In a recent employee termination case, the Third Circuit Court of Appeals upheld the dismissal of race discrimination claims by a bank employee who was terminated because of a social media post.

Plaintiff, a Caucasian woman, was employed as a project manager in her employer’s wealth management department. In June 2018, a public news article on a social media site reported on the arrest of a local politician who allegedly drove a car through a crowd of demonstrators protesting the shooting death of Antwon Rose, Jr., a young, African-American male, by police officers. Plaintiff publicly commented on the article under her own social media account, “[t]otal BS. He should have taken a bus to plow thru.” Plaintiff’s social media account publicly stated that she was an employee of the bank.

The bank was not monitoring plaintiff’s social media account and was not aware of the post until offended users of the social media platform flooded the bank, and even its executive officers, with complaints.  Plaintiff was terminated after an investigation that found her post violated the bank’s conduct and social media policies.

The District Court agreed that plaintiff violated the bank’s policies and granted summary judgment in its favor. In doing so, it rejected plaintiff’s attempts to point to African-American employees who were not terminated for their social media posts. The Court specifically found those individuals were not similarly situated because, among other things, their posts did not advocate violence, were not made in the comments section of a public news story, and did not result in a “public outcry.” The Third Circuit affirmed the dismissal and agreed the alleged comparators were not similarly situated. The Court specifically agreed plaintiff’s post was far more egregious than those of the alleged comparators and was far more likely to harm the bank’s reputation.

Over the past few years, states around the country have enacted laws limiting an employer’s ability to access the personal social media accounts of job applicants and employees. However, these laws generally do not prohibit employers from conducting certain investigations, such as those needed to ensure compliance with state or federal laws, regulatory requirements, or prohibitions against work-related employee misconduct, when the employer has received specific information about activity on an employee’s or applicant’s personal online account. Employers also may monitor, review, access, or block electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network.

When companies are faced with adverse social media activity or campaigns, whether by employees, customers, bloggers, or others, they frequently are unprepared to take the appropriate steps to investigate, or to weigh the legal, business, reputational, and related risks in deciding what actions, if any, to take. For this reason, it is important to have a clear workplace social media policy in place to reduce the likelihood of an incident or at least limit its impact. But while courts and the National Labor Relations Board (NLRB) seem to have been employer-friendly of late in approving such policies, it is important to tread carefully, aiming to develop a policy that achieves the company’s legitimate business interests without compromising its employees’ right to privacy under statutory and common law and their rights related to freedom of speech. Employers should continue to exercise care when addressing and/or responding to their employees’ social media usage. Jackson Lewis attorneys are available to assist with those and other issues and to formulate preventative strategies that mitigate risk.

Today, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued much anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. The essence of today’s guidance:

Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

What that obligation means at this point is at least what EBSA set out in the following materials on its website, although the “Online Security Tips” are directed more to plan participants than plan fiduciaries:

Acknowledging ERISA-covered plans hold “millions of dollars or more in assets and maintain personal data on participants,” EBSA’s guidance lists a range of best practices for use by plan recordkeepers and service providers responsible for plan-related IT systems and data, as well as plan fiduciaries having the duty to make prudent decisions when evaluating and selecting plan service providers. Some of the EBSA’s best practices include:

  • Maintain a formal, well documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Implement a reliable annual third-party audit of security controls.
  • Follow strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  • Encrypt sensitive data, stored and in transit.

The EBSA fleshes out each of these best practices to give recordkeepers, service providers, and plan fiduciaries more guidance when developing their own policies and procedures. It is worth noting these best practices are not dissimilar to other, well-known frameworks designed to protect personal data. So, organizations that have engaged in efforts to comply with, for example, the HIPAA privacy and security rules for group health plans, the Massachusetts data security regulations, or the NY SHIELD Act will have a head start taking similar steps concerning their retirement plans and/or their services to plans.

