You’ve just finished your email, electronic communications, social media and/or BYOD policies for employees assuming, among other things, that you did not have to permit employees to use company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act. You might have been safe in that assumption because, since 2007, as our Labor Group reports, under the Register Guard decision, the National Labor Relations Board has taken the position that “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.” The Board is considering changing that position, however, and is inviting input on whether to do so. You will have to act fast if you want to influence this decision, our Government Affairs Group points out, as the deadline for doing so is June 16, 2014.

Over the past few years, more employers have begun to develop policies to address employee electronic communications. There are, of course, many issues an organization must consider when crafting such policies, regardless of whether those policies are directed at company-provided email, the movement to “bring your own device” or “BYOD,” activity in social media, or managing employees’ expectation of privacy when using company-provided systems. By no means an exhaustive list, these issues include cost, productivity, safeguarding personal/company confidential information, protecting trade secrets, avoiding impermissible endorsement of company products and services, eliminating harassment and discrimination on company systems, managing email volume, and record keeping and destruction.

Adding to this array of legal, compliance, technical, employee relations and other issues affecting e-communications by employees, the right of employees to use company-provided systems to advance a union’s purposes, among other types of protected concerted activity, could further complicate an increasingly challenging task for employers. For instance, many employers monitor company email for a variety of purposes, such as protecting sensitive data from improper disclosure, customer service, compliance requirements, managing productivity, and protecting against discrimination. If the NLRB gets its way, employers will need to be much more careful in how they monitor their own systems, and perhaps decide whether and to what extent they should continue to monitor and how management responds to certain monitored communications that violate company policies.

One might ask whether this intrusion into company-owned equipment is even necessary given the ubiquity of personal devices and widespread internet and social media access. Consider one of the areas the Board seeks input on:

Do employee personal electronic devices (e.g., phones, tablets), social media accounts, and/or personal email accounts affect the proper balance to be struck between employers’ rights and employees’ Section 7 rights to communicate about work-related matters? If so, how?

Some may believe that a balance already exists, given the widespread adoption of communications technologies together with the significant and expected growth of BYOD programs in more workplaces. We’ll just have to wait and see.

The Minnesota House of Representatives introduced a bill in late February to strengthen Minnesota’s current data breach notification law, Minnesota Statutes Section 325E.61. The bill, House File No. 2253, was authored by Representative Dan Schoen. It would require notification within 48 hours to all individuals whose unencrypted personal information has been breached. The current statute requires notification only in the most expedient time possible and without unreasonable delay. The proposed amendments also expand the notification requirement to “any individual” instead of “any resident of this state” who is affected. Other amendments include a requirement to provide credit monitoring and a unique provision that states that if the business required to give notice is a retailer or wholesaler of consumer goods or services, the business must provide a $100 gift card to each individual whose unencrypted personal information was breached. The amendment would also require a business required to give notice to reimburse affected individuals for any charges or fees incurred as a result of the breach.

Minnesota was the epicenter for one of the largest retailer-based data breaches at the beginning of this year. The Minnesota Senate has yet to take action on the bill, and the current session is scheduled to end in late May, so passage is still up in the air. If the Minnesota law is amended, we will update you here.

On the heels of recent nationwide data breaches of consumer personal information, the Florida State Senate has proposed SB 1524, which if adopted will become effective on July 1, 2014, to revamp and replace existing state data security law and, in particular, impose statutory requirements to safeguard personal information, report a breach to the Attorney General, and meet other affirmative obligations. In doing so, Florida follows recent similar legislative developments in California, New Mexico, Iowa, and Kentucky.

Existing law provides that any person who conducts business in the state of Florida and maintains computerized data in a system which includes personal information (an individual’s first name or initial and last name, in combination with: (i) a Social Security number; (ii) a driver’s license or identification card number; or (iii) an account number or credit or debit card number in combination with any required security code or password to access the account) shall provide notice of a security breach of the system to all affected individuals without unreasonable delay but not later than forty-five (45) days following determination of the breach. Notification is not required if, after an appropriate investigation or after consulting with relevant law enforcement, the person conducting business in the state reasonably determines that the breach has not and will not likely result in harm to the individuals whose personal information has been acquired and accessed. This determination must be documented in writing and maintained for five (5) years.

