On March 25, 2015, the United States House of Representatives, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;
  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;
  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;
  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;
  • The law would preempt all state data breach notification laws;
  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and
  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken.  Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed.  However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact that identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.

With breaches caused by payment card thieves and hackers dominating the news, it is easy for mid-sized and small companies to think that data breaches are unfortunate events that affect only large companies. Not only is this sentiment misguided, but in relative terms the information contained in exposed emails can cause far more damage to an organization than the loss of customer payment card data. In this case, as reported by CNET, the inadvertent error was caused by a staff member of Australia’s Department of Immigration whose email blunder disclosed to an unauthorized party the personal passport information (e.g., passport number, date of birth) of all of the G20 leaders, including President Obama.

Embarrassing no doubt, but it looks like potential harm was mitigated as the recipient (someone at the Local Organizing Committee of the Asian Cup international soccer tournament) confirmed the email was immediately deleted and not forwarded or copied to a backup system. For sure, the G20 leaders have teams of people able to track down and secure such a transmission. Most businesses will not have the same good fortune, nor the same resources to track and secure such an errant email.

Company email and other electronic communications systems can tell a very comprehensive story about an organization, the details of which even management may not be fully aware. There will, of course, be emails and attachments that contain sensitive personal information about employees, customers and other individuals. Consider, for example, the employee relations nightmare that could erupt if a spreadsheet containing names, SSNs and salary information of all company employees and executives is inadvertently sent company-wide. The same would be true for email communications containing details of a workplace affair or establishing evidence of systemic workplace discrimination.

However, companies also maintain critically important trade secret information, intellectual property and strategic business planning data that is communicated through email and other systems. Such data, if disclosed to or accessed by the wrong person(s), could severely hamper the company’s business. The same would be true if a similar error, albeit unintentional, resulted in the disclosure of important information belonging to the company’s clients.

It should go without saying that the autofill feature is not the only risk to confidential information in electronic communication systems. These systems could be hacked, synched and unencrypted devices could be lost, and rogue employees could remove vast amounts of files containing a wealth of damaging data. In any of these cases, the potential harm could take many forms beyond the typical payment card breach. Indeed, customer payment card information could be included in email. However, in the case of a professional services firm, for example, sensitive client information included in the breach could result in the loss of key clients, the cost of which could be difficult to overcome, as would be the cost to regain that client’s trust. Emails included in the group could expose a sordid affair involving the company’s chief executive, damaging the company’s position in the community. The same incident also could result in the loss of key intellectual property that undermines the business’ competitive advantage. The list could go on.

No set of safeguards will reduce to zero the risk of these kinds of incidents. That does not mean efforts to reduce the risks should be ignored. Limiting data collected and transmitted in electronic communications systems, a closely followed record retention and destruction policy, reasonable monitoring of systems, and creating a culture of privacy and security are all steps a company can take to reduce this exposure. But, that is not all. Businesses also must plan for the inevitability that breaches involving the loss of confidential information of many different varieties can and will occur. Key members of management should be thinking through different scenarios, developing appropriate plans to respond, and practicing those plans.

This year’s IAPP Global Privacy Summit was very informative on a number of fronts, including the helpful insight provided by officials at the Federal Trade Commission (FTC) on a range of topics. A good summary of some of their comments can be found here, which includes concerns they expressed about the Consumer Privacy Bill of Rights released by the White House during the last week in February. One example of good practical guidance was offered by Jessica Rich, Director, Bureau of Consumer Protection, relating to how companies go about creating written information security programs (WISPs). She said, “No checklists.”

We did not understand Ms. Rich to be suggesting businesses not use checklists as a tool in building a WISP. Of course, well-crafted checklists can be enormously helpful for companies, particularly small and mid-sized companies, to learn about best practices and to ensure they have met the applicable compliance requirements. This is true regardless of the topic of compliance or the industry. For example, when a health care provider or one of its business associates is trying to grasp the different administrative, physical and technical standards under the HIPAA Security Rule, a checklist could be very useful in helping to understand the scope of the project and for organizing an efficient compliance effort. Similarly, when creating a data breach response plan, there are a number of legal and practical steps that need to be taken, and a checklist can help to organize those steps.

We believe Ms. Rich was emphasizing that each business must understand its particular circumstances when developing a WISP, and not rely solely on a checklist. More specifically, we understood her to be calling for businesses to dig deeper and assess their particular risks, vulnerabilities, resources, needs and other circumstances in order to move toward compliance and appropriately mitigate the risks and vulnerabilities identified. That process can be aided by one or more checklists, but the process has to be informed by the circumstances actually facing the company and the process has to be ongoing. That is, completing the checklist neither completes the WISP nor the things a business needs to be doing to ensure its WISP is appropriate for its business at any given time.