Selecting ERISA plan service providers has long been an important fiduciary function for plan fiduciaries. In its guidance, EBSA offers key cybersecurity issues to account for when selecting service providers, including the following:

  • Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Plan sponsors may assume that a service provider referred from a trusted source with compelling marketing materials would have put in place appropriate cybersecurity safeguards. As the saying goes, “Trust, but verify.” This also applies to all third-party plan providers, even large, well-known organizations.
  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded. As these incidents are often reported, consider reviewing news accounts of the service provider’s response to the incident.
  • Investigate whether the service provider might have cyber insurance that would cover losses caused by cybersecurity and identity theft breaches, including misconduct by the service provider’s own employees or contractors, or a third party hijacking a plan participant’s account.
  • Consider the willingness of the service provider to include contract terms requiring ongoing compliance with cybersecurity, clear rules concerning use and disclosure of personal information, responsibility for security breaches, and other key terms addressing exposure to the plan, plan sponsor, and participants.

It is important to note that no set of safeguards will prevent all data breaches and no amount of due diligence will result in the selection of a flawless service provider. In many cases, a data breach experienced by a plan service provider may not warrant moving away from that provider. Here are some reasons why.

Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.

The Biden administration reportedly has called for all people at least 18 to be eligible for the COVID-19 vaccine by April 19, 2021, two weeks earlier than its prior goal of May 1, and less than a week away. Most states have already done so. Without the barriers created by state-by-state priority rules, the rate of vaccinations is likely to increase, hopefully helping to contain a fourth wave in COVID-19 cases observed in recent weeks.

No more confusing rules, President Biden

A BenefitsPro article cites a 2017 survey from the Society for Human Resource Management (SHRM) that found almost 60 percent of employers offer on-site flu vaccinations. Naturally, with expanding availability of COVID-19 vaccination doses and widespread eligibility, organizations are asking whether setting up an on-site COVID-19 vaccination program is more involved than one offering flu shots. The short answer is yes.

The country continues to operate under a national emergency due to a pandemic, not present during a typical flu season. Accordingly, concerns about safety and minimizing spread are significantly amplified. Individuals tend to be familiar with flu vaccines, not so with the current COVID-19 vaccines. Concerns over the emergency use authorization status of the COVID-19 vaccine, privacy, individual rights, school openings and childcare, effects on continued employment, liability, and so on are apparently not as prominent when getting an annual flu shot.

Taking those and other concerns into account, organizations considering setting up an on-site COVID-19 vaccination program have several issues to consider. Some of my colleagues and I assembled a nonexhaustive list of some of those issues (see our complete article here):

  • Getting Organized
  • Vaccine Administration and Reporting
  • Facility Suitability and Preparedness
  • Liability
  • Communications
  • Employment Issues
  • Privacy and Data Security

There is quite a bit to think about when setting up a COVID-19 vaccination program. While flu vaccination programs likely differ, prior experience with health fairs and flu vaccination offerings can be helpful reference points. Having a good team in place, careful planning, and the support and collaboration of an LHD or TPHCP, among other things, will help lead to a successful program.

COVID-19 drove many formerly in-person interactions onto a variety of video conferencing platforms.  But as millions of vaccinations are administered each day, and case numbers decline, it’s now possible to imagine and plan for the time when conducting business over video will no longer be mandatory.

For many organizations, though, COVID-19 has led to an epiphany that will very likely outlast the pandemic: Many aspects of work can be conducted remotely, without any drop in productivity and with enormous advances in convenience and geographic reach.

An organization based in Chicago, for instance, no longer needs to limit its pool of job candidates to those willing to relocate to that city, and no longer needs to fly candidates in – at great expense – for in-person interviews.  Instead, the organization can expand the scope of its search to include candidates who live – and plan to remain – in distant locations like Austin, Denver, Miami, and Nashville, and can interview those candidates by video conference.

What’s more, video conferencing platforms allow an organization to record those interviews, thereby potentially reducing biases and errors in its interview processes by creating far more reliable records of what transpired during each interview.  The benefits don’t end there.  The organization can then use its archive of video interviews to evaluate which interview styles and questions were most effective in screening candidates and can use the videos to train its staff on best practices for conducting future interviews.

