UPDATE:  The Federal Communications Commission (FCC) has reached a settlement with two telecom companies in connection with allegations the telecom companies violated the law regarding the privacy of phone customers’ personal information.

As we previously reported and discussed, in October 2014 the FCC initiated its first data security case against TerraCom, Inc. and YourTel America, Inc.  Originally, the FCC had proposed a $10 million fine, which at the time made it the largest privacy action in the FCC’s history.  Ultimately, the FCC and the telecom companies reached agreement on a $3.5 million settlement.

According to the consent decree, the companies allegedly breached the personal information of over 300,000 consumers through lax security practices, despite the privacy policies for the two companies stating that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.”

In addition to the $3.5 million settlement, the companies are also required to provide notification to all customers whose information was subject to the breach, provide credit monitoring to each individual, and improve privacy and data security by taking a number of additional steps.  Those steps include, by way of example:

While the settlement is significantly lower than the initial proposed fine, this matter demonstrates the significant liability associated with the failure to adequately safeguard information and/or to implement safeguards consistent with a company’s statements regarding same.

As anticipated, on July 10, 2015, the Federal Communications Commission (FCC) released its Telephone Consumer Protection Act (TCPA) Omnibus Declaratory Ruling which had previously been approved on June 18, 2015.  The Declaratory Ruling takes effect immediately.

In short, the Declaratory Ruling provides numerous rulings including:

  • Dialing equipment that simply has the capacity to store or produce, and dial random or sequential numbers meets the TCPA’s definition of “autodialer.”
  • Predictive dialers meet the definition of “autodialer.”
  • Callers cannot avoid obtaining consent by dividing ownership of pieces of dialing equipment that work in concert among multiple entities.
  • App developers do not make or initiate calls when one of the app users sends an invitational message using the app.
  • App developers do not make or initiate a text when an individual merely uses its service to set up auto-replies to incoming voicemails.
  • A called party may revoke consent at any time and through any reasonable means.
  • A calling party may not limit the manner in which revocation may occur.
  • If a question arises as to whether prior express consent was provided, the burden is on the calling party to prove that it obtained the necessary prior express consent.
  • The TCPA requires the consent not of the intended recipient of a call, but of the current subscriber (or non-subscriber customary user of the phone) and caller best practices can facilitate detection of number reassignment before calls are made.
  • Callers who make calls without knowledge of reassignment and with a reasonable basis to believe they have valid consent to make the call are permitted to initiate one call after reassignment as an opportunity to gain actual or constructive knowledge of the reassignment and cease future calls to the new subscriber.
  • For telemarketing calls, prior-express-written-consent requirements apply for each call made to a wireless number, rather than to a series of calls to wireless numbers made as part of a marketing or advertising campaign as a whole.
  • Nothing in the Communications Act or the FCC’s rules or orders prohibits carriers or VoIP providers from implementing call-blocking technology that can help consumers to stop unwanted robocalls.

In connection with the release of the Declaratory Ruling, FCC Chairman Tom Wheeler, who previously proposed the rulings, said:

The American public has asked us – repeatedly – to do something about unwanted robocalls. Today we help Americans hang up on nuisance calls.

The text of the Declaratory Ruling makes it clear that the FCC’s interpretation of the TCPA is extremely broad, with the intent of protecting those who are called — often to the detriment of companies which are trying to reach their customers/clients, potential customers/clients, or other interested parties, often with no ill intent.

As of July 2, 2015, Wisconsin law makes it a Class A misdemeanor for any individual to place a GPS device on another individual’s vehicle without the consent of the vehicle’s owner. Based on comments from the bill’s sponsors, it appears as though the goal of the new law is to protect potential victims of harassment or stalking. Given the advancements in technology, including the ability for anyone to purchase such a GPS device, measures like this are necessary to protect individual privacy rights.

While many employers may contemplate the use of GPS technology to track their employees, care must be given to jurisdictional laws which may be impacted by such use.  This is particularly true when the employer does not own the vehicle or device on which the GPS technology is installed.  As we have previously discussed, employers who utilize GPS tracking technology should be cognizant of potential legal issues which may arise when tracking employees during non-work hours as the employer may gain private information about an employee that may be considered an invasion into the employee’s personal privacy.  Similarly, the information obtained when tracking an employee (e.g. an employee’s religious denomination based on attendance at group services; an employee’s treatment for a medical issue based on travel to and from a treatment facility, etc.) could potentially lead to employee claims of discrimination or wrongful termination based upon off-duty conduct.

