The Florida District Court of Appeal, Second District quashed an order requiring the mother of a vehicle accident victim to produce copies of certain postings on her Facebook account. 

In Root v. Balfour Beatty Constr., LLC, the plaintiff, Tonia Root (“plaintiff”) filed a negligence suit against the city and its contractors following an accident where her toddler was struck by a vehicle near a construction site.  During discovery, defendants sought the production of plaintiff’s Facebook postings relating to plaintiff’s children, plaintiff’s mental health and stress, and counseling that plaintiff may have obtained before or after the accident.  Ultimately, the circuit court ordered plaintiff to produce the Facebook postings.

On review, the Florida District Court of Appeal, Second District quashed the order, finding that the posts are irrelevant to plaintiff’s claims.  Specifically, the appellate court held the Facebook discovery requested did not pertain to the accident, the negligence claim or plaintiff’s claims for loss of consortium. The court characterized the discovery as a “fishing expedition.”

Ultimately, the discovery of social media content is an essential, but often precarious, undertaking that will turn on the legal precedent in your jurisdiction.  For example, states like New York, New Jersey, Indiana, and Kentucky have addressed issues of this nature with varying outcomes.

San Francisco has joined the growing number of cities and states around the country implementing “ban the box” legislation which restricts inquiries regarding an applicant’s criminal records on applications for employment and during job interviews.  The EEOC recommends “banning the box” in line with its guidance regarding convictions and consideration in use of information based on job-relatedness.  Currently, 10 states have “ban the box” laws in some form impacting public or both public and private employers.  These states include Hawaii, California, Colorado, New Mexico, Minnesota, Illinois, Rhode Island, Connecticut, Massachusetts and Maryland.  Other states that have “ban the box” legislation pending include Delaware, New Jersey, Michigan, North Carolina and Ohio, among others.  San Francisco’s Fair Chance Ordinance becomes operative on August 13, 2014 and applies to private sector employers in the city of San Francisco.

A Florida appellate court has ruled that a teenaged daughter’s post on Facebook mentioning her father’s confidential settlement of an age discrimination claim breached a confidentiality provision in the settlement agreement, barring the father from collecting an $80,000 settlement. Gulliver Schools, Inc. v. Snay, No. 3D13-1952 (Fla. 3d DCA Feb. 26, 2014).

The plaintiff, Patrick Snay, was a headmaster of Gulliver, a private school in the Miami area. After his contract was not renewed, he sued for age discrimination. The parties reached a settlement pursuant to a written agreement, which included a detailed confidentiality provision. The provision stated in part:

13. Confidentiality . . . [T]he plaintiff shall not either directly or indirectly, disclose, discuss or communicate to any entity or person, except his attorneys or other professional advisors or spouse any information whatsoever regarding the existence or terms of this Agreement. . . A breach . . . will result in disgorgement of the Plaintiff’s portion of the Settlement Payments.

A couple of days after the agreement was signed, Snay’s daughter, who had recently been a student at Gulliver, posted the following on her Facebook page:

Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.

Snay’s daughter had about 1,200 Facebook friends, many of whom were current or former Gulliver students. Gulliver notified Snay of the breach and refused to tender the $80,000 to Snay under the terms of the settlement. (Snay’s attorneys received their portion.) Snay moved to enforce the agreement. Limited discovery revealed that Snay and his wife notified their daughter “that the case was settled and they were happy with the result.” Snay denied ever discussing a trip to Europe. The district court held that Snay’s actions did not violate the terms of the agreement, but the appellate court reversed, noting that Snay was prohibited from “directly or indirectly” disclosing even the “existence” of the settlement.

The decision offers lessons for counsel, litigants, and parents. Counsel and litigants need to remember that these types of confidentiality provisions with disgorgement penalties are taken seriously by the courts and can be enforced. Parents need to remind their children to be mindful of what they post on social media, because it might have adult consequences.

The National Labor Relations Board (“NLRB”) continues to be active in its review of employer social media policies. In recent years, the NLRB’s review of social media policies has focused largely on whether an employee would reasonably construe the language of the policy as prohibiting him or her from engaging in activity protected by Section 7 of the National Labor Relations Act (“NLRA”), such as discussing terms and conditions of employment with fellow employees and engaging in strikes and other job actions.

