The U.S. Equal Employment Opportunity Commission (EEOC) and the Federal Trade Commission (FTC) issued joint informal guidance concerning the legal pitfalls employers may face when consulting background checks into a worker’s criminal record, financial history, medical history or use of social media.  The FTC enforces the Fair Credit Reporting Act, the law that protects the privacy and accuracy of the information in credit reports. The EEOC enforces laws against employment discrimination.

The two short guides, Background Checks: What Employers Need to Know and Background Checks: What Job Applicants and Employees Should Know, explain the rights and responsibilities of both employers and employees.

The agency press releases state that the FTC and the EEOC want employers to know that they need written permission from job applicants before getting background reports about them from a company in the business of compiling background information. Employers also should know that it’s illegal to discriminate based on a person’s race, national origin, sex, religion, disability, or age (40 or older) when requesting or using background information for employment.

Additionally, the agencies want job applicants to know that it’s not illegal for potential employers to ask someone about their background as long as the employer does not unlawfully discriminate. Job applicants also should know that if they’ve been turned down for a job or denied a promotion based on information in a background report, they have a right to review the report for accuracy.

According to EEOC Legal Counsel Peggy Mastroianni, “The No. 1 goal here is to ensure that people on both sides of the desk understand their rights and responsibilities.”


Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday.  OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply with a three-year HIPAA compliance program under OCR’s watchful eye.

OCR began investigating Skagit County and its Public Health Department when OCR received a breach report that money receipts with electronic protected health information (ePHI) of seven individuals were accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County.

A relatively minor breach at first glance. However, OCR’s investigation revealed the incident was broader and included the ePHI of 1,581 individuals, in some cases involving files concerning the testing and treatment of infectious diseases. According to the resolution agreement, Skagit County allegedly failed to provide notification as required by the HIPAA Breach Notification Rule to all of the affected individuals for whom it knew or should have known that the privacy or security of the individuals’ ePHI had been compromised.

Like other OCR investigations, the enforcement activity uncovered “general and widespread non-compliance by Skagit County with the HIPAA Privacy, Security, and Breach Notification Rules.” For example, OCR looked back to April 20, 2005 (the effective date of the HIPAA Security Rule), and alleged that Skagit County had not complied with various aspects of the HIPAA security regulations, including maintaining written policies and training employees.

The Skagit County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. A $215,000 payment to OCR certainly will be a hit to the Department’s budget and the services it provides. Cities, counties and other public sector entities that perform HIPAA covered functions should be reviewing their HIPAA compliance efforts to ensure they are in a strong defensible position. Some basic compliance steps – risk assessment, written policies and procedures, training, a breach response plan, documentation, and others – can go a long way.

The U.S. Commodity Futures Trading Commission (Commission) issued a Staff Advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy.

GLBA was enacted to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information.  Specifically, under the Commission’s regulations, futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants (covered entities) “must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  Those policies and procedures must:

  1. Insure the security and confidentiality of customer records and information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such records; and
  3. Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The recommended best practices include:
  • Designating a specific employee with privacy and security management oversight responsibilities;
  • Identifying, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
  • Designing and implementing safeguards, in writing, to control the identified risks;
  • Training staff to implement the program;
  • Regularly testing and monitoring the safeguards;
  • Implementing third party service provider agreements which specify that the third party is maintaining appropriate safeguards;
  • Regularly evaluating and adjusting the program; and
  • Designing and implementing policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.

These best practices should look familiar to those acquainted with the various state laws that require companies to implement written information security programs, as well as to entities that must comply with HIPAA’s requirements.  Ultimately, every entity that maintains personal information, whether that of customers, clients, patients, or employees, should consider implementing a program to safeguard such information.

The U.S. Department of Health and Human Services, Food and Drug Administration (FDA) recently issued draft guidance entitled “Guidance for Industry-Fulfilling Regulatory Requirements for Postmarketing Submissions of Interactive Promotional Media For Prescription Human and Animal Drugs and Biologics.”

The draft guidance is intended to describe the FDA’s current thinking about how manufacturers, packers, and distributors (firms) can fulfill regulatory requirements for postmarketing submissions of interactive promotional media (e.g., blogs, microblogs such as Twitter, social networking sites like Facebook, online communities, and online podcasts) for FDA-approved products.

Under FDA regulations, if a firm has any control of, or influence on, a site, it must submit promotional material about its product(s) to the FDA under the FDA’s postmarketing submission requirements.

