Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, although, in the director’s assessment, current technology does not permit encryption of personal information stored on a hand-held device, such as a BlackBerry® or a smartphone, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.

Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:

  • Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information cannot be accessed through a secure, remote connection to the corporate server;
  • In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
  • Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a remote-wipe “kill signal” that will delete all information from the device;
  • Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
  • Multi-state employers should consider applying these steps to all employees, not just those located in Massachusetts. 

This entry was written by Philip L. Gordon.
 

Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies

As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor sued the Justice Department for an allegedly improper leak concerning an investigation into charges that he had engaged in prosecutorial misconduct. He sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battle by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

  • Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
  • Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
  • Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.

It's Time To Dust Off Your "Use Of Electronic Resources Policy"

Certain provisions of employer policies governing the use of electronic resources have become mantra: “Employees should have no expectation of privacy in their e-mail or Internet use”; “Employer reserves the right to access, monitor, and review any communication sent or received using corporate communications resources”; “Corporate communications resources cannot be used to send or receive harassing, pornographic, or offensive messages,” etc. But employers who do not want their policies to become anachronistic should review and update those policies regularly to stay abreast of new technologies and new uses of technologies flooding the workplace, as well as recent developments in pertinent case law. Here are a few changes to consider. We will follow with more in future blog entries:

            Blogging:  Blogging by employees is common.  With more than 70 million blogs on the World Wide Web and nearly 1.4 million new blog entries daily, employers need to consider the impact that employee blogging may have on their business and workplace.  Employers who do not endorse blogging should consider adding to their electronic resources policy a provision which bars employees from using corporate communications resources to view or post to any blog that is unrelated to work.  Employers also should consider a separate blogging policy to address off-duty blogging on the employee’s own time. 

            Video In The Workplace:  That employee who has spent the last three hours glued to her computer monitor without pause may be watching Gone With The Wind.  According to a recent Pew Foundation study, 57% of online adults have used the Internet to watch or download video, and 19% do so on a typical day.  Three-quarters of broadband users (74%) who enjoy high-speed connections at both home and work watch or download video online.  Employers who do not currently prohibit viewing or downloading video unrelated to work should now consider doing so before “bandwidth hogs” interfere with business operations.

            Web-Based E-Mail:  According to a report in the New York Times earlier this year, employees frequently rely on their personal Web-based e-mail accounts to conduct business or to store business-related material.  This trend raises a host of issues for employers including the inability to monitor the messages, if necessary, and the difficulty of preserving the messages as part of the litigation hold process.  Employers should consider barring employees from using personal Web-based e-mail for business purposes.

            Electronic Communications May Be Disclosed To Law Enforcement: Recent cases, such as United States v. Ziegler, Doe v. XYC Corp., and United States v. Angevine, suggest that child pornography in the workplace is becoming all too common. When the child pornography is disclosed to law enforcement authorities without a warrant, the employee may be able to succeed in suppressing the evidence, thereby defeating the criminal investigation – as happened in United States v. Long, 64 M.J. 57 (C.A.A.F. 2006). Employers can make this result less likely by warning employees that their electronic communications may be disclosed to law enforcement authorities if they create a suspicion of criminal conduct.