A New Jersey restaurant has been hit with a jury verdict in favor of two waiters who were fired after the restaurant’s managers accessed a private social networking site where the waiters were criticizing management.

As the social networking (e.g., MySpace and Facebook) “craze” continues to expand, employers must be more mindful of privacy concerns relating to content made available in these media by applicants and employees. Hiring and other job decisions often seem based on information obtained from employees’ or applicants’ social interactions on the Internet, at least to some degree. Generally, employment decisions are more supportable where there is a social networking policy that has been communicated to employees.

In Brian Pietrylo, et al. v. Hillstone Restaurant Group d/b/a Houston’s, a federal court in New Jersey rejected the employer’s attempt to throw out the jury verdict that managers at a Houston’s restaurant intentionally and without authorization accessed a private, invitation-only chat group on MySpace in violation of the federal Stored Communications Act (SCA). The SCA prohibits unauthorized access of stored communications such as e-mail and Internet accounts. The Court also upheld the jury’s award of compensatory and punitive damages against Hillstone.

This case reminds employers to consider carefully any decision to monitor employees’ use of social networking sites.  Mistakes may be costly.

Reports indicate that identity theft is the fastest growing crime in the United States. In fact, the FTC lists identity theft as the most reported crime for 2008. Identity thieves use personally identifying information of unsuspecting individuals to open new accounts and misuse existing accounts, creating havoc for individuals and business and costing millions of dollars. To help slow the frequency of these offenses, the federal government passed the Fair and Accurate Credit Transactions Act of 2003 (PDF).

Under the FACT Act, a number of federal agencies, including the FTC, the federal bank regulatory agencies, and the National Credit Union Administration, issued regulations (“Red Flags Rules”) requiring financial institutions and creditors to develop and implement written identity theft prevention programs to detect, prevent, and mitigate instances of identity theft. These programs must be designed to provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Red Flag Rules apply to “financial institutions” and “creditors” with “covered accounts.” The FTC has broadly interpreted the term “creditors” to include professionals such a lawyers and doctors. However, the U.S. House of representatives passed H.R. 3763 which would exclude from the meaning of “creditor” any health care practice, accounting practice, or legal practice with 20 or fewer employees. Currently, this Bill awaits action by the Senate.  Similarly, a federal judge in the U.S. District Court for the District of Columbia recently ruled that the FTC cannot force practicing lawyers to comply with the red flags, holding that she had a problem concluding that Congress intended to regulate lawyers when these statutes were enacted. 

Given the November 1, 2009 enforcement date, and the unresolved definition of "creditor," businesses of all sizes and industries will need to take immediate steps to develop a comprehensive strategy for compliance with the Red Flag Rules. Here is helpful information for the Red Flag Rules and small businesses.

Update:  Since the publishing of this post, the FTC has again extended the enforcement date to June 1, 2010.  Additionally, the U.S. District Court for the District of Columbia upheld the American Bar Association’s challenge to the Rule and the opinion enjoins the FTC from enforcing the Rule against lawyers. 

As reported by Ameet Sachdev, of the Chicago Tribune, a jury found an employer responsible for the actions of its investigators who obtained a former employee’s phone records through “pretexting.” Of the $1.8 million awarded to the former employee for breaches of her privacy, the jury awarded $1.75 million in punitive damages. Regardless of whether this verdict survives on appeal, the lesson for employers is to be mindful of their internal investigatory techniques, but also those of their hired investigators.

Pretexting “is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action.” As in many cases, the pretexting in Lawlor v. N. Amer. Corp. of Ill., Ill. Cir. Ct., No. 08 L 5931 (jury verdict rendered 9/19/09) involved use of the telephone to obtain telephone records. This case involved a key company saleswoman who, during a dispute over her compensation, was about to land a significant new account for the company. Concerned that Lawlor would take this new account to a competitor magnified the dispute and a company investigation ensued. The jury found one of the investigators hired by the employer called Lawlor’s telephone carriers and pretended to be her.

Both the federal and state governments have taken action to prevent pretexting. In 2006, the Telephone Records and Privacy Protection Act of 2006 (HR 4709) was enacted. This federal law criminalizes a number of actions related to pretexting. For example, it is a crime for a person to knowingly and intentionally obtain, or attempt to obtain, certain phone records under false pretenses. Violations of this law can result fines and/or imprisonment for up to 10 years. A number of states also have laws prohibiting pretexting. In 2006, the Consumer Communication Records Privacy Act became law in New York which provides similar protections against pretexting.

Employers frequently conduct investigations involving issues such as theft of company assets or trade secrets, disability fraud, harassment, and other sensitive matters where phone records and other information can be critical to obtain. Given how much sensitive information can now be obtained electronically, it is critical to understand the methodologies and techniques of third-party vendors and to ensure there are appropriate representations and indemnity provisions in service agreements.

Data privacy and security laws in states such as Massachusetts, Maryland and Nevada require businesses to develop written policies and procedures that provide administrative, physical, and technological safeguards to protect personal information – or a "written information security program" or "WISP." These laws do not require protections for confidential company information and trade secrets, but such information also warrants protection.

Failure to do develop a WISP can leave a business exposed. messy desk

Certain businesses also can lose a business advantage as individuals (clients, employees, dependents, and others) and business partners increasingly demand heightened security of their sensitive and personal information.

But where does a business start?

 

Don’t wait any longer! Develop a plan by reading the Data Privacy Primer (PDF).

Little more than one month after the HIPAA breach notification regulations became effective (September 23, 2009), covered entities (health care providers, health plans) and their business associates are struggling with the effects of these new rules. Many are asking:

  • What is a breach?
  • Do we have to notify in all cases, what are the exceptions?
  • Who do we notify?
  • Do we have to notify the government?
  • Do we have to modify our business associate agreements?
  • Do we have to create, update our policies and procedures?

Indeed, it is important to learn about these issues before a breach happens. However, if a reportable breaches happens, covered entities will need to know how and when to notify the Department of Health and Human Services (HHS). For breaches involving 500 or more individuals, the covered entity must notify HHS at the same time as the affected individuals. For breaches involving fewer than 500 individuals, the covered entity must maintain a log of the breaches during the calendar year and report them to the Secretary within 60 days following the end of that year.

HHS established a website for reporting breaches, with separate links for immediate and annual notifications. Note that in addition to gathering information specific to the breach, both forms ask about the safeguards in place prior to the breach and steps taken following the breach. Also, the instructions require covered entities to complete a separate on-line form for each breach.

Remember: Breaches triggering a notification requirement under HIPAA also may require notice under state law, including notice to certain state agencies and officials.