Could This Be Your Retirement Plan?

Image result for cardboard box record storageAs reported by CBC, B.C. Pension Corporation announced a data breach involving pension plan records after discovering a box containing microfiche could not be found following a recent office move. The box contained personal information (names, social insurance numbers and dates of birth) on approximately 8,000 pension plan participants. The company employed those participants during the period 1982 to 1997. Learning of this incident, persons responsible for pension plan administration might be wondering how secure are their facilities (or their service provider’s facilities) for remote storage. And, pension plan participants might be wondering why do plans need this information and for so long.

In the U.S., the Employee Retirement Income Security Act (ERISA) governs the administration of pension plans, and the law includes specific record retention requirements. For example, persons who are responsible for filing plan reports must “maintain records to provide sufficient detail to verify, explain, clarify and check for accuracy and completeness.” ERISA Section 107. In addition, ERISA requires employers to maintain sufficient records to determine benefits due to employees. ERISA Section 209. Because employees may not retire for many years after accruing benefits under the pension plan, plans need to maintain records until plan participants retire and the records must be sufficient to determine benefits under the plan.

These record retention requirements present important issues for employers, plan administrators, and pension plan service providers. We have written about pension plans experiencing data breaches caused by malicious attackers. But, relatively straightforward administrative recordkeeping activities also can result personal information being compromised.  In late 2016, the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. To date, the DOL has not issued any formal guidance on these recommendations, however, employers, plan administrators, and pension plan service providers should revisit their procedures for handling sensitive personal information maintained in their pension plan records.

According to the Council’s recommendations, there are four major areas for effective practices and policies: (i) data management; (ii) technology management; (iii) service provider management; and (iv) people issues. This is a good list to work from. However, while not an exhaustive list, the following action items may help to avoid incidents like the one discussed above:

  • Retain only the data that is needed; if certain data elements can be redacted, removed them;
  • Maintain an inventory of records that are retained regardless of format, and where to find them;
  • Outline a clear process for moving records, and track location and inventory during the move; and
  • Delete records that are no longer needed; confirm service providers have done so, as applicable.

Of course, no set of safeguards for protecting personal information will prevent all kinds of compromises to it. Mistakes happen, so employers and plan administrators should be prepared by developing and maintaining incident response plans and practice them.

Illinois BIPA Defendants May Soon Be Getting Relief…Or Not

UPDATE: As discussed below, SB2134, as introduced, would have amended BIPA to delete the language that creates a private right of action and provide, instead, that violations resulting from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to the enforcement authority of the Department of Labor. But, to survive, SB 2134 needed to be reported out of committee by March 28, 2019. That did not happen. Again, businesses should continue their efforts to comply with the requirements of BIPA.

Many businesses currently are defending a wave of class action lawsuits filed under the Illinois’ Biometric Information Privacy Act, popularly known as “BIPA” ).  The floodgates to litigation were opened earlier this year when the Illinois Supreme Court ruled that individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act.  Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. The majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected, exposing businesses to potentially crushing damages.

In February, SB2134 was introduced and would amend BIPA to delete the language that creates a private right of action. If enacted, the amendment would provide, instead, that violations resulting from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to the enforcement authority of the Department of Labor. The amendment would permit employees and former employees to file a complaint with the DOL, provided they are filed within one year from the date of the violation. Violations of BIPA that constitute a violation of the Consumer Fraud and Deceptive Business Practices Act would be enforced by the Attorney General. If the amendment is enacted, the changes would be effective immediately. Of course, it is unclear what the effect would be for pending litigation.

We expect businesses will be watching developments concerning SB2134 closely, which is currently is in committee. However, businesses should continue their efforts to comply with the requirements of BIPA, which do not appear to be included in the changes being proposed in SB2134.

As Wearable Technology Booms, Sports and Athletic Organizations at all Levels Face Privacy Concerns

As wearable and analytics technology continues to explode, professional sports leagues, such as the NFL, have aggressively pushed into this field. (See Bloomberg). NFL teams insert tiny chips into players shoulder pads to track different metrics of their game. During the 2018-2019 NFL season, data was released that Ezekiel Elliot ran 21.27 miles per hour for a 44-yard run, his fastest of the season. The Dallas Cowboys are not alone as all 32 teams throughout the league can access this chip data which is collected via RFID tracking devices. Sports statistics geeks don’t stand a chance as this technology will track completion rates, double-team percentages, catches over expectation, and a myriad of other data points.

