Welcome to the next advancement in the delivery of health services – monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today on a service offered through Voxiva whereby expectant mothers receive free text messages containing prenatal health advice. The pilot program has been in place since February, and more than 100,000 expectant mothers are reported to have participated in it since then. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods of delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

  • As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
  • Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
  • Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
  • One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
  • Employers who provide phones to their employees and have the right to review text messages (see the recent U.S. Supreme Court decision in Quon v. City of Ontario) can easily find themselves with access to all kinds of medical information of employees, and possibly of their dependents, who give their doctors their cell phone number. The risks here could be significant.

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

The Seventh Circuit Court of Appeals in U.S. v. Szymuszkiewicz recently affirmed the criminal conviction of an employee under the federal Wiretap Act, 18 U.S.C. § 2511, after he auto-forwarded emails from his supervisor’s email account to his own. The Court concluded the use of the auto-forward feature constituted an “interception” in violation of the Act.

Szymuszkiewicz shows the application of traditional criminal statutes like the Wiretap Act not only to Internet-based modes of communication such as email, but also to voice-over-IP phone communications. The case also is an example of the courts’ continuing struggle to apply the Act to modern communications technologies such as email. Szymuszkiewicz is an instructive reminder for employers, however, of the remedies available under the Act against employees who misuse an employer’s email system, in addition to traditional remedies such as discipline or termination. In light of the length of time during which Szymuszkiewicz forwarded his supervisor’s emails without her knowledge, 3 years, the case also highlights the need for review and audit of employer technology systems and for educating employees to monitor their accounts for privacy purposes.

The folks at Identity Theft 911 remind us of the need to be "smart" about handling smartphones. In a recent post, the company warns that the wealth of data on these devices can substantially expose an individual if his or her device(s) are not purged upon disposal. The same is true, of course, for employers with respect to the phones and other devices they make available to their employees, as well as the employees’ own devices which employers permit to access their systems.

Whether because of personal preference, workforce turnover, technological advancement, a better provider contract, or business needs generally, phones and other communications devices are updated frequently. This typically results in the disposal of old devices which can have significant amounts of data stored on them. This data may include not only the personal information of the user of the phone, but sensitive company information, as well as personal information of other employees or the company’s customers. 

Employers should be taking steps to ensure these devices are handled properly. From a technical perspective, Identity Theft 911 notes that fortunately there are a number of ways to ensure that all sensitive data are cleared from a phone’s memory before it is thrown away. They warn, however, that it may not be enough to use a handset’s option to restore it to factory settings. Rather, the phone’s SIM card(s), which also store information, should be obtained, removed, purged, and/or destroyed, as appropriate.

From an employment policy perspective, employers should consider establishing policies to better manage the use of these devices. Policies such as:

  • limiting the kinds of devices that can be used,
  • maintaining an inventory of the devices being used,
  • controlling the information that can be stored on the devices, and
  • securing/purging devices upon termination of employment,

can go a long way toward minimizing the risk of a data breach involving sensitive personal and company information. Of course, employers that take these steps need to be mindful of employees’ expectation of privacy with respect to personal information that may be stored together with company information. Such policies should be a part of any Written Information Security Program (WISP).

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee’s retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistleblowing activity – voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning.

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees who raise concerns under the HIPAA privacy and security regulations, or under other data security mandates in federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns as employees become more aware of the breaches reported in the media over the past few years and grow anxious about their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

The long-awaited final Title II regulations under the Genetic Information Nondiscrimination Act (GINA) will be issued tomorrow, November 9, 2010. The Equal Employment Opportunity Commission published proposed regulations under Title II of GINA on March 2, 2009. A period of public comment followed. The final regulations will have an impact on a number of employment practices, including wellness programs. We will be reviewing these regulations together with our Disability, Leave and Health Management Group, as well as our Employee Benefits Group. This guidance is welcome news, as litigation concerning GINA in the workplace has already commenced.

In general, Title II of GINA prohibits use of genetic information in the employment context, restricts employers and other entities covered by Title II from requesting, requiring, or purchasing genetic information, and strictly limits such entities from disclosing genetic information. The law incorporates by reference many of the familiar definitions, remedies, and procedures from Title VII of the Civil Rights Act of 1964, as amended, and other statutes protecting federal, state, and Congressional employees from discrimination.

Federal contractors are subject to numerous requirements under federal law and, as we have previously highlighted here, need to keep pace with changes in law and regulation. 

Under the Federal Information Security Management Act of 2002 (FISMA) each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Accordingly, FISMA provides authority for the imposition of requirements on those companies which qualify as federal contractors. 

By way of example, the Centers for Medicare and Medicaid Services (CMS), as well as the Department of Veterans Affairs impose specific requirements on their contractors.   

Adding new data protection requirements for federal contractors who use or handle U.S. Department of Defense (DOD) information, the DOD earlier this year issued an advance notice of proposed rulemaking regarding amendments, 75 F.R. 9563, to the Defense Federal Acquisition Regulation Supplement (DFARS).

The proposed amendments require “adequate security,” defined as “protection measures … commensurate with the risks of loss, misuse, or unauthorized access to or modification of information,” and have three main subparts: basic safeguarding, enhanced safeguarding, and cyber intrusion reporting.

Basic safeguards, required for any unclassified DOD information, include:

  • Designating the level of access and dissemination of information
  • Protecting DOD information on public computers or Web sites
  • Transmitting electronic information using technology and processes that provide the best level of security and privacy
  • Transmitting voice and fax information only with reasonable assurances that access is limited
  • Protecting information by at least one physical or electronic barrier
  • Sanitizing media in accordance with National Institute of Standards and Technology (NIST) guidance before external release or disposal
  • Providing protection against computer intrusions and the unauthorized release of data

In addition to the basic safeguards outlined above, contractors are required to implement enhanced safeguards to certain types of data. The enhanced safeguards include:

  • Encryption/storage controls
  • Network intrusion protection
  • Information security controls

Additionally, a reporting requirement has now been proposed, requiring contractors to report to the DOD within 72 hours of any cyber intrusion event that affects DOD information resident on or transiting the contractor’s unclassified information systems.

