This Sunday, January 28, is Data Privacy Day, which Congress recognized on Jan. 27, 2014, when it adopted S. Res. 337, supporting the designation. As noted by the National Cyber Security Alliance, Data Privacy Day began in the United States and Canada in January 2008, an extension of the Data Protection Day celebration in Europe. Don’t count on any days off soon, but awareness about data privacy and security issues affecting our lives and businesses has grown in recent years, and certainly will continue well into the foreseeable future. In honor of Data Privacy Day, we again prepared our thoughts on some key issues to be on the lookout for in 2018. We call it “Top 10 for 2018.” The topics are below, and a more expansive discussion of them can be accessed here.

1. Greater Focus on EU Data Protection Requirements

2. Biometric Data – Emerging Law and Litigation

3. Analytics in the Workplace – Privacy Vulnerabilities

4. Enhanced Connectivity – GPS plus IoT

5. Ransomware and Phishing Attacks Continue

6. Insider Threats

7. Privacy and Data Breach Class Actions

8. Data Breach Readiness

9. Increased Data Privacy and Security Legislation

10. Vendor Management


With the continuing parade of high profile data security breaches, the concern U.S. organizations have about the security of their systems and data has been steadily growing. And rightly so. Almost every organization processes (collects, uses, stores, or transmits) individually identifiable data. Much of this data is personal data, including employee data, which brings heightened privacy and security responsibilities and obligations.

For certain entities, these responsibilities and obligations are about to increase significantly. On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This is a game changer for those organizations subject to the jurisdiction of the GDPR, and not just because of its new data breach notification provision. The GDPR contains expanded provisions for data collection, retention, and access rights unlike those they are used to in the U.S. that will create substantial challenges for U.S. employers processing their EU employee data.

To effectively meet these challenges, U.S. employers need to take stock of the data they process concerning individuals relating to EU operations (and not just about employees, although that is our focus here). What categories of EU employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts. And it may be processed in the cloud, the U.S., or elsewhere outside the EU.

Starting with the source of EU employee data, the U.S. employer should review its connections with the EU. Does it have an EU branch or office, a subsidiary or affiliate? An EU franchise, agent, or representative? Has it recently merged with or acquired an organization with EU locations or connections? Any one of these connections is a potential source of EU employee or comparable internal personal data, regardless of how small.

Next, how does the U.S. employer process its EU employee or internal personal data? This data can be processed in traditional contexts – HRIS, benefits, payroll, Active Directory or contact information, and recruitment or talent management. It can be processed in other contexts – Customer Relationship Management, software applications, IT maintenance and security review activity, surveillance images, remote login, business-related travel and event attendance support, professional development, training and certification, and external-facing websites simulating annual reports or collecting job applications. Even if the U.S. employer outsources payroll, benefits administration, or HR, it may still process EU employee or internal personal data in other contexts.

For a specific example of employee data processing, consider the internal-facing website or employee that facilitates business travel or conference registration. This service collects the EU employee’s personal data in the form of name, address, phone number, work title and work address. However, it may also collect the EU employee’s special hotel and dining accommodation needs. This additional information may reveal health, disability, or religious beliefs information about the EU employee, all of which are subject to heightened protections. In another example, the organization’s training portal may use video presentations featuring internal trainers. These videos contain employee personal data – the trainer’s photo and, perhaps, work contact information. Locating and identifying all forms of EU employee data processing is critical. However, knowing what actually constitutes EU employee personal data is key.

Identifying employee personal data in the context of the GDPR is challenging. The GDPR definition, especially when applied to an EU employee, can be expansive and, for U.S. employers, often surprising. EU employee personal data includes “any information relating to an identified or identifiable” EU employee. Identifiable simply means the employee can be “identified directly or indirectly… by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This may include name, address, driver’s license number, date of birth, passport number, vehicle registration plate number, phone number, photos, email address, ID card, workplace or school, and financial account numbers. With respect to employees, it may also encompass gender, personnel reports (including objective and subjective statements), recruitment data, job title and position, work address and phone number, salary information, health and sickness records, monitoring and appraisals, criminal records, rent, retirement or severance data, and online identifiers such as dynamic IP addresses, metadata, social media accounts and posts, cookie identifiers, radio frequency tags, location data, mobile device IDs, web traffic surveillance that identifies the machine and its user, and CCTV images. ‘Special categories’ of employee data – racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data – require heightened levels of protection under the GDPR. Given the broad interpretation of personal data under the GDPR, a determination of what constitutes employee personal information is often based on the relevant facts and circumstances.