There are obvious questions and concerns about the use of this technology, and not just at the professional level. Wearables can be found at all levels of sports and athletic activities, including at colleges and high schools. At the professional level, the NFL is unique in that it allows teams to use the chip data during contract negotiations. However, players do not have full access to this information, unless specifically granted by individual teams. This is important since there is much debate over who truly owns this data. And, for a variety of reasons, players and athletes want to know where their information is stored, how it is stored, whether and how it might be used and disclosed, who has access to it, and what safeguards are in place to protect it. Major League Baseball and the Players Association added Attachment 56 to the 2017-2021 Collective Bargaining Agreement to address some of these concerns. But, again, these and other questions are not unique to professional ball players.

See the source imageWith devices ranging from wearable monitors to clothing and equipment with embedded sensors, professional teams, colleges and universities, local school districts, and other sports and athletic institutions, as well as the companies that provide the wearables, can now collect massive amounts of data such as an athlete’s heart rate, glucose level, breathing, gait, strain, or fatigue. On the surface, this data may relate to an athlete’s performance and overall wellness, which may be somewhat apparent to onlookers without the aid of the device. However, alone or aggregated, the data may reveal more sensitive personal information relating to the athlete’s identity, location, or health status, information that cannot be obtained just by closely observing the individual. When organizations collect, use, share, or store this data, it creates certain privacy and security risks and numerous international, federal, and state data protection laws may apply. Any sports or athletic organization that develops a wearable device program, or has reason to believe that these devices are being used by coaches and others to collect similar data, should be mindful of these risks and regulatory issues.

Below is a non-exhaustive list of some of these laws: Read More

Damaging Data Breaches Don’t Just Involve SSNs or Medical Information

A few weeks back a company’s watch list containing nearly 2.5 million individuals and entities considered “high-risk” for its clients was mistakenly leaked to the public. A “high-risk” entity in this circumstance was one potentially linked to organized crime or terrorism. The leak resulted from an unsecured and incorrectly configured company database.

Typically in the news we hear of data breaches involving a leak of personal information including social security numbers, medical information or credit card numbers. Moreover, state data breach notifications and reasonable safeguard laws generally create an affirmative obligate to protect against and respond to a data breach involving personal information. For example, under California data security law a business that owns, licenses or maintains personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Similarly, under New Jersey data breach notification law, any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person.  The definition of personal information under state data breach notification and reasonable safeguard laws commonly includes the following types of data: (i) Social Security number; (ii) driver’s license number or state issued ID card number; or (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. Moreover, some states have broader definitions of personal information which can include other types of data such as biometric data, passport numbers or medical information. Note that this type of data is unlike the information involved in the “watch list” incident mentioned above.

Despite media and legislative focus on data breaches of personal information, there are other types of sensitive data that when breached can have a detrimental impact on an organization. An organization can face a data breach involving leaked confidential business information, trade secrets, organizational strategies or financial information, just to name a few. As a result it is important for an organization to have safeguards in place to protect any data it deems of value, whether personal information or otherwise, even if there is no affirmative obligation under the law to do so. Strong IT safeguards are part of the solution, but not a silver bullet. Administrative and physical safeguards also are needed, such as access management policies, awareness training, equipment inventory, and vendor assessment and management programs. No organization is immune to a data breach, and preparedness can make all the difference in both preventing a breach, and responding if one does occur.

Below are a few of our helpful resources for preventing and responding to a data breach:


Washington State’s GDPR-like Bill Passes Senate

The California Consumer Privacy Act (CCPA), passed in 2018 and taking effect January 1, 2020, is considered the most expansive state privacy law in the United States, and sparked a flurry of state privacy law legislative proposals, in particular in Washington state. This January, a group of state senators in Washington introduced the Washington Privacy Act, SB 5376 (WPA), slightly updated in late February. On March 6th, the bill passed the Senate with a nearly unanimous vote, and now heads to the House for review. If approved, the WPA will take effect July 31, 2021.

