Search biometric

The flood of massive data breaches – including, most recently, the Equifax breach that compromised the personal data of around 145 million U.S. consumers – has increased the pressure on Congress to pass sweeping federal data security and breach reporting legislation. While it’s difficult to project whether such legislation will be enacted in the near future, and what it will look like in the event that it is, an important and contentious question has already arisen: If federal legislation is ultimately enacted, should preempt the patchwork of state and local laws that presently govern this area?

Setting aside the handful of industries – including healthcare and finance – that are already subject to federal data security laws, the data security and breach reporting obligations of most U.S. organizations are established by a medley of state and local laws. This legal patchwork is confusing and arduous for organizations and data subjects to navigate, particularly since the types of data elements protected, and the processes for determining when a breach must be reported, vary from state to state. At least in theory, therefore, federal preemption in this area would be a step in the right direction.

Not so, say the New York and Massachusetts attorney general’s offices, both of which have been active in the data security space. On October 25, 2017, these offices urged U.S. House members to use federal law to set a floor for data security and reporting standards; not a ceiling. Setting a federal ceiling, argued Kathleen McGee, Chief of the Bureau of Internet and Technology at the New York Attorney General’s Office, would stifle innovation in this area: “States have proven the ability to act quickly” to address technological changes that impact data security, Ms. McGee said. Congress, she added, “should not limit states’ ability to innovate in this area.”

Touting the effectiveness of state-level legislative and enforcement efforts, assistant Massachusetts Attorney General Sara Cable noted that her office has received over 19,000 notices since its data breach notification law went into effect in 2007, including 4,000 in 2016 alone. These notices, she said, have revealed that, while “there are entities that are doing it right,” she sees “far too often that entities are not treating consumer information like the valuable asset it is.” “I would submit,” she continued, “that any [federal] law that is proposed that is weaker than the law that we currently have today [in Massachusetts] is worse than doing nothing.”

We will keep you posted as federal lawmakers continue to grapple with the escalating threats to personal data. In the meantime, we strongly encourage organizations to take appropriate steps to ensure that they are compliant with their current state law data security obligations. A growing number of states now require subject organizations to develop policies and procedures to safeguard the personal information that they hold, and the definitions of “personal information” under state law continue to expand to cover additional data elements like health information, email addresses and usernames, and biometric data. And state agency investigations and enforcement actions are not the only area of concern for organizations that fail to comply with their data security and reporting obligations. Some state laws provide a private right of action and, in an ominous development, 26 employment class actions lawsuits in the past three months alone have alleged violations of the Illinois Biometric Information Privacy Act.

Delaware joins the growing number of states that recently amended their data breach notification law. On August 17th, Delaware amended its data breach notification law with House Bill 180, the first significant change since 2005, effective 240 days after enactment (on or about April 14, 2018). 

Delaware maintains the state law trend of requiring businesses to implement reasonable security measures, expanding the definition of personal information, increasing notification requirements, requiring a risk of harm trigger, and requiring mitigation.

Key aspects of Delaware’s amended data breach notification law include:

  • Maintain Reasonable Procedures and Practices to Protect Personal Information Any “person” subject to the amended law, is now required to implement and maintain reasonable security procedures and practices. The definition of “person” has now been expanded to include any business form, governmental entity, “or any other legal entity”.
  • Expanding the Definition of “Personal Information” – The definition of “Personal Information” was expanded to include: passport number; a username or email address, in combination with a password or security question and answer that would permit access to an online account; medical history, mental or physical condition, medical treatment or diagnosis by a health care professional, or deoxyribonucleic acid profile; health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person; unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and an individual taxpayer identification number.
  • Data Breach Notification/Risk of Harm Trigger – Businesses affected by a data breach are now required to give notice to affected state residents “as soon as possible” following the conclusion of an investigation that “misuse of information about a Delaware resident has occurred or is likely to occur”. In addition, the new amendment requires notification within 60 days unless the investigation “reasonably determines that breach of security is unlikely to result in harm to the individuals whose personal information has been breached” or law enforcement has requested a delay in notification.
  • Attorney General Notice – If the affected number of Delaware residents to be notified exceeds 500 residents notice must also be provided to the Attorney General.
  • Credit Monitoring – If the breach of security includes a social security number, the business is now required to offer to each resident, whose personal information was breached or is reasonably believed to have been breached, reasonable identity theft prevention services and identity theft mitigation services at no cost to such resident for a period of 1 year. Both California and Connecticut have similar provisions.

