As reported on our Benefits Law Advisor, the EEOC has issued proposed wellness program regulations. Much of the attention to those proposed rules understandably will be how they would affect the incentives employers have implemented to spur their employees to engage in healthier behaviors. The proposed rules also address, however, the confidentiality provisions under the Americans with Disabilities Act and, in particular, offer suggestions about steps for complying with the confidentiality requirements, along with some best practices. Interestingly, while these rules are directed at wellness programs, the EEOC’s interpretive guidance may influence changes to existing practices for safeguarding employees’ medical records (those not covered by HIPAA) beyond merely separating medical files from personnel files and limiting disclosures of such information.

Wellness Programs and Coordination with HIPAA

The EEOC’s proposed regulations apply to those wellness programs that make disability-related inquiries or medical examinations. This could include wellness programs that are part of an employer-sponsored group health plan and those programs that are not.

For those wellness programs that are part of a group health plan, the privacy, security, breach notification and certain other rules under HIPAA apply to safeguard “protected health information.”  (The Office for Civil Rights issued some FAQs last week to address this issue.) And, the EEOC acknowledged in its proposed regulations that a wellness program that is part of a HIPAA covered entity (e.g., a group health plan) “likely will be able to comply with its obligation under section 1630.14(d)(6) by complying with the HIPAA Privacy Rule.” However, for such wellness programs, the EEOC also would require employers to notify employees of the following:

  • what medical information is being obtained,
  • the purposes for which it is being obtained,
  • who gets the medical information,
  • the restrictions on how it will be disclosed, and
  • safeguards in place to prevent unauthorized disclosure.

It is unclear whether the HIPAA Notice of Privacy Practices could be used to meet this requirement. Regardless of whether the wellness program is part of a group health plan (and also subject to HIPAA), the EEOC proposed regulations would permit employers to collect medical information as part of a wellness program only in aggregate form that does not disclose, and is not reasonably likely to disclose, the identity of specific individuals, except as is necessary to administer the program or as otherwise permitted under the ADA confidentiality rule. These rules also apply to agents of the employer that are administering the program for the employer.

Shaping the Obligations Under the ADA Confidentiality Rule

As noted above, for wellness programs that are part of a group health plan, complying with the HIPAA rules likely will be sufficient to meet some of the confidentiality requirements under the ADA. However, the EEOC’s interpretive guidance notes that employers must take steps to “protect the confidentiality of employee medical information” provided as part of a wellness program. The guidance goes on to reference steps that are required by law, as well as to suggest certain best practices. These include:

  • Proper training of individuals who handle medical information in the requirements of the HIPAA Rules, the ADA, and any other applicable privacy laws. Of course, privacy training is already required under HIPAA and some state laws, and is no doubt a best practice.
  • Employers also should have clear privacy policies and procedures concerning the collection, storage, and disclosure of medical information.
  • On-line systems and other technology should guard against unauthorized access, such as through use of encryption for medical information stored electronically.
  • Individuals who handle medical information that is part of a wellness program should not be responsible for making decisions related to employment. However, the guidance seems to acknowledge that for some employers that may not be practical and suggests that adequate firewalls be in place to prevent unintended disclosures.
  • Companies should be prepared to investigate and respond to breaches of confidentiality, and discipline should be imposed on workers who breach confidentiality. Likewise, in the case of third party vendors that breach confidentiality, the company should consider terminating its relationship with the vendor.

Again, while the EEOC’s proposed wellness program regulations are directed at wellness programs, they include guidance that may be looked to when assessing whether an employer has adequately met its ADA confidentiality requirements concerning employee medical information, whether or not in connection with a wellness program. As the rules for maintaining sensitive personal information confidentially and securely continue to strengthen, employers should consider revisiting their approach to compliance with the ADA confidentiality rule with respect to their wellness programs and generally.

Alabama recently introduced a bill (S.B. 106) which would require notification in the event of a breach affecting the personal information of an Alabama resident.  While 47 states currently have laws requiring breach notification — most recently joined by Kentucky — New Mexico, South Dakota, and Alabama are the only states that do not.

