San Francisco has joined the growing number of cities and states around the country implementing “ban the box” legislation, which restricts inquiries about an applicant’s criminal record on employment applications and during job interviews. The EEOC recommends “banning the box,” consistent with its guidance that conviction information be considered only where it is job-related. Currently, 10 states have “ban the box” laws in some form covering public employers or both public and private employers: Hawaii, California, Colorado, New Mexico, Minnesota, Illinois, Rhode Island, Connecticut, Massachusetts and Maryland. States with “ban the box” legislation pending include Delaware, New Jersey, Michigan, North Carolina and Ohio, among others. San Francisco’s Fair Chance Ordinance becomes operative on August 13, 2014 and applies to private sector employers in the City of San Francisco.
Facebook Post Breaches Confidentiality Provision of Settlement Agreement
A Florida appellate court has ruled that a teenaged daughter’s Facebook post mentioning her father’s confidential settlement of an age discrimination claim breached the confidentiality provision of the settlement agreement, barring the father from collecting an $80,000 settlement payment. Gulliver Schools, Inc. v. Snay, No. 3D13-1952 (Fla. 3d DCA Feb. 26, 2014).
The plaintiff, Patrick Snay, was the headmaster of Gulliver, a private school in the Miami area. After his contract was not renewed, he sued for age discrimination. The parties reached a settlement pursuant to a written agreement that included a detailed confidentiality provision. The provision stated in part:
13. Confidentiality . . . [T]he plaintiff shall not either directly or indirectly, disclose, discuss or communicate to any entity or person, except his attorneys or other professional advisors or spouse any information whatsoever regarding the existence or terms of this Agreement. . . A breach . . . will result in disgorgement of the Plaintiff’s portion of the Settlement Payments.
A couple of days after the agreement was signed, Snay’s daughter, who had recently been a student at Gulliver, posted the following on her Facebook page:
Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.
Snay’s daughter had about 1,200 Facebook friends, many of whom were current or former Gulliver students. Gulliver notified Snay of the breach and refused to tender the $80,000 to Snay under the terms of the settlement. (Snay’s attorneys received their portion.) Snay moved to enforce the agreement. Limited discovery revealed that Snay and his wife had told their daughter “that the case was settled and they were happy with the result.” Snay denied ever discussing a trip to Europe. The trial court held that Snay’s actions did not violate the terms of the agreement, but the appellate court reversed, noting that Snay was prohibited from “directly or indirectly” disclosing even the “existence” of the settlement.
The decision offers lessons for counsel, litigants, and parents. Counsel and litigants need to remember that these types of confidentiality provisions with disgorgement penalties are taken seriously by the courts and can be enforced. Parents need to remind their children to be mindful of what they post on social media, because it might have adult consequences.
Another Employer’s Social Media Policy Is Found Unlawful By An NLRB Administrative Law Judge
The National Labor Relations Board (“NLRB”) continues to be active in its review of employer social media policies. In recent years, the NLRB’s review of social media policies has focused largely on whether an employee would reasonably construe the language of the policy as prohibiting him or her from engaging in activity protected by Section 7 of the National Labor Relations Act (“NLRA”), such as discussing terms and conditions of employment with fellow employees and engaging in strikes and other job actions.
In this case, Boch Imports, Inc. d/b/a Boch Honda, the NLRB Administrative Law Judge (“ALJ”) reviewed several provisions of an employer’s employee handbook. The employee handbook contained an extensive social media policy that included the following provisions:
1. The Company requires its employees to confine any and all social media commentaries to topics that do not disclose any personal or financial information of employees, customers or other persons, and do not disclose any confidential or proprietary information of the Company.
2. If an employee posts comments about the Company or related to the Company’s business or a policy issue, the employee must identify him/herself…
5. If an employee’s online blog, posting or other social media activities are inconsistent with, or would negatively impact the Company’s reputation or brand, the employee should not refer to the Company, or identify his/her connection to the Company…
7. While the Company respects employees’ privacy, conduct that has, or has the potential to have a negative effect on the Company might be subject to disciplinary action up to, and including, termination, even if the conduct occurs off the property or off the clock.
8. Employees may not post videos or photos which are recorded in the workplace, without the Company’s permission.
9. If an employee is ever asked to make a comment to the media, the employee should contact the Vice President of Operations before making a statement.
10. The Company may request that an employee temporarily confine its social media activities to topics unrelated to the Company or a particular issue if it believes this is necessary or advisable to ensure compliance with applicable laws or regulations or the policies in the Employee Handbook. The Company may also request that employees provide it access to any commentary they posted on social media sites.
11. Employees choosing to write or post should write and post respectfully regarding current, former or potential customers, business partners, employees, competitors, managers and the Company. Employees will be held responsible for and can be disciplined for what they post and write on any social media. However, nothing in this Policy is intended to interfere with employees’ rights under the National Labor Relations Act.
12. Managers and supervisors should think carefully before “friending,” “linking” or the like on any social media with any employees who report to them.
The ALJ found: “It requires little discussion to find that a number of these provisions clearly violate the [NLRA] as employees would reasonably construe these provisions as preventing them from discussing their conditions of employment with their fellow employees, radio and television stations, newspapers or unions, or limiting the subjects that they could discuss.”
Many employers maintain social media policies similar to the one at issue in this case. This decision highlights that employers, regardless of whether their employees are represented by a union, must be mindful of the NLRA when crafting social media policies.
FTC Announces Identity Theft Was Top Consumer Complaint During 2013, 14 Years Running
According to an FTC press release, identity theft topped the national ranking of consumer complaints for 2013, with American consumers reporting $1.6 billion lost to fraud last year. Here is how some of the numbers break down:
- Fourteen percent (290,056) of the more than two million complaints to the FTC stemmed from identity theft.
- Thirty percent of those identity theft complaints were tax- or wage-related, the largest category of identity theft complaints.
- Consumers between the ages of 20 and 29 filed more identity theft complaints than any other age group.
For businesses, the FTC provides a range of resources to help address the privacy and security of personal information. Very often there are basic, easy-to-implement safeguards that can significantly reduce a company’s risk. This “low-hanging fruit” will not address every risk, but it will better position the company to avoid many types of data incidents. When a federal or state agency comes knocking, such as the FTC or, in the case of a HIPAA breach, the Office for Civil Rights, organizations that have taken few, if any, steps to safeguard personal information generally will have a more difficult time resolving the enforcement action (and will likely pay more in fines or settlement).
California Attorney General Announces More Active Role in Dealing with Data Breaches, and Helpful Guide for Small Business
On Thursday, California Attorney General Kamala Harris announced heightened enforcement concerning data breaches, USA Today reports. AG Harris’ office also issued a Guide that provides recommendations to California businesses, particularly small businesses, to help them protect against and respond to the increasing threat of malware, data breaches and other cyber risks.
The circumstances are certainly threatening for small business. According to the Guide:
- In 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
- More significantly, businesses with fewer than 250 employees were the target of 31 percent of all cyberattacks.
The Guide is a good read for most small businesses and provides general principles and best practices to address data security. It is not comprehensive, and the Guide itself admits it does not provide “regulations, mandates or legal opinions…[but r]ather, … an overview of the cybersecurity threats facing small businesses, a brief and incomplete summary of several best practices that help manage the risks posed by these threats, and a response plan in the event of a cyberincident.”
Large national and multi-national companies are not the only targets for data breaches, and states like California are stepping up their enforcement efforts. Businesses should take the time to be sure they appropriately safeguard personal information of customers, employees and other individuals, as well as to be prepared to respond to a breach should they experience one.
Is it really deleted?
A significant percentage of “recycled” computers still contained personal information, according to a study conducted by the National Association for Information Destruction (NAID). As reported by e-Place Solutions, the NAID-ANZ Secondhand Hard Drive Study found that “15 of 52 hard drives randomly purchased contained highly confidential personal information.”
What kind of information? “Spreadsheets of clients’ and account holders’ personal information, confidential client correspondence, billing information and personal medical information.” In one case, the computer included an “entire email box with numerous emails and attachments relating to the inner most workings of a medical facility.”
Some of the organizations that had disposed of these computers, which NAID purchased at random on eBay, included law firms and a government medical facility. Further, according to the report, the methods used to locate the personal information on the drives were not sophisticated.
According to the National Conference of State Legislatures, “at least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” On top of those generally applicable requirements, many businesses are also subject to specific federal and state requirements to safeguard personal information, which include destroying personal information that is no longer needed. These include, for example, the HIPAA privacy and security regulations and the Federal Trade Commission’s Disposal Rule.
As mobile devices continue to proliferate, it is critical for businesses and individuals to ensure that, before discarding, reissuing, or “recycling” such equipment, personal information is at least removed or destroyed as required under applicable law. Deleting files, emptying the trash or quick-formatting a drive only removes the file system’s references to the data; the data itself remains on the media until it is overwritten, which is why it turned up so readily in the NAID study. Actual sanitization means overwriting the media (or, for encrypted media, destroying the encryption key) or physically destroying it, and then verifying the result; NIST Special Publication 800-88 describes these methods. Of course, there is other information, such as company proprietary and confidential information, that should be removed for obvious reasons even if it is not subject to these data destruction laws.
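To make the NAID finding concrete, here is an added example (not part of the original post or the NAID study) that models a drive as an in-memory image with a toy file system, “deletes” and quick-formats a file the way ordinary file systems do, and then carves the raw bytes for personal information with nothing more than regular expressions. The sample client record, the `ToyDisk` class, the 64-byte allocation unit and the `verify_overwrite` check are all constructed here for illustration; a real drive would be read as a raw block device and the verification would be done against the sanitization method actually used.

```python
"""Why "deleted" data survives on a recycled drive, and how to check a wipe.

Added example, not code from the original post. The disk, file system and
client record below are constructed for illustration.
"""
import re

BLOCK = 64  # assumed allocation unit of the toy file system

# Patterns an unsophisticated scan would use. Bytes regexes run over a raw
# image without needing any file system at all.
PII_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}


class ToyDisk:
    """A raw image plus a directory of (offset, length) entries.

    Deleting a file or quick-formatting only edits the directory; the data
    blocks are left in place, as FAT/NTFS/ext-style deletion does.
    """

    def __init__(self, size: int) -> None:
        self.image = bytearray(size)
        self.directory: dict[str, tuple[int, int]] = {}
        self.next_free = 0

    def write(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > len(self.image):
            raise ValueError("disk full")
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free = off + (-(-len(data) // BLOCK)) * BLOCK  # ceil to block

    def read(self, name: str) -> bytes:
        off, length = self.directory[name]
        return bytes(self.image[off:off + length])

    def delete(self, name: str) -> None:
        del self.directory[name]          # data blocks untouched

    def quick_format(self) -> None:
        self.directory.clear()            # data blocks untouched
        self.next_free = 0

    def overwrite(self, pattern: bytes = b"\x00") -> None:
        """Single-pass overwrite of every block, then reset the directory."""
        reps = len(self.image) // len(pattern) + 1
        self.image[:] = (pattern * reps)[: len(self.image)]
        self.quick_format()


def carve_pii(image: bytes) -> dict[str, list[bytes]]:
    """Scan the raw image, ignoring the directory, and return PII hits."""
    found: dict[str, list[bytes]] = {}
    for label, pattern in PII_PATTERNS.items():
        hits = sorted(set(pattern.findall(image)))
        if hits:
            found[label] = hits
    return found


def verify_overwrite(image: bytes, pattern: bytes = b"\x00",
                     sample_every: int = 1) -> bool:
    """Check that the media carries the overwrite pattern (sampled)."""
    return all(image[i] == pattern[i % len(pattern)]
               for i in range(0, len(image), sample_every))


if __name__ == "__main__":
    disk = ToyDisk(1024)
    # Constructed sample record; not real data.
    disk.write("clients.csv",
               b"name,email,ssn\nJane Doe,jane.doe@example.com,123-45-6789\n")
    disk.delete("clients.csv")
    print("after delete:", carve_pii(bytes(disk.image)))
    disk.quick_format()
    print("after quick format:", carve_pii(bytes(disk.image)))
    disk.overwrite()
    print("after overwrite:", carve_pii(bytes(disk.image)),
          "verified:", verify_overwrite(bytes(disk.image)))
```

The carver finds the email address and SSN after both the delete and the quick format, because neither touched the data blocks; only the overwrite removes them, and `verify_overwrite` is the kind of check a disposal procedure should record before a drive leaves the building.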
HHS to Conduct Survey About Which HIPAA Covered Entities and Business Associates Should Be Audited
The Department of Health and Human Services announced on February 24 that it is seeking information about conducting a pre-audit survey. That is, it plans to conduct a “survey of up to 1200 [HIPAA] covered entities (health plans, health care clearinghouses, and certain health care providers) and business associates (entities that provide certain services to a HIPAA covered entity) to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program.” Many covered entities and business associates will be wondering, of course, whether their compliance efforts are “suitable” to survive an audit.
In any event, the survey would gather information about size, complexity, and fitness of a covered entity or business associate for an audit. Questions in the survey likely will relate to data such as the number of patient visits or insured lives, use of electronic information, revenue, and business locations.
At this point, the survey is not on its way to you. The agency is seeking comments about (1) the necessity and utility of the proposed survey for the proper performance of its functions, (2) the accuracy of the estimated burden, (3) ways to enhance the quality, utility, and clarity of the information to be collected, and (4) the use of automated collection techniques or other technology to minimize the information collection burden. If you would like to submit comments on these issues, you can do so by emailing them to Information.CollectionClearance@hhs.gov to be received no later than April 25, 2014. You also can call (202) 690–6162.
“Blackphone” to address key smartphone privacy and security concerns?
Smartphone privacy and security concerns continue to weigh on businesses, particularly for companies in certain industries such as healthcare, and for those that have or are thinking of moving to a “bring your own device” (BYOD) model. Promoters of the “Blackphone,” according to a Reuters report, hope that their version of Google’s Android software will enable it to tap into the growing mobile security management (MSM) market.
According to the report, the Blackphone technology “encrypts texts, voice calls and video chats,” but it is not the only player with something to launch. Deutsche Telekom plans to offer a smartphone app that will provide similar capabilities. Of course, variations on these technologies are already available, but these new offerings will help expand the availability of privacy and security capabilities into the mass market. The report notes, however, that in the case of the Blackphone and the Deutsche Telekom app, “both sides of a call have to be using the same service to get full encryption.” That is the general rule for end-to-end encrypted calling: if the other party is on an ordinary phone, at least the leg between the service and that phone is not protected.
A critical component of any BYOD, electronic communication, social media, telecommuting/remote work or similar policy is monitoring developments in technology. A particular technology may not be the right fit for a company, or it may not be all that was promised, but it is important to be aware of these developments as they may provide a solution that is just right for a company’s needs.
U.S. Attorney General Eric Holder Urges the Passage of a National Data Breach Notification Law
After years of identity theft holding the top spot for crimes reported to the Federal Trade Commission, and following recent reports of massive data breaches, U.S. Attorney General Eric Holder urged Congress today to enact a national law setting a uniform standard for notifying individuals regarding breaches involving their personal information, according to a report by Reuters. Earlier this month, Federal Trade Commission Chairwoman Edith Ramirez made a similar request to Congress.
For years Congress has tried to enact a national breach notification law. Some recent examples include H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer) and S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown). Other members of Congress, such as Sens. Feinstein and Leahy, have made similar proposals. However, the usual Congressional wrangling over issues such as which agency will control enforcement and whether there should be a risk-of-harm trigger, as exists in many states, has stalled these legislative efforts. At the same time, states fear that their more stringent protections may wind up being preempted by a new federal mandate.
Attorney General Holder is reported to have observed that data breaches “are becoming all too common.” Some would say they are already too common. But, it remains to be seen whether Congress will act. For now, companies should be taking steps to avoid data breaches, but also be prepared to respond quickly should a breach happen – which may mean understanding the nuances of the applicable state laws.
What Employers Need to Know About Bitcoin

Ask the average person what they know about Bitcoin and they might be able to tell you that it is a digital currency. Most have probably heard the name mentioned in articles about its giant fluctuations in value or in connection with black market internet transactions. Beyond that, how Bitcoin actually operates remains relatively unknown to the general public. Public opinion of Bitcoin varies wildly and headlines range from “Bitcoin is Flawed, But It Will Still Take Over the World” to “Welcome to 21st-century Ponzi scheme: Bitcoin.”
Recent problems with one of the largest Bitcoin exchanges provide some validation for people’s hesitancy to jump into the world of digital currencies. But it is important to remember that Bitcoin and other so-called “crypto currencies” are a new technology and their prevalence is growing, rapidly. In its 2013 Annual Report to Congress, the Taxpayer Advocate Service, an independent organization within the IRS, noted:
In the four months between July and December 2013, Bitcoin usage has increased by over 75 percent – from about 1,700 transactions per hour to over 3,000. Over the same period, the market value of bitcoins in circulation increased more than ten-fold from about $1.1 billion to $12.6 billion.
The allure of lower transaction costs and publicity has also allowed Bitcoin to gain a footing in the business world. Expensify, an online expense reporting company, even allows its client businesses to reimburse their employees with bitcoins.
While this post is not intended as an in-depth discussion of how Bitcoin or any other crypto currency works, a basic understanding is needed to know why it could be important to your organization and employees.
Bitcoins may be exchanged over the internet, but they are not digital credits to some online account. Commentators usually analogize bitcoins to cash or gold, meaning there is an aspect of possession. What a user actually possesses is a set of private keys that control the bitcoins, and those keys are held in “wallets,” of which there are three general types: desktop, mobile, and web-based. Different wallet applications have different features. Some wallets store the keys only on the device, while others provide web-based backup. To put it more simply, if you have not taken precautions and lose your Bitcoin wallet, you lose your bitcoins. A quick internet search will turn up a number of sad stories about people who tossed out old computers holding wallets now worth millions.
As the prevalence of digital currencies increase, so does the chance that an employee may be storing bitcoins on his or her mobile device. That same mobile device might also contain an employer’s sensitive data. So what should an employer do if an employee calls to say, “I lost my phone, and by the way, my Bitcoin wallet has $1,700 in it?”
A common practice by employers to protect confidential information when an employee loses a company mobile device is the “remote wipe.” A remote wipe is typically initiated by a system administrator from the mail server (for example, through Exchange ActiveSync) or a mobile device management console; the device carries out the command the next time it connects. In some cases, a remote wipe will simply terminate access to company email and other applications, or remove only the managed company container. More commonly, however, the system administrator is hitting the reset button, erasing all data from the phone and returning the device to its original factory settings as if it were just pulled out of the box. Unless an employee is running a wallet application with backup features or has taken other prudent security measures, an employer may be deleting its employee’s bitcoins in an effort to prevent unauthorized access to confidential company data.
Bitcoin is illustrative of the problems that employee property on either company-owned or bring-your-own-device phones might create, because it has an ascertainable value. But family photos, personal notes, and downloaded media also have value to employees. Rather than taking a wait-and-see approach to how the law may develop on the deletion of employee property stored on their phones, employers should be proactive and take the time to review their mobile device policies. Although employees may have notice that a remote wipe is possible, they should also be advised that it is their responsibility to back up and protect their personal property, including their “wallets.”