirements, the question arises whether safety-related calls/texts made to an employee would qualify under the “emergency purposes” exception. While this is unclear, given the two FCC Declaratory Rulings discussed above, there is a strong argument that such calls or texts would be considered as for “emergency purposes” and thus would be exempt from the TCPA’s consent requirement. This is particularly true as Blackboard-Edison applied the emergency purposes exception not just to students, but also to faculty (employees).

Further in the March 20 Declaratory Ruling the FCC emphasized that “In the Blackboard-Edison Declaratory Ruling, the Commission made clear that automated calls to wireless numbers made necessary by incidents of imminent danger including ‘health risks’ affecting health and safety are made for an emergency purpose and do not require prior express consent to be lawful”. Interestingly, while the March 20 Declaratory Ruling is limited to calls made by hospitals, health care providers or health/government officials, this statement seems to indicate that the FCC intended Blackboard-Edison to apply more broadly.

Finally, the March 20 Declaratory Ruling also provided examples of inappropriate uses of the emergency purposes exception including calls that contain advertising or telemarketing of services like “advertising a commercial grocery delivery service, or selling or promoting health insurance, cleaning services, or home test kits” as well as “debt collection calls”. This sheds some light on when the use of the TCPA’s “emergency purposes” exception is appropriate or not generally, and it would seem that safety-related calls to employees, especially in light of the COVID-19 pandemic, would not fall into the category of inappropriate, based on these examples.

Takeaway

These are uncertain times, and of course, the safety and health of employees is critical. To avoid potential risks of a claim under the TCPA (including class actions), employers looking to implement programs to communicate quickly and timely with employees about health and safety risks, including those posed by COVID-19, should assess the applicability of the emergency purposes exception and/or consider obtaining additional consent.

Videoconferencing Zooms to the Forefront in the COVID-19 World

By Jeffrey M. Schlossberg on April 10, 2020

As the COVID-19 crisis continues, many companies throughout the country have arranged for significant portions of their workforce to work from home. A natural part of that arrangement is conducting videoconferences. With employees working at home in isolation, many seek opportunities to connect with others through a visual medium. Thus, companies are using videoconferencing to conduct business meetings. In other circumstances, employees are using it simply to connect visually with co-workers to catch up on work and life in general. Companies must, however, devote attention to a variety of privacy-related concerns when relying on this technology (as well as other related technologies) that enable expanded work from home opportunities. Recently, we created a work-from-home checklist including a number of relevant privacy issues.

When discussing video conferencing today, there are many options including Google Hangouts, Skype, and WebEx. However, it appears the option gaining the most popularity is Zoom Video Communications.

Last week, a class action lawsuit was commenced in a California federal court against Zoom alleging under the California Consumer Privacy Act and related laws, that it failed to properly safeguard the personal information of its users.

According to the complaint, “upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties…invading the privacy of millions of users.” The complaint describes that the Zoom app notifies third-party social media app users “when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.”

The proposed class includes “all persons and businesses in the United States” whose personal information was collected or disclosed to a third party “upon installation or opening” of the Zoom app.”

The complaint acknowledges that on March 27, 2020, Zoom released a new version of the app that purports to no longer send unauthorized personal information of its users to Facebook.

According to a March 27 blog post, Zoom CEO Eric Yuan stated that, “Zoom takes its users’ privacy extremely seriously” and described changes Zoom was making to its software that would take effect when users update to the latest version.

Considering the lightning speed with which this case was brought, companies everywhere should take this opportunity to review its procedures and best practices regarding video conferencing platforms and other technologies in place supporting work from home arrangements. Not only could you avoid a class action lawsuit, but you will also be taking steps to protect the company’s proprietary information as well as any personal identifying information of its employees and customers that you maintain.