In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

A Wall Street Journal article on December 2 discusses the National Labor Relations Board’s emergence into social media and non-union workplaces. For employers that have not looked at their policies and practices concerning employee activity in social media, this article serves as a good reminder. 


Many employers question what recourse is available when faced with the destruction or alteration of company data by former employees. This question is made more complicated when employees use their own personal computers for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern Division, held that an employee’s use of her personal computer to delete e-mails on her employer’s computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers.  Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder.  This “hard delete” made the files hard to retrieve.  

Defendants sought to dismiss the CFAA claims. Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it. Although defendants cited no cases, some district courts (e.g., Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim. Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization, and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them.

Companies must be aware of jurisdictional nuances as they strive to protect themselves.  Stay tuned as we address similar issues in an upcoming series of posts! 

As the holidays approach, I am reminded of an employment law attorney I used to know who wrote a column about this time of year about holiday parties. He would warn Human Resources (“HR”) professionals to beware of sexual harassment issues as the punch flows and inhibitions dissipate at the annual office get-together. How things have changed. In this era of Facebook and iPhones, every day is a holiday party in terms of potential liability. It used to be the only photographic evidence of employee carousal was a black and white photocopy of someone’s derriere. Now, smart phones capture everything in full color pixelation and the evidence is posted instantly. We may never know what Herman Cain and his associates were up to in the 1990s, but if it had happened now, you can bet there would be a text, tweet, or digital photo to add fuel to the Yule log fire.

As 2011 draws to a close, most employers have realized they cannot ignore social media. Social media exponentially increases a company’s opportunity for marketing. But HR folks also know that social media exponentially increases the opportunities for employees to do silly things and get in trouble. More than one fast food franchise has had to respond to digital photos posted on line of teen-aged employees bathing in a restaurant sink. Even folks who ought to know better, including an NFL quarterback and a United States Congressman, allegedly sent digital photos of their sugarplums to women who either did not want them, or did not mind sharing them on the Internet.

Based on my conversations with members of corporate HR departments, in the 2012 New Year they will be facing Social Media 2.0 – Rise of the Smart Phones. Anyone who does not already have a smart phone will probably get one for Hanukkah or Christmas. All employers should already have a social media policy addressing expectations of privacy, anti-harassment, overtime, trade secret protection, Federal Trade Commission (FTC) restrictions, and exceptions for concerted activity and protected speech under the National Labor Relations Act. Next year, employers will need to consider whether certain categories of employees should be required to keep smart phones locked away during business hours and will also need to respond to the growing demands by employees that they be allowed to conduct confidential company business on their personal iPhone.

Many employment law attorneys and HR managers may be asking Santa for a respite from the technology onslaught, and may need a drink at the holiday party as much as the next employee.


The Minnesota Supreme Court issued a decision on November 16, 2011 holding that the state’s Genetic Privacy Act, Minn. Stat. Section 13.386 (2010), restricts the collection and use of blood samples taken from newborns pursuant to the state’s Newborn Screening Statutes, Minn. Stat. Section 144.125-128. The litigation, captioned Bearder et al v. State of Minnesota, was initiated by a group of families with children born between 1998 and 2008 who challenged the newborn screening program run by the Minnesota Department of Health ("DOH"). The DOH’s program requires the collection of blood samples from newborn children by the fifth day after birth. The DOH analyzes the sample for substances that indicate the presence of a metabolic disorder. Only one of the many tests, a second-level test for cystic fibrosis, analyzes DNA or RNA. If a portion of any blood sample remained after screening tests were completed, the DOH either stored the sample indefinitely or allowed the Mayo Clinic to use the samples for unrelated studies, provided the samples had been de-identified or Mayo had received written consent from the child’s legal guardian.

Plaintiffs claimed that the Minnesota Genetic Privacy Act required the DOH to obtain informed consent before it could collect, use, store, or disseminate the samples that remained after the newborn health screening was complete. The trial court and Minnesota Court of Appeals rejected plaintiffs’ argument, but the Minnesota Supreme Court reversed, holding that the Genetic Privacy Act placed limits on the DOH’s practices. A central question in the case was whether a blood sample was properly considered "genetic information" as the term is defined in the state law. The Court held that it was, with one justice dissenting on that question.

