In order to be a “protected computer” within the meaning of the federal Computer Fraud and Abuse Act (the “CFAA”), the computer must be used in interstate commerce at the time of the allegedly unauthorized access of the computer, the U.S. District Court for the District of Massachusetts held.  Pine Env. Servs., LLC v. Charlene Carson and Palms Env. and Survey, LLC, No. 1:14-cv-12830-IT (D. Mass. August 20, 2014).

Defendant Charlene Carson was employed by Plaintiff.  When she resigned her employment to join a competitor, she did not return her company-owned laptop.  Approximately two months after leaving her employment, Carson’s roommate observed her in their apartment working on the laptop.  The roommate left the room and when he returned found a note from Carson asking that he return the laptop to Plaintiff.

After Carson’s roommate returned the laptop, Plaintiff performed a forensic analysis of the laptop and learned that a software program called CCleaner was installed on the laptop and was used after Carson’s last day of employment with Plaintiff to destroy data and files, the internet browsing history, and event log entries on the laptop.  Plaintiff brought several state law claims against Carson and her new employer as well as a CFAA claim.  The CFAA protects computers that are used in or affect interstate commerce or communication from unauthorized use or access.

The CFAA provides a private right of action in certain situations where there is a loss of at least $5,000 when someone (1) knowingly and with intent to defraud, accesses a protected computer or exceeds authorized access and by such means furthers the intended fraud and obtains anything of value; or (2) knowingly causes the transmission of a program, information, code, or command, and as a result intentionally causes damage without authorization to a protected computer; or (3) intentionally accesses a protected computer without authorization and as a result causes damage and loss.  Plaintiff asserted the laptop was a protected computer because the company was engaged in providing rental equipment to other businesses throughout the country, Plaintiff’s principal place of business was in a different state from the one in which Carson lived and worked, and the laptop was used in interstate commerce and communication.

The court dismissed the CFAA claim because the laptop was only being used in interstate commerce when Carson was employed by Plaintiff.  Carson’s use of the laptop during her employment was authorized.  The unauthorized use of the laptop happened after the end of Carson’s employment with Plaintiff and thus occurred at a time when the laptop was not being used in interstate commerce.  The court found that the fact that the laptop formerly was used in interstate commerce did not make the later deletion of files from the laptop an action that was “interstate” in nature.

This decision highlights the importance of requiring employees to return all company-owned devices immediately upon their separation from employment.


When the U.S. Supreme Court decided United States v. Windsor, it declared section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional. For many companies, the decision meant changes to certain of their employee benefit plans, as well as to the tax treatment of employee contributions for same-sex spouses. However, declaring section 3 of DOMA unconstitutional reached well beyond ERISA-covered benefit plans, changing the application of many federal laws, including the HIPAA Privacy Rule. Today, the Office for Civil Rights (OCR) provided guidance concerning Windsor’s application to the HIPAA Privacy Rule.

Under the HIPAA Privacy Rule, covered entities can share information about a patient’s care with the patient’s family members in various circumstances – those family members include spouses. In addition, the Privacy Rule provides protections against the use of genetic information about an individual. Genetic information includes certain information about family members (including, spouses) of the individual.

Based on the holding in Windsor, when the Privacy Rule uses the terms “spouse” and “marriage,” such as at 45 CFR 160.103 (definition of family member), lawful same-sex spouses have to be included. More specifically, the term “spouse” includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term “marriage” includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

The OCR guidance clarifies, for example, that in connection with the standard concerning uses and disclosures to those involved in an individual’s care (45 CFR §164.510(b)), in cases where covered entities are permitted to share an individual’s protected health information with a family member of the individual, family member includes legally married same-sex spouses, regardless of where they live.

Covered entities and business associates should review their practices and alert their workforce members of this development. OCR intends to issue additional clarifications through guidance or rulemaking to address same-sex spouses as personal representatives under the Privacy Rule.


You may have been reading about how “Big Data” technologies are being used for a variety of purposes, such as making purchase suggestions based on prior buying patterns or staging law enforcement resources based on predictions for where and when crimes are likely to occur. But these technologies also are being used in the human resources context, such as to better select and manage applicants and employees, and can be of significant value to human resources leaders, and the company generally. Of course, there are mixed views about the use of this technology, as well as legal risks that should be considered.

Earlier this year, for example, a Forbes article explored the concern that if too heavy a weight is placed on “data” in the recruiting process, the human element can be lost and the business might not be capturing the top talent for the position. Others have observed that analytics tools in this context fall short in that they “don’t directly assess whether a person can do a job” and base recommendations on correlations that might not translate into good performance.

