Our adversaries are trolling social networks, blogs and forums, trying to find sensitive information they can use about our military goals and objectives. Therefore, it is imperative that all Soldiers and Family members understand the importance of practicing good operations security measures.

-Sgt. Maj. of the Army Kenneth O. Preston

The above quote is contained in the U.S. Army Social Media Handbook (pdf), published January 2011, which lays out a comprehensive set of guidelines for soldiers participating in social media. According to the Handbook, the Army encourages members of the Army Family to use social media to connect and tell their stories, but it also advises everyone to do this in a safe and secure manner.

This move by the Army follows a February 25, 2010, Department of Defense Directive-Type Memorandum (DTM) which provided guidelines for military use of social media and acknowledged “that Internet-based capabilities are integral to operations across the Department of Defense.” The DTM clearly indicates that use of social media in the DoD is authorized.

While much of the specific policy governing soldiers’ use of social media is left to Army leaders, the Handbook provides some familiar advice:

  • Take a close look at all privacy settings. Set security options to allow visibility to “friends only.”
  • Do not reveal sensitive information about yourself such as schedules and event locations.
  • Ask, “What could the wrong person do with this information?” and “Could it compromise the safety of myself, my family or my unit?”
  • Geotagging is a feature that reveals your location to other people within your network. Consider turning off the GPS function of your smartphone.
  • Closely review photos before they go online. Make sure they do not give away sensitive information which could be dangerous if released.
  • Make sure to talk to family about operations security and what can and cannot be posted.
  • Videos can go viral quickly; make sure they don’t give away sensitive information.

Many of the technological and personnel issues that concern the Army apply in the private sector, although for obvious reasons the consequences can be far different for the military (and for us). Still, having clear policies and thinking through how social media can affect your business is critical for today’s workplace.

The demand for "data breach" insurance appears to be growing based on our experiences, as well as commentary such as a recent article by Pamela Lewis Dolan of American Medical News.

As we’ve reported, data breach coverage is something quite different from traditional "cyber-risk" coverage, which tends to address "hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” According to Ms. Dolan’s article, data breach policies tend to cover the cost of notification and credit monitoring for affected persons, public relations expenses to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements. Of course, as with any type of insurance, businesses should seek appropriate advice concerning the scope of coverage they are purchasing.

Ms. Dolan’s focus on health care providers is well placed given the recent HIPAA breach notification mandate and the sensitive protected health information such businesses handle. This is particularly true for small health care practices, which often do not have the resources to adequately respond to a data breach; for those, a data breach policy could be a wise investment. It is also true for those businesses that service the health care industry, many of which are business associates that are also subject to HIPAA and its breach notification requirements.

Beyond HIPAA, breach notification mandates exist in nearly all states in the U.S. and other jurisdictions. So, many businesses can benefit from addressing this risk through insurance as well as adopting policies and procedures to reduce the likelihood of a breach in the first place. In this connection, Ms. Dolan is also wise to report that data breach insurance doesn’t absolve health care practices, or any other business for that matter, from implementing safeguards to protect personal information or protected health information. Various federal and state laws require, to one degree or another, that businesses adopt "written information security programs" to safeguard personal information.

This is much like protecting your building/office space from fire damage – you have fire insurance, but you also have a plan to safeguard critical assets and exit the building!

 

Together with some other U.S. Senators who have offered data security laws in recent years, Senate Majority Leader Harry Reid introduced S.21 on January 25. The bill, a "sense of Congress" bill, urges the passage of a comprehensive law to address cybersecurity, without making any changes to current law.

This bill is important in that it acknowledges the critical role information technology plays in the U.S. economy:

With information technology now the backbone of the United States economy, a critical element of United States national security infrastructure and defense systems, the primary foundation of global communications, and a key enabler of most critical infrastructure, nearly every single American citizen is touched by cyberspace and is threatened by cyber attacks.

Congress "has the sense" that a future law should serve at least 10 critical goals, such as:

  • providing incentives to the private sector to quantify, assess, and mitigate cybersecurity risks to their communications and information networks;
  • promoting investments in the American information technology sector to create jobs;
  • preventing and mitigating identity theft and guarding against abuses or breaches of personally identifiable information;
  • protecting federal government communications from cyber attack;
  • maintaining robust protections of the privacy of American citizens and their online activities and communications;
  • protecting and increasing the resiliency of U.S. critical infrastructure and assets, such as the electric grid, military assets, financial sector and telecommunications networks; and
  • enhancing international cooperation on cybersecurity to promote free access and fight cybercrime.

Will a new law follow?

Maybe. It will take some time as Committees and federal agencies jockey for position, although it seems this "sense of Congress" will advance the ball further than it has been.

The advice to companies, business leaders, professionals and others, however, is "Don’t wait!" Many states already have data security laws in effect and, even without those laws, all businesses have sensitive company proprietary information to safeguard.

With some harsh words of warning, a judge in the U.S. District Court for the District of Minnesota has sanctioned another law firm for electronic filing of documents disclosing birth dates, names of minors, financial account numbers and at least one social security number in violation of Fed. R. Civ. P. 5.2(a).

In a decision issued on November 24, 2010 in the case of Allstate Insurance Company v. Linea Latina de Accidentes, Judge Joan N. Erickson noted that,

"Every federal district has now embraced electronic filing. The days of attorneys being able to ignore the computer and shift blame to support staff in the event of an error are gone. The consequences are simply too serious. To the extent there are attorneys practicing in federal court who are under the impression that someone in the Clerk’s office will comb their filings for errors and call them with a heads-up, the court delivers this message: it is the responsibility of counsel to ensure that personal identifiers are properly redacted."

In this case, upon being notified of the problem, plaintiff’s counsel initially moved to have the complaint and its attachments filed under seal. The court responded by stating that there was no reason to seal the complaint if it had been properly redacted, and then noted that plaintiff’s motion showed no sense of urgency to remedy the fact that the information was on the Internet, perhaps permanently. Counsel then attempted to redact the information using Adobe Acrobat’s rectangle tool, which the court found insufficient because the black rectangles could be removed with a few keystrokes: a drawn rectangle covers the text on screen but leaves it in the file. The court ultimately ordered the plaintiff’s counsel to remedy the problem, notify each individual affected, provide credit monitoring, and pay $300 to a charity.
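The failure the court describes, a rectangle drawn over text that is still in the file, is easy to check for before filing. The following is an added example, not code from the decision or from Adobe: it constructs a minimal one-page PDF (not a real filing) whose content stream writes a made-up Social Security number and then paints a black box over it, shows that the number is still recoverable from the text layer, and contrasts that with a true redaction that removes the text from the stream. The file format, the SSN pattern and the helper names are the example's own assumptions; real filings use compressed streams and encoded fonts, so this is a demonstration of the principle, and a dedicated redaction tool followed by a text-extraction check is what a practitioner should actually run.

```python
from __future__ import annotations

import re

# Constructed example, not from the Allstate filing: a one-page PDF whose content
# stream shows an SSN as text and then fills a black box over it, which is exactly
# what a drawn-rectangle "redaction" produces. Streams are left uncompressed so
# the checks below can read them with plain regular expressions.

SSN_TEXT = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_BYTES = re.compile(SSN_TEXT.pattern.encode("ascii"))
STREAM_OBJ = re.compile(rb"<< /Length \d+ >>\nstream\n(.*?)\nendstream", re.S)
# Literal-string text-show operator "(...) Tj"; escapes inside strings not handled.
TJ_LITERAL = re.compile(rb"\((.*?)\)\s*Tj")
FILLED_RECT = re.compile(rb"\bre\s+f\b")


def overlay_content(secret: str) -> bytes:
    """Page content: draw the secret, then fill a black rectangle on top of it."""
    return (
        f"BT /F1 12 Tf 72 700 Td (SSN {secret}) Tj ET\n"
        "0 g 70 696 140 16 re f\n"  # the "redaction" box, painted after the text
    ).encode("latin-1")


def build_pdf(content: bytes) -> bytes:
    """Assemble a minimal, valid PDF 1.4 file around one content stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return bytes(out)


def shown_strings(pdf: bytes) -> list[str]:
    """Every literal string the page draws, regardless of what is painted over it."""
    found = []
    for stream in STREAM_OBJ.finditer(pdf):
        for lit in TJ_LITERAL.finditer(stream.group(1)):
            found.append(lit.group(1).decode("latin-1"))
    return found


def filled_rectangles(pdf: bytes) -> int:
    """Count filled rectangles: the overlay is present, and so is the text beneath it."""
    return sum(len(FILLED_RECT.findall(s.group(1))) for s in STREAM_OBJ.finditer(pdf))


def leaked_ssns(pdf: bytes) -> list[str]:
    """Pre-filing check: SSN patterns still recoverable from the text layer."""
    return [ssn for text in shown_strings(pdf) for ssn in SSN_TEXT.findall(text)]


def redact_text(pdf: bytes) -> bytes:
    """True redaction: rewrite each content stream so the text-show operator no
    longer carries the SSN, and correct /Length to match. (If the stream length
    changed, a real tool would also have to rewrite the xref offsets that follow.)"""
    def rewrite(stream_match):
        body = stream_match.group(1)
        cleaned = TJ_LITERAL.sub(
            lambda t: b"(" + SSN_BYTES.sub(b"XXX-XX-XXXX", t.group(1)) + b") Tj",
            body)
        return b"<< /Length %d >>\nstream\n" % len(cleaned) + cleaned + b"\nendstream"
    return STREAM_OBJ.sub(rewrite, pdf)


if __name__ == "__main__":
    covered = build_pdf(overlay_content("123-45-6789"))  # constructed SSN
    print("overlay boxes:", filled_rectangles(covered), "leaked:", leaked_ssns(covered))
    print("after true redaction, leaked:", leaked_ssns(redact_text(covered)))
```

Running the block prints one overlay box with the number still leaking, then an empty list after the text itself is rewritten; the same `leaked_ssns` style check, run over the extracted text of a real PDF, is the test counsel should apply before pressing "file".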

We previously warned you about similar sanctions in the case of Engeseth v. County of Isanti. Caveat jurisconsultor (lawyer beware)!

On December 18, 2010 President Obama signed into law the Social Security Number Protection Act of 2010. The law has two key components. 

First, the law establishes that no Federal, State, or local agency may display the Social Security account number of any individuals or any derivative of such number, on any check issued for payment by said agency. 

Second, the law prohibits Federal, State, or local agencies from employing, or entering into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the Social Security account numbers of other individuals. 

As employers have been grappling with the recent uptick in state laws addressing safeguards for Social Security numbers, this new law tightens protections at the federal level. Additionally, federal contractors may need to consider how this change impacts their other obligations under the Federal Information Security Management Act.

As we reported here, the Senate passed legislation to clarify the application of the "red flag" rules to "creditors." The law, the Red Flag Program Clarification Act of 2010, made its way through the House and, on December 18, 2010, was signed into law by President Barack Obama.

The Act makes clear that the red flag rules apply to a creditor that:

regularly and in the ordinary course of business – 

(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

(ii) furnishes information to consumer reporting agencies [defined elsewhere in the Fair Credit Reporting Act] in connection with a credit transaction; or

(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

 

The definition of "creditor" under the Act goes on, however, to exclude those creditors that fall into item (iii) above, if the creditor advances funds for expenses incidental to a service provided by the creditor to the person. For many who believed that the red flag rules were never intended to apply to them, such as health care providers and attorneys, this language is expected to provide the relief they were seeking.

 

The combination of “social media” and the “workplace” raises many traps for the unwary employer:

Can we use social media when hiring? Can employees be prohibited from using social media at work? Can we monitor employees’ use of social media? What are the essential elements of a social media policy?

As with many issues involving new technology, however, a good part of the analysis typically reverts back to traditional principles of employment law. The same is likely to be true when the use of social media intersects with certain aspects of Labor Law.

Section 7 of the National Labor Relations Act states:

Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, and shall also have the right to refrain from any or all such activities except to the extent that such right may be affected by an agreement requiring membership in a labor organization as a condition of employment as authorized in section 8(a)(3) [section 158(a)(3) of this title].

An employer violates NLRA Section 8(a)(1) by acts and statements reasonably tending to interfere with, restrain, or coerce employees in the exercise of their Section 7 rights. Thus, employers need to remember to consider existing labor law principles when adopting and enforcing social media policies, discussing social media usage with employees and monitoring usage, and disciplining employees because of their social media usage.

In a recent case (Salon/Spa at Boro, Inc. 9-CA-45349, 9-CA-454426, 9-CA-45538), employees claimed their manager unlawfully threatened them concerning their social media usage. The manager impressed upon the employees that their postings on social networking sites were perhaps more available for public viewing than they realized, and expressed displeasure that certain current employees were choosing to post comments on social network sites belonging to disgruntled former employees. In addition to agreeing with the employer’s statute of limitations arguments, the Administrative Law Judge found the purpose of the manager’s statements concerning publicity to be didactic, not coercive. In regard to the statements about postings on sites belonging to disgruntled employees, the ALJ found no threats, but rather a lawful expression by an employer of opinion, citing NLRB v. Gissel Packing Co., 395 U.S. 575, 617 (1969).

A nonbinding Advice Memorandum from the National Labor Relations Board in Sears Holdings (Roebucks) Case 18-CA-19081 addressed a social media policy and whether it violated Section 7 of the NLRA. The policy stated:

In order to maintain the Company’s reputation and legal standing, the following subjects may not be discussed by associates in any form of social media:

  • Company confidential or proprietary information
  • Confidential or proprietary information of clients, partners, vendors, and suppliers
  • Embargoed information such as launch dates, release dates, and pending reorganizations
  • Company intellectual property such as drawings, designs, software, ideas and innovation
  • Disparagement of company’s or competitors’ products, services, executive leadership, employees, strategy, and business prospects
  • Explicit sexual references
  • Reference to illegal drugs
  • Obscenity or profanity
  • Disparagement of any race, religion, gender, sexual orientation, disability or national origin

The Division of Advice held that while the provision concerning disparagement of the company’s executive leadership, employees, and strategy could “chill” Section 7 activity, the policy should be viewed in context, not by looking at any provision in isolation. The Division of Advice reasoned that the policy does not apply to Section 7 activity because while the statement “could chill the exercise of Section 7 rights if read in isolation, the Policy as a whole provides sufficient context to preclude a reasonable employee from construing the rule as a limit on Section 7 conduct.” This is because virtually all of the other items on the list of proscribed activities in the policy are clearly not protected by Section 7.

These two decisions provide some good news for employers. The bad news is that both of these decisions were made before the significant changes in the make-up of the National Labor Relations Board following Barack Obama’s becoming President. Many believe the current composition of the NLRB is likely to substantially change these results, requiring employers to exercise more care in how they handle social media issues from a labor relations perspective. There also are related issues that may be revisited by the NLRB in the near future, such as the Board’s decision in Guard Publishing Co., d/b/a The Register-Guard, 351 NLRB 1110 (2007) (pdf), that a policy prohibiting use of the employer’s e-mail system for any “non-job-related solicitations” does not violate §8(a)(1).

Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently charged back (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment).

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system. Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

According to the complaint, the most likely explanation (allegedly consistent with statements obtained from two U.S. Bank employees) is that the fraudulent activity resulted from a data breach at U.S. Bank. The complaint alleges that U.S. Bank could have corrected the data breach at several points before the losses were suffered by Paintball Punks and the rest of the class: when it learned of the breach it could have notified all of the affected cardholders at once and cancelled their cards. Had it done so, none of the information lost in the breach could have been used to defraud Paintball Punks.

The complaint alleges that concerns about fraud supersede those about terrorism, computer and health viruses and personal safety, and that the Bank’s “fear” of public repercussion motivated U.S. Bank’s decision not to remedy this breach. Paintball Punks asserts that if U.S. Bank were to notify large numbers of its cardholders of a data breach in its facilities, then it would stoke the fears and concerns of credit card fraud among its cardholders, and they would associate that fear with U.S. Bank as an issuer.

This case is one of the first instances where a merchant has filed suit against a bank for a potential breach of information that did not directly implicate the merchant’s personal information, but instead simply resulted in “damages” to the merchant. Companies must be aware that the plaintiff’s bar is looking for new and creative ways to sue for damages based on data breaches.

A Minnesota Court of Appeals panel has affirmed the issuance of a temporary injunction against a co-owner of an LLC blocking him from accessing emails of his partner from the company’s server in the midst of their business dispute. The unpublished decision, Gates v. Wheeler A09-2355 (Minn. App. November 23, 2010), raises some interesting issues regarding email privacy under unsettled Minnesota law.

The parties were co-owners of a limited liability company called Residential Science Resources. After a falling out, Gates sued Wheeler under a Minnesota law which allows the court to grant equitable relief in the case of a management deadlock. Wheeler was the designated administrator for the company’s server. Without informing Gates, Wheeler hired an outside information technology contractor to obtain access to Gates’ personal and business emails. The information included correspondence between Gates and his wife, financial and password information, discussions with his accountant, and communications with his lawyer regarding the pending lawsuit. After learning of the interception at a deposition, Gates sought an injunction halting Wheeler’s access. The district court granted the injunction, concluding that Gates had established a "probability of success on the merits for claims of invasion of privacy, violation of the Minnesota Privacy of Communications Act, violation of the Federal Wire and Electronic Communications and Transactional Records Access Act, conversion, and unjust enrichment." Gates had not asserted these claims prior to his request for an injunction, but did so later by amending his complaint. In response to Gates’s challenge, the Appellate Court held that the court’s authority to issue an injunction is not limited to matters raised in the underlying complaint, relying in part on the court’s broad equitable powers in business disputes.

The Court also affirmed the district court’s analysis that the privacy claims had a probability of success on the merits, noting however that there were no published Minnesota cases applying common law invasion of privacy claims to interception of email. Although noting that Gates and Wheeler were partners and not employer and employee, it also cited the analysis in In re Asia Global Crossing Ltd, a Bankruptcy Court decision from the Southern District of New York regarding employee expectations of privacy in workplace email. The court also stated that

the division of Gates’ account into personal and private business files indicates that Gates expected the personal file would be private.

This suggests that individuals with company email accounts should take similar steps to differentiate personal information. Surprisingly, the court did not delve into the issues of privilege regarding Gates’ communications with his attorney.

The decision reflects increasing tensions over the privacy of information contained on employer email servers and may encourage more litigation in Minnesota under state and federal privacy laws involving emails.