Most would expect that when an entity experiences a data breach, that entity would take reasonable and appropriate steps to investigate the breach and mitigate harm. Making credit monitoring services available to affected persons is a typical way companies attempt to mitigate harm, and that is exactly what the Plymouth County Correctional Facility did when one of its prisoners hacked into its personnel records. Including these monitoring costs in a restitution award to the prison facility was proper, the U.S. Court of Appeals for the First Circuit ruled in United States v. Janosko.

Charged under the criminal provisions of the Computer Fraud and Abuse Act (CFAA), the inmate who hacked into the prison’s records while incarcerated pleaded guilty

not only to causing such “damage” but also to causing “loss” by his damaging conduct, § 1030(a)(5)(B)(i).

The Court found that the "near juxtaposition of “loss” to “damage” inflicted on items or systems of equipment indicates some broader concept of forbidden effect and consequent scope of restitution" and that the definition of "loss" under the CFAA includes “any reasonable cost to any victim, including the cost of responding to an offense.” In this case, recovery by the prison facility was further enabled under the Mandatory Victims Restitution Act which mandates restitution for “expenses incurred during … the investigation or prosecution of the offense.”

Actually recovering these costs from this or any other hacker will likely be difficult. However, companies are increasingly experiencing breaches and are getting better at being able to identify those committing the breach, which often times are employees or former employees. This decision provides support for those companies seeking to recover the costs they incur when taking appropriate steps to investigate these data incidents and mitigate harm when a breach is found to have occurred. As this court noted:

It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees’ potential victimization would be reproachable. It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility’s investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.
 

 

On April 12, 2011, Maryland Governor Martin O’Malley signed into law S.B. 132/H.B. 87. Under this law, Maryland employers, except in limited circumstances, are prohibited from using an individual’s consumer credit history for hiring or other employment purposes. 

Beginning October 1, 2011,  employers are prohibited from using credit report data to deny employment, discharge an employee, set compensation, terms, conditions, or privileges of employment, unless, after making an offer of employment to an individual, the employer has a use for such information that is “substantially job-related.”   Additionally, an employer must disclose in writing its use of such information to the employee or applicant.

While the law does not contain any individual right of action, it allows individuals to file an administrative complaint with the state Commissioner of Labor and Industry. The Commissioner is authorized to assess a civil penalty of up to $500 per initial violation and up to $2,500 for repeat violations.

Employers exempt from the new law include those required by federal law to examine credit history data, financial institutions, or entities registered with the federal Securities and Exchange Commission as investment advisors.

As we have detailed previously, several other states (Florida, Michigan, and Montana) are considering similar laws, while Hawaii, Illinois, Oregon, and Washington have already enacted laws restricting the use of credit history in employment. 

When considering the proper use or disclosure of patient data, most health care providers look immediately to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules. But that may not be enough. As the plaintiff in Isidore Steiner, DPM, PC dba Family Foot Center v. Marc Bonanni learned, state law also must considered. In general, a state law will be applied instead of HIPAA if the state law is more stringent and protective of patients’ protected health information (PHI).

In Bonanni, the Family Foot Center, a HIPAA-covered entity, was seeking to enforce a non-compete agreement with its former employee, a physician. Believing the former employee was soliciting its patients in violation of the agreement, the Center requested its former employee’s patient lists as part of pre-trial discovery. The physician objected on the ground that HIPAA and Michigan law on physician-patient privilege protected information of non-party patients from disclosure without their consent. The Center filed a motion to compel the disclosure.

The trial court denied the motion, reasoning that the names, addresses, and phone numbers of non-party patients were privileged under Michigan law. The Center appealed.

Under HIPAA, a covered entity generally may not use or disclose an individual’s PHI without a written authorization or providing the individual the opportunity to agree or object. However, it may do so for example, when responding to a subpoena or discovery request, upon satisfying certain conditions. 45 CFR 164.512(e). Nevertheless, HIPAA further provides that even this limited exception can be trumped by a more stringent state law that prohibits such use or disclosure of PHI.

The appellate court held that under Michigan’s physician-patient privilege, MCL 600.2157, the right to waive the privilege rests solely with the patient. Further, unlike HIPAA, the privilege did not contain exceptions for disclosing patient information in judicial proceedings. The Court concluded that Michigan’s physician-patient privilege conflicted with HIPAA and provided more stringent protections for the PHI at issue. Therefore, the state’s privilege law trumped HIPAA. The Court affirmed the denial of the Center’s discovery motion. In reaching this result, it rejected the Center’s plea that it could not proceed with its non-compete action without the requested information. The Court stated:

To this, we say that it is not our role to address either the wisdom of a physician’s efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses and telephone numbers of non-party patients are protected from disclosure by law.

