Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budges, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although current technology does not permit encryption of personal information stored on a hand-held device, such as a Blackberry® or a Smartphone®, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

• Email This
• Print
• Trackbacks
• Share Link

Identity theft is a booming business. Each year, millions of Americans fall victim to identity theft or have their personal privacy otherwise compromised through unlawful means. Whether it comes in the form of a lost or stolen credit card, or computer hackers accessing social security numbers from employment records, financial institutions, medical records, or government agencies, the costs are staggering. Studies demonstrate that victims spend anywhere from a few hours to, in some cases, literally thousands of hours working to repair damage done by identity theft. Investigations related to identity theft often take months – or sometimes years – to resolve. Reports have estimated that hundreds of billions of dollars per year are lost by businesses worldwide due to identity theft. Individual victims sometimes lose thousands of dollars in wages resolving their cases, and can spend several hundred (sometimes thousands) of dollars in various expenses related to their case.

In an effort to combat ID theft, more than thirty states (including California, New York, Illinois, and Pennsylvania) have enacted laws restricting certain uses and disclosure of social security numbers. The federal judiciary has taken note – and is following suit. Recent revisions to the Federal Rules of Civil Procedure (FRCP) now require attorneys to redact certain personal identifying information of individuals involved in litigation when filing documents in federal court – either electronically or in traditional paper format. 

Revised FRCP 5.2(a) reads:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and
(4) last four digits of the financial-account number.

• Email This
• Print
• Trackbacks
• Share Link

Less than one week after a state court judge halted New York state’s emergency regulation requiring mandatory H1N1 flu shots for most health care workers, Governor Paterson announced that the State Health Commissioner is suspending the requirement due to a limited supply of vaccine - approximately 23% of the anticipated amount. Available vaccines will instead be used for populations most at risk of serious illness or death, e.g., pregnant women and young people between the ages of 6 months and 24 years.

This entry was written by Philip L. Gordon.

• Email This
• Print
• Trackbacks
• Share Link

In response to the swine flu pandemic sweeping the nation, New York in August 2009 became the only state in the United States to adopt an emergency regulation requiring most health care workers who come into contact with patients to get annual vaccinations for both seasonal and swine flu (H1N1) by no later than November 30, 2009. The regulation, issued by the New York State Commissioner of Health, provides a limited exemption for workers with “medical contraindications,” but not for those with a religious or ideological opposition to the vaccination.

In response to the emergency regulation, several unions and other groups filed suit in New York, challenging the mandatory vaccinations and the authority of the New York State Health Commissioner to institute mandatory vaccinations.

• Email This
• Print
• Trackbacks
• Share Link

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

• New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.

• Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreement entered after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.

• Email This
• Print
• Trackbacks
• Share Link

Texas recently enacted a law, effective September 1, 2009, that criminalizes online harassment. Texas joins other states, including Nevada, New York and Tennessee, which have enacted similar legislation criminalizing the use of electronic communication devices to commit criminal stalking and harassment.

Although speaking in terms of “online harassment,” the law is aimed at outlawing online impersonation with the intent to cause harm. Thus, the law outlaws the unauthorized use of another’s name or persona to create a web page, or to post one or more messages on a commercial social networking site, with the intent to defraud, harm, intimidate or threaten another person. This offense is a third-degree felony, punishable by two to ten years imprisonment and a fine not to exceed $10,000.

• Email This
• Print
• Trackbacks
• Share Link

Even a brief posting of private information on an Internet site amounts to “publicity per se” sufficient to support a civil action for invasion of privacy, according to a three judge panel of the Minnesota Court of Appeals in Yath v. Fairview Clinics, filed June 23, 2009. Candace Yath was a patient at the defendant clinic, where she sought testing for sexually transmitted diseases because she had a new sex partner. She was observed there by a clinic employee, Tek, who was an acquaintance. Tek later (and in violation of clinic policy) accessed Yath’s medical file, learning of Yath’s new sex partner (Yath was at the time married but estranged from her husband) and that Yath had been diagnosed with a sexually transmitted disease. Tek informed a second person, also an acquaintance (and relative) of Yath about the medical file information. Word soon spread to a group of people, including Yath’s husband.

