Add Oklahoma to the list of states prohibiting employers from requesting or demanding access to the personal social media accounts of employees or applicants. Signed into law by Gov. Mary Fallin, H.B. 2372 becomes effective November 1, 2014.

In addition to being prohibited from requesting or demanding usernames or passwords from employees or applicants to their personal social media accounts, the new law makes clear that Oklahoma employers cannot demand that employees or applicants access those accounts in the presence of the employer, allowing the employer to see the contents of those accounts. As in other states with similar laws, employees and applicants who refuse to provide access to their personal social media accounts generally cannot be fired, disciplined, denied employment, or otherwise penalized.

Employers may, however, request or demand access information for information systems or electronic communications devices owned or subsidized by the employer, as well as for any accounts or services provided by the employer “or that the employee uses for business purposes.” It will be interesting to see whether this language will be interpreted to apply to accounts such as LinkedIn, which employees might use for business purposes – e.g., connecting with customers or clients of the employer. The Act also does not prohibit employers from engaging in certain investigations, such as where the employer has specific information about activity on the employee’s personal social media account and the investigation is for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.

The law protects Oklahoma employers from inadvertently acquiring the access information for employee personal social media accounts, so long as the employer does not use that information to access the accounts. However, the law states:

Neither this section nor any other Oklahoma law shall prohibit an employer from reviewing or accessing personal online social media accounts that an employee may choose to use while utilizing an employer’s computer system, information technology network or an employer’s electronic communication device.

So, while employers cannot ask employees for their usernames or passwords to personal social media accounts, it appears employers can monitor the activities and communications of employees made in their personal social media accounts when the employees access those accounts through employer-provided information systems, networks or devices. Employers should exercise caution here, as federal law and the laws of other states, such as the Stored Communications Act, may be triggered.

Employers may have legitimate needs to access employee or applicant personal social media or other online accounts – such as in cases involving theft of trade secrets, disclosures of confidential information and other reasons. However, as these state laws develop, employers will need to be careful in determining which law applies and what the applicable law permits them to do, particularly for larger multi-state employers.


Baltimore, MD has joined the growing list of cities and states around the country implementing “ban the box” legislation.  “Ban the box” legislation restricts inquiries regarding an applicant’s criminal history on applications for employment and during job interviews.  The EEOC recommends “banning the box” believing the use of conviction records excludes applicants and can disparately impact minorities.

The Baltimore Ordinance prohibits employers (who employ 10 or more full-time employees in the city of Baltimore) from doing any of the following at any time before a conditional offer of employment has been made: requiring an applicant for employment to disclose or reveal whether he or she has a criminal record or otherwise has had a criminal accusation brought against her or him; conducting a criminal-record check on the applicant; or otherwise making an inquiry of the applicant or others about whether the applicant has a criminal record or otherwise has had criminal accusations brought against her or him.

While many “ban the box” laws only apply to public employers, more and more jurisdictions have passed these laws applying to private employers.  For example, the states of Hawaii, Massachusetts, Minnesota, and Rhode Island have such laws, while the cities of Buffalo, NY, Newark, NJ, Philadelphia, PA, and San Francisco, CA have also enacted “ban the box” laws.  While these jurisdictions currently have laws on the books, similar legislation is pending in numerous states and cities throughout the country.

With an effective date of August 13, 2014, employers with operations in Baltimore, MD need to review their hiring processes to determine what, if any, changes will need to be made to comply.

As we previously reported, the Florida legislature was considering joining numerous other states which have banned employers from requesting or requiring access to current or prospective employees’ social media accounts.

Senate Bill SB198, which was entitled “An Act Relating to Social Media Privacy,” has died in committee. As such, Florida will not be joining the other states which have already enacted similar laws. Those states include Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont and Washington.

At this stage, it is unclear whether a new bill will be proposed, but it appears that the efforts to prohibit such employer activity in 2014 have failed.

Effective January 1, 2015, Tennessee employers, including government entities, will be prohibited from requesting or requiring access to the private social networking or online accounts of employees and job applicants under the Volunteer State’s “Employee Online Privacy Act of 2014,” signed by Governor Bill Haslam. Our Tennessee colleagues outline the key provisions of the law, including some of the key exceptions.