While all states do not currently require reasonable safeguards or credit monitoring, there appears to be a growing trend (which we expect will continue) to include these requirements when breach notification laws are amended. As such, it is imperative for organizations facing a breach to ensure they are applying the most current law.

On April 6, 2017, New Mexico Governor Susana Martinez signed HB 15, making New Mexico the 48th state to enact a data breach notification law.  The law has an effective date of June 16, 2017 and follows the same general structure of many of the breach notification laws in other states.

Importantly, the definition of personal identifying information (PII) under New Mexico’s Data Breach Notification Act includes biometric data (“a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”).  We have seen a number of states (e.g. Illinois) implement or amend their own data breach notification laws to include elements such as biometric data.

The Data Breach Notification Act includes three key components: (i) Disposal of PII; (ii) Security Measures for Storage of PII; and (iii) Notification of a Security Breach.

Disposal of PII:

Under the Act, organizations are required to arrange for the proper disposal of records containing the PII of New Mexico residents when they are no longer reasonably needed for business purposes.  Proper disposal means shredding, erasing, or otherwise modifying the PII contained in the records to be unreadable or undecipherable.

Security Measures for Storage of PII:

Organizations must implement and maintain – and contractually require their service providers and vendors to implement and maintain – reasonable security procedures and practices to protect the PII they own or license from unauthorized access, destruction, use, modification, or disclosure.  Unlike California, New Mexico has not yet provided guidance on what constitutes reasonable security procedures and practices.  Nevertheless, all organizations should be implementing safeguards to protect the personal and company information they maintain.

Notification of a Security Breach:

In the event of a breach, the Act provides:

  • Notification must be provided to each New Mexico resident within forty-five (45) calendar days following discovery of the breach.
  • If the person maintains or possesses PII of a New Mexico resident (but is not the owner or licensee) notification must be provided to the owner or licensee of the PII within forty-five (45) calendar days following discovery of the breach.
  • Notification to each New Mexico residents must include:
    • The name and contact information of the notifying person;
    • A list of the types of PII reasonably believed to have been subject to the breach;
    • The date(s), or estimated dates(s), of the breach;
    • A general description of the breach;
    • The toll-free numbers and addresses of the major consumer reporting agencies;
    • Advice directing the recipient to review account statements and credit reports to detect errors; and
    • Advice informing the recipient of their rights pursuant to the federal Fair Credit Reporting Act.
  • In the event of a breach affecting more than 1000 New Mexico residents, notification must be provided to the New Mexico Attorney General and the major consumer reporting agencies within forty-five (45) calendar days following discovery of the breach.  Such notice must include a copy of the notification sent to affected residents.
  • Notification may be delayed at the request of law enforcement or as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of the system.
  • A risk of harm trigger.  Specifically, notification is not required if, after an appropriate investigation, the person determines the breach “does not give rise to a significant risk of identity theft of fraud.”
  • The Act does not apply to a person subject to GLBA or HIPAA.

Under the Act, the New Mexico Attorney General may bring an action for injunctive relief and an award of damages for actual costs or loses, including consequential financial losses.  If a violation of the Act is knowing or reckless, a civil penalty of the greater of $25,000 or, in the case of failed notification, $10 per instance of failed notification up to a maximum of $150,000.

Breach notification laws continue to evolve and it is imperative for organizations to be prepared to respond appropriately.  If you need assistance with a data incident or data breach, please contact our 24/7 Data Incident Response Team at 844-544-5296 or breach@jacksonlewis.com.

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017.

