Illinois Governor Pat Quinn approved a measure on August 22, 2011, amending his state’s data breach notification law. The changes, which become effective January 1, 2012, are designed to increase protections for Illinois residents in the following ways:

New information that must be included in breach notifications:

  • the toll-free numbers and addresses for consumer reporting agencies,
  • the toll-free number, address, and website address for the Federal Trade Commission, and
  • a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Information that may not be included in breach notifications:

  • information concerning the number of Illinois residents affected by the breach.

 

New requirements for "data collectors" that maintain or store, but do not own or license, computerized data:

As with most breach notification statutes, entities that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of the security of that data. Generally, the obligation is to notify the owner of the breach. So, for example, a third party claims administrator or an accounting firm might perform services for ABC Corp. (the owner) requiring the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.’s personal information, or the employee or some third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp. which, in turn, would need to notify the affected individuals.  

As amended, Illinois’ breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of: 

  • the date or approximate date of the breach and the nature of the breach, and
  • any steps the entity has taken or plans to take relating to the breach.

However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.

New Mandates for Disposing of Materials Containing Personal Information 

The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods: 

  • Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
  • Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Companies may engage third parties to carry out the disposal of personal information, provided that third parties performing these services must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.

Penalties for violations of the disposal requirements can be up to $100 for each individual with respect to whom personal information is disposed, subject to a maximum penalty of $50,000 for each instance of improper disposal.

In a 23-page report, the Acting General Counsel for the National Labor Relations Board summarizes the Board’s positions on social media and labor relations. This report is an interesting read and provides insight into one aspect of drafting social media policies – whether the policy will violate an employee’s right to take part in protected concerted activity.

The report notes that:

Recent developments in the Office of the General Counsel have presented emerging issues concerning the protected and/or concerted nature of employees’ Facebook and Twitter postings, the coercive impact of a union’s Facebook and YouTube postings, and the lawfulness of employers’ social media policies and rules. This report discusses these cases, as well as a recent case involving an employer’s policy restricting employee contacts with the media. All of these cases were decided upon a request for advice from a Regional Director.

Social media clearly is an important issue for the Board and this memorandum likely is not its last word on the rules that will shape employer policy concerning the use of this media. The following discussion summarizes the memorandum and its effects on social media policy.

See related articles concerning NLRB activity concerning social media.

Continue Reading NLRB Acting General Counsel Issues Opinion On Social Media and the NLRA

Connecticut joins five other states (Hawaii, Illinois, Oregon, Washington, and Maryland) in limiting what credit report information employers may use in making hiring or employment decisions. Other states have considered similar measures.

Under the new law, effective October 1, 2011, employers (including their agents, representatives or designees) may not demand that an employee or prospective employee consent to a credit report as a condition of employment unless:

  1. the employer is a financial institution, 
  2. the credit report is required by law,
  3. the employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to the employee’s employment, or
  4. such report is "substantially related to the employee’s current or potential job" or the employer has a bona fide purpose for requesting or using information in the credit report that is substantially job-related and is disclosed in writing to the employee or applicant.

For purposes of this law, a credit report is a report that contains information about the employee’s or prospective employee’s credit score, credit account balances, payment history, savings or checking account balances or savings or checking account numbers. The report will be treated as being "substantially related to the employee’s current or potential job," where the position:

  • is a managerial position which involves setting the direction or control of a business, division, unit or an agency of a business,
  • involves access to customers’, employees’ or the employer’s personal or financial information other than information customarily provided in a retail transaction,
  • involves a fiduciary responsibility to the employer, including, but not limited to, the authority to issue payments, collect debts, transfer money or enter into contracts,
  • provides an expense account or corporate debit or credit card,
  • provides access to certain confidential or proprietary business information, including trade secret information under certain circumstances; or
  • involves access to the employer’s nonfinancial assets valued at $2,005 or more, including, but not limited to, museum and library collections and to prescription drugs and other pharmaceuticals.

Employees or prospective employees who believe the law has been violated may file a complaint. Employers could be liable for $300 in civil penalties for each inquiry that violates the law.