Health care providers receive requests for PHI in many different contexts, not just in connection with litigations. This ruling makes clear that when making disclosures of PHI, considering only HIPAA could be risky. Because this analysis is not limited to Michigan (see, for example, recent Ohio decisions, Turk v. Oiler and Grove v. Northeast Ohio Nephrology Associates, Inc.), providers should undertake a detailed analysis of the applicable federal, state and local laws and regulations prior to making any disclosure.

Two Senators who clearly did not let the potential government work stoppage affect them, formally introduced the Commercial Privacy Bill of Rights Act of 2011 on April 12.  In a bipartisan effort, Senators John Kerry (D-Mass.) and John McCain (R-Arizona) introduced the legislation which sets forth privacy rules governing businesses that collect, use, or share personal data.

Under the bill, the Federal Trade Commission is given rulemaking and enforcement power.  Additionally, the bill would require covered entities to implement comprehensive privacy by design programs and provide clear disclosures of their data-collection practices.  Further, the FTC would be given authority to approve nongovernmental organizations to oversee safe harbor programs for firms that complied with approved self-regulatory schemes.

While passage of national privacy legislation has proven difficult in the past, companies must remain aware of these legislative updates, especially when they are of a bi-partisan nature.

 

A data entry specialist in Minnesota who was fired for accessing medical records on behalf of a colleague was denied unemployment benefits by the Minnesota Court of Appeals in a recent decision that highlights the importance of zero tolerance policies for employers. The unpublished decision, Bingham v. Allina Health System, No. A10-872 (Jan. 11, 2011), involved an employee whose duties consisted of electronically scanning old medical records for storage, for which she had access to current patient medical data. A co-worker, who did not have the same access, asked the employee to retrieve her minor daughter’s lab test results.  The employee did as her co-worker asked. Her conduct was discovered and she was promptly terminated for breach of company policy and violation of the Health Insurance Portability and Accountability Act (HIPAA).

The appellate court noted that the employer’s policy was worded in "emphatic terms" and required employees to keep confidential all patient information except their own, and prohibited them from participating in unauthorized computer access to view confidential data or accessing medical information except for business purposes.  The policy said that there would be "no tolerance" for inappropriate access or sharing of patient information" and that failure to comply could lead to termination.  The court also noted that the policy was meant to conform with the requirements of HIPAA, 42 U.S.C. Sections 1320d-1 – 1320-9.

Although the employee argued that she thought she had permission for her actions, the court relied on the written policy, HIPAA, and public policy in enforcing the zero tolerance provision. It found that the employee was not eligible for unemployment benefits because she had committed misconduct, as defined by state law.

The case is similar to periodic reports of health care employees improperly accessing confidential medical information of celebrities and public figures and shows that a well-crafted written policy is necessary and will be upheld by the courts. 

 

 

In a case addressing the Family Medical Leave Act (FMLA) that directly implicates the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), Pacosa v. Kaiser Foundation Health Plan of the Northwest, the Portland Division of the United States District Court of Oregon awarded summary judgment against a physician assistant who claimed he was discharged in retaliation for taking FMLA leave. While the court primarily focused on the boundaries of what constitutes FMLA retaliation, the case serves as a good example of the limits healthcare companies can place on employee access to available protected health information and enforcement mechanisms for addressing violations of such access.

Frank Pacosa was a physician assistant for Kaiser Foundation Health Plan of the Northwest in Portland, Oregon. He alleged that he took intermittent leave under the FMLA for a period of 2001 to 2008 for purposes of caring for his wife’s clinical depression. While employed, Pacosa signed a number of confidentiality agreements, which prohibited him from accessing his own health records or those health records of his family or friends on Kaiser Permanente’s proprietary medical records system unless he had specific authorization from the patient and the access was approved. An additional confidentiality policy that he signed and had training on prohibited him, as an employee, from accessing any protected health information records except where related to his job.

In 2008, Kaiser Permanente’s Compliance Department received a series of phone calls from Pacosa’s wife, who informed it that Pacosa had accessed her medical records without authorization and that he was using the information to obtain a restraining order against her. The Compliance Department’s investigation revealed that Pacosa had accessed his wife’s records without authorization, and further accessed and edited his daughter’s records as if he was the treating medical provider, all while he was on alleged FMLA leave.

Kaiser Permanente determined that Pacosa, who at one time served on the Confidentiality Committee and Health Information Management Committee, improperly and with intent of personal gain, accessed the protected health information of his wife and daughter, violating its confidentiality policies. Kaiser Permanente terminated Pacosa’s employment on October 30, 2008.

