In a groundbreaking move, likely to have significant impact on employee hiring and HR tech, the New York City Council has passed a measure (“the NYC measure”) that bans the use of automated decision-making tools to (1) screen job candidates for employment, or (2) evaluate current employees for promotion, unless the tool has been subject to a “bias audit”, conducted not more than one year prior to the use of the tool.  The NYC measure will take effect January 2, 2023.

The NYC measure was passed in response to growing concern about automated decision-making tools – which will also be regulated under the California Privacy Rights Act, set to take effect at the same time as the NYC measure – one such concern being that these tools may have unintended biases embedded in them, resulting in outcomes that discriminate against individuals based on protected characteristics like race, age, religion, sex and national origin.

The category of automated decision-making tools targeted by the NYC measure is “automated employment decision tools,” which the measure defines as “any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons.”  Excluded from the measure’s scope are tools that do not automate, support, substantially assist or replace discretionary decision-making processes and that do not materially impact natural persons, such as, for instance, junk email filters, firewalls, antivirus software, calculators, spreadsheets, databases, data sets, or other compilations of data.

Employers that intend to utilize an automated employment decision tool must first conduct a bias audit and must publish a summary of the results of that audit on their websites. They must also notify all NYC employees and/or job candidates (1) that the tool will be used in connection with the assessment or evaluation of their employment or candidacy, and (2) of the job qualifications and characteristics that the tool will use to make that assessment or evaluation.

Utilizing an automated employment decision tool without first conducting a compliant bias audit exposes employers to civil penalties of up to $500 on day one, followed by penalties of $500 to $1,500 every day thereafter. Failure to properly notify candidates or employees about use of such tools constitutes a separate violation.

This is not the first legislation of its kind, but it is certainly the most expansive. In late 2019, Illinois passed the Artificial Intelligence Video Interview Act (“the AIVI Act”), HB2557, which imposes consent, transparency and data destruction requirements on employers that implement AI technology during the job interview process. The AIVI Act, the first state law to regulate AI use in video interviews, took effect January 1, 2020. Likewise, in 2020, Maryland enacted a law that requires notice and consent prior to use of facial recognition technology during a job interview. And the Attorney General of Washington D.C. recently introduced a bill that addresses discrimination in automated decision-making tools generally. Similar legislation is likely to trend across other states as this technology continues to infiltrate hiring practices and other areas of business. Since as early as 2014, the EEOC has been taking notice of “big data” technologies and the potential that the use of such technology may violate existing employment laws such as Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.

Only time will tell the impact the NYC measure and others of its kind will have on employment practices, but employers should tread carefully with AI usage in the workplace. Moreover, it will likely not be long before other states and localities enact similar legislation. Employers, regardless of jurisdiction, should be evaluating their hiring practices and procedures, particularly to ensure that they obtain appropriate written consent before using any technology that collects sensitive information about job applicants or employees, and that they have conducted all requisite privacy and bias impact assessments.

The CCPA has reached the two-year mark. This is a good time for businesses to review the success of their compliance programs, recalibrate for the CCPA’s third year, and gear up for the CPRA’s January 1, 2023 effective date.

Here are a few suggestions:

  1. Privacy Policies. The CCPA requires a business to update the information in its privacy policy or any California-specific description of consumers’ privacy rights at least once every twelve months. If your business has not already done so, now is a good time to review both online and offline data collection practices to ensure privacy policies accurately disclose, at a minimum, the categories of personal information (“PI”) collected in the preceding 12 months, the categories of PI sold in the preceding twelve months, and the categories of PI it disclosed for a business purpose in the last 12 months.

Given the challenges of the last few months, your business may be collecting PI beyond what it currently discloses in its privacy policies. For example, the business may need to update its privacy policies to disclose the collection and use of COVID-19 related screening information, biometric information, or PI collected as a result of remote work situations.

If your business needs to update its privacy policy to reflect additional data collection activities, it will likely need to update its “notice at collection”, including employee and job applicant privacy notices.

  2. Employee training. The CCPA requires that a business ensure all employees handling inquiries about consumer rights, the business’s privacy practices, or its compliance with the CCPA are informed of applicable CCPA requirements. Businesses will want to
  • review training programs to ensure they include appropriate CCPA-related content;
  • determine whether employee handbooks and manuals have been updated accordingly; and
  • document that relevant employees have received training.
  3. Reasonable Safeguards. The CCPA does not currently create an affirmative obligation to implement reasonable safeguards for protecting consumer PI; however, it provides a private right of action to consumers whose PI has been involved in a data breach resulting from the business’s failure to implement reasonable security safeguards. With this in mind, your business will want to review whether it has
  • performed an annual risk assessment to identify new or enhanced risks, threats, or vulnerabilities to its systems or the PI it collects or maintains;
  • reviewed and updated its written information security program and data retention schedule;
  • practiced its incident response plan; and
  • updated its vendor management program to address cyber-based risk.

