NLRB Approves Workplace Social Media Policy Limiting Employees’ Online Communications

By Jason C. Gavejian and Maya Atrakchi on

Recently, the National Labor Relations Board (NLRB), in a split decision 2-1, approved a California-based ambulance company’s implementation of a social media policy that prohibited employees from “inappropriate communications” related to the company.  The NLRB’s ruling reversed a decision by an administrative law judge, back in October 2019, that concluded that the company’s social media policy was overly broad and infringed on worker’s rights established in the National Labor Relations Act (NLRA).

Key aspects of the company’s workplace social media policy included:

  • Prohibition on disclosure of proprietary or confidential information of the employer or co-workers.
  • Limitations on an employee’s use of the employer’s name, logo, trademarks, or other symbols in social media to endorse, promote, denigrate or otherwise comment on any product, opinion, cause or person.
  • Prohibition on posting of photos of coworkers without their written consent.
  • Prohibition on use of social media to disparage the employer or others.
  • Prohibition of “inappropriate communications” generally on social media.
  • Prohibition of sharing of employee compensation information.

The majority highlighted that, “[t]he legitimate justifications for the respondent’s nondisparagement rule are substantial, and we find that they outweigh any potential adverse impact of the respondent’s facially neutral rule on protected rights”.

NLRB member Lauren McFerran, the only dissenter, emphasized that the decision “again illustrates how eager the board majority is to uphold employer rules, how unwilling it is to consider rules from an employee’s true perspective and how little weight it gives to the rights protected by our statute.”

Back in a 2017, in Boeing Company, the NLRB set out a new standard for determining whether a facially neutral work rule, reasonably interpreted, would unlawfully interfere with, restrain, or coerce employees in exercise of their NLRA rights.  In Boeing Company, the NLRB overruled the “reasonably construed” prong established in Lutheran Heritage Village-Livonia (2004), which held that a work rule that did not otherwise violate the NLRA would be found unlawful if employees would reasonably construe it to prohibit NLRA rights. Instead, the NLRB held in Boeing Company that, when evaluating a facially neutral policy, rule or handbook provision that, when reasonably interpreted, would potentially interfere with the exercise of NLRA rights, the Board will evaluate two things: (i) the nature and extent of the potential impact on NLRA rights, and (ii) legitimate justifications associated with the rule.

This evaluation system would, “strike the proper balance between . . . asserted business justifications behind the policies, on the one hand, and the invasion of employees’ rights in light of the Act and its policy.”

In the NLRB’s latest decision, analyzing the California ambulance company’s workplace social media policy, the NLRB relied on Boeing Company’s evaluation standard, and other NRLB decisions of late related to workplace social media policies.  For example, in July of 2020 the Board, citing Boeing Company, held in Motor City Pawn Brokers Inc  that “the work rules at issue fall squarely into the category of lawful, commonsense, facially neutral rules that require employees to foster “harmonious interactions and relationships” in the workplace and adhere to basic standards of civility.”

 Takeaway

When companies are faced with adverse social media activity or campaigns, whether it be by employees, customers, bloggers, etc., they frequently are unprepared to take the appropriate steps to investigate, or to weigh the legal, business, reputational, and related risks in deciding what actions, if any, to take.  For this is reason, it is important to have a clear workplace social media policy in place to help prevent the likelihood of such an incident or at least limit its impact.  But while the NLRB seems to be employer friendly of late in approval of such policies, it is important to tread carefully, aiming to develop a policy that achieves the company’s legitimate business interests without compromising its employees’ NLRA rights.  This is especially true as the NLRB’s current majority will change in summer 2021.

CDC Expands Guidance on Workplace SARS-CoV-2 Testing to Require Informed Consent

By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

As employers continue to grapple with a safe return to the workplace, on January 21, the U.S. Center for Disease Control and Prevention (CDC) issued new guidance for businesses and employers on SARS-CoV-2 testing of employees, as part of a more comprehensive approach to reducing transmission of the virus in non-healthcare workplaces. While the CDC had already released some guidance on the matter of workplace testing (last updated in October), the CDC’s more recent guidance places a new emphasis on informed consent prior to testing and measures an employer can take to ensure employees are fully supported in their decision-making.

