Iowa made changes to its breach notification law (Iowa Code § 715C.1 et seq.) when the state’s Governor, Terry Branstad, signed S.F. 2259 into law. The amendment makes the following key changes which become effective July 1, 2014:

  1. The existing law applies to “computerized” personal information. The amendment clarifies that this includes personal information maintained in any medium, including paper, transferred to that medium from computerized form. So, paper files printed from a computer that contain the elements that constitute personal information (e.g., name and Social Security number) can trigger a notification obligation under Iowa law. The breach notification statute in Indiana has a similar rule.
  2. For breaches that affect more than 500 residents of the state, the statute now requires notice must also be made to the Director of the Consumer Protection Division of the Office of the Attorney General, in addition to the affected individuals. A similar change was made in California.

The nuances of breach notification laws across the country continue to grow in number and further complicate responding to multi-state breaches. Whether a national standard will resolve this challenge remains to be seen. In the meantime, companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.

 

Kentucky Gov. Steve Beshear signed H.R. 232 on April 10, 2014, making the Commonwealth the 47th state to enact a data breach notification law. The law also limits how cloud service providers can use student data. A breach notification law in New Mexico may follow shortly.

Data Breach Notification Mandate

The Kentucky law follows the same general structure of many of the breach notification laws in the other states:

  • A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law does not refer to “access” only acquisition, and appears to have a risk of harm trigger.
  • The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.
  • “Personally identifiable information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number, (ii) Driver’s license number; or (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password permit access to an individual’s financial account.
  • The notification required under the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met. For larger breaches, the law also contains substitute notice provisions similar to those in other states.
  • If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices. However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire, and New York.
  • The law excludes persons and entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Of course, covered entities, business associates and certain vendors have their own breach notification requirements.

Protections for Student Data In the Cloud

The law is designed to protect student data at educational institutions, public or private, including any administrative units, that serve students in kindergarten through grade twelve when stored in the “cloud”. We may see more of these kinds of laws, particularly in light of the Fordham Law School study on the topic. For purposes of this law, “student data” means

any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.

Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law.

Specifically, the law prohibits cloud computing service providers from “processing student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.” Processing is defined pretty broadly, it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data.”

While the provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974, also known as “FERPA,” it may not use the data to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.” Finally, the provider may not sell, disclose, or otherwise process student data for any commercial purpose.

 

The United States Equal Employment Opportunity Commission (EEOC) recently held a meeting to gather information about the growing use of social media and how it impacts the laws the EEOC enforces.

During the meeting, a panel representative from the Society for Human Resource Management (SHRM) explained that employers use different types of social media for various reasons, including: employee engagement and knowledge-sharing; marketing to clients and potential customers; crisis management; and recruitment and hiring.

Others noted that while social media has benefits and can be a valuable tool, the improper use of information obtained from such sites may be discriminatory since most individuals’ race, gender, age, disability, and possibly ethnicity can be discerned from information on social media sites.  This is especially important in states which have prohibited employers from requesting access to employees’ or potential employees’ social media accounts.

Perhaps the most telling area discussed during the meeting was the increased use of social media as a source of discovery in employment discrimination litigation.  While there appears to be no dispute that public social media content is accessible by all, a Senior Trial Attorney in the EEOC’s Denver Field Office warned that the increased effort to access potentially aggrieved persons private social media communications may have a chilling effect on persons seeking to exercise their rights under federal anti-discrimination laws.

The EEOC has often taken the position that social media content is not relevant, while many employers have utilized social media to gain valuable discovery, especially with regard to emotional distress damages.  The EEOC’s position is now being mirrored at the state level where plaintiffs assert that their social media content is not relevant.  However, defendants (often employers) have benefited from obtaining social media content to dispute a plaintiff’s claims, especially when the defendant is able to demonstrate the relevant nature of social media content to the litigation.

