We reported earlier that the National Labor Relations Board had been considering changing its previous position that  “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”  The NLRB’s position in this regard was established in 2007, under the NLRB’s ruling in Register Guard.  Today, in Purple Communications Inc. and Communications Workers of America, AFL-CIO, the NLRB overruled the Register Guard decision as “clearly incorrect” and held that employees have a right to use their employers’ email systems for nonbusiness purposes, including communicating about union organizing.  Specifically, the NLRB held “employee use of email for statutorily protected communications on nonworking time must presumptively be permitted by employers who have chosen to give employees access to their email systems.  [The NLRB] therefore overrule[s] the Board’s divided 2007 decision in Register Guard to the extent it holds that employees can have no statutory right to use their employer’s email systems for Section 7 purposes.” It is important to remember that this ruling applies to employers whether or not they have union employees.

At issue in Purple Communications and Communications Workers of America, AFL-CIO, was the right of employees under Section 7 of the National Labor Relations Act to effectively communicate with one another at work regarding self-organization and other terms and conditions of employment.  In deciding the case, the NLRB said the workplace is “uniquely appropriate” and “the natural gathering place” for such communications, and the use of email as a common form of workplace communication has expanded dramatically in recent years.

The NLRB was careful to limit its holding as follows:

  • Applies only to employees who have already been granted access to the employer’s email system in the course of their work, and does not require an employer to provide such access;
  • An employer may justify a total ban on nonwork use of email by demonstrating that special circumstances make the ban necessary to maintain production or discipline;
  • Absent justification for a total ban, the employer may apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline;
  • The ruling does not address email access by nonemployees;
  • The ruling does not address any other type of electronic communications system.

Our Labor Group plans a more thorough analysis of the NLRA issues, as employers must now take certain steps or risk potential Board action.

In light of this decision, employers must reexamine their existing electronic communication, bring your own device (BYOD), and social media policies, many of which were adopted after 2007.  This is especially true if any of those policies prohibit, or simply do not permit, an employee’s use of company-provided communication systems for nonwork-related purposes, such as union-related communications or other “protected concerted activities” under Section 7 of the National Labor Relations Act.  Similarly, employers will now need to exercise caution in monitoring company email and in what actions they take in connection with employee use of the company’s email systems.


In what may be considered a blow to class action defense, this week the U.S. Court of Appeals for the Eleventh Circuit ruled that an offer of judgment to the named plaintiffs did not moot a proposed class action.  This was a case of first impression before the Eleventh Circuit.

The putative class action, Stein v. Buccaneers LP, alleges that owners of the Tampa Bay Buccaneers sent unsolicited faxes advertising ticket sales to the plaintiff and more than 100,000 others nationwide in violation of the Telephone Consumer Protection Act (TCPA).  After removing the matter to federal court, the defendant, Buccaneers LP, made offers of judgment under Fed. R. Civ. P. 68 to each of the six named plaintiffs based on the alleged number of faxes each received.  In what courts have sometimes called a “pick-off,” two days after making the offers of judgment, Buccaneers LP moved to dismiss the case for lack of jurisdiction.  Specifically, Buccaneers LP argued that the unaccepted offers of judgment, which provided each named plaintiff with the full relief to which they were entitled under the TCPA, rendered the case moot.  Thereafter, the plaintiffs filed a motion for class certification.  The district court denied the motion for class certification and, after the plaintiffs failed to accept the offers of judgment within the 14-day deadline, held that the action was moot and dismissed the case.

In reversing the district court’s dismissal of the case, the Eleventh Circuit held that a defendant cannot moot a class action through an unaccepted offer of judgment made to the named plaintiffs before the plaintiffs have moved to certify the class.  While the Seventh Circuit has held otherwise, the Eleventh Circuit noted that the Third, Fifth, Ninth and Tenth Circuits have reached the same conclusion: “a Rule 68 offer of full relief to the named plaintiff does not moot a class action, even if the offer precedes a class-certification motion, so long as the named plaintiff has not failed to diligently pursue class certification.”

As we’ve discussed previously, medical identity information is worth more than ten (10) times as much as financial information on the black market. This gives hackers a financial incentive to obtain such information, which is maintained not only by medical providers and pharmacies but also by employers who provide medical insurance coverage to their employees. Employers may hold, in their human resources or other network systems, not only the medical records of their employees obtained from managing workers’ compensation claims and other matters, but also, and more importantly, medical insurance registration forms and health insurance billing information on their employees. This is exactly the type of information that is at risk and which increasingly is breached.

Why is medical identity information so valuable on the black market?  As Fortune reports, medical identity theft is in demand on the black market, and employer data systems are a goldmine for would-be hackers. Within medical records, hackers can find social security numbers, dates of birth, health insurance policy numbers, and other billing information that can be used not only for financial fraud but also for medical identity theft, where the billing information is used to obtain medical services and prescriptions in the name of the individual whose identity has been compromised.

How can employers protect the medical identity information they hold?  The starting point is doing a risk and vulnerability assessment to gain an understanding of the business’ data privacy and security risks. There are a number of resources available to assist in designing and carrying out an assessment. If the medical information is subject to HIPAA, such as in the case of information maintained with respect to the company’s group health plan for employees, HHS has released a security assessment tool. Of course, much of an employee’s medical information maintained by an employer is NOT subject to HIPAA, such as leave of absence records and workers compensation records.

Another source is the National Institute of Standards and Technology (NIST), which recently issued a draft update of its primary guide to assessing security and privacy controls. While the work NIST does, including this guide, is designed for federal information systems and networks, it is an excellent and comprehensive source for businesses to understand steps they too can take to safeguard their systems and data. For many employers, these tools may be too extensive and simply not practical. This is where a qualified data privacy counselor can add value in helping you appropriately assess your administrative, physical and technical risks. Either way, a necessary and appropriate risk assessment will then lead to the development and implementation of a written information security program.

Of course, getting management (C-suite) support is essential. Data privacy and security is an enterprise-wide risk that requires an enterprise-wide solution. This is not something that should be left to the IT Department to handle alone. Rather, the buy-in for the need for adequate safeguards and training has to come from the top, and key stakeholders have to be brought into the planning and assessment early in the process in order to obtain adequate support for building a data security program and a culture of data privacy and security.  Accordingly, the protection of all personally identifiable information, including medical information, takes buy-in and leadership from senior management, a careful understanding of the organization’s risks and vulnerabilities, knowing what the law requires, coordination with key persons inside the organization and certain third parties outside it, frequent and regular security awareness training, and regular re-evaluation of the organization’s approach for changed circumstances.

Data security is too often synonymous with the loss of consumer financial information. A recent report by a cybersecurity research firm reminds us, however, that a data breach can have an impact far beyond consumer privacy concerns.  On December 1, 2014, FireEye Inc. announced that a group called “FIN4” was duping executives, lawyers, and financial consultants into providing access to confidential and proprietary information at publicly traded companies, and that FIN4 was using that information to gain an advantage in the stock market.  In other words, FIN4 was using data breaches to commit securities fraud on a massive scale.

This scheme reminds us that data breaches can be a vehicle for committing analog crimes. The FireEye report describes attackers using authentic Securities and Exchange Commission documents as lures to deceive (presumably seasoned) finance sector workers into revealing their credentials (username and password) to the fraudsters. Phishing aimed at specific, researched individuals with a lure tailored to them, rather than blasted to anyone who will bite, is known as “spearphishing.” What distinguishes it is the targeting; it often needs no software exploit at all, because the victim simply hands over the password. The term intentionally invokes the image of a sportsman patiently waiting for a specific fish and stabbing it with a long spear, rather than casting a wide net and catching whatever unwittingly swims into it.

FireEye believes that there may have been spearphishing attacks at as many as 100 publicly traded U.S. companies. This means that for the affected companies, there may be fraudsters with prying eyes still inside their networks, operating on valid credentials and following internal communications about revenues, costs, and potential mergers and acquisitions, all of which move markets.

There are several lessons still to be learned from the FIN4 scheme, as the researchers continue to uncover its breadth. That said, a few morals to this story are already apparent. First, there are scarier fish in the sea than just malware and zombie bots. Companies simply must train employees how to recognize and respond to spearphishing and social engineering attacks; attackers use psychology as often as they use malicious code. There should almost never be an occasion on which an employee must give his or her password to anyone else at the company. Most business software provides a self-service password reset that e-mails the user a one-time reset link, so a forgotten password never has to pass through a colleague’s hands. Because such reset e-mails are exactly what a phisher imitates, that training should also teach users to reach the login page by typing its address themselves rather than by following a link in a message.

Second, this is the type of attack that a good cybersecurity and data privacy risk assessment can often spot and prevent. If your company doesn’t have technical systems in place that prevent employees from ever needing to share passwords with IT or management, then your company could fall prey to an attack like this. A good cybersecurity and data privacy risk assessment can spot this and other spearphishing and social engineering risks and help your company eliminate them before they are exploited.
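To make the two points above concrete, here is an added example (not code from the original post, from FireEye, or from any particular product) of the kind of self-service reset flow that removes any reason for an employee to hand a password to IT or a colleague. A reset request e-mails the user a random one-time token; the server keeps only a hash of that token, bound to the account and to an expiry time, and consumes it on first successful use. The portal URL, the user names, the 15-minute lifetime and the timestamp in the demo are all placeholders chosen for illustration, and the e-mail send itself is out of scope (the function just returns the message text).

```python
import hashlib
import secrets
import time

# Assumption: a reset link is good for 15 minutes; pick what your risk tolerance allows.
TOKEN_TTL_SECONDS = 15 * 60

# Placeholder address for a hypothetical self-service portal.
PORTAL_URL = "https://portal.example.com/reset"


class ResetTokenStore:
    """Server-side record of outstanding password-reset tokens.

    Only a SHA-256 hash of each token is kept, so a leaked copy of this
    table cannot be turned into working reset links. The clock is injected
    so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token hash -> (username, expiry timestamp)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Create a fresh one-time token for `username` and return it.

        The raw token goes only into the e-mail to the user; it is never
        stored or shown to help-desk staff, so nobody can ask for it.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._hash(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, username, token):
        """Return True exactly once for a live, unexpired token bound to `username`."""
        key = self._hash(token)
        record = self._pending.get(key)
        if record is None:
            return False  # unknown, already used, or forged
        bound_user, expires_at = record
        if self._clock() > expires_at:
            del self._pending[key]  # stale: discard so it cannot linger
            return False
        if bound_user != username:
            return False  # token belongs to a different account; leave it alone
        del self._pending[key]  # single use: consumed on success
        return True


def reset_email_body(username, token):
    """Text the application would e-mail to the user (sending is out of scope here)."""
    return (
        f"Hello {username},\n\n"
        f"A password reset was requested for your account. If that was you,\n"
        f"open {PORTAL_URL}?token={token} within 15 minutes.\n"
        f"If it was not you, ignore this message; your password is unchanged.\n"
        f"Nobody at the company will ever ask you for your password."
    )


def demo():
    """Walk the flow with a controllable clock and return each step's outcome."""
    now = [1_700_000_000.0]  # constructed timestamp, advanced by hand below
    store = ResetTokenStore(clock=lambda: now[0])

    token = store.issue("alice")
    email = reset_email_body("alice", token)
    outcomes = {
        "email_carries_token": token in email,
        "wrong_user": store.redeem("mallory", token),  # token is bound to alice
        "first_use": store.redeem("alice", token),
        "replay": store.redeem("alice", token),        # already consumed
        "garbage": store.redeem("alice", "not-a-token"),
    }

    later = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    outcomes["expired"] = store.redeem("alice", later)
    return outcomes


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:>20}: {result}")
```

The lookup is keyed by the hash of a 256-bit random value, so there is nothing for a guessing attacker to learn from timing, and the account binding is a second check in case a token is pasted into the wrong user’s form. A production deployment would additionally rate-limit `issue()`, answer a reset request identically whether or not the account exists, and invalidate all of a user’s outstanding tokens once one succeeds.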

Finally, company business information must be protected as thoroughly as customer data.  This requires, among other things, a good data classification system. If your data is properly classified as confidential, your IT staff can segregate it and protect it much better from attacks.

Hackers know their targets. Does your business know your hackers?

After being hit with a data breach, the last thing a company might want is the scrutiny of the union representing its employees affected by the incident. Not long after the data breach potentially affecting hundreds of thousands of United States Postal Service employees was reported, the American Postal Workers Union filed an unfair labor practice charge with the National Labor Relations Board. The Union alleges that the Postal Service should have bargained with the union over the impact of the security breach. (Regarding impact, the Postal Service reportedly is offering employees one year of free credit monitoring through Equifax, but the union believes the Postal Service did not have the legal right to decide to offer the Equifax subscription without first offering to bargain with the union.)

While none of the data breach notification statutes include an employee’s labor union as one of the parties entitled to notice of a breach, the APWU is making the argument that the National Labor Relations Act required the Postal Service to let it be involved in the discussions on how to address the breach and the negative consequences on employees. APWU President Mark Dimondstein acknowledged receiving a call from Postmaster General Patrick Donahoe concerning the breach, but apparently wanted to be more involved.

A primary purpose of most if not all data breach notification laws is to provide the required notice to individuals affected by the breach so they can take appropriate steps to protect their information and identity. All of the state data breach notification laws and HIPAA generally require notification be provided without unreasonable delay. Some laws provide an outside date by which notice must be provided – e.g., not more than 30, 45 or 60 days following discovery. But the rule is to provide notice as soon as possible, without unreasonable delay.

When a breach is discovered there are many steps companies must go through to be in a position to respond without unreasonable delay, a time frame that is not clearly defined and is influenced by a variety of circumstances. For instance, among many other steps, companies must immediately investigate the nature and scope of the incident, which can involve a significant amount of forensics and research; stop the breach if it is continuing; determine who was affected; understand the applicable legal and compliance requirements; coordinate with law enforcement and state Attorneys General, as applicable; gather up-to-date contact information to the extent available; and coordinate with vendors regarding mailing letters, credit monitoring and other services for affected persons. Entering into negotiations with one or more representative unions about responding to such an incident before the notifications go out likely would be an involved process that would further delay the notice to affected persons.

However, depending on how the NLRB charge turns out, employers may have to interact more closely with their employees’ union representatives when employee personal information may have been breached. Of course, employers should expect that, as here, the union may make further inquiry into the company’s data privacy and security practices in an effort to protect its members and to seek additional leverage in negotiations. For these reasons, companies need to revisit (or develop, if they have not already) their data breach response plans and consider what additional steps, if any, they might want to take to involve the union. Additionally, companies should take steps to ensure that employee personal data is safeguarded in accordance with applicable law and best practices.

The FTC recently settled a charge with True Ultimate Standards Everywhere, Inc. (“TRUSTe”) alleging that the internet privacy certification company deceived consumers about its recertification program, as well as misrepresented itself as a non-profit entity when, in fact, it had converted to a for-profit company. TRUSTe is a well-known internet privacy watchdog. Its seal is recognized as connoting a safe place for a consumer to conduct an on-line transaction. As set forth on TRUSTe’s website “[i]f you see a TRUSTe seal on that policy, you can be confident that website is transparent about its privacy practices and respects your online privacy. And if you have a privacy concern with any site that displays our privacy seal, TRUSTe will help you resolve them promptly.”

According to the FTC complaint, TRUSTe misrepresented the frequency of TRUSTe seal recertification. Specifically, the complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertification over 1,000 times, despite making statements that companies holding TRUSTe Certified Privacy Seals were recertified annually. The FTC also alleged that in the time since TRUSTe converted from a not-for-profit to a for-profit company, it did not require its customers to update references to TRUSTe’s nonprofit status on their websites.

The terms of the TRUSTe consent decree are not modest. In avoiding a court battle, TRUSTe has accepted a laundry list of terms from the FTC. It agrees not to misrepresent its certification procedures or the time periods for recertification. It also agrees to be transparent about its for-profit status.

In keeping with a trend in FTC consent decrees, much of the meat in the order is in the future regulatory oversight TRUSTe can expect from the FTC. TRUSTe agreed, in its role as a COPPA safe harbor, to provide detailed information about its COPPA-related activities in its annual filing to the FTC, as well as to maintain comprehensive records about its COPPA safe harbor activities for ten years. These requirements will likely bring with them significant cost and administrative burden. On top of the reporting and other requirements, TRUSTe will also pay a $200,000 penalty.

This consent decree is another in a line of FTC settlements that (1) target alleged misrepresentations to consumers about their privacy; (2) come with heavy reporting and follow up administrative burdens entangling the company with the FTC for years to come; and (3) also carry a significant financial penalty.

The lesson? Check your privacy policies, notices and other representations to consumers and employees. Are they 100% accurate? That is, are you doing what the policies say you are doing? If not, it’s time to amend your policies (or your practices) before the FTC knocks on your door.

You can read about the steps TRUSTe is taking to maintain its customers’ trust at its blog:

http://www.truste.com/blog/2014/11/17/truste-ftc/



Many of us have likely received a notification from our bank or credit card company concerning suspected fraud or improper charges.  However, the legality of those messages is not always clear.  To this end, on October 14, 2014, the American Bankers Association (Association) filed a petition for exemption requesting that the Federal Communications Commission (FCC) exempt “certain time-sensitive information calls, placed without charge to the called parties, from the Telephone Consumer Protection Act’s (TCPA) restrictions on automated calls to mobile devices.”

Specifically, the Association asked the FCC to exempt automated calls and text message alerts to wireless telephone numbers concerning:  (1) transactions and events that suggest a risk of fraud or identity theft; (2) possible breaches of the security of customers’ personal information; (3) steps consumers can take to prevent or remedy harm caused by data security breaches; (4) money transfer notifications and notifications of actions needed to arrange for receipt of pending transfers.  The Association’s petition explains that automated communications to mobile devices would be without charge and are best suited to provide quick and efficient notifications to customers in time-sensitive situations, such as in cases of data security breaches or attempted identity theft.  Additionally, the petition proposed certain conditions on these automated calls and text message alerts, if exempted.  In particular, the petition specifies that the calls or messages would not include any solicitation, telemarketing, or advertising information, and would only be sent to the telephone number of the consumer to whom the alert or notification is directed.

Under the TCPA and the FCC’s implementing rules, an entity is prohibited from using an automatic telephone dialing system or an artificial or prerecorded voice to make a call to a wireless number absent an emergency or the prior express consent of the called party.  Notably, the FCC may exempt calls to wireless numbers that are not charged to the called party and which protect consumer privacy.

In light of the petition, the FCC is now seeking comment on the issues raised, including whether the exemptions requested allow the financial services industry to reduce privacy and security risks proactively so that fraud, data security breaches, and identity theft are less likely to occur.  Comments must be submitted to the FCC by December 8, 2014 with reply comments due by December 22, 2014.

According to a November 13, 2014 article in the New York Times (based on a review by the Department of Homeland Security), an intruder was able to enter the White House back in September due to a succession of performance, organizational, and technical failures.  One of the specific findings was that:

“Omar Gonzalez, the man charged in the incident, could have been stopped by a Secret Service officer who was stationed on the North Lawn with an attack dog. . . [b]ut the officer did not realize that an intruder had made it over the fence because he was sitting in his van on his personal cellphone. The officer did not have his radio earpiece in, and had left the second radio he was supposed to have in his locker.”

Wait, what? We know from the report, as well as from Clint Eastwood movies, that Secret Service members use their own communication system with ear-buds for professional duties, so there is no excuse for this agent to have been on his cell phone.

The Report suggests that the United States Secret Service either needs to adopt or enforce a robust policy prohibiting or limiting the use of personal cell phones or any personal devices (e.g. cell phones, smartphones, tablets, etc.) while on duty.  Landscapers and insurance adjusters working in the field might very well use a personal cell phone for work purposes to great efficiency pursuant to a Bring Your Own Device (“BYOD”) policy, although many companies restrict smart phone use while driving. For other positions, however, unrestricted use of smart phones can cause problems ranging from customer dissatisfaction, loss of efficiency, and sexual harassment up to life-or-death safety issues, as in the case of Omar Gonzalez and the unnamed agent who, for all we know, was playing Angry Birds on the North Lawn.  One often observes restaurant hosts, receptionists, government clerks and other employees tapping on their smart phones while customers tap their feet in line. Employers are within their rights to curtail such behavior, even as members of the public obnoxiously talk into their phones while ordering a latte. It’s bad enough that employees from ticket agents to medical doctors are forced to spend more time looking at computer screens than looking people in the eye, but personal use of smart phones on the job is rampant and in certain circumstances can lead to safety issues. Proper drafting and enforcement of policies can mitigate these problems.

Due to the sensitive nature of its work, a BYOD policy allowing the use of personal cell phones while on duty would probably not work for the Secret Service.  Many private employers, however, have found great success in limiting the use of personal devices by allowing employees to utilize their own devices for work purposes and adopting BYOD policies to address such use.  BYOD policies may properly address not only who will pay for a smart phone, access to organizational systems, and how to protect company information, but also when employees may access smart phones while on the job.

According to the New York Times, Bellevue Hospital Center patient Craig Spencer, the first New Yorker to be infected with Ebola, is scheduled to be released today. And while the intense reporting about Ebola has subsided, perhaps indicating a lowering of the perceived threat of Ebola spreading further in the U.S. (although many continue to be under surveillance) companies should remain vigilant and be sure they are prepared. To that end, the agency responsible for enforcing the HIPAA privacy and security regulations, the Office for Civil Rights, issued a bulletin – HIPAA Privacy in Emergency Situations.

In emergency situations, uncertainty and a lack of preparedness can inhibit a health care provider’s or health plan’s ability to act. That uncertainty can include concerns about whether certain information can be used or disclosed. The OCR’s Bulletin provides helpful guidance for providers and plans, as well as business associates, so that they can be prepared to act in accordance with the HIPAA privacy requirements, which the Bulletin affirms are not suspended during a public health or other emergency. The Bulletin reminds covered entities and business associates that “protected health information” CAN be disclosed in connection with treatment without the authorization of the individual. It also provides a short summary of the rules for making disclosures in connection with certain public health activities, such as disclosures to public health authorities.

Responding to media inquiries is a significant concern for providers, and the bulletin addresses that. It reiterates that a hospital or other health care facility can, upon request for information about a particular patient by name, disclose limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms. This is the case so long as the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. However, except in limited cases, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, may not be done without the patient’s written authorization (or the written authorization of the patient’s personal representative).

The Bulletin also reminds the reader that HIPAA only applies to covered entities and business associates. It does not apply to employers. However, employers need to be mindful of other federal and state laws that protect the confidentiality of employee medical information, such as the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.

The Bulletin could provide a helpful training or refresher resource for covered entities and business associates to help their workforce members be prepared for all emergency situations, not just another Ebola case.

One of the most complex issues under the Telephone Consumer Protection Act (TCPA) is determining whether the technology used qualifies as an “automatic telephone dialing system” (ATDS) or “autodialer.”  The TCPA prohibits using an ATDS to make calls to cell phone numbers absent the prior consent of the called party.  An ATDS is generally defined as equipment that has the capacity to store or generate telephone numbers randomly or sequentially and to dial those numbers.

The U.S. District Court for the Southern District of California recently held that an electronic platform for sending promotional text messages was not an autodialer because it could not generate random or sequential numbers.  While guidance from the Federal Communications Commission, as well as decisions at the district and circuit court level, have focused on whether a system has the capacity to generate and dial numbers without human intervention (even if the numbers came from a defined list, as opposed to being randomly generated), the Court here distinguished such reasoning.

Here, the plaintiff joined the defendant’s fitness center in 2012.  The defendant used a third-party, web-based platform to send promotional text messages to the cell phones of members and prospective members.  Numbers were entered into the system manually, by collecting numbers individuals entered on the defendant’s website, or by collecting numbers when individuals responded via text message to marketing campaigns.  The plaintiff allegedly received three unwanted text messages and brought suit.  Thereafter, the defendant moved for summary judgment, asserting that the platform used was not an ATDS, and the Court agreed.

Despite FCC guidance stating that equipment that can generate and dial numbers without human intervention qualifies as an ATDS whether or not the numbers are randomly or sequentially generated, the Court found that the statutory definition of ATDS is clear and unambiguous and that the FCC has no rulemaking authority to change it.  Agreeing with some other cases that have addressed this issue, the Court found that “capacity” means the system’s current capabilities, not its “potential” capabilities.  The Court reasoned that focusing on potential capacity would subject a wide array of devices to the TCPA (e.g., every computer and smartphone).

As the defendant’s platform required human intervention, it was not an ATDS, and the Court therefore granted summary judgment in the defendant’s favor.