Importantly, the Wisconsin law does contain a number of exemptions from liability.  Specifically, the law exempts an employer or business owner acting to track the movement or location of a motor vehicle owned, leased, or assigned for use by the employer or business owner.  As such, employers tracking their own vehicles, even when utilized by an employee, would not be subject to liability under the Wisconsin law.

While GPS technology may have numerous benefits for an employer, consideration should be given to potential issues, many of which may not be readily apparent, prior to implementing the use of such technology.

In the wake of recent, large-scale data breaches, one being the breach at the Office of Personnel Management (OPM) affecting millions of federal employees, a number of bills have been battling their way through Congress to address breach notification and data security requirements at the federal level. There has been an ongoing pattern for years – big breaches, flurry of bills in both houses of Congress, bills die… big breaches, flurry of bills in both houses of Congress, bills die…

A sticking point for this legislation now and in past years is whether a federal law should preempt state notification laws. In a letter signed by the Attorneys General of just about every state with a data breach notification law (47 states have such a law), the National Association of Attorneys General tells Congress to let states continue to address this issue. It does not appear that the NAAG is necessarily opposed to a federal data breach notification law or data security standard; it just prefers that “a federal law must not diminish the important role states already play protecting consumers from data breaches and identity theft.”

However, many consider the matrix of state laws to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring. There is some merit to this. For example, the notification law in Massachusetts prohibits businesses from describing the circumstances of the breach in the notification letter. However, the notification laws in many other states require the letter contain a brief description. Also, some states such as New Jersey require notification to a state agency before notification is made to affected individuals, while other states do not have such a requirement. A third example is that many state laws have a “risk of harm” trigger; that is, a provision that says, in essence, notification is not required if there is not a significant risk of harm to the affected persons. The language in these provisions, however, varies considerably, making it difficult for a business to apply those provisions in a multi-state breach.

The debate certainly will continue. But what is important for businesses large and small is that they have a plan to respond to a breach, and practice that plan. Most companies will experience a data breach affecting personal information and, whether driven by federal and/or state laws, will likely have to notify affected persons. Preparation is critical, and here are some questions businesses, particularly small and mid-sized businesses, should be asking:

  • Who are the key people in the organization that would be in the best position to drive the breach response?
  • Do employees know what a data breach is and where to report one?
  • Does the company have vendors lined up in the event there is a breach?
  • Does our IT team have the appropriate expertise? They manage our systems and IT equipment, but do they know data security, forensics, etc.?
  • Who should we call first if we suspect we have had a breach?
  • Do we have to bargain with the union about our plans for dealing with breaches involving employee data?
  • Is there an insurance policy that might cover some of the costs?
  • Do we have a plan for addressing media attention?
  • Do we have any contractual obligations in connection with a breach? Will this affect our government contract? Have we met our payment card obligations (PCI compliance)?
  • Are we prepared to have our data privacy and security safeguards and written policies scrutinized by a federal or state agency?
  • What steps should we be prepared to take to mitigate potential harm following a breach?

Among the multitude of unpleasant issues facing a company whose network has been breached is potential liability to customers and employees whose personal information has been compromised.  However, recent district court decisions from around the country continue to limit the opportunity of those customers and employees to have their day in court.  Specifically, these cases have held that, in order for a customer or employee whose data has been stolen to gain standing to sue the company that experienced the breach, the customer or employee must show that the stolen data was, in fact, used to the customer or employee’s financial detriment.  And such financial detriment must be “concrete.”  Increased risk of future harm does not suffice, damages are not recoverable for “mitigation” measures – such as the purchase of credit monitoring services – taken to protect against speculative future harm, and an individual’s allegations that he fears such future harm will generally not be enough to establish a claim for emotional distress.