Notably, the proposed legislation includes a number of novel provisions.  Specifically, the bill includes an expansive definition of “personal information” including some data elements which many other jurisdictions do not currently define as “personal information.”  In particular (and in addition to more traditional data elements such as name, social security number and state identification number) the bill’s definition of “personal information” includes:

  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

Further, if enacted the law would: apply to paper and/or unencrypted electronic personal information; require notification to affected individuals within 30 days after a breach determination; and include a risk of harm trigger providing that notice need not be provided if “the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.”  If notice is not provided however, the decision must be documented in writing and maintained for 5 years.  Oddly, a copy of the determination not to provide notice would still need to be provided to the Attorney General notwithstanding the fact the bill only calls for Attorney General notification in the event of a breach affecting 500 or more residents of Alabama.

Lastly, and to address the growing number of payment card industry breaches, the proposed law requires businesses not to retain credit and debit card security code data, PIN verification numbers, or the full contents of any magnetic stripe data.  Entities who do experience a payment card data breach would be required to “reimburse the financial institution that issued any access devices affected by the breach for the costs of reasonable actions undertaken by the financial institution as a result of the breach in order to protect the information of its cardholders or to continue to provide services to cardholders.”

The bill was sent to the Alabama Senate’s Judiciary Committee for consideration.

In honor of National Data Privacy Day, we provide the following “Top 15 for 2015.”  While the list is by no means exhaustive, it does provide some hot topics for businesses to consider in 2015.

