Written by Alexander Nemiroff

Employers are beginning to realize that their employees are sending or receiving recommendations on social media sites, such as LinkedIn, that are inconsistent with the employer’s policies, or worse, are false or fraudulent. They need to do something about it.

A large number of social media web sites are allowing users to recommend the work performance or services of co-workers, vendors, and customers. Unfortunately, many employers are not paying attention to this phenomenon. To their chagrin, they are discovering serious problems with these recommendations only when it is much too late.

For many years, attorneys have advised employers that providing positive or negative references for former employees can be problematic. Negative references can often lead to defamation actions. As for positive references, a number of courts have found liable employers who provided false positive references for former employees that the employers knew had committed crimes or engaged in other misconduct. As a result, many employers today simply provide neutral references for all former employees.

Unsanctioned recommendations appearing on social media sites also can cause complications for employers. Take, for instance, an ill-timed positive reference published by a manager on a social media site extolling his former employee’s honesty while, at the same time, but unbeknownst to the manager, the employer was contemplating litigation against the former employee for taking trade secrets or other confidential business information as he was leaving. 

Anonymous recommendations or endorsements by employees also may run afoul of the Federal Trade Commission’s Guidelines on the Use of Endorsements and Testimonials in Advertising, 16 C.F.R. § 255. For example, employees anonymously endorsing their own company’s products without full disclosure of their relationship may trigger liability. The Guidelines require not only full disclosure of such relationships, but that employers have procedures in place to prevent such an endorsement from being made.

To avoid these issues, employers should take several steps. First, employers need to amend their written social media and/or reference policies to address unauthorized employee recommendations and references on social media sites. Depending upon the circumstances, barring employees from making such references may be appropriate. However, this is not always practical or prudent for employers who are encouraging employees to promote their businesses through social media. Under these circumstances, employers may require that employees request authorization from their human resources department or other designated individual before making references or recommendations, and to make any necessary disclosures.

Simply amending social media and references policies and procedures, however, may be insufficient. Employers need to be vigilant and proactive in this area. Appointing suitable personnel, and perhaps a social media manager, to monitor public social media sites to ensure that employees are not violating these critical policies, is another measure employers should consider. When monitoring, special care should be taken by governmental entities not to violate an employee’s constitutional right to privacy and by private employers not to infringe upon laws protecting employee off duty or protected concerted activities. 

The Securities and Exchange Commission’s Division of Corporation Finance provided guidance to public companies on October 13, 2011, about their disclosure obligations concerning cybersecurity risks and cyber incidents. The Division is careful to point out that federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. So, while this guidance does not establish new obligations for registrants, it seeks to help them understand their existing disclosure obligations as they relate to increasing cyber risks.

The guidance summarizes the kinds of attacks that may raise concerns:

  • unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption;
  • causing denial-of-service attacks on websites; or
  • third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access.

Concerning the disclosure obligation, the Division observes:

Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.

In determining whether risk factor disclosure is required, including whether to include cybersecurity risks and cyber incidents in the Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), registrants will need to consider all of the facts and circumstances, such as:

  • prior cyber incidents;
  • severity and frequency of those incidents;
  • the probability of cyber incidents occurring;
  • the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption;
  • the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware; and
  • whether the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition.

At the same time, the Division does not expect a registrant will make a disclosure that itself would compromise the registrant’s cybersecurity.

As cybersecurity risks continue to grow and cyber incidents become more widespread, all companies need to assess and address these risks. For public companies, this is even more critical given their reporting requirements. 

Have you hired a social media manager? A social media guru/wizard/ninja/diva? Each of these job "titles" is increasingly being used by companies to attract individuals who specialize in marketing a company’s brand and/or services in social media. A recent article in the Chicago Tribune and Los Angeles Times highlights just how prevalent these job titles are becoming in corporate America.

As companies struggle to keep up with the rapidly evolving world of social media, they are turning to hiring social media managers to handle their social media presence. However, companies should be leery of the “jump first, look second” approach. In fact, several key questions should be asked when delving into the realm of social media and hiring a new, typically younger employee with responsibility for a company’s social media existence and, therefore, its brand.

Qualifications:

  • What qualifications are you looking for? Often companies seek a younger employee who is "tech-savvy." Traditional employment issues notwithstanding (i.e., age discrimination when an "older" employee is not hired/considered for a position), companies must also consider what their social media mission/focus will be. For example, to the extent a company utilizes social media as a marketing tool, will you want your social media manager to have a background in marketing? Similarly, to the extent you wish to utilize social media to handle client/customer complaints, will you want your social media manager to have a background in customer relations? Will you hire an external candidate who is perhaps unfamiliar with your company and its mission, or will you hire an internal candidate?

Responsibilities:

  • What products/services will the social media manager be responsible for discussing/marketing?
  • Will the social media manager have total freedom to explore and execute social media opportunities? 
  • What policies will the social media manager be responsible for implementing?  Will the social media manager have responsibility for implementing the company’s social media policy to employees and managers as well?

Training/Protocols:

  • What training will be provided to your social media manager?  For example, will the social media manager be trained on what information he/she should or should not consider when examining posts by customers and/or employees? 
  • What policies will govern your social media manager’s employment?  Will the social media manager be permitted to “friend” employees/subordinates on social media or establish policies for employees to follow? 
  • What safety protocols will be in place? For example, if your company has a Facebook page, will your social media manager be responsible for maintaining the password and access to it? How will the company transition its social media presence if and when the social media manager separates from employment?