Pacosa sued Kaiser Permanente in Oregon District Court, alleging multiple state and federal statutory violations, including that his termination interfered with his leave rights under the FMLA. The Oregon District Court granted summary judgment on each of Pacosa’s claims, determining that there was no issue of material fact that Pacosa violated confidentiality policies, which was the reason for his termination rather than any FMLA violation.

As we have touched upon in previous posts, the chance of a data breach or information misuse rises with the use of electronic data and employee access to that data. Of course, the advent of the electronic medical record is both a result of developing technology and required under HIPAA, but as Mr. Pacosa’s termination illustrates, the portability of electronic records make it easy to view or misuse a patient’s private health information.

Kaiser Permanente’s repeated distributions of confidentiality policies and the obligations to secure and limit access to protected health information by employees illustrates a best practice and minimum necessary compliance obligation that covered entities have under HIPAA’s privacy rule and recent changes to it in the American Recovery and Reinvestment Act of 2009 (“ARRA”). The Pacosa case serves as another reminder to covered entities to review and place appropriate limits on employee access to protected health information.

Background checks may be a prudent practice for businesses, but they present a range of issues.

The Association of Corporate Counsel recently published a "Top Ten" list of issues businesses should consider when deciding to implement a background check program, written by our Partner, Richard Greenberg and Dani Sanchez-Gleason.

See also prior posts.     

In New York, the Electronic Equipment Recycling and Reuse Act (pdf) (Environmental Conservation Law, Article 27, Title 26), creates electronics recycling programs effective April 1, 2011. The new law requires free and convenient recycling of electronic waste be provided to most "consumers" (see definition below) in the state, including households, many small businesses and many not-for-profit corporations. The State’s Department of Environmental Conservation has set up a detailed website providing information about this new law. As discussed below, other states are taking similar steps to deal with this new form of waste. 

New York’s e-Waste Law

The new law affects consumers, retailers, and manufacturers of "covered electronic equipment" (CEE), as well as certain waste recycling, consolidation, collection and management facilities. One of the notable requirements under the new law is that beginning April 1, 2011, manufacturers of CEE are required to take back from consumers a wide range of electronic waste.

Who is a "consumer" and what equipment is covered under the law?

A "consumer" is an individual, business, corporation, limited partnership, not-for-profit corporation, the state, a public corporation, public school, school district, private or parochial school or board of cooperative educational services or governmental entity located in New York State, except when involved in a wholesale transaction between a distributor and retailer.

"Covered electronic equipment" includes:

  • Computers
  • Televisions
  • Cathode Ray Tubes
  • Small Scale Servers
  • Computer Peripherals (Computer peripherals also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
    • Monitors
    • Electronic Keyboards
    • Electronic Mice or Similar Pointing Devices
    • Facsimile Machines, document scanners, and printers (only those intended for use with a computer and weighing less than 100 lbs.)
  • Small Electronic Equipment (Small electronic equipment also include any cable, cord, or wiring permanently affixed to or incorporated into such product.)
    • VCRs
    • Digital Video Recorders
    • Portable Digital Music Players
    • DVD Players
    • Digital Converter Boxes
    • Cable or Satellite Receivers
    • Electronic or Video Game Consoles

"Covered electronic equipment" does not include such things as cameras, portable or stationary radios, household appliances, monitoring and control instrument or system, telephones of any type; portable digital assistant or similar device, calculator, global positioning system (GPS) receiver or similar navigation device, a server other than a small-scale server, a cash register or retail self checkout system, stand-alone storage product intended for use in industrial, and other equipment.

What is the cost?

For the basic services required under the new law, which include acceptance of CEE, for-profit businesses with fewer than 50 full-time employees and not-for-profit organizations with fewer than 75 full-time employees may not be charged for the collection, handling, recycling, or reuse of CEE. Larger organizations may be charged for these services. (Full-time employment is not defined under the law.) Note, however, the new law generally does not affect contracts consumers had with manufactures entered into prior to January 1, 2011.

In addition, any consumer may be charged for "premium services." "Premium services" are any services above and beyond the reasonably convenient acceptance methods defined in the new law. These include equipment and data security services, refurbishment for reuse by the consumer, and other custom services as may be determined by the Department of Environmental Conservation such as at-home collection (other than mail back programs), data wiping, specialized packing and preparation for collection, etc.

Does the law require e-waste to be recycled?

Not yet. However, beginning January 1, 2012, businesses, municipalities, and subdivisions of the state, including their waste collection company or service, will no longer be able to collect electronic waste for disposal, or dispose of any electronic waste in a landfill or waste-to-energy facility. A similar rule goes into effect for individuals and households on January 1, 2015.

Will recycling be performed in a secure manner?