The new proposed DOD amendments, along with the various other federal contractor requirements, including those imposed by CMS and the Department of Veterans Affairs, highlight the necessity for companies that qualify as federal contractors to be up to date on their legal obligations or risk loss of their federal contractor status. 

In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury. 

The Maine Supreme Court addressed the following question:

In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?

The Court ruled they do not. Additionally, the Court went on to state that "[t]he tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life….An individual’s time alone, is not legally protected from the negligence of others."

The underlying suits were filed following a breach, and subsequent fraudulent use, in which the card holder data of nearly 4.2 million people was stolen. The lawsuits alleged that the company was negligent in protecting card holder data and failed to give timely notice of the breach. The above holding was issued after the District Court Judge who heard the underlying case agreed to let the state Supreme Court decide whether the plaintiffs could sue the company for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.

Two other cases are similarly instructive. In 2003, the Minnesota Supreme Court found that an invasion of privacy cause of action requires that the dissemination result in “publicity” of private facts. Because the disclosure was internal, to other employees, and not to the public at large, the Court held the dissemination was insufficient publicity to support an invasion of privacy claim against the employer. Further, in Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 U.S. Dist. LEXIS 4846 (D. Minn. Feb. 2, 2006), the District Court dismissed the plaintiff’s negligence claim, holding that the threat of future harm not yet realized will not support a claim for negligence, which requires a showing of an injury.

Companies and employers must be on notice of these decisions when faced with individual lawsuits following data breaches. 

Confidentiality and non-disparagement clauses are customary in settlement agreements and severance contracts in the employment law context. These days, however, the temptation can be irresistible for disgruntled former employees to trash their former employer on social media sites like Facebook, Twitter, or LinkedIn, on blogs, by text or e-mail or other electronic means.

In the 1800s, Londoners stood on soapboxes at Speaker’s Corner in Hyde Park to air their grievances to small groups of passers-by. But in 2010, with greater permanency and reach, disgruntled employees are more likely to turn to the Internet to share their thoughts with the entire planet. A former software company employee once sent 200,000 e-mails to 35,000 employees complaining of his treatment by a former employer.

For this reason, standard confidentiality and non-disparagement clauses should include a specific prohibition regarding communications on social media and e-mail, along with a liquidated damages provision. This puts the former employee on notice and will make him or her think twice before “tweeting” about the employer. In addition, a court will be more likely to enforce the agreement and award the company damages for a breach if there is specific language addressing this behavior.

In one recent case, a federal court ruled that an employer was relieved from payment obligations under a confidential settlement agreement after the plaintiff texted her friends about the amount of the settlement. In another case, a former CEO and CFO anonymously posted negative comments about a publicly traded company on Yahoo. The company determined their identity by subpoena and sued under a non-disparagement clause, recovering six-figure severance payments. These cases fly under the radar because they are often filed under seal, but they are increasing. 

A claim for breach of a non-disparagement clause is different from a defamation claim in important ways. Most importantly, truth is not necessarily a defense. Damages are generally limited to liquidated damages or compensation damages. Disgorgement of any severance pay is a proper form of contractual damages for a breach.

In City Group, Inc. v. Ehlers, 402 S.E.2d 787 (Ga. Ct. App. 1991), a company’s former president was quoted as saying that he left because of “philosophical differences” and that “[i]t was hard to define the direction of the Company.” The company sued him under a non-disparagement clause. The court held that the comments did not constitute disparagement, noting: The term, "disparagement," is defined in Webster’s Third New Intl. Dictionary (1961) as "diminution of esteem or standing and dignity; disgrace . . ., the expression of a low opinion of something; detraction. . . ." A “disparaging” term, according to the court, can therefore be broadly viewed as a negative statement, even if true. Webster’s New Riverside University Dictionary defines “derogatory” as “disparaging.” So the terms seem synonymous.

As employers strive to protect their reputation, good will, and employee morale in the age of social media, non-disparagement clauses are worth a look.

A UK law firm may find itself subject to significant penalties following reports of a data breach affecting thousands of people. The recent 2010 ABA Annual Meeting in San Francisco devoted two sessions to the topic, specifically dealing with “cloud computing” and the risks and ethical issues it raises for law firms. As data privacy and security risks mount for all businesses, they are perhaps even more critical for law firms.

Law schools in the United States teach their students about a long-standing and fundamental tenet of the legal profession – the attorney-client privilege. It is indeed the general obligation of attorneys to keep client communications confidential. Law schools generally do not teach, at least not nearly to the same degree, how lawyers as law firm business owners ought to protect the personal information of their clients from unauthorized acquisition or access, without hampering their practice.

This primer is intended to provide a brief discussion of the key issues for law firms and some helpful steps for developing a plan to safeguard such information.

Beginning March 1, 2010, businesses will be required to safeguard personal information about Massachusetts residents from identity theft and other dangers under a “written information security program” or WISP. Similar requirements exist in other states around the country, although those requirements generally are not as comprehensive as those becoming effective in the Bay State.

Our complimentary webinar is designed to help employers and businesses become compliant. The program will cover:

  • the emergence of data security mandates across the country,
  • the Massachusetts approach to data security – breach notification, data destruction, the nuts and bolts of the identity theft/data security regulations, and
  • best practices when creating a WISP.

We hope you enjoy the webinar.