As highlighted by many news sources, including CNN.com and MSNBC.com, the United States Supreme Court heard oral argument (pdf) today in City of Ontario v. Quon. This is the case involving a police officer who claimed his employer violated his privacy when it read the personal text messages (which happened to be sexually explicit in nature) that he sent and received using his department-issued pager. For further information concerning this case, see our prior analysis, as well as the discussion at Inc.com. Stay tuned for an update following the Supreme Court’s decision.
Florida AG Settles Data Breach under “Deceptive and Unfair Trade Practices” Authority
On April 16, 2010, Florida Attorney General Bill McCollum announced a settlement (pdf) with Certegy Check Services, Inc. over how the company secures consumer records. The Attorney General’s enforcement action stems from a massive data breach by a former Certegy employee who stole personal identification information from approximately 5.9 million consumer files.
According to the Attorney General’s press release, Certegy promptly notified the Attorney General and consumers of the data thefts, and cooperated with the Attorney General’s investigation. In addition to agreeing to maintain a comprehensive information security program, under the settlement, Certegy will contribute $125,000 to the Attorney General’s “Seniors vs. Crime Program” for educational, investigative and crime prevention programs for the benefit of senior citizens and the community. Further, it will pay $850,000 for the state’s investigative costs and attorney’s fees.
Massachusetts and some other states have specific statutory provisions requiring the safeguarding of personal information. No similar law exists in Florida. The Attorney General commenced its action against Certegy under the State’s deceptive and unfair trade practices statutes. Businesses with data security safeguards that can be viewed as subpar, therefore, cannot depend on the absence of specific state statutes to shield them from state action in case of a data breach or allegations that personal information is not being adequately safeguarded.
In addition to the nearly one million dollars Certegy will pay the State of Florida, the company agreed to
maintain a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the effectiveness of those safeguards. Certegy and its related entities will also adhere to payment card industry data security standards as those standards continue to evolve.
Significantly, the settlement requires Certegy to conduct initial and annual assessments of its policies and procedure.
The settlement with the Attorney General followed a class action settlement in U.S. District Court in Tampa. Under that settlement, Certegy made certain monitoring services available to affected consumers, who also were able to seek reimbursement of certain out-of-pocket costs incurred or identity theft expenses.
Mississippi Becomes 46th State to Enact a Data Breach Notification Law
With Mississippi enacting its own data breach notification law on April 7, Alabama, Kentucky, New Mexico, and South Dakota remain the only states without such a law. Mississippi Gov. Haley Barbour signed H.B. 583 making his state the 46th to enact a breach notification law. The law becomes effective July 1, 2011.
Like many breach notification statutes:
- the notification obligation falls on any business in the state which owns or licenses personal information,
- personal information generally includes name plus either Social Security number, driver’s license number, or financial account number,
- encrypted personal information is not subject to the breach notification requirement, and
- the notification obligation applies only when there is a risk of harm to affected state residents in connection with a breach of security.
The law will be enforced by Mississippi’s Attorney General; however, the law prohibits individuals from commencing a private lawsuit under the new law.
EEOC Counsel Provides Guidance for Managing Employee Medical Information
In a February 18, 2010, informal letter, an Equal Employment Opportunity Commission senior staff attorney responded to an inquiry concerning the duties of federal employees and contractors relating to medical confidentiality under the Rehabilitation Act. The letter discusses the role of medical records custodians (MRCs) – those individuals whose official duties require access to employee medical information. Because the same legal standards apply to private-sector employers under the Americans with Disabilities Act’s medical confidentiality rules, the principles discussed in this letter can be helpful for all employers, including federal contractors.
The letter explains that MRCs should work in an environment that does not allow for unauthorized co-workers to have access to employee medical information. It goes on to list certain steps federal agencies and covered contractors should take to safeguard the confidentiality of employee medical information:
- Remind all employees that medical information is confidential and only MRCs are authorized to have access to such information on a need-to-know basis.
- Issue a memorandum informing all employees that anyone who discusses another employee’s medical information with unauthorized persons or reads medical documents not intended for him or her will be disciplined.
- To ensure that other employees, including other MRCs, cannot overhear conversations about an employee’s confidential medical information, consider providing an office with a door that an MRC can use when he or she needs to discuss an employee’s medical condition or history by telephone or in person.
- Install a fax machine that is shared only by other MRCs in the office, with the door kept locked except when in use by an MRC.
- Remind MRCs to keep any employee medical information in a locked file cabinet in their cubicles or in a file cabinet in the shared office to which only other MRCs have access.
- Periodically audit policies and procedures to ensure sufficient measures are in place to guarantee the confidentiality of employee medical information and protect against unauthorized disclosure.
While the EEOC Office of Legal Counsel’s letter is not an official opinion of the Commission, it provides insights into the EEOC’s view of potential safeguards to protect against unlawful disclosure of employee medical information under the ADA and Rehabilitation Act. Organizations with multiple departments reviewing employee medical information in connection with an injury or illness (such as departments for occupational health, risk management, HR and benefits) may have the greatest need to adopt recommended safeguards to protect employee medical information from unlawful disclosure.