In Green v. eBay Inc., the U.S. District Court for the Eastern District of Louisiana dismissed a putative class action brought on behalf of eBay customers whose data was stolen when eBay user information was hacked. The suit alleged that, as a result of eBay’s security failure, Plaintiffs suffered (a) actual identity theft, (b) improper disclosure of their personal information, (c) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud, (d) the value of the time they had spent mitigating identity theft and/or identity fraud, and (e) the deprivation of the value of their personal information. eBay’s failure, Plaintiffs alleged, violated the Federal Stored Communications Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and several state laws. The Court disagreed. Noting that the “mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury[,] unless the harm alleged is certainly impending,” the Court dismissed the suit in its entirety.

Similarly, in Strautins v. Trustwave Holdings, Inc., the U.S. District Court for the Northern District of Illinois granted Defendant’s motion to dismiss Plaintiffs’ class action lawsuit seeking damages stemming from the hacking of the South Carolina Department of Revenue.  The data breach had exposed in excess of 3.5 million social security numbers, 380,000 credit and debit card numbers, and the tax records of more than 650,000 businesses.  Plaintiffs alleged that they had not received timely and adequate notification of this breach, and that the breach had resulted in the improper disclosure of their personal information, loss of privacy, the need to incur out-of-pocket mitigation expenses (relating both to dollars spent and time expended), and deprivation of the value of their personal identifying information.  They also alleged that Defendant, by failing to protect their data, had violated their rights under the Fair Credit Reporting Act.  The Court, however, found that Plaintiffs’ “claims of injury . . . [were] too speculative to permit the complaint to go forward.” “Allegations of possible future injury are not sufficient to establish standing,” the Court held. Instead, the “threatened injury must be certainly impending.”  (Emphasis in original.)

Even if a plaintiff can show that a hacker used the data it stole from plaintiff’s employer or merchant, such use may not suffice to confer standing on the plaintiff, unless he can also show that he suffered financial harm as a result.  In Peters v. St. Joseph Services Corp., for example, hackers infiltrated a health care system provider’s network and accessed personal information of patients and employees, including names, social security numbers, birthdates, addresses, medical records, and bank account information.  Even though there was an attempted purchase on Plaintiff’s credit card, which she declined when she received a fraud alert, the U.S. District Court for the Southern District of Texas held that Plaintiff did not have standing to bring suit.  The basis for the Court’s holding was that Plaintiff’s allegation that the breach exposed her to certainly impending or substantial risk of identity fraud/theft was too speculative and attenuated to constitute injury-in-fact.  Notably, she was unable to “describe how [she would] be injured without beginning the explanation with the word ‘if.’”

Notwithstanding the above decisions, companies should continue striving to establish legal and technological protections against data breaches and exposure to related liability.  Even where class actions and other litigations fail, federal agencies and state attorneys general may continue to investigate data breaches and take enforcement actions.  (Many have, the Massachusetts Attorney General being one example.)  These actions can include, among other things, significant fines and increased oversight of the company’s data privacy and security compliance.  And, of course, the potential consequences of data breaches do not end there.  Companies that experience a breach may also suffer damage to their brand and to employee morale.

Yesterday, the Federal Communications Commission (FCC) adopted a package of declaratory rulings which is meant to provide clarity to the Telephone Consumer Protection Act (TCPA). This ruling was previously proposed by FCC Chairman Tom Wheeler on May 27, 2015.

According to the FCC, the declaratory ruling is meant to protect consumers against unwanted robocalls and spam texts.  As we have previously discussed, complaints related to unwanted calls are the largest category of complaints received by the FCC.  The declaratory ruling was influenced by those complaints and is focused on addressing 23 petitions and requests for clarity on the FCC’s interpretations of the TCPA.

Key provisions of the ruling for consumers who use either landline or wireless phones include:

  • Green Light for ‘Do Not Disturb’ Technology – Service providers can offer robocall blocking technologies to consumers and implement market-based solutions that consumers can use to stop unwanted robocalls.
  • Empowering Consumers to Say ‘Stop’ – Consumers have the right to revoke their consent to receive robocalls and robotexts in any reasonable way at any time.
  • Reassigned Numbers Are Not Loopholes – If a phone number has been reassigned, companies must stop calling the number after one call.
  • Third-Party Consent – A consumer whose name is in the contacts list of an acquaintance’s phone does not consent to receive robocalls from third-party applications downloaded by the acquaintance.