While the above list is by no means exhaustive, it demonstrates some of the additional considerations that must be examined when a company wishes to expand into social media. Companies are often unaware of the need to consider these questions prior to implementing a social media policy or hiring a social media manager. However, examining these points will help ensure your company’s social media experience flows more smoothly.

A Federal Acquisition Regulation proposed on October 14, 2011 (76 Fed. Reg. 63896, 10/14/11), would require federal contractors to conduct privacy training before being given access to government records or handling personally identifiable information. For many entities, training may already be called for under a federal or state law, or contract provision. However, this regulation raises the bar by effectively halting a contractor’s work until the training is performed. Contractors will need to watch this regulation closely as it may affect their businesses. The public may submit comments on this regulation until Dec. 13, 2011.

Key features of the proposed regulations:

  • Contractors would be required to provide initial training and annual training for employees who either (1) require access to a government system of records; (2) handle personally identifiable information; or (3) design, develop, maintain, or operate a system of records on behalf of the federal government.
  • Federal agencies are required to provide contractors the training materials unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials.
  • The contractor is responsible for ensuring the training is completed, and must maintain documentation of the training.
  • Certain privacy clauses will need to be added to the contract between the contractor and the government.

Training must cover at least the following seven areas:

  1. The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a);
  2. The handling and safeguarding of personally identifiable information;
  3. The authorized and official use of government system of records;
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information;
  5. The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government;
  6. Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and
  7. Any agency-specific privacy training requirements.

"Enforcement promotes compliance" according to the new director of the Department of Health and Human Services’ Office for Civil Rights, Leon Rodriguez, during an interview with HealthcareInfoSecurity’s Howard Anderson. In September, Mr. Rodriguez replaced Georgina Verdugo, and enters his post with significant relevant experience. He was formerly chief of staff and deputy assistant attorney general for the Department of Justice Civil Rights Division, a health care attorney in privacy practice, and a prosecutor at the federal and state level. 

On the upcoming HIPAA audits, Director Rodriguez had the following to say:

This is the first time we’re doing it, so the first thing … is for us to ‘go to school’ on how best we will run an audit program. In part, this is what you might call a pilot. We’re going to look at it and learn: How do we use an audit program? How does an audit program best advance our enforcement goals? 

The second purpose, and this is really different than enforcement, is to promote compliance among the covered entities that are subject to the audit. Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve. Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.

With HIPAA audits scheduled to begin in the next few months, covered entities and business associates should become familiar with HHS’ new Director of the Office for Civil Rights and his mission.

Joining six other states, California will impose significant restrictions on an employer’s ability to obtain a credit report for employment purposes. The law becomes effective January 1, 2012.

California Assembly Bill 22, signed by Governor Jerry Brown, generally permits employers who are seeking to fill only specific, identified “exempt” positions to obtain and use credit reports to screen applicants and/or current employees. The use of the credit reports in other occupations generally is prohibited. Further, employers will be required to provide the employee or applicant with a disclosure statement setting forth the specific basis permitting the employer to obtain a credit report. 


The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office for Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits is to look, at a minimum, for the low-hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items; (ii) conducting and documenting training of workforce members; and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.


The Minneapolis Star Tribune reports that a laptop computer containing private information on about 14,000 patients of Fairview Health Services and 2,800 patients of North Memorial Medical Center was stolen from a locked car in the parking lot of a Minneapolis restaurant in July of 2011. The incident is just one more in a series of recent data breaches around the country, often involving laptops. As we described here, the U.S. Department of Health and Human Services has noted that these types of breaches are increasing in the midst of a massive transition to electronic medical records by health care providers around the country. Both Fairview and North Memorial are sending letters to the affected patients offering free services to protect against identity theft.

The laptop in question belonged to an employee of an outside health care consultant. The computer was password-protected, but the data was not encrypted. Officials contacted for the story stated that, although it is unusual for consultants to keep large amounts of patient data on their laptops, in this case it was justified. Others disagree. Jeff Neuberger of Mid Dakota Clinic in Fargo, North Dakota, stated that when an outside contractor needs access to patient information, the contractor should be brought on-site and provided temporary, restricted access to the company’s computer system. Either way, it is critically important from a HIPAA and state law compliance standpoint that, when dealing with vendors, the appropriate business associate agreement or other form of confidentiality agreement be in place.

Fairview disclosed another breach of patient data back in April when it lost a box of paper records containing information on 1,200 patients. The box was never recovered, which goes to show that data breaches can still occur the old-fashioned way.


In November 2010, the Department of Health and Human Services established the Department-wide Text4Health Task Force to, among other things, identify ongoing initiatives and proposals for feasible new projects that would deliver health information and resources to users’ fingertips via their mobile phones. The Task Force announced recommendations on September 19 to support health text messaging and mobile health programs, which include addressing the privacy and security concerns inherent in texting.

The Task Force acknowledged in its recommendations some critical facts driving the need for guidance in this area:

  • Approximately 2.2 trillion text messages were sent in the U.S. in 2010.
  • Text messaging is particularly prevalent among teenagers, with nearly 90% of teenagers who have cell phones reporting that they use text messaging.
  • A growing body of empirical studies suggests that the use of mobile phone text messaging can be effective in improving health behaviors and health outcomes.

The recommendations note that text messaging programs may be subject to numerous privacy and security laws, including the privacy and security regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additional guidance in this area would be welcomed as many health care providers look to use developing technologies, including texting, to deliver their services.