On December 18, 2010, President Obama signed into law the Social Security Number Protection Act of 2010. The law has two key components.

First, the law establishes that no Federal, State, or local agency may display the Social Security account number of any individual, or any derivative of such number, on any check issued for payment by that agency.

Second, the law prohibits Federal, State, or local agencies from employing, or entering into a contract for the use or employment of, prisoners in any capacity that would allow such prisoners access to the Social Security account numbers of other individuals. 

As employers have been grappling with the recent uptick in state laws addressing safeguards for Social Security numbers, this new law tightens protections at the federal level. Additionally, federal contractors may need to consider how this change affects their other obligations under the Federal Information Security Management Act.

As we reported here, the Senate passed legislation to clarify the application of the "red flag" rules to "creditors."  The law, the Red Flag Program Clarification Act of 2010, made its way through the House and, on December 18, 2010, was signed into law by President Barack Obama.

The Act makes clear that the red flag rules apply to a creditor that:

regularly and in the ordinary course of business – 

(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

(ii) furnishes information to consumer reporting agencies [defined elsewhere in the Fair Credit Reporting Act] in connection with a credit transaction; or

(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.


The definition of "creditor" under the Act goes on, however, to exclude those creditors that fall into item (iii) above, if the creditor advances funds for expenses incidental to a service provided by the creditor to the person. For many who believed that the red flag rules were never intended to apply to them, such as health care providers and attorneys, this language is expected to provide the relief they were seeking.


The combination of “social media” and the “workplace” raises many traps for the unwary employer:

Can we use social media when hiring? Can employees be prohibited from using social media at work? Can we monitor employees' use of social media? What are the essential elements of a social media policy?

As with many issues involving new technology, however, a good part of the analysis typically reverts back to traditional principles of employment law. The same is likely to be true when the use of social media intersects with certain aspects of Labor Law.

Section 7 of the National Labor Relations Act states:

Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, and shall also have the right to refrain from any or all such activities except to the extent that such right may be affected by an agreement requiring membership in a labor organization as a condition of employment as authorized in section 8(a)(3) [section 158(a)(3) of this title].

An employer violates NLRA Section 8(a)(1) by acts and statements reasonably tending to interfere with, restrain, or coerce employees in the exercise of their Section 7 rights. Thus, employers need to remember to consider existing labor law principles when adopting and enforcing social media policies, discussing social media usage with employees and monitoring that usage, and disciplining employees because of their social media usage.

In a recent case (Salon/Spa at Boro, Inc. 9-CA-45349, 9-CA-454426, 9-CA-45538), employees claimed their manager unlawfully threatened them concerning their social media usage. The manager impressed upon the employees that their postings on social networking sites were perhaps more available for public viewing than they realized, and expressed displeasure that certain current employees were choosing to post comments on social network sites belonging to disgruntled former employees. In addition to agreeing with the employer’s statute of limitations arguments, the Administrative Law Judge found the purpose of the manager’s statements concerning publicity to be didactic, not coercive. In regard to the statements about postings on sites belonging to disgruntled employees, the ALJ found no threats, but rather a lawful expression by an employer of opinion, citing NLRB v. Gissel Packing Co., 395 U.S. 575, 617 (1969).

A nonbinding Advice Memorandum from the National Labor Relations Board in Sears Holdings (Roebucks) Case 18-CA-19081 addressed a social media policy and whether it unlawfully restricted activity protected by Section 7 of the NLRA. The policy stated:

In order to maintain the Company’s reputation and legal standing, the following subjects may not be discussed by associates in any form of social media:

  • Company confidential or proprietary information
  • Confidential or proprietary information of clients, partners, vendors, and suppliers
  • Embargoed information such as launch dates, release dates, and pending reorganizations
  • Company intellectual property such as drawings, designs, software, ideas and innovation
  • Disparagement of company’s or competitors’ products, services, executive leadership, employees, strategy, and business prospects
  • Explicit sexual references
  • Reference to illegal drugs
  • Obscenity or profanity
  • Disparagement of any race, religion, gender, sexual orientation, disability or national origin

The Division of Advice concluded that while the provision concerning disparagement of the company’s executive leadership, employees, and strategy could “chill” Section 7 activity, the policy should be viewed in context, not by looking at any provision in isolation. The Division of Advice reasoned that the policy does not reach Section 7 activity because, while the statement “could chill the exercise of Section 7 rights if read in isolation, the Policy as a whole provides sufficient context to preclude a reasonable employee from construing the rule as a limit on Section 7 conduct.” This is because virtually all of the other items on the list of proscribed activities in the policy are clearly not protected by Section 7.

