The Federal Financial Institutions Examination Council (FFIEC) recently issued supervisory guidance entitled “Social Media: Consumer Compliance Risk Management Guidance.” Financial institutions are expected to use the Guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their involvement in social media.

The Guidance was published to address the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau (CFPB). Notably, the Guidance does not impose any new requirements on financial institutions, but instead is a guide to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.

According to the FFIEC, the use of social media by a financial institution to attract and interact with customers can affect the institution’s risk profile. The increased risks can include the risk of harm to consumers, compliance and legal risk, operational risk, and reputation risk. The Guidance is meant to help financial institutions identify potential risk areas to address appropriately, and to ensure institutions are aware of their responsibility to oversee and control these risks within their overall risk management program.

The Guidance specifies that a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risk associated with social media, and that the program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Involving all of these specialists underscores the need for an institution to have a uniform approach to social media, with input from all facets of the institution’s hierarchy. The risk management program should include:

  • A clearly defined governance structure;
  • Policies and procedures for use and monitoring of social media;
  • A risk management process for selecting and managing third-party relationships;
  • An employee training program on social media, including the institution’s policies and procedures for official, work-related use of social media and potentially for other uses of social media, including defining impermissible activities;
  • An oversight process for monitoring information posted to proprietary social media sites;
  • Audit and compliance functions; and
  • Parameters for providing appropriate reporting to the institution’s board of directors or senior management.

While the Guidance is intended to help financial institutions understand and successfully manage the risks associated with the use of social media, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), and the CFPB will all use it as supervisory guidance for the institutions they supervise, and the State Liaison Committee of the FFIEC has encouraged state regulators to adopt the Guidance.

On December 13, 2013, Fordham Law School’s Center on Law and Information Policy published a study (Study) that paints a sobering picture of how many public schools across the country handle student data, particularly with respect to data they store and services they (and students) use in the “cloud.” There is little doubt that many school districts are strapped for cash and, indeed, utilizing cloud services provides a new opportunity for significant cost savings. However, according to the Study, some basic, low-cost safeguards to protect the data of the children attending these public schools are not in place.

For example, some of the Study’s key findings include:

  • 95% of districts rely on cloud services for a diverse range of functions including data mining related to student performance, support for classroom activities, student guidance, data hosting, as well as special services such as cafeteria payments and transportation planning,
  • only 25% of districts inform parents of their use of cloud services,
  • 20% of districts fail to have policies governing the use of online services, and
  • with respect to contracts negotiated by districts with cloud service providers
    • they generally do not provide for data security and allow vendors to retain student information in perpetuity,
    • fewer than 25% specify the purpose for disclosures of student information,
    • fewer than 7% restrict the sale or marketing of student information, and
    • many districts have significant gaps in their contract documentation.

A data breach can be significant for any organization, and school districts are not immune. Parents are also beginning to pressure districts for more action, particularly as children can be an attractive target for identity theft.

The Fordham Study provides a number of helpful recommendations for public school districts. Indeed, based on the Study and consistent with basic data privacy and security principles (not to mention FERPA and other laws concerning the safeguarding of student data), there seems to be quite a bit of low-hanging fruit school districts can use to address the risks identified. These include, for example, establishing basic, written privacy policies and procedures that apply to cloud and similar services, implementing more thorough vetting of vendors handling sensitive personal information, and adopting and implementing for consistent use a set of strong privacy and security contract clauses when negotiating with all vendors that will access personal and other confidential information.

Check out our labor colleagues’ recent post (see Labor & Collective Bargaining blog) concerning the permissibility of a policy to prohibit audio/video recording in the workplace under the National Labor Relations Act, and the decision in Whole Foods Market, Inc., Case No. 1-CA-96965 (10/30/13).