One month later a web page appeared at MySpace.com bearing the title “Rotten Candy,” and including a photo of Yath and the contents of her medical file. The MySpace page asserted that “Rotten Candy” has a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. After learning about the Internet posting, the clinic manager investigated. When the manager first accessed the webpage, it listed only six “friends,” indicating that at least six persons had accessed the page. When the manager tried again to access the web page, one or two days later, the webpage had been removed.

• Email This
• Print
• Trackbacks
• Share Link

Transgender individuals have good reason to be concerned about expressing their gender identity in the workplace. According to recent studies, at least one in five transgender individuals reports experiencing employment discrimination. A review of six studies conducted between 1996 and 2006 showed the following concerning reports of mistreatment in the workplace based on gender identity:

• 13%-56% of transgender individuals had been fired;
• 13%-47% had been denied employment;
• 22%-31% had been harassed, either verbally or physically, in the workplace; and
• 19% had been denied a promotion due to their transgender status.

Most employees choose whether, when, and to whom they disclose certain personal information at work. However, transgender individuals who decide to transition from one gender to another while remaining with their current employer do not have the same luxury. This largely is due to the inherently public nature of the transition. Indeed, an employee who intends to undergo a gender transition generally is required to live full-time in their new gender role for at least a year before becoming eligible to undergo sex reassignment and reconstruction surgery (if they so choose to have surgery, which many do not). During this time frame, transgender individuals often seek a variety of medical treatments, including hormone therapy, as well as change their names, modify their identity documents, and other procedures. As a result, employers and co-workers necessarily, but often reluctantly, become involved in a transitioning employee’s gender transition. While a gender transition is an inherently private process, it necessarily becomes known to co-workers at some point by the very nature of the “transition.”

• Email This
• Print
• Trackbacks
• Share Link

On Thursday, February 12, 2009, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) publicly disclosed key changes to the controversial Massachusetts data security breach regulations, 201 CMR 17.00. Taking into account testimony heard from business associations and employers at a public hearing last month, OCABR has further delayed the implementation deadline and somewhat loosened employers’ obligations with respect to third-party service providers and mandatory encryption requirements.

Highlights of the amendments to the regulations are:

Effective Date: Previously set to go into effect on May 1, 2009, the compliance date has been delayed until January 1, 2010.

Third-Party Service Providers: The original regulations required all employers to obtain: (a) by May 1, 2009, contractual assurances from their third-party vendors having access to Massachusetts residents’ personal information that the vendors are capable of safeguarding this information; and (b) by January 1, 2010, written certifications from each vendor that it has adopted a comprehensive information security program in compliance with Massachusetts regulations (201 CMR 17.00 et seq.).
 

• Email This
• Print
• Trackbacks
• Share Link

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined. Continue reading. . .

• Email This
• Print
• Trackbacks
• Share Link

Gary Ross, the military veteran who urged his employer to accommodate his medical use of marijuana, has failed to convince the Supreme Court of California to revive his case.  On January 24, 2008, the Court affirmed (5 - 2) the trial and appellate court decisions that RagingWire Telecommunications was not required to employ Ross, who tested positive for marijuana, even though his use of the drug has been decriminalized under California’s Compassionate Use Act.

As discussed in an earlier posting, Ross argued that his former employer, RagingWire, had discriminated against him under the California Fair Employment and Housing Act by terminating him because of his positive drug test which resulted form his use of marijuana for his disability.  He also alleged that he had been wrongfully discharged as a matter of public policy.  Yesterday’s decision rejects Ross’s disability discrimination claim for one simple reason:  The Compassionate Use Act provides only that individuals who use marijuana pursuant to a recommendation from a health care provider have a defense to criminal prosecution.  Noting that California voters cannot obscure federal laws which state that the drug poses a risk of abuse, the Court concluded that the Compassionate Use Act simply fails to address the rights of employers and employees.  The Court further observed that any effort to enact such a law would likely generate significant controversy, and it declined to read such a requirement into the limited protections of the statute.