1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal information by disguising oneself as a trustworthy source. The IRS reported a 400 percent surge in phishing and malware incidents in 2016 and dedicates a page on its website to phishing and online scams. A relatively simply, yet extremely effective safeguard against such an attack is for organizations to advise employees (especially those in HR and Payroll) to be on the lookout for email requests, often appearing to come from a supervisor, for the personal information of all, or large groups of, the company’s employees. Before responding electronically, employees should verbally confirm such requests. This is especially true as organizations begin the W2 process and are compiling large amounts of personal information.

In some cases delivered by a phishing attack, ransomware is a type of malware that hackers use to stop you from accessing your data so they can require you to pay a ransom, often paid in cryptocurrency such as Bitcoin, to get it back. According to the FBI and the Department of Health and Human Services’ Office of Civil Rights, ransomware attacks have quadrupled, occurring at a rate of 4,000/day. These agencies and the Federal Trade Commission have offered guidance to help curb these attacks. Among other things, the guidance urges organizations to be prepared. A great start to combat ransomware’s effectiveness is for your organization to consider whether you maintain regular backups of your electronic systems.

2.  Safeguards Required to Protect Personal Information State laws continue to emerge and expand requiring businesses to protect personal information. Joining states such as Florida, Massachusetts, Maryland, and Oregon, Illinois businesses must implement and maintain reasonable safeguards to protect personal information beginning January 1, 2017, and California clarified what it means to have reasonable safeguards. Similar rules go into effect in Connecticut beginning October 1, 2017, for health insurers, health care centers, pharmacy benefits managers, third-party administrators, utilization review companies, or other licensed health insurance business. And, during 2017 in New York, entities regulated by the state’s Department of Financial Services, such as banks, check cashers, credit unions, insurers, mortgage brokers and loan servicers, and some of their subcontractors, likely will become subject to a complex set of cybersecurity regulations many view as the first of their kind in the country.

3.  Big Data, Analytics, AI, Wearables, IoT New technologies and devices continuously emerge, promising a myriad of societal, lifestyle and workforce advancements and benefits including increased productivity, talent recruiting and management enhancements, enhanced monitoring and tracking of human and other assets, and improved wellness tools. This will continue in 2017, and will require an unprecedented and unimaginable collection of data, which very often will be personal data. Federal agencies, such as the FTC and EEOC, and others are taking note. While these advancements are undoubtedly valuable, the potential legal issues and risks should be considered and addressed prior to implementation or use.

4.  HIPAA Privacy and Security Enforcement – The Office for Civil Rights continues in enforcement mode in 2017, announcing two settlements so far in January 2017, totaling nearly $3 million.  In one action, the agency addressed for the first time the 60-day rule for providing notification of breaches of unsecured protected health information. In this case, the covered entity discovered the breach involving 863 patients on October 22, 2013, but did not notify OCR until January 31, 2014, about 41 days late. The settlement amount was $475,000, or approximately $11,500 per day. OCR Director Jocelyn Samuels reminded covered entities that they “need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements.”

5.  Breach Notification Laws – There are currently 47 states with breach notification laws, and they continue to be updated. For example, beginning in 2017, California businesses and agencies can no longer assume that notification is not required when personal information involved in the breach is encrypted. Illinois also changed its breach notification law, effective January 1, 2017, to, among other things, expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data. These laws continue to evolve and be amended to address the extensive amount of sensitive data that is stored electronically.

6.  The Telephone Consumer Protection Act (TCPA) – 4,860 TCPA lawsuits were filed in 2016 according to statistics compiled by WebRecon LLC. This represents an almost 32% increase over 2015 and marks the 9th consecutive year where the number of TCPA suits increased from the preceding year. With the SCOTUS decision in Campbell-Ewald making defense of class actions under the TCPA more difficult, we expect the number of TCPA suits to continue to grow in 2017. Many of these suits are not just aimed at large companies.  Instead, these suits are often focused on small businesses that may unknowingly violate the TCPA and can result in potential damages in the hundreds of thousands, if not millions, of dollars.  Understanding the FAQs for the TCPA and taking steps to comply with the TCPA is a great first step.