In addition to affecting the traditional employee-employer relationship, this law (and those cited above) may affect the practice of requiring employees of a company’s vendors to jump through certain hoops before coming on-site. Increasingly, company A, when it utilizes the services of employees of company B (such as for back office processing or health care staffing needs) will require company B to ensure its employees undergo certain background checks and other certification procedures and tests. Those arrangements need to consider these limitations on the kinds of inquiries that can be made by employers.

. . . A Potential Headache for Employers of Younger Workers

Retail, entertainment, hospitality and other industries that traditionally employ large numbers of younger workers may soon get dragged into criminal proceedings because of “sexting” by their younger workers. Florida has joined 20 other states — Alaska, Arkansas, California, Hawaii, Indiana, Iowa, Kansas, Mississippi, Nevada, New Jersey, New York, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas, and Guam — which have all enacted similar legislation addressing teen sexting. Because employees frequently transmit these materials using their employer’s networks, criminal prosecutions under these laws may require employers to respond to discovery requests and subpoenas, or permit searches pursuant to warrants obtained by law enforcement authorities, which, in turn, may unexpectedly trigger disciplinary proceedings.

On June 21, 2011, Florida Governor Rick Scott signed into law H.B.75/S.B. 888. Under this law, which will take effect beginning October 1, 2011, a minor (anyone under the age of 18) commits the criminal act of “sexting” if he or she knowingly uses a computer, cell phone, or other transmission device (1) to transmit or distribute to another minor a photograph or video of any person which depicts nudity; or (2) possesses such photograph or video which was transmitted or distributed by another minor, unless the photograph was unsolicited, the minor took reasonable steps to report the photograph or video to their legal guardian, school official, or law enforcement, and the minor did not transmit or distribute the video or photograph to a third party. A minor’s first offense is considered noncriminal and is punishable by 8 hours or community service or a $60 fine. The minor’s second offense is a misdemeanor in the first degree, punishable with imprisonment not to exceed one year or a $1,000 fine; and the minor’s third offense is a felony of third degree, punishable with up to five years’ imprisonment or a $5,000 fine.

Of course, sexting is not only an issue for minors. It is fast becoming an easy and well-utilized mechanism for sexual and other workplace harassment. Accordingly, employers should review and update their anti-harassment policies to include a prohibition of harassment via e-mail, text messaging, or use of social networking sites; and they should review their electronic communications policies to include a prohibition against using any employer-provided electronic device to transmit or retain any sexually suggestive or explicit pictures, texts, videos or any other derogatory material regarding race, ethnicity, age, disability, religion, or any other protected category. Employers should also educate and train employees on the revised policies and continue to enforce all policies in a fair and consistent manner. At the same time, employers should remain mindful of any limitations on such policies (as written or as applied) that may be imposed under the National Labor Relations Act.

Disclosure to management by the company’s in-house physician of an employee’s alleged “lie” (or at least significant omission) made months earlier on a post-job offer medical questionnaire violated the Americans with Disabilities Act’s confidentiality provisions, a federal District Court in Maine held last week. Blanco v. Bath Iron Works Corp., D. Me., No. 2:10-cv-00429.

Medical professionals are becoming a fixture at many workplaces, whether they be occupational nurses or full scale on-site health clinics. As reported by the L.A. Times on July 3, 2011, 15% of U.S. companies with 500 or more employees had health centers last year, up from 11% the year before, and companies with 20,000 or more employees were even more likely to have clinics. However, having these resources on site can raise a range of workplace law risks, not the least of which concerns confidentiality.

In the Maine case, following his job offer, Mr. Blanco completed a pre-placement medical screening, which included filling out and signing a “Medical Surveillance History Questionnaire,” administered by the employer’s in-house physician. He did not reveal on that form that he had Attention Deficit Hyperactivity Disorder (ADHD). Mr. Blanco received good reviews for the first few months of his employment, but when he was moved to a different position, his performance began to wane. During a meeting with his manager, he attributed his poor performance to his ADHD and not long after requested a reasonable accommodation.