  1. Inside Threats for Healthcare Providers and Business Associates.  While news reports of security risks often focus on hackings and breaches caused by individuals, terror groups or even countries around the world, many organizations, including healthcare providers and business associates, face a significant and perhaps more immediate risk with an organization’s workforce members.  However, these organizations are not without recourse and can take several steps to reduce their risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.
  2. The Telephone Consumer Protection Act (TCPA).  According to data cited by the U.S. Chamber of Commerce, TCPA suits have increased 30% in the past year, with many of those suits being filed as class actions.  Notably, many of these suits are not just aimed at large companies.  Instead, these suits are often focused on small businesses who may unknowingly violate the TCPA.  With statutory damages ranging from $500 to $1500 per violation (e.g. per fax/text sent or call made) these suits often result in potential damages in the hundreds of thousands, if not millions, of dollars.  Understanding the FAQs for the TCPA is a great first step as we enter 2015.
  3. Location Based Tracking.  As the utilization of GPS-enabled devices becomes more and more prevalent, employers are often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts.  This is particularly true when an employee is absent from work, is traveling for business, or makes a representation as to their location which the employer questions for one reason or another.  The case law in this area is evolving rapidly, and both the public and private sector can expect to continue to face this issue in the future.
  4. Company Budgets with Respect to Technology.  With each passing year, we see an increase in the amount of technology available to businesses and their employees.  While many tech initiatives are focused on increasing employee productivity or company profits, businesses also must be prepared to appropriately increase their IT and data security budgets accordingly.  As more company information is shifted to the cloud or available to employees remotely, budgetary constraints will not provide a justification for poor tech support or data security.
  5. “HIPAA Litigation.”  While HIPAA does not provide for a private cause of action, cases were brought in 2014 which utilized the HIPAA rules as an element in common law tort claims.  By way of example, the Connecticut Supreme Court held that HIPAA did not preempt a negligence claim in connection with the healthcare provider’s disclosure of patient information in response to a subpoena.  While it remains unclear whether liability will ultimately be determined, these cases will likely give potential plaintiffs legal precedent to file these types of actions and the outcome of these actions should be monitored closely throughout 2015.
  6. BYOD.  More and more businesses are realizing the risks of allowing employees to utilize their own electronic devices in the workplace and are turning to Bring Your Own Device (“BYOD”) programs to diminish some of these risks.  Additionally, 2014 saw some companies shy away from BYOD and return to a strict company owned device policy.  Businesses considering BYOD should review our comprehensive BYOD issues outline.
  7. User Generated Health Data.  The transformation of health information into electronic format has been well documented and will continue into the future.  However, one of the biggest concerns for 2015 is health data which an individual voluntarily provides to track or chart their own health or fitness.  Devices such as Nike Fuelband, Fitbits, or similar devices or applications continue to allow individuals to enter and store more and more health information about themselves electronically.  However, the privacy or security of this information is largely up for debate.
  8. Risk Assessment. As we have previously mentioned, many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business’ critical information assets must be the first step, and is perhaps the most important step to tackling information risk. It is logically impossible to adequately safeguard something you are not aware exists. In fact, failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
  9. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state (as it is in MA, MD, TX, CT, etc.), having one is critical to addressing information risk. Not only will a WISP, and associated training, better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, potentially avoid a breach from occurring in the first place, and may even help the company avoid whistleblower claims from employees.
  10. Dealing with Vendors.  One area of high risk for company data is its use or access by a company’s vendors during the course of the vendor services.  Companies need to be aware of the legal requirements concerning the company owned data in this scenario as well as how to negotiate confidentiality and security provisions in the applicable services agreement.
  11. Develop a Plan for Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Failing to respond appropriately could result in significant liability.  This is true even when the number of individuals affected is relatively small.  As we have seen this past year, a data breach can not only harm a company’s bottom line, but also can negatively impact the company’s reputation in the marketplace.  Developing a breach response plan is not only prudent but also may be required under federal or state law.  A proactive approach is often the simplest, and cheapest way, to avoid liability.
  12. Federal Trade Commission (FTC) & Federal Communications Commission’s (FCC) Enforcement Re: Data Security.  2014 saw the FTC continue to regulate company data security practices by bringing enforcement actions against many types of businesses.  In one of the most significant cases of FTC enforcement, LabMD challenged the FTC’s authority to engage in enforcement activity related to its data security practices absent specific statutory authority to do so.  In a recent ruling, the Eleventh Circuit sided with the FTC and held that companies that find themselves subject to regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final. Practically speaking, the Eleventh Circuit’s decision means that companies will find no relief from a court until the FTC issues a final agency action.  Similarly, 2014 saw the FCC issue its first fines against a telecommunications carrier for the carrier’s alleged failure to reasonably secure its customers’ personal information in violation of the carrier’s statutory duty under the Communications Act.  We anticipate 2015 will see additional action by the FTC & FCC, as well as legal challenges to any enforcement by either agency.
  13. Investigating Social Media.  Social media continues to grow on a global scale, and the content available on a user’s profile or account is often being sought in connection with litigation.  In fact, failure to preserve relevant information in social media may have dire consequences.  Further, while public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow.
  14. Watch for New Legislation.   Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. This is especially true given the number of significant data breaches that occurred throughout 2014.  While no national law requiring the protection of personal information has yet been passed in the U.S., President Obama has stated that data security is one of the top issues for legislation in 2015.  In the interim, companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.
  15. Jackson Lewis Webinar Series.  Given the numerous developments in the world of data privacy and security, Jackson Lewis will be hosting a comprehensive webinar series to address these issues and how they may impact your business.  We hope you can join us.

The on-going fight to hammer out the extent of the Federal Trade Commission’s authority to bring regulatory enforcement actions in data breach cases took another blow last week in LabMD v. FTC. In that case, the U.S. Court of Appeals for the Eleventh Circuit sided with the FTC holding companies that find themselves subject to regulatory investigation cannot seek judicial aid in avoiding FTC jurisdiction until the FTC’s actions are final. Practically speaking, the Eleventh Circuit’s decision means that companies already beleaguered from investigating and remediating data breaches will be further embroiled with the FTC for the duration of an enforcement action, with no relief from a court until the FTC issues a final agency action.