But there’s a catch: In addition to potential concerns that the recordings may create unhelpful or even harmful “evidence,” video recording job interviews may also expose organizations to significant data privacy and security risk – risk which can and must be managed through thoughtful policies and procedures.

Risks

  1. Candidates in other states or countries may bring their jurisdictions’ data privacy and security obligations with them. Many data privacy and security laws are tied to the location or residence of the data subject (e.g., the job candidate), not the location of the data controller (e.g., the organization conducting the search). If your organization records interviews of candidates residing in California or the EU, for instance, it may be subject to obligations under the CCPA or GDPR, respectively. Both of these laws generally require the provision of certain privacy notices and, in the case of the GDPR, grant data subjects an expansive set of rights related to the collection, use, disclosure, and retention of their data. (Beginning in January 2023, when a new California law, the CPRA, takes effect, California candidates will have similarly expansive rights.)
  2. Interview recordings will likely contain far more personal information than the notes or memos generated during or after in-person interviews. Interview discussions can be wide-ranging, often touching on subjects that may qualify as personal information under applicable law – including information that would rarely make it into written records of that discussion.  For instance, even if not asked, the candidate might discuss her own or a family member’s medical condition, or she might directly or indirectly indicate her religious affiliation or sexual orientation.  And even when discussion focuses on more mundane topics – like educational and work histories – the information collected may trigger privacy obligations under expansive privacy regimes like the CCPA, CPRA, and GDPR.
  3. Complying with purpose limitations. The CCPA and GDPR require organizations to disclose to data subjects the purposes for which their personal information is used.  And, in the case of the GDPR, the organization may be required to assess whether its own purposes for using the personal information may be overridden by competing interests of the data subject.  The obvious, likely unobjectionable, purpose for recording a video interview is to better evaluate the candidate at issue.  But if the organization subsequently decides to use the recording for training or marketing, it could incur obligations to provide additional disclosures, obtain additional consent, and/or conduct additional analysis.
  4. Ensuring all parties consent. About a dozen US states require consent of both parties to record a conversation.  An organization conducting interviews by video conference must therefore be mindful that, prior to recording the interview, it should obtain consent from both the candidate and the employees involved in conducting the interview.
  5. Ensuring video interviews are adequately secured. Data breaches have become an enormous source of liability for most organizations.  It is not unusual for breaches to stem from systems or databases that an organization overlooked when designing its data security program because they weren’t obvious repositories of sensitive information.  An archive of interview videos could easily fall into that category.

Mitigation Strategies

  1. Conduct scope analysis. Given the proliferation of data privacy and security laws – Virginia recently passed an expansive new privacy law, and Colorado, Florida, New York, and other states may soon follow suit – and the fact that many of these laws are tied to the location or residence of the data subject, determining which laws will govern your organization’s recording of video interviews is a critical first step.
  2. Ensure you provide requisite privacy notices. If applicable, based on your organization’s scope analysis, provide privacy notices to interviewees prior to their interview.  Where the CCPA applies, for instance, your organization will likely need to provide a “notice at collection” to candidates, disclosing to them the categories of personal information that your organization collects about job applicants and the purposes for which it uses that information.
  3. Prepare to respond to requests for access, deletion, and rectification. If the GDPR applies, candidates may be entitled to request that your organization grant them access to their interview recordings, that it delete those recordings, or that it permit candidates to correct inaccurate information in the recordings. In California, the CPRA will begin imposing similar requirements when it takes effect.
  4. Collect requisite consent. Your organization will, in most instances, be able to address applicable obligations to obtain consent to record video interviews by taking two relatively simple steps.  First, it should develop a policy placing all employees who conduct video interviews on notice that those interviews will be recorded and collect from each employee an acknowledgment of receipt of that notice.  Second, it should train applicable employees to advise candidates at the start of each interview that the interview will be recorded for specified purposes (e.g., to improve the quality of the organization’s interview processes).
  5. Develop policies and procedures to ensure proper use, disclosure, security, and retention. To comply with the GDPR, CCPA, and other data privacy and security laws, your organization should ensure that it has policies and procedures in place to regulate how interview recordings are used, who has access to them, to whom they’re disclosed, where they’re stored, and how long they’re kept. For instance, your organization may need to develop policies to prevent the use of interview recordings for purposes not previously disclosed; to restrict access to the recordings to employees with a legitimate need; to limit disclosure of the recordings to trusted third parties with whom it has proper contractual protections in place; and to ensure the recordings are securely destroyed in accordance with the organization’s record retention policy.