In this case, Boch Imports, Inc. d/b/a Boch Honda, the NLRB Administrative Law Judge (“ALJ”) reviewed several provisions of an employer’s employee handbook. The employee handbook contained an extensive social media policy that included the following provisions:

1. The Company requires its employees to confine any and all social media commentaries to topics that do not disclose any personal or financial information of employees, customers or other persons, and do not disclose any confidential or proprietary information of the Company.

2. If an employee posts comments about the Company or related to the Company’s business or a policy issue, the employee must identify him/herself…

5. If an employee’s online blog, posting or other social media activities are inconsistent with, or would negatively impact the Company’s reputation or brand, the employee should not refer to the Company, or identify his/her connection to the Company… 

7. While the Company respects employees’ privacy, conduct that has, or has the potential to have a negative effect on the Company might be subject to disciplinary action up to, and including, termination, even if the conduct occurs off the property or off the clock.

8. Employees may not post videos or photos which are recorded in the workplace, without the Company’s permission.

9. If an employee is ever asked to make a comment to the media, the employee should contact the Vice President of Operations before making a statement.

10. The Company may request that an employee temporarily confine its social media activities to topics unrelated to the Company or a particular issue if it believes this is necessary or advisable to ensure compliance with applicable laws or regulations or the policies in the Employee Handbook. The Company may also request that employees provide it access to any commentary they posted on social media sites.

11. Employees choosing to write or post should write and post respectfully regarding current, former or potential customers, business partners, employees, competitors, managers and the Company. Employees will be held responsible for and can be disciplined for what they post and write on any social media. However, nothing in this Policy is intended to interfere with employees’ rights under the National Labor Relations Act.

12. Managers and supervisors should think carefully before “friending,” “linking” or the like on any social media with any employees who report to them.

The ALJ found “It requires little discussion to find that a number of these provisions clearly violate the [NLRA] as employees would reasonably construe these provisions as preventing them from discussing their conditions of employment with their fellow employees, radio and television stations, newspapers or unions, or limiting the subjects that they could discuss.” [emphasis added.]

Many employers maintain social media policies similar to the one at issue in this case. This decision highlights that employers, regardless of whether their employees are represented by a union, must be mindful of the NLRA when crafting social media policies.

According to an FTC press release, identity theft tops the national ranking of consumer complaints for 2013, with American consumers losing a reported $1.6 billion to fraud last year. Here is how some of the numbers break down:

  • Fourteen (14) percent of the more than two million complaints to the FTC (or 290,056) stemmed from identity theft.
  • Thirty (30) percent of these incidents were tax- or wage-related, the largest category of identity theft complaints.
  • Persons between ages 20-29 made most of the complaints.

For businesses, the FTC provides a range of resources to help address privacy and security of personal information.  Very often there are some basic, easy-to-implement safeguards that can significantly improve a company’s risk profile. This “low-hanging fruit” may not address every risk but will better position the company to avoid many types of data incidents. When a federal or state agency comes knocking, such as the FTC or the Office for Civil Rights in the case of a HIPAA breach, organizations that have taken few, if any, steps to safeguard personal information generally will have a more difficult time (and likely have to pay more in fines/settlement) resolving the enforcement action.

On Thursday, California Attorney General Kamala Harris announced heightened enforcement concerning data breaches, reports USA Today. AG Harris’ office also issued a Guide that provides recommendations to California businesses, particularly small businesses, to help them protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

The circumstances are certainly threatening for small business. According to the Guide:

  • In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
  • More significantly, businesses with fewer than 250 employees were the target of 31 percent of all cyberattacks.

The Guide is a good read for most small businesses; it provides general principles and best practices to address data security. It is not comprehensive, and the Guide itself admits it does not provide “regulations, mandates or legal opinions…[but r]ather, … an overview of the cybersecurity threats facing small businesses, a brief and incomplete summary of several best practices that help manage the risks posed by these threats, and a response plan in the event of a cyberincident.”

Large national and multi-national companies are not the only targets for data breaches, and states like California are stepping up their enforcement efforts. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.