The exceptions will be helpful for employers. For example, some of them permit employers to:

  • request or require a username or password to access an electronic communications device supplied by or paid for wholly or in part by the employer, as well as to access an account or service provided by the employer and obtained by virtue of the employment relationship or used for the employer’s business purposes;
  • monitor, review, access, or block electronic data stored on an electronic communications device supplied by or paid for wholly or in part by the employer, or stored on an employer’s network, in accordance with state and federal law; and
  • view, access, or use information about an employee or applicant that can be obtained without violating the prohibited conduct, or information that is available in the public domain.

There are other exceptions in the Tennessee law, but not all of the same exceptions exist in the laws enacted in the other states across the country, such as Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Washington, and more recently in Wisconsin. Employers will need to be careful in navigating these laws nationwide. At the same time, as more employers explore BYOD and other monitoring technologies, including spyware and keylogging, they will need to consider the risks those practices and technologies may present under statutes like the one in Tennessee.

You’ve just finished your email, electronic communications, social media and/or BYOD policies for employees assuming, among other things, that you did not have to permit employees to use company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act. You might have been safe to assume that because, since 2007, as our Labor Group reports, under the Register Guard decision, the National Labor Relations Board took the position that “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.” The Board is considering changing that position, however, and is inviting input on whether to do so. You will have to act fast if you want to influence this decision, our Government Affairs Group points out, as the deadline for doing so is June 16, 2014.

Over the past few years, more employers have begun to develop policies to address employee electronic communications. There are, of course, many issues an organization must consider when crafting such policies, regardless of whether those policies are directed at company-provided email, the movement to “bring your own device” or “BYOD,” activity in social media, or managing employees’ expectation of privacy when using company-provided systems. By no means an exhaustive list, these issues include cost, productivity, safeguarding personal/company confidential information, protecting trade secrets, avoiding impermissible endorsement of company products and services, eliminating harassment and discrimination on company systems, managing email volume, and record keeping and destruction.

Adding to this array of legal, compliance, technical, employee relations and other issues affecting e-communications by employees, the right of employees to use company-provided systems to advance a union’s purposes, among other types of protected concerted activity, could further complicate an increasingly challenging task for employers. For instance, many employers monitor company email for a variety of purposes, such as protecting sensitive data from improper disclosure, customer service, compliance requirements, managing productivity, and protecting against discrimination. If the NLRB gets its way, employers will need to be much more careful in how they monitor their own systems, and perhaps decide whether and to what extent they should continue to monitor and how management responds to certain monitored communications that violate company policies.

One might ask whether this intrusion into company-owned equipment is even necessary given the ubiquity of personal devices and widespread internet and social media access. Consider one of the areas the Board seeks input on:

Do employee personal electronic devices (e.g., phones, tablets), social media accounts, and/or personal email accounts affect the proper balance to be struck between employers’ rights and employees’ Section 7 rights to communicate about work-related matters? If so, how?

Some may believe that a balance already exists at this point, given the widespread adoption of communications technologies, together with the significant and expected growth of BYOD programs in more workplaces. We’ll just have to wait and see.

The Minnesota House of Representatives introduced a bill in late February to strengthen Minnesota’s current data breach notification law, Minnesota Statutes Section 325E.61. The bill,  House File No. 2253, was authored by Representative Dan Schoen.  It would require notification within 48 hours to all individuals whose unencrypted personal information has been breached.  The current statute requires notification only in the most expedient time possible and without unreasonable delay.  The proposed amendments also expand the notification requirement to “any individual” instead of “any resident of this state” who is affected.  Other amendments include a requirement to provide credit monitoring and a unique provision that states that if the business required to give notice is a retailer or wholesaler of consumer goods or services, the business must provide a $100 gift card to each individual whose unencrypted personal information was breached. The amendment would also require a business required to give notice to reimburse affected individuals for any charges or fees incurred as a result of the breach.

Minnesota was the epicenter for one of the largest retailer-based data breaches at the beginning of this year. The Minnesota Senate has yet to take action on the bill, and the current session is scheduled to end in late May, so passage is still up in the air. If the Minnesota law is amended, we will update you here.