Social media, and especially the discovery of same, is one of the most important and ever evolving areas of employment law.  Litigants, and employers must be prepared for the nuances associated with social media and the current standing of the law in the local  jurisdiction.

Employers faced with the inevitable task of terminating an employee’s employment often inquire whether to provide the employee with written reasons for the termination; or, if they are required to provide an explanation of the termination, they ask what should be included in the explanation. Except in a limited number of states (and except where an employment agreement provides otherwise), a written statement of reasons is not required. Indeed, the general rule of thumb is to not provide written reasons. Perhaps the employer in Peace v. Premier Primary Care Physicians, S.C., should have followed the rule of thumb. In a recent decision, a federal court in Illinois ordered the disclosure of patient contact information because the employer had indicated in its termination letter that patients complained about the plaintiffs.

In Peace, two former employees sued seeking unpaid overtime and damages for alleged retaliation. During discovery, plaintiffs sought the names and contact information of defendant’s patients. The basis for the request was that the termination letter said, among other things, “Patients have complained that you are rude and unhelpful to them on the phone and when they are in the office. Patients have reported not receiving reminder calls for their appointments.” The court noted that the letter contained other examples of patient complaints, but that none of the patients was identified. The employer objected to the disclosure of patient names contending that “their patients’ privacy rights outweigh the plaintiffs’ interest in obtaining discovery. . . .” The court rejected the employer’s argument and ordered the disclosure of the patient contact information noting that privacy concerns were minimal (since plaintiffs were not seeking actual medical records) and were outweighed by plaintiffs’ right to relevant discovery.

The fact that the court ordered disclosure of even limited protected health information highlights the importance the court attached to the contents of a written employment termination letter. A termination letter can become the proverbial “Exhibit A” should an employment claim be filed, at least in connection with requests for discovery. Anything contained in the letter will be the subject of scrutiny and discovery. Had the employer not provided the letter (or, provided a letter with a more general explanation), it is likely that the plaintiff would not have had such a focused target of discovery, one that in this case is likely to affect the practice’s business beyond its HR department. Of course, the information may have come out at some point in the case, but by that time, it may have been late in discovery where plaintiff would have had less time to explore these issues, or the case may have settled. The bottom line here is to give serious thought before providing a written statement of reasons and, if doing so, consider carefully the letter’s contents.

 

The 11th Circuit Court of Appeals has rejected the appeal of a former City of Daytona Beach Fire Inspector who argued that the City improperly used her “personal health information” to defend itself against her lawsuit for interference under the Family Medical Leave Act. In Bailey v. City of Daytona Beach Shores, the City of Daytona Beach fired its Fire Inspector, Christine Bailey, after it learned she made claims under the City’s self-funded health plan for reimbursement of the cost of prescription narcotics without informing the City of the use of such drugs, in violation of the City’s drug-free workplace policy while she was on FMLA leave. In response, Bailey sued the City for FMLA interference and retaliation. During the underlying lawsuit, she moved to strike the City’s use of her personal health information on grounds that it would violate the Health Insurance Portability and Accountable Act (“HIPAA”) by the disclosure of her HIPAA-protected personal health information.

Health plans, like the one sponsored by the City, are “covered entities” under HIPAA and the use of protected health information from those plans for employment purposes is prohibited. Apparently, the Department of Health and Human Services notified the City that using the personal health information from the City’s plan for employment-related decisions would violate Bailey’s rights under HIPAA. We regularly advise employers who sponsor health plans, particularly self-funded plans, that individually identifiable health information they obtain in connection with plan administration services they provide for those plans cannot be used in the course of making employment decisions, absent the individual’s authorization or some other exception.

Affirming the trial court’s rejection of Bailey’s motion to strike, the 11th Circuit determined that while HIPAA prohibits the use and disclosure of personal health information in employment-related decisions, it does not bar a defendant in litigation from using the plaintiff’s personal health information to defend against that lawsuit. Thus, at least in the 11th Circuit, “fruit of the poisonous tree” can be used by employers to defend their employment decisions made based on fruit from their HIPAA-covered plans. The court further rejected Bailey’s FMLA interference and retaliation claims on grounds that the City proved it would have taken the same action, i.e., firing her for violations of the City’s drug policy, if she had not taken FMLA leave.