May 2018 is approaching quickly. The GDPR may bring new and enhanced obligations for U.S. employers. Significant among these is employee consent to processing personal data. With this in mind, employers should begin evaluating their organizations through the lens of employee data collection and processing, keeping in mind applicable national laws.

In a ruling that may have significant impact on the recent wave of biometric privacy suits, an Illinois state appeals court held that plaintiffs must claim actual harm to be considered an “aggrieved person” covered by Illinois’ Biometric Information Privacy Act (BIPA), in a dispute arising from the alleged unlawful collection of fingerprints from a Six Flags season pass holder. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317 (Ill. App. Ct. Dec. 21, 2017).

The plaintiff, whose son’s fingerprint was collected by Six Flags after purchasing a season pass for one of its Great America amusement parks, filed suit on behalf of her son and similarly situated class members, against Great America LLC and Six Flags Entertainment Corp. for allegedly violating Illinois’ BIPA by failing to obtain proper written consent or disclosing their plan for the collection, use, storage, or destruction of her son’s biometric information. The plaintiff further claimed that had she known of Six Flags’ collection of fingerprints, she would not have allowed her son to purchase a season pass.

Six Flags argued in a motion to dismiss that the BIPA allows only “aggrieved” individuals to sue for all alleged violations, and that the plaintiff’s son and other similar plaintiffs who had not suffered actual harm have not met the necessary threshold to bring a claim.

After a lower court denied Six Flags’ motion to dismiss, the Illinois state appeals court’s three-judge panel held that in order for a plaintiff to meet the definition of “aggrieved person” under the BIPA, a plaintiff must demonstrate actual harm.

“If the Illinois legislature intended to allow for a private cause of action for every technical violation of the act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable,” the panel ruled. “A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under … the act.”

Employment BIPA Class Actions

With over 30 employment class actions filed against employers in Illinois state court since July 2017 claiming BIPA violations for implementation of biometric technology, the Six Flags ruling represents a significant victory. We recently reported on a putative class action filed by employees against their employer, Oak Park Rehabilitation & Nursing Center LLC, alleging that mandatory daily biometric fingerprint scans violate employees’ privacy rights under the BIPA. Similar to the suit against Oak Park, the recent flood of employee class actions allege employer misuse of timekeeping systems that collect fingerprint scans. They claim the employer failed to provide proper notification and obtain written consent or neglected to institute a valid use policy.

Although the Six Flags decision represents a win for employers, plaintiffs will likely continue to attempt alternative legal arguments to claim that an individual is an “aggrieved person” under the BIPA. Accordingly, companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared.

Below are additional resources to help navigate biometric information protection laws:

Primarily motivated by several recent massive data breaches, Senate Democrats recently introduced a bill geared toward protecting Americans’ personal information against cyber attacks and ensuring timely notification and protection when data is breached.

The Consumer Privacy Protection Act of 2017 provides that companies that collect and hold data on at least 10,000 Americans would be required to implement “a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.”

The legislation protects broad categories of data, including: Social Security, drivers’ license, and passport numbers, financial account numbers or debit/credit card numbers in combination with a security code or PIN, online usernames and passwords, unique biometric data such as fingerprints and retina or iris scans, physical and mental health data, geolocation data, and private digital photographs and videos.

The bill would also allow the United States Attorney General, state attorneys general, and the Federal Trade Commission to enforce alleged violations of the breach notification or security rules, which could subject companies to civil penalties of at least $16,500, depending on the number of records that were breached. The bill does not provide for a private right of action.

The legislation would require notification to be made “as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.”

The law would also require companies to provide “five years of appropriate identity theft prevention and mitigation services” at no cost to any individual who asks for it, and prohibits automatic enrollment in the identity theft prevention and mitigation services without their consent.

The text of the bill can be found here.

It is worth noting that shortly following the introduction of the Consumer Privacy Protection Act, three Democratic senators introduced the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days of becoming aware of a breach. An individual who conceals a data breach could face a penalty of up to five years in prison. This bill comes on the heels of Uber’s recent data breach announcement that hackers stole 57 million records in 2016, and that Uber paid the hackers $100,000 to destroy the documents.

We will continue to report on the status of these bills and other legislative proposals for heightened data security at the federal level, in light of the massive data breaches of late, as developments unfold.


On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.

“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Eric Schneiderman.

