As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations, including the requirement to encrypt personal information on portable devices to the extent technically feasible. Specifically, MPI must encrypt personal information on company-owned portable devices, ensure that those devices are kept in secure locations, purge personal information when it is no longer needed, train its employees at least annually on encryption and proper storage, and perform an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.

UPDATE: Governor Martin O’Malley signed the bills discussed below into law on May 2, 2012.

Maryland will likely become the first state to prohibit employers from demanding usernames, passwords or other means to access any personal account or service through an electronic communication device (computer, phone, PDA, etc.), such as the social media sites Facebook or LinkedIn, belonging to employees or job applicants. If signed by Governor Martin O’Malley, as expected, the new law would become effective October 1, 2012, after being passed unanimously in the Senate last week and by a vote of 128-10 in the House. Employers need to monitor developments, as legislatures in other states have taken up similar measures.

S.B. 433/H.B. 964 applies to any employer engaged in business in Maryland, as well as any unit of state or local government. It also reaches any agent, representative or designee of a covered employer. So, an employer cannot ask a third party to do under the law what the employer cannot do itself.

Covered employers also are prohibited from discharging, disciplining or otherwise penalizing employees or applicants (or threatening to do so) who refuse to comply with the requests for access prohibited above. In addition, employers may not fail or refuse to hire applicants who object to similar requests. However, the Maryland law prohibits employees from making unauthorized downloads of company financial or proprietary data, and permits employers to investigate when they receive information about such activities.

In this space we have frequently discussed social media issues ranging from legal considerations in policy development, to employers’ legal and practical risks attendant to reviewing job applicants’ social media presence, to legislative reactions to employers’ requiring disclosure of passwords as part of their background check process. Two further reactions to the password disclosure issue are worthy of note.
First, Connecticut Senator Richard Blumenthal has stated he will introduce federal legislation similar to that currently under consideration in the Illinois and Maryland legislatures. Arguing that employers’ mandating disclosure of user names and passwords “is a huge invasion of privacy,” State Assemblyman John Burzichelli has indicated that he will introduce similar legislation prohibiting the practice in the New Jersey legislature.
Second, in a statement issued this past Friday by Erin Egan, Chief Privacy Officer, Policy, Facebook responded to “a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information [which] …undermines the privacy expectations and the security of both the user and the user’s friends [and]…also potentially exposes the employer who seeks this access to unanticipated legal liability.” Facebook advised that it is now a violation of its Statement of Rights and Responsibilities to share or solicit a Facebook password since users “shouldn’t be forced to share [their] private information and communications just to get a job” and friends of users “shouldn’t have to worry that [their] private information or communications will be revealed to someone [they] don’t know and didn’t intend to share with just because [their friend] is looking for a job.”
Employers must stay abreast of these developments as they continue to refine all policies and procedures pertaining to employee social media usage.


Employers increasingly have health professionals on-site providing medical services to employees. For some employers, the reason is to address the rising costs of health care, including uncertainties about the full impact of health care reform, the Affordable Care Act, looming in 2014. For others, more comprehensive approaches to disability and leave management can mitigate compliance and litigation concerns. 

Whether it is a single nurse at a facility providing basic first aid and assisting in fitness-for-duty exams, or a full-scale health clinic staffed with physicians, nurses and others, there are a range of issues the company should be thinking about – e.g., workplace safety, disability/leave management, labor, employee benefits, and privacy. Some of our practice group leaders put together a white paper to aid employers in spotting these issues. We hope you find this helpful and easy to read. 

Click here to access the White Paper: An Overview of Legal Considerations When Bringing Health Care "In-House"

Complying with the Genetic Information Nondiscrimination Act (GINA) is a growing concern for employers and others. We have developed a comprehensive set of frequently asked questions concerning this new law. If you are interested in learning more about GINA:


Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General’s office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.

In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state’s Attorney General to inquire into not only the company’s privacy safeguards, but its business model as well. According to the Attorney General’s office, a company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car in a parking area located in a bar and restaurant district of Minneapolis, where it was stolen.

For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010. Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers or other businesses, most companies utilize third-party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third-party service providers to obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.