Specifically, the CDC’s guidance states:

Workplace-based testing should not be conducted without the employee’s informed consent. Informed consent requires disclosure, understanding, and free choice, and is necessary for an employee to act independently and make choices according to their values, goals, and preferences. (emphasis in original)

For employers that have required employees to submit to COVID-19 viral testing in order to enter the workplace consistent with EEOC guidance, the CDC’s reference to an informed consent may come as a bit of a surprise. However, while the CDC’s guidance appears to require informed “consent,” it does not appear to prevent employers from requiring testing as a condition of entering the workplace. The CDC’s guidance seems to clarify its position, recommending that employers provide employees:

complete and understandable information about how the employer’s testing program may impact employees’ lives, such as if a positive test result or declination to participate in testing may mean exclusion from work. (emphasis added)

When developing a SAR-CoV-2 testing program, according to the CDC, an employer should first address some basic considerations. For example – why is the employer offering the test to begin with, how frequently will employees be tested, how to effectively obtain employee consent, and what to do if an employee declines to be tested.

The CDC provides a list of key measures an employer should implement when developing an SAR-CoV-2 testing program in the workplace to ensure employee informed consent and a supportive environment:

  • Ensure safeguards are in place to protect an employee’s privacy and confidentiality.
  • As noted above, provide complete and understandable information about how the employer’s testing program may impact employees’ lives, such as if a positive test result or declination to participate in testing may mean exclusion from work.
  • Explain any parts of the testing program an employee would consider especially important when deciding whether to participate. This involves explaining the key reasons that may guide their decision.
  • Provide information about the testing program in the employee’s preferred language using non-technical terms. Consider obtaining employee input on the readability of the information. Employers can use this tool to create clear messages.
  • Encourage supervisors and co-workers to avoid pressuring employees to participate in testing.
  • Encourage and answer questions during the consent process. The consent process is active information sharing between an employer or their representative and an employee, in which the employer discloses the information, answers questions to facilitate understanding, and promotes the employee’s free choice.

In addition, in order to ensure informed consent, an employee must be provided certain disclosures regarding the workplace testing program. Of course, the disclosures must include those required in the U.S. Food and Drug Administration (FDA) emergency use authorization patient fact sheet external for the particular test, such as the type of the test, how the test will be performed, and known and potential risks.  Notably, these disclosures must be provided during the consent process, meaning employers will have to know this information and ensure it is provided employees prior to the employee agreeing to the test.

Employers will need to consider which aspects of the testing program may be more relevant than others to an employee’s decision whether to accept an offered test and include the appropriate disclosures. Areas to consider include the process for scheduling tests and how the cost of the tests will be covered, what employees should expect at the testing site (e.g., screening), recommended next steps if an employee tests positive, and what assistance is available should an employee be injured while the test is administered.

There are, of course, privacy and security issues to consider when implementing such a program. For example, an employer must consider what personal information the employee will need to provide to the test provider (e.g. name, DOB, insurance, etc.),  the test results to follow, and the myriad of issues that arise once that information is obtained. For example: Whether, where, and for how long the employer will retain the results? How will personal information be kept confidential and secure and how will the employer keep the results confidential and secure? Who will have access to the results?

The employee’s test results will be considered confidential medical information, and while not subject to HIPAA in the employer-employee context, this information still may have protections under state statutory and common law. Consider, for example, that several states, such as California and Florida, include “medical information” as part of the definition of “personal information” under their breach notification laws. Accordingly, if that information is breached, which could include access to the information by an unauthorized party, notification to impacted individuals and relevant state agencies may be required. Additionally, statutory and common law obligations exist requiring employers to safeguard employee personal information, which may include information about their physical health, such as test results or information provided by the employee before taking the test. Thus, maintaining reasonable safeguards to protect such information is prudent. This might include access management measures and record retention and destruction policies. It also may include having clear guidelines for making disclosures of this information and determining whether an authorization is needed before such information may be disclosed to, or accessed by, a third party.

The COVID-19 pandemic has completely reshaped workplace practices, and we have certainly entered a “new normal.”  Just earlier this week, we discussed on this blog the EEOC’s guidance on best practices for workplace identification of employees that have been vaccinated. And temperature and symptom screening protocols in the workplace have been mandated or recommended by nearly every state and city across the U.S. These measures are essential in halting the spread of the virus, and ensuring a safe and healthy workplace and workforce. Nevertheless, organizations must consider the legal risks, challenges, and requirements prior to implementation of such measures.

ACC Launches Data Steward Program: An Approach to Assessing Law Firm Data Security

By Joseph J. Lazzarotti and Maya Atrakchi on

On December 8th, the Association of Corporate Counsel (ACC), which represents over 45,000 in-house counsel across 85 countries, announced the launch of its Data Steward Program (DSP) to help organizations and their law firms assess and share information about information security relating to client data. The DSP is two years in the making, collecting input from attorneys, cybersecurity and privacy experts and litigation support experts from corporations, law firms, vendors and government. The DSP, a voluntary-based program, creates a standardized framework for “assessing, scoring, benchmarking, validating and accrediting” a law firm’s stance regarding client data security leveraging existing data security frame works, such as the ISO or NIST, but also customizing “control selection, arrangement and compliance metrics” to meet a law firm’s specific needs.