The 11th Circuit’s ruling may appear to be a victory for defendants in litigation who seek to use plaintiffs’ HIPAA-protected personal health information to defend themselves from plaintiff allegations that involve such information. However, the Court seems to gloss over the distinction made in the HIPAA regulations between functioning as a covered entity-health plan and functioning as an employer. The employee was suing the employer in this case, not the plan, and the employer, functioning as an employer, simply should not have had access to this information. The effects of this decision may be problematic for employers that do not read this decision and HIPAA carefully. Specifically, some employers may be encouraged to tap into health plan claims records more freely, not for plan administration purposes, but for employment purposes, believing that information can be used to defend their employment decisions in subsequent litigation.

Of course, while there may not be a private right of action under HIPAA, using protected health information in that way could expose the health plans, and in effect the employers, to investigations by the Office for Civil Rights. The 11th Circuit focused on the use of personal health information in litigation only, but whether such information is used in litigation or not does not remedy any underlying HIPAA violation. HIPAA would bar an employer from reviewing a prescription claim submitted to its health plan for the purposes of making an employment decision, irrespective of any litigation involving the disclosure or use. It remains to be seen whether a claimant who successfully files a HIPAA charge with the Office of Civil Rights, would be able to obtain a different result by a court addressing that party’s personal health information in the litigation context, the Bailey case notwithstanding.

 

In an earlier post, we discussed the basics behind how Bitcoin operates and how it might create unique issues for employers. In the span of just a little over a month, the Bitcoin community has had its share of stories in the news cycle. One of the largest exchanges, Mt. Gox, has filed for bankruptcy following an apparent security breach costing customers and the exchange nearly $500 million. Within a couple weeks of Mt. Gox’s demise, Newsweek then claims to have identified the creator of the virtual currency, known only as Satoshi Nakamoto (the pseudonym used in the white paper that laid out the cryptography framework for bitcoin operations). Whether the person identified really is Nakamoto is still debated, but stories like this and the fall of Mt. Gox continue to add to the mystery that is bitcoin.

Yesterday, the IRS removed some of that mystery when it released guidance on the tax treatment of bitcoin and other virtual currencies (which just happened to be day one of a virtual currency industry summit in San Francisco). One of the appealing factors for users of the virtual currency is that it was an unregulated peer-to-peer network, meaning it is not tied to any central monetary authority. The IRS’s guidance was expected, but many in the Bitcoin community believed that it would be treated like any other foreign currency. Apparently relying on the premise that bitcoin does not have legal tender status in any jurisdiction, the IRS has determined that bitcoin should be treated as property for tax purposes.

IRS Notice 2014-21 is somewhat of a blow to bitcoin users because the exchange of property, even to buy a cup of coffee, is now a reportable event. The notice provides that virtual currency is treated as property for U.S. federal tax purposes. General tax principles that apply to property transactions apply to transactions using virtual currency. Among other things, this means that:

  • Wages paid to employees using virtual currency are taxable to the employee, must be reported by an employer on a Form W-2, and are subject to federal income tax withholding and payroll taxes.
  • Payments using virtual currency made to independent contractors and other service providers are taxable and self-employment tax rules generally apply. Normally, payers must issue Form 1099.
  • The character of gain or loss from the sale or exchange of virtual currency depends on whether the virtual currency is a capital asset in the hands of the taxpayer.
  • A payment made using virtual currency is subject to information reporting to the same extent as any other payment made in property.

This may sound like an insurmountable hurdle of onerous recordkeeping for virtual currencies, but automated accounting solutions are already in the works with more likely on the way. With a request for public comments included in its guidance, the IRS has signaled that these rules are not set in stone and changes may be ahead to the tax treatment of virtual currencies.