CCPA compliance is an ongoing activity, and these action items are worthy of review at the one-year mark. However, further year-end review might also include

  • an assessment of the business’s website’s accessibility;
  • confirmation that service provider agreements have been amended to satisfy the CCPA; and
  • incorporation of relevant CCPA provisions in new service provider contracts.

Although the CCPA does not mandate implementing reasonable safeguards, this will change effective January 1, 2023. The CPRA, which amends the CCPA, creates an affirmative duty to do so. Businesses should use the next year to identify what constitutes reasonable safeguards for their data and systems, begin implementing those safeguards, update internal policies and procedures as necessary, and train staff.

The CPRA also amends the CCPA disclosure requirements to include information relating to the collection and use of “sensitive personal information”. In addition, California consumers will have the right to limit the business’s use of this information in certain circumstances, similar to the right to opt out of the sale of personal information. In order to comply, businesses may need to revisit and expand their data mapping to capture sensitive personal information.

These are just two examples that necessitate reviewing your business’s data protection program and setting in motion processes to prepare for the CPRA. We will continue to post on steps your business can take in anticipation of January 1, 2023.

The leaders of our Wage & Hour Practice, Justin Barnes, Jeffrey Brecher and Eric Magnus, collaborated with us on this article.

According to reports, Kronos, the cloud-based HR management service provider, suffered a data incident involving ransomware affecting its information systems. Kronos communicated that it discovered the incident late on Saturday, December 11, 2021, when it “became aware of unusual activity impacting UKG solutions using Kronos Private Cloud.” Shortly after, Kronos issued a helpful Q&A for customers impacted by the incident. The company confirmed:

[T]his is a ransomware incident affecting the Kronos Private Cloud—the portion of our business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. At this time, we are not aware of an impact to UKG Pro, UKG Ready, UKG Dimensions, or any other UKG products or solutions, which are housed in separate environments and not in the Kronos Private Cloud.

This incident has already impacted time management, payroll processing, and other HR-related activities of organizations using the affected services. Ransomware and similar attacks also could compromise confidential and personal information maintained on affected systems, although there is no indication of that at this point. Clearly, organizations that use these services can be affected in several ways. The FAQs below provide information on some of the key issues these organizations should be thinking about.

Isn’t this really Kronos’ problem?

This certainly is a significant issue for Kronos and, based on communications from Kronos, the company is in the process of remediating the incident and alerting its impacted customers. However, because of the nature and extent of the services Kronos provides to its customers (i.e., employers), there are several things that HR, IT and other groups inside organizations that are customers of the affected services need to be doing. We address some of those items below.

From a communications perspective, this incident likely will receive significant news coverage, prompting questions from employees about the impact of the incident on their personal information, their schedules, their pay, etc. Employers will need to think carefully about how to respond to these inquiries, especially when there is little known at this point about the incident.

From a compliance perspective, employers should be reviewing and implementing their contingency plans depending on the scope of services received from Kronos. For example, clients using Kronos time management systems should be evaluating what measures they should be implementing to ensure their employees’ time is properly captured and paid. A company has a legal obligation to accurately track hours worked, regardless of whether their third-party vendor (like Kronos) responsible for the task can do so or not. Clients might want to institute, in the short-term, paper timekeeping and tracking systems to ensure that employees are taking appropriate breaks and being paid for all time worked. It would be especially helpful in this situation to have employees sign off that the amount of time they report and the breaks they took are accurate.

From a cybersecurity standpoint, the answer to the question of whether this is only Kronos’ problem likely is no. All 50 states, as well as certain cities and other jurisdictions, have breach notification laws. If there is a breach of security under those laws, there may be a notification obligation. The notification obligation to affected individuals largely rests with the owner of that information, which likely would be employers. We anticipate that if notification is required, Kronos may take the lead on that, although employers will want some assurances that notification will be provided in a time and manner consistent with applicable law.

What should we be doing?