These two decisions provide some good news for employers. The bad news is that both were issued before the significant changes in the make-up of the National Labor Relations Board that followed President Obama taking office. Many believe the current composition of the NLRB is likely to substantially change these results, requiring employers to exercise more care in how they handle social media issues from a labor relations perspective. There also are related issues that may be revisited by the NLRB in the near future, such as the Board’s decision in Guard Publishing Co., d/b/a The Register-Guard, 351 NLRB 1110 (2007) (pdf), that a policy prohibiting use of the employer’s e-mail system for any “non-job-related solicitations” does not violate Section 8(a)(1).

Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently charged back (U.S. Bank debited Paintball Punks’ account to recoup the money after payment).

The online retailer asserts that U.S. Bank failed to protect it and other merchants by failing to remedy a known data breach in the Bank’s systems. Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other similarly situated merchants, followed by chargebacks that U.S. Bank processed against the merchants’ accounts.

According to the complaint, the most likely explanation (allegedly consistent with statements obtained from two U.S. Bank employees) is that the fraudulent activity resulted from a data breach at U.S. Bank. The complaint alleges that U.S. Bank could have corrected the breach at several points before the losses were suffered by Paintball Punks and the rest of the class: when it learned of the breach, it could have notified all of the affected cardholders at once and cancelled their cards. Had it done so, none of the information lost in the breach could have been used to defraud Paintball Punks.

The complaint alleges that consumers’ concerns about fraud exceed those about terrorism, computer and health viruses, and personal safety, and that the Bank’s “fear” of public repercussions motivated U.S. Bank’s decision not to remedy this breach. Paintball Punks asserts that if U.S. Bank were to notify large numbers of its cardholders of a data breach in its facilities, it would stoke fears of credit card fraud among its cardholders, who would associate that fear with U.S. Bank as an issuer.

This case is one of the first instances in which a merchant has sued a bank over a potential breach of information that did not directly implicate the merchant’s own personal information, but instead simply resulted in “damages” to the merchant. Companies must be aware that the plaintiffs’ bar is looking for new and creative ways to sue for damages based on data breaches.

A Minnesota Court of Appeals panel has affirmed the issuance of a temporary injunction against a co-owner of an LLC, blocking him from accessing his partner’s emails on the company’s server in the midst of their business dispute. The unpublished decision, Gates v. Wheeler, A09-2355 (Minn. App. November 23, 2010), raises some interesting issues regarding email privacy under unsettled Minnesota law.

The parties were co-owners of a limited liability company called Residential Science Resources. After a falling out, Gates sued Wheeler under a Minnesota law which allows the court to grant equitable relief in the case of a management deadlock. Wheeler was the designated administrator for the company’s server. Without informing Gates, Wheeler hired an outside information technology contractor to obtain access to Gates’ personal and business emails. The information included correspondence between Gates and his wife, financial and password information, discussions with his accountant, and communications with his lawyer regarding the pending lawsuit. After learning of the interception at a deposition, Gates sought an injunction halting Wheeler’s access. The district court granted the injunction, concluding that Gates had established a "probability of success on the merits for claims of invasion of privacy, violation of the Minnesota Privacy of Communications Act, violation of the Federal Wire and Electronic Communications and Transactional Records Access Act, conversion, and unjust enrichment." Gates had not asserted these claims prior to his request for an injunction, but did so later by amending his complaint. In response to Wheeler’s challenge on this point, the Court of Appeals held that the court’s authority to issue an injunction is not limited to matters raised in the underlying complaint, relying in part on the court’s broad equitable powers in business disputes.

The Court also affirmed the district court’s analysis that the privacy claims had a probability of success on the merits, noting however that there were no published Minnesota cases applying common law invasion of privacy claims to the interception of email. Although noting that Gates and Wheeler were partners and not employer and employee, it also cited the analysis in In re Asia Global Crossing Ltd., a Bankruptcy Court decision from the Southern District of New York regarding employee expectations of privacy in workplace email. The court also stated that

the division of Gates’ account into personal and private business files indicates that Gates expected the personal file would be private.

This suggests that individuals with company email accounts should take similar steps to separate personal information from business correspondence. Surprisingly, the court did not delve into the issues of attorney-client privilege raised by Gates’ communications with his lawyer.

The decision reflects increasing tension over the privacy of information stored on employer email servers and may encourage more litigation in Minnesota under state and federal privacy laws involving email.

California hospitals and nursing homes take note: the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines on 12 California health facilities. California Health and Safety Code § 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access to, and use or disclosure of, patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 for each subsequent occurrence of unlawful or unauthorized access, use or disclosure of that patient’s medical information.

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined had failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

  • $60,000 because the facility failed to prevent unauthorized access to and disclosure of one patient’s medical information by two employees on three occasions.
  • $250,000 because the facility failed to prevent the theft of 596 patients’ medical information.

The larger penalty resulted in part from the loss of laboratory reports for 596 patients. In its investigation, CDPH learned that the staff employee responsible for running and storing laboratory reports, who had signed the facility’s confidentiality statement, placed lab reports in an outside locker but did not lock it because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he had not reported it. The lost lab reports included patient names, Social Security numbers and laboratory results, among other personal information.