Mr. Blanco was referred to the same in-house physician who administered the Medical Surveillance History Questionnaire. Rather than explore the substance of his request, the physician interrogated Mr. Blanco concerning the ADHD omission on the Questionnaire. He explained that he did not understand the questions to ask about mental or emotional issues, such as ADHD. The physician refused to provide an accommodation, or even address the issue, and shortly after the physician informed management of Mr. Blanco’s omission from the Questionnaire, he was fired.

In refusing to dismiss Mr. Blanco’s complaint under the Americans With Disabilities Act and the state anti-discrimination law, the Court rejected two interesting arguments raised by the employer:

  1. Employees that lie should not be able to get protection under the ADA’s medical information confidentiality protections; and,
  2. As a policy matter, these kind of misstatements put in-house physicians “in a pickle.” The court allowed, “If the revealed condition places the employee and his co-workers at risk, the doctor’s conflicting loyalty would become a safety issue."

In each case, however, the Court said it didn’t matter to its decision that the employee may have lied on the medical questionnaire. The Court simply pointed to the statutory language, which it found clear and controlling. The court stated:

The Court agrees that whether he lied is not dispositive since the confidentiality provision does not apply only to truthful information. But this does not assist the Defendants. The ADA clearly protects the confidentiality of Mr. Blancos’ response if truthful and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

In response to the conflicting loyalty argument, the Court reasoned:

The brief answer, however, is that these policy arguments do not trump the statutory language. Congress, not this Court, is a policy-making body, and the Court is duty-bound to follow the law as enacted by Congress. Congress may or may not have considered whether to carve out a disclosure exception for instances where the employer concludes that the employee lied or misrepresented his pre- employment medical or mental condition. In any event, there is no such exception in the statute.

More than ever, businesses are realizing that comprehensive approaches to disability and leave management not only can mitigate compliance and litigation concerns, but also can enhance employee productivity and, therefore, profit margins. For these companies, on-site health clinics, occupational health clinics, and in-house physicians can be attractive options. However, as this case makes clear, employers need to be mindful of the workplace law risks. The ADA may be one source of such risks.

A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity’s disclosure of protected information can form the basis for a state-law negligence claim.  The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA. 

The plaintiff, I.S., was undergoing medical treatment for colon cancer at Washington University.  I.S. gave Washington University a limited authorization to disclose only the dates of her treatments in order to satisfy her employer’s medical leave requirements.  Notwithstanding this limited authorization, plaintiff asserts that Washington University also sent her employer additional medical records and information that far exceeded her authorization. These included I.S.’s HIV status, mental health issues, and insomnia treatments.  Based on that disclosure, I.S. sued Washington University for negligence per se based on a violation of HIPAA. 

Procedurally, Washington University removed the state court action to federal court and sought dismissal of the negligence per se claim, arguing that HIPAA does not create a private cause of action. 

The district court, disagreeing with Washington University, held the plaintiff’s claim could stand despite its exclusive reliance on HIPAA.   The court held that a federal statute that does not provide for a private right of action nevertheless may be a legitimate element of a state law negligence per se claim. 

Under Missouri law, among other things, the plaintiff must show:

·         a violation of a statute or ordinance occurred,

·         the plaintiff was a member of the class of people intended to be protected,

·         the injury complained of was of the type intended to protect against, and

·         the violation was the proximate cause of the plaintiff’s injury.  

The Court found that I.S. had met all of the required elements of her claim and remanded the case back to state court. It held that I.S.’s claim, although premised on HIPAA, did not raise a federal question as it did not raise any compelling federal interests or present a substantial federal question.  

This case illustrates the need for HIPAA covered entities to provide training and institute policies and procedures regarding HIPAA compliance.  Here, a process for responding to requests for information would have highlighted the importance of carefully adhering to the limits of the authorization and prevented this alleged unauthorized disclosure, thus precluding I.S.’s claims.  Additionally, employers, and their counsel, must be aware that common law claims may support litigation based on HIPAA, despite the fact HIPAA itself does not provide for a private cause of action. 

