Rep. Boucher's Privacy Bill Would Impose Substantial Burdens on Virtually All Employers

Perhaps providing the public with an opportunity to identify unanticipated consequences of long-awaited federal privacy legislation, Reps. Rick Boucher (D-Va.), Chairman of the House Energy and Commerce Subcommittee on Communications, Technology, and the Internet, and Cliff Stearns (R-Fla.), the panel's ranking member, have requested public comment on a privacy bill before formally introducing it. The bill, which has not yet received a title but apparently is intended to regulate on-line marketers, would impose substantial burdens on virtually every U.S. employer.

At its highest level, the draft bill would appear to require only that on-line retailers who annually collect personal information from more than 5,000 customers provide a privacy notice and obtain opt-out consent from consumers. Upon closer examination, however, the bill would require almost every employer, regardless of size, to provide every employee and apparently every job applicant with a privacy notice and obtain their affirmative opt-in consent to the employer’s collection, use and disclosure of certain categories of personal information.

As currently written, the draft bill broadly defines a “covered entity” to include any business that engages in interstate commerce and collects basic contact information, such as name, postal address, telephone or fax number, and e-mail address, and excludes from that definition businesses that collect such information from fewer than 5,000 individuals annually. The problem is that the exclusion does not apply to any covered business which collects “sensitive information.” The draft bill defines “sensitive information” to include medical records, race or ethnicity, religious beliefs, sexual orientation, precise geolocation information, and financial records and other information associated with a financial account, including account balances.

Virtually every employer collects at least one category of sensitive information as defined by the bill. Employers routinely obtain employee medical information at a minimum in connection with workers’ compensation claims and leave requests. Employers subject to regulation by the Equal Employment Opportunity Commission are required by law to collect information about race and ethnicity. Many employers obtain employees’ financial account information for direct deposit purposes. Finally, an increasing number of employers rely upon location-tracking technology to monitor employees who work primarily off-site.

The drafters also appear to have attempted to limit the burden of the bill on employers by providing that the consent requirement does not apply to the collection, use or disclosure of covered information for “operational purposes.” The draft bill defines “operational purposes” to include “carrying out an employment relationship with individuals.”

This apparent exemption of employers from the consent requirements, however, is illusory. The draft bill expressly prohibits the collection or disclosure of sensitive information “for any purpose” — including an operational/employment purpose — without providing the individual with the required privacy notice before collection and obtaining the individual’s “express affirmative consent” before collecting or disclosing the sensitive information. As noted above, virtually all employers routinely collect one or more categories of sensitive information as defined by the draft bill.

The notice and consent requirement could be substantially burdensome for employers. The notice requires that employers provide fifteen different categories of information regarding the employer's collection and use of the covered information. Employers might be able to satisfy the bill’s requirements with a single, omnibus privacy notice when an individual applies for a job or is first hired. Preparing the notice, however, could be a highly complex task. The bill, for example, mandates that the notice include “the specific purposes” for which the employer collects and uses covered information as well as how long the information will be retained. Employers use sensitive information, such as medical information, for a large number of “specific purposes.” In addition, retention periods for different categories of medical information — pre-employment physical vs. OSHA-mandated medical surveillance — and for other types of sensitive information can vary substantially.

The draft bill also potentially would permit disgruntled employees to wreak havoc with human resources administration. Under the draft bill, an employee’s withdrawal of consent bars the employer from “us[ing] covered information previously collected.” Taken literally, this provision would, for example, empower an employee to bar his employer from reporting his race or ethnicity to the EEOC.

The draft bill contains yet another dose of bitter medicine for employers. The bill arguably could be read to limit the notice and opt-in consent requirements for employers to the six categories of sensitive information described above. However, the draft bill provides that an employer cannot disclose any form of covered information — sensitive or non-sensitive — to a third-party service provider unless the employer has provided the notice described above and obtained, at a minimum, the employee’s opt-out consent. Given employers’ heavy and growing reliance on third-party service providers to perform human resources administration, compliance with this provision effectively would require most, if not virtually all, employers to provide notice with respect to their collection and use of non-sensitive information as well as sensitive information.