There are several steps employers likely will need to take in response to this incident, not all of which are clear at this point because of what little is currently known. Still, there are some action items affected employers should be considering:

  • Stay informed. Closely follow the developments reported by Kronos, including coordinating with your HR and IT teams.
  • Consult with counsel. Experienced cybersecurity and employment counsel can help employers properly identify their obligations and coordinate with Kronos, as needed.
  • Communicate with employees. Maintaining accurate and consistent communications with employees is critical, especially considering that a significant part of the discussion around this incident could be taking place on social media. Your employees and their representatives, where applicable, may already be aware of this incident. To be prepared to address and respond to employee concerns, organizations should consider providing an initial short summary of the incident to potentially impacted individuals as soon as possible. That communication could be expanded over time with more information as it becomes available, perhaps in the form of FAQs like these. Less is more on the initial communication, again, given what little is known. However, it is important to let employees know the organization is aware of the incident and is actively taking steps to mitigate its effects on employees.
  • Review Your Kronos Services and Service Agreement. Begin evaluating the services that the organization receives from Kronos. This will help to implement contingency plans, but also to assess the nature and extent of the information that Kronos maintains on the organization’s behalf. The organization might be able to conclude early on that, while there may be impacted systems and operations, Kronos was not in possession of the kind of personal information pertaining to employees of the organization that could lead to a breach notification obligation. This information could be reassuring for employees. Also, review the services agreement between the organization and Kronos as it may include provisions that have particular relevance here. For example, the agreement may outline a process agreed to between the parties for handling data incidents like this.
  • Review your cyber insurance policy. It might be premature to make a claim against the organization’s cyber policy, assuming the organization has a cyber policy – an important consideration nowadays. But, key stakeholders should review the situation and discuss potential coverage options with the organization’s insurance broker and/or legal counsel. Becoming more familiar with existing cyber insurance policies and coverage is prudent as it might cover some of the costs an organization incurs in connection with incidents like this.
  • Evaluate vendors. Some are asking whether the “Log4j” vulnerability may have led to the Kronos incident; however, that has not been confirmed at this time. Log4j is a widely used Java library for logging messages, including error messages, in applications. Because other vendors also may have Log4j exposure, organizations may want to use this incident as a reason to examine more closely the data privacy and security practices of other third-party vendors, regardless of whether the Log4j vulnerability was exploited here. This is particularly the case for those vendors that handle the personal information of employees and customers.
  • Revisit your own data security compliance measures. Organizations also should check their own systems for Log4j and other vulnerabilities and fix them as quickly as possible.

Will the state breach notification laws apply?

We do not know if there has been a “breach” at this point. This will require investigation and analysis of the incident, which we understand is underway at Kronos at this time. However, if the incident affects certain unencrypted personal information of individuals, such as names coupled with social security numbers, drivers’ license numbers, financial account numbers, medical information, biometric information or certain other data elements, state breach notification laws may apply. Organizations that utilize Kronos’ services globally must consider a broader definition of personal data, such as under the General Data Protection Regulation (GDPR).

Thousands of organizations have suffered similar attacks, all of which illustrate the importance of planning for a response, not only trying to prevent one. Third party service providers play important roles for most organizations, particularly with regard to their HR systems and corresponding operations. It will take some time to work through this incident, but it should be a reminder for all affected organizations to continue to develop, refine, and practice their contingency plans.

Earlier this month, New York Governor Kathy Hochul signed into law a bill that will require New York private sector employers to provide written notice to employees before engaging in electronic monitoring of their activities in the workplace. Civil Rights (CVR) Chapter 6, Article 5, Section 52-C*2 will take effect six months after enactment, i.e., May 7, 2022.

Pursuant to the new New York law, electronic monitoring in the workplace includes monitoring of employees’ telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems. Prior written notice of the electronic monitoring must be issued at the time of hiring and must be acknowledged by the employee in writing or electronically.  In addition, the notice must be posted in a conspicuous place readily available for viewing by employees.

It is important to note that under the new law, a private right of action for employees that are impacted by the law is not available. The New York attorney general has exclusive enforcement authority. Failure to comply with the law’s notice requirements may subject the employer to a civil penalty of $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense.

Employer monitoring requirements of this kind are not exclusive to New York. In Connecticut, for example, both private and public sector employers are required to notify employees prior to electronic monitoring, with similar penalties for failure to comply. Likewise, in Delaware, an employer is not permitted to monitor or intercept an employee’s telephone conversations, email or internet usage without either prior notice in writing or, alternatively, a same-day notification each time the employee accesses the employer-provided email or Internet access services.

Excessive, clumsy, or improper employee monitoring can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections, as evidenced by the New York law and others of its kind. Advancements in technology have made it easier to monitor remote employees and, by extension, easier for employers that are not careful to violate the law.