Comprehensive federal privacy legislation seems to be moving more vigorously than it has in recent years. What form it will take, if any, and what role the FTC will play is unclear at this point. What is clear is that companies in all industries have to use their best efforts to maintain the privacy and security of personal and other important data. This requires a comprehensive and deep understanding of the business, its practices, its customers, its products and services, its employees, its resources, its legal and regulatory environment, and how those factors shape its overall information risk. Checklists can help gather and analyze this information, and implement solutions, but they are no substitute for understanding the business’ risks and being able to address those risks now and in the future.

Reacting to a report that identity theft was a top concern for Illinois residents (second in a list of ten), Attorney General Lisa Madigan announced a legislative proposal to strengthen the state’s existing data breach notification law. The call for stronger breach notification laws is a trend that has emerged in other states, such as New York and Indiana, and one that has had results. Florida and California are good examples. As summarized below, AG Madigan’s proposal follows a similar pattern – add provisions that require notification to the state Attorney General, expand the definition of personal information that would trigger a notification requirement, and require reasonable safeguards to protect personal information before a breach happens. It is this last point to which companies should pay particular attention. In a state Attorney General investigation following a breach, it will be those safeguards that are examined.

Attorney General Madigan has been active in the area of identity theft, maintaining an Identity Theft Unit and Hotline that provides one-on-one assistance to victims of identity theft and data breaches. She also has testified before the U.S. Senate and the U.S. House of Representatives in recent years concerning data breaches, including her testimony last month in connection with the federal data breach law being debated. She is now proposing significant changes to the Personal Information Protection Act (PIPA), the law originally passed in 2005. The changes include:

  • Expanding the types of personal information that could trigger a notification requirement to include medical information, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts;
  • Requiring that the Attorney General’s office be notified in the event of a breach; and
  • Mandating that businesses take “reasonable” steps to protect the personal information covered by the law.

The substantial changes made to the Florida breach notification law last year also added a requirement for businesses to adopt and implement reasonable safeguards to protect personal information. Similar requirements exist in states such as Connecticut, California, Maryland, and Oregon. The most popular and most stringent of these state laws is the one in Massachusetts. Becoming effective almost 5 years ago to the day, March 1, 2010, the Massachusetts data security regulations flesh out one approach to providing reasonable safeguards. (Checklist available here).

Planning for a data breach is critical, but that should be part of an overall plan to safeguard personal information. If the trend of enhancements to data breach notification and safeguarding laws continues, it will not be long before most states have a statutory obligation to safeguard personal information through a set of written policies and procedures, just as 47 states today mandate notification in the event of a breach.

In this case, a hospital administrator who was present during a peer review meeting, but not as a member of the committee, later reported to the hospital’s physician practice manager her “visual memories of [the Plaintiff’s] behavior, body language, tone of voice and the way things were being said” when the plaintiff, a reviewing physician, verbally attacked his colleague. Other peer review committee members did not agree with the administrator’s characterization of the plaintiff’s actions during the peer review meeting. According to the Court’s decision, the information conveyed by the administrator about the plaintiff’s actions during the peer review meeting directly contributed to his termination.

The primary legal basis for the Court’s decision was the confidentiality mandates in the Review Organization Immunity Act (ROIA), the law regulating peer reviews in New Mexico, including the provisions at Section 41-9-5(A) which state that “[n]o person… shall disclose what transpired at a meeting of a review organization” except for the purposes listed in the statute. According to the Court, this provision creates an implied promise that the plaintiff would not suffer adverse employment action from participating in the peer review process, and that this promise is incorporated into physician-reviewer employment contracts. 

Of course, as noted by the Court, confidentiality in the peer review process is critical. Absent confidentiality, it would be difficult to promote peer review integrity and have candor and objectivity during meetings. Physicians and other medical staff would be reluctant to adhere to those principles for a variety of reasons including fears about loss of referrals, retaliation, damage to personal relationships, lawsuits, and malpractice actions based on records used during the proceedings. On the other hand, decisions like this may leave employers feeling that medical staff participating in the peer review process are immune from actions that transpire during that process. The New Mexico Supreme Court sought to dispel that notion:

Our holding limits the use of peer review information for a statutory purpose, see § 41-9-5(A), and only those individuals responsible for furthering the statutory purposes of ROIA can be privy to such information. See § 41-9-5 (noting that no person can utilize peer review information except to carry out the statutorily enumerated purposes of a review organization). Eastern contends that our holding will completely immunize physician-reviewer conduct in peer reviews, “no matter how egregious.” This argument ignores the dual regulatory structure within hospitals. As will be explained, because only medical staff, not hospital administrators, are responsible for peer reviews, medical staff may utilize information concerning peer reviewer conduct to discipline reviewers.