7.  The EU General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield – GDPR has been adopted, and while it will not apply until May 25, 2018, there is a lot to do to get compliant. For example, GDPR adds a data breach notification requirement for data controllers; if notification is required, it must be provided to the data protection authority within 72 hours. Also, the EU-U.S. Privacy Shield data transfer agreement (“the Privacy Shield”) was reached to replaced the EU-U.S. Safe Harbour agreement which was invalidated on October 6, 2015, by the Court of Justice of the European Union’s (CJEU) ruling in Schrems v. Data Protection Commissioner. As of August 1, 2016, organizations based in the U.S. were able to self-certify their compliance with the Privacy Shield. Please review our detailed Q&A on some of the most common questions.

8.  President Trump – As we near the end of the President’s first full week in office, it remains to be seen just how the new administration will address privacy and cybersecurity issues. We considered some of these issues shortly after the election based on the President’s campaign which may provide some insight while we await more clarity from the White House.

9.  Social Media Investigations – Social media use continues to grow on a global scale and become more and more prevalent for organizations. This is especially true as generations who have lived their entire lives in a Social Media World represent an ever expanding percentage of the workforce.   User profiles or accounts are regularly sought and reviewed in litigation and/or employment decisions.   While public content may generally be viewed without issue, employers need to be aware of how they are accessing social media content and ensure they are doing so consistent with state laws protecting social media privacy and avoiding access to information they would rather not have.

10.  Be Vigilant and Watch for Changes – As more and more personal information and data is available and stored electronically, it is important for organizations to realize this data is extremely valuable, especially in the wrong hands. To this end, and as outlined above, organizations should be constantly assessing how best to secure their electronic systems. This is particularly true as the law and industry guidance are constantly changing and evolving in an effort to keep up with technological advancements.

 

BadgeIt is not uncommon for employers to assign badges to their employees to grant access to certain locations on the employer’s property and parking garages. Many employees have them, use them, lose them and think little of them. But, badges made by Humanyze are so much more, raising concerns from privacy advocates and others. According to a New York Post article and earlier reports, these badges are designed to be worn by employees all day (and possibly night) and are capable of capturing a wide range of information about the employee, along with data from other systems of the employer. Through data mining and analytics, according to Humanyze’s chief executive Ben Waber:

you can actually get very detailed information on how people are communicating, how physiologically aroused people are, and can make predictions about how productive and happy they are at work

So, just what does this badge collect? According to the report and the company’s website, the badge is worn around the neck (kind of like name badges at association conferences) and captures sleep patterns, analyzes voice, monitors body language and fitness, tracks location, and the levels of communications with colleagues. This and other data is combined with the employee’s email and phone activity to produce insights into productivity levels and the employee’s emotions, including stress and coping levels. According to the article, the badge “can even detect if an employee is drunk.” However, Mr. Waber points out that conversations are not recorded, only the tone of the conversation, and that individuals use the badges only after giving their consent.

This super badge certainly is not the first or only product working its way to market that engages in this kind of monitoring. For example, we reported on Microsoft’s Hololens, the company’s “augmented reality help system,” which is equipped with a “plurality” of sensors that gather a range of biometrics parameters (heart rate, perspiration, etc.) along with other information to assist employees with certain tasks. There are others coming.

The badge, Hololens and other similar devices can be valuable tools for businesses to understand their workforces, increase productivity, improve safety, reduce human error and so on. However, beyond assessing whether the technology works, there are a range of legal and risk management issues employers need to consider when deciding to use these devices.

Privacy and data security considerations are among them as these devices collect a range of health-related data, as well as information relating to the employee’s emotions, locations and interactions with others. However, as we have noted in earlier posts, other questions that are raised, such as whether gathering of biometric and other medical data constitutes a disability-related inquiry under the Americans with Disabilities Act, is monitoring constantly going too far, does the company have to bargain with the union, how will this affect morale, what obligations are there to secure the data collected and who can have access to it. Employers should think through these and other issues carefully before introducing these kinds of tools and devices into the workplace.

Last month, Illinois Governor Bruce Rauner signed into law a number of amendments to the State’s Personal Information Protection Act (“PIPA”) that expand the definition of protected personal information and increase certain data breach notification requirements.  The amendments, highlighted below, take effect January 1, 2017.

