Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law, entitled "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act") and effective October 1, 2008, also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined.

California Supreme Court Just Says "No" to Weed At Work

Gary Ross, the military veteran who urged his employer to accommodate his medical use of marijuana, has failed to convince the Supreme Court of California to revive his case.  On January 24, 2008, the Court affirmed (5 - 2) the trial and appellate court decisions that RagingWire Telecommunications was not required to employ Ross, who tested positive for marijuana, even though his use of the drug has been decriminalized under California’s Compassionate Use Act.

As discussed in an earlier posting, Ross argued that his former employer, RagingWire, had discriminated against him under the California Fair Employment and Housing Act by terminating him because of a positive drug test which resulted from his use of marijuana for his disability.  He also alleged that he had been wrongfully discharged in violation of public policy.  The decision rejects Ross's disability discrimination claim for one simple reason:  the Compassionate Use Act provides only that individuals who use marijuana pursuant to a recommendation from a health care provider have a defense to criminal prosecution.  Noting that California voters cannot override federal law, which classifies the drug as posing a risk of abuse, the Court concluded that the Compassionate Use Act simply does not address the rights of employers and employees.  The Court further observed that any effort to enact such a law would likely generate significant controversy, and it declined to read such a requirement into the limited protections of the statute.


Workplace Privacy and the MRSA "Superbug"

The rumors are flying: the TV news ran a story last night on the evacuation and decontamination of the local public school after one of the football players missed Saturday's game because of an infection with the MRSA "superbug."  One of your employees happens to have a son on the football team, and she called in sick on the Monday after the game.  Employees who work near her cubicle have "petitioned" HR not to let the mother return to work until she has submitted written documentation from her physician that she is neither infected nor contagious.  Where does HR even start to unravel the privacy concerns of the mother and her child, and how should those concerns be weighed against the health interests of the mother's co-workers?

The legal analyses related to this issue are among the most complex in the area of workplace privacy, involving the interplay of the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); state privacy statutes, such as California’s Confidentiality of Medical Information Act; state common law; and, at least in California, state constitutional law. 

Before wading into this quagmire, HR professionals should consider the following guidelines for balancing the privacy interests of potentially infected workers and the health interests of co-workers.


Is "Microchipping" Employees Ever A Viable Option?

The idea of mandatory “microchipping” — the practice of employers requiring employees to have a small computer chip inserted beneath the skin — triggers a high score on virtually any cringe meter.  According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute (“Workplace Survey on the Privacy Age Gap”) more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation. 

Mirroring this sentiment, in early September the California Legislature sent to Governor Schwarzenegger for signature a bill that would prohibit any person from requiring, coercing or compelling "any other individual to undergo the subcutaneous implanting of an identification device." [UPDATE:  Governor Schwarzenegger signed the bill into law.]  An "identification device" is defined as one capable of transmitting personal information by radio frequency (RFID) or other means.

The only surprise about this bill is that California — the state most protective of individual privacy — is not the first to ban mandatory microchipping legislatively.  North Dakota and Wisconsin grabbed that honor, passing prohibitions on mandatory microchipping in April and May 2006, respectively.  Legislatures in seventeen other states — including Georgia, Michigan and New Jersey — are considering similar laws. 

From the employer's perspective, these bills are, in a sense, irrelevant.  After all, what employer would risk the employee and public relations disaster of forcing employees to accept a microchip?


Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law

Misdirected e-mail, lost and stolen laptops, and security flaws in corporate websites, when they expose employee personnel information to unauthorized individuals, are now more than a potential embarrassment; they are a legal compliance challenge, especially for multi-state employers. With Massachusetts recently becoming the 39th state to pass a notice-of-security-breach statute, it is just a matter of time before all fifty states require notice of a security breach. While these statutes share a common thread, their requirements can materially vary, complicating the determination whether an employer has a legal obligation to notify employees and, if so, the steps that the employer must take to discharge its legal responsibilities.

Regrettably, it is no longer a matter of "if" but "when" human resources professionals and in-house counsel will be required to confront this legal compliance challenge. In a 2007 study conducted by the Ponemon Institute, a leading think tank on privacy and data protection, 85% of respondents had suffered a security breach within the previous 24 months, and 81% had been required to notify individuals of the breach. With the centralization and digitization of employees' personal data into computerized human resources information systems (HRIS), security breaches involving personnel information are likely to become increasingly common and to involve ever larger numbers of current and former employees, raising the stakes each time a security breach occurs.

Reviewing the provisions of the new Massachusetts notice law with reference to the thirty-eight notice statutes that preceded it helps to highlight the most significant similarities and the most salient differences among these laws. With a full view of the variegated legislative landscape, employers can more readily determine when and how they are required to provide notice.  The full-length Littler Insight publication is available for download:  Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law.

What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member of the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary, sometimes materially, from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized "personal information," creating a risk of identity theft.  In all 39 states that have adopted such a law, "personal information" includes (again, at a minimum) the affected individual's first name or initial and last name combined with a Social Security number, driver's license number, or credit card, debit card, or financial account number together with any required security code.

Here are five key points for employers to consider as they confront these statutes.

  • Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team, typically drawn from HR, IT, Legal, and Public Relations, and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train HR Professionals.  In the employment context, a security breach can take many forms: a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the types of information that should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization's obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances a security breach may not trigger a legal obligation to notify (for example, the theft of a hard-copy, as opposed to computerized, payroll spreadsheet), but the employer may still decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill.  Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

New Oregon Law Imposes Most Stringent Information Security Standards Yet On Employers

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. The new law is especially significant for multi-state employers, as the statute applies to any business that maintains the "personal information" of an Oregon resident, regardless of the size of the company's presence in Oregon. Personal information is defined to include precisely the type of information that all employers maintain about every employee, i.e., first name or initial and last name plus Social Security number, driver's license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

  • Designate a security officer
  • Conduct a risk assessment
  • Assess the safeguards in place to manage the risks
  • Train employees in security policies and procedures
  • Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
  • Adjust the security program over time to meet changing circumstances
  • Implement adequate physical and technical safeguards
  • Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in "one-upmanship" as they enact new data protection statutes, and employers can expect other states to attempt to match or exceed Oregon's legislation. Consequently, employers should expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information, not as an extra effort but simply to comply with newly enacted state data protection legislation.