When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. Whether in a jurisdiction that requires prior notice of employee monitoring or not, in general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs them what to expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectations of privacy, as well as making clear the information systems and activities that are subject to the policy.

COVID-19 changed the way many organizations operate, and monitoring and surveillance have become increasingly important, particularly for employers that do not share the same physical workspace with their employees.  When employers implement new monitoring and surveillance tools, they need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.

On October 27, 2021 the FTC issued a final rule (the “Final Rule”) amending 16 CFR Part 134, Standards for Safeguarding Customer Information (“Safeguards Rule”), after a period of notice and comment. While the existing Safeguards Rule imposes a general obligation on financial institutions to maintain an information security program, the Final Rule outlines these requirements in more granular detail. Importantly for smaller financial institutions, the Final Rule exempts businesses with fewer than 5,000 customers.

The Final Rule now defines key terms rather than incorporating them by reference. Other changes include requiring greater oversight of, and responsibility for, a company’s information security program by designating a qualified individual to maintain the program, requiring annual reports to a company’s board of directors or governing body, and requiring vulnerability assessments and penetration testing. While there will likely be some cost to comply with the new requirements of the Final Rule, the FTC indicated that the importance of these requirements justifies any associated costs.

What Businesses are Subject to the New Final Rule

The Final Rule applies to financial institutions that maintain customer information for over 5,000 individuals.

Data Breach Reporting Obligations

The FTC indicated in its discussion of the Final Rule that there may be future obligations to report data breaches to the FTC. The FTC requested comments on whether it should require such reporting. While reporting obligations were not added to the Final Rule, the FTC is issuing a Notice of Supplemental Rulemaking to impose data breach reporting obligations.

While not yet imposing data breach notification obligations, the Final Rule does require that covered businesses implement a written incident response plan.

Designation of a Qualified Individual and Internal Reporting

The Final Rule requires covered institutions to designate a qualified individual to oversee the organization’s information security program. This person need only be qualified and does not need to be an executive or CISO. In fact, this individual need not even be an employee. This allows smaller enterprises to utilize a third-party such as a virtual CISO. Previously, covered institutions were only required to designate an employee to coordinate the company’s information security program.

The qualified individual must now submit written reports to the company’s board of directors or senior officers no less than once a year. These reports must provide status updates regarding the company’s information security program, compliance with the Safeguards Rule, and other material issues such as risk assessments, security events or violations, and recommended changes to the information security program.

Overall, this change appears to be geared toward encouraging the participation of company leadership in information security. As the number of data breaches continues to increase, this change indicates that information security should receive regular consideration from company executives. The FTC stopped short of requiring the board of directors to certify the report, however.

Risk Assessments and Vulnerability Testing

The Final Rule requires companies to conduct regular, written risk assessments that include testing for vulnerabilities and penetration testing. Previously, risk assessments could remain fairly high level. Vulnerability assessments and penetration testing, however, are far more granular and technical in nature.

Penetration testing must be conducted at least annually. Not all IT managed service providers are equipped with the ability to conduct this testing. Companies may therefore need to employ additional vendors with increased technical capabilities.

Vulnerability assessments must be conducted every six months or whenever there is a material change in business operations or a material impact on the information security program. Vulnerability assessments are designed to identify and detect publicly known security vulnerabilities.

Increased Security Controls

The Final Rule imposes greater security controls on covered businesses. Here are some of the significant requirements imposed by the Final Rule:

  • Encryption – Customer data must now be encrypted both in transit and at rest. Data need not be encrypted while in transit throughout internal business networks, however.
  • MFA – Covered businesses are now required to implement multi-factor authentication for all remote connections. Long considered a best practice, the Final Rule now mandates MFA.
  • Audit Trails – Information systems must be continuously monitored to detect and log unauthorized access. Logging must be enabled to show when individual users access protected information.
  • Change Management – Any change within a company’s technical infrastructure has the potential to introduce new vulnerabilities. The Final Rule requires covered businesses to implement formal change management procedures. This includes identifying potential impact beforehand and thoroughly documenting all changes.
  • Secure Disposal – Financial institutions are required to dispose of customer information when it is no longer needed or when the law does not require them to retain it. This applies to both digital and paper records. The Final Rule requires deletion of customer information not accessed for more than two years.
  • Secure Development Practices – Any applications that utilize or access customer information, whether developed in-house or by a vendor, must implement secure development practices. This includes regular testing and security evaluations during the development lifecycle.