Currently, “personal information” is limited to an individual’s first name or first initial and last name in combination with the individual’s Social Security number; driver’s license number or state identification card number; or account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The amendments now expand the definition of “personal information” to include medical information, health insurance information, or unique biometric data. Importantly, beginning in January, PIPA will require entities that suffer a security breach to inform Illinois residents of the security breach even if the personal information was encrypted or redacted but the password/keys to unencrypt or underact that information is also acquired through the breach.

In addition, “personal information” will now include a user name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted.

Under the new provisions, if notice is required and the breach of security involved an individual’s user name or email address, the notice is required to direct individuals to promptly change their user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online account for which the individual uses the same user name or email address and password or security question and answer.

An entity in possession of personal information will be required to implement and maintain reasonable security measures to protect the records from unauthorized access, destruction, or disclosure. Any entity that is in compliance with Section 501(b) of the Gramm-Leach-Bliley Act will be deemed in compliance with this provision.  Similarly, a HIPAA covered entity or business associates subject to the privacy and security standards will also be deemed to be in compliance with PIPA.  A covered entity or business associate that is required to provide notification of a breach to the Secretary of Health and Human Services under the HITECH Act must also provide such notification to the Illinois Attorney General.

As states continue to expand their breach notification statutes, compliance will continue to become more and more difficult.

In the face of seemingly daily news reports of company data breaches and the mounting legislative concern and efforts on both the state and federal level to enact laws safeguarding personal information maintained by companies, employers should be questioning whether they should implement privacy policies to address the protection of personal information they maintain on their employees.

To date, there is no all-encompassing federal privacy law. Rather, there are several federal laws which touch upon an aspect of protecting personal or private information collected from individual, such as the Children’s Online Privacy Protection Act (giving parents control over the information collected from their children online); Federal Trade Commission Act (pursuant to which the FTC has sought enforcement against companies who failed to follow their own privacy policies relating to consumers); Gramm-Leach-Bliley Act (requiring financial institutions, such as banks, to protect consumer financial information); Health Insurance Portability and Accountability Act of 1996 (requiring covered entities to protect individually identifiable health information); and the Americans with Disabilities Act and Family and Medical Leave Act (requiring confidentiality of employee medical information obtained by employer).

State legislatures have likewise used a piecemeal approach at attacking the problem by some states mandating the protection of social security numbers, protecting credit card information, protecting consumer financial information, and securing personally identifiable information (usually aimed at preventing identity theft). Additionally, forty seven (47) states now have laws addressing notification and other requirements when a data breach occurs. While only a handful of states explicitly require a written privacy policy (such as Connecticut when collecting social security numbers and Massachusetts in connection with a written information security program), the overwhelming majority of states inexplicitly require privacy policies by requiring security of personal information (such as California which now requires encryption) and notification when a breach of personal information has occurred. As such, where companies are required to notify affected individuals of a breach, they are implicitly required to protect the information to prevent such a breach. The first step in assembling that protection armor is to institute a privacy policy.

Employers maintain various types of personally identifiable information on their employees, including, but not limited to: names, dates of birth, social security numbers, addresses, telephone numbers, financial information (such as bank account numbers and credit/debit card numbers), email addresses and passwords, driver’s license, state issued identification and passport numbers, health insurance number, biometric data, and personally identifiable information on an employee’s spouse and/or children (most commonly contained in benefit enrollment forms), and any other information maintained about an individual that could be used to identify him/her or obtain access to an online account.

Employer privacy policies should at a minimum address: (1) the types of personal information, (such as that listed above), whether in electronic or paper format, obtained and maintained regarding employees and their family members; (2) where the information is maintained/stored; (3) how the information is protected both while being maintained and also when being transferred from the employee to the employer, between the employer’s systems/departments, and outside of the employer’s organization (such as to a third party vendor); (4) who has access to the information, including any outside vendors who perform personnel-related services for the employer; (5) the effective date of the policy; and (6) identify the individual within the organization responsible for compliance with the policy.