The Court explained that its holding does not conflict with an employer’s contractual provisions enabling termination of employment for cause; it “merely prevents [employers] from using confidential peer review information in making [their] personnel decisions.” Healthcare employers, like the defendant in this case, often regulate employee-physicians both through medical staff bylaws and employment contracts. As the Court noted, those bylaws can provide that disruptive conduct may lead to a loss of privileges. An employment contract provision conditioning continued employment on maintaining privileges would, in turn, support the termination of the physician’s employment. So, the Court concludes, physicians that are disruptive during peer review are not free from discipline; they just cannot be disciplined by hospital administrators who should not be “privy to what transpires during peer review meetings.” Discipline in that case is up to the medical staff.

Hospitals in other states should consider their own processes and the state laws that apply, as many states have laws similar to the ROIA. This includes reviewing medical staff bylaws, employment contracts and long-standing practices to ensure they are coordinated, provide appropriate mechanisms to impose discipline, and maintain the confidentiality of the peer review process.

Late last year we reported Indiana Attorney General Greg Zoeller was seeking legislation which would better protect the online personal and financial information of Indiana residents. That legislation, S.B. 413, was unanimously passed by the Indiana Senate on February 24, 2015.  Indiana’s bill follows similar efforts in New Jersey, New York and Oregon.

As previously mentioned, the Indiana bill would amend the state’s current data breach notification law by (i) imposing stricter requirements for the safe storage of sensitive data, (ii) reducing harm to consumers following a data breach, and (iii) increasing transparency of online privacy policies.  Importantly, S.B. 413 would expand Indiana’s existing law to include protected data in all formats, as opposed to just unencrypted computerized data.

One of the bill’s sponsors, Sen. James Merritt (R), said “[d]ata breaches and identity theft are serious crimes and have become more common as technology advances.  By passing this legislation, we’re taking steps to ensure consumers feel confident and protected when conducting business online.”

The measure will now head to the Indiana House of Representatives for consideration.

According to a report by Deutsche Welle, the German Federal Labor Court held that employers may monitor employees only when they have concrete suspicions of wrongdoing that are based on fact. In the U.S., the standards for engaging in monitoring employees may not be quite that high, but employers should be thinking about whether a decision to take that step is reasonable and defensible.

In the case before the German court, the employer engaged a private investigator when suspicions arose concerning the reasons for a secretary’s sick leave. The suspicions were due mainly to the secretary’s change in the reasons for her leave and the healthcare providers she was using – initially she claimed bronchial ailments, and later claimed back pain. The investigator commenced video surveillance which captured the employee with her family outside her home and in her neighborhood. Evidence was presented that the employee was acting in a manner not consistent with the reasons she gave for her leave.

Nonetheless, because the court found that the employer did not have a sufficient level of suspicion to commence the surveillance in the first place, it upheld an award of damages equal to €1,000, albeit less than the €10,500 claimed. The court opined further that damages for unjustified surveillance would still be appropriate even if it was shown that the employee was lying about the basis for the leave.

In the U.S., monitoring can take place for a variety of reasons – customer service, compliance, productivity, physical and informational security, as well as whether claims under benefit plans are being paid appropriately. In some states, employees are entitled to notification of certain types of electronic monitoring (see, e.g., Connecticut and Delaware). In most cases, it is a good practice to manage employees’ expectations and let them know of the potential for monitoring, at least at the “workplace.” Of course, given the mobility of the workplace these days, that can get a little tricky.

Reasonableness is key, as is shown by a 2001 case, Dishman v. UNUM Life Ins. Co., involving facts similar to the case discussed above. There, the company’s disability insurer questioned an employee’s claim that migraines made him unable to work. The carrier engaged in extensive surveillance to investigate. According to the case, the employee claimed that the investigators –

Claim[ed] to be a bank loan officer endeavoring to verify information he had supplied; … elicited personal information about him from neighbors and acquaintances by representing that he had volunteered to coach a basketball team…sought and obtained personal credit card information and travel itineraries by impersonating him…falsely identified themselves when caught photographing his residence…repeatedly called his residence and either hung up or else dunned the person answering for information about him

The disability plan was an employee welfare benefit plan subject to the Employee Retirement Income Security Act (ERISA) and, as such, enjoyed broad protections from certain state laws that related to the plan under ERISA’s preemption doctrine. The privacy claims by the employee in this case might have been preempted by ERISA had the investigatory tactics been more reasonable and in the usual and customary course of plan administration. In this case, however, the court determined that the actions went far beyond that and did not depend on the benefit claim. Accordingly, the state claims survived ERISA preemption.