The DSP was developed in response to the struggles corporations face in attempting to ensure that the law firms they utilize have adequate data security measures in place – a Fortune 500 company often has relationships with upwards of 500 law firms and vendors. Moreover, SMBs that utilize smaller sized law firms and vendors are often ill equipped to effectively perform data security related due diligence.

Of course, for all service providers, including law firms, it is critical to maintain reasonable administrative, physical, and technical safeguards when interacting with sensitive corporate and personal data of customers, as well as to ensure that adequate protections are in place to prevent and respond to data breaches. Law firms should not be surprised to see enhanced efforts, such as the DSP, to help assess those safeguards on a more consistent basis. Firms concerned about facing requests for assessments and/or maintaining their privacy and security protocols in an increasingly dynamic environment should review their cybersecurity risk management policies, procedures and practices sooner rather than later.

The ACC DSP has established a clear set of goals to help ensure the program’s success:

  • Exacting and Thorough Assessment
    • Requiring a “rigorous and thorough review” of a law firm’s data security status, detailed enough for both law firms and clients to make adequate business decisions. This is satisfied by “selecting and/or modeling controls” from established data security frameworks including ISO and NIST.
  • Value to All Participants
    • The DSP aims to ensure all relevant parties are involved in the standard setting process. “The balanced needs of all parties were represented (and will be maintained) by putting the DSP under the creative control of an ACC-sponsored working group of industry experts, including ACC Members, law firm partners, information security officers and CIOs, legal industry service providers and data security assessment firms who truly understand the issues and practices of the legal industry.”
  • Secure Platform
    • The DSP data-sharing program titled Data Steward Exchange or DSP-X operates on a third-party SaaS platform with “an established record of security and has recently passed its latest SOC-2 audit”.
  • Open Standard Benchmarking
    • The DSP algorithm for scoring is 100% transparent and available to all participants.
  • Accommodate Legal Practice Diversity
    • The practice standards established by the ACC Working Group were designed to be applicable to law firms across all sizes and specialties, and all law firms are invited to participate in the DSP.
  • Independent Assessor Neutrality
    • The DSP establishes that an ACC accredited assessor performing a review may not perform either data security prevention or remediation services for that participant six months prior to or following an accreditation validation, to ensure neutrality.

This is not the first time of late that the ACC has prioritized data security and privacy matters for in-house counsel and law firms. In 2017, the ACC released Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (“the Model Controls”), data safety guidelines to help “in-house counsel as they set expectations with their outside vendors, including outside counsel.” The Model Controls addressed a broad range of data security related measures including: data breach reporting, data handling and encryption, physical security, employee background screening, information retention/return/destruction, and cyber liability insurance. The Model Controls were developed to serve as a “best practice” standardizing the protocols companies implement when interacting with third-party vendors who may have access to sensitive corporate data, and in many ways the DSP is a continuation of that initiative.

The DSP can be initiated in one of two ways: 1) a law firm can volunteer to participate and conduct a self-assessment, or 2) an ACC corporate member or prospective member can invite a law firm to participate. Even prior to launch, corporations were already inviting their law firms and legal vendors to undergo an assessment. 2020 has proven that data privacy and security risks must be prioritized across all industries.

CCPA at the One-Year Mark

By Mary T. Costigan on

The CCPA has reached the one-year mark. This is a good time for businesses to review the success of their compliance programs and recalibrate for the CCPA’s second year. Here are a few suggestions to kick off that review:

  1. Privacy Policies. The CCPA requires a business to update the information in its privacy policy or any California-specific description of consumers’ privacy rights at least once every twelve months. If a business has not already done so, now is a good time to review both online and offline data collection practices to ensure privacy policies accurately disclose, at a minimum, the categories of personal information (“PI”) it collected in the preceding 12 months, the categories of PI it sold in the preceding twelve months, and the categories of PI it disclosed for a business purpose in the last 12 months.

Given the challenges of the last several months, a business may be collecting PI beyond what it currently discloses in its privacy policies. For example, a company may need to update its privacy policies to disclose the collection and use of COVID-19 related screening information, biometric information, or PI collected as a result of remote work situations.

If the business needs to update its privacy policy to reflect additional data collection activities, it will likely need to update its “notices at collection”, including employee and job applicant privacy notices.