No. The Department of Environmental Conservation’s website warns:

Consumers should erase all personal and confidential data on their electronic equipment before sending it for recycling or reuse. Reformatting your hard drive or deleting files does not destroy your data. The resources listed on the right side of this page under "Offsite links," provide guidance on data wiping, etc., however, there might be other data security service resources and options available. Please note, the Department is not responsible for the contents of any offsite webpages referenced. These links are provided as a public service only (see disclaimer on the Electronic Equipment Recycling and Reuse Act main page).

This means that consumers need to take appropriate steps to safeguard data before submitting their CEE to be recycled under this program. Under New York’s new law, the manual for electronic products that contain internal memory capabilities, such as a hard drive which could retain personal or other confidential information, must describe for consumers how they can destroy such data before surrendering the products for recycling or reuse.

Activity in Other States

As reported in the BNA Privacy and Security Law report, a pending law in New Jersey (A. 2975) "would require businesses and government agencies to destroy personal data stored on a digital copy machine before disposing of it." The State’s Attorney General would be able to seek penalties of up to $10,000 for the first offense and up to $20,000 for subsequent violations. Similar laws are being considered in NevadaFlorida, Connecticut and Oregon.  

Continuing the trend of significant enforcement of data privacy and security laws by federal and state agencies across the nation, the Office of the Massachusetts Attorney General (AG) has settled a lawsuit against Boston-based Briar Group LLC for $110,000, according to a press release issued by that AG’s office on March 28, 2011.

See complaint and final judgment.

As we reported in prior posts, the U.S. Department of Health and Human Services (HHS) recently imposed a $4.3 million fine on a Maryland health care provider for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and days later entered into a $1 million settlement with a Massachusetts hospital that allegedly breached patient data. The recent enforcement activity of the HHS and the Massachusetts AG confirms that employers nationwide need to be as cognizant of the data privacy and security laws that apply to their operations as the government.

In its press release, the Massachusetts AG’s Office stated that the Briar Group, which owns and operates a number of bars and restaurants in the Boston area, “failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.” The initial lawsuit filed by the AG’s Office stated that the Briar Group experienced a data breach in April 2009, in which hackers accessed customers’ credit and debit card information, but did not take steps to remove the software which allowed the hackers access to the company’s computer systems until December 2009, six months later. The lawsuit also outlined various other ways in which the company failed to properly safeguard its customers’ personal information, including:

  • Failing to change default usernames and passwords on point-of-sale computer systems;
  • Allowing multiple employees to share common usernames and passwords;
  • Failing to properly secure its remote access utilities and wireless network; and
  • Continuing to accept credit and debit card account information after knowing of the April 2009 data breach.

In addition to the monetary payment, the terms of the settlement require the company to “develop a security password management system and implement data security measures to comply with Payment Card Industry [PCI] Data Security Standards [and] state data security regulations, including implementation, maintenance, and adherence to a Written Information Security Program.”

This recent activity by the Massachusetts AG’s Office, along with HHS’s latest actions, should be motivation to employers to put in place the policies and procedures required by applicable data security and privacy laws. For those who have already taken steps toward conformity with the relevant laws, this should prompt a review of current policies and procedures to ensure the thoroughness of those policies and that they are being followed. For example, employers subject to HIPAA should have policies and procedures that address the management of protected health information of its constituents. Employers who employ Massachusetts residents or who maintain the personal information of Massachusetts residents are well advised to implement and follow a comprehensive WISP governing the storage, access, transmission and other forms of handling those individuals’ personal information.

Trying to keep up with the fast-moving world of social media, the Kentucky Court of Appeals has ruled that “tagged” or captioned photographs posted on Facebook may be admitted as evidence. The ruling in the case has implications for employers.  In LaLonde v. LaLonde, the appellant-wife objected to the trial court’s admitting into evidence photographs taken from Facebook that identified her by “tagging.”  The photographs appeared to show her consuming alcohol in contradiction to the advice of her mental health providers—a key issue in the custody dispute.     

The wife argued the photographs should not be admitted because Facebook allows anyone to post pictures and then “tag” or identify people in the pictures and she never gave permission for the photographs to be published in this manner on.  Rejecting this argument, the appellate court held, “There is nothing in the law that requires permission when someone takes a picture and posts it on a Facebook page.  There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.”  The Court acknowledged that modern digital photography techniques may allow for alteration of the photograph, but pointed out that the wife never suggested such techniques were used, instead acknowledging the pictures were accurate.

The potential implications of this holding are numerous.  As we have previously discussed, employers may be able to use social media (which arguably includes tagged pictures) to fight emotional distress damages.  Similarly, as we described here, Facebook content has been utilized by employers in disciplinary decisions.   Our Social Media White Paper provides a helpful discussion of this and other issues employers should think about when it comes to social media.