Minnesota’s Genetic Privacy Act was passed in 2006 as part of the Data Practices Act, which governs the use and disclosure of information by state and local government. Although it is unclear whether the Minnesota Legislature intended to limit section 13.386 to public entities, the plain language of the statute suggests it may govern the collection of genetic information by private companies and employers as well. It certainly serves as a reminder that there is a growing body of federal and state regulation in the area of medical privacy. The lawsuit also highlights the public’s growing concern about the use of genetic information and may portend more litigation under federal laws such as GINA, the Genetic Information Nondiscrimination Act.


Record keeping requirements in New Jersey add to the complexities multistate employers face trying to develop strong and practical record retention programs. Garden State employers must conspicuously post and distribute to employees a notice and maintain certain records according to a law, N.J.S.A. 34:1A-1.11 et seq., that went into effect on July 13, 2010.

To assist employers, the New Jersey Department of Labor and Workforce Development (“NJDOL”) published a notice entitled “Employer Obligation to Maintain and Report Records” that employers can post and distribute. According to the law, employers must:

  1. post this notice immediately in the workplace;
  2. provide each employee hired prior to November 7, 2011, a written copy of the notice no later than December 7, 2011; and
  3. provide employees hired after November 7, 2011, a written copy of the notice at the time of hire. 


While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan’s discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding to customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap the already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

  • Where are the current policies and procedures for your department concerning privacy and security?

  • Would you please send me the training sign-in sheets for your group? Why was that group not trained?

  • Where are the signed copies of the business associate agreements? Is this all of them?

  • Where can I find a copy of the risk assessment for your department? Is it updated?

  • How was that complaint resolved? Were there any others?

  • Do you have all of the documents for the data breach that affected the radiology department?

  • Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity’s compliance efforts were tracked, maintained and documented in a single environment. Such an environment would, for example:

  • Allow different departments/groups to log on and update their compliance efforts,

  • Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

  • Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

  • Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

  • Track and document responses to patient complaints,

  • Digitize an interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish an audit trail for creating a “defensible position” to regulators,

  • Centralize administration of permissions for all employees, advisors or Business Associates (read only, print, edit, etc.), with watermark capabilities on all printed and viewed documents,

  • Centralize a reporting dashboard showing the status of all projects, with the ability to digitally feed approved 3rd party software analytic results for centralized viewing by permission-based participants, with email notification of updates,

  • Prepare for post-breach requirements in a pre-breach environment, reducing the cost of a time-sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.


Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR’s website answers some helpful questions for covered entities and business associates… 


As previously discussed, the federal appeals court in San Francisco had reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) for trying to start a business that would compete with his former employer. Now, however, at the urging of the former employee’s counsel, by order dated October 27, the same court has agreed to rehear, en banc, its previous indictment reinstatement order.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against former employee David Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court had reaffirmed that employers determine what access or authorization an employee has to an employer’s computer. It also pointed to specific examples of what the employer did to limit access to and authorized uses of information, including using unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop up on each employee’s computer screen whenever the employee logs onto the company’s system.

The Ninth Circuit’s pending rehearing by the full court of the issue of unauthorized employee access to information under the CFAA puts its previous interpretation in doubt. What is clear, however, is that employers that wish to rely on the CFAA as a means of recovery against employees who steal data or take other actions to harm company computers must plan ahead. That is, employers must clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

If you have an interest in the role the growing use of mobile communications devices (smart phones, iPads, iPhones, etc.) will play in how personal health information is exchanged in the health care industry, the Office of the National Coordinator for Health Information Technology (ONC) is seeking your input. According to a notice published Nov. 1, 2011 (76 Fed. Reg. 67455), comments are due Dec. 31.

As part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, ONC is proposing to conduct a nationwide communication campaign to meet the Congressional mandate to educate the public about privacy and security of electronically exchanged personal health information. To conduct the campaign effectively, ONC requires "formative and process information" about different segments of the public. Among other things, ONC is seeking comments on consumer attitudes and preferences about the use of these devices to exchange health information, including how privacy and security information is presented electronically to consumers.