Unlike other states that are modeling their bills largely on the CCPA (e.g. Hawaii, Maryland, New Mexico), the WPA would establish more GDPR-like requirements on businesses that collect personal information related to Washington residents. In fact, the WPA’s legislative findings explicitly state that Washington residents “deserve to enjoy the same level of privacy safeguards”, as those afforded to EU residents under the GDPR. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

Below are key aspects of the WPA:

  • Jurisdictional Scope. The WPA would apply to legal entities that conduct business in Washington or produce products or services intentionally targeted to residents of Washington, and that satisfy one or more following thresholds: Controls or processes data of 100,000 consumers or more; or Derives over 50% of gross revenue from the sale of personal information and processes or controls personal information of 25,000 consumers or more. The bill includes exemptions for personal data regulated by HIPAA, HITECH, or the GLBA, and data sets maintained for employment record purposes. Personal data is defined vaguely to include any information relating to an identified or identifiable natural person.
  • Consumer Rights. Washington residents are afforded the power to request that controllers of their personal data:
    • provide them with confirmation whether their personal information is being processed by the controller or sold to a third-party;
    • provide them with a copy of the personal data undergoing process;
    • correct inaccurate personal data;
    • delete their personal data under specified circumstances
      (g. personal data is no longer necessary in relation to the purpose for which it was collected, the processing is for direct marketing purposes, personal data has been unlawfully processed).
  • In general, businesses in the U.S. are used to needing only implied or negative consent from customers with respect to the collection and use of their data. The WPA would require consent to be a “clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of a consumer’s agreement to the processing of personal data relating to the consumer, such as by a written statement or other clear affirmative action.”
  • Controllers and Processors. In general, controllers determine the purposes and means of processing personal data, while processors process personal data on behalf of the controllers. Thus, under the WPA, controllers would be responsible for meeting the requirements of the WPA, while processors are responsible for following the instructions of their controllers and assisting them with meeting the requirements of the law. Contracting between the parties will be critical.
  • Controllers must be transparent and accountable for processing of personal data by making a “meaningful,” “clear,” and “reasonably accessible” privacy notice available (although the language in the bill is less than clear). Notice must include: the categories of personal data collected, the purpose for which personal data is disclosed to third parties, the rights the consumer may exercise, the categories of personal data shared with third-parties, the categories of third-parties with whom the controller shares data.
  • Risk Assessments. Controllers must conduct and document risk assessments covering the processing of personal data prior to the processing of such personal data whenever there is a change in processing that materially impacts the risk to individuals, and on at least an annual basis regardless of changes in processing.
  • A controller in violation of the law is subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7500 for each intentional violation.

 It is worth noting that unlike California’s CCPA which leaves open the possibility of application to employee data, the WPA explicitly states that a protected “consumer” does not include an employee or contractor of a business acting in their role as an employee or contractor. Moreover, as already mentioned above, data sets maintained for employment record purposes are exempt from the jurisdictional scope. That said, the WPA is not yet final, and could be revised during the legislative process to include employee data.

States across the country are contemplating ways to enhance their consumer privacy and security protections. For example, we recently spotlighted New Jersey in two posts (available here and here), detailing several NJ Assembly bills relating to privacy and security, currently under consideration.   Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs).


U.S. Supreme Court Allows Zappos Data Breach Litigation to Proceed

Yesterday, the U.S. Supreme Court rejected a petition for a writ of certiorari by Zappos requesting the Court to review a Ninth Circuit Court decision which allowed customers affected by a data breach to proceed with a lawsuit on grounds of vulnerability to fraud and identity theft. The ruling stems from a 2012 breach that affected over 24 million Zappos customers, which included hackers accessing customer’s names, account numbers, passwords, email addresses, billing and shipping addresses, phone numbers, and the last four digits of the credit cards.

In March of 2018, the Ninth Circuit Court reversed a decision by the United States District Court for the District of Nevada that tossed claims brought by customers affected by the data breach who claimed that the breach left them in “imminent” risk, because they did not allege having already suffered financial losses. A three-judge Ninth Circuit panel held that sensitivity of the information stolen in the breach — including credit card numbers and other means to commit fraud or theft — led them to conclude the customers had adequately alleged an injury. “Plaintiffs allege that the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming,’ which are ways for hackers to exploit information they already have to get even more PII,” the panel wrote.

Businesses facing class action litigation following a data breach have long waited for the Supreme Court to weigh in on the issue of whether a demonstration of actual harm is required to have standing to sue. Federal circuit courts over the past few years have struggled with this issue, in large part due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury. For example, the 3rd6th, 7th,  9th  and D.C. circuits have generally found standing, while the 1st2nd4th and 8th circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”.