Key aspects of the proposed SHIELD Act include:

  • Covering any business that holds sensitive data of New York residents. Interestingly, the proposed legislation would amend the existing breach notification requirement to remove language currently limiting application of the notification rule to persons or businesses that conduct business in New York
  • Requiring all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data
  • Businesses that are already regulated by and comply with certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are considered “compliant regulated entities” under the SHIELD Act. These entities and others that are annually certified by an authorized and independent third party to be compliant with certain data security standards, such as the most up-to-date version of the ISO/NIST standards, are called “certified compliant entities.” These entities are deemed to be compliant with the proposed law’s reasonable safeguard requirements, and a safe harbor from state enforcement actions would apply to “certified compliant entities”
  • A more flexible standard would exist for small businesses (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets)
  • Data breach notification obligations would become broader by (i) adding “access to” (in addition to the current trigger “acquisition”) as a trigger for notification, and (ii) expanding the data elements that if breached would require notification to include username-password combination, biometric data, and HIPAA covered health data
  • Deeming inadequate security to be a violation of General Business Law § 349 and permitting the Attorney General to bring suit and civil penalties under General Business Law § 351

AG Schneiderman’s proposed bill comes on the heels of several massive data breaches and ransomware attacks (e.g., WannaCry). The proposed SHIELD Act has the support of two major sponsors in the State Legislature: Senator David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemblyman Brian Kavanagh (D-Manhattan), who lead their chambers’ consumer protection committees.

Although the SHIELD Act is a significant step forward for the Empire State, it does not come as a surprise. Attorney General Schneiderman has been vocal and proactive in the pursuit of heightened data security. Following a recent massive credit reporting agency breach, Schneiderman sent formal inquiries to the two other major credit reporting agencies, asking them to detail their security measures, the steps they have taken since learning of the breach, and how they will further assist consumers in protecting their personal information.

In addition, AG Schneiderman has issued several enforcement actions in 2017 against companies that have failed to effectively protect consumer information. In January, Schneiderman announced a settlement with Acer Service Corporation, a computer manufacturer in Taiwan, after a data breach of its website exposed 35,000 credit card numbers. An investigation by the AG’s office revealed that sensitive customer information had not been protected for almost a full year. Acer agreed to pay $115,000 in penalties and improve its data security practices. In April, Schneiderman announced that TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. TRUSTe agreed to pay $100,000 and “adopt new measures to strengthen its privacy assessment”. In June, Schneiderman issued his first enforcement action against a wireless security company, Safetech Products LLC, for failing to implement adequate security in its Internet of Things (IoT) devices. It was found that Safetech did not force users to reset default passwords, and did not encrypt passwords sent over the network. As part of the settlement agreement, Safetech agreed to implement a written comprehensive security program.

AG Schneiderman did not begin enforcing New York’s data security laws and regulations in 2017; the issue has been a growing area of concern in his office for some time. In January of 2015, on the heels of former President Obama’s announcement of a cybersecurity legislative proposal, AG Schneiderman indicated his own plans to propose legislation to heighten New York’s data security laws.

The SHIELD Act, if enacted, would have far reaching effects, as any business that holds sensitive data of a New York resident would be required to comply.  Moreover, given the nation’s heightened awareness of cybersecurity in the wake of the recent massive data breaches, other states may also consider similar legislation.

The flood of massive data breaches – including, most recently, the Equifax breach that compromised the personal data of around 145 million U.S. consumers – has increased the pressure on Congress to pass sweeping federal data security and breach reporting legislation. While it’s difficult to project whether such legislation will be enacted in the near future, and what it will look like in the event that it is, an important and contentious question has already arisen: If federal legislation is ultimately enacted, should it preempt the patchwork of state and local laws that presently govern this area?

Setting aside the handful of industries – including healthcare and finance – that are already subject to federal data security laws, the data security and breach reporting obligations of most U.S. organizations are established by a medley of state and local laws. This legal patchwork is confusing and arduous for organizations and data subjects to navigate, particularly since the types of data elements protected, and the processes for determining when a breach must be reported, vary from state to state. At least in theory, therefore, federal preemption in this area would be a step in the right direction.

Not so, say the New York and Massachusetts attorney general’s offices, both of which have been active in the data security space. On October 25, 2017, these offices urged U.S. House members to use federal law to set a floor for data security and reporting standards; not a ceiling. Setting a federal ceiling, argued Kathleen McGee, Chief of the Bureau of Internet and Technology at the New York Attorney General’s Office, would stifle innovation in this area: “States have proven the ability to act quickly” to address technological changes that impact data security, Ms. McGee said. Congress, she added, “should not limit states’ ability to innovate in this area.”