Most of us do not go too far – whether at work or at home – without our favorite smartphone, tablet or other mobile device(s) in hand. The audio and video recording capabilities on these devices are standard equipment these days and increasingly sophisticated, and in some cases can be quite surreptitious. For many employers, that functionality makes it more difficult to, among other things: (i) safeguard proprietary and confidential company information, trade secrets, and personal information, (ii) maintain employee, customer and/or patient privacy, (iii) control internal communications, (iv) prevent spoliation of data, and (v) avoid discrimination and harassment activity. So, it is not hard to see why many employers would want to prohibit this activity in the workplace. When doing so, all employers certainly should consider the labor law issues discussed in our colleagues’ post and craft a clear and practical policy.

But what should employers consider when drafting a policy that prohibits certain photography/recording in the workplace? Here are some thoughts:

  • Be clear. The policy should not leave employees to wonder about when recording is prohibited and by whom. For example, taking photos and recordings may be prohibited in certain circumstances, for certain events/information, or by certain company employees, but not at other times, consistent with applicable law.
  • Be technology neutral. Your policy should be written to cover new devices/technologies that enter the market without having to be amended.
  • Keep in mind that not all recording is bad. In many cases, photos and audio or video recordings can benefit the business. For example, video recording could significantly enhance training and documentation capabilities.
  • Avoid ambiguous language. Overbroad language can create legal risks and confusion for employees. For example, prohibiting employees from engaging in “any and all” recording in the workplace would likely be impermissible under the NLRA.
  • Be practical and consistent in implementation and enforcement. In some cases, a policy might not be enough to address the potential risks. So, a company may want to consider not allowing devices to be present when performing certain functions. And, like all policies, disciplining some employees and not others for doing the same thing creates a range of risks.
  • Require consents/releases when needed. When photos or recordings are permitted and made for a commercial purpose, a number of states (e.g., California and New York) have statutory and/or common law protections. In general, a written consent is required. In addition to getting the individuals’ consent, the company also may want to obtain from the person(s) sufficient rights to the images captured (and as may be edited) for the intended uses, as well as a release from claims concerning such uses.
  • Address how the photos/recordings should be handled. When photos or recordings are needed for business purposes, employees should be advised about appropriate document management practices to ensure the photos/recordings are properly made, filed, saved, safeguarded, and destroyed when no longer needed. For example, photos and recordings could capture information that constitutes protected health information under HIPAA. In that case, employees need to be advised about and trained with respect to the applicable HIPAA policies and procedures.
  • Inform employees of the risks of making and using electronic photos and recordings. For example, when snapping photos or recording, employees may not be thinking about what is in the background visually or what sounds or conversations are being captured. They also may not think about how quickly and broadly these files can be shared if they are not careful.


In a recent consent order, the New Jersey Division of Consumer Affairs settled an investigation involving Dokogeo, Inc., a California based mobile application developer.

Under the Children’s Online Privacy Protection Act (“COPPA”) websites and online services which collect information from children younger than 13 are subject to certain parental notice and consent requirements.

In the Dokogeo investigation, the state alleged that COPPA and the Federal Trade Commission’s COPPA Rule were violated when the personal information of children was collected during the children’s use of a geolocation scavenger hunt application that uses animated cartoon characters. Specifically, the state alleged that by utilizing animation and a child-themed storyline, the app is directed at children and adults, which would subject the website to COPPA. Additionally, the state asserted the app collects personal information as defined under COPPA, including photographs, geolocation information and e-mail addresses. Further, and perhaps most importantly, the state alleged that the app’s privacy policy (which would detail the company’s data collection practices) did not obtain verifiable parental consent prior to the collection of personal information from children and that no link to the privacy policy was provided on the home page.

In the consent order, the company denies that the app is directed at children; however, the order requires the company to clearly and conspicuously disclose in its apps and on the home page of its websites the types of personal information it collects, the manner in which it uses the information and whether it shares information with third parties. Additionally, the order requires the company to verify that anyone using any of its apps that collect personal information is older than 13. The order further specifies that if the company fails to comply with the restraints and conditions of the settlement agreement, or violates consumer fraud or child online privacy laws, at any point in the next 10 years, it will be responsible for a $25,000 “suspended penalty.”