  1. Employee training. The CCPA provides that a business shall ensure all individuals responsible for handling inquiries on consumer rights, the businesses’ privacy practices, or its compliance with the CCPA are informed of applicable CCPA requirements. Businesses will want to review their training programs to ensure they now include appropriate CCPA related training; determine whether employee handbooks and manuals have been updated accordingly; and, document that relevant employees have received training.
  2. Reasonable Safeguards. The CCPA does not currently impose an affirmative obligation on a business to implement reasonable safeguards to protect consumer PI; however, it provides a consumer private right of action where the consumer’s PI has been involved in a data breach resulting from the business’s failure to implement reasonable security safeguards. As a best practice, a business will want to review whether it has performed a risk assessment, at least annually, to identify new or enhanced risks, threats, or vulnerabilities to its systems or the PI it collects or maintains; whether it has reviewed and updated its written information security program and data retention schedule; and whether it has practiced its incident response plan.

CCPA compliance is an ongoing activity and these three action items are particularly worthy of review at the one-year mark. However, further year-end review might also include an assessment of the business’s website’s accessibility; confirmation that service provider agreements have been amended to satisfy the CCPA, where appropriate; and all new service provider contracts include relevant CCPA provisions.

Although this post is focused on the CCPA, it is important to note that California recently passed the Consumer Privacy Rights Act (“CPRA”). The CPRA supplements and amends the CCPA. Two CPRA provisions are worth noting as they relate to items on this action item list. First, effective January 1, 2023, businesses will have an affirmative obligation to implement reasonable safeguards. Second, businesses will be required to disclose their collection and use of “sensitive personal information” and shall permit individuals to limit the business’s use of this information in certain circumstances. By adding these new provisions, the CPRA builds upon and expands the CCPA, inching it a bit closer to the EU General Data Protection Regulation.

Want to Know if Your Employees Received the COVID-19 Vaccine? Some Best Practices to Consider

By Joseph J. Lazzarotti on

While its rollout has been slow, the vaccine is being administered across the U.S. and in other countries. As of January 15, 2021, nearly 36 million doses of a COVID-19 vaccine have been administered, just over 11 million in the U.S. For a variety of reasons, organizations want to know whether their workforce members (employees, contractors, etc.) have been vaccinated. Some are trying to assess prospects for return to work, while others want to provide incentives to get the vaccine, and still others are managing customer demands to know if their vendor’s workforce has been vaccinated.

The EEOC has provided some guidance on the issue:

K.3. Is asking or requiring an employee to show proof of receipt of a COVID-19 vaccination a disability-related inquiry? (12/16/20)

No.  There are many reasons that may explain why an employee has not been vaccinated, which may or may not be disability-related.  Simply requesting proof of receipt of a COVID-19 vaccination is not likely to elicit information about a disability and, therefore, is not a disability-related inquiry.  However, subsequent employer questions, such as asking why an individual did not receive a vaccination, may elicit information about a disability and would be subject to the pertinent ADA standard that they be “job-related and consistent with business necessity.”  If an employer requires employees to provide proof that they have received a COVID-19 vaccination from a pharmacy or their own health care provider, the employer may want to warn the employee not to provide any medical information as part of the proof in order to avoid implicating the ADA.

So, based on the answer to the question posed above, we know the EEOC’s position is that asking or requiring employees to provide information on whether or not an employee was vaccinated is not a disability-related inquiry under the Americans with Disabilities Act (ADA). But that may not be the end of the inquiry. These are several considerations and best practices that organizations might consider before putting such requests to their workforce members.

  • Who wants the information, and why? As noted above, there could be several reasons for wanting to ask employees about their vaccination status. Those reasons can affect compliance and best practice considerations. For example, if an organization is working to accommodate customer demands for vaccination status of the organization’s employees who are performing services at the customers’ facilities, the organization might want to consider, among other things:
    • Does it need to provide the information to the customer?
    • Is consent/authorization necessary?
    • How should the information be transmitted?
    • Who at the customer would have access to that information?
    • Will the customer safeguard it?
  • What steps can be taken to limit compliance risk? If an organization decides to ask workforce members about their vaccination status, there are steps it can take to minimize compliance risk. For instance, an organization can minimize the chance of an ADA violation by (i) designing the request so it is not likely to elicit information about a disability, (ii) not asking why an individual did not receive a vaccination, and (iii) warning the employee not to provide any medical information as part of the requested proof of receipt of a COVID-19 vaccination. Similarly, employers that are subject to the California Consumer Privacy Act (CCPA) and wondering whether their notice at collection to California employees needs to cover vaccination information may decide to provide notice in the abundance of caution.
  • Is it necessary to even ask employees directly…couldn’t the organization look at its health plan’s claims information for vaccine-related administration charges? Aside from being arguably more administratively difficult, this method likely would be considered a violation of the HIPAA privacy rule. Plan sponsors may not use protected health information under HIPAA for an employment purpose without the employee’s authorization.  
  • Does the collection and processing of vaccination information raise data privacy and security risks? Even if making the request is not a disability-related inquiry, it may be considered a medical inquiry, and the employee’s response, confidential medical information. While not subject to HIPAA in the employer-employee context, this information still may have protections under state statutory and common law. Consider, for example, that several states, such as California and Florida, include “medical information” as part of the definition of “personal information” under their breach notification laws. Accordingly, if that information is breached, which could include access to the information by an unauthorized party, notification may be required.