With good reason, many organizations are intrigued by the prospect of recording video interviews – along with other video communications – for future use.  For organizations engaging in this practice, or planning to, however, it’s important to be mindful of the associated risks.  These risks will not, in most instances, be prohibitive, but they require careful consideration and the implementation of thoughtful mitigation strategies.

In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such a defense.

In short, the Act seeks to incentivize individuals, associations, corporations, and other entities (“persons”) to maintain reasonable safeguards to protect personal information by providing an affirmative defense in litigation flowing from a data breach. More specifically, a person that creates, maintains, and reasonably complies with a written cybersecurity program that is in place at the time of the breach will be able to take advantage of an affirmative defense to certain claims under the Act:

  • A claim alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.
  • A claim that the person failed to appropriately respond to a breach of system security.
  • A claim that the person failed to appropriately notify an individual whose personal information was compromised in a breach of security.

The written cybersecurity programs must satisfy several requirements to warrant the Act’s protection. In part, such programs must provide administrative, technical, and physical safeguards to protect personal information. These safeguards include:

  • being designed to:
    • protect the security, confidentiality, and integrity of personal information;
    • protect against any anticipated threat or hazard to the security, confidentiality, or integrity of personal information; and
    • protect against a breach of system security.
  • reasonably conforming to a recognized cybersecurity framework (see below); and
  • being of an appropriate scale and scope in light of several factors (e.g. size/complexity of the business, the business’s nature/scope, sensitivity of the information protected, etc.)

Reasonably conforming to a recognized cybersecurity framework generally means (i) being designed to protect the type of information involved in the breach of system security, and (ii) either (I) constituting a reasonable security program as described in the Act; (II) reasonably conforming to an enumerated security framework, such as NIST Special Publication 800-171 or the Center for Internet Security Critical Security Controls for Effective Cyber Defense; or (III) reasonably complying with the federal or state regulations applicable to the personal information obtained in the breach of system security (e.g., complying with HIPAA when “protected health information” is breached).

A person may not claim an affirmative defense, however, if:

  • The person had actual notice of a threat or hazard to the security, confidentiality, or integrity of personal information;
  • The person did not act in a reasonable amount of time to take known remedial efforts to protect the personal information against the threat or hazard; and
  • The threat or hazard resulted in the breach of system security.

Utah is the second state to establish an affirmative defense to claims arising from a data breach.  Back in 2018, Ohio enacted the Ohio Data Protection Act (SB 220), similarly providing a safe harbor for businesses implementing and maintaining “reasonable” cybersecurity controls.

The affirmative defense model established by both Utah and Ohio is a win for both companies and consumers, as it incentivizes heightened protection of personal data while providing a safe harbor from certain claims for companies facing data breach litigation. It would not be surprising to see other states take a similar approach. Most recently, the Connecticut General Assembly reviewed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”, which provides for a safe harbor similar to those in Utah and Ohio. Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step, and one that might provide protection from litigation following a data breach.

One of the industries perhaps hardest hit by the coronavirus, the travel industry, received welcome news late last week in the form of CDC guidance stating that people fully vaccinated against COVID-19 can resume domestic travel and do not need to get tested for COVID-19 before or after travel or to self-quarantine after travel.

According to the guidance, released on April 2, 2021, fully vaccinated people need not get tested before leaving the United States (unless required by the destination) or self-quarantine after returning to the United States (unless required by state or local law). With the increasing rate of vaccinations, this is another encouraging sign of a steady approach to some sense of a normalcy, though there are lots of questions about what travel will look like in the months and possibly years ahead.

