Most employers are well aware that potential liability lurks if information is disclosed to third parties without authorization. Obvious examples include employee or applicant health or financial information, or personal information such as Social Security numbers and the like.

In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when disclosure of requested information was incomplete.

In Larson v. The Northwestern Mutual Life Insurance Company, CMInformation Specialists, Inc., Minnesota Supreme Court, No. A13-0186, October 22nd, 2014, Larson sued Northwestern Mutual for death benefits related to her deceased husband’s life insurance policy. Northwestern Mutual denied death benefits on the grounds that her husband had not been forthcoming regarding a prior heart-related condition when he completed the life insurance application years earlier. Northwestern Mutual maintained it would not have written the policy if it had been aware of the cardiac condition.

Larson also sued CMInformation Specialists, Inc. (CMI), which Northwestern Mutual had retained to gather all relevant medical records relating to Larson’s husband during the policy application process. The records CMI gathered were apparently incomplete: the cardiac-related medical records were never provided to Northwestern Mutual. Larson claimed that had CMI provided all of the requested records, Northwestern Mutual would have known of the heart condition when it issued the policy and therefore would not have been in a position to deny the death benefits at issue.

Larson sued CMI on the specific legal grounds that it had violated a Minnesota statute relating to the authorized production of a patient’s medical records. CMI argued that the Minnesota statute in question imposed liability only for the unauthorized disclosures of medical records and therefore did not provide a cause of action when an entity gathering medical records fails to disclose all of the records authorized for release.

Ultimately, the Court found in favor of CMI, holding that no unauthorized records had been disclosed. The Court held that liability under the specific Minnesota statute only arose when the disclosing entity actually discloses an unauthorized health record.

Although no liability for an incomplete disclosure was found in this case, it does not take a stretch of logic to apply the same question to other situations. What if an employer does not provide all requested information or records in response to a reference request that is accompanied by a consent? What if an employer provides incomplete responses to a payroll information request from a lending institution? What if an employer does not provide all of the information requested by a subpoena in a collateral legal proceeding? Generally, employers are most concerned about providing more information than is authorized. Employers should also consider that, in some instances, providing incomplete information in response to a request may create liability of its own.

Thanks to a new state law enacted to protect minors from the modern follies of youth, minors in California can ring in the New Year by deleting their regrettable online posts. This so-called “Online Eraser Law” – signed by Governor Jerry Brown on September 23, 2013 – takes effect on January 1, 2015.

The “Online Eraser Law” provides protections to minors, defined as California residents under age 18, including the right to “erase” content or information they post online. The law imposes specific obligations on operators of Internet websites, online services, online applications, or mobile applications that are either directed to minors or that the operator has actual knowledge are being used by a minor who is a registered user. Such operators will be required to permit minors to remove, or to request and obtain removal of, such content or information; to notify minors of their right to do so; to provide clear instructions on how to exercise that right; and to notify minors that removal of the content or information does not ensure its complete removal.

This “Online Eraser Law” is not likely to be a foolproof method of achieving the goal of protecting minors from themselves. While it provides a means to remove content or information they personally posted, it does not apply to content or information posted or shared by others.

This law also contains protections for minors from certain marketing practices, including protecting them from being targeted by marketing of an enumerated list of products and services, such as alcohol, tobacco, drugs, firearms, tattoos, and other things deemed inappropriate for minors.

Although the law is not targeted specifically to employers, its seemingly broad application may have a far-reaching impact. Employers therefore need to determine whether they fall within the scope of the law and, for those who do, must ensure policies and practices are in place to comply with its requirements and constraints. A thorough review of online privacy policies and procedures is recommended.

Just before the tricks and treats began, the FCC issued an order about another tricky practice—junk faxes.  On October 30, 2014, FCC confirmed that all fax ads must contain an opt-out provision and comply with the rules set out in FCC’s 2006 Junk Fax Order.  There is a six-month window for companies to come into compliance.

The rule requires that faxes sent to recipients who have provided “a prior express invitation or permission to the sender” include an opt-out notice that:

  • Is clear and conspicuous and appears on the first page of the ad;
  • States that the recipient may request that the sender send no further ads, and that failure to comply with such a request within 30 days is unlawful; and
  • Contains a domestic contact telephone number and fax number to which the recipient can send an opt-out request.

Faxes sent pursuant to an established business relationship must also meet these requirements. A notice that fails any one of the three elements does not satisfy the rule.

The October 25, 2014 issue of the Economist, a U.K. business news periodical, contains a tongue-in-cheek guide to “skiving,” which apparently is the British word for shirking on the job. The piece highlights the challenge and the opportunity that new technology creates for employees who would rather pretend to work than work. It notes:

[I]nformation technology is both the slacker’s best friend and deadliest enemy. The PC is custom-made for the indolent: you can give every impression of being hard at work when in fact you are doing your shopping, booking a holiday or otherwise frolicking in the cyber-waves. And thanks to mobile technology you can now continue to frolic while putting face time in meetings. . . . But there is a dark side to IT: one estimate suggests that 27 [million] employees around the world have their internet use monitored. Dealing with this threat requires vigilance: do everything you can to hide your browsing history. It may also require something that does not come naturally to skivers: political activism. Make a huge fuss about how even the smallest concessions on the principles of absolute data privacy will create a slippery slope to a totalitarian society. Skiving is like liberty: it can flourish only if Big Brother is kept at bay.

– A guide to skiving, The Economist, Oct. 25, 2014.

From the nation that gave us George Orwell, the point is well made. For many jobs, shirking is becoming more difficult. Good news for employers. Increasing productivity is probably the number two motivation for employee monitoring after protection of assets, data, and trade secrets. New privacy legislation at the state level in the U.S., however, means that employers need to be careful about how and what they monitor, and provide proper notice when required. Increasingly sophisticated employee monitoring may also mean dark days ahead for slackers, which perhaps takes out just a little of the human element of the workplace, even if it increases worker productivity overall.

Following up on our recent post on the subject, I had the opportunity to speak with Colin O’Keefe, Editorial Manager-LexBlog, on the FCC’s first foray into policing a cybersecurity incident. In the brief video interview, I explain what happened and what it could mean going forward.  Special thanks to Colin, and LXBN TV, for the opportunity.

Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data subjects in the countries in which data processors or controllers do business, or where the data subject resides. These issues give rise to data transfer laws across geographic boundaries.

On October 28, the Federal Communications Commission (FCC) announced that it is joining fifty other countries and its fellow U.S. agency, the Federal Trade Commission (FTC), in the Global Privacy Enforcement Network (GPEN). The FCC’s and FTC’s participation in the group grows out of a 2007 Recommendation on Cross-Border Cooperation in the Enforcement of Laws Protecting Privacy, adopted by the Organisation for Economic Co-operation and Development (OECD).

This is a development employers, especially those with international human resources information systems (HRIS) that are stored in the cloud, should follow. We do not yet have a full understanding of how the GPEN will function. However, industry press believes that increased focus on international data protection by two of the U.S.’s largest data privacy and security regulators could portend tighter auditing of those functions at home.

The GPEN will include, but not be limited to, the following sovereign nations in addition to the U.S.: Australia, Canada, France, Germany, Israel, Ireland, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. FTC officials have said they hope to reduce the number of unfair and deceptive trade practices relating to privacy and cybersecurity.

Participating organizations, in addition to the FTC and FCC, include the European Union, the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada, the Dutch Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés of France, the Federal Data Protection Authority of Germany, the Federal Institution for Access to Information and Data Protection of Mexico, and the Office of the Privacy Commissioner of New Zealand.

Employers with HRIS or other cloud-based systems that process data abroad should assess the risks created by data transfer rules both in the U.S. and in their other host countries. The FTC’s and FCC’s move in joining GPEN is just one of many “nods” from U.S. and foreign regulators that they are examining data handling at home and abroad.

On October 24, 2014, the Federal Communications Commission (FCC) announced its intention to fine two telecom companies $10 million for several violations of laws protecting the privacy of phone customers’ personal information.  This marks the FCC’s first data security case and the largest privacy action in the FCC’s history.

According to the FCC, TerraCom, Inc. and YourTel America, Inc. stored Social Security numbers, names, addresses, driver’s license information, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.  The information was collected in connection with eligibility verification for the Lifeline program, the government’s telephone subsidy program for low-income Americans.  Through these lax security practices the companies allegedly exposed the personal information of over 300,000 consumers.

The privacy policies for the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.”  Nevertheless, the FCC asserts that from September 2012 through April 2013, the sensitive information they collected was accessible via the Internet and readable by anyone.  Importantly, the FCC also took issue with the fact that even after learning of the security breach, the companies allegedly failed to notify all potentially affected consumers, depriving those consumers of any opportunity to protect their personal information from misuse.

The FCC alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act.  Specifically, the carriers had an alleged duty to protect the information, and the companies’ failure to do so constitutes an unjust and unreasonable practice in violation of the Act, as their data security practices lacked “even the most basic and readily available technologies and security features…”  Similarly, the FCC alleges that the companies’ deceptive and misleading representations about customer privacy protections, and their subsequent failure to notify, constitute unjust and unreasonable practices as well.

Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said, “Consumers trust that when phone companies ask for their…personal information, these companies will not put that information on the Internet or otherwise expose it to the world….When carriers break that trust, the [FCC] will take action to ensure that they are held accountable…”

Effective management of an Ebola infection in your business can be dramatically enhanced by some careful planning. If you are addressing safety and health issues, questions about whether an employee should come to work (or employees who don’t want to come to work because of a belief there is an infected employee there already), or privacy issues relating to persons who may have been infected with Ebola, having thought through some of the key legal requirements and principles and other considerations can help you to make measured decisions more quickly. Our privacy group has been coordinating with other key practice groups at our Firm to develop resources and gather and communicate insights that may be helpful to clients and others as they consider steps they should take to be prepared for an Ebola infection in their workplace.

In addition to a high level summary of key issues, three of us sat down today to discuss some of the key considerations in this area, with an overriding theme of Ebola preparedness. You can access our conversation here. Of course, as noted during our discussion, your particular circumstances, industry, location and so on will shape the course of action that is best for you and in line with your risk tolerances. In addition, as we receive more information about Ebola from public health agencies and guidance from other federal and state agencies, the steps you planned to take may need to be modified.

We hope you enjoy our discussion.

An employer had no cause of action under the Computer Fraud and Abuse Act (“CFAA”) against an employee who accessed its computer systems to misappropriate confidential and proprietary business information to start a competing business, the U.S. District Court for the Southern District of Ohio has held. Cranel Inc. v. Pro Image Consultants Group, LLC, 2014 U.S. Dist. LEXIS 137347 (S. D. Ohio Sept. 29, 2014).

The employer alleged that the employee emailed himself certain Microsoft Excel, Microsoft Word and PDF files containing the employer’s confidential, proprietary, or trade secret information and convinced a co-worker to send him a proprietary pricing tool that he could not access. The employer claimed that this employee and his competing business violated, among other things, subsection (a)(2)(C) of the CFAA, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]… information from any protected computer.”

Judge James Graham recognized that courts across the country have struggled with whether a valid CFAA claim exists where an employee accesses his employer’s computer to misappropriate confidential information. Judge Graham noted a split in opinion on the issue, with some courts construing “without authorization” and “exceeding authorized access” broadly and others interpreting these words narrowly, holding that once an employee is granted access to the employer’s computer system, he does not violate the CFAA regardless of how he subsequently uses the information. The court determined the narrow interpretation was more appropriate in light of the CFAA’s definition of “exceeds authorized access.”

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. §1030(e)(6). The court cited LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), with approval and found that an employee authorized to access the employer’s computer systems does not exceed that authorization, as defined under the CFAA, unless he accesses information on the computer that he is not permitted to access.

Based on its narrow interpretation of the statute, the court found the employer failed to state a claim under the CFAA because the employee had authorization to access the confidential and proprietary documents that he later emailed to himself, even if he used the documents for an improper purpose. Additionally, because the employee did not access the proprietary pricing tool himself (he persuaded a colleague who had access to the tool to send it to him), he did not “exceed his authorization.”

The lesson for employers is that, under this reading, the CFAA boundary is drawn by what an employee can technically reach, not by how the employee later uses it. Employers should therefore restrict access to confidential and proprietary information on their systems to employees with a business need for it, and should make sure that appropriate security measures are in place to prevent employees from sharing that information with co-workers who lack such access without prior approval.
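As an added illustration (not part of the original post, and not the tooling of any employer or party in the case), the following Python models the two controls that paragraph recommends against facts like those in Cranel: a deny-by-default, need-to-know entitlement check, and a review of outbound mail-gateway records that flags confidential files mailed to an outside address or forwarded internally to a colleague who is not entitled to them without a recorded approval. Every user, role, file name and log line below is constructed for the example; the log format is assumed.

```python
"""Need-to-know access checks plus a review of outbound mail for confidential
attachments. Added illustration only: all names, roles, files and log lines
are constructed, and the 'from=.. to=.. attach=..' log format is assumed."""

from dataclasses import dataclass

# Files holding confidential, proprietary or trade-secret information.
CONFIDENTIAL = {"customer_list.xlsx", "margin_analysis.docx", "pricing_tool.xlsm"}

# Entitlements by role. Only roles with a business need for a file list it;
# anything not listed is denied (assumed roles, not from the case record).
ROLE_ENTITLEMENTS = {
    "sales_rep": {"customer_list.xlsx", "margin_analysis.docx"},
    "pricing_analyst": {"customer_list.xlsx", "margin_analysis.docx", "pricing_tool.xlsm"},
    "hr": set(),
}

USER_ROLES = {
    "departing.rep@example.com": "sales_rep",
    "helpful.colleague@example.com": "pricing_analyst",
}


def is_entitled(user: str, filename: str) -> bool:
    """Deny by default: a user may obtain a confidential file only if the
    role they hold lists it. Files outside CONFIDENTIAL are unrestricted."""
    if filename not in CONFIDENTIAL:
        return True
    role = USER_ROLES.get(user)
    return filename in ROLE_ENTITLEMENTS.get(role, set())


@dataclass
class MailEvent:
    sender: str
    recipient: str
    attachment: str


def parse_mail_log(lines):
    """Parse constructed gateway lines 'from=<a> to=<b> attach=<file>'."""
    events = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append(MailEvent(fields["from"], fields["to"], fields["attach"]))
    return events


def review_outbound_mail(lines, internal_domain="example.com", approved_shares=()):
    """Flag the two patterns the case turns on:
    1. external_exfil: a confidential file mailed outside the company
       (the employee who e-mailed documents to himself);
    2. unapproved_internal_share: a confidential file forwarded to a
       colleague who is not entitled to it (the co-worker who sent along
       the pricing tool), unless that share was pre-approved.
    Returns a list of (finding, sender, recipient, attachment) tuples."""
    findings = []
    for ev in parse_mail_log(lines):
        if ev.attachment not in CONFIDENTIAL:
            continue
        share = (ev.sender, ev.recipient, ev.attachment)
        if not ev.recipient.endswith("@" + internal_domain):
            findings.append(("external_exfil",) + share)
        elif not is_entitled(ev.recipient, ev.attachment) and share not in approved_shares:
            findings.append(("unapproved_internal_share",) + share)
    return findings


# Constructed sample log mirroring the fact pattern described above.
SAMPLE_LOG = [
    "from=departing.rep@example.com to=departing.rep@personal-mail.example attach=customer_list.xlsx",
    "from=departing.rep@example.com to=departing.rep@personal-mail.example attach=lunch_menu.pdf",
    "from=helpful.colleague@example.com to=departing.rep@example.com attach=pricing_tool.xlsm",
    "from=helpful.colleague@example.com to=departing.rep@example.com attach=margin_analysis.docx",
]

if __name__ == "__main__":
    for finding in review_outbound_mail(SAMPLE_LOG):
        print(finding)
```

Run on the constructed log, the review reports the mailing of `customer_list.xlsx` to the personal address and the forwarding of `pricing_tool.xlsm` to a user whose role does not list it; the lunch menu and the in-entitlement `margin_analysis.docx` forward are ignored. The design point follows from the court's reading: because exceeding authorization is measured by what the employee is permitted to reach, it is the entitlement table (what `is_entitled` enforces) rather than an acceptable-use policy that defines the line, and the mail review is what surfaces a co-worker stepping over it on someone else's behalf.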

A New York Times article earlier this week reported that top officials at the Treasury Department have identified a key area for strengthening data security – third-party service providers. Reuters reported that on Tuesday of this week New York State Department of Financial Services superintendent Benjamin Lawsky sent a letter to a number of banks inquiring about the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”

In his letter, according to the Reuters report, Mr. Lawsky asked banks to provide “any policies and procedures governing relationships with third-party service providers.”

These actions follow the run of recent large-scale data breaches that have plagued many large U.S. companies, including those in the financial services sector. The exposure that vendors create is nothing new. For example, we discussed it in the context of the Massachusetts data security regulations and have seen similar concerns raised and instances of vendor breaches in other sectors such as education and healthcare. But the renewed attention now being paid to this exposure in the financial services sector may result in the need for more effort in this area for all businesses.

Of course, there are a number of laws and best practices that already address vendor security. For example, HIPAA covered entities are familiar with the “business associate agreements” they must have in place with many of their third-party service providers. A number of states, including California, Massachusetts and Maryland, also require businesses that share residents’ personal information with third-party service providers to have a written agreement in place with each of those providers to safeguard that information.

What more could be coming?

That remains to be seen, but there are a number of steps businesses can take to enhance vendor privacy and security in addition to negotiating an agreement concerning data security. Some high-level examples include:

  • Include the vendor in your risk assessment process, and understand what the vendor’s own risk assessment process involves.
  • Meet with the vendor’s IT lead, but also with others in the vendor’s organization – legal, accounting, HR, sales, etc. This will give you a better sense of the culture of privacy and security at the vendor.
  • Review the vendor’s policies and procedures, including how often its employees are trained.
  • Require the vendor to submit to an independent data security audit or review.
  • Ask the vendor about its data breach response plan and how often it is practiced, and include the vendor when you practice your own response plan.
  • Regularly reevaluate the vendor in this area, particularly when there are changes in technology, in your business, in the vendor’s business, or in the services received from the vendor.

This is not an exhaustive list, and each step could be fleshed out more or less depending on the risk the vendor presents. The point is that because of the critical role vendors play, and the information they have access to (which may include not just personal information but also company proprietary data), the measures taken to protect that data should be comparable.