On the heels of recent nationwide data breaches of consumer personal information, the Florida State Senate has proposed SB 1524, which if adopted will become effective on July 1, 2014, to revamp and replace existing state data security law and, in particular, impose a statutory requirement to safeguard personal information, to report a breach to the attorney general, and to meet other affirmative obligations. In doing so, Florida follows recent similar legislative developments made in California, New Mexico, Iowa, and Kentucky.

Existing law provides that any person who conducts business in the state of Florida and maintains computerized data in a system which includes personal information (an individual’s first name or initial and last name, in combination with: (i) a social security number; (ii) a driver’s license or identification card number; or (iii) an account number, credit or debit card number in combination with any required security code or password to access the account) shall provide notice of a security breach of the system to all affected individuals without unreasonable delay but not later than forty-five (45) days following determination of the breach. Notification is not required if, after an appropriate investigation or after consulting with relevant law enforcement, the person conducting business in the state reasonably determines that the breach has not and will not likely result in harm to the individuals whose personal information has been acquired and accessed. This determination must be documented in writing and maintained for five (5) years.

The bill proposes the following significant changes to existing law:

  • Borrowing from a recent change to the law in California, the term personal information would also include an individual’s user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
  • Clarification that a covered entity means a sole proprietor, partnership, corporation, estate, cooperative association or any other commercial entity that acquires, maintains, stores, or uses personal information.
  • In the event of a data breach affecting 500 or more Floridians, written notice to the Attorney General would be required no later than thirty (30) days after the determination that a breach has occurred or reason to believe one occurred. Additionally, upon request, a covered entity would be required to provide to the Attorney General a copy of its policies in place regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
  • Notice to individuals would be required as expeditiously as possible, but no later than thirty (30) days from discovery of the breach, when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
  • Notice is not required if, after the covered entity conducts an appropriate investigation and consults with relevant law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to affected individuals. This determination must be documented in writing, maintained for at least five (5) years, and provided to the Attorney General within thirty (30) days after the determination has been made.

All businesses maintain personal information in some form on the individuals they employ and those with whom they conduct business. Because data breaches are becoming more prevalent and continue to raise risks of identity theft and other issues for individuals, states like Florida are stepping up their enforcement efforts on behalf of their state residents. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.


Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolution agreements, as they are instructive in handling a key area of risk for just about any such organization – electronic mobile devices – which are frequently lost or stolen, and not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, although Concentra identified the lack of encryption as a risk, OCR determined that it failed to adequately remediate or manage that risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine encryption is not reasonable and appropriate, implement an equivalent alternative measure (or measures) to encryption, if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions, including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.
  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.
  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.

Norton Rose Fulbright recently released the results of its 9th annual litigation trends survey. The Fulbright survey reflects information collected from 392 in-house attorneys, including 82% identifying themselves as general counsel and 14% as head of litigation. Additionally, the companies responding to the survey represent virtually all industries, include entities of all sizes, and are almost evenly split between public and private.

Notably, the survey addressed several key areas of workplace privacy.  Specifically:

  • Privacy & Data Protection: Nearly one-third of all respondents encountered issues involving privacy and/or data protection in disputes or investigations in the past 12 months. Issues arose most frequently in the context of collecting data from company equipment and from employees’ personal equipment. Companies were also concerned about the use of third-party vendors to collect and process data.
  • Cloud Computing: One-third of responding companies utilized the cloud. Of those companies, a third have had to preserve or collect data from the cloud in connection with actual or threatened disputes or investigations.
  • Employees & Social Media: About one-fifth of all companies responding had to preserve or collect data from an employee’s personal social media account in connection with a dispute or investigation. But only 9% of U.S. companies reported having to actually produce, as part of discovery, information stored on social media.
  • Mobile Data: 41% of U.S. companies have had to preserve or collect data from an employee’s mobile device for a dispute.

We have previously addressed each of the issues above, and highlighted many of them in our Top 14 for 2014.  We can expect as technology continues to grow and advance that its reach will continue to extend into the litigation arena, and companies will need to be proactive in addressing these issues.