The confidentiality of medical records requirement under the Americans with Disabilities Act (ADA) is violated when an employer discloses a current or former employee’s medical records in response to a state court subpoena absent the employee’s release or some other exception under the ADA, the Equal Employment Opportunity Commission (EEOC) recently held in Bennett v. U.S. Postal Serv., 2011 WL 244217 (E.E.O.C.), Jan. 11, 2011.

Companies frequently receive requests for information about current and former employees. These requests often come in the form of an attorney’s demand letter or a subpoena and apply to the individual’s medical records. Those receiving such requests typically feel compelled to respond without taking the time to think through issues such as: 

  • what kind of information is contained within the files being requested;
  • what specific statutory or regulatory protections apply to some or all of the information being requested (see below);
  • whether a response is appropriate without the individual’s authorization or without giving the individual an opportunity to object;
  • whether a court order is needed for some or all of the information being requested; and
  • what safeguards should be taken to ensure the disclosure is secure.

As we have reported previously, failing to think through these issues can be a costly trap for the unwary.

EEOC Analysis

In the Bennett decision cited above, the EEOC sets out the basic ADA requirements concerning confidentiality of employee medical records:

Title I of the [ADA] requires that all information obtained regarding the medical condition or history of an applicant or employee must be maintained on separate forms and in separate files and must be treated as confidential medical records. [Citations omitted]. These requirements also extend to medical information that an individual voluntarily discloses to an employer. [Citations omitted]. The confidentiality obligation imposed on an employer by the ADA remains regardless of whether an applicant is eventually hired or the employment relationship ends. [Citations omitted]. These requirements apply to confidential medical information from any applicant or employee and are not limited to individuals with disabilities. [Citations omitted].

The decision goes on to explain the general exceptions to these requirements:

  • supervisors and managers may be informed regarding necessary restrictions on the work or duties of the employee and necessary accommodations;
  • first aid and safety personnel may be informed, when appropriate, if the disability might require emergency treatment; 
  • government officials investigating compliance with this part shall be provided relevant information on request;
  • employers may disclose medical information to state workers’ compensation offices, state second injury funds, workers’ compensation insurance carriers, and to health care professionals when seeking advice in making reasonable accommodation determinations; and
  • employers may use medical information for insurance purposes.

The EEOC found that the Postal Service’s disclosure of Mr. Bennett’s medical records in response to the subpoena issued by the Galveston County 405th District Court did not fall into one of these exceptions. The EEOC held that while the ADA allows an employer to comply with the requirements of another federal statute or rule, even if in conflict with the ADA, “it is not a valid defense to argue that the [Postal Service’s] actions were required by state law,” (emphasis added) unless one of the ADA exceptions applied. The Commission also noted the subpoena in this case was signed and issued by the Deputy Clerk, and did not qualify as an “order” for purposes of the Privacy Act of 1974, on which the Agency attempted to rely to permit the disclosure.

Because of this violation of the ADA, the EEOC ordered the Postal Service (i) to start an investigation into compensatory and other damages that may be due to Mr. Bennett, (ii) to conduct training concerning the ADA’s confidentiality requirements, and (iii) to prepare a report regarding corrective action. The Postal Service also may be responsible for Mr. Bennett’s attorneys’ fees, among other things.

Is the ADA the only concern?

In short, no, the ADA is only one protection for medical and other personal information that could trigger exposure for a company that improperly discloses such information. There is an increasing array of federal and state laws that need to be examined, as appropriate, before responding to a request:

  • GINA: Regulations issued under Title II (GINA’s employment provisions) provide that employers that possess genetic information must maintain the information in confidence and may not disclose that information except in limited circumstances, such as (i) at the request of the employee, (ii) in response to a court order, (iii) to respond to a request from a government official investigating GINA compliance, or (iv) in support of an employee’s FMLA certification. The preamble to the GINA regulations provides that the court order exception “does not allow disclosures in other circumstances during litigation, such as in response to discovery requests or subpoenas that are not governed by an order specifying that genetic information must be disclosed. Thus, a covered entity’s refusal to provide genetic information in response to a discovery order, subpoena, or court order that does not specify that genetic information must be disclosed is consistent with the requirements of GINA.” Additionally, the individual whose genetic information is disclosed may need to be notified.
  • HIPAA: The privacy regulations under HIPAA likewise generally prohibit the disclosure of "protected health information" except in limited circumstances. HIPAA regulation 45 CFR 164.512(e), among other exceptions to the general rule, provides an exception for disclosures in connection with administrative and judicial proceedings. But one of the first questions to ask is whether the information being sought is "protected health information." Very often, employee medical information in a personnel or medical file is not, in the hands of the employer, protected health information subject to HIPAA. 
  • 42 USC Part 2: Federal law provides very stringent protection for records relating to substance abuse treatment at certain federally funded facilities. 
  • State law: Many states have laws protecting certain classes of medical records from disclosure without taking appropriate safeguards to address confidentiality. This includes application of the physician-patient privilege, as well as statutes and regulations dealing with specific types of information, such as mental health records. 

Because of these issues, businesses should develop a clear policy and procedure to direct employees on how to respond when they receive these requests. 

The First Amendment of the U.S. Constitution protects from judicial restraint discussions over matters of public concern, including claims of wide-scale data breaches of social security numbers and other personal information by a former employee on a blog, a New York State Supreme Court justice has ruled. Cambridge Who’s Who Publishing, Inc. v. Sethi, 009175/10, NYLJ 1201482619238, at *1 (Sup. Ct., Nassau Cty. Jan. 25, 2011). Finding no extraordinary circumstance that would overcome the Constitutional protection, the court denied a company’s request to enjoin its former employee from blogging about the company and its products, despite his agreement to maintain the confidentiality of confidential business information.

Relevant Background

Harsharan Sethi was the Director of Management Information Systems for marketing and networking company Cambridge Who’s Who Publishing. When Sethi started working at Cambridge in July 2008, he signed an “employee covenants and non-disclosure agreement.” The agreement prohibited Sethi from using the company’s confidential information, except to pursue Cambridge’s business. Confidential information included “client names, addresses, and credit card numbers.” Cambridge terminated Sethi’s employment in February 2010.

The Blog Post

After Sethi’s termination, Cambridge suspected he was the author of a post on www.cambridgeregistrscam.com, which stated that members might be entitled to a full refund of their membership fees, suggested that members file complaints with the District Attorney and Attorney General, and offered to provide information on management personnel, including “their backgrounds,” “their life styles,” and “their prior run ins with [the] IRS.”

Cambridge viewed the blog post on May 11, 2010, and moved for a preliminary injunction the very next day. It sought to restrain Sethi from: (1) attempting to access Cambridge’s database; (2) contacting Cambridge’s “members” or customers; (3) disclosing customers’ personal information; (4) making any statements about Cambridge that might interfere with its goodwill, including contacting its employees or vendors; and (5) maintaining any blog or website concerning Sethi’s former employment.

The court granted the company’s request for a preliminary injunction, in part, enjoining the solicitation of Cambridge’s customers or disclosing their names or personal information. The court, however, denied Cambridge’s request that Sethi be restrained from making any allegedly defamatory statements regarding the company.

Cambridge later renewed its injunction request, submitting to the court allegedly defamatory statements made by Sethi after the court’s initial ruling. It presented an e-mail from Sethi to the New York Attorney General in which Sethi stated that tapes containing the personal data (including names, addresses, social security numbers, payroll data, checking account and credit card information) of 400,000 Cambridge members were lost or stolen from the company.

The court then granted a temporary restraining order enjoining Sethi from contacting Cambridge’s employees about his former employment or making statements that interfere with Cambridge’s goodwill, including maintaining a website or blog, until the preliminary injunction hearing.

First Amendment Protection

At the hearing, though, Justice Stephen Bucaria finally denied the injunction, holding that the First Amendment of the U.S. Constitution encompasses “at the least the liberty [to] discuss publicly and truthfully all matter of public concern without previous restraint or fear of subsequent punishment.” Finding that the alleged loss of social security numbers and credit card information, among other data, “implicate[] the economic interests of a large number of people” and, therefore, were matters of public concern, the court held that Cambridge had failed to establish “extraordinary circumstances” justifying a prior restraint on speech and warranting the denial of the injunction restraining Sethi from communicating with Cambridge’s customers or law enforcement agencies concerning data loss.

Lessons

Cambridge provides employers with several significant lessons.

  • First, it illustrates that a non-solicitation-of-customers provision is enforceable, and that a court will enforce it by injunction.
  • Second, absent compelling facts constituting “extraordinary circumstances,” courts generally are reluctant to enjoin or restrain speech that may be protected by the First Amendment.
  • Third, the decision raises two key points about data security:
    • Companies that experience an unauthorized access to or acquisition of personal information that they possess may be required to report the unauthorized access to affected individuals and certain state agencies. In New York, there are three state agencies that must be notified in cases of certain breaches of personal information: Office of Cyber Security, Attorney General’s Office, and Consumer Protection Board.
    • Likewise, companies must take appropriate steps when employees complain about or raise data-security issues. In at least two court decisions, one in New Jersey and the other in California, employees were permitted to proceed with claims of employment retaliation after asserting that they had suffered an adverse employment action following their complaints about data security at their companies.

HHS continues to show signs of increased enforcement of HIPAA. Earlier this month, the agency announced it would hold 2-day, instructor-led HIPAA Enforcement Training courses in 4 locations across the country. Some Attorneys General, such as Connecticut’s former Attorney General Richard Blumenthal, have already used their newfound authority to enforce HIPAA. This announcement follows two significant, high-profile Office for Civil Rights (OCR) press releases touting its own enforcement activities, one involving the first imposition of penalties under HIPAA and the other involving a significant settlement with a Massachusetts hospital.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits State Attorneys General to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security Rules.

Attendees at each of the HIPAA Enforcement Training sessions will receive instruction on a number of enforcement topics including:

  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • The role and responsibility of an Attorney General under HIPAA and the HITECH Act
  • Resources available to Attorneys General to pursue alleged HIPAA violations

In addition to training, OCR promises that it will collaborate with and assist State Attorneys General seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules. This collaboration and assistance will include OCR providing to Attorneys General (i) information upon request about pending or concluded OCR actions against covered entities or business associates related to attorney general investigations, and (ii) guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.

While years of lax enforcement may have lulled many HIPAA covered entities and business associates to not take HIPAA seriously, these recent activities should spur renewed efforts toward compliance. 

In the face of increasing unemployment, in March 2011, Florida, Michigan, and Montana joined the ranks of approximately fifteen other states that are considering bills limiting employers’ ability to use credit checks for employment purposes.

Florida. Florida’s Senate Bill 1562, introduced on March 3, would prohibit employers from using an applicant’s personal credit history as hiring criteria, except where a review of credit history is legally required. The proposed Florida law allows an employer to request credit history during the “application process if such history is shown to be directly related to the position sought by the applicant.” However, the credit history cannot be used as the “determining factor” in the hiring decision.

Michigan. Michigan’s House Bill 4363, introduced March 2, would prohibit employers from making hiring decisions based on an individual’s credit history and from inquiring about a job applicant’s or potential applicant’s credit history, unless good credit history is “an established bona fide occupational requirement of the particular position or employment classification.” Individuals cannot waive any right or protection under the proposed act and aggrieved individuals would be able to bring civil suit for damages or injunctive relief.

Montana. Montana’s House Bill 601, introduced March 1, would prohibit employers from using credit history information for employment purposes unless the employee’s current or potential position is one “for which credit is issued in goods, a line of credit is provided, or a fiduciary responsibility is owed to the employer,” or the position allows for use of such data when done in compliance with the Fair Credit Reporting Act, 15 U.S.C. §§1681(b)(2)(C) and (b)(4). Misuse of credit data or other violations of this proposed act would be punishable as a misdemeanor with fines up to $500.

Similar bills are also being considered in numerous jurisdictions such as: California, Connecticut, Georgia, Indiana, Kentucky, Maryland, Missouri, Nebraska, New Jersey, New Mexico, New York, Ohio, Pennsylvania, Vermont, and Texas. Illinois, Oregon, and Washington already have such laws in place.

“Employers with multi-state operations, in particular, must remain abreast of these developments and ensure any background check program involving credit checks complies with applicable state law. Further, due to EEOC initiatives in this area, credit checks should be limited to positions in which credit history can be deemed job-related and individualized analysis of each applicant’s history should be the goal,” counsels Richard Greenberg, a partner with Jackson Lewis LLP in New York.

In an effort to go “green” or “paperless,” employers have been rapidly moving to electronic employment application and on-boarding systems. This movement has created a cottage industry with vendors of all kinds seeking to help employers obtain the benefits of this technology.

These vendors often promise significant advantages for those making the switch, such as: (i) thousands of dollars in savings due to reduced paper and paperwork costs, (ii) simplified compliance for human resources through the use of the proper electronic forms, and (iii) increased productivity. These can be particularly attractive to businesses facing the demands for increased effectiveness and efficiency, the difficulties of managing an off-site/remote workforce, and the expectations of technologically savvy job applicants.

While going green by reducing the use of paper and moving to a web-based employment application and on-boarding system can increase efficiency and reduce costs, employers should be aware of the fresh workplace challenges such a move can present. Before jumping in, employers need to consider issues such as the privacy, security and management of personal data, compliance with various federal and state regulations governing the use of electronic media in obtaining verifiable signatures, how to provide required notices, and the implications of having employees electronically fill out required tax and other government hiring forms, among other things.

Key considerations and questions for employers include the following:

  • Does the company have to comply with the federal Electronic Signatures in Global and National Commerce Act or a state law equivalent?
  • Are there laws limiting the personal information that may be collected from applicants?
  • Can the company require that employees receive notices electronically?
  • Can the company require that employees make their benefit elections and receive benefit plan summaries and other benefits documents electronically?
  • Is the process subject to collective bargaining?
  • How must personal information collected during the process be safeguarded, retained, preserved, and, ultimately, destroyed?
  • Are there special rules for government contractors?
  • Are electronic consents for fitness-for-duty examinations, background checks, and drug testing valid?
  • Can employees fill out I-9 forms electronically? Can the company retain only electronic copies of the I-9 forms?
  • If an applicant is hired, how should the collected information about the person be transferred accurately and securely for benefit plan enrollment, payroll, personnel, and other purposes? Does the company have a plan or policy in place that not only addresses how the information is safeguarded, but how to respond if a data breach occurs?
  • Are there specific ERISA (Employee Retirement Income Security Act), HIPAA (Health Insurance Portability and Accountability Act), IRS (Internal Revenue Service), and other regulations that apply to using an electronic medium? How do these regulations intersect and how do they differ?
  • Do the rules change for applicants from other countries?
  • Can handbooks be provided on-line as part of the on-boarding process?
  • Can direct deposit forms be filled out and signed electronically?
  • Can restrictive covenant agreements be signed electronically?
  • Can employees be notified of and sign arbitration agreements electronically?
  • Has the on-boarding vendor been vetted and shown capable of safeguarding personal data and preserving the integrity of that data? Where is the data stored by the vendor? Are appropriate contract provisions in place?

Employers implementing electronic application and on-boarding systems may realize savings of time and money. However, those savings may be short-lived if the on-line process is not designed to fit the particular company and address its particular needs and risks. Before taking this step, employers should seek appropriate guidance in navigating their way through the regulatory quagmire that is implicated by the seemingly simple act of going green.

In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data. This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine. The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.

While the settlement did not include an admission of liability, the hospital must, in addition to the monetary payment and submitting to HHS oversight, adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility. Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices. Despite a general prohibition on employees physically removing protected health information from the hospital, HHS permitted an exception when the information is removed by an employee to perform his or her job duties. Additionally, the hospital must implement training for all employees.

This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions. In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.


The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has imposed its first civil monetary penalty since the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) became effective in April 2003. HHS issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule and imposed $4.3 million in penalties for the violations. The penalty amount is based on the increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The penalty for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. When Cignet did produce the records, it included certain records of 4,500 unrelated patients.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The penalty for these violations is $3 million.

There are some important lessons from this case for covered entities and business associates (now subject to the same penalty provisions as covered entities):

  • HHS appears to have turned the corner – it is willing to impose substantial penalties for Privacy and Security Rule violations under HIPAA.
  • Each day that a violation continues can be treated as a separate violation, allowing penalties to add up quickly. Cignet’s failure to provide a patient timely access to his records was a violation, and each day that continued was a separate violation. 
  • When responding to an HHS investigation concerning patient or participant information, be sure to include only the information being requested, and not that of unrelated persons.
  • Most important, be responsive to the agency. The size of the penalties was almost certainly due to Cignet’s level of cooperation with HHS.


What is a company’s recourse when a former employee deletes e-mails and other company electronic information before he leaves? A case from Indiana provides a lesson.

When Meridian Financial Advisors began serving as Receiver for bankrupted OCMC, Inc., it took possession of a number of OCMC computers, including one belonging to Joseph A. Pence, OCMC’s President and CEO. In the course of its investigation, Meridian learned that OCMC employees, including Mr. Pence, had deleted e-mails and computer documents detailing improper conduct just before leaving OCMC. Meridian filed suit against Pence and others in connection with OCMC’s collapse, including a claim for civil damages under the Computer Fraud and Abuse Act (“CFAA”) for damaging OCMC’s protected computers. Meridian Fin. Advisors Ltd. v. Pence, No. 07-995 (S.D. Ind. 1/14/11).

A person violates CFAA by:

knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer. 18 U.S.C. § 1030(a)(5)(A)(i).

Civil penalty provisions under the CFAA allow for recovery of compensatory damages when the damage exceeds $5,000.

Pence argued that even if a deletion occurred there was no damage to OCMC computers and, therefore, no damage under the CFAA. The federal district court rejected this argument, pointing out that the statute defines "damage" as:

any impairment to the integrity or availability of data, a program, a system, or information. 18 U.S.C. § 1030(e)(8).

The court reasoned that a "deletion of files impairs the availability of data and, as such, is covered under the statute" (citing other cases with similar holdings, Monson v. Whitby Sch., Inc., No 3:09-CV-1096, 2010 WL 3023873, at *3 (D. Conn. Aug. 2, 2010) (under some circumstances, deletion of an employee’s own e-mail can give rise to a CFAA claim); and Condux Int’l, Inc. v. Haugum, No. 08-4824, 2008 WL 5244818, at *8 (D. Minn. Dec. 15, 2008) (same with deletion of evidence of computer use)).

The court went on to address whether Pence deleted the e-mails without authorization, a required element for recovery under the CFAA. While the courts are not in agreement on this issue, the U.S. Court of Appeals for the Seventh Circuit (which has jurisdiction over Illinois, Indiana, and Wisconsin) recognizes that previously authorized use of a computer system may become unauthorized when an employee breaches his duty of loyalty to his employer. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). The district court in Pence followed the holding in Citrin, although a question of fact remained as to whether Pence actually deleted the e-mails. Because of the open question of fact, the court could not grant Meridian’s motion for summary judgment.

Deletion of files is becoming common practice when employees, typically key employees, leave an organization. Where possible, employers should try to prevent the deletions and take steps to better manage their important data. However, when these kinds of deletions happen, in the right cases, the CFAA can be a valuable tool for employers to remedy their damages. 

Last month, the Federal Trade Commission’s Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft. 

When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one’s credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009, double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.

The FTC’s FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.

Providers and plans should be taking steps to be prepared to address medical identity theft situations.

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistleblower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee’s access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company’s current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.
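The access-termination gap described in the San Francisco incident above is something a company can check for routinely rather than discover after a breach. The following is an added example, not code from the original post or from the Agency or any real system: it reconciles a constructed HR termination export against a constructed directory snapshot and flags (a) accounts still enabled more than a grace period after the termination date, (b) logons recorded on a day after termination, and (c) accounts with no matching HR record at all. The record layout, field names and the 24-hour grace period are assumptions chosen for the illustration.

```python
"""Offboarding reconciliation: flag accounts that stay active after termination.

Added example. The HR export and directory snapshot below are constructed
sample data, not records from the Agency or any real directory.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR export: employee id -> termination date (None = still employed).
HR_EXPORT = {
    "e1001": None,
    "e1002": date(2011, 3, 1),
    "e1003": date(2011, 3, 14),
    "e1004": date(2011, 2, 10),
}

# Constructed directory snapshot: one record per account. The field names are
# assumptions; a real export (e.g. from a directory service) would be mapped here.
DIRECTORY = [
    {"employee_id": "e1001", "account": "asmith", "enabled": True,
     "last_logon": datetime(2011, 3, 15, 9, 0)},
    {"employee_id": "e1002", "account": "bjones", "enabled": True,
     "last_logon": datetime(2011, 3, 3, 18, 42)},
    {"employee_id": "e1003", "account": "clee", "enabled": True,
     "last_logon": datetime(2011, 3, 14, 11, 5)},
    {"employee_id": "e1004", "account": "dkhan", "enabled": False,
     "last_logon": datetime(2011, 2, 9, 16, 30)},
    # Service account with no owner in HR: an orphaned account worth reviewing.
    {"employee_id": "e9999", "account": "svc_backup", "enabled": True,
     "last_logon": None},
]

# Point in time at which the snapshot was taken (constructed).
AS_OF = datetime(2011, 3, 16, 0, 0)


@dataclass
class Finding:
    account: str
    employee_id: str
    reason: str


def reconcile(hr_export, directory, as_of, grace=timedelta(hours=24)):
    """Return a list of Findings for accounts that should have been offboarded.

    grace is the window after the termination date within which an account is
    allowed to remain enabled (assumed 24 hours here; a policy choice).
    """
    findings = []
    for rec in directory:
        emp = rec["employee_id"]
        if emp not in hr_export:
            findings.append(Finding(rec["account"], emp,
                                    "no matching HR record (orphaned account)"))
            continue
        term = hr_export[emp]
        if term is None:
            continue  # current employee; nothing to check
        term_dt = datetime.combine(term, datetime.min.time())
        # (a) Account still enabled past the grace window.
        if rec["enabled"] and as_of - term_dt > grace:
            findings.append(Finding(rec["account"], emp,
                                    f"still enabled {as_of - term_dt} after termination on {term}"))
        # (b) Activity on a calendar day after the termination date. A logon on
        # the termination day itself is expected and is not flagged.
        last = rec["last_logon"]
        if last is not None and last.date() > term:
            findings.append(Finding(rec["account"], emp,
                                    f"logon at {last} after termination on {term}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_EXPORT, DIRECTORY, AS_OF):
        print(f"{f.account:<12} {f.employee_id:<6} {f.reason}")
```

Run against the constructed data, the check reports two findings for `bjones` (enabled two weeks after termination, and a logon two days after it), one for `clee` (still enabled past the grace window) and one for the ownerless `svc_backup` account; the properly disabled `dkhan` account and the current employee `asmith` produce nothing. The post-termination logon is the finding that matters most for detection: it is the signal that a departed employee still had usable access, which is the condition the incident above turned on.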