New Employee Privacy Law in Virginia Goes Into Effect July 2013

By Thomas Flaherty and Rebecca Roche

Virginia has enacted a new law that is intended to enhance employee protections, particularly during union organizing drives in the Commonwealth.  Effective July 1, 2013, the law limits those situations in which an employer may be required to disclose certain information to third parties about current and former employees.  Delegate Barbara Comstock, who spearheaded this law, calls it “...a victory for the rights of workers and for protecting employees in the workplace.”

The bill, entitled “Keeping Employees’ Emails and Phones (KEEP) Secure Act,” carries the title and tracks the language of a bill introduced in the U.S. Congress in February 2012 by Rep. Sandy Adams (R-FL), which would have prevented the National Labor Relations Board (the NLRB or Board) from implementing a rule requiring employers to provide to a union or the Board employee telephone numbers or email addresses. The federal bill did not pass. The Virginia law provides that employers cannot be “required to release, communicate, or distribute” to third parties personal identifying information (defined as home and mobile telephone numbers, email addresses, shift times and work schedules) about current or former employees, unless required by federal or state law, ordered by a court of competent jurisdiction, required pursuant to a warrant, or required by a subpoena or discovery in a civil case.  These exceptions may largely swallow the rule, particularly if the NLRB changes the election procedures under the National Labor Relations Act (the NLRA) to include, among other things, a requirement that employers disclose employees’ phone numbers and email addresses to labor organizations once an election has been ordered.  

Continue Reading...

Minnesota Enacts "Ban the Box Law"

Effective January 1, 2014, recent amendments to Minnesota law will restrict the timing of pre-employment inquiries by most private employers into a candidate’s criminal past.  Employers who are not exempted from the law may not (1) inquire into or consider or require disclosure of criminal record information until the applicant has been selected for an interview or, if there is not an interview, until a conditional job offer of employment has been extended to the applicant, and (2) use any form of employment application that seeks such criminal record information.

The new law does not outright preclude inquiries into or consideration of an applicant’s criminal past.  Representative Tim Mahoney, who sponsored the legislation, has stated that the law “does not prohibit private employers from eventually conducting background checks and fully investigating the criminal past of potential employees,” but, “is designed to get applicants past the initial application stage, so that if they qualify for the job, they get a chance to explain themselves.”  Further, the statute expressly states that it does not prohibit an employer from notifying applicants that either law or the employer’s policy will disqualify an individual with a particular criminal history background from employment for particular positions.  To learn more about the law, please see Littler's ASAP, Minnesota Enacts “Ban the Box Law" Prohibiting Employment Application Criminal History Checkmark Boxes and Restricting Criminal Record Inquiries Until After Interviews or Conditional Job Offers, by Dale Deitchler, Rod Fliegel, Susan Fitzke and Jennifer Mora.

Colorado Becomes Tenth State to Pass Social Media Password Protection Legislation

By Philip L. Gordon, Katherine (Katie) Dix, and Jordan Cornett

The number of states enacting social media password protection laws has risen once again, as such legislation continues to gain traction across the country.  On May 1, 2013, Colorado’s General Assembly became the tenth legislature to submit a bill to its governor restricting an employer’s ability to access the personal social media accounts of employees and applicants.  The other states are Arkansas, California, Illinois, Maryland, Michigan, New Jersey, New Mexico, Utah and Washington.  Compared to several of the more recent social media protection laws, such as New Jersey’s A.B. 2878, Colorado’s bill is relatively weak.

Colorado’s bill, H.B. 13-1046, prohibits an employer from engaging in three activities.  First, an employer cannot “suggest, request, or require” an employee or applicant to disclose “any user name, password, or other means for accessing the employee’s or applicant’s personal account or service through the employee’s or applicant’s personal electronic communications device.”  Second, H.B. 13-1046 prohibits an employer from compelling an employee or applicant to add anyone, including the employer or its agent, to the employee’s or applicant’s list of contacts associated with a social media account.  Third, under the bill, an employer cannot cause an employee or applicant to change the privacy settings associated with a social networking account.  An employer, for example, cannot coerce an applicant into making his Facebook page public, which would allow the employer to see his relationship status or posts. 

Continue Reading...

Washington Adds to Flood of Social Media Password Protection Legislation

By Philip L. Gordon and Joanna M. Silverstein 

Washington State has joined this spring’s flood of password-protection legislation.  Since mid-March of this year, legislatures in Arkansas, Colorado, New Jersey, New Mexico, and Utah also have passed bills restricting employers’ access to applicants’ and employees’ personal social media accounts.

The Washington bill (currently awaiting signature by Governor Inslee)* broadly prohibits employers from accessing employees’ and applicants’ social networking accounts.  Employers are prohibited from: (a) requiring disclosure of log-in information; (b) asking for access to the account in the employer’s presence, i.e., shoulder surfing; (c) requiring the acceptance of a “friend” request from the employer; (d) requiring a change in privacy settings to make the account accessible to the employer; and (e) using log-in credentials inadvertently obtained through the employer’s monitoring of corporate electronic resources.  Employees or applicants subject to an unlawful demand can recover actual damages in a private lawsuit as well as a $500 penalty, and an award of attorney’s fees and costs. 

The Washington bill contains a significant exception for workplace investigations.  Employers can require that employees share content from their personal social media accounts in connection with an investigation into workplace misconduct if the investigation is undertaken in response to information received about the employee’s personal social media content and the content is relevant to a factual determination made in the course of the investigation.  Even in that scenario, the employer may not ask for the employee’s log-in information.  The new law’s prohibitions do not apply to employer-provided accounts or devices.

*The bill was signed into law by Governor Inslee on May 22, 2013.

Status of New Jersey's Social Media Password Protection Law In Flux

By Amber Spataro

On March 21, 2013, the New Jersey legislature overwhelmingly passed one of the most pro-employee social media password protection bills in the nation. The bill not only prohibited employers from requesting employee passwords to their personal social media accounts, but also prohibited employers from even asking employees or applicants if they possessed a personal social media account. The bill conferred on applicants and employees the right to sue for damages.

On May 6, 2013, Governor Chris Christie issued a statement and a “conditional veto” of the measure. A conditional veto means the governor objects to parts of a bill; the veto message contains proposed amendments that would make the bill acceptable to him. If the legislature re-enacts the bill with the recommended amendments, the governor will have another opportunity to sign the bill and presumably would sign it.

Continue Reading...

Patchwork of Social Media Password Protections Laws Impacts Employers

Social media websites such as Facebook, Twitter, LinkedIn and others have become a part of daily life in the United States and abroad. The unavoidable reach of social media into our personal lives has extended into our professional lives. Facebook claims to have more than 1 billion users. As of December 31, 2012, LinkedIn boasted more than 200 million registered users in over 200 countries and territories and that LinkedIn members performed "over 5.7 billion professionally-oriented searches on the platform in 2012." It is reasonable to infer that those 5.7 billion searches were not limited to individuals seeking jobs, professional connections or merely long lost friends, but also included employer representatives searching for qualified candidates.

In the last decade, most employers, at some point, have reviewed an employee's or applicant's emails, blogs or online social media postings, either in the capacity of "employer" or perhaps as a "friend." Social media monitoring service Reppler recently surveyed over 300 hiring professionals to determine when and how job recruiters are screening job candidates on different social networks. The study found that more than 90 percent of recruiters and hiring managers have visited a potential candidate's profile on a social network as part of the screening process. Moreover, 69 percent of recruiters have rejected a candidate based on content found on his or her social networking profiles—an almost equal proportion of recruiters (68%), though, have hired a candidate based on his or her presence on those networks.

Employers' access to applicants' and employees' social media activity raises two separate but related questions. First, what social media sites can employers lawfully access to obtain information about applicants and employees? Second, to what extent can employers lawfully rely on information obtained through social media to make employment decisions? The second question raises the types of anti-discrimination concerns that employers have been confronting in the off-line world for decades. However, the first question exposes employers to a completely new legal landscape, one which just began to evolve in April 2012, when Maryland enacted the Nation's first "social media password protection law" and has expanded in the past year to include six additional states—California, Illinois, Michigan, New Jersey, New Mexico, and Utah. With password-protection legislation pending in over twenty state legislatures, this legal landscape undoubtedly will become more complex, especially for multi-state employers, over the next one to two years.

To learn more about the history and background of social media password protection legislation, the differences between the state laws, and how those differences create challenges for employer compliance, please see Littler's Report, Workplace Policy Institute: Social Media Password Protection and Privacy — The Patchwork of State Laws and How It Affects Employers, by Philip Gordon, Amber Spataro, and William Simmons.

Colorado Enacts Law Restricting the Use of Credit Reports for Employment Purposes

On April 19, 2013, Colorado Governor John W. Hickenlooper signed into law Senate Bill 13-018 (the "Employment Opportunity Act"), which will significantly restrict the ability of Colorado employers to use “consumer credit information” for hiring and other employment purposes unless use of the information is limited to the narrow category of positions set forth in the statute. With this law, Colorado becomes the ninth state to regulate the use of credit-related information for employment purposes, following laws enacted in California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington. Colorado’s law goes into effect July 1, 2013. To learn more about the law, please see Littler’s ASAP, Colorado is the Latest and Ninth State to Enact Legislation Restricting the Use of Credit Reports for Employment Purposes, by Rod Fliegel, Philip Gordon, and Jennifer Mora.

New Jersey Poised to Enact the Most Aggressive Social Media Password Protection Law to Date, Adding to a Patchwork of Conflicting Laws Across the U.S.

By Philip Gordon

New Jersey is expected to shortly join California, Illinois, Maryland, Michigan, and Utah in prohibiting employers from seeking employee or applicant passwords to social media accounts or services. New Jersey’s General Assembly passed its bill on March 21, 2013, and that bill now awaits signature by Governor Christie. Although there is no indication from the governor whether he intends to sign the bill, ignore it, or veto it, any action other than signature would simply be symbolic and almost certainly overridden (the General Assembly passed the bill 75-2). New Jersey’s law is more pro-employee/applicant than any such law enacted to date, providing the broadest protections, the narrowest exceptions, and the most generous remedies.

Specifically, the New Jersey bill would prohibit an employer from requesting or requiring, as a condition of employment, that a current or prospective employee “provide or disclose any user name or password, or in any way provide the employer access to,” any personal social networking account, service or profile. The phrase “or in any way provide the employer access to” appears to prohibit New Jersey employers not only from “shoulder surfing,” i.e., reviewing social media content by observing the individual’s access without requesting login credentials, but also goes one step further. The bill apparently would prohibit an employer from asking an employee who complains about the social media activity of a coworker, such as online sexual harassment, for access to the complaining employee’s personal social media account to observe what the alleged harasser posted. Moreover, unlike similar laws in California, Michigan, and Utah, the New Jersey bill contains no exception for workplace investigations into suspected unlawful conduct or violations of employer policies. Notably, the New Jersey bill does not contain even a narrower exception, such as the one in Maryland’s law, which includes a carve-out for investigations into suspected violations of securities laws or regulations or into suspected misappropriation of trade secrets.

Continue Reading...

Littler Mendelson's Workplace Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About What Obama's Second Term Means for Privacy Law

Privacy law stood as one of the most discussed areas of law during President Barack Obama’s first term in office. Though a lot of action was seen, not all of it is attributable to the president, and the same may hold true during his second term. In an interview with the LexBlog Network, Philip Gordon, Chair of Littler‘s Workplace Privacy and Data Protection Practice Group, offers his thoughts on what the realm of privacy law will look like over the coming years—at both the federal and state level.

Marijuana Laws Liberalized in Colorado, Washington, But Effect on Workplace Policies Likely Small

The 2012 elections placed a number of marijuana initiatives before state voters around the United States, ranging from efforts to legalize the sale and use of marijuana for recreational purposes to further expansion of the "medical marijuana" laws that currently exist in 17 states and the District of Columbia. Voters in Colorado and Washington passed initiatives directing their states to decriminalize the possession of marijuana by adults for recreational use. Oregon voters, in contrast, rejected a ballot initiative that would have legalized marijuana for recreational use. Massachusetts has adopted a "medical marijuana" law that decriminalizes the use and possession of marijuana by state residents with debilitating medical conditions. Montana voters appear to have authorized amendments to that state's existing medical marijuana law that narrow who is eligible to use marijuana for medical reasons. To learn more, please see Littler's ASAP, Marijuana Laws Liberalized in Colorado, Washington – But Effect on Workplace Policies Likely Small, by Nancy Delogu and Chris Leh.

Newark Background Check Ordinance Restricts Use of Criminal Records for Employment Purposes

Effective November 18, 2012, most employers that operate in Newark, New Jersey must comply with a new ordinance broadly restricting their discretion to rely on criminal background records for employment purposes. The ordinance prohibits a covered employer from, among other things, conducting a criminal history inquiry unless and until the employer has determined in good faith that such an inquiry is warranted based on the "sensitivity" of the position, has provided the requisite notices to the candidate, and has extended to the candidate a conditional offer of employment. The ordinance does not include a private right of action, but instead provides for the enforcement of fines of up to $1,000 for each violation by an office or agency of the City that will be designated by the Mayor of Newark. It remains to be seen whether the plaintiffs' employment bar will attempt to bring Pierce-type public policy actions, claiming that individuals whose rights have been violated under the ordinance necessarily have a right to vindication by suing directly in court.

To learn more about the ordinance, please continue reading Littler’s ASAP, Employers in Newark, New Jersey Must Comply with a New Ordinance Broadly Restricting Their Discretion to Rely on Criminal Records for Employment Purposes, by Rod Fliegel, Jedd Mendelson, and Jennifer Mora.

California's New Social Media "Password Protection" Law Takes a More Balanced Approach by Accounting for Employers' Legitimate Business Interests

Under a new California law, employers cannot request or require that applicants or employees:

  • Disclose social media log-in credentials;
  • Access personal social media in the employer’s presence; or
  • Divulge any personal social media content.

However, an exception permits employers to ask an employee to divulge personal social media content that the employer “reasonably believe[s] to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, California’s New Social Media “Password Protection” Law Takes a More Balanced Approach by Accounting for Employers’ Legitimate Business Interests, by Philip Gordon and Lauren Woon.

California (Surprisingly) Becomes First State to Take a More Balanced Approach to Social Media "Password Protection" Laws

By Philip L. Gordon

Following the lead of Maryland and Illinois, California’s legislature, last week, sent to the governor for signature the nation’s third “password protection” law. Unlike the Maryland and Illinois laws, California’s pending statute takes into account employers’ legitimate business interests.

The Illinois law broadly prohibits employers from requesting or requiring that applicants or employees disclose their personal social media log-in credentials. Maryland’s law has two narrow exceptions for investigations into suspected securities violations or misappropriation of trade secrets, without any legislative findings explaining why these two categories of workplace misconduct should be exempted from the statute’s purview while other forms of workplace misconduct, such as a threat posted on social media to kill co-workers, are not. Earlier versions of the California bill, like the Illinois law and more than one dozen bills currently pending in other states, imposed a blanket prohibition on all employer requests for personal social media log-in credentials, without consideration of employers’ legitimate need to make such requests. In a July article entitled, “Rethinking and Rejecting Social Media Password Protection Laws,” we challenged the myopic view implicit in these laws and bills, i.e., that employers rarely or never have a good reason to investigate the content of an applicant’s or employee’s restricted-access social media site.

Continue Reading...

Newly Enacted New York Law May Open Trap for Unsuspecting Employers

By Philip Gordon and Sarah Moss

[NOTE: This blog post replaces an earlier entry and provides a more detailed discussion of the new New York law.]

On August 14, 2012, New York Governor Andrew Cuomo signed into law a bill intended to reduce the risk of identity theft by generally prohibiting private entities from requesting or requiring an individual to provide his or her Social Security number (SSN) in connection with almost any activity. The law, General Business Law section 399-ddd, contains several exceptions to this general prohibition, including exceptions where the request is “for purposes of employment” or “a lawful request for a consumer report or investigative consumer report.” However, these exceptions do not appear to encompass the entire hiring process.

By its plain terms, the “employment purposes” exception includes requests during “the course of administration of a claim, benefit, or procedure related to the individual’s employment by the [employer], including the individual’s termination from employment, retirement from employment, injury suffered during the course of employment, or to check on an unemployment claim of the individual.” All of the activities listed in the exception presuppose an existing or pre-existing employment relationship between the employer and the person who is being asked to disclose his or her SSN. In other words, this exception does not appear to address the hiring process at all.

Continue Reading...

Recently Enacted New Jersey Law Shines Spotlight on Critical Social Media Issue for Healthcare Employers

By Philip Gordon and Inna Shelley

When the photographs and videos flooding social media include images of patients or the victims of an accident or crime, it gives human resources professionals, compliance officers and in-house employment counsel at health care facilities heartburn and forces them to spring into action. In the past several years, dozens of snap-happy health care workers have been fired for using smartphones to photograph patients and then upload the images to their social media page. One startling illustration of this phenomenon occurred when emergency room workers and staff at a medical center in California photographed an urgent care patient’s gruesome stab wounds and posted the photos on the web. In another example, an Oregon nursing assistant received an eight-day prison sentence after posting graphic photographs of nursing home residents on her social media site. Given these types of stories, it is not surprising that, according to a PricewaterhouseCoopers study published in April 2012, 63% of health care consumers expressed concern about personal health information being shared in public.

Many health care workers mistakenly believe that posting a patient’s image on a social media site does not violate HIPAA’s privacy requirements if the post excludes the patient’s name and other identifying information. To the contrary, an image that includes a patient’s face is not de-identified under HIPAA. Even when the face is obscured, the image still could be entitled to protection under HIPAA if the patient reasonably could be identified, for example, where the image reveals a distinguishing tattoo or scar.

Continue Reading...

Illinois Enacts New Social Media Password Protection Law

On August 1, 2012, Illinois Governor Pat Quinn signed into law a bill modifying Illinois' Right to Privacy in the Workplace Act to limit employers' access to applicants' and employees' restricted social media accounts. The Illinois bill applies to both public sector and private sector employers.  The law makes Illinois the second state in recent months (after Maryland) to forbid employers from requesting or requiring log-in credentials for an applicant's or employee's social networking sites.

Specifically, Illinois' new law makes it unlawful for an employer to:

  • "request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website[;]" or
  • "demand access in any manner to an employee's or prospective employee's account or profile on a social networking website."

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, Illinois' New Social Media Password Protection Law Handicaps Employers' Legitimate Business Activities, by Philip Gordon and Kathryn Siegel.

Re-Thinking and Rejecting Social Media "Password Protection" Legislation

Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By Philip Gordon and Lauren Woon

The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media account. Over the next three weeks, more stories were published; some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.

Social Media “Password Protection” Laws Are Unnecessary

Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.

The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?” The response: 99% of respondents answered the question in the negative.

Continue Reading...

Social Media Password Law Remains Idle in Illinois

It has been over one month since we discussed Illinois’s proposed social media password law. On May 22, 2012, both state legislative houses passed HB 3782, a bill that would amend the state’s Right to Privacy in the Workplace Act to prohibit employers from requesting applicant and employee social media login credentials. At that point it looked like Illinois would become the second state to enact such a law – on May 2, 2012, Maryland became the first state to prohibit such conduct. However, the bill was not sent to the governor until June 20, 2012. Moreover, the waiting game may continue because the governor has 60 days to sign, veto, or take no action on the bill. If no action is taken during the 60-day period, the bill becomes law. From a compliance readiness standpoint, because of the bill’s slow movement, if the governor signs the bill (or takes no action), employers will have more time to review and revise relevant policies because the law will not become effective until June 1, 2013; compared to January 1, 2013, had the law been signed before June 1, 2012.

Vermont Becomes the Eighth State to Restrict the Use of Credit Reports for Employment Purposes

On May 17, 2012, Vermont Governor Peter Shumlin signed Vermont Act No. 154 (S. 95), which prohibits employers, subject to certain exceptions, from using or inquiring into an applicant or employee's credit report or "credit history" for employment purposes. Relying on a variety of statistics regarding the purported reason that families "go into debt" and the alleged increased use of credit reports for employment purposes, the legislature stated that the new law was necessary because "information contained in a credit report has no correlation to job performance" and "credit reports do not provide meaningful insight into a candidate's character, responsibility, or prospective job performance." To learn about the new law and its potential implications for employers, please continue reading Littler's ASAP, Vermont Becomes the Eighth State to Restrict the Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.

Connecticut Legalizes Medical Marijuana Use, Places Limits on Employers

Beginning on October 1, 2012, Connecticut residents will be able to smoke marijuana to alleviate symptoms of a debilitating medical condition without fear of arrest or prosecution by Connecticut authorities, or adverse employment action by employers in the state. The new law, entitled An Act Concerning the Palliative Use of Marijuana (Public Act No. 12-55), was signed by Governor Malloy on May 31.

Connecticut joins approximately one-third of the states and the District of Columbia in legalizing medical marijuana use and possession by certain individuals. However, the Connecticut law goes further than most similar laws because it forbids employers from refusing to hire, discharging, penalizing, or threatening individuals based on their medical marijuana use.

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, Connecticut Legalizes Medical Marijuana Use, Places Limits on Employers, by Katherine Goetzl.

Littler Mendelson's Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Illinois Social Network Password Law

The Illinois Senate and House passed a bill that will soon make their state the second in the country to have a law prohibiting employers from asking employees for their credentials to social networking sites. While this surely makes employees happy, the law and ones like it have the potential to inhibit legitimate business activities. In an interview with The Lexblog Network, Philip Gordon—Chair of the Privacy and Data Protection Practice Group at Littler—explains the basics of the Illinois law, how it could potentially inhibit businesses and where we might find some kind of happy medium.

Illinois' New Social Media Password Law Raises Substantial and Unjustified Obstacles to Employers' Legitimate Business Activities

By Philip L. Gordon

With last week’s approval by Illinois’ Senate of a House bill entitled, “The Right to Privacy in the Workplace Act,” Illinois (assuming the Governor signs the bill) will soon become the second state, joining Maryland, to forbid employers from requesting or requiring log-in credentials for an applicant’s or employee’s social networking site. This bill, like Maryland’s law, raises significant interpretative challenges for employers while imposing unjustified and overbroad restrictions on their ability to run their own business.

Remarkably, the Illinois bill (like the Maryland law) contains no legislative findings supporting the need for the law. To be sure, in March and April of this year, there was a media frenzy aimed at creating the impression that private employers routinely request access to applicants’ and employees’ social networking accounts. This stir, however, was substantially overblown. It was based on a small number of news stories, virtually all of which involved job applicants, not employees, and public, not private, employers. To date, we have seen no empirical evidence suggesting that private employers are engaging in the practice which is the subject of legislation not only in Illinois and Maryland, but also of pending bills in ten other states (California, Delaware, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina and Washington) and in both houses of Congress.

Continue Reading...

Littler Mendelson's Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Maryland Facebook Password Law

Philip Gordon, Chair of Littler Mendelson's Privacy and Data Protection Practice Group and a frequent contributor to this blog, was recently interviewed by The Lexblog Network about Maryland's recently-enacted Facebook password law and what it accomplishes.

New Obligations for Massachusetts Employers Conducting Criminal Background Checks

Effective May 4, 2012, the Massachusetts Criminal Offender Record Information ("CORI") Reform Act (the Act), which was enacted in August 2010 with the controversial "ban the box" legislation, will significantly change the way employers access, use and maintain information obtained through the Commonwealth's CORI system. The Act will allow all employers access to a new online records system, but also imposes obligations on employers that acquire criminal history information from private sources, such as consumer reporting agencies (background report vendors). Employers should review their hiring and background check policies now to determine whether any updates are necessary. To learn about the Act and its potential implications for employers, please continue reading Littler's ASAP, Massachusetts Employers Face New Obligations When Conducting Background Checks Involving Criminal History Records, by Christopher Kaczmarek, Carie Torrence, and Joseph Lazazzero.

California Restricts Employer Use of Credit Reports

On October 10, 2011, the Office of California Governor Jerry Brown announced that Governor Brown had signed AB 22, legislation that adds a new provision to the California Labor Code and amends the state's Consumer Credit Reporting Agencies Act to restrict the discretion that private and public sector employers have to use "consumer credit reports" for hiring and personnel decisions. Together, the new laws, which take effect on January 1, 2012, limit when employers lawfully can use consumer credit reports and impose notice and disclosure obligations on employers who intend to do so. To learn more about the laws and their implications for employers, please continue reading Littler's ASAP, California Joins States Restricting Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.

California Amends its Security Breach Notification Law

By Ellen M. Giblin

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.

Continue Reading...

Connecticut Law Restricts Employer Use of Credit Reports

Effective October 1, 2011, employers in Connecticut will face new restrictions on the use of credit reports regarding current or prospective employees as a result of the recent enactment this month of Connecticut Public Act 11-223. In enacting the new law, Connecticut becomes the sixth state limiting employers' use of credit reports, following Hawaii, Washington, Oregon, Illinois, and Maryland. Similar laws are pending in several other states and at the federal level. The Equal Employment Opportunity Commission (EEOC) is also conducting related investigations and pursuing at least one disparate impact claim based on the use of credit reports. Thus, employers who use credit history information to inform hiring or personnel decisions in states that have enacted credit check laws should review their policies for compliance, and employers everywhere should continue to monitor developments in this evolving area of the law. To learn more about the Connecticut law and its implications for employers, please continue reading Littler's ASAP, Use of Credit Reports by Employers Will Soon Be Restricted in Connecticut, by Rod Fliegel and William Simmons.

New Maryland Statute Further Complicates Patchwork of "Credit Privacy" Laws

by Philip L. Gordon

When Maryland enacted its law restricting the use of credit history for employment purposes on April 12, 2011, it became the fifth state – joining Hawaii, Illinois, Oregon, and Washington – to enact a credit privacy law. Maryland’s law transforms what was a mildly complicated compliance challenge for multi-state employers into an expanding morass. With credit privacy bills currently pending in more than twenty states, multi-state employers should expect that it will become increasingly difficult to establish company-wide policies on the use of credit history for employment purposes.

The core issue for employers who use credit checks for employment purposes (other than financial institutions which are carved out from each of the laws) is the scope of the exception to the general prohibition against using credit checks for employment purposes. At first blush, there appears to be uniformity because all five states permit employers to use credit checks for employment purposes when the check is “substantially related” to the applicant’s or employee’s job responsibilities.

The crux of the problem is the near total discordance over how “substantially related” should be defined. To begin with, the laws in Washington and Oregon provide no definition at all of “substantially related.” Oregon’s Bureau of Labor and Industry (BOLI), by regulation, defines “substantially related” to mean that an essential function of the job requires access to financial information, but the regulations do not define the term “financial information.” Illinois’ law also permits credit checks for positions that “involve access to . . . financial information.” However, it is not clear whether the access must be an essential job function (as is the case in Oregon). Furthermore, Illinois narrowly defines “financial information” to mean “non-public information on the overall financial direction of an organization, including, but not limited to, company taxes or profit and loss reports.” At least as of now, employers have no way of knowing whether Oregon’s BOLI intended to define “financial information” more broadly than Illinois’ legislature.

Continue Reading...

Massachusetts Attorney General Reviews 2010 Data Breach and Data Security Regulations Compliance

With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.

Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset that the Attorney General’s (AG) current enforcement approach is not audit based due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations that would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:

  • The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
  • A Written Information Security Plan (WISP) cannot be produced.
  • The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
  • The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
  • Unfairness or deception around the purpose for which the data was originally collected.
  • Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.

Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the business’s information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.

Continue Reading...

New California Law Illustrates Challenges of Background Check Compliance for Employers

Background checks seem to be a hot topic in state legislatures these days. In the past six months, for example, several states — including Illinois, Massachusetts, Oregon, and most recently California — have enacted laws bearing upon the process of checking the backgrounds of job applicants and employees. Under the new California law, effective January 1, 2012, background check authorizations must include the “Internet Web site address . . . where the consumer may find information about the investigative reporting agency’s privacy practices.” This seemingly trivial change is emblematic of the challenges that employers confront in the area of background check compliance.

No case of which we are aware addresses the question whether an employer’s background check procedures must comply with only the law of the state(s) in which the employer is located, only the law of the state where the applicant or employee resides, or both. The question is far from academic. Even employers located in a single state routinely advertise positions on a company-sponsored web site, or through third-party web sites, accessible to applicants in all fifty states. Further, given the high unemployment rate and the general mobility of the U.S. workforce, job applicants for virtually any position could reside in any state.

In light of these factors, the most conservative employer — even if located in a single state — would conduct background screening in a manner that complies with the laws of all fifty states. However, as noted above, state legislatures are enacting new restrictions on, or requirements for, pre-employment background checks at an accelerated rate. In addition to the challenge of remaining up to date with this surge of legislation, employers face the difficulty of generating compliance forms that are not encyclopedic and that applicants of all educational levels can easily comprehend.

Continue Reading...

Multi-State Employers Must Revise Job Applications to Address New Massachusetts Background Check Law

Recently enacted legislation in Massachusetts will significantly affect employers’ use of criminal history information for employment purposes. While most provisions of the new law do not go into effect until May 2012, one provision, effective on November 4, 2010, requires the immediate attention of multi-state employers.

This provision generally prohibits employers from inquiring in an “initial written application form” about an applicant’s criminal history. Two narrow exceptions permit questions about criminal history if a federal or state regulation (1) disqualifies the applicant from employment in the open position based on a criminal conviction; or (2) bars the employer from hiring for one or more positions an individual with a criminal conviction. The second exception, as written in the statute, is ambiguous. It is unclear whether an employer who is barred from hiring a convicted criminal for certain positions may inquire into an applicant’s criminal history on the initial employment application used for a variety of positions, including those that can be filled by a convicted criminal. This issue is particularly important for multi-state employers who use a standard job application form for all jurisdictions.

Before the new law’s November effective date, all multi-state employers should carefully review any job application form that is completed by Massachusetts applicants. If the employer has no position for which federal or state law prohibits the hiring of a convicted criminal, the employer should add an instruction to Massachusetts applicants, immediately below any question seeking information about criminal history, directing Massachusetts applicants not to respond. If the employer has one or more positions for which federal or state law prohibits the hiring of a convicted criminal, the employer should consider an instruction which directs Massachusetts applicants not to answer the question unless they are applying for one or more of a list of specified positions. The list would include those positions for which state or federal law prohibits the hiring of a convicted criminal.

Continue Reading...

New Oregon Law Restricting Use Of Credit Checks For Employment Purposes May Signal National Trend

Last week, Oregon joined a growing national trend, apparently in response to the recession and the foreclosure crisis, that restricts the ability of employers to use credit history in employment decisions. Under the Oregon law, it is an unlawful employment practice, except in limited circumstances, for an Oregon employer to use credit history in making hiring decisions or any decision affecting current employees. The law confers on Oregon employees the right to file an administrative complaint or a private lawsuit claiming that the law has been violated. Employees who prevail may recover lost wages and attorney fees. The law becomes effective July 1, 2010.

Continue Reading...

Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

Continue Reading...

Lawyers Also Can Be Snared by Privacy Rules

Identity theft is a booming business. Each year, millions of Americans fall victim to identity theft or have their personal privacy otherwise compromised through unlawful means. Whether it comes in the form of a lost or stolen credit card, or computer hackers accessing social security numbers from employment records, financial institutions, medical records, or government agencies, the costs are staggering. Studies demonstrate that victims spend anywhere from a few hours to, in some cases, literally thousands of hours working to repair damage done by identity theft. Investigations related to identity theft often take months – or sometimes years – to resolve. Reports have estimated that hundreds of billions of dollars per year are lost by businesses worldwide due to identity theft. Individual victims sometimes lose thousands of dollars in wages resolving their cases, and can spend several hundred (sometimes thousands) of dollars in various expenses related to their case.

In an effort to combat ID theft, more than thirty states (including California, New York, Illinois, and Pennsylvania) have enacted laws restricting certain uses and disclosure of social security numbers. The federal judiciary has taken note – and is following suit. Recent revisions to the Federal Rules of Civil Procedure (FRCP) now require attorneys to redact certain personal identifying information of individuals involved in litigation when filing documents in federal court – either electronically or in traditional paper format. 

Revised FRCP 5.2(a) reads:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and
(4) last four digits of the financial-account number.

Continue Reading...

New York Suspends Mandatory Flu Shots

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

New York Judge Halts Mandatory Flu Shots

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

Continue Reading...

Massachusetts Agency Revises Information Security Regulations -- Yet Again

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

  • New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
  • Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreements entered into after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.

Continue Reading...

Criminalization of Online Harassment May Help Employers in "Cyberbattles" with Disgruntled Employees

Texas recently enacted a law, effective September 1, 2009, that criminalizes online harassment. Texas joins other states, including Nevada, New York and Tennessee, which have enacted similar legislation criminalizing the use of electronic communication devices to commit criminal stalking and harassment.

Although speaking in terms of “online harassment,” the law is aimed at outlawing online impersonation with the intent to cause harm. Thus, the law outlaws the unauthorized use of another’s name or persona to create a web page, or to post one or more messages on a commercial social networking site, with the intent to defraud, harm, intimidate or threaten another person. This offense is a third-degree felony, punishable by two to ten years imprisonment and a fine not to exceed $10,000.

Continue Reading...

Minnesota Appellate Court Rules that Temporary Posting of Medical Information on MySpace.Com Supports a Privacy Breach Claim Even if Seen by Only a Few

Even a brief posting of private information on an Internet site amounts to “publicity per se” sufficient to support a civil action for invasion of privacy, according to a three judge panel of the Minnesota Court of Appeals in Yath v. Fairview Clinics, filed June 23, 2009. Candace Yath was a patient at the defendant clinic, where she sought testing for sexually transmitted diseases because she had a new sex partner. She was observed there by a clinic employee, Tek, who was an acquaintance. Tek later (and in violation of clinic policy) accessed Yath’s medical file, learning of Yath’s new sex partner (Yath was at the time married but estranged from her husband) and that Yath had been diagnosed with a sexually transmitted disease. Tek informed a second person, also an acquaintance (and relative) of Yath about the medical file information. Word soon spread to a group of people, including Yath’s husband.

One month later a web page appeared at MySpace.com bearing the title “Rotten Candy,” and including a photo of Yath and the contents of her medical file. The MySpace page asserted that “Rotten Candy” has a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. After learning about the Internet posting, the clinic manager investigated. When the manager first accessed the webpage, it listed only six “friends,” indicating that at least six persons had accessed the page. When the manager tried again to access the web page, one or two days later, the webpage had been removed.

Continue Reading...

Ensuring the Privacy of Transgender Employees in the Face of Public Transition

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

  • 13%-56% of transgender individuals had been fired;
  • 13%-47% had been denied employment;
  • 22%-31% had been harassed, either verbally or physically, in the workplace; and
  • 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they so choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, and also change their names, modify their identity documents, and undertake other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”

Continue Reading...

Massachusetts Regulatory Agency Revises the Massachusetts Data Security Breach Regulations and Further Extends Compliance Deadline

On Thursday, February 12, 2009, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) publicly disclosed key changes to the controversial Massachusetts data security breach regulations, 201 CMR 17.00. Taking into account testimony heard from business associations and employers at a public hearing last month, OCABR has further delayed the implementation deadline and somewhat loosened employers’ obligations with respect to third-party service providers and mandatory encryption requirements.

Highlights of the amendments to the regulations are:

Effective Date: Previously set to go into effect on May 1, 2009, the compliance date has been delayed until January 1, 2010.

Third-Party Service Providers: The original regulations required all employers to obtain: (a) by May 1, 2009, contractual assurances from their third-party vendors having access to Massachusetts residents’ personal information that the vendors are capable of safeguarding this information; and (b) by January 1, 2010, written certifications from each vendor that it has adopted a comprehensive information security program in compliance with Massachusetts regulations (201 CMR 17.00 et seq.).

Continue Reading...

Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined.

Continue Reading...

California Supreme Court Just Says "No" to Weed At Work

Gary Ross, the military veteran who urged his employer to accommodate his medical use of marijuana, has failed to convince the Supreme Court of California to revive his case.  On January 24, 2008, the Court affirmed (5 - 2) the trial and appellate court decisions that RagingWire Telecommunications was not required to employ Ross, who tested positive for marijuana, even though his use of the drug has been decriminalized under California’s Compassionate Use Act.

As discussed in an earlier posting, Ross argued that his former employer, RagingWire, had discriminated against him under the California Fair Employment and Housing Act by terminating him because of his positive drug test, which resulted from his use of marijuana for his disability.  He also alleged that he had been wrongfully discharged as a matter of public policy.  Yesterday’s decision rejects Ross’s disability discrimination claim for one simple reason:  The Compassionate Use Act provides only that individuals who use marijuana pursuant to a recommendation from a health care provider have a defense to criminal prosecution.  Noting that California voters cannot obscure federal laws which state that the drug poses a risk of abuse, the Court concluded that the Compassionate Use Act simply fails to address the rights of employers and employees.  The Court further observed that any effort to enact such a law would likely generate significant controversy, and it declined to read such a requirement into the limited protections of the statute.

Continue Reading...

Workplace Privacy and the MRSA "Superbug"

The rumors are flying: The TV news ran a story last night on the evacuation and de-contamination of the local public school after one of the football players missed Saturday’s game because of infection with the MRSA Superbug.  One of your employees happens to have a son on the football team, and she called in sick on the Monday after the game.  Employees who work in the area of her cubicle have “petitioned” HR not to let the mother return to work until she has submitted written documentation from her physician that she is not infected or contagious.  Where does HR even start to unravel the privacy concerns of the mother and her child, and how should those concerns be weighed against the health interests of the mother’s co-workers? 

The legal analyses related to this issue are among the most complex in the area of workplace privacy, involving the interplay of the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); state privacy statutes, such as California’s Confidentiality of Medical Information Act; state common law; and, at least in California, state constitutional law. 

Before wading into this quagmire, HR professionals should consider the following guidelines for balancing the privacy interests of potentially infected workers and the health interests of co-workers.

Continue Reading...

Is "Microchipping" Employees Ever A Viable Option?

The idea of mandatory “microchipping” — the practice of employers requiring employees to have a small computer chip inserted beneath the skin — triggers a high score on virtually any cringe meter.  According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute (“Workplace Survey on the Privacy Age Gap”) more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation. 

Mirroring this sentiment, in early September, the California Legislature sent to Governor Schwarzenegger for signature a bill which would prohibit any person from requiring, coercing or compelling “any other individual to undergo the subcutaneous implanting of an identification device.” [UPDATE:  Governor Schwarzenegger signed the bill into law].  An “identification device” is defined as one capable of transmitting personal information by radio frequency (RFID) or other means.

The only surprise about this bill is that California — the state most protective of individual privacy — is not the first to ban mandatory microchipping legislatively.  North Dakota and Wisconsin grabbed that honor, passing prohibitions on mandatory microchipping in April and May 2006, respectively.  Legislatures in seventeen other states — including Georgia, Michigan and New Jersey — are considering similar laws. 

From the employer’s perspective, these bills are, in a sense, irrelevant.  After all, what employer would dare risk the employee and public relations disaster of forcing employees to accept a microchip?

Continue Reading...

Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law

Misdirected e-mail, lost and stolen laptops, and security flaws in corporate websites, when they expose employee personnel information to unauthorized individuals, are now more than a potential embarrassment; they are a legal compliance challenge, especially for multi-state employers. With Massachusetts recently becoming the 39th state to pass a notice-of-security-breach statute, it is just a matter of time before all fifty states require notice of a security breach. While these statutes share a common thread, their requirements can materially vary, complicating the determination whether an employer has a legal obligation to notify employees and, if so, the steps that the employer must take to discharge its legal responsibilities.

Regrettably, it no longer is a matter of "if" but "when" human resources professionals and in-house counsel will be required to confront this legal compliance challenge. In a 2007 study conducted by the Ponemon Institute, a leading think tank on privacy and data protection, 85% of respondents had suffered a security breach within the previous 24 months, and 81% had been required to notify individuals of the breach. With the centralization and digitization of employees' personal data into computerized human resources information systems (HRIS), security breaches involving personnel information are likely to become increasingly common and involve ever larger numbers of current and former employees, raising the stakes each time a security breach occurs.

Reviewing the provisions of the new Massachusetts notice law with reference to the thirty-eight notice statutes which preceded it helps to highlight the most significant similarities and the most salient differences among these laws. With a full view of the variegated legislative landscape, employers can more readily determine when and how they are required to provide notice.  Click here to download and continue reading the full-length Littler Insight publication:  Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law.

What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

  • Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet — but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill.  Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.
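To give the incident response team something concrete for the dry run and the "determine your notice obligations" step, here is an added triage helper (example code, not from Littler or any statute) that applies the floor definition of "personal information" described above, with the hard-copy, encryption and security-code caveats the post mentions, and tallies affected employees per state of residence. The record layout and the sample breach are constructed for illustration; a True result only means the common floor is met, and counsel must still check each state's broader terms.

```python
from collections import Counter
from dataclasses import dataclass

# Data elements that, together with a name, meet the minimum definition
# shared by the 39 statutes (individual states may add more).
SIMPLE_IDENTIFIERS = {"ssn", "drivers_license"}

@dataclass
class ExposedRecord:
    state: str                  # employee's state of residence (constructed)
    fields: set                 # data elements exposed for this employee
    computerized: bool = True   # hard-copy loss generally falls outside the floor
    encrypted: bool = False     # the floor definition covers unencrypted data only
    code_required: bool = True  # does the financial account need a security code?

def has_name(fields: set) -> bool:
    # First name or first initial, plus last name.
    return "last_name" in fields and bool(fields & {"first_name", "first_initial"})

def meets_floor_definition(rec: ExposedRecord) -> bool:
    """True when the exposed data meets the common floor definition;
    False means 'check the specific statute', not 'no obligation'."""
    if not rec.computerized or rec.encrypted or not has_name(rec.fields):
        return False
    if rec.fields & SIMPLE_IDENTIFIERS:
        return True
    # An account number counts only with any security code needed to use it.
    return "account_number" in rec.fields and (
        not rec.code_required or "security_code" in rec.fields)

def affected_by_state(records) -> Counter:
    """Per-state count of employees whose records meet the floor definition."""
    return Counter(r.state for r in records if meets_floor_definition(r))

# Constructed sample: a payroll export on a stolen laptop (not a real incident).
SAMPLE = [
    ExposedRecord("MA", {"first_name", "last_name", "ssn"}),
    ExposedRecord("MA", {"first_initial", "last_name", "account_number", "security_code"}),
    ExposedRecord("OR", {"first_name", "last_name", "account_number"}),  # code not exposed
    ExposedRecord("OR", {"first_name", "last_name", "drivers_license"}, encrypted=True),
    ExposedRecord("CA", {"first_name", "ssn"}),                          # no last name
    ExposedRecord("CA", {"first_name", "last_name", "ssn"}, computerized=False),  # paper
    ExposedRecord("NY", {"first_name", "last_name", "account_number"}, code_required=False),
]

if __name__ == "__main__":
    for state, n in sorted(affected_by_state(SAMPLE).items()):
        print(f"{state}: {n} employee(s) meet the floor definition")
```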

New Oregon Law Imposes Most Stringent Information Security Standards Yet On Employers

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

  • Designate a security officer
  • Conduct a risk assessment
  • Assess the safeguards in place to manage the risks
  • Train employees in security policies and procedures
  • Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
  • Adjust the security program over time to meet changing circumstances
  • Implement adequate physical and technical safeguards
  • Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information, not as some extra effort but simply to comply with newly enacted state data protection legislation.