Vendor Management

The Final Rule identifies the significant risk presented by outside vendors. Covered businesses will be required to take reasonable steps in selecting service providers, which includes ensuring service providers implement and maintain appropriate safeguards for customer information. This oversight requirement applies not just during the selection of vendors but includes periodic assessments. Covered businesses may no longer simply rely on a vendor’s security certifications or attestations.

Effective Date

The Final Rule will take effect 30 days after the date of its publication in the Federal Register. But certain provisions of the Final Rule will not take effect until one year after publication to give smaller organizations adequate time to comply. Provisions that take effect one year after publication include:

  • Designation of a qualified individual and annual written reporting
  • Written risk assessments
  • Continuous monitoring
  • Annual penetration testing
  • Biannual vulnerability assessments
  • Enhanced training
  • Periodic vendor assessments
  • Written incident response plan

Conclusion

The Final Safeguards Rule imposes more detailed requirements for the information security programs of financial institutions. Covered businesses should prepare for the additional costs and administrative burden. Notification obligations to the FTC for data breaches may be soon to follow.


Last week, the Occupational Safety and Health Administration (OSHA) issued an Emergency Temporary Standard (ETS) implementing President Joe Biden’s COVID-19 vaccine mandate covering employers with at least 100 employees. The ETS is summarized here, including the general compliance deadline of 30 days from November 5, 2021, with an additional 30 days for testing to begin, if applicable.

Employers may already have the basic policy in place – get vaccinated or submit to periodic testing. But they may not be ready for the ETS’ record collection and record keeping requirements, or the obligations to make these records available upon request, sometimes within 4 business hours. Those are outlined here should the ETS survive the legal challenges filed in courts across the country.

When employers consider their ETS policies, they should consider these records issues to ensure compliance.

What records must covered employers collect and maintain?

Vaccination status. Because the ETS requires covered employers to determine the COVID-19 vaccination status of each employee, covered employers must collect “acceptable proof” of vaccination status, including whether each employee is fully or partially vaccinated. The list of items constituting “acceptable proof” includes, among other things, a copy of a COVID-19 Vaccination Record Card. See the full list here. If these items are unavailable, “acceptable proof” may also be an employee’s written certification, which is a signed and dated statement by the employee:

  • Attesting to vaccination status,
  • Attesting that they lost or are otherwise unable to provide the other forms of acceptable proof, and
  • Stating: I declare that this statement about my vaccination status is true and accurate. I understand that knowingly providing false information regarding my vaccination status on this form may subject me to criminal penalties.

The ETS notes that when attesting to vaccination status, employees should include in the attestation, to the extent they can recollect: (i) vaccination type, (ii) date(s) administered, and (iii) name of health care professional(s) or clinic site(s) administering the vaccination. Employers using an app for this purpose will want to ensure the app can capture this information, if available.

Employers must maintain a record of each employee’s vaccination status and preserve the “acceptable proof” for each fully or partially vaccinated employee. This includes the vaccine ascertainment records the employer obtained from employees prior to the ETS becoming effective. Employers also must maintain a roster of each employee’s vaccination status. The roster must list all employees and clearly indicate for each one whether they are fully vaccinated, partially vaccinated, or not fully vaccinated either because (i) they qualify for a medical or religious accommodation, or (ii) they have not provided acceptable proof of their vaccination status.

Testing. Covered employers that opt for a policy permitting employees either to be fully vaccinated or provide proof of regular testing must collect:

  • Documentation of the most recent COVID-19 test result which may not be provided more than seven days after the employee last provided a test result. This is for employees who report at least once every seven days to a workplace where other coworkers or customers are present.
  • Documentation of a COVID-19 test within 7 days prior to returning to the workplace, to be provided upon return. This is for employees who do not report for seven or more days to such a workplace.

The employer must maintain a record of each test result provided by each employee.

Are these records confidential?

The vaccination records and rosters, as well as the testing records, discussed above are considered employee medical records and must be maintained as such. They must not be disclosed except as required or authorized by the ETS or other federal law. Here are some best practices to consider. Employers using third parties to assist in the administration of these obligations should take steps to assess the safeguards in place at those third parties.

How long must the records be maintained?

In a move that will please covered employers, OSHA’s standard 30-year retention requirement does not apply to the records or rosters discussed above. Instead, they must be maintained and preserved while the ETS remains in effect. Of course, all are hoping that period will be much shorter than 30 years! But remember the Emergency Temporary Standard is just that, temporary, and only remains in effect for six months unless extended, while OSHA works on a permanent standard under which OSHA could choose to make COVID-19 vaccination records subject to its normal 30-year retention rule.

Do employees have a right to the COVID-19 vaccination or testing records maintained by their employers?

