Seemingly intent on making sure it is perceived as current, if not trendy, today’s National Labor Relations Board (NLRB) has continued to demonstrate an avid interest in social media. Not only is it paying attention to new media in all its forms, but it is also actively participating, with a Facebook page, a YouTube channel and a Twitter feed.

On April 12, 2011, the NLRB General Counsel issued a memorandum (pdf) to NLRB Regional Directors updating the list of matters that must be submitted to the Division on Advice. Included on the list are cases involving:

employer rules prohibiting or discipline of employees for engaging in, protected concerted activity using social media, such as Facebook or Twitter.

This is expected to allow the Board to have an earlier and more uniform oversight of matters involving social media.

The directive comes after the Board’s recent involvement in matters concerning possible protected concerted activity on Facebook and Twitter. In late 2010, the NLRB challenged a company’s Social Media/Facebook policies which the company maintained were lawful. The case settled with the company agreeing to make suggested changes to its policies.

In April, 2011, the NLRB targeted another social medial resource – Twitter. According to the New York Times,  the NLRB had warned a New York news agency that it planned to file a complaint accusing the company of illegally reprimanding a reporter over her criticism of company management in a Twitter posting. The Board asserted the company violated the reporter’s right to discuss working conditions with other employees. The matter was resolved when the union and company – which had been negotiating a new contract – reached a tentative contract on April 28, 2011. According to the New York Times,  the company has agreed to negotiate a new social media policy that would include language that will protect employees’ speech and the right to engage in other concerted activity about working conditions.

The Board again focused on Facebook after issuing its directive. On April 27, 2011, the NLRB reported it had approved a settlement in a case involving a California web-based home improvement retailer. A former employee had claimed she was terminated from her employment in retaliation for having posted comments about the company and possible state labor code violations on Facebook. The case was resolved and as part of the settlement the company agreed to post a notice at the workplace for 60 days stating that employees have the right to post comments about terms and conditions of employment on their social media pages and that they will not be terminated or otherwise punished for such conduct.

It is only a matter of time before there is a litigated case and a court’s ruling addressing these very real and reoccurring issues. Employers should exercise care in how they handle social media issues from a labor relations perspective and treat the recent NLRB scrutiny as an invitation to revisit their own social media policies.

Promising a company that you will safeguard its employees’ information and then failing to do it according to Federal Trade Commission (FTC) standards likely will be viewed by the FTC as an unfair and deceptive business practice and trigger an enforcement action.

This was the case for Lookout Services, Inc., a company that maintains large amounts of sensitive information about the employees of its business customers, including Social Security numbers. According to an FTC announcement on May 3, 2011, Lookout claimed it would take reasonable measures to secure the consumer data it maintained, including Social Security numbers, but failed to do so.

Lookout markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. (Note that an FTC complaint is not a finding or ruling that a respondent, such as Lookout , actually has violated the law.) For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser, the complaint asserted. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, it was claimed, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement agreed to by Lookout to resolve these charges is comprehensive. Among other things, the settlement order requires Lookout (i) to conduct a risk assessment, (ii) to implement a comprehensive, written information security program, (iii) to cease making misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers, (iv) to obtain independent third party security audits of the program every other year for 20 years, and (v) to make the settlement order available to its current and future employees having responsibilities relating to safeguarding customer data.

For companies that maintain personal information on other businesses’ employees in the course of providing services to those businesses, this development is an important reminder: Promises made to those businesses concerning the safeguarding of personal information must be supported by comprehensive policies and procedures. In addition to this kind of enforcement exposure, which also could arise at the state level from the states’ attorneys general, the employers that these businesses serve also could have causes of action for negligence and/or breach of contract. Increasingly, state laws require businesses to contractually obligate vendors to have appropriate safeguards to protect personal information provided to the vendor to perform its services. States having such laws include California, Maryland, Massachusetts, and Texas.

The federal appeals court in San Francisco has reinstated an indictment charging a former employee of Korn/Ferry International, Inc., with violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”) in trying to start a business that would compete with his former employer. .

The indictment in United States v. Nosal, which a lower court dismissed, alleged that the employee, David Nosal, “knowingly and with intent to defraud” exceeded his authorized access to his employer’s computer system for the purpose of setting up a competing business. Nosal was an executive at Korn/Ferry and subject to a non-competition agreement. After leaving the company, he started a competing business, soliciting the help of three Korn/Ferry employees to provide him with source lists, names, and contact information from a Korn/Ferry proprietary and confidential database. Employee access to the database was specifically restricted, except for legitimate Korn/Ferry business.

The Ninth Circuit Court of Appeals reinstated the indictment on April 28 against Nosal on the basis of its interpretation that “an employee exceeds authorization under [the CFAA] when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled in that manner to obtain or alter.” The Court reaffirmed that employers determine what access or authorization an employee has to an employer’s computer, and pointed to specific examples of steps the employer in this case took to limit access to and authorized uses of information. These examples include the use of unique usernames and passwords, requiring employees to enter into agreements that explained the limitations on the use of certain company information, and causing a notice concerning data security and confidentiality to pop-up on each employee’s computer screen whenever the employee logged on to the company’s system.