Additionally, employers should consider training their employees on the policy. Employees who handle private information in the course of their employment should be trained on the contents of the policy; importance of maintaining the privacy of the information; methods to be used to achieve the protection of such information; limiting disclosure of the information within the duties performed by the employee with respect to use of the information; and what to do when a suspected breach of the information has occurred. The general employee population should also be trained on the contents of the policy; the importance of maintaining the privacy of the information; and what to do if the employee suspects or has knowledge that the information has been breached.

Bloomberg BNA (subscription) recently reported that this fall the Center for Democracy & Technology (CDT) will be issuing a report on Fitbit Inc.’s privacy practices. Avid runners, walkers or those up on the latest gadgets likely know about Fitbit, and its line of wearable fitness devices. Others may know about Fitbit due to the need to measure progress in their employers’ wellness programs, or even whether they qualify for an incentive. When participating in those programs, employees frequently raise questions about the privacy and security of data collected under such programs, a compliance issue for employers. Earlier this month, FitBit reported that its wellness platform is HIPAA compliant.

FitBitFitBit’s Charge HR (the one I use) tracks some interesting data in addition to the number of steps: heart rate, calories burned, sleep activity, and caller ID. This and other data can be synched with a mobile app allowing users to, among other things: create a profile with more information about themselves, to track progress daily and weekly, and to find and communicate with friends also using a similar device.

Pretty cool stuff, and reasons why FitBit is the most popular manufacturer of wearables with nearly 25 percent of the market, as noted by Bloomberg BNA. But, of course, FitBit is not the only player in the market, and the same issues have to considered with the use of wearables regardless of the manufacturer.

According to Bloomberg BNA’s article, one of the concerns raised by CDT about FitBit and other wearables is that the consumer data collected by the devices may not be protected by federal health privacy laws. However, CDT’s deputy director of the Consumer Privacy Project stated to Bloomberg BNA that she has “a real sense that privacy matters” to FitBit. This is a good sign, but the laws that apply to the use of these kinds of devices depend on how they are used.

When it comes to employer-sponsored wellness programs and health plans, a range of laws may apply raising questions about what data can be collected, how it can be used and disclosed, and what security safeguards should be in place. At the federal level, the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA) should be on every employer’s list. State laws, such as California’s Confidentiality of Medical Information Act, also have to be taken into account when using these devices in an employment context.

Recently issued EEOC proposed regulations concerning wellness programs and the ADA address medical information confidentiality. If finalized in their current form, among other safeguards, the regulations would require employers to provide a notice informing employee about:

  • what medical information will be obtained,
  • who will receive the medical information,
  • how the medical information will be used,
  • the restrictions on its disclosure, and
  • the methods that will be used to prevent improper disclosure.

Preparing these notices for programs using wearables will require knowing more about the capabilities of the devices and how data is accessed, managed, disclosed and safeguarded.

But is all information collected from a wearable “medical information”? Probably not. The number of steps a person takes on a given day, in and of itself, seems unlikely to be medical information. However, data such as heart rate and other biometrics might be considered medical information subject to the confidentiality rule. Big data analytics and IoT may begin to play a greater role here, enabling more detailed pictures to be developed about employees and their activities and health through the many devices they use.

Increasingly wellness programs seek to incentivize the household, or at least employees and their spouses. Collecting data from wearables of both employee and spouse may raise issues under GINA which prohibits employers from providing incentives to obtain genetic information from employees. Genetic information includes the manifestation of disease in family members (yes, spouses are considered family members under GINA). The EEOC is currently working on proposed regulations under GINA that we are hoping will provide helpful insight into this and other issues related to GINA.

HIPAA too may apply to wearables and their collection of health-related data when related to the operation of a group health plan. Employers will need to consider the implications of this popular set of privacy and security standards including whether (i) changes are needed in the plan’s Notice of Privacy Practices, (ii) business associate agreements are needed with certain vendors, and (iii) the plan’s risk assessment and policies and procedures adequately address the security of PHI in connection with these devices.