NLRB Acting General Counsel Lafe E. Solomon offered some insight into the NLRB’s interest in Social Media earlier this month when he spoke at the Annual Conference on Labor at New York University. During his presentation, Solomon revealed that every one of the 52 NLRB regional offices across the country has at least one pending case presenting issues about employee use of Social Media or an employee’s policy concerning the use of Social Media.

Solomon noted that his work had reached a higher profile than his predecessor, and he credited it in large part to the NLRB’s attention to social media. Solomon said that the “good part” about the intense publicity the NLRB has received over the past year has been that he has had the “rare privilege” of using media appearances and interviews to explain the rights of employees under the National Labor Relations Act (“NLRA”), which had been unfamiliar or unknown to many Americans.

Solomon’s comments make it apparent he enjoys having the NLRB in the spotlight. His comments also explain what may be the motivation behind the NLRB focus on Social Media – the topic of Social Media provides the Board with an always-available platform from which to reach a public which may not otherwise be interested in hearing what the Board has to say about the NLRA.

Due to the pervasiveness of Social Media cases at all 52 regional offices, it appears certain that the summer months will heat-up with discussion of Social Media issues at the workplace.

The pervasiveness of social media in professional and everyday communication is a hot button issue (discussed at length here), particularly for private and public employers and organizations.  In fact, many organizations have adopted, or are considering adopting, social media policies for employees and providing training for how employees should interact in cyberspace.  But what should those policies say and what should the training focus on?

To answer those questions, organizations should, among other things, develop and shape their policies, training and discipline concerning social media with an eye toward their particular businesses, regulatory environments, and whether they are in the public or private sectors. A number of recent developments show why this is critical:

·         Two recent Third Circuit opinions handed down on June 13, 2011– J.S. v. Blue Mountain School District and Layshock v. Hermitage School District (discussed below)– illustrate the importance of educating employees (teachers and administrators) about student’s First Amendment rights concerning social media and when discipline is appropriate,

·         FTC’s guidelines for endorsement of products or services are important for businesses whose employees are likely to be commenting online about the company’s products and services,

·         The NLRB’s recent actions regarding social media use and the National Labor Relations Act are important for all employers, particularly those in traditionally union-dominated industries,

·         The use of social media in the health care setting is presenting a range of challenges under HIPAA and patient privacy generally.

In addressing the extent to which school officials can regulate student speech, the Third Circuit Court of Appeals has held that school officials violated students’ First Amendment free speech rights by disciplining students for creating, outside of school, “fake” social networking profiles ridiculing their school principals. 

In Blue Mountain School District, 8th grader J.S., using her home computer, created a MySpace profile in the name of her principal.  The profile was presented as a self-portrayal of a bisexual Alabama middle-school principal named “M-Hoe,” and contained crude and vulgar content. Upon learning of the content, the School District suspended J.S. for 10 days.  The Court held that because J.S. was suspended for speech that caused no substantial disruption in school and that could not reasonably have led school officials to forecast substantial disruption in school, the School District’s actions violated J.S.’s First Amendment free speech rights.

In Layshock, Justin Layshock, a high school senior, using his grandmother’s computer, also created a MySpace profile in the name of his principal.  The profile included “degrading” content regarding the principal.  Upon learning of the profile, the School District suspended Justin for 10 days.  In analyzing whether a school district may punish a student for expressive conduct that originated outside of the schoolhouse, did not disturb the school environment, and was not related to any school-sponsored event, the Court found the School District was prohibited from reaching beyond the school yard.

These decisions were based on the Supreme Court’s landmark case on the First Amendment’s application to public schools is Tinker v. Des Moines Indep. Cmty. Sch. Dist., 393 U.S. 503 (1969).  In Tinker, a group of high school students decided to wear black armbands to school to protest the war in Vietnam.  When school officials learned of the plan, they preemptively prohibited students from wearing armbands.  Several students who ignored the prohibition and wore armbands to school were suspended.  Eventually, the students brought suit alleging their First Amendment rights had been violated.  The Supreme Court overruled the district and circuit courts, holding that student expression may not be suppressed unless school officials reasonably conclude that such expression will “materially and substantially” disrupt the work and discipline of the school.