Certainly the role big data analytics tools can and should play in the workplace will depend on a range of factors, not the least of which is whether they can actually produce results. Employers that are considering whether these tools can positively impact HR decision making should also be considering the applicable risks when using this technology, even if “big data’s” recommendations are only one of many factors in the ultimate decision.

Attorneys at the EEOC, for example, are already considering the potential ways that using “big data” tools can violate existing employment laws, such as Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act. Law360 recently reported (registration required) on comments made by EEOC Assistant Legal Counsel Carol Miaskoff, who discussed these potential risks and others during a workshop hosted by the Federal Trade Commission. There are, of course, a range of other potential issues, including employee relations, labor relations, privacy and so on. At a minimum, employers need to proceed cautiously and be sure to maintain records that can verify their decisions were made lawfully.

I recently had the pleasure of speaking to a great group at the Connecticut Assisted Living Association (CALA) about HIPAA and a range of related practical issues. Many covered entities and business associates, particularly those that are small businesses, continue to work on understanding the privacy and security standards, and how to best apply them in their businesses and with their varied workforces. Compliance can be challenging, but it is important to get started and document the compliance steps taken. Here are some reminders about HIPAA privacy and security compliance:

  • Risk assessment. This is a critical step required under the security regulations. Many covered entities and business associates focus first on written policies and procedures to safeguard protected health information (PHI). But those policies and procedures need to address the risks and vulnerabilities to PHI, which can only be determined through an appropriate risk assessment. Of course, organizations need to continually assess their risks and vulnerabilities as their businesses change and grow.
  • Business Associate Agreements. The Health Information Technology for Economic and Clinical Health (HITECH) Act made a number of changes affecting “business associates.” Among those changes were updates to the “business associate agreements” that the HIPAA Rules require covered entities to maintain with their business associates, which could include claims administrators, consultants, cloud and other data storage providers. The final HIPAA regulations established a transition rule that permitted covered entities and business associates to continue to operate under certain existing business associate agreements for up to one year beyond the compliance date of the final regulations (September 23, 2013). That transition period ends this month. Accordingly, it is critical that business associate agreements be updated. A starting point for business associate agreement compliance is the set of sample provisions posted by the Office of Civil Rights. However, there are other issues that parties to the business associate agreement will want to address, such as data breach coordination and response, indemnity, and agency status. Additionally, a number of state laws (e.g., California, Massachusetts, Maryland) require businesses to have contracts with third-party service providers to safeguard personal information, which likely will include information in addition to protected health information under HIPAA.
  • Data Breach Preparedness. Data breaches continue to happen across the country, exposing vast amounts of sensitive data. HIPAA regulations and laws in 47 states require a number of steps to be taken when a breach happens, including notifying the affected individuals and certain governmental agencies. Absent a plan for responding, companies often find themselves ill-prepared to respond timely, correctly and completely. Responding timely is particularly important for avoiding an inquiry from a federal or state agency concerning a data breach. Having a plan and practicing that plan can significantly enhance a company’s ability to respond and minimize its exposure following a breach.
  • OCR Audits. It is expected that the Office for Civil Rights, which enforces the HIPAA privacy and security rules, will be resuming its audit program this fall – which applies to both covered entities and business associates. There are many steps covered entities and business associates can take to be audit ready. Good documentation is one of the most important. OCR wants to be able to see that the organization has taken steps to address the standards under the privacy and security rules. A documented risk assessment, written policies and procedures, and sign-off sheets showing workforce members went through HIPAA training are all examples of documentation an OCR investigator would be expecting to find as part of the audit.

Being “compliant” is no small task, especially as each business has its own particular needs, risks, vulnerabilities, environments, and circumstances that have to be considered. Compliance for an assisted living facility, for example, might look a bit different than it does for a large metropolitan hospital, but many of the fundamental principles are the same.  The key is to get started, understand the risks to PHI, address those risks in a manner appropriate to the organization (one hundred and fifty pages of policies and procedures is not appropriate for many organizations) and under each of the required standards, implement appropriate policies and procedures, and document.

In the wake of Edward Snowden’s intelligence leaks and increasing concerns about the use of personal information, the Center for Digital Democracy recently filed a Fair Trade Commission complaint alleging that 30 U.S. data brokers and data management firms had violated the European Union’s Privacy Directive Safe Harbor framework. According to the CDD, the collection of private data of EU residents, including online tracking, purchasing history, addresses, income and family structures, each violates EU Safe Harbor commitments made by the companies as required by the EU Privacy Directive.