Recognizing the challenges of submitting promotional materials that display real-time information, the FDA provided recommendations for submitting interactive promotional media.  In its examples, the FDA explained:

  • At the time of initial display, a firm should submit in its entirety all sites for which the firm is responsible, including submission in a way that allows the FDA to view and interact with the submission in the same way as the end user;
  • For third-party sites on which the firm’s participation is limited to interactive or real-time communications, a firm should submit the third-party site’s home page, along with the interactive page within the third-party site and the firm’s first communication;
  • Once a month, a firm should submit an updated listing of all non-restricted sites for which it is responsible or in which it remains an active participant;
  • If a site has restricted access, a firm should submit all content related to the discussion to adequately provide context to facilitate the review; and
  • A submitting firm should take formatting factors into consideration to enable the FDA to view the communications as a whole.

When finalized, the guidance will not create or confer any rights, and will not operate to bind the FDA or the public.  Rather, the guidance should be viewed as recommendations, unless specific regulatory or statutory requirements are cited.

Specific industry guidance concerning social media is not a novel idea.  In fact, the financial industry issued its own guidance late last year.  When examining your business’s social media participation, it is imperative that you familiarize yourself with any applicable industry-specific guidance.

The U.S. Equal Employment Opportunity Commission (EEOC) just announced that it will hold a meeting on March 12, 2014 to discuss the use of social media in the workplace and its impact on the enforcement of equal employment opportunity laws.  According to the EEOC’s announcement, the participants will address a range of issues, including recruitment and hiring, harassment, records retention, and discovery.

The EEOC’s announcement, the opinions of the NLRB’s Acting General Counsel, state laws prohibiting employers from requesting social media account access, and numerous pieces of industry-specific guidance all highlight the need for employers to examine their own social media practices and the impact social media may have on their business.

Our Special Report, Social Media in the Workplace, has examined each of the issues the EEOC plans to discuss and considered many of the opinions, laws, and guidance that have been issued with regard to social media.

The Florida District Court of Appeal, Second District quashed an order requiring the mother of a vehicle accident victim to produce copies of certain postings on her Facebook account.

In Root v. Balfour Beatty Constr., LLC, the plaintiff, Tonia Root (“plaintiff”) filed a negligence suit against the city and its contractors following an accident where her toddler was struck by a vehicle near a construction site.  During discovery, defendants sought the production of plaintiff’s Facebook postings relating to plaintiff’s children, plaintiff’s mental health and stress, and counseling that plaintiff may have obtained before or after the accident.  Ultimately, the circuit court ordered plaintiff to produce the Facebook postings.

On review, the Florida District Court of Appeal, Second District quashed the order, finding that the posts are irrelevant to plaintiff’s claims.  Specifically, the appellate court held that the Facebook discovery requested did not pertain to the accident, the negligence claim or plaintiff’s claims for loss of consortium. The court characterized the discovery as a “fishing expedition.”

Ultimately, the discovery of social media content is an essential, but often precarious, undertaking which will turn on the legal precedent in your jurisdiction.  For example, states like New York, New Jersey, Indiana, and Kentucky have addressed issues of this nature to various outcomes.

San Francisco has joined the growing number of cities and states around the country implementing “ban the box” legislation, which restricts inquiries regarding an applicant’s criminal records on applications for employment and during job interviews.  The EEOC recommends “banning the box” in line with its guidance regarding convictions and consideration of the use of such information based on job-relatedness.  Currently, 10 states have “ban the box” laws in some form impacting public employers or both public and private employers.  These states include Hawaii, California, Colorado, New Mexico, Minnesota, Illinois, Rhode Island, Connecticut, Massachusetts and Maryland.  Other states that have “ban the box” legislation pending include Delaware, New Jersey, Michigan, North Carolina and Ohio, among others.  San Francisco’s Fair Chance Ordinance becomes operative on August 13, 2014 and applies to private sector employers in the city of San Francisco.  For specifics regarding the San Francisco ordinance click here for information.

A Florida appellate court has ruled that a teenaged daughter’s post on Facebook mentioning her father’s confidential settlement of an age discrimination claim breached a confidentiality provision in the settlement agreement, barring the father from collecting an $80,000 settlement. Gulliver Schools, Inc. v. Snay, No. 3D13-1952 (Fla 3d DCA Feb. 26, 2014).

The plaintiff, Patrick Snay, was a headmaster of Gulliver, a private school in the Miami area. After his contract was not renewed, he sued for age discrimination. The parties reached a settlement pursuant to a written agreement, which included a detailed confidentiality provision. The provision stated in part:

13. Confidentiality . . . [T]he plaintiff shall not either directly or indirectly, disclose, discuss or communicate to any entity or person, except his attorneys or other professional advisors or spouse any information whatsoever regarding the existence or terms of this Agreement. . . A breach . . . will result in disgorgement of the Plaintiff’s portion of the Settlement Payments.