In its appeal to the Supreme Court, Zappos argued that “the factual scenario this case presents – a database holding customers’ personal information is accessed, but virtually no identity theft or fraud results – is an increasingly common one”. The rejection by the Supreme Court of the Zappos petition is considered a setback for companies facing similar litigation. Moreover, the California Consumer Privacy Act, set to take effect in 2020, authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards which result in a data breach, and the Illinois Supreme Court recently held that actual harm was not required to sue under the Illinois Biometric Information Privacy Law (“BIPA”).  The Supreme Court did not provide a reason for its denial of the Zappos petition, nonetheless its decision coupled with these state initiatives, is likely to have a significant impact on data breach class action lawsuits going forward.

Third Circuit Rules in Favor of Employer Who Monitored Former Employees’ Social Media Accounts

On February 25, 2019, the Third Circuit held that a New Jersey engineering firm that monitored its former employees’ social media accounts was not barred from winning an injunction to prevent four former employees from soliciting firm clients and destroying company information.

In this case, several employees left the engineering firm to start two competing businesses. While still employed with the firm, the employees discussed over social media the possibility of starting a competing venture, and transmitted firm documents and other relevant information outside the firm’s network. After the mass resignation, and loss of a key firm client, the firm’s network administrator was instructed to examine the former employees’ work computers. During this time the administrator allegedly, inter alia, reviewed browser history (including deleted activity), accessed personal social media accounts via passwords saved on the computers and installed software allowing him to monitor social media activity without detection.

The third circuit, in a split three-judge panel opinion, upheld the district court’s July decision, holding that the firm’s monitoring activity did not constitute “inequitable conduct” under the “unclean hands doctrine” to bar the firm from winning its request for injunction. The unclean hands doctrine “applies when a party seeking relief has committed an unconscionable act immediately related to the equity the party seeks in respect to the litigation.” That said, the court emphasized that even if the firm’s monitoring activity did constitute an “unconscionable act”, the conduct was not related to the claim upon which equitable relief was sought. In other words, the court’s decision was not based on whether the firm’s monitoring activity was in fact “unconscionable”, but rather whether it related to their injunction request, leaving the door open for such conduct to be considered “unconscionable” under different circumstances.

Although not mentioned in the opinion, New Jersey has a social media access law that generally prohibits employers from requesting or requiring a current or prospective employee to provide or disclose any user name or password, or in any way provide the employer access to, a personal account. That said, the law includes an exception permitting employers to conduct investigations regarding: work-related employee misconduct based on information about activity on social media; or an employee’s actions based on information about the unauthorized transfer of an employer’s proprietary, confidential, or financial information to social media. Also not mentioned in the opinion, cases under similar circumstances often invoke federal Stored Communications Act (“SCA”) violations. For example, in Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, a New York district court ruled in a non-compete action that accessing former employees’ accounts violated the SCA.

There are many reasons companies monitor employees, including boosting productivity, dissuading cyber-slacking or social “not-working,” protecting trade secrets and confidential business information, preventing theft, avoiding data breaches, avoiding wrongful termination lawsuits, ensuring that employees are not improperly snooping themselves, complying with electronic discovery requirements, and generally dissuading improper behavior.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potentially legal liability for invasion of privacy under statutory and common law.   Companies should review policies and applicable state and federal law, and tread carefully before embarking on a monitoring program and remember to monitor the monitors.

Washington D.C. Attorney General Seeks Stronger Data Security and Breach Notification Requirements

Add Washington D.C. Attorney General Karl A. Racine’s recent data security legislative proposal – the Security Breach Protection Amendment Act of 2019 – to the growing list of states and jurisdictions across the country seeking to strengthen privacy and security protections around personal information.

Proposed in response to major data breaches, a frequent catalyst to stronger data privacy and security legislation, AG Racine’s bill would expand legal protections concerning personal information to help prevent and enhance the response to a data breach. Specifically, the bill would:

  1. like legislation being considered in New Jersey, expand the definition of personal information that, if breached, would require notification. However, if passed, the definition of personal information in D.C. would be much broader than New Jersey and many other states, and include – passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information;
  2. require businesses that experience a data breach to include specific information in the notifications to affected persons, such as (i) the categories of information that were, or are believed to have been, involved in the breach, (ii) contact information for the person making the notification, as well as the credit reporting agencies, the FTC, and the D.C. Attorney General, and (iii) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze; and
  3. mandate businesses offer two years of free identity theft protection when a breach involves Social Security numbers. Washington D.C. would join states such as Connecticut, Delaware, and, in April, Massachusetts, in requiring such services be provided following certain breaches.