What is the Safe Harbor Framework and Why is it Useful?

The EU Privacy Directive establishes the protection of one’s personal data as a fundamental human right and prohibits the transmission of such data outside of the EU unless the covered entity or individual can certify that “adequate safeguards” are in place. This, of course, raises issues when EU-protected personal data needs to be sent cross-border to U.S. businesses, because the EU does not view the U.S. as having adequate safeguards.

Exceptions are made where U.S. companies use EU-approved standard contractual clauses (SCCs), which embody key EU privacy principles. In the case of transfers of personal data across EU borders within a multinational corporation, the EU has issued approved binding corporate rules (BCRs).

Yet the biggest exception to the Directive’s prohibitions on transmission of personal data is the EU’s “safe harbor.” Under that safe harbor, data can be transmitted to third-party nations where “the third country in question ensures an adequate level of protection and the [EU] laws implementing other provisions of the Directive are respected prior to the transfer.” Companies seeking protection of the safe harbor certify their compliance with the Directive’s seven privacy principles and subject themselves to enforcement by the Federal Trade Commission in the event of non-compliance. More than 3,000 U.S. businesses have enrolled in the Safe Harbor program, and it underlies millions of data transfers from the EU.

U.S. Criticized for Lax Enforcement of Safe Harbor

The EU Data Protection Authority and the CDD have each recently criticized the FTC for its weaker enforcement of what the EU deems to be privacy violations. And the CDD’s complaint alleges more than just personal data has been used by the 30 companies it targeted in its FTC complaint. As CDD’s Legal Director Hudson Kingston has explained, “CDD’s complaint describes the systemic failure of the Safe Harbor to function as it was intended. Companies are flouting standards that the Department of Commerce agreed to and the Federal Trade Commission pledged to enforce . . . The fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”

Jeff Chester, CDD’s executive director, further elaborated in a statement: “Instead of ensuring that the U.S. lives up to its commitment to protect EU consumers, our investigation found that there is little oversight and enforcement by the FTC. The Big Data-driven companies in our complaint use Safe Harbor as a shield to further the information-gathering practices without serious scrutiny . . . Our investigation found that many of the companies are involved with a web of powerful multiple data broker partners who, unknown to the EU public, pool their data on individuals so they can be profiled and targeted online

FTC Steps Up Safe Harbor Enforcement

In an apparent response to some of these criticisms, the FTC has started to more actively enforce safe harbor violations in 2014. In January of this year the FTC announced it had settled privacy violations with 12 companies. Then, in June 2014, the FTC announced that it had settled privacy violations under the safe harbor with 14 U.S. companies. We expect increasing enforcement to continue in light of actions like the CDD complaint.

The National Labor Relations Board has found that another employer (a non-union employer) violated its employees’ protected concerted activity rights under the National Labor Relations Act (NLRA) when it disciplined and fired them for certain social media activity. Our Labor Group provides an extensive analysis of this decision in Triple Play Sports Bar and Grille, 361 NLRB No. 31 (2014).

The analysis of the issues in Triple Play, you will see, is quite fact intensive and requires some thought in applying the applicable legal principles – and that is just addressing the NLRA issues. When companies are faced with adverse social media activity or campaigns, whether it be by employees, customers, bloggers, etc., they frequently are unprepared to take the appropriate steps to investigate, or to weigh the legal, business and other risks in deciding what actions, if any, to take. The situation in Triple Play, and other activity in social media, provide good reason for companies to be better prepared and to have a plan. Many companies may already have a crisis management plan or a communications policy, but those plans and policies need to reflect the nuances of social media and other factors, such as who is engaging in the activity and what information is being communicated.

Here are some basic questions/issues that should be considered in any plan, which are by no means exhaustive:

  • Should we have resources proactively monitoring social media activity and communications that potentially affect the company, and what limitations should there be on that monitoring?
  • Who in the company should receive initial reports of a potential problem?
  • Who should be involved in the investigation? Do we need third-party forensic expertise?
  • Do we have insurance coverage for the particular incident?
  • How will the persons involved in the activity – employees, customers, bloggers, etc. – affect the process from a legal, business or other perspective?
  • How did we learn about, or get access to, the activity – was it permissible under the Stored Communications Act (SCA), the Electronic Communications Privacy Act (ECPA), or state laws concerning social media passwords?
  • Is the information being communicated accurately?
  • Are we acting consistent with our own privacy and other policies in connection with the investigation?
  • Is the activity/communication protected – protections may exist under the First Amendment, the NLRA, whistleblower laws, or other sources?
  • Do we need to respond? How have we responded in the past to similar situations? Will a response only make things worse? If a response is warranted, what should it be?
  • What can we learn from this incident in order to avoid incidents like this in the future?