Finally, the draft bill’s requirements apply to the collection, use and disclosure of covered information about an “individual” without defining that term. “Individual,” on its face, encompasses not only job applicants and employees who reside in the U.S. and/or are U.S. citizens but any applicant or employee located anywhere in the world. In other words, the draft bill arguably would require a multinational employer that uses third-party service providers for human resources administration to provide notice and obtain consent from tens of thousands of job applicants and employees.

Given the potentially substantial burdens that the draft bill as currently written imposes on employers, they should carefully track this legislation and consider taking advantage of the thirty-day public comment period opened by the drafters.

This entry was written by Philip Gordon.
 

The Legal Perils of Social Media & Social Networking: Questions & Answers

On September 29, 2009, Littler Mendelson presented a webinar, hosted by HR.com, entitled, “Legal Perils of Social Media & Social Networking: What Every Employer Needs to Know.” Several of the attendees submitted questions by e-mail that could not be answered during the time allotted for the webinar. The answers to those questions are below.

Question: Because of the sketchy and inconsistent nature of HR policy around this topic, it seems reasonable for employees to ask for definition from their employers regarding use of social media to avoid being surprised should there be a potential issue. Would you agree?

Response: I would agree. The intersection of social networking sites and work is so new that accepted etiquette, custom, or norms have not yet developed. Employers can address this problem by establishing a policy that provides easily understood guidelines for employees’ social media activities whether authorized by the employer or not. Training also is very important in this area. Employers need to train managers and employees on how to respond to and handle the many complicated issues raised by the intersection of work and social media activity.

Question: What if employees are using their cell phones for social networking, not utilizing company technology? And what if they are doing it on their own time: breaks and lunch?

Response: Employers can establish guidelines for employees’ off-duty social media activities even if employees are using their own cell phones, laptops, desktops, or other personal devices. As discussed in the webinar, there are several laws that might restrict an employer’s ability to take adverse action based upon an employee’s off-duty social networking activities. These laws include, for example, the National Labor Relations Act, state laws that prohibit adverse action based on an employee’s lawful off-duty activities, the First Amendment for public employers, and anti-discrimination laws.

Question: Can you expand upon the scope of First Amendment protections and the Connecticut law that you mentioned during the webinar?

Response: One common misconception is that the First Amendment protects all employees against adverse action based on their speech. In fact, the First Amendment protects only public employees. However, Connecticut has an unusual law (Conn. Gen. Stat. 31-51q) that extends First Amendment protections to private employees. A private employer violates the law by terminating a Connecticut employee on account of that employee's exercise of rights guaranteed by the First Amendment--provided such activity does not substantially or materially interfere with the employee's bona fide job performance or the working relationship between the employee and the employer.

Question: Can employees assume that because the company hasn't blocked a social site from being accessed that it must be okay for them to use it during the day?

Response: Employees might make that assumption if the employer does not have any policy addressing Internet use generally or social media use in particular, or if a general Internet policy permits incidental non-business use of the employer’s Internet access. An employer can defeat the assumption without blocking access to social media sites by specifically informing employees in a policy that use of the employer’s electronic resources to access social media sites for non-business purposes is prohibited. For the policy to eliminate an assumption like this one, management and human resources professionals need to communicate about, and consistently enforce, the policy. In this regard, HR and managers should work together to remain well versed on best practices and ongoing developments in this area.

This entry was co-written by Philip L. Gordon and Kevin P. O'Neill.

Philip Gordon Answers Questions About Workplace Privacy Issues

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”
 

IAPP Practical Privacy Series: Human Resources 2008

Workplace privacy obligations continue to grow more burdensome for employers. As more information about workers becomes readily available, employers are often caught between a sense that failing to use that information may lead to negligent hiring and retention claims, and a fear that using or disseminating information that is private or protected will lead to litigation in its own right.