The bill proposes the following significant changes to existing law:

  • Borrowing from a recent change to the law in California, the term personal information would also include an individual’s user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
  • Clarification that a covered entity means a sole proprietor, partnership, corporation, estate, cooperative association or any other commercial entity that acquires, maintains, stores, or uses personal information.
  • In the event of a data breach affecting 500 or more Floridians, written notice to the Attorney General would be required no later than thirty (30) days after the determination that a breach has occurred or reason to believe one occurred. Additionally, upon request, a covered entity would be required to provide to the Attorney General a copy of its policies in place regarding breaches, steps taken to rectify the breach, and a police report, incident report, or computer forensics report.
  • Notice to individuals would be required as expeditiously as possible, but no later than thirty (30) days from discovery of the breach, when the individual’s personal information was, or the covered entity reasonably believes it was, accessed as a result of a breach.
  • Notice is not required if, after the covered entity conducts an appropriate investigation and consults with relevant law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to affected individuals. This determination must be documented in writing, maintained for at least five (5) years, and provided to the Attorney General within thirty (30) days after the determination has been made.

All businesses maintain personal information in some form on the individuals they employ and those with whom they conduct business. Because data breaches are becoming more prevalent and continue to raise risks of identity theft and other issues for individuals, states like Florida are stepping up their enforcement efforts on behalf of their state residents. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.


Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) reminds us in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolution agreements, as they are instructive for handling a key area of risk for just about any such organization: electronic mobile devices, which are frequently lost or stolen, and frequently not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, although Concentra had identified the lack of encryption as a risk, OCR determined that it failed to adequately remediate or manage that risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine that encryption is not reasonable and appropriate, implement an equivalent alternative measure (or measures) to encryption if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions, including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.
  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.
  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.

Norton Rose Fulbright recently released the results of its 9th annual litigation trends survey. The Fulbright survey reflects information collected from 392 in-house attorneys, including 82% identifying themselves as general counsel and 14% as head of litigation. Additionally, the companies responding to the survey represent virtually all industries, include entities of all sizes, and are almost evenly split between public and private.

Notably, the survey addressed several key areas of workplace privacy. Specifically:

  • Privacy & Data Protection: Nearly one-third of all respondents encountered issues involving privacy and/or data protection in disputes or investigations in the past 12 months. Issues arose most frequently in the context of collecting data from company equipment and from employees’ personal equipment. Companies were also concerned about the use of third-party vendors to collect and process data.
  • Cloud Computing: One-third of responding companies utilized the cloud. Of those companies, a third have had to preserve or collect data from the cloud in connection with actual or threatened disputes or investigations.
  • Employees & Social Media: About one-fifth of all companies responding had to preserve or collect data from an employee’s personal social media account in connection with a dispute or investigation. But only 9% of U.S. companies reported having to actually produce, as part of discovery, information stored on social media.
  • Mobile Data: 41% of U.S. companies have had to preserve or collect data from an employee’s mobile device for a dispute.

We have previously addressed each of the issues above, and highlighted many of them in our Top 14 for 2014. We can expect, as technology continues to grow and advance, that its reach will continue to extend into the litigation arena, and companies will need to be proactive in addressing these issues.

Iowa made changes to its breach notification law (Iowa Code § 715C.1 et seq.) when the state’s Governor, Terry Branstad, signed S.F. 2259 into law. The amendment makes the following key changes which become effective July 1, 2014:

  1. The existing law applies to “computerized” personal information. The amendment clarifies that this includes personal information maintained in any medium, including paper, transferred to that medium from computerized form. So, paper files printed from a computer that contain the elements that constitute personal information (e.g., name and Social Security number) can trigger a notification obligation under Iowa law. The breach notification statute in Indiana has a similar rule.
  2. For breaches that affect more than 500 residents of the state, the statute now requires that notice also be made to the Director of the Consumer Protection Division of the Office of the Attorney General, in addition to the affected individuals. A similar change was made in California.

The nuances of breach notification laws across the country continue to grow in number and further complicate responding to multi-state breaches. Whether a national standard will resolve this challenge remains to be seen. In the meantime, companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.


Kentucky Gov. Steve Beshear signed H.R. 232 on April 10, 2014, making the Commonwealth the 47th state to enact a data breach notification law. The law also limits how cloud service providers can use student data. A breach notification law in New Mexico may follow shortly.

Data Breach Notification Mandate

The Kentucky law follows the same general structure of many of the breach notification laws in the other states:

  • A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law refers only to “acquisition,” not “access,” and appears to have a risk-of-harm trigger.
  • The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.
  • “Personally identifiable information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number; (ii) driver’s license number; or (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • The notification required under the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met. For larger breaches, the law also contains substitute notice provisions similar to those in other states.
  • If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices. However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire, and New York.
  • The law excludes persons and entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Of course, covered entities, business associates and certain vendors have their own breach notification requirements.