A little planning can go a long way toward minimizing mistakes and getting better results when companies face urgent situations that require immediate action.

With the proliferation of wage and hour litigation, especially in Florida, which has the highest number of Fair Labor Standards Act (“FLSA”) cases filed annually nationwide, employers have sought better ways to track employee work time in anticipation of defending against unpaid overtime claims. Additionally, employers have used monitoring devices in hopes of increasing efficiency, addressing safety concerns, ensuring compliance with company policies, protecting employer-owned property, and improving customer service. One such monitoring method is the installation of global positioning system (“GPS”) devices on equipment such as vehicles, cellular phones, laptops, and iPads.

Few courts have addressed the issue of GPS tracking in the employment context, although most have held that employers may use tracking devices on company-owned equipment where the employee does not have a reasonable expectation of privacy in its use. Several states (California, Minnesota, Tennessee, and Texas) have laws preventing the use of mobile tracking devices to track other individuals. Common exceptions to these laws include the consent of the owner of the device or vehicle to which a tracking device is attached.

In addition to notice and consent, employers should consider whether employees have a reasonable expectation of privacy when using the equipment on which the GPS device is to be attached or installed. A balance needs to be struck between the employee’s expectation of privacy, the reasonableness of the intrusion upon that privacy (i.e., being tracked by the employer), and the employer’s legitimate business purpose for utilizing the tracking device. These considerations are heightened when the device is attached to an employee’s personal property or to company-owned equipment that the employee uses or transports after work hours and the tracking system continues to record such after-hours usage.

Tracking employees during non-work hours can be an invasion of the employee’s privacy, whether the tracking is done via employer-owned or employee-owned equipment. When the device tracks non-work time, such as during the evenings, weekends, and when the employee is on vacation, the employer may gain private information about an employee that would be considered an invasion of the employee’s personal privacy. For example, an employer may find out that an employee travels each day after work to a dialysis center; that the employee has a pattern of visiting gambling facilities; the employee’s travel habits; where and how often the employee shops; the number of restroom breaks an employee takes during the day; the employee’s eating habits; the employee’s religious service attendance patterns or schedule; etc. Not only does obtaining and acting upon such information potentially lead to employee claims of an unreasonable invasion of privacy, but it could also lead to claims of discrimination or wrongful termination based upon off-duty conduct (where such claims are permitted under state law, such as in New York).

Thus, information collected through GPS monitoring should be focused on an employee’s job performance and disseminated only to employees who have a legitimate business reason for knowing the information. The tracking should be limited to legitimate business purposes and conducted only during working hours, and only after the company has addressed the employee’s expectation of privacy. Policies should be carefully drafted to explain the legitimate business purpose, the circumstances under which monitoring will take place, notice of the company’s right to monitor employee actions while using company-owned property, the GPS monitoring capabilities of the company-issued property, and that employees should not have an expectation of privacy while using the same. For employee-owned equipment, employers should have a carefully drafted Bring Your Own Device policy that provides for employee consent to use of the tracking device on the employee’s equipment, and that carefully limits tracking to times when the employee is working.

As previously reported, in a March 2014 filing titled H.W. v. Sterling High School District, a New Jersey high school student filed suit claiming school officials had violated her constitutional rights when they punished her for content she posted on Twitter which criticized Sterling High School’s principal.

The settlement, which was approved by the Sterling High School District in April and entered by the Court on July 29, 2014, provides that the district will reimburse the student $9,000 for her legal fees.   However, the district will not pay additional damages to the student.  In addition, the school district agreed to revoke punishments imposed against the student for her Twitter postings, expunge documents related to the incident from the student’s academic record, and abandon its attempted requirements for drug testing of the student.  Specifically, the agreement provides that the student is eligible for graduation upon completion of outstanding assignments, is allowed to attend the senior class trip to Florida, and if the student does not seek press coverage or disclose the settlement terms she will be allowed to participate in prom and the graduation ceremony.

Beyond agreements directly between the school district and the student, the settlement also calls for the school to modify its student handbook to specify that administrators “may be monitoring student discussions on Facebook, Twitter or other social media outlets and may seek to impose penalties in accordance with the student code of conduct if such discussions cause a substantial disruption at the school.”