Whatever the reason for monitoring, companies need to proceed cautiously, and make sure their managers are doing so as well. At a minimum, employers should have a reasonable basis to commence monitoring, and should consider the kinds of information the monitoring might access and collect (and whether they want that information), who should conduct the monitoring, and what tactics can and should be used. It is prudent to develop internal guidelines that prompt thinking about these and other issues.

During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering which employers might want to take action on sooner rather than later – collecting Social Security numbers (SSNs), particularly when required to do so from the spouses and dependents of their employees. There are, of course, ACA implications for not taking this step, as well as data privacy and security risks for employers and their vendors. We address the latter here.

Under the ACA, providers of “minimum essential coverage” (MEC) must report certain information about that coverage to the Internal Revenue Service (IRS), as well as to persons receiving that MEC. Employers that sponsor self-insured group health plans are providers of MEC for this purpose, and in the course of meeting the reporting requirements, must collect and report SSNs to the IRS. This reporting mandate requires those employers (or vendors acting on their behalf) to transmit to the IRS the SSNs of employees and their spouses and dependents covered under the plan, unless the employers either (i) exhaust the reasonable collection efforts described below, or (ii) meet certain requirements for limited reporting overall.

Obviously, employers are used to collecting, using and disclosing employee SSNs for legitimate business and benefit plan purposes. Collecting SSNs from spouses and dependents will be an increased burden, creating more risk for employers given the increased amount of sensitive data they will be handling, and possibly for vendors working on their behalf. The reporting rules permit an employer to use a dependent’s date of birth only if the employer was not able to obtain the SSN after “reasonable efforts.” For this purpose, reasonable efforts means the employer was not able to obtain the SSN after an initial attempt and two subsequent attempts.

From an ACA standpoint, employers with self-insured plans that have not collected this information should be engaged in these efforts during the year (2015) to ensure they are ready either to report the SSNs, or the DOBs. At the same time, collecting more sensitive information about individuals raises data privacy and security risks for an organization regarding the likelihood and scope of a breach. Some of those risks, and steps employers could take to mitigate those risks, are described below.

  • Determine whether the information is subject to HIPAA. Employers will need to consider whether this information, collected for ACA group health plan reporting requirements, is protected health information under HIPAA (PHI) or within the HIPAA “employment records” exception.
  • Implement appropriate safeguards. For an employer that determines the information collected for this purpose is PHI, it will need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. Either way, employers need to take steps to safeguard this data. A number of states, such as California, Connecticut, Florida, Maryland, Massachusetts, New York, and Oregon, require that reasonable safeguards be in place to protect such information. Examples of good practices include: (i) design forms to collect only the information needed; (ii) direct responses to the requests for the information to go to a single location; (iii) if collected online, make sure the connection is secure; (iv) limit who has access to the information; and (v) after the information is captured and input, destroy all copies of the information other than as needed for appropriate documentation.
  • Ensure your vendors will protect this information. The IRS reporting regulations permit the use of third party vendors to assist employers in the reporting process. Whether the vendor is a “business associate” under HIPAA or a third-party service provider under state law, employers should be sure the vendor is contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.

Employers navigating through ACA compliance and reporting requirements have many issues to consider. How personal information or protected health information is safeguarded in the course of those efforts is one more important consideration.

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem’s CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs), seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). To assist employers, we prepared some FAQs that can be accessed at the link below, along with some key considerations and action items.

Click here for Employer FAQs concerning the Anthem breach. 

As we previously reported, sending a “friend” request to access information on an individual’s Facebook page that is not publicly available may have serious ethical implications.  Specifically, the New Jersey Office of Attorney Ethics (OAE) alleges John Robertelli and Gabriel Adamo violated the Rules of Professional Conduct, including those governing communications with represented parties, when they caused a paralegal to “friend” the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page.

In an attempt to end the disciplinary action against them, the attorneys brought a declaratory judgment action against the state ethics authorities for lack of subject matter jurisdiction.  Today, an appeals panel upheld the dismissal of that declaratory judgment action, finding that only the New Jersey Supreme Court can decide the appropriateness of bringing an ethics case.  As such, the matter returns to the OAE for decision and/or further proceedings.

This case highlights the need for care when conducting investigations into an adverse party and the limits on accessing truly non-public information contained in social media.