Touting the effectiveness of state-level legislative and enforcement efforts, assistant Massachusetts Attorney General Sara Cable noted that her office has received over 19,000 notices since its data breach notification law went into effect in 2007, including 4,000 in 2016 alone. These notices, she said, have revealed that, while “there are entities that are doing it right,” she sees “far too often that entities are not treating consumer information like the valuable asset it is.” “I would submit,” she continued, “that any [federal] law that is proposed that is weaker than the law that we currently have today [in Massachusetts] is worse than doing nothing.”

We will keep you posted as federal lawmakers continue to grapple with the escalating threats to personal data. In the meantime, we strongly encourage organizations to take appropriate steps to ensure that they are compliant with their current state law data security obligations. A growing number of states now require subject organizations to develop policies and procedures to safeguard the personal information that they hold, and the definitions of “personal information” under state law continue to expand to cover additional data elements like health information, email addresses and usernames, and biometric data. And state agency investigations and enforcement actions are not the only area of concern for organizations that fail to comply with their data security and reporting obligations. Some state laws provide a private right of action and, in an ominous development, 26 employment class action lawsuits in the past three months alone have alleged violations of the Illinois Biometric Information Privacy Act.

Delaware joins the growing number of states that recently amended their data breach notification law. On August 17th, Delaware amended its data breach notification law with House Bill 180, the first significant change since 2005, effective 240 days after enactment (on or about April 14, 2018). 

Delaware follows the state law trend of requiring businesses to implement reasonable security measures, expanding the definition of personal information, increasing notification requirements, requiring a risk of harm trigger, and requiring mitigation.

Key aspects of Delaware’s amended data breach notification law include:

  • Maintain Reasonable Procedures and Practices to Protect Personal Information – Any “person” subject to the amended law is now required to implement and maintain reasonable security procedures and practices. The definition of “person” has now been expanded to include any business form, governmental entity, “or any other legal entity”.
  • Expanding the Definition of “Personal Information” – The definition of “Personal Information” was expanded to include: passport number; a username or email address, in combination with a password or security question and answer that would permit access to an online account; medical history, mental or physical condition, medical treatment or diagnosis by a health care professional, or deoxyribonucleic acid profile; health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person; unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and an individual taxpayer identification number.
  • Data Breach Notification/Risk of Harm Trigger – Businesses affected by a data breach are now required to give notice to affected state residents “as soon as possible” following the conclusion of an investigation that “misuse of information about a Delaware resident has occurred or is likely to occur”. In addition, the new amendment requires notification within 60 days unless the investigation “reasonably determines that breach of security is unlikely to result in harm to the individuals whose personal information has been breached” or law enforcement has requested a delay in notification.
  • Attorney General Notice – If the number of affected Delaware residents to be notified exceeds 500, notice must also be provided to the Attorney General.
  • Credit Monitoring – If the breach of security includes a social security number, the business is now required to offer to each resident, whose personal information was breached or is reasonably believed to have been breached, reasonable identity theft prevention services and identity theft mitigation services at no cost to such resident for a period of 1 year. Both California and Connecticut have similar provisions.

While not all states currently require reasonable safeguards or credit monitoring, there appears to be a growing trend (which we expect will continue) to include these requirements when breach notification laws are amended. As such, it is imperative for organizations facing a breach to ensure they are applying the most current law.

On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law.  The law has an effective date of June 16, 2017 and follows the same general structure of many of the breach notification laws in other states.

Importantly, the definition of personal identifying information (PII) under New Mexico’s Data Breach Notification Act includes biometric data (“a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”).  We have seen a number of states (e.g. Illinois) implement or amend their own data breach notification laws to include elements such as biometric data.

The Data Breach Notification Act includes three key components: (i) Disposal of PII; (ii) Security Measures for Storage of PII; and (iii) Notification of a Security Breach.

Disposal of PII:

Under the Act, organizations are required to arrange for the proper disposal of records containing the PII of New Mexico residents when they are no longer reasonably needed for business purposes.  Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII:

Organizations must implement and maintain – and contractually require their service providers and vendors to implement and maintain – reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure.  Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices.  Nevertheless, all organizations should be implementing safeguards to protect the personal and company information they maintain.

