Here is a link to a post on our sister blog Non-Compete and Trade Secrets Report entitled LinkedIn Account at Center of Lawsuit.  The case involves a dispute over control of a LinkedIn account between a company and its former President. The litigation may portend more disputes between employers and employees over social media accounts in the future.
New Jersey may become the fourth state, following Maryland, Illinois and California, to place limits on employers’ ability to access the social media accounts of employees and applicants, following yesterday’s 38-0 vote in the State’s Senate. S1915 makes some changes to an Assembly bill that also was overwhelmingly approved. 

The Senate version would provide for a private right of action, in addition to civil penalties starting at $1,000 per violation. Acts by an employer that could lead to a violation include requiring or requesting that an employee or applicant disclose whether he or she has a personal social media account, or that he or she provide access to such account. Assuming the Assembly approves these changes, the measure will head to Governor Chris Christie for signature.   

If approved, the law would take effect on the first day of the fourth month following enactment. The Senate also approved a similar measure affecting college students.

Leaving single copies of email on the server of one’s web-based email account (in this case Yahoo!) without downloading them or saving them to another location does not constitute storing the emails for backup protection under the Stored Communications Act (SCA), according to the South Carolina Supreme Court. Jennings v. Jennings, S.C. Sup. Ct. Oct. 12, 2012, No. 27177. This case arises out of civil litigation relating to a domestic dispute, but can affect how the SCA is applied in other contexts where a person’s or employee’s email account is accessed by an unauthorized third party. The case also highlights the difficulty courts have had with consistently applying this somewhat dated law to current technology.  

When the plaintiff’s spouse learned her husband was having an affair, she confided in her daughter-in-law who then gained access to the husband’s Yahoo! account which contained emails corroborating the affair. When these emails became part of the divorce proceedings, the husband sued and alleged, among other things, that his Yahoo! account had been illegally hacked under the SCA. The court of appeals found that the e-mails were in electronic storage, therefore triggering the SCA. The state’s Supreme Court disagreed. 

The SCA is violated when a person:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

18 USC 2701(a). However, the decision came down to the meaning of "electronic storage," defined in 18 USC 2510(17) to mean:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

The Court acknowledged differing views on how this definition has been interpreted – noting that the Department of Justice prefers the interpretation that both (A) and (B) be established to constitute electronic storage, while a majority of courts have found only one of the two prongs needs to be met. Because the plaintiff only alleged storage under (B), the Court focused on when electronic communications are stored for purposes of backup protection.

In that connection, the Court noted that the plaintiff left single copies of his e-mails in his Yahoo! email account, without saving or downloading them elsewhere. Looking to a dictionary definition of "backup" – "one that serves as a substitute or support" – the Court held that use of a backup presupposes the existence of another copy. Since there was no other copy according to the Court, the plaintiff could not have been storing the email for backup protection and, therefore, the defendant could not have violated the SCA.  A concurring opinion by Judge Kittredge, however, suggests a more in-depth analysis.

This case makes clear that businesses, attorneys and individuals need to proceed with caution when conducting investigations that involve electronic communications, a necessary source of information for just about any investigation. Something that appears clearly to be, or not to be, in "storage" may not hold up should the matter be analyzed by a court or by a state or federal agency.

As we have referenced in previous posts, the Federal Trade Commission (FTC) has launched an aggressive push against data brokers and credit reporting agencies in its enforcement of the rules under the Fair Credit Reporting Act (FCRA).  That push continues today with the U.S. Department of Justice’s announcement of the prosecution of a matter referred to it by the FTC. 

In U.S. v. Direct Lending Source Inc., filed by the DOJ on October 9, 2012, the DOJ alleges that Direct Lending Source and two other companies bought and sold consumer credit reports when they bought thousands of pre-screened consumer lists and credit report data and resold that information to dealers who marketed credit relief services instead of making firm offers of credit.  The DOJ alleges such practice violates the FCRA because the companies failed to comply with provisions forbidding the sale of credit reports without a “permissible purpose.” The only permissible purpose under the FCRA for using such pre-screened lists is to make “firm offers of credit or insurance” to consumers. The complaint further alleges that certain purchasers of the defendants’ credit report information have become the subject of law enforcement actions for consumer fraud against persons in financial trouble.   

The complaint also alleges that the defendants did not take reasonable steps to identify the ultimate purchasers of the credit reports. In some cases, according to the complaint, the defendants sold lists to brokers who then re-sold them to unidentified entities.

The FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information (broadly defined to include personally identifiable information contained in consumer financial records). Under the statute, a consumer report is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

The DOJ has entered a preliminary consent decree with the defendants, requiring them to pay a combined $1.2 million and to agree to injunctive relief against further FCRA or FTC violations. In addition, the defendants would be mandated to use, collect or resell consumer reports only for authorized purposes. Under the order, defendants would be prohibited from selling consumer reports in connection with credit relief services.

