Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

• The School District did not have written policies and procedures regulating the use of Theft Tracker.
• Parents and students were not provided with an explanation of the program and not required to consent to its use.
• Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
• There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.

Although there are some differences in the privacy standards applicable to public sector and private employers, the standards are sufficiently similar that the Supreme Court’s decision likely will provide important guidance for employers on at least three issues. First, the law is relatively well settled that private employers can review any communications stored on a corporate e-mail server when the employer notifies employees of the monitoring, typically through an electronic resources policy. Quon is one of the first cases to address whether the same rule applies when the employee’s communication is transmitted through a third-party service provider under contract with the employer. The issue has gained increasing importance as an increasingly large number of employees use text messaging during the work day. (A case currently under consideration by the New Jersey Supreme Court, Stengart v. Loving Care, addresses an employee’s privacy expectations in copies of e-mail stored on a company-issued laptop that were sent through the employee’s personal e-mail account to her attorney.)

Second, the Supreme Court’s decision likely will address how a formal employment policy that otherwise would defeat an employee’s privacy expectation could be countermanded by an informal representation to a specific employee. Here, private employers likely will receive guidance on the types of informal statements that could be sufficient to countermand a formal policy as well as the degree of authority of the person making the informal statement necessary to override the formal policy.

Third, the Supreme Court also granted review on the question whether the senders of text messages to the SWAT officer had a reasonable expectation that his government employer would not read them. This question raises an issue that often is overlooked in cases revolving around an employer’s review of employee e-mail, i.e., the privacy interests of the sender. Without further development, it is difficult to anticipate the extent to which the Supreme Court’s ruling on this issue might affect private employers and what that affect might be.

Notably, the Supreme Court denied the service provider’s request for review of the Ninth Circuit’s ruling that the provider violated the federal Stored Communications Act by disclosing the SWAT officer’s text messages to the Department without his consent. Under the Act, a communications service provider, such as an ISP or cell phone provider, generally cannot disclose stored communications without the sender’s or recipient’s consent. An exception permits disclosure to the subscriber — the Department in the Quon case — when the provider is a “remote computing service.” The Ninth Circuit ruled that a “remote computing service” is akin to an electronic filing cabinet. Because the provider in the Quon case was a facilitator of communications, it was not a “remote computing service” and, therefore, could not take advantage of the exception. With the growing prevalence of “cloud computing” services, the proper definition of a “remote computing service” has become increasingly important. The Supreme Court’s decision to forego review of this issue leaves the Ninth Circuit’s ruling on this issue intact.

At bottom, Quon reflects the dynamic nature of the law governing technology in the workplace as communications technology rapidly moves beyond e-mail, and societal expectations change.

This entry was written by Philip L. Gordon

Photo credit: Niklas Bildhauer