Notification of a Security Breach:

In the event of a breach, the Act provides:

  • Notification must be provided to each New Mexico resident within forty-five (45) calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee) notification must be provided to the owner or licensee of the PII within forty-five (45) calendar days following discovery of the breach.
  • Notification to each New Mexico resident must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated date(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of their rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within forty-five (45) calendar days following discovery of the breach.  Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • A risk of harm trigger. Specifically, notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft or fraud.”
  • The Act does not apply to a person subject to GLBA or HIPAA.

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and an award of damages for actual costs or losses, including consequential financial losses. If a violation of the Act is knowing or reckless, a civil penalty may be imposed of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.

Breach notification laws continue to evolve and it is imperative for organizations to be prepared to respond appropriately.  If you need assistance with a data incident or data breach, please contact our 24/7 Data Incident Response Team at 844-544-5296 or breach@jacksonlewis.com.

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017.

1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal information by disguising oneself as a trustworthy source. The IRS reported a 400 percent surge in phishing and malware incidents in 2016 and dedicates a page on its website to phishing and online scams. A relatively simple, yet extremely effective safeguard against such an attack is for organizations to advise employees (especially those in HR and Payroll) to be on the lookout for email requests, often appearing to come from a supervisor, for the personal information of all, or large groups of, the company’s employees. Before responding electronically, employees should verbally confirm such requests. This is especially true as organizations begin the W-2 process and are compiling large amounts of personal information.

Ransomware, in some cases delivered by a phishing attack, is a type of malware that hackers use to stop you from accessing your data so they can require you to pay a ransom, often paid in cryptocurrency such as Bitcoin, to get it back. According to the FBI and the Department of Health and Human Services’ Office for Civil Rights, ransomware attacks have quadrupled, occurring at a rate of 4,000/day. These agencies and the Federal Trade Commission have offered guidance to help curb these attacks. Among other things, the guidance urges organizations to be prepared. A great start to combat ransomware’s effectiveness is for your organization to consider whether you maintain regular backups of your electronic systems.

2.  Safeguards Required to Protect Personal Information – State laws continue to emerge and expand requiring businesses to protect personal information. Joining states such as Florida, Massachusetts, Maryland, and Oregon, Illinois businesses must implement and maintain reasonable safeguards to protect personal information beginning January 1, 2017, and California clarified what it means to have reasonable safeguards. Similar rules go into effect in Connecticut beginning October 1, 2017, for health insurers, health care centers, pharmacy benefits managers, third-party administrators, utilization review companies, or other licensed health insurance businesses. And, during 2017 in New York, entities regulated by the state’s Department of Financial Services, such as banks, check cashers, credit unions, insurers, mortgage brokers and loan servicers, and some of their subcontractors, likely will become subject to a complex set of cybersecurity regulations many view as the first of their kind in the country.

3.  Big Data, Analytics, AI, Wearables, IoT – New technologies and devices continuously emerge, promising a myriad of societal, lifestyle and workforce advancements and benefits, including increased productivity, talent recruiting and management enhancements, enhanced monitoring and tracking of human and other assets, and improved wellness tools. This will continue in 2017, and will require an unprecedented and unimaginable collection of data, which very often will be personal data. Federal agencies, such as the FTC and EEOC, and others are taking note. While these advancements are undoubtedly valuable, the potential legal issues and risks should be considered and addressed prior to implementation or use.

4.  HIPAA Privacy and Security Enforcement – The Office for Civil Rights continues in enforcement mode in 2017, announcing two settlements so far in January 2017, totaling nearly $3 million. In one action, the agency addressed for the first time the 60-day rule for providing notification of breaches of unsecured protected health information. In this case, the covered entity discovered the breach involving 863 patients on October 22, 2013, but did not notify OCR until January 31, 2014, about 41 days late. The settlement amount was $475,000, or approximately $11,500 per day. OCR Director Jocelyn Samuels reminded covered entities that they “need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.”

5.  Breach Notification Laws – There are currently 47 states with breach notification laws, and they continue to be updated. For example, beginning in 2017, California businesses and agencies can no longer assume that notification is not required when personal information involved in the breach is encrypted. Illinois also changed its breach notification law, effective January 1, 2017, to, among other things, expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data. These laws continue to evolve and be amended to address the extensive amount of sensitive data that is stored electronically.