LabMD provides cancer testing services for doctors. Several years ago, FTC discovered that LabMD files could be inappropriately accessed on a peer-to-peer review network. LabMD has corrected this security issue. FTC investigated LabMD for three years. LabMD filed suit against the FTC seeking an injunction to stay the FTC action from continuing against it. LabMD took the position, among other things, that FTC lacks the authority to regulate healthcare data breaches—an ultra vires argument that has been made, albeit slightly differently by different companies in different contexts. Although LabMD raised numerous legal arguments about FTC’s authority to regulate cybersecurity, the Eleventh Circuit did not reach them on the merits. Instead the Court determined that LabMD’s entanglement with the FTC was not sufficiently final for the Court to rule leaving LabMD to tangle with FTC for a while longer.

According to the Administrative Procedure Act (“APA”), which governs judicial review of agency actions, only a “final agency action for which there is no other adequate remedy in a court [is] subject to judicial review.” 5 U.S.C. § 704. LabMD argued that FTC’s Order and Complaint were sufficiently “final” and thus ripe for review. The Eleventh Circuit Court of Appeals disagreed. It stated that no “direct and appreciable legal consequences” flowed from the on-going FTC action, and “no rights or obligations had been determined.” Thus, the APA barred review of the FTC’s authority to investigate LabMD until the agency took a more final action.

LabMD also argued that FTC’s actions in its case were unconstitutional and ultra vires, and that failures of jurisdictional authority made the decision ripe for review. The Court disagreed holding that such matters would better be considered on a more thorough and complete administrative record. The Eleventh Circuit stated that a constitutional challenge is intertwined with a review of the procedures and merits in the context of the agency’s final order. Thus, it would not review such questions in the absence of a final agency record.

LabMD illustrates the practical problem of the decisions regarding the FTC’s authority in the cyber security space. If the FTC has a statutory (and constitutional) authority to regulate in this arena under Section 5 of the Federal Trade Commission Act, then its investigation and enforcement of companies that commit “unfair” or “deceptive” cyber security practices is lawful. However, if FTC does not have such authority, it does not have it—not now, not ever, as a matter of law.  Waiting until it has spent more than four years investigating and sanctioning a company in order to create a final agency action on which to base such a decision seems inefficient and costly for businesses that are left guessing what the law is.

The practical implications of LabMD are similar to those gleaned from other recent FTC jurisdiction cases in other circuits. At this juncture, companies must operate with the assumption that the FTC has the authority to: (1) investigate data breaches; (2) bring enforcement actions for cyber security and privacy practices it believes are unfair or deceptive; (3) enter into consent decrees for penalties, on-going supervision and policy revision and training.

News reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk rests with an organization’s workforce members. An organization’s information technology (IT) department can do a tremendous job securing the systems from outside intruders; however, focusing too heavily on external risks at the expense of internal risks can be problematic for any healthcare practice or healthcare industry vendor. Whether inadvertently or intentionally, employees are frequently the cause of improper uses or disclosures of patient data, putting the company at risk for a data breach, reputational harm, investigation by federal and state agencies, and litigation.

It is true that no system or set of safeguards is infallible; breaches are going to happen. However, here are some steps providers and business associates can take to reduce the risk that those breaches will be caused by members of the company’s workforce:

  • In-person Training. Many covered entities and business associates use on-line, “in-the-can” training products. These could be a valuable part of any training and awareness program, particularly for conveying general HIPAA privacy and security concepts. But there is no substitute for in-person training about the provider’s own policies as applied to the day-to-day circumstances of that practice or business. Employees need to ask questions and hear how policies interact with their particular job responsibilities to best understand some of the nuances in applying HIPAA and applicable state laws and privileges. The Texas Medical Records Privacy Act (the state’s “mini-HIPAA” law), for example, does not mandate in-person training, but it does require at Section 181.101 that training address “state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees’ duties for the covered entity.” It is important to make training real, practical and regular. In many cases, it is the more senior employees, physicians and nurses, who could benefit most from such training.
  • Enhance Monitoring. All the training in the world will not protect an organization from an employee who is intent on taking information or improperly accessing information. For example, the employee might be trying to find out information about the diagnosis or drug use of a family member, or the employee may be in fear of losing his or her job and want to collect evidence for subsequent litigation. Other employees may want to steal patient/customer information for a new business, or commit medical identity theft, which is reported to be growing rapidly. Implemented carefully and responsibly, monitoring systems activity can be an excellent tool for helping the organization to mitigate and in some cases stop data loss.
  • Manage Devices. The flood of new and more powerful devices carried by employees is a headache for any Privacy Officer. But some of the risks could be relieved through careful planning and policies. Consider the following: (i) should all devices be permitted, (ii) if so, what mobile device management solution, if any, should be used; (iii) which employees should be permitted to use devices at the workplace, and what should they be permitted to access; (iv) what happens to the device when the employee is terminated or purchases a new device; (v) do employees have to be reimbursed for the cost of the device or the data service; and (vi) do we have any labor law considerations, whether or not the workforce is unionized.
  • Plan for a Breach. As noted above, breaches are going to happen, so plan and run drills. Even if on a single page, have a checklist for responding that addresses such things as who should be involved in the response process, who will coordinate the investigation and ensure systems are secure, what vendors the organization can call upon (legal, forensic, etc.), insurance contacts and requirements, and who makes decisions on such things as whether to notify, who to notify, and what to say in the notice. Employees hear about these incidents, but many do not have a feel for what a breach is, how to report internally, the steps involved, and how quickly the organization must respond.
  • Assess Confidence in IT Staff. For many practices, it likely is easier to assess a surgeon’s competence than the competence of the practice’s IT director. Often the owners of a healthcare practice do not find this out until it is too late. The business should take steps to ensure it has the right team in this critical department. In some cases, it may need to have an outside vendor assess the performance of its internal team.

Could your healthcare practice or business become the target of an external attacker? Yes. Is it likely? Probably not as likely as an internal incident. The steps outlined above are not exhaustive, and do not promise HIPAA compliance. They are, however, sensible best practices to help avoid inadvertent and intentional activities inside the organization that can cause a data privacy or security incident.

The New Jersey Assembly on December 15 unanimously approved, by a vote of 75-0, a bill designed to better protect consumers from identity theft.  Bill A3146, if approved by the Senate, would expand the state’s law to include disclosure of a breach of security of online accounts.

Per the Identity Theft Resource Center, between 2005 and 2014, there have been 4,695 breaches exposing 633 million records, with the cost of a breach to an organization averaging an estimated $3.5 million.

Under the NJ bill, the definition of “personal information” set forth in Section 10 of P.L.2005, c.226 (C.56:8-161) would be amended and expanded to include a combination of user name or email address with any password or security question and answer that would permit access to an online account.  Currently, the law covers breaches involving a combination of a Social Security number, driver’s license number or State identification card number, or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.  The expansion would allow consumers, upon notice of a breach, “to change their online account information quickly following a breach and put consumers on notice to monitor for potential identity theft,” said one of the bill’s sponsors.

Notably, the New York assembly earlier introduced Bill A10190 which would amend New York’s data breach notification law (NY Gen. Bus. Law 899-aa).  The proposed amendment would require entities which conduct business in New York State, and which own or license computerized data which includes private information, to develop, implement, and maintain a comprehensive information security program which must be consistent with the safeguards for protection of personal information.  The New York amendment would impose requirements nearly identical to those required under Massachusetts law.

Each of these developments should be closely monitored so that companies can ensure compliance.

