With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.

Like many breach notification statutes:

  • the notification obligation falls on any business in the state which owns or licenses personal information,
  • personal information generally includes name plus either Social Security number, drivers license number, or financial account number,
  • encrypted personal information is not subject to the breach notification requirement, and
  • the notification obligation applies only when there is a risk of harm to affected state resident in connection with a breach of security.

The law will be enforced by Mississippi’s Attorney General, however, the law prohibits individuals from commencing a privacy lawsuit under the new law.

In a February 18, 2010, informal letter, an Equal Employment Opportunity Commission senior staff attorney responded to an inquiry concerning the duties of federal employees and contractors relating to medical confidentiality under the Rehabilitation Act. The letter discusses the role of medical records custodians (MRCs) – those individuals whose official duties require access to employee medical information. Because the same legal standards apply to private-sector employers under the Americans with Disabilities Act’s medical confidentiality rules, the principles discussed in this letter can be helpful for all employers, including federal contractors.

The letter explains that MRCs should work in an environment that does not allow for unauthorized co-workers to have access to employee medical information. It goes on to list certain steps federal agencies and covered contractors should take to safeguard the confidentiality of employee medical information:

  1. Remind all employees that medical information is confidential and only MRCs are authorized to have access to such information on a need-to-know basis.
  2. Issue a memorandum informing all employees that anyone who discusses another employee’s medical information with unauthorized persons or reads medical documents not intended for him or her will be disciplined.
  3. To ensure that other employees, including other MRCs, cannot overhear conversations about an employee’s confidential medical information, consider providing an office with a door that an MRC can use when he or she needs to discuss an employee’s medical condition or history by telephone or in person.
  4. Install a fax machine that is shared only by other MRCs in the office, with the door kept locked except when in use by an MRC.
  5. Remind MRCs to keep any employee medical information in a locked file cabinet in their cubicles or in a file cabinet in the shared office to which only other MRCs have access.
  6. Periodically audit policies and procedures to ensure sufficient measures are in place to guarantee the confidentiality of employee medical information and protect against unauthorized disclosure.

While the EEOC Office of Legal Counsel’s letter is not an official opinion of the Commission, it provides insights into the EEOC’s view of potential safeguards to protect against unlawful disclosure of employee medical information under the ADA and Rehabilitation Act. Organizations with multiple departments reviewing employee medical information in connection with an injury or illness (such as departments for occupational health, risk management, HR and benefits) may have the greatest need to adopt recommended safeguards to protect employee medical information from unlawful disclosure.

Under a measure passed overwhelmingly by the U.S. House of Representatives (408-13), federal contractors would be required to adopt measures established by the Office of Management and Budget to limit open network peer-to-peer file sharing software (P2P Software). Likely a response to the leakage of House and Senate ethics investigations, if the “Secure Federal File Sharing Act” (H.R. 4098) (pdf) becomes law it would be the first widespread federal statute regulating P2P Software.

Under the law, federal government employees and contractors would be prohibited from downloading, installing, or using P2P Software on federal computers without government approval. Federal agencies would be required to take steps to find and remove P2P Software from such computers, including those government computers operated by contractors. In particular, the Act requires OMB guidelines to:

to address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.

Within 90 days of enactment, OMB will need to set up a procedure for approving the use of P2P Software. Within 180 days of enactment, with respect to contractors, agencies will need to

  1. require any contract awarded by the agency to include a requirement that the contractor comply with OMB guidance in the performance of the contract;
  2. update their information technology security or ethics training policies to ensure that all employees working for contractors on the government’s behalf are aware of the requirements of OMB guidance and the consequences of engaging in prohibited conduct; and
  3. ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the OMB guidance from all federal computers, computer systems, and networks operated by contractors on the government’s behalf.

Numerous examples of data leaks caused by irresponsible use of P2P Software should push all businesses to take steps to use this potentially valuable technology more carefully. 

Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October. 

With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.

To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems, and provide other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P. 

In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, are prohibited from being installed without informed consent, and are prohibited from preventing a user from blocking/disabling/removing any sharing program. 

The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law.  FTC Chairman Jon Leibowitz also cautioned,  , “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.” 

A company’s failure to prevent such information from being shared on a P2P network, may violate applicable law and subject the company to legal action. 

Employees’ increasing sensitivity to data privacy and security, and widely accepted public policy to protect personal data maintained by businesses, require employers to respond meaningfully to employee data privacy and security complaints or risk whistle blower claims of retaliation.

The U.S. District Court for the District of New Jersey recently held that an employee who voiced concerns regarding his employer’s handling of data security before he was fired may proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity under CEPA. This is one of the first decisions linking a NJ CEPA or similar claim and data security concerns, and is in line with increased efforts by both the federal and state governments to protect employee data.

Continue Reading Employee Data Security Complaint Supports Whistleblower Retaliation Claim

Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.

Consider the following examples:

California. The Civil Code in California states a business that owns or licenses personal information about a California resident must:

implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

For purposes of this requirement, “personal information" means:

an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.

Similar pretections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.

Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.

Administrative safeguards include, for example: 

  1. designating one or more employees to coordinate the program;
  2. identifying reasonably foreseeable internal and external risks;
  3. assessing the sufficiency of data safeguards;
  4. training employees in the program’s practices and procedures;
  5. limiting outside service providers to those maintaining adequate data security safeguards; and
  6. adjusting the program according to business changes or new circumstances.