6.  The Telephone Consumer Protection Act (TCPA) – 4,860 TCPA lawsuits were filed in 2016 according to statistics compiled by WebRecon LLC. This represents an almost 32% increase over 2015 and marks the 9th consecutive year in which the number of TCPA suits increased from the preceding year. With the SCOTUS decision in Campbell-Ewald making defense of class actions under the TCPA more difficult, we expect the number of TCPA suits to continue to grow in 2017. Many of these suits are not just aimed at large companies. Instead, these suits are often focused on small businesses that may unknowingly violate the TCPA, and they can result in potential damages in the hundreds of thousands, if not millions, of dollars. Understanding the FAQs for the TCPA and taking steps to comply with the TCPA is a great first step.

7.  The EU General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield – GDPR has been adopted, and while it will not apply until May 25, 2018, there is a lot to do to get compliant. For example, GDPR adds a data breach notification requirement for data controllers; if notification is required, it must be provided to the data protection authority within 72 hours. Also, the EU-U.S. Privacy Shield data transfer agreement (“the Privacy Shield”) was reached to replace the EU-U.S. Safe Harbour agreement, which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s (CJEU) ruling in Schrems v. Data Protection Commissioner. As of August 1, 2016, organizations based in the U.S. were able to self-certify their compliance with the Privacy Shield. Please review our detailed Q&A on some of the most common questions.

8.  President Trump – As we near the end of the President’s first full week in office, it remains to be seen just how the new administration will address privacy and cybersecurity issues. We considered some of these issues shortly after the election based on the President’s campaign, which may provide some insight while we await more clarity from the White House.

9.  Social Media Investigations – Social media use continues to grow on a global scale and become more and more prevalent for organizations. This is especially true as generations who have lived their entire lives in a Social Media World represent an ever expanding percentage of the workforce. User profiles or accounts are regularly sought and reviewed in litigation and/or employment decisions. While public content may generally be viewed without issue, employers need to be aware of how they are accessing social media content and ensure they are doing so consistent with state laws protecting social media privacy, and avoiding access to information they would rather not have.

10.  Be Vigilant and Watch for Changes – As more and more personal information and data is available and stored electronically, it is important for organizations to realize this data is extremely valuable, especially in the wrong hands. To this end, and as outlined above, organizations should be constantly assessing how best to secure their electronic systems. This is particularly true as the law and industry guidance are constantly changing and evolving in an effort to keep up with technological advancements.


It is not uncommon for employers to assign badges to their employees to grant access to certain locations on the employer’s property and parking garages. Many employees have them, use them, lose them and think little of them. But badges made by Humanyze are so much more, raising concerns from privacy advocates and others. According to a New York Post article and earlier reports, these badges are designed to be worn by employees all day (and possibly night) and are capable of capturing a wide range of information about the employee, along with data from other systems of the employer. Through data mining and analytics, according to Humanyze’s chief executive Ben Waber:

you can actually get very detailed information on how people are communicating, how physiologically aroused people are, and can make predictions about how productive and happy they are at work

So, just what does this badge collect? According to the report and the company’s website, the badge is worn around the neck (kind of like name badges at association conferences) and captures sleep patterns, analyzes voice, monitors body language and fitness, tracks location, and measures the level of communication with colleagues. These and other data are combined with the employee’s email and phone activity to produce insights into productivity levels and the employee’s emotions, including stress and coping levels. According to the article, the badge “can even detect if an employee is drunk.” However, Mr. Waber points out that conversations are not recorded, only the tone of the conversation, and that individuals use the badges only after giving their consent.

This super badge certainly is not the first or only product working its way to market that engages in this kind of monitoring. For example, we reported on Microsoft’s HoloLens, the company’s “augmented reality help system,” which is equipped with a “plurality” of sensors that gather a range of biometric parameters (heart rate, perspiration, etc.) along with other information to assist employees with certain tasks. There are others coming.

The badge, HoloLens and other similar devices can be valuable tools for businesses to understand their workforces, increase productivity, improve safety, reduce human error and so on. However, beyond assessing whether the technology works, there is a range of legal and risk management issues employers need to consider when deciding to use these devices.

Privacy and data security considerations are among them, as these devices collect a range of health-related data, as well as information relating to the employee’s emotions, location and interactions with others. However, as we have noted in earlier posts, other questions are raised as well: whether gathering biometric and other medical data constitutes a disability-related inquiry under the Americans with Disabilities Act; whether constant monitoring goes too far; whether the company has to bargain with the union; how this will affect morale; what obligations there are to secure the data collected; and who can have access to it. Employers should think through these and other issues carefully before introducing these kinds of tools and devices into the workplace.