Protections for Student Data In the Cloud

The law is designed to protect student data at educational institutions, public or private, including any administrative units, that serve students in kindergarten through grade twelve when stored in the “cloud”. We may see more of these kinds of laws, particularly in light of the Fordham Law School study on the topic. For purposes of this law, “student data” means

any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.

Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law.

Specifically, the law prohibits cloud computing service providers from “processing student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.” Processing is defined broadly; it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data.”

While the provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974, also known as “FERPA,” it may not use the data to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.” Finally, the provider may not sell, disclose, or otherwise process student data for any commercial purpose.


The United States Equal Employment Opportunity Commission (EEOC) recently held a meeting to gather information about the growing use of social media and how it impacts the laws the EEOC enforces.

During the meeting, a panel representative from the Society for Human Resource Management (SHRM) explained that employers use different types of social media for various reasons, including: employee engagement and knowledge-sharing; marketing to clients and potential customers; crisis management; and recruitment and hiring.

Others noted that while social media has benefits and can be a valuable tool, the improper use of information obtained from such sites may be discriminatory, since most individuals’ race, gender, age, disability, and possibly ethnicity can be discerned from information on social media sites. This is especially important in states which have prohibited employers from requesting access to employees’ or potential employees’ social media accounts.

Perhaps the most telling area discussed during the meeting was the increased use of social media as a source of discovery in employment discrimination litigation. While there appears to be no dispute that public social media content is accessible by all, a Senior Trial Attorney in the EEOC’s Denver Field Office warned that the increased effort to access potentially aggrieved persons’ private social media communications may have a chilling effect on persons seeking to exercise their rights under federal anti-discrimination laws.

The EEOC has often taken the position that social media content is not relevant, while many employers have utilized social media to gain valuable discovery, especially with regard to emotional distress damages. The EEOC’s position is now being mirrored at the state level, where plaintiffs assert that their social media content is not relevant. However, defendants (often employers) have benefited from obtaining social media content to dispute a plaintiff’s claims, especially when the defendant is able to demonstrate the relevance of the social media content to the litigation.

Social media, and especially the discovery of social media content, is one of the most important and ever-evolving areas of employment law. Litigants and employers must be prepared for the nuances associated with social media and the current state of the law in the local jurisdiction.

Employers faced with the inevitable task of terminating an employee’s employment often inquire whether to provide the employee with written reasons for the termination; or, if they are required to provide an explanation of the termination, they ask what should be included in the explanation. Except in a limited number of states (and except where an employment agreement provides otherwise), a written statement of reasons is not required. Indeed, the general rule of thumb is to not provide written reasons. Perhaps the employer in Peace v. Premier Primary Care Physicians, S.C., should have followed the rule of thumb. In a recent decision, a federal court in Illinois ordered the disclosure of patient contact information because the employer had indicated in its termination letter that patients complained about the plaintiffs.

In Peace, two former employees sued seeking unpaid overtime and damages for alleged retaliation. During discovery, plaintiffs sought the names and contact information of defendant’s patients. The basis for the request was that the termination letter said, among other things, “Patients have complained that you are rude and unhelpful to them on the phone and when they are in the office. Patients have reported not receiving reminder calls for their appointments.” The court noted that the letter contained other examples of patient complaints, but that none of the patients was identified. The employer objected to the disclosure of patient names contending that “their patients’ privacy rights outweigh the plaintiffs’ interest in obtaining discovery. . . .” The court rejected the employer’s argument and ordered the disclosure of the patient contact information noting that privacy concerns were minimal (since plaintiffs were not seeking actual medical records) and were outweighed by plaintiffs’ right to relevant discovery.

The fact that the court ordered disclosure of even limited protected health information highlights the importance the court attached to the contents of a written employment termination letter. A termination letter can become the proverbial “Exhibit A” should an employment claim be filed, at least in connection with requests for discovery. Anything contained in the letter will be the subject of scrutiny and discovery. Had the employer not provided the letter (or, provided a letter with a more general explanation), it is likely that the plaintiff would not have had such a focused target of discovery, one that in this case is likely to affect the practice’s business beyond its HR department. Of course, the information may have come out at some point in the case, but by that time, it may have been late in discovery where plaintiff would have had less time to explore these issues, or the case may have settled. The bottom line here is to give serious thought before providing a written statement of reasons and, if doing so, consider carefully the letter’s contents.