The bill also would mandate that businesses that handle personal information implement reasonable safeguards to protect that data. Additionally, businesses that obtain services from a nonaffiliated third party and disclose personal information of a DC resident under an agreement with that third party must require the third party by agreement to safeguard that information. Again, these changes put D.C. in the company of other states such as California, Colorado, and Massachusetts.

The legislative screws continue to tighten around data privacy and security.

Cost and Benefit Analysis of Bring Your Own Device Programs

An increasing number of companies have adopted Bring Your Own Device (“BYOD”) programs. Under a BYOD program, companies permit employees to connect their personal devices (e.g. laptops, smartphones, and tablets) to the company’s networks and systems to complete work-related duties. In contrast, under Corporate Owned Personally Enabled (“COPE”) programs, companies purchase and provide devices and network systems for employees. The two main benefits of BYOD programs are the company’s ability to maximize cost savings and foster positive relationships with employees. The use of personal devices both remotely and in the office can also improve efficiency and work product.

Although BYOD programs offer numerous advantages to companies, there are several business and legal concerns companies should consider when determining whether to implement, continue, or revise an existing BYOD program. The most apparent concern for companies is ensuring security of company data. Personal devices may not be password protected and/or may not operate on secure networks. Security risks prohibit companies from satisfying their obligations under federal and state laws. BYOD programs may also give rise issues related to non-compete laws. The use of personal devices to conduct job-related tasks creates an opportunity for employees to store proprietary company information. Remote work on personal devices exposes companies to liability for additional wage payments and overtime compensation under the Fair Labor Standards Act and similar state laws. Similarly, BYOD programs may create challenges for companies to maintain company data to satisfy electronic discovery requests during litigation. Companies should also consider its potential obligation to reimburse employees for the costs incurred to use their personal devices for work-related duties.

To minimize exposure to business and legal concerns, companies should focus on managing the security of personal devices both in the office and remotely. Check out our post from earlier this week on the National Institute of Standards and Technology’s Guidelines for Managing the Security of Mobile Devices in the Enterprise.

In addition to the considerations for adopting BYOD programs, companies should also consider key issues that arise when implementing and enforcing BYOD policies. It is important for companies to implement well-crafted BYOD policies addressing the several legal and business concerns. These considerations should include permitted and prohibited uses (e.g. devices and software), responsibility for lost, stolen, or damages devices, maintenance of devices and software, data storage requirements, and exit strategies for wiping company data from the device in the event of a separation, among others.

Our Bring Your Own Device (BYOD) Issues Outline offers a more extensive risk analysis on BYOD programs and to determine whether a BYOD program is a suitable option for your company/organization. Key aspects of an effective BYOD policy include addressing access management protocols, data security safeguards, device-wipe policies, employee stipend and reimbursement programs, data breach protocols and related issues.

NIST Publishes Guide to Secure an Organization’s Mobile Devices

Just last month, the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), published guidance for public and private companies to protect mobile devices and help prevent data breaches. The publication, titled “Mobile Device Security: Cloud and Hybrid Build,” is a how to guide for companies to secure mobile devices using commercially available technology. Through collaboration with technology organizations, government agencies, and academic institutes, the publication essentially acts as a practice guide for network architects to ensure employees can access information remotely, while minimizing security risks. It presents a variety of security solutions that can be tailored to a company’s needs and includes instructions for installing security products that meet the NIST’s standards. As stated by the NCCoE, the guide “demonstrates how commercially available technologies can meet your organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices.”

Companies that permit their employees to use mobile devices benefit from ease of communication and the convenience of allowing data to be accessed practically anywhere. However, security controls have not kept pace with the risks inherent in using mobile devices. As a result, a poorly secured mobile device may present significant security risks to a company.

Stolen or infiltrated mobile devices can be a gateway for wrongdoers to access a company’s sensitive and confidential information, email accounts, contacts, calendars, and other proprietary information. Even worse, a wrongdoer could gain remote access and hold a company’s data and information hostage, a tactic that has gained popularity in recent years. Moreover, not only is a company at risk of having its data compromised, but mobile device security breaches have resulted in significant financial penalties. See HIPAA Enforcement Actions.

With many states recently enacting or proposing consumer privacy and security legislation, companies must be mindful of the security risks presented by using mobile devices and ensure the devices are adequately protected. Moreover, companies must have an effective “Bring Your Own Device” (BYOD) policy in place concerning the use of the device, in addition to the security controls on the device. Be on the look out for our article on the cost – benefit analysis of implementing a BYOD policy, coming later this week.