Additionally, statutory and common law obligations exist to require employers to safeguard employee personal information, which may include information about their physical health, such as vaccination status. Thus, maintaining reasonable safeguards to protect such information is prudent. This might include access management measures and record retention and destruction policies. It also may include having clear guidelines for making disclosures of this information and determining whether an authorization is needed before such information may be disclosed or accessed by a third party.

These are just some of the issues organizations may find themselves grappling with as COVID-19 vaccinations become more available. Thinking them through carefully should help organization minimize their compliance and legal risks as they continue to manage their businesses through this pandemic.

New York Could Become the Next Hotbed of Class Action Litigation Over Biometric Privacy

By Joseph J. Lazzarotti on

Dubbed the “Biometric Privacy Act,” New York Assembly Bill 27 (“BPA”) is virtually identical to the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (BIPA). Enacted in 2008, BIPA only recently triggered thousands of class actions in Illinois. If the BPA is enacted in New York, it likely will not take as long for litigation to begin under the new privacy law. Interestingly, late last year, Governor Cuomo signed AB A6787D which, among other things, prohibited the use of biometric identifying technology in schools at least until July 1, 2022.

Just like BIPA, the BPA would establish a comprehensive set of rules for companies possessing and/or collecting “biometric identifiers” and “biometric information” of a person, such as:

  • Development of a publicly available policy establishing retention and destruction guidelines
  • Informed consent required prior to collection
  • Limited right to disclose without consent
  • Mandated security and confidentiality safeguards
  • Prohibiting private entities from profiting from the data

Most important, the BPA also would create a private right of action for persons “aggrieved” by violations of BPA, using the same language as under BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.

We know the Illinois Supreme Court decided that, in general, persons bringing suit under BIPA do not need to allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.

Of course, the BPA is not currently the law in New York. However, if enacted, companies should immediately take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps.

It is unclear whether courts in New York will interpret the availability of remedies under BPA, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the collection, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the BPA requirements, that violation could constitute an invasion, impairment, or denial of a right under the BPA resulting in the person being “aggrieved” and entitled to seek recovery.

OCR Releases Report Summarizing HIPAA Privacy and Security Compliance Failures

By Joseph J. Lazzarotti and Maya Atrakchi on

In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year.  The Report examines OCR’s findings from HIPAA audits the agency conducted during 2016-2017 of 166 healthcare providers and 41 business associates. The audits were intended to examine mechanisms for compliance, identify promising practices for protecting the privacy and security for health information, and discover vulnerabilities that may be have been overlooked by OCR enforcement activity. It is the OCR’s hope that insights from the Report will enhance industry awareness of compliance obligations and assist the OCR in developing tools and guidance to assist industry compliance, self-evaluation, and prevent data breaches.

The Report looked at seven components of HIPAA compliance by covered entities:

Privacy Rule:

      • notice of privacy practices/content requirements
      • provision of notice – electronic notice (website posting)
      • right of access

Breach Notification Rule:

      • timeliness of notification
      • content of notification

Security Rule:

      • security management process – risk analysis
      • security management process – risk management

For business associates, the Report examined three components:

Breach Notification Rule –

      • notification by a business associate,

Security Rule –

      • security management process – risk analysis and
      • security management – risk management.