Additional highlights for wireless consumers include:

  • Affirming the TCPA’s Definition of Autodialer – “Autodialer” is defined in the TCPA as any technology with the capacity to dial random or sequential numbers. This definition ensures that robocallers cannot avoid consumer consent requirements through changes in calling technology design or by calling from a list of numbers.
  • Text Messages as Calls – The FCC reaffirmed that consumers are entitled to the same consent-based protections for texts as they are for voice calls to wireless numbers.
  • Internet-to-Phone Text Messages – Equipment used to send Internet-to-phone text messages is an autodialer, so the caller must have consumer consent before calling.
  • Very Limited/Specific Exemptions for Urgent Circumstances – Free calls or texts to alert consumers to possible fraud on their bank accounts or remind them of important medication refills, among other financial alerts or healthcare messages, are allowed without prior consent, but other types of financial or healthcare calls, such as marketing or debt collection calls, are not allowed under these limited and very specific exemptions. Also, consumers have the right to opt out from these permitted calls and texts at any time.

While the ruling provides clarity as to the FCC’s interpretation of the TCPA, it also makes it clear that the FCC intends to interpret the provisions of the TCPA very broadly in an effort to afford the greatest protections to consumers – often at the expense of legitimate businesses. Declaratory Ruling and Order (FCC 15-72) was approved by a 3-2 vote, with Chairman Wheeler and Commissioner Clyburn approving, Commissioners Rosenworcel and O’Rielly approving and dissenting in part, and Commissioner Pai dissenting. The ruling takes effect immediately upon release of the full text. For additional information concerning the TCPA and its potential impact on you or your business, please see our TCPA FAQs.

Senate Bill 949 is now law in Connecticut, after being signed by Governor Malloy on June 11. As we reported, this law amends the state’s current breach notification mandate to require that, for breaches of certain personal information, covered businesses must provide one year of free identity-theft protection for affected persons. So, beginning October 1, 2015, covered companies that experience a data breach affecting a Connecticut resident – one that includes the resident’s name and Social Security number (SSN) – must offer that individual free identity theft prevention services and, if applicable, identity theft mitigation services for at least one year.

Identity Theft Protection Services: Requirements and Implications

As noted, the one-year requirement to provide identity theft protection services applies only when the breach involves a Connecticut resident’s name and SSN. Also, SB 949 requires that if such services have to be provided, the notification to the resident(s) must inform the recipient(s) on how to enroll in the services, and how to place a credit freeze on their credit file. The law also tightens the timeframe for providing all breach notifications (not just those involving free theft protection services). Breach notifications must continue to be made without unreasonable delay, but effective October 1, 2015, may not be made later than ninety days after the discovery of the breach, unless a shorter time is required under federal law.

This new mandate has significant implications for companies that have breaches involving SSNs and affecting individuals in many states including Connecticut. In such cases, the companies might feel compelled to offer identity theft protection services to all affected individuals, even though it may only be required for Connecticut residents. Of course, many businesses provide similar services already, but not in all cases.

In addition, businesses should consider evaluating potential providers of these services ahead of time so they will be ready to move quickly in the event of a breach that triggers this new mandate. Although it is not as clear as the Connecticut requirement, some have read the California breach notification law to have a similar mandate to extend one year of free identity theft protection services.

Another issue for businesses is determining the scope of services that needs to be offered. A cottage industry of credit monitoring, identity theft protection and remediation services has emerged. Like with most service offerings, some companies provide more extensive and thorough services than others, at varying costs. While SB 949 contains no minimum requirements for the identity theft prevention or mitigation services it requires, companies should consider the different service providers and levels of service in the marketplace to ensure their needs will be met.

As a reminder, during the legislative process for SB 949, Connecticut’s Attorney General, George Jepsen, acknowledged that the law would only set “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection.” In particular, in cases where the breach involves more sensitive personal information, the AG stated he would continue his practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.

Following a string of states across the country that have strengthened their data breach notification laws in recent months, Connecticut is about to amend its law to require, among other things, that businesses provide one year of identity-theft protection for persons affected by the breach. Many businesses already extend such services to breach victims, but, if enacted, Senate Bill 949 would mandate that covered businesses incur this expense. According to Connecticut’s Attorney General, George Jepsen, this change would only set “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection,” reports the Hartford Courant.