What seems unlikely to change is the continuing momentum bitcoin and other virtual currencies appear to be gaining. The failure of Mt. Gox may have been bad for Bitcoin’s public image, but supporters of the virtual currency seem undeterred. Despite security concerns, Bitcoin ATMs continue to pop up in the United States and abroad. The number of e-commerce retailers accepting bitcoin has outpaced those accepting in-store purchases, but that is starting to change. And even if your store of choice does not let you spend bitcoins, other companies have begun to find innovative ways around that problem too.

But perhaps the most intriguing item on the horizon is the race to open regulated investment funds and exchanges in the United States. Bitcoin might soon see an enormous influx of capital if investors are comfortable with the regulatory safeguards. The hope amongst the Bitcoin community is that this will lead to new innovations, making the use virtual currencies more prevalent and practical for everyday use.

New technologies almost always trend to the ‘more’ side of the spectrum. Whether Mr. Nakamoto’s (who(m)ever he or she is) vision of a global economy utilizing peer-to-peer transactions will come to pass is anyone’s guess, but you may not want to bet too much bitcoin against it.

A New Jersey student has filed a federal court lawsuit, H.W. v. Sterling High School District, alleging that she has been subject to disability discrimination and that her First Amendment rights have been violated.

The student, known only as H.W. in court papers, was banned from the prom, senior trip, and the school’s commencement ceremony following a tweet wherein the student called the principal a “pussy ass bitch.”  The student alleges in her suit that the tweet was the result of “oppositional defiant disorder,” a psychological disorder, which the student alleges causes her to have difficulty with authority and dramatic mood swings.  The suit claims that the school’s punishment of the student violated the New Jersey Law Against Discrimination since the school failed to consider the student’s behavior as a consequence of her psychological condition.

Additionally, the student claims the remark, although offensive, is entitled to First Amendment protection because it was made off of school grounds, outside school hours, and did not disrupt school activities.  As we have previously discussed (and as raised by plaintiff’s counsel), two prominent rulings in J.S. v. Blue Mountain School District, 650 F.3d 915 (2011) and Laycock v. Hermitage School District, 650 F.3d 205 (2011) have upheld a student’s free-speech rights concerning online posts about school officials.

In addition to the tweet about the school’s principal, the student also claims that another one of her tweets, an invitation for her classmates to “smoke with [her] before school tomorrow,” was also protected by the First Amendment.  The school interpreted that tweet as a reference to smoking marijuana and ordered the student to submit to drug test.

Both tweets were sent after the student received a 2 day suspension for using her cell phone during the school day in violation of school rules.  The suit seeks an apology, an injunction against the school barring the student from school activities, an injunction against the drug test, an expungement of documents related to the incidents, a revision of  school policies, damages,  legal fees and costs.

Many organizations believe they have taken all steps necessary to eliminate the risk of a data breach. They often point to the organization’s deft IT team and tout the installation of some of the latest software solutions to protect sensitive data. However, some of these same organizations often fail to take some very basic steps to address the kind of low-hanging fruit that can help to prevent significant data breaches. Recent examples include:

  • An Internal Revenue Service employee potentially caused the Social Security numbers, names and addresses of 20,000 or so employees and contract workers to be accessible online when the employee took a thumb drive home from work and plugged it into the employee’s unsecure home network, as reported in Bloomberg.
  • Also within the past week, the Metropolitan Transportation Authority notified some 15,000 MTA workers that their Social Security numbers and other personal information had been found on a CD inside a refurbished CD drive sold by a retailer, according to a report by the Wall Street Journal.

Safeguards that might have prevented these kinds of incidents include clearly written policies, regular employee training and reminders, and purging of mobile electronic devices before they are sold, donated or otherwise discarded. Of course, there are others and often these basic measures can be implemented with relatively little cost, and they are in many cases required by law. For example, a number of states have law mandating the proper of personally identifiable information, which would include information stored on electronic devices.