New Jersey Appeals Court Broadly Construes Employee's "Right To Privacy" Using Company Computers

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcomings in the following ways:

  • obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
  • inform employees that the employer will, in its discretion, review any communication or file stored on any company-owned device;
  • specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
  • inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney), is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employers improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

New Data Security Breach Laws in Alaska and South Carolina Take Effect July 1, 2009

On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also require notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus Social Security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred, or is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.


New Nevada Law Mandates Encryption of Sensitive HR Data

Nevada has joined Massachusetts as the only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law applies to all employers.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail will not need to be encrypted as long as e-mails do not pass over the public Internet (which usually is the case). However, all e-mail to third parties, i.e., e-mails that do pass over the public Internet containing Personal Information, will need to be encrypted.

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers who fail to comply with the law will be easily discovered. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, portable digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

New York's Highest Court Raises a Red Flag Over Pervasive Location Tracking

Private employers are increasingly implementing location-tracking devices — Global Positioning Systems (GPS) and Radio Frequency Identification (RFID) — to manage their workforces. These devices, for example, permit insurance companies to confirm that adjusters who may never come to the home office are, in fact, adjusting; help delivery companies identify the most efficient routes for their drivers; and allow hospitals to find nurses in an emergency. Employees, however, often balk at the notion that their employer is tracking their every move.

The New York Court of Appeals, New York State’s highest court, recently issued an opinion in the case captioned, People v. Weaver, reflecting that court’s fundamental discomfort with pervasive and surreptitious location tracking by law enforcement. In that case, a police investigator, who did not have a warrant, secretly placed a location-tracking device on the defendant’s van. For 65 days, the police tracked the van’s movements, unbeknownst to the driver. Prosecutors ultimately used the location information to obtain the defendant’s conviction for crimes related to two burglaries.

The court’s majority emphasized that location-tracking technology is fundamentally different from other forms of surveillance: “any person or object, such as a car, may be tracked with uncanny accuracy to virtually any interior or exterior location, at any time and regardless of atmospheric conditions. Constant relentless tracking of anything is now . . . entirely practicable.” The court reached a high note in expressing its concern over tracking technology’s impact on personal privacy:

The whole of a person's progress through the world, into both public and private spatial spheres, can be charted and recorded over lengthy periods . . . . Disclosed in the data retrieved from the transmitting unit . . . will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on. What the technology yields and records with breathtaking quality and quantity, is a highly detailed profile, not simply of where we go, but by easy inference, of our associations -- political, religious, amicable and amorous, to name only a few -- and of the pattern of our professional and avocational pursuits.

Ultimately, the court ruled that the warrantless use of the location-tracking device in Weaver was an unreasonable search in violation of New York State’s equivalent to the Fourth Amendment to the United States Constitution.


Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009." Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”


Court Rules Transportation Industry Employers Must Implement Observed Urine Collection Testing Procedures

An undivided panel of the United States Court of Appeals for the District of Columbia Circuit has upheld a new drug testing regulation that requires employers in the aviation, rail, motor carrier, mass transit, maritime and pipeline industries to directly observe every employee who must produce a urine sample for return-to-work and follow-up drug tests. The regulation, issued by the U.S. Department of Transportation (DOT) in June 2008, requires employees subject to observed collections “to raise their shirts, blouses, or dresses/skirts above the waist, and lower their pants and underpants, to show the observer, by turning around, that they do not have a prosthetic device on their person. After this is done, they may return their clothing to its proper position,” and produce a specimen “in such a manner that the observer can see the urine exiting directly from the individual into the collection container.”

Although the Omnibus Transportation Employee Testing Act directs the DOT to adopt procedures that “promote[], to the maximum extent practicable, individual privacy in the collection of specimen samples,” the agency justified the intrusive regulation given the vast and increasing number of products designed to defeat urine drug tests. A group of employers and unions, however, challenged the regulation, arguing first that it violated the Administrative Procedure Act (APA), which prohibits arbitrary and capricious agency action, and second, that it was unconstitutional under the Fourth Amendment, which prohibits unreasonable government searches.


A "Friend" Indeed? Attorneys' Use of Third Parties to Gain Access to Social Networking Sites Could Result in Discipline

The explosive growth in Facebook and MySpace pages has created a fertile ground for evidence-gathering by trial lawyers. However, these websites enable users to establish privacy settings, and to serve as “gatekeepers,” to control who can gain access to their posted material. One privacy setting limits access to those whom the user has accepted as a “friend.” An attorney who is not on the user’s “friends list,” in theory, could effectively circumvent the user’s gatekeeping by asking a third party to send a friend request to the user. Many social networking users are not particularly selective when it comes to making “friends.”