Specifically, the bill would require businesses that conduct business in the state and who own or license certain personal information of a Connecticut resident that is breached to

offer to each resident…appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident’s credit file.

Anticipated to become effective October 1, 2015, the bill also would require notice be provided not later than ninety days from discovering the breach, even though the current law already requires notification without unreasonable delay. Other provisions of the bill would add data security requirements applicable to state agencies and companies that contract with the state.

If signed into law by Governor Malloy, this bill would add to the matrix of state laws that businesses contend with when they experience multi-state data breaches. This frequently changing matrix, as highlighted by this possible change and those summarized below, highlights the need for companies to have a plan for responding to data breaches. According to InfoSecurity Magazine, about 86% of IT executives “feel prepared” for a data breach, but only 40% have a response plan. A company’s IT Director may feel she is prepared from an information security perspective, but may not have considered all of the steps the company would have to take in the event of a breach – these include without limitation: investigation, notification, legal compliance, media relations, coordination with law enforcement, arranging for identity theft protection services, setting up a call center, etc.

So what has been going on in other states?

As discussed below, a number of states have strengthened their generally applicable breach notification laws. Some states added provisions specifically for state agencies, while others revised data security mandates concerning student data. For example, Virginia’s Governor signed H.B. 2350 into law, which directs the state’s Department of Education to develop a model data security plan that may be used by school divisions to implement policies and procedures related to the protection of student data and data systems.

Montana: Beginning in October, the definition of personal information that could trigger a data breach was expanded from first name or initial and last name together with social security number, driver license number, or certain financial account numbers, to include certain medical information. The law change also requires notification to the state Attorney General’s office, as well as the affected individuals.

Nevada: Effective July 1, 2015, the personal information that will trigger a notification requirement if breached now includes (i) a medical identification number or a health insurance identification number, and (ii) a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

North Dakota: According to the amendment to this state’s law, businesses no longer have to be doing business in the state to be subject to the law, they simply have to own or license personal information that belongs to a resident of the state. The law also adds a notification requirement to the state’s Attorney General if more than 250 residents are affected by the breach. These and other changes made by the amendment become effective on and after August 1, 2015.

Washington: On April 23, 2015, Washington made a number of changes to its breach notification law. These include: (i) 45-day deadline for providing notification; (ii) adding a state Attorney General notification requirement; (iii) addition of specific notice content requirements, such as the name and contact information of the business reporting the breach; and (iv) expanding the application of the law to personal information in paper format. The law becomes effective July 24, 2015.

Wyoming: In Wyoming, two bills were passed to change the law in that state – S.F. 35 and S.F. 36. The changes that become effective July 1, 2015, include expanding the elements of personal information that would trigger a breach, and the information that must be included in the notification letters. Under the law as amended, personal information now also includes personal data such as (i) Federal- or state-government issued identification card; (ii) shared login secrets or security tokens known to be used for data based authentication; (iii) username or email address, in combination with a required password or security question and answer; (iv) a birth or marriage certificate; and (v) certain medical and health insurance information.

Also, notifications must provide breach victims specific information such as: (i) the types of personal identifying information believed to have been the subject of the breach; (ii) a general description of the breach and approximate date of the breach, if reasonably possible to determine at the time of the notice; (iii) actions taken to protect the system from further breaches; and (iv) advice directing affected persons to remain vigilant by reviewing account statements and monitoring credit reports.

Last week, Federal Communications Commission (FCC) Chairman Tom Wheeler circulated proposed declaratory rulings to provide clarity for consumers and businesses regarding the Telephone Consumer Protection Act (TCPA).  The proposal addresses two dozen petitions that sought clarity on how the FCC enforced the TCPA.  In addition to circulating his proposal to the other FCC commissioners for their consideration, Chairman Wheeler also issued a fact sheet to the public concerning the proposal.

As highlighted by Chairman Wheeler, unwanted calls and texts are the number one consumer complaint to the FCC, including 215,000 TCPA complaints in 2014.