These cases demonstrate the court’s struggle in addressing social media content, especially where there are additional constitutional concerns when a party is a public entity.  For many organizations, First Amendment issues will not be at issue, but there likely will be other considerations.  As each and every industry is impacted by social media, attempting to address it in a one-size-fits-all manner without taking appropriate considerations into account is not only impractical, but in some cases unlawful.  As these developments have shown, efforts to address social media must include an effective industry specific social media policy coupled with training programs to educate employees on the use of social media in all facets of employment and conducting the entity’s business.

Reuters and other news outlets are reporting that Representative Mary Bono Mack has circulated draft legislation in response to the steady stream of data breaches that have occurred this year. According to the report, Senate Majority leader Harry Reid also has asked four Senate committees to pull together a comprehensive cybersecurity bill, hoping it will be brought to the floor by late summer. After years of failed attempts at data breach legislation, the federal government could be poised to enact broadly applicable requirements for safeguarding data and responding to data breaches. 

Some key provisions of the draft legislation would require covered entities (basically, any person engaged in interstate commerce) to:

  • establish and implement policies and procedures to protect personal information (defined in a manner similar to most current state breach notification laws) to include, without limitation, designating a point person to manage information security, and having a process for identifying and assessing foreseeable vulnerabilities;
  • erase personal data that is no longer needed and otherwise take steps to minimize the amount of personal information maintained;
  • notify law enforcement within 48 hours of a data breach, and if data could be used to steal a customer’s identity, notify the Federal Trade Commission within 48 hours and begin contacting the affected persons; and
  • provide 2 years of credit reporting services or credit monitoring services to individuals affected by a covered data breach.

The law would be enforceable by state attorneys general and the Federal Trade Commission with maximum penalties running into the millions of dollars. The law would generally preempt similar state laws, but would not permit private lawsuits. 

Of course, companies should not be waiting to see if any action is taken at the federal level. There are a number of states with similar laws already on the books. In addition, exposure from a data breach, particularly when there were no safeguards in place to prevent the breach, should be sufficient motivation to take steps to safeguard personal data.

An article in Bloomberg tells a harrowing story of computers that have secretly come under the control of hackers. This can happen to company and personal computers alike that download certain embedded malware – such as when downloading an email attachment. These computers become known as "bots," and part of a "botnet." The consequences can be crippling.

Accordingly to the article:

The enslaved “bots,” as the infected computers are known, have become so pervasive they now threaten the security of the Internet, said Gunter Ollmann, head of research at Atlanta-based Damballa Inc., which tracks botnet activity. At least 18 percent of home computers are now under remote command of cyber-thieves without their owners’ knowledge, according to Damballa’s research. 

For corporate computers, which are usually protected by expensive security measures, around seven percent are controlled by such malware, which is hidden from the user and controlled via the Internet, Ollmann said.

When this happens, companies can find themselves in uncomfortable and potentially dangerous circumstances . . . consider the following exchange described in the Bloomberg article:

“I’m sure we can settle on control of bots,” a LulzSec hacker called Ninetales told Hijazi, according to a computer log of their interaction provided to Bloomberg News by Hijazi.

When Hijazi said he didn’t want to face extortion, another hacker named hamster_nipples replied: “Unfortunately, you have little choice at this point.”

Hijazi, who declined to identify his corporate clients, refused to comply with LulzSec’s demands and rejected a separate request for money. The hackers posted the company’s e-mails on the Internet June 3.

The harm that can result is significant. The Bloomberg article cites to one example of hackers controlling a botnet who sought to transfer nearly $1 million from one company. In other cases, hackers were successful in removing tens of thousands of dollars from bank accounts of affected companies.

Companies need to be more aware of these developments and take appropriate steps to protect their systems. While there are federal and state laws that require steps be taken to safeguard against these kinds of risks, the extent of damage that a botnet can cause to an entity’s business can be far more damaging.