The Philadelphia Bar Association’s Professional Guidance Committee recently addressed the ethics of this stratagem, cautioning that it is unethical for an attorney to use a third party to “friend” a Facebook user who is a litigation witness for purposes of obtaining information that the attorney might use to impeach the witness.

The Committee’s advisory opinion found that an attorney violates rules of professional conduct by gaining access to a private (“invitation only”) social network site by way of deception. Specifically, the opinion explains that by not disclosing to the potential witness the third party’s affiliation with the attorney, the attorney has omitted a “highly material fact” and has “purposefully conceal[ed] that fact from the witness for the purpose of inducing the witness to allow access.” Presumably, had the witness known the “whole story” and the true motivation behind the third party’s friend request, the witness would not have permitted access to his or her social network profile.


Houston's Case Might Shed Light on How Far Employers Can Go to Access Employees' Restricted Social Networking Profiles

How far can employers go to access an employee’s restricted social networking profile? A case scheduled for trial next month in New Jersey’s federal district court may give employers and employees alike a better understanding of what it means to engage in “private” on-line social networking.

In March 2006, Brian Pietrylo, an employee at Houston’s Restaurant in Hackensack, New Jersey, created a discussion group about his workplace on his personal MySpace web page. He flagged the group as private and described its purpose as follows: to “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.” The group was accessible only by invitation. Those who accepted the invitation became members and could log on at any time.

One group member, a Houston’s hostess named Karen St. Jean, showed the discussion group to a manager during a dinner party. The circumstances underlying upper management’s access to the group are disputed, but all parties agree that another restaurant manager soon became aware of the group and asked St. Jean for her sign-in information, which she provided. Houston’s management found sexual comments about employees and customers, disparaging jokes about company practices, references to drugs and violence, as well as a copy of an employee wine test. Because of their findings, the restaurant terminated the employment of Pietrylo and another contributing employee, Doreen Marino.


Swine Flu and Workplace Privacy

The swine flu pandemic means that employers need information about employees who have swine flu, or who have been exposed to it, but what exactly can employers ask, and what are their obligations when they get an answer? Here are some answers to these and other frequently asked questions about the intersection between swine flu and workplace privacy.

Q: Is it a HIPAA violation to require employees to disclose whether they have swine flu, have symptoms of swine flu, or have been exposed to swine flu?

A: No. HIPAA does not apply to questions that an employer asks employees about their health. In the workplace, HIPAA applies only to individually identifiable health information created or received by, or on behalf of, the employer in its capacity as the administrator of a HIPAA-covered plan, such as self-insured group health, dental or vision plans; a health care reimbursement flexible spending account; or an employee assistance program. Put more succinctly, HIPAA applies only to individually identifiable health information created or received to administer a HIPAA-covered plan.

Q: Does any other law apply to an employer’s efforts to obtain information about whether an employee is, or may be, infected with swine flu?

A: In certain circumstances described below, the Americans with Disabilities Act (ADA) will apply.

Q: Can an employer require that employees with symptoms of swine flu be tested?

A: Yes. Under the ADA, an employer who reasonably believes, based on an individualized assessment, that an employee has symptoms of swine flu can require that the employee undergo medical testing to determine whether the employee, in fact, is infected. Before requiring testing, the employer should be familiar with the symptoms of swine flu and have sufficient information to confirm that the employee has those symptoms. Any required testing must be limited to a test for swine flu. In addition, the employer is required to pay any costs associated with the test. The employer must treat the test results as confidential.

Note: The answer above is based upon the conservative assumption that the ADA’s restrictions on medical examinations of current employees apply regardless of whether swine flu is a “disability” as defined by the ADA. We are taking this conservative approach based on EEOC guidance which defines a "medical examination" as "a procedure or test that seeks information about an individual's physical or mental impairments or health" and provides as an example, "blood, urine, saliva, and hair analyses to detect disease or genetic markers." This definition would encompass the nasal swab test for swine flu. A court might find the EEOC’s guidance to be overbroad to the extent that it encompasses medical tests, like the test for swine flu, directed exclusively at discerning the presence of a temporary condition that is not subject to protection under the ADA.


Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts

In a cautionary tale for all employers, the United States Court of Appeals for the Fourth Circuit recently held that an employer who accessed a former employee's personal e-mail account could be held liable for punitive damages and attorneys' fees under the federal Stored Communications Act, even without the employee proving any actual damages. Continue reading Littler ASAP, Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts, by Philip L. Gordon and Justin A. Morello.