The proposed rulings would include:

  • Giving consumers the right to revoke their consent to receive robocalls and robotexts in any way at any time.
  • Allowing carriers to implement market-based solutions to block robocalls.
  • Making clear that a reassigned number would not permit a barrage of robocalls which the previous subscriber consented to, and instead requiring calls to stop after one call.
  • Defining an “autodialer” as any technology with the capacity to dial random or sequential numbers.
  • Allowing very limited and specific exceptions for urgent circumstances which would be exempt from TCPA liability and permitting consumers to opt out of these calls and texts as well.

In addition, the proposal would leave in place many existing protections which exist under the TCPA including, but not limited to, the Do-Not-Call List, limits on Telemarketing Robocalls, and no exception for Political Calls.  Notably, the proposal would also stress the FCC’s strong enforcement of the TCPA.

The proposal will be voted on at the FCC’s Open Meeting on June 18, 2015 and if approved, would be considered in effect immediately upon release.

For more information concerning the TCPA and its potential impact on you or your business, please see our TCPA FAQs.

Over the past few years, states around the country have enacted laws limiting an employer’s ability to access the personal social media accounts of applicants and employees. Earlier this year, Montana’s Governor Steve Bullock signed HB 342 into law. Before that, Virginia enacted a similar measure. On May 19, Connecticut’s Governor added the Nutmeg state to the list, signing S.B. 426 into law, becoming effective October 1, 2015. Taking the protection of employee social media accounts a step further, a measure in Oregon, S.B. 185 A, would amend its existing law to prohibit employers from requiring employees or applicants (i) to establish or maintain personal social media accounts or (ii) to authorize the employer to advertise on their personal social media accounts. That bill, unanimously passed by the State’s legislature, awaits consideration by the Governor.

Similar to the social media privacy laws passed in other states, Connecticut’s law prohibits employers from requesting or requiring an employee or applicant to provide a user name and password, password or any other authentication means for accessing a personal online account. Under the law, employers also cannot require employees or applicants to authenticate or access a personal online account in front of the employer, nor can employers require employees or applicants to invite the employer or accept an invitation from the employer to join a group affiliated with the employee’s or applicant’s account. Like some of the laws in other states, a personal online account is one that is used by the employee or applicant “exclusively for personal purposes and unrelated to any business purpose of such employee’s or applicant’s employer or prospective employer, including, but not limited to, electronic mail, social media and retail-based Internet web sites.”

However, the Connecticut law does not prohibit employers from conducting certain investigations, such as to ensure compliance with state or federal laws, regulatory requirements or prohibitions against work-related employee misconduct based on the receipt of specific information about activity on an employee or applicant’s personal online account. Employers also may monitor, review, access or block electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network. The law also does not “prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law or rules of self-regulatory organizations.”

This last point may be helpful for those employers that may have a duty to monitor certain employee communications. For example, in expressing concerns over the effects of these state laws, the Financial Industry Regulatory Authority (FINRA) noted that its Regulatory Notices 10-06 and 11-39 provide that securities firms must establish procedures to review registered representatives’ written and electronic business correspondence, including interactive electronic communications that the firm or its personnel send through social media sites. In addition, firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are reasonably supervised to ensure that their communications are fair and balanced. Of course, employers, both in these regulated businesses and generally, will have to carefully review what is prohibited under these state laws, as well as the exceptions, in order to shape a strategy for compliance.

As a way of enhancing their exposure and reach in social media, some employers are looking to leverage their employees’ social media presence to more broadly promote the companies’ products and services. Putting aside potential labor, wage and hour, and other employment issues, the bill in Oregon would address potential privacy issues resulting from the practice of compelling employees to allow employers to use employees’ personal social media accounts to advertise. One effect of the law may be that employees will not allow their personal accounts to be used for business purposes. That, of course, may address some of the concerns FINRA and others raise about being able to monitor business communications by employees in their personal social media accounts. Another effect of the law may be the difficulty created in determining whether the employer required, or the employee permitted, the personal online account to be used for advertising the company’s products or services. For certain categories of employment, increased exposure and sales of the company’s products and services result in direct benefits to the employee, as well as the employer.

If passed, employers subject to the Oregon law will have to exercise caution in their approach to employees about using their personal accounts for business purposes. Also, like the popularity of the social media account protection laws themselves (21 states have now enacted these in one form or another), this twist in Oregon may be followed elsewhere.