Working through plans for the design and implementation of a typical wellness program certainly must involve privacy and security; moreso for programs that incorporate wearables. FitBits and other devices likely raise employees’ interest and desire to get involved, and can ease administration of the program, such as in regard to tracking achievement of program goals. But they raise additional privacy and security issues in an area where the law continues to develop. So, employers need to consider this carefully with their vendors and counselors, and keep a watchful eye for more regulation likely to be coming.

Until then, I need to get a few more steps in…

When businesses set out to safeguard “personal information,” a fundamental consideration is what that term means. Likewise, when negotiating a third-party vendor agreement, it typically is not enough to rely on the standard definition for “confidential information.” Recently, Nevada and other states have updated their definitions of personal information in connection data breaches notification and safeguarding requirements. We cannot cover all of the updates here, but particularly for organizations in multiple states, it is important to ask the question and consider exactly what elements of personal information require protection. You may end up being more protective and include more data than necessary, it may be practical to do so, but you will want to know what must be protected.

The Usual Suspects

In states that have enacted data breach notification laws or affirmative obligations to protect personal information, you can count on personal information including the usual suspects: Social Security number (SSN), drivers’ license number or state identification number, and financial account numbers and payment card numbers with access codes. Why? Well, in general, these are the data elements believed to be the ones most likely used in the commission of identity theft. Note a few states, like Nevada, make clear the law does not apply to the last four digits of some of these numbers, including the SSN.

But, of course, state laws are not the only source for law on the classes of personal information that warrant protection. Depending on the nature of your business, federal and international laws can also play a significant role in shaping the definition of personal information in your policy, as can contractual obligations.

Casting a Wider Net

One of the few states with an encryption mandate, Nevada recently expanded the scope of personal information subject to that mandate. Prior to the amendment, the state law (NRS 603A.040) defined personal information as noted above: Social Security number, drivers’ license number or state identification number, and financial account numbers and payment card numbers with access codes. Massachusetts, which also has encryption mandate, uses a similar definition. With the enactment of Assembly Bill No. 179, which becomes effective July 1, 2015 (though compliance is not require until July 1, 2016), “personal information” also includes:

  • driver authorization card number;
  • a medical identification number;
  • a health insurance identification number; and
  • a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

A quick survey of some of the 47 state data breach notification laws reveals, in addition to the elements above, other elements of personal information that could trigger a notification requirement in certain states, such as:

  • biometric data, such as a fingerprint, retina or iris image;
  • date of birth;
  • maiden name;
  • an identification number assigned by an employer; and
  • digitized or other electronic signature.

As noted, classifications of personal information requiring protection are not solely a function of state law.

From a consumer protection standpoint, the Federal Trade Commission takes a broad view of personal information that needs to be secured and protected. In a decision concerning whether a company adequately safeguarded customer information, the FTC defined that term to include the following elements:

  • first and last name;
  • home or other physical address;
  • e-mail address or other online contact information, such as an instant messaging user identifier or a screen name;
  • telephone number;
  • Social Security number;
  • driver’s license or other state-issued identification number;
  • financial institution account number;
  • credit or debit card information;
  • persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a mobile device ID, or processor serial number;
  • precise geolocation data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information;
  • an authentication credential, such as a username and password; or,
  • any other communications or content that is input into, stored on, captured with, accessed, or transmitted through a covered device, including but not limited to contacts, e-mails, text messages, photos, videos, and audio recording.

For covered entities and business associates under HIPAA, “protected health information” encompasses health information, including demographic information, about an individual (and which does or can reasonably identify the individual) that relates to the (i) past, present, or future physical or mental health or condition of an individual, (ii) the provision of health care to an individual, or (iii) the past, present, or future payment for the provision of health care to an individual.

For employers, federal statutes like the Genetic Information Nondiscrimination Act (GINA) can be a trap for the unwary. It requires genetic information be safeguarded and not disclosed, except under certain circumstances. It may seem unusual, but one example of genetic information is information about the manifestation of disease in the spouse of an employee.

If you are charged with preparing your company to be compliant with safeguarding personal information, it is worth spending some time thinking about what personal information you need to protect. This requires knowing your business, where you do business, where your employees and customers reside, who you do business with, what youe contractual obligations are, and a number of other factors. The answers may surprise you.