This matter, and numerous others throughout the country, highlight the need for companies to review their data collection practices and privacy policies to ensure COPPA compliance.

Following up on my recent post on Google Glass and its impact on the workplace, I had the opportunity to speak with Colin O’Keefe of LXBN on the subject. In the brief video interview I explain the general workplace issues it presents and also touch on the potential data management concerns.

On November 22, 2013, the WSJ reported on Google’s push to move Google Glass, a computerized device with an “optical head-mounted display,” into the mainstream by tapping the prescription eyewear market through VSP Global—a nationwide vision benefits provider and maker of frames and lenses. If the speed and immersion of technology over the past few years has shown us anything, it is that it will not be too long before employees are donning Google Glass on the job, putting yet another twist on technology’s impact on the workplace.

Employers continue to adjust to the influx of personal smartphones in the workplace, many adopting “Bring Your Own Device” (BYOD) strategies and policies. These technologies have no doubt been beneficial to businesses and workplaces around the globe. The introduction of Google Glass into the workplace may have similar benefits, but the technology also could amplify many of the same challenges as other personal devices, and create new ones.

For example, employers may experience productivity losses as employees focus on their Glass eyepiece and not on their managers, co-workers, or customers. Likewise, some businesses will need to consider whether Google Glass may contribute to a lack of attention to tasks that can create significant safety risks for workers and customers, such as for employees who drive or use machinery as a regular part of their jobs.

A popular feature of Google Glass is the ability to record audio and video. Smartphones and other devices do this already, but recording with Glass seems much easier and may become less obvious over time as we get used to seeing people wearing Glass. Of course, recording of activities and conversations in the workplace raises a number of issues. In healthcare, for instance, employees might capture protected health information with their devices, but potentially without the proper protections under HIPAA. Conversations recorded without the consent of the appropriate parties can violate the law in a number of states. Employees with regular access to sensitive financial information could easily capture a wealth of personal data, raising yet another data privacy and security risk.

The capturing of data on Glass, even if it is not collected, used or safeguarded improperly, will add to the challenges businesses face in avoiding spoliation of data stored in these additional repositories of potentially relevant evidence.

Only time and experience will tell what the impact of Google Glass will be in the workplace. However, as companies continue to adapt to present technologies, they should be keeping an eye on the inevitable presence of such new technologies, and avoid being caught without a strategy for reducing risks and avoidable litigation.

If your cloud service provider sounds like your local weather reporter – partly cloudy with a chance of rain – you may be in for a data security storm. A USA Today guest essay by Rajiv Gupta highlights the need for a multi-layered approach for cloud providers to ensure data stored in the cloud is secure, something we’ve touched upon here before. Businesses need greater certainty concerning the security of their data in the cloud and should be pressing their cloud providers for a security forecast with more certainty than their local weather report.

As Mr. Gupta notes, “by 2020 nearly 40% of the information in the digital universe will be touched by cloud computing providers.” Many businesses recognize this trend and may already have business data and applications in the cloud. However, some may not realize that some of their data is in the cloud without their knowledge or authorization, and without having had an opportunity to vet the provider(s). For example, it has been found that as many as 1 in 5 employees use commercial cloud providers to store company information.

Mr. Gupta discusses a number of tactics cloud providers should employ to secure data in the cloud – encryption, contextual access control, data loss prevention technologies, audit trails, and enforcement of security policies from application to application. Good advice for cloud providers. But customers of the cloud need to think a little differently.