Yes. Covered employers must make an individual’s COVID-19 vaccination documentation and any COVID-19 test results available to that employee or to anyone with the employee’s written authorization. The records must be available for examination and copying by the end of the next business day following the request. The regulation does not indicate whether the employee’s request must be in writing.

In an effort to help ensure compliance with the ETS, covered employers also must make available to an employee or the employee’s representative (no written consent required here; OSHA does not believe these records will contain any PII and has no serious confidentiality or privacy concerns) the aggregate number of fully vaccinated employees along with the total number of employees at the workplace. Again, employers must make this information available by the end of the next business day following the request. Representatives include an employee’s (or former employee’s) personal representative as well as an authorized representative, meaning an authorized collective bargaining agent of one or more employees.

What about OSHA, does it have a right to the COVID-19 vaccination or testing records maintained by employers?

An even tighter time frame applies to the obligation of covered employers to provide to the Assistant Secretary, for examination or copying, (i) the employer’s written vaccination/testing policy and (ii) the aggregate number of fully vaccinated employees and the total number of employees at the workplace. The Assistant Secretary includes the Assistant Secretary’s designees, which could include OSHA’s Compliance Safety and Health Officers.

The time frame is within four business hours of a request. If the records are maintained at a location in a different time zone, the employer may use the business hours of the establishment at which the records are located when calculating the deadline. For any other records required to be maintained under the ETS, covered employers have until the end of the next business day after the request to provide them to the Assistant Secretary.

How must these requests for information be submitted to employers?

As noted in the ETS FAQs, employees, employee representatives, and OSHA can submit requests in any manner that provides adequate notice of the request to the employer. This may include requests in writing (e.g., email, fax, letter), by phone, or in person.


We anticipate many employers will be leveraging either existing platforms or new applications to assist with managing the records, roster, and other information required under the ETS. In the course of doing so, employers should be sure to maintain the privacy and security of the information throughout the process.

Last week, the Department of Justice (“DOJ”) announced the launch of its Civil Cyber-Fraud Initiative (“the Initiative”), aimed at combating “new and emerging cyber threats to the security of sensitive information and critical systems” and, in particular, at holding federal contractors and federal grant recipients accountable for their cybersecurity obligations by way of the False Claims Act. The Initiative will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section.

The False Claims Act imposes liability on persons and entities that defraud governmental programs. The Initiative will hold persons and entities accountable, via the False Claims Act, for several cybersecurity-related practices, including: 1) putting U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, 2) knowingly misrepresenting cybersecurity practices or protocols, and 3) knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

“For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Lisa O. Monaco in her announcement of the Initiative.

Well that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fiscal and public trust.

As detailed in Deputy Attorney General Monaco’s announcement, benefits of implementing the Initiative will include:

  • Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry partners.
  • Holding contractors and grantees to their commitments to protect government information and infrastructure.
  • Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly-used information technology products and services.
  • Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a competitive disadvantage.
  • Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their cybersecurity obligations.
  • Improving overall cybersecurity practices that will benefit the government, private users and the American public.

Notably, that same day, the DOJ also announced a second cybersecurity-related initiative, the National Cryptocurrency Enforcement Team (“the Team”), which will address activities by entities such as virtual currency exchanges that misuse cryptocurrency for criminal activity, including ransomware attacks. In addition to prosecuting such violations, the Team will help recover lost cryptocurrency payments, including those made to ransomware groups.

The DOJ is strategically increasing focus on cybersecurity, as the Biden Administration makes cybersecurity a top priority. The U.S. government has continued to ramp up efforts to strengthen its cybersecurity in the past year, and we can expect states to continue to legislate and regulate in this area. Businesses across all sectors will likely experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

With health-related data and how to protect it at the forefront of discussion since the start of the COVID-19 pandemic, this week California Governor Gavin Newsom signed into law two bills related to genetic data. First, AB 825 will expand the definition of personal information to include genetic data for purposes of the data breach notification requirements for businesses and government agencies, as well as the reasonable safeguard requirements for businesses. Second, SB 41 will establish the Genetic Information Privacy Act, requiring a direct-to-consumer genetic testing company to provide a consumer with notice of, and obtain consent regarding, its genetic data collection, use and disclosure policies.