Littler Mendelson is a member of the International Association of Privacy Professionals, and a Gold Sponsor of the IAPP's "Practical Privacy Series Human Resources 2008" conference. The conference, which will take place in New York City on June 17, will cover a range of topics, including:

  • "What to Do When a Human Resources Security Breach Inevitably Occurs":  A security breach involving human resources data is high-stakes for organizations. This presentation focuses on the most common causes of HR security breaches and explains from the trenches how to respond in compliance with applicable notice laws, and without a disgruntled workforce when the dust clears;
  • "It's 10:00 A.M. -- Do You Know Where Your Employees Are and What They Are Doing?": New technology offers employers ever more sophisticated tools to keep tabs on their employees, but to what extent does this monitoring expose them to liability? This session examines the evolving U.S. law on these issues and discusses the challenges for global employers confronting data protection regimes modeled on the EU Data Protection Directive;
  • "H.R. Risk Assessments": Safeguarding HR information often plays second fiddle to seemingly more imperative privacy data, such as patient or customer information. Yet it can be among the most sensitive at an organization. This presentation highlights key lessons learned from HR privacy risk assessments across industries, and from helping organizations remediate weaknesses in their control environments. This session looks into the logistics of operationalizing a response program and handling specific recurring incidents; 
  • Littler's own Phil Gordon will speak on "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?": With ready access to sensitive personal information, employers are under increasing scrutiny to maintain a workforce that is beyond reproach. Social networking sites, blogs and other resources offer a wealth of information on candidates and employees. How deeply should employers tap these new information sources? This presentation will help frame the debate for your own organization; and
  • I'll be talking about how--and when--an employer can use sensitive medical information in the employment context in a presentation called "How To Handle Employee Health Information And Drug And Alcohol Testing In Compliance With The Alphabet Soup Of State And Federal Confidentiality Requirements": Managing employees’ health is a critical business imperative. Employers confront a maze of laws and regulations governing the confidentiality of employee health information, and dire consequences for mishandling such information. This session addresses questions on collecting, using, storing, documenting and disclosing employee health information, among other concerns.

If you are interested in these topics, or know someone who is, go to International Association of Privacy Professionals and click on the box titled "Practical Privacy Series." We'd love to see you there!

Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law

Misdirected e-mail, lost and stolen laptops, and security flaws in corporate websites, when they expose employee personnel information to unauthorized individuals, are now more than a potential embarrassment; they are a legal compliance challenge, especially for multi-state employers. With Massachusetts recently becoming the 39th state to pass a notice-of-security-breach statute, it is just a matter of time before all fifty states require notice of a security breach. While these statutes share a common thread, their requirements can materially vary, complicating the determination whether an employer has a legal obligation to notify employees and, if so, the steps that the employer must take to discharge its legal responsibilities.

Regrettably, it is no longer a matter of "if" but "when" human resources professionals and in-house counsel will be required to confront this legal compliance challenge. In a 2007 study conducted by the Ponemon Institute, a leading think tank on privacy and data protection, 85% of respondents had suffered a security breach within the previous 24 months, and 81% had been required to notify individuals of the breach. With the centralization and digitization of employees' personal data into computerized human resources information systems (HRIS), security breaches involving personnel information are likely to become increasingly common and involve ever larger numbers of current and former employees, raising the stakes each time a security breach occurs.

Reviewing the provisions of the new Massachusetts notice law with reference to the thirty-eight notice statutes which preceded it helps to highlight the most significant similarities and the most salient differences among these laws. With a full view of the variegated legislative landscape, employers can more readily determine when and how they are required to provide notice. The analysis continues in the full-length Littler Insight publication, "Employers Face New Compliance Challenges As Massachusetts Becomes the 39th State to Enact a Security Breach Notice Law," which is available for download.