Survey Reports High Percentage of Employee Misuse and Theft of Company Data

A recent study by independent data privacy research firm Ponemon Institute of 3,317 individuals in six industrialized countries found that employees are moving intellectual property, including trade secrets, outside their companies in all directions. 

Over half of those surveyed admitted they had emailed business documents to their personal email accounts; 41% said they do this at least once a week. The same percentage of respondents confessed they downloaded company IP to personally-owned tablets or smartphones. A majority of those surveyed did not believe this was “wrong.”

To learn more about the survey results, and what employers can do to minimize data theft, please read more at Littler's Unfair Competition & Trade Secrets Counsel.

Potential HIPAA Violation Leads to $750,000 Settlement

The Attorney General for the Commonwealth of Massachusetts reached an agreement with South Shore Hospital over claims the hospital failed to protect confidential health information for hundreds of thousands of consumers. The Attorney General filed the lawsuit under both state information security laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The problem arose when the hospital shipped three boxes containing more than 400 unencrypted back-up tapes to an off-site vendor. The hospital had contracted with the vendor to erase the tapes and resell them. The tapes contained significant amounts of confidential information such as patients’ names, Social Security numbers, bank account numbers and medical diagnoses. Only one of the three boxes arrived at its intended destination.

To learn more about the settlement, please continue reading at Littler's Healthcare Employment Counsel.

Finding the Messages to Employers in $1.5M HIPAA Settlement

By Philip L. Gordon

Yesterday’s $1.5M “Resolution Agreement” between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures. This settlement has several important messages for employers.

Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet “was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.” The property management company for the leased space where the network data closet was located provided security services.

After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.

Continue Reading...

Upcoming Privacy Events

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

Continue Reading...

California Amends its Security Breach Notification Law

By Ellen M. Giblin

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas the notice law previously did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.

Continue Reading...

Massachusetts Extends Reach of Data Protection Regulations

By Ellen Giblin

The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.

In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

Continue Reading...

Managing Employees' Use of Personal SmartPhones and Tablets for Work

By Philip L. Gordon

A recent article in the Wall Street Journal aptly identified several challenges that employers face when they allow employees to use their personal smartphones and tablets for work. The article, entitled “So You Want To Use Your iPhone For Work? Uh-Oh. How The Smartest Companies Are Letting Employees Use Their Personal Gadgets To Do Their Jobs,” notes several steps employers are taking to reduce privacy and information security risks. These steps include the following: (a) requiring that employees enable passwords, (b) sending a “kill command” to wipe business information from a lost or stolen device, and (c) walling off sensitive data into an “encrypted container.” While these steps are all useful, they comprise only a partial list of critical issues employers should consider before permitting employees to use a personal device for work.

Below are seven key steps that employers should consider taking before allowing employees to use a personal device for work:

1. Demand the Installation of Adequate Malware Protection: Personal devices may be used for activities — such as peer-to-peer file sharing, viewing pornography, or downloading games — that increase the risk of infection by malicious software. Yet, personal devices typically will not have protections against malicious software that are nearly as effective as those loaded on a company-issued device. As a result, the risk that the corporate network will be infected with malware can increase materially if inadequately protected personal devices are connected to the corporate network. One solution is to require that employees load an approved package of malware protection to any personal device that will be connected to the corporate network.

2. Get Consent Before Sending a Kill Command: The Journal article noted that it is illegal in South Korea and in China to send a kill command to an employee’s personal device. Although no U.S. court has yet addressed this specific issue, sending a kill command to an employee’s personal device without the employee’s prior consent runs the risk of violating the federal Computer Fraud and Abuse Act and state computer trespass laws. These laws generally prohibit unauthorized destruction of information stored on someone else’s computer. To avoid potential criminal and civil liability under these statutes, employers should obtain written consent to send a kill command to any personal device that is reported lost or stolen.

Continue Reading...

HHS' One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers

By Philip Gordon

Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.

The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.

Continue Reading...

Why Corporate Counsel Should Lose Sleep Over the Federal Wiretap Act

This article was written by Philip Gordon, and originally appeared in Corporate Counsel Online. Reprinted with permission from ALM Media Properties, LLC.

Once seen only in the shadows of the war against organized crime, the Federal Wiretap Act should now be moving steadily and rapidly toward the top of the corporate compliance checklist. Robust civil remedies, recent court decisions and technological developments have transformed the act's risk profile from a nonevent to a statute worthy of significant attention.

Although principally a criminal statute, the Federal Wiretap Act is unique among privacy laws in that it provides for substantial monetary damages without proof of actual harm.

Under the act, an aggrieved party can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater — or actual damages, plus punitive damages, attorneys' fees and costs. Comparing recent class action litigation involving security breaches with potential class actions involving the Federal Wiretap Act demonstrates the significantly pro-plaintiff aspect of this remedial scheme.

To date, the vast majority of security breach class actions have been dismissed, or resolved in the defendant's favor on summary judgment, because the plaintiff failed to plead or prove that the security breach at issue proximately caused any cognizable damage to class members.

By contrast, under the Federal Wiretap Act, proof that the violation proximately caused cognizable harm is unnecessary, and each individual plaintiff can recover a minimum of $10,000 even in the absence of actual damages.

Continue Reading...

Eleventh Circuit Ruling Strengthens Employers' Hand Against Employees who Abuse Access to Information Systems

Roberto Rodriguez tried to impress female acquaintances with an almost creepy knowledge of their personal information. He sent flowers on Valentine’s Day to one acquaintance who had never revealed her home address to him and called to wish her a happy half-birthday even though she never had revealed that fact to him either. He sent mail to another female acquaintance at her home address even though she directed all of her mail to a post office box, and he jotted her middle initial on the envelope even though she had not used her middle initial since grade school. He gave a female employee at a restaurant that he frequented a pair of earrings on her birthday even though she had not shared her birthday with him.

What was the source of Rodriguez’ apparent omniscience? Databases at the Social Security Administration (SSA), to which Rodriguez had access as a TeleService representative. In 2008 and 2009, Rodriguez accessed those databases for nonbusiness reasons on hundreds of occasions to view sensitive personal information of more than one dozen women. Rodriguez was a serial violator of an SSA policy that prohibited employees from obtaining information from SSA’s databases without a business reason. Mandatory training on the policy, notices posted in SSA’s office, and daily banners that appeared on Rodriguez’ computer did not stop him. Ultimately, Rodriguez was indicted and convicted for obtaining information from the federal government through unauthorized access to a computer in violation of the Computer Fraud and Abuse Act (CFAA).

Rodriguez tried to escape his conviction on appeal by arguing that he had accessed only databases that he was authorized to access as a TeleService representative. Rejecting this argument, the Eleventh Circuit explained (pdf) that the CFAA outlaws not only unauthorized access to a computer system but also access in excess of authorization. The court reasoned that SSA’s policy established the scope of Rodriguez’ authorized access. By accessing SSA’s databases for purely personal reasons, Rodriguez violated that policy and thus had exceeded his authorized access.

Continue Reading...

What Does the "Year of the Tablet" (or of the iPad) Mean for Employers?

On the first business day of 2011, the New York Times reported that Apple’s rivals had proclaimed 2011 to be their year to recapture a slice of the computer tablet market, currently dominated by the iPad. Since the iPad’s launch in late 2010, Apple has sold more than 4 million of its tablets; some commentators predict that Apple will sell tens of millions more iPads in 2011. Adding to the flood of tablets into the marketplace — and into the workplace — corporate IT departments are getting into the act. According to a recent report by ChangeWave, only 1% of corporate IT buyers reported in August 2010 that their organization provided employees with a tablet, but that number jumped to 7% in November 2010, and 14% of respondents stated that their organization plans to buy tablets in Q1 of 2011. Even the public sector is turning to the iPad. The Virginia legislature recently purchased 45 iPads for selected legislators and staffers in an effort to reduce the use of paper.

These trends pose serious challenges for corporate HR, Legal, and IT departments that should be addressed — or at least considered — before the “tablet tsunami” hits with full force. To begin with, employees in many organizations — often senior executives who scored an iPad as a holiday present — are clamoring to connect their iPad to the corporate network or are using the iPad for work even if the IT department refuses a connection. In fact, the iPad may represent a turning point in the battle between businesses and their workforce over the use of personal devices to conduct business. According to a November 2010 study by Ovum, approximately 50% of employees already are permitted to connect their personal devices to the corporate network. Because the iPad is so enjoyable and easy to use, that percentage is likely to surge in the next year or two as organizations bow to employee demands to use their personal iPad (or other tablet) for work.

Continue Reading...

Massachusetts Attorney General Reviews 2010 Data Breach and Data Security Regulations Compliance

With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf) (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.

Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset that the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations that would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:

  • The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
  • A Written Information Security Plan (WISP) cannot be produced.
  • The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
  • The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
  • Unfairness or deception around the purpose for which the data was originally collected.
  • Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.

Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the businesses’ information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.

Continue Reading...

After Starbucks Laptop Is Stolen, Alleged Victims of Identity Theft Win Pyrrhic Victory

In a recent published decision, the Ninth Circuit court of appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks’ employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.

In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and social security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:

  • One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of-pocket for credit monitoring services once the free service expires.
  • The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
  • The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.

Continue Reading...

What's Left of Employee Consent as Grounds for Data Processing After Recent European Court of Justice Decision on Attorney-Client Privilege?

U.S. corporations routinely rely on domestic employees’ consent to searches and disclosure of their personal information to avoid liability for privacy-based claims. In the European Union, by contrast, national data protection authorities and the Article 29 Working Party, which issues guidance on the implementation of the European Union Data Protection Directive, have repeatedly warned employers against relying on employees’ consent to provide a legitimate basis for processing personal data. In the European view, the balance of power in the employer-employee relationship so disproportionately favors the employer that an employee’s consent to an employer’s processing of personal data typically cannot be truly voluntary.

The recent decision by the European Court of Justice (ECJ) in Akzo Nobel Chemicals Ltd. v. EU (pdf), albeit addressing attorney-client privilege (known as the “legal professional privilege” in the E.U.) demonstrates just how risky it can be for employers to rely on the consent of E.U. employees as a legitimate ground for data processing. In Akzo, the ECJ rejected the assertion of the legal professional privilege to protect from disclosure communications between in-house counsel and their internal business clients in an anti-trust investigation. The following quotation reflects the logical fulcrum of the court’s decision:

“[A]n in-house lawyer cannot, whatever guarantees he has in the exercise of his profession, be treated in the same way as an external lawyer, because he occupies the position of an employee which, by its very nature, does not allow him to ignore the commercial strategies pursued by his employer, and thereby affects his ability to exercise professional independence.”

In other words, according to the ECJ, the employer’s commercial interests so cloud the judgment of in-house attorneys that they are incapable of providing unbiased legal advice to their employer.

Continue Reading...

Agency States Interim Final Rule for Breach Notification Effective Until Further Notice

On August 4, we posted about uncertainty created by the U.S. Department of Health and Human Services' (HHS) decision to withdraw its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since that time, HHS updated its website to state that, "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." This means that the harm standard embodied in the Interim Final Rule is still in effect and that, until further notice, employers and providers must conduct the risk assessment discussed in our July 30 blog post.

This entry was written by Philip L. Gordon.


Agency's Withdrawal of HIPAA Security Breach Notification Regulations Creates Uncertainty for Employers and Health Care Providers

In a two-paragraph press release recently posted on its website, the U.S. Department of Health and Human Services (HHS) announced the withdrawal of its interim final regulations addressing security breach notification for breaches that involve protected health information (PHI) subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The interim final regulations construed the security breach notification provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which amended HIPAA effective February 17, 2010. The agency’s action could have significant implications for employers and health care providers and puts them in limbo until new regulations are published when responding to a security incident involving PHI.

Continue Reading...

Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk. HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment supporting that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

Continue Reading...

Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

Continue Reading...

New Hampshire Security Incident Demonstrates Importance of Documenting Any Decision to Forego Security Breach Notification

The New Hampshire Attorney General and the federal Center for Medicare and Medicaid Services are investigating Wentworth-Douglass Hospital’s decision not to notify patients or the Attorney General of a security incident that occurred more than two years ago. The security incident, which lasted from May 2006 until July 2007, involved a former hospital employee who became disgruntled after being transferred from the pathology lab. The former employee gained unauthorized access to pathology reports on nearly 2,000 occasions and changed reports involving more than 1,100 patients. The hospital investigated the incident and determined that neither New Hampshire’s notice law nor HIPAA required notification.


Lawyers Also Can Be Snared by Privacy Rules

Identity theft is a booming business. Each year, millions of Americans fall victim to identity theft or have their personal privacy otherwise compromised through unlawful means. Whether it comes in the form of a lost or stolen credit card, or computer hackers accessing social security numbers from employment records, financial institutions, medical records, or government agencies, the costs are staggering. Studies demonstrate that victims spend anywhere from a few hours to, in some cases, literally thousands of hours working to repair damage done by identity theft. Investigations related to identity theft often take months – or sometimes years – to resolve. Reports have estimated that hundreds of billions of dollars per year are lost by businesses worldwide due to identity theft. Individual victims sometimes lose thousands of dollars in wages resolving their cases, and can spend several hundred (sometimes thousands) of dollars in various expenses related to their case.

In an effort to combat ID theft, more than thirty states (including California, New York, Illinois, and Pennsylvania) have enacted laws restricting certain uses and disclosure of social security numbers. The federal judiciary has taken note – and is following suit. Recent revisions to the Federal Rules of Civil Procedure (FRCP) now require attorneys to redact certain personal identifying information of individuals involved in litigation when filing documents in federal court – either electronically or in traditional paper format. 

Revised FRCP 5.2(a) reads:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and
(4) last four digits of the financial-account number.
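A redaction routine implementing the four reductions in Rule 5.2(a), as an added example that is not part of the original post: the regular expressions, the birth-date cue words, the sample filing text and the known-minor list are constructed assumptions, and the routine is a pre-filing aid rather than a substitute for review of the document.

```python
"""Partial redaction of court-filing text under FRCP 5.2(a).

Added example (not from the original post): keeps only the last four digits
of SSN/TIN and financial-account numbers, the year of a birth date, and a
known minor's initials.  Patterns and the sample filing are constructed for
this example; real filings need a wider set of formats and human review.
"""
import re
from collections import Counter

# Identifier shapes handled here (constructed, not exhaustive).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # SSN / ITIN, e.g. 123-45-6789
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")         # employer TIN, e.g. 12-3456789
# A date is treated as a birth date only when a birth cue precedes it
# (MM/DD/YYYY or YYYY-MM-DD); other dates in a filing are left alone.
DOB_RE = re.compile(
    r"(?i)\b((?:born(?: on)?|d\.?o\.?b\.?|date of birth)\s*:?\s*)"
    r"(?:\d{1,2}/\d{1,2}/(\d{4})|(\d{4})-\d{2}-\d{2})\b"
)
# Financial-account number: an account cue followed by six or more digits.
ACCT_RE = re.compile(
    r"(?i)((?:acct\.?|account)\s*(?:no\.?|number|#)?\s*:?\s*)(\d{6,})\b"
)


def last_four(number: str) -> str:
    """Mask every digit except the last four, keeping separators such as '-'."""
    total = sum(ch.isdigit() for ch in number)
    seen = 0
    out = []
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "x")
        else:
            out.append(ch)
    return "".join(out)


def initials(full_name: str) -> str:
    """'Timothy Doe' -> 'T.D.' (Rule 5.2(a)(3))."""
    return "".join(part[0].upper() + "." for part in full_name.split())


def redact_filing(text: str, minors=()) -> tuple[str, Counter]:
    """Apply the Rule 5.2(a) reductions; return redacted text and per-category counts."""
    counts: Counter = Counter()

    def apply(pattern, repl, category, s):
        s, n = pattern.subn(repl, s)
        counts[category] += n
        return s

    # (1) social-security and taxpayer-identification numbers: last four digits
    text = apply(SSN_RE, lambda m: last_four(m.group(0)), "ssn_tin", text)
    text = apply(EIN_RE, lambda m: last_four(m.group(0)), "ssn_tin", text)
    # (2) birth dates: year only
    text = apply(DOB_RE, lambda m: m.group(1) + (m.group(2) or m.group(3)), "dob", text)
    # (3) names of known minors: initials only (the filer must supply the names)
    for name in minors:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b")
        text = apply(pattern, initials(name), "minor", text)
    # (4) financial-account numbers: last four digits
    text = apply(ACCT_RE, lambda m: m.group(1) + last_four(m.group(2)), "account", text)
    return text, counts


def unredacted_identifiers(text: str) -> list[str]:
    """Pre-filing check: any full identifiers the patterns above still recognise."""
    found = [m.group(0) for m in SSN_RE.finditer(text)]
    found += [m.group(0) for m in EIN_RE.finditer(text)]
    found += [m.group(0) for m in DOB_RE.finditer(text)]
    found += [m.group(2) for m in ACCT_RE.finditer(text)]
    return found


# Constructed sample filing text; every value is fictitious.
SAMPLE_FILING = (
    "Plaintiff John Doe, SSN 123-45-6789, born 04/12/1975, holds Account No. "
    "9876543210 at First Bank. His son Timothy Doe (born 08/01/2010) is a "
    "minor. Employer EIN 12-3456789."
)

if __name__ == "__main__":
    redacted, counts = redact_filing(SAMPLE_FILING, minors=["Timothy Doe"])
    print(redacted)
    print(dict(counts))
    print("still unredacted:", unredacted_identifiers(redacted))
```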


Multinationals Certified to the U.S.-E.U. Safe Harbor Agreement Beware: The Federal Trade Commission Has Bared Its Enforcement Teeth

Since its inception in the year 2000, the U.S.-E.U. Safe Harbor Agreement has attracted nearly 2,000 multinationals seeking to establish a lawful basis to transfer to the U.S. the personal data of their consumers and employees who reside in the European Union (E.U.). To obtain the benefits of the Safe Harbor, these organizations are required to (a) certify to the U.S. Department of Commerce that they have implemented the seven Safe Harbor principles, (b) post for their employees and/or customers (depending upon the type of personal data being imported from the E.U.) a Safe Harbor privacy policy that embodies those principles, and (c) implement policies and procedures to ensure that the organization processes personal data received from the E.U. in compliance with the privacy policy. The Safe Harbor certification must be updated annually.

Until just a few weeks ago, the Federal Trade Commission (FTC), which enforces the Safe Harbor, had not commenced a single enforcement action in the nine years that the Safe Harbor has been in effect. Last week, the FTC requested public comment on six separate settlements of complaints alleging that multinationals had violated the Safe Harbor by representing to the public that they were current members of the Safe Harbor even though their certification was not up-to-date. Notably, the settlements do not include any monetary penalties, but instead would enjoin the targets from future misrepresentations about their Safe Harbor status.

The lessons learned include the following:

Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), one small legislative portion of the massive economic stimulus bill enacted on February 17, 2009, mandates that employers and health care providers provide notice of any “breach” of “unsecured” protected health information (PHI) to affected individuals; the U.S. Department of Health and Human Services (HHS); and, in certain circumstances, “prominent media outlets.” The quoted terms and many others in the HITECH Act are either undefined or raise a multitude of unanswered questions. HHS has recently published interim final regulations and accompanying commentary that clarifies many of the Act’s ambiguities.

For an in-depth discussion and guidance on this development, see Littler ASAP, Employers and Health Care Providers Receive New Guidance on HIPAA Security Breach Notification, by Philip L. Gordon.

Massachusetts Agency Revises Information Security Regulations -- Yet Again


In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

  • New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
  • Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreements entered into after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.

New Data Security Breach Laws in Alaska and South Carolina Take Effect July 1, 2009

On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also require notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus social security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred, or is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.


New Nevada Law Mandates Encryption of Sensitive HR Data

Nevada has joined Massachusetts as the only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law applies to all employers.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail will not need to be encrypted as long as e-mails do not pass over the public Internet (which usually is the case). However, all e-mail to third parties, i.e., e-mails that do pass over the public Internet containing Personal Information, will need to be encrypted.

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers who fail to comply with the law will be easily discovered. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, portable digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”


Newly Enacted HIPAA Security Breach Notification Requirements Raise New Risks For Employers

Employers have good reason to re-evaluate their HIPAA compliance efforts. Recent enforcement actions by the U.S. Department of Health and Human Services (HHS) that resulted in large settlement payments signal more pronounced efforts to enforce HIPAA’s compliance requirements. These enforcement actions were driven by publicly disclosed security breaches that brought compliance lapses to HHS’ attention.

Recent amendments to the HIPAA Privacy Rule, enacted as part of the massive federal economic stimulus legislation, will fuel this “breach-driven enforcement.” Under existing law, the HIPAA Privacy Rule contains no security breach notification requirement. Effective February 17, 2010, however, employers will be required to take the following steps when they learn that the “unsecured” protected health information (PHI) of participants in HIPAA-covered plans has been subjected to unauthorized access, use or disclosure:

• Notify major media outlets and HHS if a breach involves 500 or more plan participants
• Notify affected individuals within 60 days of becoming aware of the breach
• Provide in the notice to individuals, at a minimum, five specific categories of information
• Deliver the notice by first-class mail to each affected individual’s last known address

This notice obligation applies regardless of whether the employer or a third-party service provider, such as a benefits administrator, pharmacy benefits manager, or insurance broker, is responsible for the breach.

Massachusetts Regulatory Agency Revises the Massachusetts Data Security Breach Regulations and Further Extends Compliance Deadline

On Thursday, February 12, 2009, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) publicly disclosed key changes to the controversial Massachusetts data security breach regulations, 201 CMR 17.00. Taking into account testimony heard from business associations and employers at a public hearing last month, OCABR has further delayed the implementation deadline and somewhat loosened employers’ obligations with respect to third-party service providers and mandatory encryption requirements.

Highlights of the amendments to the regulations are:

Effective Date: Previously set to go into effect on May 1, 2009, the compliance date has been delayed until January 1, 2010.

Third-Party Service Providers: The original regulations required all employers to obtain: (a) by May 1, 2009, contractual assurances from their third-party vendors having access to Massachusetts residents’ personal information that the vendors are capable of safeguarding this information; and (b) by January 1, 2010, written certifications from each vendor that it has adopted a comprehensive information security program in compliance with Massachusetts regulations (201 CMR 17.00 et seq.).
 


Contemporaneous Announcements of Obama's Cybersecurity Agenda and of the "Biggest Security Breach Ever" Should Highlight for Employers the Message of National Data Privacy Day

Today — January 28, 2009 — is National Data Privacy Day, which, according to a January 2009 Resolution of the House of Representatives, “constitutes an international collaboration and a nationwide and statewide effort to raise awareness about data privacy and the protection of personal information on the Internet.” This reference to “international collaboration” is not precatory. Canada and the 27 Member States of the European Union also are seeking to focus attention on data privacy today by celebrating their own National Data Privacy Day. In light of two recent events that preceded National Data Privacy Day by only one week, HR departments should take note.

On January 22, 2009, Barack Obama’s first full day as President, he outlined, on the Whitehouse.gov website, his plan to enhance the nation’s cybersecurity. Two central planks of that plan will have a direct impact on employers. First, the plan calls on private industry to “secure personal data stored . . . on private systems” and to institute a “common standard for securing such data.” Second, the plan would create national standards for corporate security breach notification. Put simply, federal data protection and security breach notification legislation is on the way; it is just a matter of time. Such legislation most likely would have the beneficial effect of relieving multi-state employers from the burdens of complying with a patchwork of state data protection and security breach notification laws. Federal legislation, however, also would bring the substantial resources and enforcement power of the federal government to an area of the law that has, to date, seen only fledgling enforcement by the states.
 


Massachusetts Extends Deadline for Compliance with Data Security Breach Regulations

On Friday November 14, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a press release postponing the deadline for businesses to comply with recently promulgated regulations mandating the implementation of a “comprehensive written information security program.” As discussed in a previous blog post, the regulations require corporate human resource departments to implement a range of policies and procedures to safeguard the personal information of employees who are Massachusetts residents.

OCABR had initially required that companies comply with these regulations by January 1, 2009. The administrative agency apparently recognized the need to extend the compliance deadline after hearing the business community’s concerns over being forced to bear an additional financial burden in the midst of an economic downturn.

 


New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees' Personal Information

New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.

While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured.

Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined.

Philip Gordon Answers Questions About Workplace Privacy Issues

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”
 

Is Confidential Business Information Safe At 30,000 Feet?

It will soon be easier to conduct business on airline flights, and a lot riskier from a privacy perspective.  The New York Times ran a story the other day – “Some Airlines to Offer In-Flight Internet Service” – describing Jet Blue’s plans to begin offering free in-flight e-mail and instant messaging service.  Several other airlines also have announced plans to offer Internet service on their planes.  While the convenience may be welcome news to busy executives who criss-cross the country on non-stop business trips, employers should be concerned about the security of private workplace communications and confidential business information in the cramped confines of an airline cabin.  

Consider the number and proximity of work-related travelers — especially in business class. Now imagine linking the traveler’s laptop or Blackberry to seat-back entertainment systems (Virgin America has plans to implement a system that allows passengers to send messages during a flight). And now envision your company’s strategic business plan, or non-public profit figures, on display, like an in-flight movie. Add to this the passenger’s oblivion to his surroundings and the scrutiny of other bored and seemingly harmless passengers. Without determined efforts, inadvertent in-flight disclosure of confidential business information could become as commonplace as data breaches caused by stolen laptops.

Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law

Misdirected e-mail, lost and stolen laptops, and security flaws in corporate websites, when they expose employee personnel information to unauthorized individuals, are now more than a potential embarrassment; they are a legal compliance challenge, especially for multi-state employers. With Massachusetts recently becoming the 39th state to pass a notice-of-security-breach statute, it is just a matter of time before all fifty states require notice of a security breach. While these statutes share a common thread, their requirements can materially vary, complicating the determination whether an employer has a legal obligation to notify employees and, if so, the steps that the employer must take to discharge its legal responsibilities.

Regrettably, it no longer is a matter of "if", but "when," human resources professionals and in-house counsel will be required to confront this legal compliance challenge. In a 2007 study conducted by the Ponemon Institute, a leading think tank on privacy and data protection, 85% of respondents had suffered a security breach within the previous 24 months, and 81% had been required to notify individuals of the breach. With the centralization and digitization of employees' personal data into computerized human resources information systems (HRIS), security breaches involving personnel information are likely to become increasingly common and involve ever larger numbers of current and former employees, raising the stakes each time a security breach occurs.

Reviewing the provisions of the new Massachusetts notice law with reference to the thirty-eight notice statutes which preceded it helps to highlight the most significant similarities and the most salient differences among these laws. With a full view of the variegated legislative landscape, employers can more readily determine when and how they are required to provide notice. The full-length Littler Insight publication, Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law, is available for download and continues this discussion.
What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

  • Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet — but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill.  Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

More Businesses Demanding Background Checks And Drug Tests Of Vendor Employees, Creating New Privacy And Data Protection Challenges

More and more businesses — especially those in highly regulated industries such as banking, telecommunications, and health care — are engaging in “vendor management” as they implement increasingly rigorous information security programs.  Confirming the trustworthiness of vendors’ employees who are permitted on premises or who are authorized access to sensitive information is a cornerstone of such programs.  Consequently, these businesses are starting to make a variety of demands in contract negotiations and requests for proposals (RFPs) for background checks and drug-testing of vendor employees.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Three steps that vendors might consider to avoid this Catch-22 are discussed in the full post.

New Oregon Law Imposes Most Stringent Information Security Standards Yet On Employers

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

  • Designate a security officer
  • Conduct a risk assessment
  • Assess the safeguards in place to manage the risks
  • Train employees in security policies and procedures
  • Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
  • Adjust the security program over time to meet changing circumstances
  • Implement adequate physical and technical safeguards
  • Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.

Our HR Manager's Laptop Was Stolen; Should We Offer Credit Monitoring Service?

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and with the theft of laptop computers now the crime du jour.  The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of good will seems to be the answer.  According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100 per lost record.  That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover, with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs as compared to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report, from as little as 5% or less to as high as 30%.