Below is a breakdown of each law:

  • AB 825 – Unanimously approved by the Senate on September 8th, and by the Assembly back in May, AB 825 will expand the definition of personal information to include genetic data, defined as any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source, and concerns genetic material. This expanded definition of personal information will apply to three existing laws: 1) the Information Practices Act of 1977, which requires an agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of California whose unencrypted personal information was compromised; 2) Civil Code Section 1798.81.5, which requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices; and 3) Civil Code Section 1798.82, which requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach.
  • SB 41 – Also passed unanimously by both the Senate and Assembly in September, SB 41 will establish the Genetic Information Privacy Act, which will require a direct-to-consumer genetic testing company to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. In particular, the new law will provide consumers with the right to revoke consent in accordance with certain procedures, and a requirement for companies to destroy a consumer’s biological sample within 30 days of revocation of consent. The bill will further require a direct-to-consumer genetic testing company to comply with all applicable laws for disclosing genetic data to law enforcement without a consumer’s express consent, implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data. The law will impose civil penalties for violations of the law, and enforcement of such actions will be exclusive to the Attorney General, district attorney, county counsel, city attorney, or city prosecutor.

Both laws will take effect January 1, 2022. Whether an organization is a health care provider, a genetic testing company, an employer, or other company that potentially collects genetic data, it should review its policies and practices concerning genetic tests and genetic information.

The Federal Trade Commission (“FTC”) recently issued an important policy statement to health apps and other connected devices that collect or use consumers’ health information.  The FTC’s policy statement effectively clarified the position that health apps and related connected devices are subject to the Health Breach Notification Rule (“the Rule”), which requires vendors of personal health records (“PHR”) and PHR-related entities to notify U.S. consumers, the FTC, and in cases of certain breaches involving over 500 consumers, the media, if there has been a breach of unsecured identifiable health information.  The FTC’s commissioners voted 3-2 to approve the policy statement.

The FTC’s Rule helps account for entities that are not subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), but nonetheless collect and use sensitive health information.  The FTC notes in its policy statement that while the Rule was established more than a decade ago, “the explosion in health apps and connected devices” particularly with the onset of the COVID-19 pandemic, and a spike in cyberattacks in this space, has made the Rule’s obligations “more important than ever.”  Health apps include everything from fitness, sleep and diet trackers, to apps that help individuals track their disease, diagnosis, medications, mental health, other vital areas and more.

Specifically, the Rule states that:

each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:

  • Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and
  • Notify the Federal Trade Commission.

In addition, the Rule requires third-party service providers of such vendors, following the discovery of a breach of security, to provide notice of the breach to an official of the vendor designated in writing, and if no such designation is made, to a senior official of the vendor.

A PHR is defined as an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual.

Notably, the policy statement emphasizes that a health app is subject to the Rule if it is capable of drawing information from multiple sources, even if the health information comes from only one source. The FTC provides the example of a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar) – such an app is covered under the Rule.

The FTC’s policy statement further clarifies that when a health app discloses sensitive health information without user consent, a “breach of security” is triggered under the Rule, and such a breach is not limited to “nefarious behavior”.  “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.” Entities that fail to comply with the Rule are subject to monetary penalties of up to $43,792 per violation, per day.

The Rule has generated significant confusion for entities offering PHRs, particularly since the onset of the COVID-19 pandemic. It is important to emphasize that the FTC’s Rule does not apply to HIPAA-covered entities. The preamble of the Rule, for example, addresses whether the Rule would cover PHRs that a HIPAA-covered entity offers its employees. The preamble explicitly notes that “because the FTC’s rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees”. The overarching goal is to “harmonize” the HHS and FTC data breach notification requirements, and compliance with certain HHS rule requirements in turn satisfies compliance under the FTC Rule. There are, however, situations where an entity may have “dual or overlapping” coverage under the HHS and FTC rules. Here are a couple of examples: 1) a vendor with a dual role as both a business associate under HIPAA and a provider of PHRs to the public through its own website (reporting requirements under the HHS rule for its functions as a business associate, and requirements under the FTC Rule for its role as a provider of PHRs to the public); 2) PHRs offered to families (a HIPAA-covered group health plan would have breach reporting requirements under the HHS rule for the employee covered by the plan, but not for a spouse who has a PHR under the plan but is insured by a different provider, for whom the FTC Rule would apply). As a result, it is crucial for an entity that provides services and functions to varying categories of individuals to carefully parse out applicability under each of the rules.

The health app industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store medical data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

When use or disclosure of an individual’s health information or medical records is at issue, the assumption seems to be, much more often than not, that the HIPAA privacy and security rules apply. This has certainly been the case during the COVID-19 pandemic. Of course, it is true that in most healthcare settings, HIPAA is the primary law governing the use and disclosure of individually identifiable health information. However, HIPAA is often incorrectly applied in workplace settings.