The Report applied a rating scale of 1-5 to covered entities, one being essentially full compliance and five being no evidence of a serious attempt to comply with the rules. Based on this scale and the results from the audits, the Report concludes covered entities generally demonstrated compliance in only two of the seven areas audited: 1) timeliness of breach notification and 2) prominent posting of the notice privacy practices on their websites. Here are some troubling data points from the Report:

  • With regard to satisfying the content requirements for HIPAA notices of privacy practices, only 2% of covered entities fully met the requirements, and two-thirds failed to or made minimal or negligible efforts to comply.
  • Almost all covered entities audited (89%) failed to show they were correctly implementing the individual right of access. Notably, right of access compliance is a specific enforcement initiative of the OCR, having announced 13 enforcement actions over the past two years. Compliance gaps included inadequate or incorrect policies and procedures for providing access, such as policies that incorrectly state that the entity could deny access to PHI or lack of policies for honoring requests for information to be provided to a designated third party.
  • Approximately 70% of covered entities used breach notification letters that failed to satisfy regulatory content requirements, such as a description of the electronic personal health information (ePHI) breached and steps individuals can take to protect themselves from additional harm.
  • As the OCR’s previous audit (from 2012) found, covered entities struggled to implement the Security Rule’s requirements for both risk analysis and risk management – the Report highlighted that only 14% of audited covered entities “substantially fulfilled” responsibilities regarding safeguarding of ePHI through risk analysis mechanisms, and only 6% of covered entities adequately fulfilled requirements to implement appropriate risk management mechanisms to reduce risks and vulnerabilities to a reasonable and appropriate level.

Business associates shared similar struggles with covered entities regarding implementation of security risk analysis and management requirements – only 17% of audited business associates “substantially fulfilled” requirements regarding safeguarding of ePHI through risk analysis, and only 12% of business associates fulfilled the requirement to implement appropriate risk management mechanisms. Moreover, while few audited business associates reported a breach of ePHI, those that did generally evidenced minimal or negligible efforts to address audited requirements.

On a positive note, the Report noted that a large majority of the covered entities and business associates shared their appreciation for the comments or findings, and already initiated steps to strengthen policies, procedures, and/or correct deficiencies.  The Report also provides helpful easy-to-use tools and resources to assist organizations with compliance. For example, the Report highlights the Model Notices of Privacy Practices available on the OCR’s website – covered entities may customize these models by entering their entity-specific information.

In the OCR’s announcement of the Report, OCR Director Roger Severino emphasized,

The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative.  We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.

Takeaway

The OCR was active in enforcing HIPAA regulations in 2020. In particular, there were thirteen settlements under the OCR’s Right to Access Initiative which enforces patients’ rights to timely access medical records at reasonable cost. In September of 2020 alone, the OCR announced settlements with five providers under that Initiative. OCR settlements have impacted a wide array of health industry related businesses including hospitals, health insurers, business associates, physician clinics, and mental health/substance abuse providers. Furthermore, 2020 saw more than $13.3 million recorded by OCR in total resolution agreements.

In addition, there was a significant amount of OCR issued guidance relating to HIPAA in 2020. In March OCR issued back-to-back guidance on COVID-19 related issues, first regarding getting protected health information (PHI) of COVID-19 exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the Director of the OCR issued advice to HIPAA subject entities in response to the influx of recent OCR enforcement actions – “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” In September, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and improve HIPAA Security Rule compliance, and shortly after issued updated guidance on HIPAA for mobile health technology. Finally, regulations have been issued to permit hospitals and health systems to donate cybersecurity technology to physician practices.

The Report combined with increased OCR enforcement activity and guidance, serves as a reminder of the seriousness in which OCR treats HIPAA compliance obligations, and healthcare organizations and their business associates need to address basic best practices as they enter 2021.

CPRA Series: The Importance of Data Retention Schedules and Records Management Policies

By Mary T. Costigan on

Record retention and records management policies are key elements for a company’s data protection program. Numerous recently enacted, or amended, data protection laws adopt data retention or storage limitation principles to safeguard personal information. Companies that do not have clearly defined record retention practices should take notice. Companies with existing practices should review those practices to ensure they comply with applicable legislation and their information security program.

The recently passed California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), adopts the EU General Data Protection Regulation (GDPR) storage limitation principle. Under the GDPR, record retention practices play a significant role; storage limitation is a key data processing principle. Personal data must be stored only as long as needed to achieve the articulated purpose for which it was collected, thus ensuring the retention period is limited to a strict minimum. The goal is to minimize risks to the privacy and security of the personal data. The longer a business retains personal data, the more opportunity exists for unauthorized and perhaps unlawful access, use, or disclosure of that data. EU regulators have emphasized the importance of storage limitation in various GDPR enforcement actions, including a €14.5 million fine assessed by the Berlin Commissioner for Data Protection and Freedom of Information for improper data storage and retention.

Similarly, under the CPRA, a business shall not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose it was collected. (Comparable to the GDPR, the business must also disclose to the individual the length of time it intends to retain the data, or if that is not possible, the criteria it uses to determine such period.) A failure to implement and comply with an appropriate data retention and disposal schedule may result in a violation of the CPRA’s storage limitation principle.

