Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General’s office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.

In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state’s Attorney General to inquire into not only the company’s privacy safeguards, but its business model as well. According to the Attorney General’s office, a company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car parked in a bar and restaurant district of Minneapolis, where it was stolen.

For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010.  Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers to obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.

Other mandates. Requirements to ensure third party vendors are safeguarding personal information are not limited to Massachusetts. Examples include:

  • States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
  • The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH, which will specifically address business associate agreement requirements, among other things.
  • The Payment Card Industry (PCI) standards require similar agreements.
  • Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”   

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiation and drafting are critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some businesses might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors’ data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment? The Maryland and Illinois legislatures would like to limit employers’ ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.

UPDATE – Newly enacted Maryland law prohibits employers from demanding access to Facebook or other online accounts of employees and applicants.

Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to

  • require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
  • require an employee to install on the employee’s personal electronic device software that monitors or tracks the content of the electronic device.  

Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer’s internal computer or information systems. 

The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electronic devices, including the personal devices of employees. This bill would make that process more challenging, particularly for businesses with nationwide operations in heavily regulated industries such as healthcare, insurance, finance and so on.

Two other bills (H.B. 310, S.B. 434) also are being considered that would prohibit public and nonpublic colleges and universities from making similar demands on students and applicants.

Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as

  • Finding medical information protected under the Americans with Disabilities Act or the Genetic Information Nondiscrimination Act.
  • Acting inconsistently when similar information is found about different applicants/employees/executives.
  • Acting on information that is not true.
  • Intruding into private areas.  
  • Failure to document the steps taken in conducting the search.
  • Not realizing the Fair Credit Reporting Act may apply and impose consent and notice requirements.
  • Unlawfully limiting protected concerted activity under the National Labor Relations Act.

Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination.  Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way to minimizing these risks.

In United States v. Jones, the Supreme Court unanimously decided that FBI agents violated the Fourth Amendment when they attached a Global-Positioning-System (GPS) tracking device to a suspected drug dealer’s Jeep Cherokee and monitored the vehicle’s movements on public streets for 28 days without obtaining a warrant to do so. Justice Scalia wrote the Court’s opinion, with four justices joining the opinion – Chief Justice Roberts and Justices Anthony Kennedy, Sonia Sotomayor, and Clarence Thomas.

Sotomayor’s concurring opinion is worth noting for its detailed analysis of the chilling effect on associational and expressive freedoms that government monitoring via technology, like GPS surveillance, will have if left unchecked. She wrote:

“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious and sexual associations…The Government can store such records and efficiently mine them for information for years into the future…And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: ‘limited police resources and community hostility.’”

Justice Alito, who also concurred in the majority opinion, argued for warrants based on the “reasonable expectation of privacy” standard, instead of the common law trespass test applied by Scalia. Alito, clearly troubled by the Court’s reliance on the law of trespass, points out that technology today allows for easy electronic monitoring, without any need to come into physical contact with the subject being tracked. He expresses concern over the “increased convenience” of new technology at the “expense of privacy,” and suggests that these “new intrusions on privacy” may motivate Congress to enact legislation addressing these “new intrusions” as it did with wiretapping. Sotomayor clearly agrees, but whether Congress will act obviously remains to be seen.

So, what does U.S. v. Jones mean for employers?

Private employers generally are not subject to the Fourth Amendment’s prohibition against unreasonable search and seizure. However, it is certainly foreseeable that employees of private employers could cite this case in support of claims that GPS monitoring, or any sort of electronic monitoring for that matter, during non-working hours violated their “reasonable expectation of privacy.” Whether this decision will influence courts as technology becomes more powerful remains to be seen.

As such, it is imperative for employers, especially those who provide smart phones and company vehicles containing GPS monitoring devices to their employees, to adopt policies notifying their employees of the company’s right to monitor their actions while using company-owned property. These policies should also contain language notifying employees about the GPS monitoring capabilities of the company-issued property and that they should not have an expectation of privacy while using it.

In light of the contours of a “reasonable expectation of privacy” analysis and concerns over common law claims of intrusion upon one’s seclusion, employers should also avoid monitoring during non-work hours. In addition, where the data received from location tracking reveals details of an employee’s personal life, employers should either not review it or be prepared to show that they have a legitimate business justification for looking at this type of information.

Finally, private employers in states like California may have more to be concerned about where constitutional privacy protections apply to the private sector. A number of states also have laws prohibiting the installation of a tracking device without the consent of the vehicle’s owner or lessor.

In connection with its coverage of national signing day, ESPN.com recently highlighted that social media is increasingly being utilized by coaches to contact, recruit and gather information about players. For players, it’s a way to get recruited, control the message and interact with fans and other recruits at unprecedented levels. And, like in the workplace, misuse of the media can have unfortunate consequences. A New Jersey high school prospect recently found this out when he was expelled from Don Bosco Preparatory after questionable posts were viewed on his Twitter account. We have noticed similar trends and similar missteps in the employment context, where social media is often being utilized by companies and employees without first being well thought out.