• Email This
• Print
• Trackbacks
• Share Link

The rumors are flying: The TV news ran a story last night on the evacuation and de-contamination of the local public school after one of the football players missed Saturday’s game because of infection with the MRSA Superbug.  One of your employees happens to have a son on the football team, and she called in sick on the Monday after the game.  Employees who work in the area of her cubicle have “petitioned” HR not to let the mother return to work until she has submitted written documentation from her physician that she is not infected or contagious.  Where does HR even start to unravel the privacy concerns of the mother and her child, and how should those concerns be weighed against the health interests of the mother’s co-workers? 

The legal analyses related to this issue are among the most complex in the area of workplace privacy, involving the interplay of the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); state privacy statutes, such as California’s Confidentiality of Medical Information Act; state common law; and, at least in California, state constitutional law. 

Before wading into this quagmire, HR professionals should consider the following guidelines for balancing the privacy interests of potentially infected workers and the health interests of co-workers.

• Email This
• Print
• Trackbacks
• Share Link

The idea of mandatory “microchipping” — the practice of employers requiring employees to have a small computer chip inserted beneath the skin — triggers a high score on virtually any cringe meter.  According to a 2007 study conducted jointly by Littler Mendelson and the Ponemon Institute (“Workplace Survey on the Privacy Age Gap”) more than 90% of respondents, regardless of age, responded that mandatory microchipping by their employer would constitute a privacy violation. 

Mirroring this sentiment, in early September, the California Legislature sent to Governor Schwarzenegger for signature a bill which would prohibit any person from requiring, coercing or compelling “any other individual to undergo the subcutaneous implanting of an identification device.” [UPDATE:  Governor Schwarzenneger signed the bill into law].  An “identification device” is defined as one capable of transmitting personal information by radio frequency (RFID) or other means. 

The only surprise about this bill is that California — the state most protective of individual privacy — is not the first to ban mandatory microchipping legislatively.  North Dakota and Wisconsin grabbed that honor, passing prohibitions on mandatory microchipping in April and May 2006, respectively.  Legislatures in seventeen other states — including Georgia, Michigan and New Jersey — are considering similar laws. 

• Email This
• Print
• Trackbacks
• Share Link

Misdirected e-mail, lost and stolen laptops, and security flaws in corporate websites, when they expose employee personnel information to unauthorized individuals, are now more than a potential embarrassment; they are a legal compliance challenge, especially for multi-state employers. With Massachusetts recently becoming the 39th state to pass a notice-of-security-breach statute, it is just a matter of time before all fifty states require notice of a security breach. While these statutes share a common thread, their requirements can materially vary, complicating the determination whether an employer has a legal obligation to notify employees and, if so, the steps that the employer must take to discharge its legal responsibilities.

Regrettably, it no longer is a matter of "if", but "when," human resources professionals and in-house counsel will be required to confront this legal compliance challenge. In a 2007 study conducted by the Ponemon Institute, a leading think tank on privacy and data protection, 85% of respondents had suffered a security breach within the previous 24 months, and 81% had been required to notify individuals of the breach. With the centralization and digitization of employees' personal data into computerized human resources information systems (HRIS), security breaches involving personnel information are likely to become increasingly common and involve ever larger numbers of current and former employees, raising the stakes each time a security breach occurs.

Reviewing the provisions of the new Massachusetts notice law with reference to the thirty eight notice statutes which preceded it helps to highlight the most significant similarities and the most salient differences among these laws. With a full view of the variegated, legislative landscape, employers can more readily determine when and how they are required to provide notice.  Click here to download and continue reading full-length Litter Insight publication:  Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law.

 

• Email This
• Print
• Trackbacks
• Share Link

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39^th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

•  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
• Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
• Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
• Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
• Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

• Email This
• Print
• Trackbacks
• Share Link

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

• Designate a security officer
• Conduct a risk assessment
• Assess the safeguards in place to manage the risks
• Train employees in security policies and procedures
• Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
• Adjust the security program over time to meet changing circumstances
• Implement adequate physical and technical safeguards
• Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.

• Email This
• Print
• Trackbacks
• Share Link