New Jersey Supreme Court Rules on Personal E-mail Privacy: Stengart v. Loving Care
Co-author: Joseph J. Lazzarotti
New Jersey’s highest court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010, upholding the June 2009 decision of the state Appellate Division.
This case makes two important points for employers:
1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of e-mails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system, will not overcome an employee’s expectation of privacy, and the privilege would remain.
2) The Court’s opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined.
Loving Care’s employee handbook’s “Electronic Communication” policy governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”
The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.
The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.
This decision, and others highlighted previously in this blog, present numerous issues for employers. While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:
- Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
- Definitions of the specific technologies and devices to which the policies apply;
- Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
- No ambiguities about personal use.
See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers’ systems which may later be deemed “private” or subject to a privilege.
Federal Contractors To Deal With Federal File Sharing Concerns
Under a measure passed overwhelmingly by the U.S. House of Representatives (408-13), federal contractors would be required to adopt measures established by the Office of Management and Budget to limit open network peer-to-peer file sharing software (P2P Software). Likely a response to the leakage of House and Senate ethics investigations, if the “Secure Federal File Sharing Act” (H.R. 4098) (pdf) becomes law it would be the first widespread federal statute regulating P2P Software.
Under the law, federal government employees and contractors would be prohibited from downloading, installing, or using P2P Software on federal computers without government approval. Federal agencies would be required to take steps to find and remove P2P Software from such computers, including those government computers operated by contractors. In particular, the Act requires OMB guidelines:
to address the download, installation, or use by Government employees and contractors of such software on home or personal computers as it relates to telework and remotely accessing Federal computers, computer systems, and networks, including those operated by contractors on the Government’s behalf.
Within 90 days of enactment, OMB will need to set up a procedure for approving the use of P2P Software. Within 180 days of enactment, with respect to contractors, agencies will need to
- require any contract awarded by the agency to include a requirement that the contractor comply with OMB guidance in the performance of the contract;
- update their information technology security or ethics training policies to ensure that all employees working for contractors on the government’s behalf are aware of the requirements of OMB guidance and the consequences of engaging in prohibited conduct; and
- ensure that proper security controls are in place to prevent, detect, and remove file sharing software that is prohibited by the OMB guidance from all federal computers, computer systems, and networks operated by contractors on the government’s behalf.
Numerous examples of data leaks caused by irresponsible use of P2P Software should push all businesses to take steps to use this potentially valuable technology more carefully.
Peer-To-Peer (P2P) File Sharing Data Breaches Lead to FTC Action
Nearly 100 organizations have been notified by the Federal Trade Commission (“FTC”) that personal information, including sensitive employee and customer data, shared from the organizations’ computer networks is available on peer-to-peer (P2P) file-sharing networks. This, the FTC warned, could be used to commit identity theft or fraud. The notices went to both private and public entities, including schools and local governments. The entities ranged in size from those with as few as eight employees to public corporations employing tens of thousands. The notices come not long after the Congressional Ethics breach we discussed in October.
With P2P file-sharing software, a user can share music, video, and documents. However, when not configured correctly, P2P file-sharing software may allow anyone on the P2P network to access files not intended for sharing.
To aid businesses in managing the security risks of file-sharing software, the FTC also has released education materials, including a new business education brochure – Peer-to-Peer File Sharing: A Guide for Business – designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks. The brochure also explains how to safeguard sensitive information on their systems and provides other security recommendations. Additionally, the FTC published tips for consumers about computer security and P2P.
In addition to the FTC notices, employers should consider the P2P Cyber Protection and Informed User Act, which was introduced in Congress shortly after the notices were sent. Under the Act, P2P file-sharing programs must clearly inform users when their files are made available to other P2P users, may not be installed without informed consent, and may not prevent a user from blocking, disabling, or removing any sharing program.
The FTC has urged entities to review their security practices and, if appropriate, the practices of their contractors and vendors, to ensure that the practices are reasonable, appropriate, and in compliance with the law. FTC Chairman Jon Leibowitz also cautioned, “companies and institutions of all sizes are vulnerable to serious P2P-related breaches…” and “[companies] should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
A company’s failure to prevent such information from being shared on a P2P network may violate applicable law and subject the company to legal action.
Employee Data Security Complaint Supports Whistleblower Retaliation Claim
Employees’ increasing sensitivity to data privacy and security, and widely accepted public policy to protect personal data maintained by businesses, require employers to respond meaningfully to employee data privacy and security complaints or risk whistleblower claims of retaliation.
The U.S. District Court for the District of New Jersey recently held that an employee who voiced concerns regarding his employer’s handling of data security before he was fired may proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistleblowing activity under CEPA. This is one of the first decisions linking a NJ CEPA or similar claim to data security concerns, and it is in line with increased efforts by both the federal and state governments to protect employee data.
WISPs Beyond Massachusetts
Over the past few months, many businesses, particularly in the Northeast Region, have been focusing on creating a written information security program (WISP) to comply with Massachusetts identity theft regulations that went into effect March 1, 2010. For many, this has been a significant effort, reaching most, if not all, parts of their organizations. However, it is important to remember that although Massachusetts may be the state with the most comprehensive set of rules for securing personal data, other states have enacted similar protections, and compliance with Massachusetts does NOT necessarily mean compliance with other states.