While the NCAA does provide some social media regulations, online interaction is far less regulated than more “old fashioned” forms of communication. According to Gregg Clifton, Co-chair of Jackson Lewis’ Collegiate and Professional Sports Industry Group, “The days of face-to-face interaction between coach and recruit have been forever transformed. While the NCAA limits direct phone contact and texting by coaches to recruits, current NCAA regulatory freedom still permits coaches to use social media to contact, recruit, and gather information about players they are considering for their programs.” Similarly, both state and federal employment law struggle to keep up with the ever expanding social media realm. This was most recently highlighted by the NLRB General Counsel’s report on social media. Consequently, even employers that do have social media policies often do not address key issues such as the company’s presence online, regulatory requirements that apply in their industry, and how managers and supervisors should and should not be using the medium. In fact, as shown by many of the NLRB’s rulings discussed in the recent report, many policies contain overbroad proscriptions that violate a variety of laws.

To keep up with social media, some schools are hiring individuals to monitor the social media of prospective student-athletes and to make sure that improper interaction is not occurring, as well as to ensure confidential information, such as information protected under FERPA, is not being disclosed. Employers too are seeking to hire individuals not only to assist in utilizing social media for marketing, but also to monitor how social media is and should be utilized in employment decisions. This is particularly true for statutes and regulations which one may not necessarily link with social media. For example, employers often don’t realize that they may improperly acquire genetic information in violation of GINA by “friending” or “following” employees or applicants.

Of course, schools also are employers…so, while universities and colleges need to institute effective policies and procedures to address their use of social media in recruiting, they also must address social media usage in the employment context.

In recognition of Data Privacy Day (January 28, 2012) and to facilitate a more interactive experience for our readers and subscribers, we want to extend to you the opportunity to tell us what is on your mind in the world of data privacy, social media and information management.

For the last two years, we have brought you developments on a wide range of issues concerning these topics. We realize many of you might like us to report on or provide information concerning certain issues/topics that we have not covered before. If so, please tell us!

To submit a topic, you can email us at informationrisk@jacksonlewis.com, or reach out to us through our Workplace Privacy Report on Facebook and Twitter. Feel free to “Like” our Facebook page and “Follow” us on Twitter by clicking on the corresponding buttons on the right below. If we select your topic, we will reach out to you privately to see if you would like us to identify you in the responsive post.

Of course, what would any communication from a lawyer be without a DISCLAIMER?

We look forward to hearing from you!

Today, the NLRB’s Acting General Counsel posted a second report concerning social media issues and the National Labor Relations Act. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. Look for follow-up analysis from us and our Labor partners.

Check out our prior reporting on related developments.

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites, and that number is sure to grow significantly. This growth will likely be due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

  • Understand the medium – what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
  • Determine desired uses – promotion of services/sales, recruiting, reputation management, community involvement, education, and so on.
  • Assess risks – privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
  • Develop policies and procedures – control company message and regulate employee activity.
  • Implement, train and reevaluate – limit the number of employees who can speak for the organization, train employees on legal risks (such as with HR looking up applicant/employee background information online), and determine whether the social media plan is producing desired results.

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.

An invasion-of-privacy claim against an insurance agent brought by his former employee should proceed even where a surveillance camera placed by the agent in the workplace’s unisex bathroom was faulty, the Iowa Supreme Court has ruled. Koeppel v. Speirs, No. 08-1927.

The district court dismissed the invasion-of-privacy claim on summary judgment because there was no proof that the equipment was operational or that the employer had actually viewed any recordings of the employees. The Court of Appeals reversed the dismissal, and on December 23, 2011, the Iowa Supreme Court affirmed the reversal and remanded the employee’s common law privacy claim to the district court.

The issue before the Iowa Supreme Court was whether an actual "viewing" was a necessary element of an invasion-of-privacy claim involving hidden monitoring equipment. Courts in other states have split on the issue. After analyzing decisions from other states and law review articles on privacy law as well as the origin of the term, "peeping Tom," the Iowa Supreme Court held that an actual viewing was not required. Following the reasoning of a 1964 New Hampshire Supreme Court decision, it concluded an intrusion occurs when the defendant performs an act that has the "potential to impair a person’s state of mind and comfort associated with the expectation of privacy."

The Iowa Supreme Court said, "[W]e think it is important to keep in mind that the tort [of invasion of privacy] protects against acts that interfere with a person’s mental well-being by intentionally exposing the person in an area cloaked with privacy." It determined that “[a]n electronic invasion occurs under the intrusion on solitude or seclusion component of the tort of invasion of privacy when the plaintiff establishes by a preponderance of evidence that the electronic device or equipment used by a defendant could have invaded privacy in some way.” Thus, under Koeppel, a victim’s mental state can be more important to an invasion of privacy claim than what the defendant actually viewed, accessed, or shared. (The employee here also sued for sexual harassment, but that claim was dismissed because an employer with fewer than four employees is not liable for sexual harassment under Iowa law.)

An invasion-of-privacy claim in Iowa, therefore, need not include a showing that the monitoring device was functioning at the time it was discovered or that it was ever used. It is sufficient that the device was capable of functioning.