A couple of days after the agreement was signed, Snay’s daughter, who had recently been a student at Gulliver, posted the following on her Facebook page:

Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.

Snay’s daughter had about 1,200 Facebook friends, many of whom were current or former Gulliver students. Gulliver notified Snay of the breach and refused to tender the $80,000 to Snay under the terms of the settlement. (Snay’s attorneys received their portion.) Snay moved to enforce the agreement. Limited discovery revealed that Snay and his wife had notified their daughter “that the case was settled and they were happy with the result.” Snay denied ever discussing a trip to Europe. The district court held that Snay’s actions did not violate the terms of the agreement, but the appellate court reversed, noting that Snay was prohibited from “directly or indirectly” disclosing even the “existence” of the settlement.

The decision offers lessons for counsel, litigants, and parents. Counsel and litigants need to remember that these types of confidentiality provisions with disgorgement penalties are taken seriously by the courts and can be enforced. Parents need to remind their children to be mindful of what they post on social media, because it might have adult consequences.

The National Labor Relations Board (“NLRB”) continues to be active in its review of employer social media policies. In recent years, the NLRB’s review of social media policies has focused largely on whether an employee would reasonably construe the language of the policy as prohibiting him or her from engaging in activity protected by Section 7 of the National Labor Relations Act (“NLRA”), such as discussing terms and conditions of employment with fellow employees and engaging in strikes and other job actions.

In a recent case, Boch Imports, Inc. d/b/a Boch Honda, an NLRB Administrative Law Judge (“ALJ”) reviewed several provisions of an employer’s employee handbook. The employee handbook contained an extensive social media policy that included the following provisions:

1. The Company requires its employees to confine any and all social media commentaries to topics that do not disclose any personal or financial information of employees, customers or other persons, and do not disclose any confidential or proprietary information of the Company.

2. If an employee posts comments about the Company or related to the Company’s business or a policy issue, the employee must identify him/herself…

5. If an employee’s online blog, posting or other social media activities are inconsistent with, or would negatively impact the Company’s reputation or brand, the employee should not refer to the Company, or identify his/her connection to the Company… 

7. While the Company respects employees’ privacy, conduct that has, or has the potential to have a negative effect on the Company might be subject to disciplinary action up to, and including, termination, even if the conduct occurs off the property or off the clock.

8. Employees may not post videos or photos which are recorded in the workplace, without the Company’s permission.

9. If an employee is ever asked to make a comment to the media, the employee should contact the Vice President of Operations before making a statement.

10. The Company may request that an employee temporarily confine its social media activities to topics unrelated to the Company or a particular issue if it believes this is necessary or advisable to ensure compliance with applicable laws or regulations or the policies in the Employee Handbook. The Company may also request that employees provide it access to any commentary they posted on social media sites.

11. Employees choosing to write or post should write and post respectfully regarding current, former or potential customers, business partners, employees, competitors, managers and the Company. Employees will be held responsible for and can be disciplined for what they post and write on any social media. However, nothing in this Policy is intended to interfere with employees’ rights under the National Labor Relations Act.

12. Managers and supervisors should think carefully before “friending,” “linking” or the like on any social media with any employees who report to them.

The ALJ found “It requires little discussion to find that a number of these provisions clearly violate the [NLRA] as employees would reasonably construe these provisions as preventing them from discussing their conditions of employment with their fellow employees, radio and television stations, newspapers or unions, or limiting the subjects that they could discuss.” [emphasis added.]

Many employers maintain social media policies similar to the one at issue in this case. This decision highlights that employers, regardless of whether their employees are represented by a union, must be mindful of the NLRA when crafting social media policies.

According to an FTC press release, identity theft tops the national ranking of consumer complaints for 2013, with American consumers losing a reported $1.6 billion to fraud last year. Here is how some of the numbers break down:

  • Fourteen (14) percent of the more than two million complaints to the FTC (or 290,056) stemmed from identity theft.
  • Thirty (30) percent of these incidents were tax- or wage-related, the largest category of identity theft complaints.
  • Persons between the ages of 20 and 29 made the most complaints.

For businesses, the FTC provides a range of resources to help address the privacy and security of personal information.  Very often there are some basic, easy-to-implement safeguards that can significantly improve a company’s risk profile. This “low-hanging fruit” may not address every risk but will better position the company to avoid many types of data incidents. When a federal or state agency comes knocking, such as the FTC or the Office for Civil Rights in the case of a HIPAA breach, organizations that have taken few, if any, steps to safeguard personal information generally will have a more difficult time resolving the enforcement action (and will likely have to pay more in fines or settlement).