As a growing number of states pass laws to restrict employers from gaining access to employees’ personal social media accounts, what employees post in social media can be critical evidence in employment-related investigations and litigations. Check out my partner J. Gregory Grisham’s recent article in HR Professionals Magazine discussing a recent Sixth Circuit decision concerning this issue in an FMLA context. 


On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.

HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-identification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," so it is no longer subject to the HIPAA privacy and security rules.

The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:

  • "Expert Determination" –  a formal determination by a qualified expert.
  • "Safe Harbor" – the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.

Under either method, the resulting data is no longer protected by the Privacy Rule, but it also has reduced usefulness. The guidance, however, also describes de-identification strategies that can minimize that loss of usefulness. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with the HIPAA privacy and security rules.
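As an added illustration (not code from the OCR guidance or this post), the following shows what the Safe Harbor method looks like when applied to a record: direct identifiers are removed, dates are reduced to the year, ZIP codes are cut to three digits (or to 000 for sparsely populated areas), and ages over 89 are aggregated. The field names, regex patterns, restricted ZIP set and sample record are all assumptions constructed for the example.

```python
import re
from datetime import date
# Assumption: field names and patterns below are ours, not from the OCR guidance.
DIRECT_IDENTIFIER_FIELDS = {"name", "mrn", "email", "phone", "ssn", "street", "ip"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
TEXT_PATTERNS = [  # free-text identifiers: email, SSN, US phone (illustrative)
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
]
AS_OF = date(2012, 11, 1)  # constructed reference date for computing ages

def generalize_zip(zip5, restricted_zip3):
    # Keep the first three digits unless that area holds 20,000 or fewer people.
    zip3 = zip5[:3]
    return "000" if zip3 in restricted_zip3 else zip3

def age_on(dob_iso, as_of):
    born = date.fromisoformat(dob_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
def scrub_text(text):
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text

def safe_harbor(record, restricted_zip3, as_of=AS_OF):
    """Return a copy of record with Safe Harbor identifiers removed or generalized."""
    out = {}
    age = age_on(record["dob"], as_of) if "dob" in record else None
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifiers are dropped outright, not masked
        if key == "zip":
            out[key] = generalize_zip(value, restricted_zip3)
        elif key in DATE_FIELDS:
            # Only the year survives; for ages over 89 even the birth year goes.
            out[key] = "90+" if key == "dob" and age > 89 else value[:4]
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out

# Constructed sample record; "036" stands in for one restricted ZIP3 area.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-0001", "email": "jane@example.com",
          "zip": "03601", "dob": "1921-04-05", "admit_date": "2012-10-29",
          "diagnosis": "J18.9", "notes": "Call 555-010-0100 or jane@example.com"}
```

Note that Safe Harbor also requires the absence of actual knowledge that the remaining fields could re-identify the individual; a scrubber like this addresses only the identifier-removal half of the standard.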

California Governor Jerry Brown has signed into law (AB 2674) new requirements specifying when and how employers must respond to their employees’ requests for inspection and copying of their personnel files. The new requirements become effective January 1, 2013.

Click here for more information about the new law.

Have you received this letter? If you did, it is part of Attorney General Kamala D. Harris's effort to formally notify scores of mobile application developers and companies that they are not in compliance with one aspect of California's privacy law. Letters are being sent to up to 100 non-compliant apps at this time, starting with the most popular apps available on mobile platforms. Even if you have not received the letter, you may want to think about whether you need to comply.

The California Online Privacy Protection Act (CalOPPA) requires commercial operators of online services, including websites and mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies should address how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

This enforcement action by Attorney General Harris is directed at mobile and social app platforms, but CalOPPA applies more broadly – to all commercial operators of online services that collect personal identifiable information about Californians.

It also is important to note that CalOPPA is just one of a number of privacy laws that the Privacy Enforcement and Protection Unit is charged with enforcing. Created in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The establishment of the Privacy Unit and this more recent enforcement of CalOPPA suggest California is stepping up the enforcement of its privacy laws. Privacy officers, security officers, compliance officers, information security officers, risk managers, and others in California and beyond should take stock of their compliance efforts and make adjustments where necessary.

The effects of a hurricane like Sandy should be a reminder to all businesses of the importance of disaster recovery planning. When these storms threaten, there is no shortage of images of sandbags and plywood being used to prevent harm to companies' bricks and mortar. However, we rarely see the steps businesses should be taking to protect their information and technology assets from natural disasters. Information and technology assets are essential to the success of most organizations, making appropriate preparations critical.

There are many aspects to comprehensive disaster recovery planning. Below are just a few of the key steps a company should take concerning its information and technology assets:

  • Have a clear purpose and avoid internal silos. Companies should be clear about what they are setting out to do and involve the appropriate segments of their organizations. Disasters do not just affect IT departments; they also affect the sales force, human resources, legal, finance, and top management. Leadership from these and other business segments needs to be at the table to ensure, among other things, appropriate coordination among the segments and an awareness of all available company resources. Excluding critical segments from the process will make it difficult to carry out the next critical step – assessing the risks.
  • Assess risks. Before a company can develop a disaster recovery plan, it must first identify the information and technology assets it needs to protect, their locations, their role in the success of the business, their associated costs, and the overall and specific risks that apply to those assets. Different disasters pose different risks and require different safeguards. It also is important to analyze how the business's operations would be affected by the loss of vital components and assets, including identifying which information and technology systems are needed to safely keep the doors open.
  • Employee safety. Information and technology assets are critically important, but not at the expense of human life. Employees need to be reminded that their safety comes first.
  • Develop your plan. Having involved key personnel and assessed the risks, the business is in a position to develop an enterprise-wide disaster recovery plan. Such a plan might include the following specific steps:
    • Establish redundancies. If a data center in lower Manhattan is underwater, being able to switch to another in California, Texas or another part of New York State will be essential to business continuity. The same is true for voice and electronic communications systems.
    • Regular backups. Frequent and regular backups are critical to ensuring the preservation of important company data, as well as the data it may maintain for others. Companies also have to consider the integrity and accessibility of that data, which easily can be compromised by certain disasters.
    • Train employees. No one likes fire drills, but they serve a valuable purpose. Companies should not wait for a disaster in order for employees to learn about the company’s disaster recovery program.
  • Update the plan. As the business changes, grows, and adds locations and new people, the disaster recovery plan may need to be revised to reflect those changes. A regular review of the plan is critical.

So, as you clean up from Sandy, think about whether your disaster recovery plan worked the way you expected. If it did not, make appropriate changes. If you think your company could have benefited from such a plan, there is no time like the present to begin developing one.

Here is a link to a post on our sister blog Non-Compete and Trade Secrets Report entitled LinkedIn Account at Center of Lawsuit. The case involves a dispute over control of a LinkedIn account between a company and its former President. The litigation may portend more disputes between employers and employees over social media accounts in the future.


New Jersey may become the fourth state, following Maryland, Illinois and California, to place limits on employers' ability to access the social media accounts of employees and applicants, following yesterday's 38-0 vote in the State's Senate. S1915 makes some changes to an Assembly bill that also was overwhelmingly approved.

The Senate version would provide for a private right of action, in addition to civil penalties starting at $1,000 per violation. Acts by an employer that could lead to a violation include requiring or requesting that an employee or applicant disclose whether he or she has a personal social media account, or that he or she provide access to such an account. Assuming the Assembly approves these changes, the measure will head to Governor Chris Christie for signature.

If approved, the law would take effect on the first day of the fourth month following enactment. The Senate also approved a similar measure affecting college students.

Leaving single copies of email on the server of one's web-based email account (in this case Yahoo!), without downloading them or saving them to another location, does not constitute storing the emails for backup protection under the Stored Communications Act (SCA), according to the South Carolina Supreme Court. Jennings v. Jennings, S.C. Sup. Ct. Oct. 12, 2012, No. 27177. This case arises out of civil litigation relating to a domestic dispute, but it can affect how the SCA is applied in other contexts where a person's or employee's email account is accessed by an unauthorized third party. The case also highlights the difficulty courts have had in consistently applying this somewhat dated law to current technology.

When the plaintiff's spouse learned her husband was having an affair, she confided in her daughter-in-law, who then gained access to the husband's Yahoo! account, which contained emails corroborating the affair. When these emails became part of the divorce proceedings, the husband sued and alleged, among other things, that his Yahoo! account had been illegally hacked under the SCA. The court of appeals found that the e-mails were in electronic storage, therefore triggering the SCA. The state's Supreme Court disagreed.

The SCA is violated when a person:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

18 USC 2701(a). However, the decision came down to the meaning of "electronic storage," defined in 18 USC 2510(17) to mean:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

The Court acknowledged differing views on how this definition has been interpreted – noting that the Department of Justice prefers the interpretation that both (A) and (B) be established to constitute electronic storage, while a majority of courts have found only one of the two prongs needs to be met. Because the plaintiff only alleged storage under (B), the Court focused on when electronic communications are stored for purposes of backup protection.

In that connection, the Court noted that the plaintiff left single copies of his e-mails in his Yahoo! email account, without saving or downloading them elsewhere. Looking to a dictionary definition of "backup" – "one that serves as a substitute or support" – the Court held that use of a backup presupposes the existence of another copy. Since, according to the Court, there was no other copy, the plaintiff could not have been storing the email for backup protection and, therefore, the defendant could not have violated the SCA. A concurring opinion by Judge Kittredge, however, suggests a more in-depth analysis.

This case makes clear that businesses, attorneys and individuals need to proceed with caution when conducting investigations that involve electronic communications, a necessary source of information for just about any investigation. Something that may appear to be clearly in "storage," or clearly not, may be treated differently once the matter is analyzed by a court or by a state or federal agency.

As we have referenced in previous posts, the Federal Trade Commission (FTC) has launched an aggressive push against data brokers and credit reporting agencies in its enforcement of the rules under the Fair Credit Reporting Act (FCRA). That push continues today with the U.S. Department of Justice's announcement of the prosecution of a matter referred to it by the FTC.

In U.S. v. Direct Lending Source Inc., filed by the DOJ on October 9, 2012, the DOJ alleges that Direct Lending Source and two other companies bought thousands of pre-screened consumer lists and credit report data and resold that information to dealers who marketed credit relief services instead of making firm offers of credit. The DOJ alleges such practice violates the FCRA because the companies failed to comply with provisions forbidding the sale of credit reports without a "permissible purpose." The only permissible purpose under the FCRA for using such pre-screened lists is to make "firm offers of credit or insurance" to consumers. The complaint further alleges that certain purchasers of the defendants' credit report information have become the subject of law enforcement actions for consumer fraud against persons in financial trouble.

The complaint also alleges that the defendants did not take reasonable steps to identify the ultimate purchasers of the credit reports. In some cases, according to the complaint, the defendants sold lists to brokers who then re-sold them to unidentified entities.

The FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information (broadly defined to include personally identifiable information contained in consumer financial records). Under the statute, a consumer report is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

The DOJ has entered a preliminary consent decree with the defendants, requiring them to pay a combined $1.2 million and to agree to injunctive relief against further FCRA or FTC violations. In addition, the defendants would be mandated to use, collect or resell consumer reports only for authorized purposes. Under the order, the defendants would be prohibited from selling consumer reports in connection with credit relief services.

Like other recent FTC actions, this matter reminds companies to use credit report information in conformance with the FCRA. We expect continued FTC, and potential DOJ, action under the FCRA.

The Federation of State Medical Boards (FSMB) recently adopted model policy guidelines for the appropriate use of social media and social networking in a medical practice. The model policy guidelines can be viewed here. In its findings, the FSMB reports that 67 percent of 4,000 physicians surveyed use social media for professional purposes, that research indicates 35 percent of practicing physicians have received friend requests from a patient or member of their family, and that 16 percent of practicing physicians have visited an online profile of a patient or a patient's family member. This growing online connection between doctors and patients requires doctors and their employers to enact policies to ensure compliance with professional, legal, and ethical standards.

The guidelines also point to model social media policies that have been published by the American Medical Association, the Cleveland Clinic and the Mayo Clinic. Other professionals, including lawyers, and their employers can also benefit from consideration of the issues raised by the FSMB’s guidelines.