A company’s data retention practices may be exposed in various ways. For purposes of the CPRA, a California regulator may examine a business’s data retention practices, or the absence of, when investigating a consumer complaint. For example, a consumer may exercise their right to know what personal information a business maintains about him or her.  In response, the business may disclose that it maintains personal information the consumer believes is no longer needed for the purpose it was collected, such as when the consumer is no longer a member of the business’ loyalty program. Or, a business may notify the consumer of a data breach affecting their personal information. The consumer may take the position the business no longer needed this information for the purpose it was collected. Alternatively, in the course of investigating a data breach to determine whether the business failed to implement reasonable safeguards, an enforcement agency may discover the business retained personal information for longer than the agency believes was reasonable. This might also be discovered when a consumer brings a private cause of action alleging the business’s failure to implement reasonable safeguards resulted in the unauthorized access or disclosure of their information in a data breach.

A company’s failure to retain personal information for only as long as needed to satisfy the specific, stated purpose for which it was collected may violate the CPRA storage limitation principle. However, the CPRA also imposes an affirmative duty on a business to implement reasonable safeguards to protect personal information from unauthorized or illegal access, destruction, use, modification or disclosure. Enforcement bodies may view storage limitation practices as a basic reasonable safeguard and the failure to implement or follow storage limitations may also constitute a violation of this affirmative duty.

The Federal Trade Commission took such a position in a complaint alleging unfair acts or practices in relation to a personal data breach. The FTC alleged a U.S. technology business failed to implement reasonable safeguards which enabled a hacker to access consumer personal information. In its complaint, the FTC listed several data security practices the business engaged in, including the failure to have a systematic process for inventorying and deleting consumers’ personal information when no longer needed, which it argues were unreasonable. The 2019 settlement agreement requires the company to implement an information security program to address the security failures raised in the complaint.

Currently, over twenty states including Florida, Texas and Illinois have laws requiring businesses that collect and maintain personal information to implement reasonable safeguards to protect that data. Although the majority of these statutes do not define reasonable safeguards, it is likely that state attorneys general will agree with the FTC’s position that deleting personal information when no longer needed is a “reasonable, low-cost, and readily available security” safeguard.

Over thirty states, including California, New York and Colorado have enacted laws requiring businesses to securely dispose of records containing certain personal information when no longer needed. Compliance with these laws necessitates developing and adhering to appropriate data retention schedules and records management policies. However, unlike the CPRA, the storage limitations imposed by these laws are not tied expressly to completion of the specific purpose for which the data was obtained.

Prolonged data retention creates heightened risk to the privacy and security of the personal information a company maintains. Minimizing that risk, and reducing potential liability, necessitates understanding existing records management, data retention, and data destruction practices. With the increased statutory focus on record retention and, in some cases, movement toward more restrictive storage limitations, companies will want to review or develop an informed data retention schedule, identify any contractual, statutory or operational needs for retaining personal data, and determine whether the company retains stale or legacy data. As with any data protection activity, these steps will be most effective when performed by an interdisciplinary team.

For more information on the CPRA or data protection best practices, please see our blog https://www.workplaceprivacyreport.com/.

FTC Settles Claims Financial Institution Failed to Oversee Its Vendor’s Data Security Practices

By Joseph J. Lazzarotti on

Assessing the privacy and cybersecurity practices of third-party service providers is critical not only for employee personal information, but also for confidential and personal information pertaining to an organization’s business and its clients, customers, patients, students, etc. The Federal Trade Commission (FTC) announced a settlement on December 15 with a financial institution that it claimed failed to oversee the data security practices of one of its third-party service providers as required under the  Gramm-Leach Bliley Act’s Safeguards Rule.

The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. As part of that program, financial institutions must oversee their third-party vendors, by ensuring they are capable of implementing and maintaining appropriate safeguards for customer information, and requiring them to do so by contract. The FTC alleged the financial institution in this case failed to do this.

Oversight of vendors is a critical part of any comprehensive data security program, particularly where those vendors can put sensitive consumer data at risk,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “If you’re a financial company, vendor oversight is not just a good idea, it’s the law.”

In this case, the FTC alleges the financial institution’s vendor, which performed text recognition scanning on mortgage documents, stored the contents of the documents on a cloud-based server in plain text, without any protections to block unauthorized access, such as requiring a password or encrypting the information. And, according to the FTC, the financial institution (i) failed to adequately vet the vendor at issue and other vendors; (ii) did not have safeguard requirements in all vendor contracts; and (iii) did not conduct risk assessments of all of its third-party vendors, as required under the Safeguards Rule. Unfortunately, the complaint claims the server was accessed dozens of times and the documents on the server contained sensitive information about mortgage holders and others, such as names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, or credit files.