This change from the agency’s previous recommendation that people “delay travel and stay home,” according to the Washington Post, is based largely on “newly released studies showing the real-world effectiveness of the vaccines.” For example, one study showed the second dose of the COVID-19 vaccine reduced infection risk by 90 percent. Highlighting the demand for travel, the Washington Post notes TSA officials reported 26 days in March when more than a million people moved through security checkpoints, compared to only 124,021 on April 1, 2020.

So, what will travel look like going forward?

An option may be a “vaccine passport” or similar arrangement whereby a person’s vaccination status or other related information can be verified. According to CNN, although the White House has said it is not planning to maintain a central vaccinations database, officials are “working with a range of companies on establishing standards” for people to show they have been vaccinated. Other countries also are working on “vaccine passport”-type technology to facilitate travel while containing COVID-19.

A vaccine passport likely will involve a massive collection of individuals’ personal information, a price many may be willing to pay for vacation or work-related travel. Some involved in efforts to build such systems acknowledge the challenges, ranging from ensuring the systems work correctly to preventing identity theft and fraud. The World Health Organization echoed these concerns in a recent bulletin discussing similar technology it refers to as “immunity passports”:

While there may be limits to maintaining personal immunity certification information as private and confidential, measures should be implemented to minimize confidentiality breaches and non-consensual identification to reduce privacy concerns and protect nonimmune-certified individuals from any potential stigma and harm.

With business travel likely to increase, businesses quick to adopt a vaccine passport or similar system will have their own issues to consider concerning the privacy and security of their employees’ data and the use of such systems, particularly in connection with international travel, where the standards and requirements may differ.

Data privacy and security challenges are but one concern as travel in a post-COVID vaccination world picks up. Continued concern over COVID-19 variants, combined with slow inoculation rates in many countries, means that U.S. consulates (which issue the travel visas enabling international travelers to come to the U.S.) may be unable to keep up. Over the past year, international travel bans have proliferated across the world, starting with the travel bans and visa bans put into place in March 2020 by the Trump administration, which were quickly followed by a succession of travel bans in other countries. The resulting patchwork of travel bans and rules shut down most international travel to the United States, as well as worldwide, and created a backlog of cases at U.S. consulates. Consulates have been operating with reduced staff for health and safety reasons and have struggled to implement the ever-changing travel bans. Throughout the last year, visa processing times have steadily increased, if a visa was available at all. As travel opens up, adding a “vaccine passport” to the long list of requirements for obtaining a visa will further strain the consulates if they are expected to implement it. Although consulates are familiar with handling personal identifying information (after all, a visa application covers practically every personal biographical detail of the applicant’s life), a vaccine passport is an entirely new thing. How any such requirement would be balanced against the economic and business needs for travel is anyone’s guess.

As organizations reimagine how they do business, and now how travel will fit in to that mix, the list of things that need to be considered before getting on the road again continues to expand.

In a decision certain to have significant impact on Telephone Consumer Protection Act (TCPA) class action litigation, today the U.S. Supreme Court concluded narrowly that to qualify as an “automatic telephone dialing system”, a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator”. The underlying decision of the Ninth Circuit is reversed and remanded.

Back in July of 2020, the Supreme Court granted a writ of certiorari to review a Ninth Circuit ruling regarding the TCPA that addressed whether the statute’s definition of ATDS encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Ninth Circuit had taken a broad approach to this issue, concluding that “an ATDS need not be able to use a random or sequential generator to store numbers[.]” The Ninth Circuit explained that “it suffices to merely have the capacity to ‘store numbers to be called’ and ‘to dial such numbers automatically.’”

ATDS Circuit Split

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The TCPA defines “Automatic Telephone Dialing System” (ATDS) as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C § 227(a)(1). In 2015, the Federal Communications Commission (FCC) issued its 2015 Declaratory Ruling & Order (2015 Order), concerning clarifications on the TCPA for the mobile era, including the definition of ATDS and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS, and sparking a surge of TCPA lawsuits in recent years.