Consider the following examples:
California. The Civil Code in California states that a business that owns or licenses personal information about a California resident must:
implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
For purposes of this requirement, “personal information” means:
an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver’s license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
Similar protections for medical information exist in Arkansas, but that information is not covered by the rules in Massachusetts. Illinois requires safeguards for certain biometric information, a classification of data also not covered by the Massachusetts regulations.
Oregon. Oregon’s Consumer Identity Theft Protection Act lays out safeguards similar to those in Massachusetts, with some relief for small businesses (those manufacturing businesses with 200 employees or fewer and all other forms of business having 50 employees or fewer). Key is the requirement to implement an “information security program” that contains administrative, technical and physical safeguards.
Administrative safeguards include, for example:
- designating one or more employees to coordinate the program;
- identifying reasonably foreseeable internal and external risks;
- assessing the sufficiency of data safeguards;
- training employees in the program’s practices and procedures;
- limiting outside service providers to those maintaining adequate data security safeguards; and
- adjusting the program according to business changes or new circumstances.
In New Jersey, regulations are pending that would create similar obligations.
Connecticut. Without specifying the kinds of safeguards, Connecticut requires any person in possession of personal information of another person to:
safeguard the data, computer files and documents containing the information from misuse by third parties, and [ ] destroy, erase or make unreadable such data, computer files and documents prior to disposal.
For purposes of this law, “personal information” includes:
information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.
Similar requirements have been enacted in other states, including Arkansas, North Carolina, Rhode Island, Texas, and Utah. But note that the definition in Connecticut goes beyond the elements of data protected under the Massachusetts regulations.
Service contracts. Some states go a step further, requiring certain provisions be included in contracts between entities and their service providers when the contracts involve the disclosure of a state resident’s personal information from the owner of the information to the service provider. For example, such contracts in Nevada and Maryland must include a provision requiring the person to whom the information is disclosed to implement safeguards to protect that information.
The emergence of state mandates, fueled by the continued rapid advancement and increased use of technology, suggests a trend that is sure to become a fact of life for businesses operating anywhere in the U.S. Whether the technology is “cloud computing” or “peer-to-peer” software, businesses need to take appropriate steps to protect personal information maintained throughout their organizations.
New Mobile Phones Capable of Monitoring Employee’s Every Move?
New mobile phone technology may allow employers to track very precise movements and activities of employees, such as walking, climbing stairs or even cleaning. As reported by Michael Fitzpatrick of BBC News, the technology developed by KDDI Corporation, a Japanese company, “works by analyzing the movement of accelerometers, found in many handsets.” This enhanced level of monitoring likely will raise serious concerns for courts seeking to balance an employer’s legitimate need to monitor employees with an employee’s expectation of privacy.
To get a sense of how sensitive this technology is, Mr. Fitzpatrick notes that a KDDI mobile phone
strapped to a cleaning worker’s waist can tell the difference between actions performed such as scrubbing, sweeping, walking and even emptying a rubbish bin.
Employers should proceed with caution. There certainly are legitimate business reasons for gathering and analyzing this kind of data:
- Improving customer service
- Enhancing employee productivity
- Identifying safety concerns and rectifying them
- Ensuring employees are performing only assigned tasks
- Confirming employees are working when they say that they are
At the same time, significant concerns about the technology and how it is implemented, together with the potential for unintended consequences, should motivate employers to think carefully before using this equipment:
- Does the technology really work as advertised?
- Can employees manipulate the “accelerometers,” creating false positives for employers?
- When should/must employers turn the monitoring off?
- What effects will data capable of showing the time, date and duration of certain activities have in the areas of wage and hour law, collective bargaining, classification of workers as employees versus independent contractors, workers’ compensation, administration of leaves of absence, and so on?
- Will data collected constitute personal information to be safeguarded and retained?
- Will employers be required to produce information collected through these mobile phones in unrelated litigation, such as where an employee’s spouse seeking to prove claims of adultery in a divorce action seeks “phone” records to show the location and activity of the employee-spouse?
- Some states already have laws dealing with electronic monitoring, but it is unclear how those laws will apply to this new technology. For example, a Connecticut statute prohibits employers from recording or monitoring the activities of employees in areas designed for the health or personal comfort of the employees or for safeguarding of their possessions, such as restrooms, locker rooms or lounges. When Connecticut employers perform permissible electronic monitoring on their premises, they must provide employees with prior written notice.
However, if these phones work as intended, the level of intrusiveness likely will spur opposition by privacy advocates and additional legislation. It also is possible that the U.S. Supreme Court’s decision in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al., currently before the Court, will provide guidance for employers and lower courts as they consider the effects new technologies have on workplace privacy issues. In that case, one issue the Court is considering is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department-issued pager.
There is no doubt technology will continue to advance and bring with it enhanced functionality and capabilities. While the law will try to keep pace, employers will be challenged to apply these technologies in ways that meet the demands of their business, while avoiding the pitfalls of law not yet clearly established.