We reported earlier that the National Labor Relations Board had been considering changing its previous position that  “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”  The NLRB’s position in this regard was established in 2007, under the NLRB’s ruling in Register Guard.  Today, in Purple Communications Inc. and Communications Workers of America, AFL-CIO, the NLRB overruled the Register Guard decision as “clearly incorrect” and held that employees have a right to use their employers’ email systems for nonbusiness purposes, including communicating about union organizing.  Specifically, the NLRB held “employee use of email for statutorily protected communications on nonworking time must presumptively be permitted by employers who have chosen to give employees access to their email systems.  [The NLRB] therefore overrule[s] the Board’s divided 2007 decision in Register Guard to the extent it holds that employees can have no statutory right to use their employer’s email systems for Section 7 purposes.” It is important to remember that this ruling applies to employers whether or not they have union employees.

At issue in Purple Communications and Communications Workers of America, AFL-CIO, was the right of employees under Section 7 of the National Labor Relations Act to effectively communicate with one another at work regarding self-organization and other terms and conditions of employment.  In deciding the case, the NLRB said the workplace is “uniquely appropriate” and “the natural gathering place” for such communications, and the use of email as a common form of workplace communication has expanded dramatically in recent years.

The NLRB was careful to limit its holding as follows:

  • Only applies to employees who have already been granted access to the employer’s email system in the course of their work and does not require an employer to provide such access;
  • An employer may justify a total ban on nonwork use of email by demonstrating that special circumstances make the ban necessary to maintain production or discipline;
  • Absent justification for a total ban, the employer may apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline;
  • The ruling does not address email access by nonemployees;
  • The ruling does not address any other type of electronic communications systems.

Our Labor Group plans a more thorough analysis of the NLRA issues, as employers must now take certain steps or risk potential Board action.

In light of this decision, employers must reexamine their existing electronic communication, bring your own device (BYOD), and social media policies which may have been adopted post 2007.  This is especially true if any of those policies do not permit, or prohibit, an employee’s use of company-provided communication systems for nonwork-related purposes, such as to fulfill certain union-related purposes or other “protected concerted activities” under Section 7 of the National Labor Relations Act.  Similarly, employers will now need to exercise caution in monitoring company email and what actions are taken in connection with employee use of the company’s email systems.

According to a November 13, 2014 article in the New York Times (based on a review by the Department of Homeland Security), an intruder was able to enter the White House back in September due to a succession of performance, organizational, and technical failures.  One of the specific findings was that:

“Omar Gonzalez, the man charged in the incident, could have been stopped by a Secret Service officer who was stationed on the North Lawn with an attack dog. . . [b]ut the officer did not realize that an intruder had made it over the fence because he was sitting in his van on his personal cellphone. The officer did not have his radio earpiece in, and had left the second radio he was supposed to have in his locker.”

Wait, what? We know from the report, as well as from Clint Eastwood movies, that Secret Service members use their own communication system with ear-buds for professional duties, so there is no excuse for this agent to have been on his cell phone.

The report suggests that the United States Secret Service either needs to adopt or enforce a robust policy prohibiting or limiting the use of personal cell phones or any personal devices (e.g., cell phones, smartphones, tablets, etc.) while on duty.  Landscapers and insurance adjusters working in the field might very well use a personal cell phone for work purposes with great efficiency pursuant to a Bring Your Own Device (“BYOD”) to work policy, although many companies restrict smart phone use while driving. For other positions, however, unrestricted use of smart phones can cause problems ranging from customer dissatisfaction and loss of efficiency, through sexual harassment, up to life-or-death safety issues, as in the case of Omar Gonzalez and the unnamed agent who, for all we know, was playing Angry Birds on the North Lawn.  One often observes restaurant hosts, receptionists, government clerks and other employees tapping on their smart phones while customers tap their feet in line. Employers are within their rights to curtail such behavior, even as members of the public obnoxiously talk into their phones while ordering a latte. It’s bad enough that employees from ticket agents to medical doctors are forced to spend more time looking at computer screens than looking people in the eye, but personal use of smart phones on the job is rampant and in certain circumstances can lead to safety issues. Proper drafting and enforcement of policies can mitigate these problems.