Purchasers of cloud data storage services need to have a sense of the multiple layers of security tactics that are recommended for cloud providers and see to it that their provider(s) have them in place. But they also need to be thinking about:

  • What protections does their company have if the cloud provider’s systems are breached?
  • Does the services agreement with the cloud provider adequately address security, data breach, indemnity, reporting and so on?
  • What policies do they have for their employees concerning the privacy, security, integrity and accessibility of company data when using the cloud? And, which cloud should they be using?
  • How would employees’ use of their personal commercial cloud services complicate a company’s litigation hold processes?
  • Who at the company and at the cloud provider has/should have access to the data?
  • Is the cloud service provider a business associate/subcontractor under HIPAA, prepared to comply with the HITECH Act? What about the agreement requirements under state law?
  • Where is the data stored? Is it in the United States, or in a foreign country subject to different data security standards?
  • What if the cloud provider goes down or goes out of business? Will company data and applications be accessible?
  • Are the businesses’ customers and clients on board with use of the cloud for their data?

These are just some of the key questions businesses should be asking concerning use of the cloud. The technology can indeed yield substantial cost savings, but the failure to think carefully about its adoption and implementation can create substantial exposure for the company.

According to testimony before the House Committee on Science, Space, and Technology and warnings from IT security experts, individuals using the federal government’s website to obtain health coverage through the Exchange are likely putting the security of their sensitive personal information at significant risk. Reports about the cost of the federal website vary, but based on those reports, it is safe to say that the cost to date is tens of millions of dollars, and growing.

Politics aside, most companies spend far less on their websites, whether those sites are directed at customers, the public generally, employees and applicants, or all of the above. These companies might be asking: if the United States government spends tens of millions of dollars on a website that may wind up being inadequate to secure sensitive personal information, have we done enough to secure our sites? Many of these same companies use third-party vendors to provide web-based services to their employees and customers, and may be wondering whether those vendors have appropriate security measures in place.

These are important questions that relate not only to the technical data security measures in place for a site, but also to what is stated on the site, in website privacy policies and terms of use, about the security of the data collected on the site. The appropriate level of security will vary, for sure, company to company, industry to industry, function to function, and so on. But the level of website security, what is said about the level of security, and addressing related exposures should be a priority for any company’s risk management team, and not left solely to the IT department.

The New York Times published an interesting front page article by Somini Sengupta on October 31, 2013 about the growing trend of state legislative action on privacy issues, noting that over two dozen privacy laws have passed this year in more than 10 states. The piece also notes that the “patchwork of rules across the country” is a burden on companies, which must “keep a close eye on evolving laws to avoid overstepping.” The proliferation of state laws is a result of citizen concerns about privacy combined with Congressional gridlock. Some of the laws described in the piece include three online privacy laws passed in California just this year: “one gives children the right to erase social media posts, another makes it a misdemeanor to publish identifiable nude photos online without the subject’s permission, and a third requires companies to tell consumers whether they abide by ‘do not track’ signals on web browsers.” The article is a good summary of the state of U.S. privacy regulation today. Expect more state legislative action in the future.

The Florida Senate is considering joining a multitude of states which have banned employers from requesting or requiring access to current or prospective employees’ social media accounts.

Senate Bill SB198, entitled “An Act Relating to Social Media Privacy,” would prohibit employers from requiring or requesting access to employee or applicant social media accounts and from taking any retaliatory personnel action or refusal to hire based on an employee’s or applicant’s failure or refusal to provide access to the account. The proposed law would allow an employee or prospective employee to file a civil suit for injunctive relief and damages, including the recovery of attorney’s fees and costs should the employee or applicant prevail against the employer.

Several other states have already enacted similar laws. These states include Arkansas, Colorado, New Mexico, Oregon, Utah, Vermont, Washington, California, Illinois, Maryland, Michigan, Nevada, and New Jersey.

Employers in Florida and across the country will need to revisit some of the internal hiring, human resources, and monitoring practices they may be following, in particular, those of lower level managers and supervisors who may not be aware of these developments. Companies also need to reconsider what role they want employees to play in the businesses’ marketing strategies in social media.