With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
Disclosure of State Employees’ Birthdates Not Protected Per Washington Supreme Court
The Washington State Supreme Court ruled recently that state employees’ birthdates associated with their names are not exempt from disclosure pursuant to a freedom of information records request. In so holding, the Court strictly construed the applicable statute that did not expressly exempt birthdates from disclosure. Wash. Pub. Emps. Assn. v. State Ctr for Childhood
Vermont Court Finds Patient Can Sue Hospital and an Employee for Breach of Confidentiality
In a landmark ruling, the Vermont Supreme Court recently held that a patient had standing to sue both the hospital at which she was a patient and the employee who attended to her, for negligent disclosure of her personal health information to a third-party. Neither the Health Insurance Portability and Accountability Act (HIPAA) nor Vermont
Liability for Providing Too Little Information?
Most employers are well aware that potential liability lurks if unauthorized information is disclosed to third parties. Obvious examples would include unauthorized employee or applicant health or financial information or personal information such as social security numbers and the like.
In an interesting twist, the Minnesota Supreme Court considered whether liability could be created when
New Jersey Ban On Employer Access To Social Media Accounts
As we have previously anticipated, yesterday New Jersey joined the multitude of other states which have enacted laws limiting employer access to employee social media accounts.
The law prohibits employers from requesting or requiring a current or prospective employee to provide or disclose any user name or password, or in any way provide the employer access to, a personal account. 
Additionally, the law goes on to prohibit employers from requiring an individual to waive or limit any protection granted under the law as a condition of applying for or receiving an offer of employment. Specifically, the law states that an agreement to waive any right or protection is against the public policy of New Jersey and is void and unenforceable.
The law also prohibits employer retaliation or discrimination against an individual because the individual: refuses to provide or disclose any user name or password, or in any way provide access to, a personal account; reports an alleged violation to the Commission of Labor and Workforce Development; testifies, assists, or participates in an investigation, proceeding, or action concerning a violation of the law; or otherwise opposes a violation of the law.
Notably, the law permits the Commissioner of Labor and Workforce Development to collect civil penalties in an amount not to exceed $1,000 for the first violation and $2,500 for each subsequent violation.
Based on the Governor’s recommendations, the final law does not prevent an employer from implementing and enforcing a policy pertaining to the use of an employer issued electronic communications device or any accounts or services provided by the employer or that the employee uses for business purposes.
While the law prohibits certain employer activity, it does permit employers to conduct investigations regarding: work-related employee misconduct based on information about activity on social media; or an employee’s actions based on information about the unauthorized transfer of an employer’s proprietary, confidential, or financial information to social media. Logically, the law also does not prevent an employer from viewing, accessing, or utilizing information about a current or prospective employee that can be obtained in the public domain.
It appears that New Jersey is just the next in the line of states which will adopt similar provisions limiting employer access to an employee’s personal social media accounts. While it is difficult to say the impact the law will have, at a minimum, employers must begin to assess their own internal hiring and human resources practices to make sure they comply with this law.
Continue Reading New Jersey Ban On Employer Access To Social Media Accounts
Lawful Access and Improper Use of Computer Data Does Not Violate the CFAA
The Fourth Circuit recently held that the Consumer Fraud and Abuse Act’s (“CFAA”) prohibitions against unauthorized access or access in excess of authorization were not violated by an employee when the employee used his valid access to employer’s computer network to download confidential business information that he later used while working for a competitor.
Prior
SEC Guidance Related to Reporting Cyber Risks and Incidents
SEC issues guidance clarifying reporting obligations for public companies relating to cybersecurity and cyber incidents.
Continue Reading SEC Guidance Related to Reporting Cyber Risks and Incidents
Alleged HIPAA Violation Supports State Common Law Negligence Claim
A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity’s disclosure of protected information can form the basis for a state-law negligence claim. The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA.
The plaintiff, I.S., was undergoing medical treatment
U.S. Bank Hit with Class Action Suit Alleging Data Breach Cover-Up
Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount
California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches
CDPH’s data privacy enforcement activity continues, this time affecting 6 hospitals and a nursing home with total penalties approaching $800,000.
Continue Reading California Department of Public Health Continues to Fine Hospitals and Nursing Homes for Data Breaches