Today, in an effort to clarify some of these issues as they relate to COVID-19 vaccination data, the Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA privacy and security rules (the “HIPAA rules”), issued this guidance. We have summarized some of the key points below.

Do the HIPAA rules prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine?

The OCR’s answer is clear – No.

The HIPAA Privacy Rule does not prohibit any person (e.g., an individual or an entity such as a business), including HIPAA covered entities and business associates, from asking whether an individual has received a particular vaccine, including COVID-19 vaccines.

It is important to remember that the HIPAA rules apply only to covered entities and business associates. In general, covered entities include health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. But, HIPAA does not apply to entities functioning in their role as employers or to employment records.

The OCR also reminds organizations that even if HIPAA applies, it regulates the use and disclosure of protected health information (PHI), not the ability to request information. Thus, the HIPAA rules do not prohibit a covered entity from receiving COVID-19 vaccination information about an individual. Of course, organizations that receive such information, including employers, still may have a duty to safeguard that information and keep it confidential.

Do the HIPAA rules prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties?

This is a popular question these days. The OCR’s answer, “No.”

OCR reminds readers that the HIPAA rules do not apply to employment records:

including employment records held by covered entities or business associates in their capacity as employers.

The OCR also observed that:

federal anti-discrimination laws do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement, subject to reasonable accommodation provisions and other equal employment opportunity considerations.

But, again, once collected, vaccination information must be kept confidential and stored separately from the employee’s personnel files under Title I of the Americans with Disabilities Act (ADA). And, group health plans sponsored by employers are, in most cases, HIPAA covered entities. This means that COVID-19 vaccination information maintained in connection with those plans, such as claims information, would be PHI subject to the HIPAA rules.

Do the HIPAA rules prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine?

Another popular question and, again, the OCR’s answer is no.

The HIPAA rules generally do not regulate what information can be requested from employees as part of the terms and conditions of employment. The following examples from OCR make clear that HIPAA does not prohibit a covered entity or business associate from requiring or requesting each workforce member to:

  • Provide documentation of their COVID-19 or flu vaccination to their current or prospective employer.
  • Sign a HIPAA authorization for a covered health care provider to disclose the workforce member’s COVID-19 or varicella vaccination record to their employer.
  • Wear a mask while in the employer’s facility, on the employer’s property, or in the normal course of performing their duties at another location.
  • Disclose whether they have received a COVID-19 vaccine in response to queries from current or prospective patients.

Do the HIPAA rules prohibit a doctor’s office from disclosing an individual’s PHI, including whether they have received a COVID-19 vaccine, to the individual’s employer or other parties?

Here, the answer is generally yes. The doctor’s office is a HIPAA covered entity, and the HIPAA rules prohibit covered entities from using or disclosing an individual’s (patient’s) PHI except with the individual’s authorization, unless an exception applies. Exceptions include, for example, disclosures made for treatment, payment, or health care operations. Absent an exception, the doctor’s office will need a written authorization to disclose the records.

Note, however, if the physician that owns the practice, while functioning as an employer, has COVID-19 vaccination information about an employee of the practice, the HIPAA rules generally would not apply to prohibit the physician from disclosing that information. But, other laws could apply, such as the ADA.

The OCR provides some additional examples:

  • A covered physician is permitted to disclose PHI relating to an individual’s vaccination to the individual’s health plan as necessary to obtain payment for the administration of a COVID-19 vaccine.
  • A covered hospital is permitted to disclose PHI relating to an individual’s vaccination status to the individual’s employer so that the employer may conduct an evaluation relating to medical surveillance of the workplace (e.g., surveillance of the spread of COVID-19 within the workforce) or to evaluate whether the individual has a work-related illness, provided all of the following conditions are met:
    • The covered hospital is providing the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
    • The PHI that is disclosed consists of findings concerning work-related illness or workplace-related medical surveillance.
    • The employer needs the findings in order to comply with its obligations under the legal authorities of the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or state laws having a similar purpose.
    • The covered health care provider provides written notice to the individual that the PHI related to the medical surveillance of the workplace and work-related illnesses will be disclosed to the employer.

Organizations across the country are struggling with COVID-19 related regulations and the impact on their operations – screening requirements, vaccination mandates, how to incentivize vaccinations, responding to customer demands for vaccination status information about employees, maintaining adequate staffing levels, arranging for COVID-19 testing, etc. This OCR guidance should help to some degree by clarifying some questions regarding whether an often-cited set of rules – the HIPAA rules – apply to limit the use and disclosure of information necessary to carry out some of these activities. As explained above, the HIPAA rules often are not applicable.