Like other recent FTC actions, this matter reminds companies to use credit report information in conformance with the FCRA.  We expect continued FTC, and potential DOJ, action under the FCRA. 

The Federation of State Medical Boards (FSMB) recently adopted model policy guidelines for the appropriate use of social media and social networking in a medical practice. The model policy guidelines can be viewed here. In its findings, the FSMB reports that 67 percent of 4,000 physicians surveyed use social media for professional purposes, that research indicates 35 percent of practicing physicians have received friend requests from a patient or member of their family, and that 16 percent of practicing physicians have visited an online profile of a patient or patient’s family member. This growing online connection between doctors and patients requires doctors and their employers to enact policies to ensure compliance with professional, legal, and ethical standards.

The guidelines also point to model social media policies that have been published by the American Medical Association, the Cleveland Clinic and the Mayo Clinic. Other professionals, including lawyers, and their employers can also benefit from consideration of the issues raised by the FSMB’s guidelines.

Former New York Yankee Lou Gehrig died 71 years ago from amyotrophic lateral sclerosis or ALS, now known as Lou Gehrig’s disease. Now some legislators in Minnesota want to make his medical records, maintained at the Mayo Clinic, public. A story in the Star Tribune raises the question of how long a patient’s personal health information remains private after the patient’s death. According to the Mayo Clinic, "only the spouse, parents, or Gehrig’s appointed representative have access to his medical records." Phyllis Kahn, a Minnesota state Representative, has proposed a state law which would not prohibit the release of the medical records of someone who has been dead at least 50 years, does not have a will that blocks the records’ release, and does not have any direct descendants objecting. A similar proposed federal regulation is also under discussion. Advocates stress that access to medical records after a period of time has elapsed could assist scientific research. The slugger who described himself as the luckiest man on the face of the earth may have more to contribute to privacy regulation, and perhaps medical science. Stay tuned.

Late last week, California Governor Jerry Brown "took to Twitter, Facebook, Google+, LinkedIn and MySpace to announce that he has signed two bills that increase privacy protections for social media users in California."

As discussed, one of the bills, A.B. 1844, updates California’s Labor Code to significantly limit when employers may ask employees and job applicants for social media passwords and account information. However, the law permits employers to request that an employee divulge personal social media activity reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations. This exception applies so long as the social media is used solely for purposes of that investigation or a related proceeding.

The other bill, S.B. 1349, establishes a similar privacy policy for postsecondary education students with respect to their use of social media. While the bill prohibits public and private institutions from requiring students, prospective students and student groups to disclose user names, passwords or other information about their use of social media, it stipulates that this prohibition does not affect the institution’s right to investigate or punish student misconduct.

The new laws take effect Jan. 1, 2013.

To help businesses comply with amendments to Connecticut’s data breach notification law, which becomes effective October 1, 2012, CT Attorney General George Jepsen’s Privacy Task Force has made an email address – ag.breach@ct.gov – available to facilitate breach reporting, reports Hartford Business.com.

According to the AG’s press release, a Web page detailing the new law’s requirements will go live on the AG’s Website when the amendment goes into effect. The key change made by the amendment is that persons, including businesses, required to notify residents of the Nutmeg State of a security breach must also notify the Attorney General’s office within the same time frame. The email address and informational website should facilitate the breach reporting process in Connecticut.  

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, OCR investigated the breach and broader compliance with HIPAA’s privacy and security rules, and found potential violations.  

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

The U.S. Department of Defense (DOD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) on August 24, 2012, proposed amendments to the Federal Acquisition Regulation – the rules governing the process through which the government purchases goods and services – addressing data security.

In short, the proposed rule would add a required contract clause for federal contractors to “address requirements for the basic safeguarding of contractor information systems” containing or processing government information. DoD, GSA, and NASA recognize that the requirements imposed on Federal agencies by the Federal Information Security Management Act (FISMA) of 2002, to provide information security for the information and information systems that support agency operations and assets, extend to the information and information systems managed by contractors.

The rule would apply to information provided by or generated for the Government that will be contained in or processed through a contractor’s or subcontractor’s information system. Basic safeguarding of such systems would include:

  • Protecting information on public computers or web sites;
  • Transmitting electronic information using technology and processes that provide the best level of security and privacy;
  • Transmitting voice and fax information only with reasonable assurances that access is limited to authorized recipients;
  • Protecting information by at least one physical or electronic barrier;
  • Sanitizing media in accordance with National Institute of Standards and Technology (NIST) guidance before external release or disposal;
  • Providing protection against computer intrusions and the unauthorized release of data, including current and regularly updated malware protection services and security-relevant software upgrades.

Additionally, contractors would be required to include the substance of the contract clause in all subcontracts for subcontractors who may have information subject to the rule residing in or transiting through the subcontractors’ information systems.

Federal contractors will need to reevaluate their information systems and written information security programs (WISPs) if this rule is made final and such provisions are added to their contracts.