In New Jersey, regulations are pending that would create similar obligations.

Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:

safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.

For purposes of this law, “personal information” includes:

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

Similar requirements were enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.

Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.

The emergence of state mandates fueled by the continued rapid advancement and increased use of technology suggest a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.

959695New mobile phone technology may allow employers to track very precise movements and activities of employees, such as walking, climbing stairs or even cleaning. As reported by Michael Fitzpatrick of BBC News, the technology developed by KDDI Corporation, a Japanese company, “works by analyzing the movement of accelerometers, found in many handsets.” This enhanced level of monitoring likely will raise serious concerns for courts seeking to balance an employer’s legitimate need to monitor employees with an employee’s expectation of privacy.

To get a sense of how sensitive this technology is, Mr. Fitzpatrick notes that a KDDI mobile phone

strapped to a cleaning worker’s waist can tell the difference between actions performed such as scrubbing, sweeping, walking and even emptying a rubbish bin.

Employers should proceed with caution. There certainly are legitimate business reasons for gathering and analyzing this kind of data:

  • Improving customer service
  • Enhancing employee productivity
  • Identifying safety concerns and rectifying them
  • Ensuring employees are performing only assigned tasks
  • Confirming employees are working when they say that they are

At the same time, significant concerns about the technology and how it is implemented, together with the potential for unintended consequences, should motivate employers to think carefully before using this equipment:

  • Does the technology really work as advertised?
  • Can employees manipulate the “accelerometers,” creating false positives for employers?
  • When should/must employers turn the monitoring off?
  • Will effects will data capable of showing the time, date and duration of certain activities have in the areas of wage and hour law, collective bargaining, classification of workers as employees versus independent contractors, workers’ compensation, administration of leaves of absence, and so on?
  • Will data collected constitute personal information to be safeguarded and retained?
  • Will employers be required to produce information collected through these mobile phones in unrelated litigation, such as where an employee’s spouse seeking to prove claims of adultery in a divorce action seeks “phone” records to show the location and activity of the employee-spouse?
  • Some states already have laws dealing with electronic monitoring, but it is unclear how those laws will apply to this new technology. For example, a Connecticut statute prohibits employers from recording or monitoring the activities of employees in areas designed for the health or personal comfort of the employees or for safeguarding of their possessions, such as rest rooms, locker rooms or lounges operating.  When Connecticut employers perform permissible electronic monitoring on their premises, they must provide employees with prior written notice

However, if these phones work as intended, the level of intrusiveness likely will spur opposition by privacy advocates and additional legislation. It also is possible that the U.S. Supreme Court’s decision in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al., currently before the Court, will provide guidance for employers and lower courts as they consider the effects new technologies have on workplace privacy issues. In that case, one issue the Court is considering is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager.

There is no doubt technology will continue to advance and bring with it enhanced functionality and capabilities. While the law will try to keep pace, employers will be challenged to apply these technologies in ways that meet the demands of their business, while avoiding the pitfalls of law not yet clearly established.

Whether it be Facebook, MySpace, LinkedIn, Twitter, YouTube or the company blog, employee presence in social media is way, way up, creating risks for employers that are proving difficult to manage without careful planning and appropriate policies.

These risks can take many forms – FTC endorsement issues, inadvertent sharing of confidential company or personal information, harassment claims, blog posts harmful to the company’s reputation – to name a few.  The damage can be done whether the employee is posting at home or during working hours.

This white paper (pdf), which takes into account some of our prior posts, is intended to help employers get a better handle on these issues, particulalry in three area: (1) employees’ misuse of social media; (2) monitoring and regulating employees’ social media use; and (3) basing hiring decisions on information obtained from social media.

In another example of a medical provider facing potential civil liability for providing medical records in response to a subpoena, a federal court in the Northern District of Ohio denied summary judgment for the Cleveland Clinic and other defendants in Turk v. Oiler, No. 09-CV-381 (N. D. Ohio Feb 1, 2010.  We previously discussed the decision in Kim v. St. Elizabeth’s Hosp. in which a court allowed similar claims to proceed under an Illinois law protecting mental health records. In Turk, the claims were based in part on the Ohio physician-patient privilege codified at Ohio Rev. Code Section 2317.02.

Plaintiff James Turk was a private investigator accused of possessing a weapon while under a disability in violation of Ohio law.  The Cleveland Clinic received a grand jury subpoena from the Cuyahoga County Court of Common Pleas seeking Turk’s medical records. The clinic complied with the subpoena and produced the records. Turk and his wife later brought suit against the clinic claiming damages for invasion of privacy, negligent disclosure of medical records, and violation of the First Amendment.

The clinic moved for summary judgment, arguing that it was required to respond to a grand jury subpoena and that Section 2317.02 was preempted by the Health Insurance Portability and Accountability Act ("HIPAA").  The federal district court denied the motion and allowed the claims to proceed, reasoning that Ohio law was not preempted by HIPAA where it provided greater protections than the federal law.  The case stands for the proposition that compliance with HIPAA by itself is not enough and reinforces yet again the caution which health care providers must exercise when responding to subpoenas or other requests for medical records without a proper release.