Consequently, several FCC-regulated entities appealed the 2015 FCC Order to the D.C. Circuit Court of Appeals in ACA International v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). The D.C. Circuit concluded that the FCC’s position that all equipment with the potential capacity for autodialing is subject to the TCPA was too broad. Although the FCC did say in its 2015 Order that “there must be more than a theoretical potential that the equipment could be modified to satisfy the ‘autodialer’ definition”, the Court held that this “ostensible limitation affords no ground for distinguishing between a smartphone and a Firefox browser”. The Court determined that the FCC’s interpretation of ATDS was “an unreasonably expansive interpretation of the statute”.

Since the decision in ACA Int’l, courts have weighed in on the D.C. Circuit’s ruling and the status of the 2015 Order, producing a circuit split over what constitutes an ATDS. The Second and Ninth Circuits have both broadly interpreted the definition of an ATDS, while the Third, Seventh, and Eleventh Circuits have taken a much narrower reading. For example, earlier this year the Eleventh and Seventh Circuits reached similar conclusions, back-to-back, narrowly holding that the TCPA’s definition of Automatic Telephone Dialing System (ATDS) only includes equipment that is capable of storing or producing numbers using a “random or sequential” number generator, excluding most “smartphone age” dialers.

Supreme Court Decision

The Supreme Court unanimously concluded, in a decision written by Justice Sotomayor, that to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator.

“Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sotomayor pointed out in rejecting the Ninth Circuit’s broad interpretation of the law.

Moreover, Sotomayor noted that “[t]he statutory context confirms that the autodialer definition excludes equipment that does not ‘us[e] a random or sequential number generator.’” The TCPA’s restrictions on the use of autodialers include using an autodialer to call certain “emergency telephone lines” and lines “for which the called party is charged for the call”. The TCPA also prohibits the use of an autodialer “in such a way that two or more telephone lines of a multiline business are engaged simultaneously.” The Court narrowly concluded that “these prohibitions target a unique type of telemarketing equipment that risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.”

Takeaway

The Supreme Court’s decision should help resolve the ATDS circuit split and provide greater clarity and certainty for parties facing TCPA class action litigation. And while this decision is considered a win for defendants facing TCPA litigation, organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

On March 11th, Indiana Governor Eric Holcomb signed into law HB 1143, prohibiting employers from requiring a candidate for employment or an employee to have a device implanted or otherwise incorporated into their body, as a condition of employment. The Indiana law will take effect July 1, 2021.

The COVID-19 pandemic caused many companies to instruct employees to work from home for the foreseeable future, which resulted in a spike in the use of employee monitoring technologies in the workplace. Frequently, the aim is to track an employee’s physical location, to measure productivity, or, most recently, to track close contacts for COVID-19-related contact tracing purposes. These measures raise questions about proper protection of employee privacy rights.

Advancements in technology have made it easier to monitor remote employees and, for employers that are not careful, easier to violate the law. Several states have taken legislative action to prohibit an employer from requiring an employee to permit implantation of a device or microchip as a condition of employment or continued employment, Indiana being the latest. We provide an in-depth analysis of the Indiana law here, along with legislative activity in other states.

Colorado recently became the latest state to consider a comprehensive consumer privacy law. On March 19, 2021, Colorado State Senators Rodriguez and Lundeen introduced SB 21-190, entitled “an Act Concerning additional protection of data relating to personal privacy”. Following California’s bold example of the California Consumer Privacy Act (“CCPA”), effective since January 2020, Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit. Furthermore, California is expanding the protections provided by the CCPA with the California Privacy Rights Act (CPRA) – approved by California voters under Proposition 24 in the November election.

Unsurprisingly, Colorado’s SB 21-190 generally tracks the CCPA, CDPA, CPRA and the EU General Data Protection Regulation (GDPR). Key elements of the Colorado bill include:

  • Jurisdictional Scope. SB 21-190 would apply to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that either:
    • Control or process personal data of more than 100,000 consumers per calendar year; or
    • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
  • Exemptions. SB 21-190 includes various exemptions related to healthcare entities and health data, such as protected health information under HIPAA, patient identifying information maintained by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research. Additional exemptions include, without limitation, personal data collected for the purposes of the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), Children’s Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA). Finally, data maintained for employment records purposes is exempted as well.
  • Personal Data. Similar to its counterparts, Colorado’s SB 21-190 broadly defines personal data to mean “information that is linked or reasonably linkable to an identified or identifiable individual.”
  • Sensitive Data. Like the CDPA, CPRA and GDPR, SB 21-190 includes a category for “sensitive data”. This is defined as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status OR genetic or biometric data that may be processed for the purpose of uniquely identifying an individual OR personal data from a known child”. As with Virginia’s CDPA, there are two key compliance obligations related to “sensitive data”. First, sensitive data cannot be processed without obtaining consumer consent, or in the case of a known child or student, without obtaining consent from a parent or lawful guardian. Second, the controller must conduct and document a data protection assessment specifically for the processing of sensitive data.
  • Protected Persons. SB 21-190 defines “consumer” as an “individual who is a Colorado resident acting only in an individual or household context”. The Colorado bill states that the definition of consumer does not include “an individual acting in a commercial or employment context”.
  • Consumer Rights. Under SB 21-190, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data.
  • Data Protection Assessments. Akin to Virginia’s CDPA, the Colorado bill requires data controllers to conduct a data protection assessment for each of their processing activities involving personal data that presents a heightened risk of harm to consumers, such as processing for purposes of targeted advertising or processing sensitive data (as mentioned above).
  • Enforcement. If enacted, SB 21-190 would be enforceable only by the Colorado attorney general or district attorneys. A violation of the law could result in a civil penalty of not more than $2,000 for each such violation (not to exceed $500,000 for any related series of violations), or an injunction.

Colorado’s SB 21-190 is in the early stages of the legislative process, but it signals the continued momentum building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, should be carefully assessing their data collection activities, developing policies and procedures to address their evolving compliance obligations and data-related risks, and training their workforce on effective implementation of those policies and procedures.

A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), has become the eighteenth HIPAA covered entity to face an enforcement action under the Office for Civil Rights’ HIPAA Right of Access Initiative. According to the OCR’s announcement, VPS agreed to a two-year corrective action plan and to pay $30,000 to settle a potential HIPAA violation.

What is the “right to access” under HIPAA?

The HIPAA Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems onsite, remotely, or is archived.

When implementing this rule, covered entities and their business associates have several issues to consider, such as:

  • What information is subject to the right and what information is not, such as psychotherapy notes.
  • Confirming the authority of a “personal representative” to act on behalf of an individual.
  • Procedures for receiving and responding to requests – such as written request requirements, verifying the authority of requesting parties, timeliness of response, whether and on what grounds requests may be denied, and fees that can be charged for approved requests.

To assist covered entities (and business associates), the OCR provides a summary of right of access issues, as well as a set of frequently asked questions.

Resolution of OCR’s Eighteenth “Right of Access” Enforcement Action

The OCR’s investigation commenced in September 2019, when it received a complaint from a patient that VPS had failed to timely respond to the patient’s records access request made in the prior month. According to the OCR resolution agreement, OCR determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days, if an extension is applicable).

In addition to the monetary settlement of $30,000, the resolution agreement requires VPS to implement a corrective action plan (“CAP”) that includes two years of monitoring by the OCR. The CAP requires the small practice to, among other things:

  • revise its right of access policies,
  • submit its right of access policies to OCR review,
  • obtain written confirmation from staff that they read and understand the new right of access policies,
  • train staff on the new policies, and
  • every 90 days submit to OCR a list of requests for access from patients and VPS’ responses.

Getting Compliant

Providers receive all kinds of requests for medical and other records in the course of running their businesses. Reviewing and responding to these requests no doubt creates administrative burdens. However, buying forms online might not get the practice all it needs, and could put the practice at additional risk if those forms are followed without considering state law or are not implemented properly.

Putting in place relatively simple policies, carefully developing template forms, assigning responsibility, training, and documenting responses can go a long way toward substantially minimizing the risk of an OCR enforcement action and its severity. Providers also should be considering sanctions under state law that might flow from failing to provide patients access to their records. It is worth noting that in some cases state law may be more stringent than HIPAA concerning the right of access, requiring modifications to the processes practices follow for providing access.