Beyond that, California health facilities should be reminded that Cal. Health and Safety Code § 1280.15 also requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after the breach is detected. Late notices can result in fines of $100 per day for each patient affected, up to a maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents. Under the HIPAA rules, notice must be provided without “unreasonable delay,” and in no case later than 60 calendar days after discovery of the breach.

As the number of data security incidents in the health care industry continues to mount, CDPH’s enforcement activity should prompt covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of the facility’s data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy, frequent training, and sustained attention to the issue.

We’ve written extensively here on the importance of safeguarding personal information. We’ve also made clear that the safeguarding of data should not stop with individually identifiable personal information. In fact, many times a company’s most sensitive information, data critical to the survival of its business, is its corporate trade secrets, proprietary information, and its clients’ information. My partner, Patricia Diulus-Myers, in our Pittsburgh office, drives this point home during a Q&A session with the Smart Business Network.

As reported by the American Bar Association and PHIprivacy.net, lawyers, accountants, health care providers and others may soon get some clarity as to whether the "red flag" rules apply to them. The United States Senate voted unanimously to pass the Red Flag Program Clarification Act of 2010. Under the Act, according to statements from Sen. Christopher Dodd (D) of Connecticut:

lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as “creditors” for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don’t offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.

After the Red Flags Rule became final, many businesses indicated that they had not been aware they would be covered by it. Despite the Federal Trade Commission delaying enforcement of the rule several times to allow these entities time to come into compliance, a number of professional organizations, including the American Bar Association and the American Medical Association, sued the FTC over its position that professionals who allowed consumers to pay later were “creditors” and would have to comply with the Red Flags Rule. On May 28, 2010, the FTC announced that it would delay enforcing the Red Flags Rule through December 31, 2010, and asked Congress to pass legislation that would resolve any questions about which entities should be covered as “creditors” and obviate the need for further enforcement delays.

Presently, only the Senate has acted on this request. The measure will still need to be approved by the House of Representatives and signed by President Obama. Still, this is encouraging news for many concerned about compliance with this new mandate.

In the name of vehicle safety, California Assembly Bill 1942 will permit, among other things, “driver cams” to be mounted on vehicle windshields beginning on January 1, 2011. Formally known as “video event recorders,” these devices can continuously record audio, video, and G-force levels in a digital loop in order to help identify bad driving habits or other factors that lead to vehicle accidents. Well intended as it is, the new law certainly will create a range of privacy issues for employers, particularly those in the transportation and delivery business.

Specifically, the law will permit the monitoring of driver performance through video event recorders so long as the following are satisfied:

  • Size limitation – The recorder must be mounted either (i) in a seven-inch square in the lower corner of the windshield farthest removed from the driver, (ii) in a five-inch square in the lower corner of the windshield nearest to the driver and outside of an airbag deployment zone, or (iii) in a five-inch square mounted to the center uppermost portion of the interior of the windshield.
  • Notice requirement – A notice must be posted in a visible location informing passengers that their conversations may be recorded.
  • Length of recording – No more than 30 seconds may be recorded before or after a triggering event, e.g., a collision.
  • Driver for hire rights – Employers that install a video event recorder in vehicles of their employees driving for hire must provide those employees with unedited copies of the recordings upon the request of the employee or the employee’s representative. These copies must be provided free of charge to the employee and within five (5) days of the request.

There are a number of obvious issues facing employers interested in using video event recorders, such as not knowing what information the devices will capture and how to discipline employees whose policy violations are shown in a recording. There are other, less obvious issues that employers should consider when deciding whether to implement this technology.

For example, the law does not provide a period after which employees can no longer request a copy of a recording. This raises the question of how long recordings must be retained. Another concern is whether information captured in a recording could be used against the employer, such as in a wage and hour class action or a proceeding over violations of common carrier or vehicle safety requirements. Because the law is designed to address vehicle safety, a question also exists as to whether it implies a training obligation for employers who learn of an employee’s bad driving habits from the recordings.

For these and other reasons, employers ought to think carefully before implementing this technology.

What had been the first use of the HIPAA enforcement authority granted to State Attorneys General has ended in a settlement agreement between Connecticut’s Insurance Department and Health Net of Connecticut. Under the agreement, Health Net will pay $375,000 in penalties, provide credit monitoring protection for two years to all affected persons in Connecticut, and take significant steps to improve data and equipment security at both of its Shelton, CT locations.

One important item to note from the Insurance Department’s press release is that the "most prominent failure stemmed from the untimely notification of the 2009 loss of a disk drive from the Shelton location resulting in the loss of personal health information of approximately 500,000 Connecticut members." This should be a reminder to any entity involved in a data breach of the importance of acting quickly to notify affected individuals.