A significant percentage of “recycled” computers were found to still contain personal information, according to a study conducted by the National Association for Information Destruction (NAID). As reported in e-Place Solutions, the NAID-ANZ Secondhand Hard Drive Study found that “15 of 52 hard drives randomly purchased contained highly confidential personal information.”

What kind of information? “[S]preadsheets of clients’ and account holders’ personal information, confidential client correspondence, billing information and personal medical information.” In one case, the computer included an “entire email box with numerous emails and attachments relating to the inner most workings of a medical facility.”

Some of the recyclers of these computers, which were randomly purchased on eBay by NAID, included law firms and a government medical facility. Further, according to the report, the methods used to locate the personal information on the devices were not highly sophisticated.

According to the National Conference of State Legislatures, “at least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” On top of those generally applicable requirements, many businesses are also subject to specific federal and state requirements to safeguard personal information, which include destroying personal information that is no longer needed. These include, for example, the HIPAA privacy and security regulations and the Federal Trade Commission’s Disposal Rule.

As mobile devices continue to proliferate, it is critical for businesses and individuals to ensure that before discarding, reissuing, or “recycling” such equipment, at least personal information is removed/destroyed as required under applicable law. Of course, there is other information, such as company proprietary and confidential information that, even if not subject to these data destruction laws, should be removed for obvious reasons.

The Department of Health and Human Services announced on February 24 that it is seeking information about conducting a pre-audit survey. That is, it plans to conduct a “survey of up to 1200 [HIPAA] covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provide certain services to a HIPAA covered entity) to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program.” (emphasis added) Many covered entities and business associates will be wondering, of course, whether their compliance efforts are “suitable” to survive an audit.

In any event, the survey would gather information about size, complexity, and fitness of a covered entity or business associate for an audit. Questions in the survey likely will relate to data such as the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

At this point, the survey is not on its way to you. The agency is seeking comments about (1) the necessity and utility of the proposed survey for the proper performance of its functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other technology to minimize the information collection burden. If you would like to submit comments on these issues, you can do so by emailing them to Information.CollectionClearance@hhs.gov to be received no later than April 25, 2014. You also can call (202) 690–6162.

Smartphone privacy and security concerns continue to weigh on businesses, particularly for companies in certain industries such as healthcare, and for those that have or are thinking of moving to a “bring your own device” (BYOD) model. Promoters of the “Blackphone,” according to a Reuters report, hope that their version of Google’s Android software will enable it to tap into the growing mobile security management (MSM) market.

According to the report, the Blackphone technology “encrypts texts, voice calls and video chats,” but it is not the only player with something to launch. Deutsche Telekom plans to offer a smartphone app that will provide similar capabilities. Of course, variations on these technologies are already available, but these new offerings will help expand the availability of privacy and security capabilities into the mass market. The report notes, however, that in the case of the Blackphone and the Deutsche Telekom app, “both sides of a call have to be using the same service to get full encryption.”

A critical component of any BYOD, electronic communication, social media, telecommuting/remote work or similar policy is monitoring developments in technology. A particular technology may not be the right fit for a company, or it may not be all that was promised, but it is important to be aware of these developments as they may provide a solution that is just right for a company’s needs.

After years of identity theft holding the top spot for crimes reported to the Federal Trade Commission, and following recent reports of massive data breaches, U.S. Attorney General Eric Holder urged Congress today to enact a national law setting a uniform standard for notifying individuals regarding breaches involving their personal information, according to a report by Reuters. Earlier this month, Federal Trade Commission Chairwoman Edith Ramirez made a similar request to Congress.

For years Congress has tried to enact a national breach notification law. Some recent examples include H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer) and S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown). Other members of Congress, such as Sens. Feinstein and Leahy, have made similar proposals. However, the usual Congressional wrangling over issues such as what agency will control enforcement, and whether there should be a risk of harm trigger as exists in many states, has stalled these legislative efforts. At the same time, states fear that their stringent protections may wind up being preempted by a new federal mandate.

Attorney General Holder is reported to have observed that data breaches “are becoming all too common.” Some would say they are already too common. But it remains to be seen whether Congress will act. For now, companies should be taking steps to avoid data breaches, but also be prepared to respond quickly should a breach happen – which may mean understanding the nuances of the applicable state laws.