Other mandates. Requirements to ensure third-party vendors are safeguarding personal information are not limited to Massachusetts. Examples include:

  • States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
  • The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
  • The Payment Card Industry (PCI) standards require similar agreements.
  • Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, and WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiation and drafting are critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some businesses might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors’ data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment? The Maryland and Illinois legislatures would like to limit employers’ ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.

UPDATE – Newly enacted Maryland law prohibits employers from demanding access to Facebook or other online accounts of employees and applicants.

Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to

  • require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
  • require an employee to install on the employee’s personal electronic device software that monitors or tracks the content of the electronic device.  

Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer’s internal computer or information systems. 

The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electronic devices, including the personal devices of employees. This bill would make that process more challenging, particularly for businesses with nationwide operations in heavily regulated industries such as healthcare, insurance, finance and so on.

Two other bills (H.B. 310, S.B. 434) also are being considered that would prohibit public and nonpublic colleges and universities from making similar demands on students and applicants.

Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as

  • Finding medical information protected under the Americans with Disabilities Act or the Genetic Information Nondiscrimination Act.
  • Acting inconsistently when similar information is found about different applicants/employees/executives.
  • Acting on information that is not true.
  • Intruding into private areas.  
  • Failure to document the steps taken in conducting the search.
  • Not realizing the Fair Credit Reporting Act may apply and impose consent and notice requirements.
  • Unlawfully limiting protected concerted activity under the National Labor Relations Act.

Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination. Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way toward minimizing these risks.

In United States v. Jones, the Supreme Court unanimously decided that FBI agents violated the Fourth Amendment when they attached a Global Positioning System (GPS) tracking device to a suspected drug dealer’s Jeep Cherokee and monitored the vehicle’s movements on public streets for 28 days without obtaining a warrant to do so. Justice Scalia wrote the Court’s opinion, with four justices joining the opinion – Chief Justice Roberts and Justices Anthony Kennedy, Sonia Sotomayor, and Clarence Thomas.

Sotomayor’s concurring opinion is worth noting for its detailed analysis of the chilling effect on associational and expressive freedoms that government monitoring via technology, like GPS surveillance, will have if left unchecked. She wrote:

“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious and sexual associations…The Government can store such records and efficiently mine them for information for years into the future…And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: ‘limited police resources and community hostility.’”

Justice Alito, who also concurred in the majority opinion, argued for warrants based on the “reasonable expectation of privacy” standard, instead of the common law trespass test applied by Scalia. Alito, clearly troubled by the Court’s reliance on the law of trespass, points out that technology today allows for easy electronic monitoring, without any need to come into physical contact with the subject being tracked. He expresses concern over the “increased convenience” of new technology at the “expense of privacy,” and suggests that these “new intrusions on privacy” may motivate Congress to enact legislation addressing these “new intrusions” as it did with wiretapping. Sotomayor clearly agrees, but whether Congress will act obviously remains to be seen.

So, what does U.S. v. Jones mean for employers?

Private employers generally are not subject to the Fourth Amendment’s prohibition against unreasonable search and seizure. However, it is certainly foreseeable that employees of private employers could cite this case in support of claims that GPS monitoring, or any sort of electronic monitoring for that matter, during non-working hours violated their “reasonable expectation of privacy.” Whether this decision might influence courts as technology becomes more powerful remains to be seen.

As such, it is imperative for employers, especially those who provide smart phones and company vehicles containing GPS monitoring devices to their employees, to adopt policies notifying their employees of the company’s right to monitor their actions while using company-owned property. These policies should also contain language notifying employees about the GPS monitoring capabilities of the company-issued property and that they should not have an expectation of privacy while using it.

In light of the contours of a “reasonable expectation of privacy” analysis and concerns over common law claims of intrusion upon one’s seclusion, employers should also avoid monitoring during non-work hours. In addition, where the data received from location tracking reveals details of an employee’s personal life, employers should not review it or be prepared to show that they have a legitimate business justification for looking at this type of information.

Finally, private employers in states like California may have more to be concerned about where constitutional privacy protections apply to the private sector. A number of states also have laws prohibiting the installation of a tracking device without the consent of the vehicle’s owner or lessor.