It is important to note that similar statutory and regulatory requirements exist at the state level and at the federal level outside of the financial services industry. Here are some examples:

  • Under HIPAA, covered entities that work with certain third parties, known as business associates, must enter into “business associate agreements” setting out extensive contractual obligations on the business associate for privacy and security, which also apply directly to the business associate.
  • The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) requires “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York to “select[] service providers capable of maintaining appropriate safeguards, and require[] those safeguards by contract.”
  • Businesses subject to the data security regulations in Massachusetts, 201 CMR 17.00, must oversee service providers by (i) taking reasonable steps to select and retain those that are capable of maintaining appropriate security measures to protect such personal information consistent with the Massachusetts regulations and any applicable federal regulations, and (ii) requiring such service providers by contract to implement and maintain such appropriate security measures.
  • Several other states have similar requirements, including California, Colorado, Oregon, and Rhode Island.

The FTC’s proposed settlement requires the financial institution to, among other things:

  • undergo biennial assessments of the effectiveness of its data security program by an independent organization, which the FTC has authority to approve.
  • have a senior company executive annually certify the institution is complying with the final FTC order.
  • report any future data breaches to the FTC within 10 days of notifying other federal or state government agencies.

We discussed here some steps organizations could take to assess their third-party service providers’ capabilities concerning privacy and data security. Of course, these are not the only steps that an organization might include in a vendor management program. Those steps would be a function of the organization’s own risk assessment of the nature and extent of the sharing and processing of sensitive data it engages in with third-party service providers. Of course, at a minimum, any organization should be sure the master services agreement with the vendor includes a requirement that reasonable safeguards concerning personal information be maintained by the vendor. Regardless of the actual steps taken to address this risk, organizations should be regularly assessing the privacy and cybersecurity risks presented by third-party service providers and how to address them. And, remember that as many such organizations are themselves service providers, they too may find themselves under increased scrutiny in this regard.

IoT Devices to See New Security Guidelines in 2021

By Joseph J. Lazzarotti on

Setting up that new IoT device you received for Christmas? Maybe you’ve been derelict in feeding the dog and found a smart dog feeder under the tree, one that will alert you that Luna has been fed or that you have to refill the feeder. Smart gizmos are not just for the home, approximately 25% of businesses use Internet of Things (IoT) technology, a figure only expected to grow substantially. With that growth will be new and varied applications for IoT technology, along with a need to understand the different kinds of risks it presents. Earlier this month, on December 4, 2020, President Trump signed the Internet of Things Cybersecurity Improvement Act of 2020 (Act). The Act is directed at federal agencies, but is likely to have a significant impact in the private sector as well.

Passed by the House in September 2020, the Act mandates a cybersecurity framework be created for the appropriate use and management by federal agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency. Perhaps that most notable provision of the Act is for contractors of federal agencies and their subcontractors – effective two years from enactment, December 5, 2022, and subject to limited opportunities for a waiver, federal agencies will be:

prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40, United States Code, of a contract for such device that the use of such device prevents compliance with the standards and guidelines developed under [the Act].

What are the Standards and Guidelines to be Developed under the Act?

Within 90 days following enactment, the Act requires the Director of the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines on the appropriate use and management by federal agencies of IoT devices they own or control and which are connected to information systems they own or control. Along with bearing in mind standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships, the Director also must consider the following for IoT devices:

  • Secure Development.
  • Identity management.
  • Patching.
  • Configuration management.

In addition, within 180 days following enactment, the Director must publish guidelines for reporting, coordinating, publishing, and receiving of information about security vulnerabilities relating to information systems owned or controlled by an agency (including IoT devices) and resolving those vulnerabilities. The Director also must provide guidance for contractors and subcontractors on receiving information on potential information system vulnerabilities and disseminating information about resolutions.

What Does This Mean for IoT Devices?

For federal contractors and subcontractors, it will mean closely tracking and incorporating published security standards and guidelines by NIST, as well as being prepared to receive and act on information about potential security vulnerabilities received from federal agencies concerning devices and systems, and disseminate information on resolutions for those vulnerabilities. However, the Act also may establish recognized best practices for IoT devices, resulting broader adoption in the private sector. In the meantime, NIST has already started developing the standards and guidelines that will flow from the Act.

LexBlog