The saying – never let them see you sweat – soon may be more difficult to accomplish with Microsoft’s Hololens. Like Google Glass, the Hololens is worn as a headset. But this device has a “plurality” of sensors that gather a range of biometrics parameters (heart rate, perspiration, etc.) which determine along with other information if the wearer needs help with something, and then tries to provide that help. Referred to in Microsoft’s patent application approved earlier this year as an “augmented reality help system,” the device’s applications and implications can be far reaching, as it is not hard to see, for example, why companies might want to adopt this technology to benefit their business.

Consider a manufacturing or IT employee having trouble trying to install a new piece of equipment or assemble a piece of flat-pack furniture, a chore that drives some of my own biometrics parameters. Hololens may be able to help. The patent application states:

A person may experience stress that is related to a situation or current context. For example, a person may have difficulty performing a task and grow frustrated as the number of unsuccessful attempts at completing the task grows…

Experiencing stress may also inhibit clear thinking and increase the difficulty of successfully managing a task or situation. Additionally… seeking help from electronic devices would impose inconvenient burdens on the person, or may be impractical or even impossible given the person’s current context…

To address the above issues, an augmented reality help system [would] determine that the user is experiencing a stress response [and] present help content to the user via the head-mounted display device.

So, Hololens can be a valuable tool for an individual trying to overcome complicated tasks at work by using various sensors to simultaneously collect and analyze a wide range of biometric and other data points that determine whether the individual needs some help doing his or her job or a particular task. The device then provides information to the wearer through holographic images to help resolve the problem. These sensors include:

  • a heart rate monitor to measure heart rate,
  • a pulse oximeter sensor to measure hemoglobin saturation,
  • an electrodermal response sensor to monitor the skin’s electrical resistance,
  • an electroencephalographic (EEG) monitor to monitor brainwave activity, and
  • a perspiration sensor to detect sweat.

The descriptions of the device in the patent application, news outlets and reports point to various applications and uses for Hololens. A device like this might have substantial productivity benefits and one can envision lower training costs and fewer errors, among other advantages. However, like many new technologies, implementation would need to be handled carefully not only to assess whether the device will work for the application intended, but will it be worth the investment and effort given the legal and other risks. Hololens adds to the long list of technologies and devices already on the market which legislatures and courts are grappling to understand and regulate.

Privacy and data security considerations are among the many legal considerations and, of course, critical as the device collects a range of health-related data that would seem to be able to paint a detailed, albeit incomplete, picture of an individual’s physical and/or mental health condition. Would an employee realize how much data is being collected and to whom that information is made available? Labor relations is another consideration as employers would certainly have to bargain with the union before they would be able to require represented employees to use Hololens for the purposes contemplated herein. An employer also would have to consider, for example, whether the gathering of biometric and other medical data constitutes a disability-related inquiry under the Americans with Disabilities Act and how the U.S. Equal Employment Opportunity Commission (EEOC) might view that activity. Whether the rules the EEOC proposed earlier this year concerning workplace wellness programs will address wearables and perhaps shed light on the agency’s view of such devices, such as Hololens, remains to be seen.

Once the information is collected, how will it be used? Managers oversee and monitor their employees regularly. A plant manager might observe assembly line operations for workers causing delays, or that need additional help, or that simply are not performing sufficiently. Devices like Hololens would increase dramatically the information available to managers to assist in making these determinations. But will that information be the kind managers should be using, will the use of the information increase the likelihood of disparate impact claims? These are just a few of the questions that need to be considered. Assuming such data can be collected and used for certain work-related purposes, companies already face challenges safeguarding personal information. Will they be able to maintain the security of the sensitive health data captured and transmitted by these devices?

Hololens has not been released for sale yet, but there already is speculation about its release date, some are saying 2016. If true, it may not be long before someone at your company says, “Hey, we need this!” At that point, and maybe even before, businesses need to be carefully thinking through the benefits and risks of introducing this or similar devices into the workplace, or allowing employees to use them.