Joining the Fifth and Eleventh Circuits, the Court ruled that as long as an employee has knowledge of an employer’s limitations on authorized use of a computer system, the employee will exceed authorized access under the CFAA whenever he or she violates those limitations or goes beyond his or her authorized access with an “intent to defraud” by an action that “furthers the intended fraud and obtains anything of value. It is as simple as that.”
The message to employers from this case is that if you want to be able to effectively use the CFAA as a means of recovery when employees steal data or take other actions to harm company computers or data, you will need to plan ahead. That is, employers will need to clearly define access rights and limitations to their information and information systems, and effectively communicate those rights and limitations to employees.

In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively.  

On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified of a data breach. The California bill also would require certain information be included in the notices.

While similar attempts to modify California’s data breach law have been vetoed by then-Gov. Arnold Schwarzenegger (R), the state’s new governor, Edmund G. “Jerry” Brown, Jr. (D) may likely sign S.B. 24. The bill also would amend the substitute notice provisions for breaches to require placing a notice that a breach has occurred on the business’s website and in major statewide media and notifying the California Office of Privacy Protection. 

While California’s current breach notice statute does not specify the information that must be included in an individual breach notification, S.B. 24 would mandate the notice include, among other things, the type of information breached, the time of the breach, and a toll-free telephone number of major credit reporting agencies.

On April 13, 2011, Massachusetts H.B. 3360 was referred for committee consideration. Under the bill, vendors of photocopiers in Massachusetts that fail to adequately notify purchasers of potential data security risks would be subject to a civil fine of up to $50,000 and could be sued by customers whose personal information is subsequently compromised.  Also, Massachusetts businesses that sell photocopiers must tell customers if a particular machine is equipped with a hard drive capable of retaining information from copied documents. Vendors must provide a notice stating that "the photocopier does or does not contain an eraser that deletes and destroys any previously captured picture from the copier’s hard drive.” The notice must “inform the user of the risk of retention of such private data or images.” In addition, if a machine is such a “digital copier,” the vendor also must place a “conspicuous,” written data-security warning on the top of the copier.

H.B. 3360 also authorizes the state attorney general to enforce the law by filing a civil action seeking a fine of up to $50,000. Additionally, the bill would permit a lawsuit by customers who did not receive the required notification and warnings and whose private data was subsequently “misused.”

Acknowledging the need "to help states combat the growing threat of business identity theft," the National Association of Secretaries of State (NASS) announced on April 18, 2011, the formation of a "Business Identity Theft Task Force." The focus of this task force is to assist states (not necessarily private business) with combating business identity theft in areas such as "the types of technology used by states in housing business documents, solutions for securing state business filing information and records, and key partnerships/liaisons for conducting outreach."

However, this action by the NASS highlights a growing problem for small and medium sized businesses: 

"With the downturn in the economy, the newest victims of identity theft are small and medium-sized businesses, including dormant or inactive companies," said NASS President Mark Ritchie of Minnesota, who serves on the task force. "As the state officials who oversee business registrations and corporate filings, secretaries of state have come together to educate business owners on how they can reduce their chances of falling prey to identity thieves and to explore safeguards for state filing systems." 

Identity thieves are not just attacking state filing systems, so businesses need to take steps of their own to safeguard not only personal information of customers, employees and others, but also the businesses’ corporate and financial data. Many of the same principles that apply in the safeguarding of personal information also would apply to safeguarding the information of the business. Two critical steps in this process are conducting a risk assessment and developing a written information security program.

Most would expect that when an entity experiences a data breach, that entity would take reasonable and appropriate steps to investigate the breach and mitigate harm. Making credit monitoring services available to affected persons is a typical way companies attempt to mitigate harm, and that is exactly what the Plymouth County Correctional Facility did when one of its prisoners hacked into its personnel records. Including these monitoring costs in a restitution award to the prison facility was proper, the U.S. Court of Appeals for the First Circuit ruled in United States v. Janosko.

Charged under the criminal provisions of the Computer Fraud and Abuse Act (CFAA), the inmate who hacked into the prison’s records while incarcerated pleaded guilty

not only to causing such “damage” but also to causing “loss” by his damaging conduct, § 1030(a)(5)(B)(i).

The Court found that the "near juxtaposition of “loss” to “damage” inflicted on items or systems of equipment indicates some broader concept of forbidden effect and consequent scope of restitution" and that the definition of "loss" under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense.” In this case, recovery by the prison facility was further enabled under the Mandatory Victims Restitution Act which mandates restitution for “expenses incurred during … the investigation or prosecution of the offense.”

Actually recovering these costs from this or any other hacker will likely be difficult. However, companies are increasingly experiencing breaches and are getting better at being able to identify those committing the breach, which often times are employees or former employees. This decision provides support for those companies seeking to recover the costs they incur when taking appropriate steps to investigate these data incidents and mitigate harm when a breach is found to have occurred. As this court noted:

It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees’ potential victimization would be reproachable. It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility’s investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.
 