Due to the sensitive nature of its work, a BYOD policy allowing the use of personal cell phones while on duty would probably not work for the Secret Service.  Many private employers, however, have found great success in limiting the use of personal devices by allowing employees to utilize their own devices for work purposes and adopting BYOD policies to address such use.  BYOD policies may properly address not only who will pay for a smart phone, access to organizational systems, and how to protect company information, but also when employees may access smart phones while on the job.

Data is rarely still. It is captured, processed and moved around the world at speeds we wouldn’t have dreamed possible 20 years ago. Data often disrespects borders. By way of example, companies often mistakenly store personal data in the cloud to be accessed by multiple international locations, without considering the legal rights of the data subjects in the countries in which data processors or controllers do business, or where the data subject resides. These issues give rise to data transfer laws across geographic boundaries.

On October 28, the Federal Communications Commission (FCC) announced that it is joining fifty other countries and the U.S. Federal Trade Commission (FTC) to launch the Global Privacy Enforcement Network (GPEN). The FCC’s and FTC’s decision to help form this group grew out of a 2007 Recommendation on Cross-Border Cooperation in Enforcement of Laws Protecting Privacy, adopted by the Organization for Economic Cooperation and Development (OECD).

This is a development employers, especially those with international human resources information systems (HRIS) that are stored in the cloud, should follow. We do not yet have a full understanding of how the GPEN will function. However, industry press believes that increased focus on international data protection by two of the U.S.’s largest data privacy and security regulators could portend tighter auditing of those functions at home.

The GPEN will include, but not be limited to, the following sovereign nations in addition to the U.S.: Australia, Canada, France, Germany, Israel, Ireland, Italy, the Netherlands, New Zealand, Spain and the United Kingdom. FTC officials have said they hope to reduce the number of privacy and security related unfair and deceptive trade practices pertaining to privacy and cyber security.

Organizations in addition to FTC and FCC include the European Union, the Australian Information Commissioner, Office of the Privacy Commissioner of Canada, Dutch Data Protection Authority, Commission Nationale de l’Informatique et des Libertes of France, Federal Data Protection Authority of Germany, Federal Institution for Access to Information and Data Protection of Mexico, and the Office of the Privacy Commission of New Zealand.

Employers with HRIS or other cloud-based systems that process data abroad should assess risks related to data transfer rules both in the U.S. and in their other host countries. The FTC’s and FCC’s move in helping to form GPEN is just one of many more “nods” from U.S. and foreign regulators that they are examining data at home and abroad.

On October 24, 2014, the Federal Communications Commission (FCC) announced its intention to fine two telecom companies $10 million for several violations of laws protecting the privacy of phone customers’ personal information.  This marks the FCC’s first data security case and the largest privacy action in the FCC’s history.

According to the FCC, TerraCom, Inc. and YourTel America, Inc. stored Social Security numbers, names, addresses, driver’s licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access.  The information was collected in connection with eligibility verification for the Lifeline program, the government’s telephone subsidy program for low-income Americans.  The companies allegedly breached the personal information of over 300,000 consumers through their lax security practices.

The privacy policies for the two companies stated that they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use.”  Nevertheless, the FCC asserts that from September 2012 through April 2013, the sensitive information they collected was apparently accessible via the Internet and readable by anyone.  Importantly, the FCC took issue with the fact that even after learning of the security breach, the companies allegedly failed to notify all potentially affected consumers, thus depriving the consumers of any opportunity to protect their personal information from misuse.

The FCC alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act.  Specifically, the carriers had an alleged duty to protect the information, and the companies’ failure to do so constitutes an unjust and unreasonable practice in violation of the Act, as their data security practices lacked “even the most basic and readily available technologies and security features…”  Similarly, the FCC alleges that the companies’ deceptive and misleading representations of customer privacy protections, and their subsequent failure to notify, constitute unjust and unreasonable practices as well.

Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said, “Consumers trust that when phone companies ask for their…personal information, these companies will not put that information on the Internet or otherwise expose it to the world….When carriers break that trust, the [FCC] will take action to ensure that they are held accountable…”