 

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual’s consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011,  employers are prohibited from using credit report data to deny employment, discharge an employee, set compensation, terms, conditions, or privileges of employment, unless, after making an offer of employment to an individual, the employer has a use for such information that is “substantially job-related.”   Additionally, an employer must disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 

When considering the proper use or disclosure of patient data, most health care providers look immediately to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules. But that may not be enough. As the plaintiff in Isidore Steiner, DPM, PC dba Family Foot Center v. Marc Bonanni learned, state law also must considered. In general, a state law will be applied instead of HIPAA if the state law is more stringent and protective of patients’ protected health information (PHI).

In Bonanni, the Family Foot Center, a HIPAA-covered entity, was seeking to enforce a non-compete agreement with its former employee, a physician. Believing the former employee was soliciting its patients in violation of the agreement, the Center requested its former employee’s patient lists as part of pre-trial discovery. The physician objected on the ground that HIPAA and Michigan law on physician-patient privilege protected information of non-party patients from disclosure without their consent. The Center filed a motion to compel the disclosure.

The trial court denied the motion, reasoning that the names, addresses, and phone numbers of non-party patients were privileged under Michigan law. The Center appealed.

Under HIPAA, a covered entity generally may not use or disclose an individual’s PHI without a written authorization or providing the individual the opportunity to agree or object. However, it may do so for example, when responding to a subpoena or discovery request, upon satisfying certain conditions. 45 CFR 164.512(e). Nevertheless, HIPAA further provides that even this limited exception can be trumped by a more stringent state law that prohibits such use or disclosure of PHI.

The appellate court held that under Michigan’s physician-patient privilege, MCL 600.2157, the right to waive the privilege rests solely with the patient. Further, unlike HIPAA, the privilege did not contain exceptions for disclosing patient information in judicial proceedings. The Court concluded that Michigan’s physician-patient privilege conflicted with HIPAA and provided more stringent protections for the PHI at issue. Therefore, the state’s privilege law trumped HIPAA. The Court affirmed the denial of the Center’s discovery motion. In reaching this result, it rejected the Center’s plea that it could not proceed with its non-compete action without the requested information. The Court stated:

To this, we say that it is not our role to address either the wisdom of a physician’s efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses and telephone numbers of non-party patients are protected from disclosure by law.

Health care providers receive requests for PHI in many different contexts, not just in connection with litigations. This ruling makes clear that when making disclosures of PHI, considering only HIPAA could be risky. Because this analysis is not limited to Michigan (see, for example, recent Ohio decisions, Turk v. Oiler and Grove v. Northeast Ohio Nephrology Associates, Inc.), providers should undertake a detailed analysis of the applicable federal, state and local laws and regulations prior to making any disclosure.

Two Senators who clearly did not let the potential government work stoppage affect them, formally introduced the Commercial Privacy Bill of Rights Act of 2011 on April 12.  In a bipartisan effort, Senators John Kerry (D-Mass.) and John McCain (R-Arizona) introduced the legislation which sets forth privacy rules governing businesses that collect, use, or share personal data.

Under the bill, the Federal Trade Commission is given rulemaking and enforcement power.  Additionally, the bill would require covered entities to implement comprehensive privacy by design programs and provide clear disclosures of their data-collection practices.  Further, the FTC would be given authority to approve nongovernmental organizations to oversee safe harbor programs for firms that complied with approved self-regulatory schemes.

While passage of national privacy legislation has proven difficult in the past, companies must remain aware of these legislative updates, especially when they are of a bi-partisan nature.

 

A data entry specialist in Minnesota who was fired for accessing medical records on behalf of a colleague was denied unemployment benefits by the Minnesota Court of Appeals in a recent decision that highlights the importance of zero tolerance policies for employers. The unpublished decision, Bingham v. Allina Health System, No. A10-872 (Jan. 11, 2011), involved an employee whose duties consisted of electronically scanning old medical records for storage, for which she had access to current patient medical data. A co-worker, who did not have the same access, asked the employee to retrieve her minor daughter’s lab test results.  The employee did as her co-worker asked. Her conduct was discovered and she was promptly terminated for breach of company policy and violation of the Health Insurance Portability and Accountability Act (HIPAA).

The appellate court noted that the employer’s policy was worded in "emphatic terms" and required employees to keep confidential all patient information except their own, and prohibited them from participating in unauthorized computer access to view confidential data or accessing medical information except for business purposes.  The policy said that there would be "no tolerance" for inappropriate access or sharing of patient information" and that failure to comply could lead to termination.  The court also noted that the policy was meant to conform with the requirements of HIPAA, 42 U.S.C. Sections 1320d-1 – 1320-9.

Although the employee argued that she thought she had permission for her actions, the court relied on the written policy, HIPAA, and public policy in enforcing the zero tolerance provision. It found that the employee was not eligible for unemployment benefits because she had committed misconduct, as defined by state law.

The case is similar to periodic reports of health care employees improperly accessing confidential medical information of celebrities and public figures and shows that a well-crafted written policy is necessary and will be upheld by the courts.