What Does the "Year of the Tablet" (or of the iPad) Mean for Employers?

On the first business day of 2011, the New York Times reported that Apple’s rivals had proclaimed 2011 to be their year to recapture a slice of the tablet market, currently dominated by the iPad. Since the iPad’s launch in April 2010, Apple has sold more than 4 million of its tablets; some commentators predict that Apple will sell tens of millions more iPads in 2011. Adding to the flood of tablets into the marketplace, and into the workplace, corporate IT departments are getting into the act. According to a recent report by ChangeWave, only 1% of corporate IT buyers reported in August 2010 that their organization provided employees with a tablet, but that number jumped to 7% in November 2010, and 14% of respondents stated that their organization plans to buy tablets in Q1 of 2011. Even the public sector is turning to the iPad. The Virginia legislature recently purchased 45 iPads for selected legislators and staffers in an effort to reduce the use of paper.

These trends pose serious challenges for corporate HR, Legal, and IT departments that should be addressed — or at least considered — before the “tablet tsunami” hits with full force. To begin with, employees in many organizations — often senior executives who scored an iPad as a holiday present — are clamoring to connect their iPad to the corporate network or are using the iPad for work even if the IT department refuses a connection. In fact, the iPad may represent a turning point in the battle between businesses and their workforce over the use of personal devices to conduct business. According to a November 2010 study by Ovum, approximately 50% of employees already are permitted to connect their personal devices to the corporate network. Because the iPad is so enjoyable and easy to use, that percentage is likely to surge in the next year or two as organizations bow to employee demands to use their personal iPad (or other tablet) for work.

The fundamental problem with the trend toward employee use of personal devices is the organization’s potential loss of control over its information and its information security. Employees, for example, might not take steps, such as enabling a passcode lock, to secure their personal devices against unauthorized access. Employees can refuse to permit access to their personal device when the organization needs it to conduct a workplace investigation or to satisfy its e-discovery obligations. As a third example, an employee who loses a personal device may be loath to send a “kill command” (assuming the employee has enabled the ability to do so) out of concern for losing personal files, e-books, music, photos, and video, even if the lost device puts corporate information at risk.

Organizations can try to regain a modicum of control by issuing corporate iPads or other tablets, but that will not solve all of the problems. Anyone who has used an iPad knows that a no-personal-use policy would be like telling Adam not to take a bite of the biblical apple. Indeed, according to the Ovum study referenced above, 70% of employee-respondents stated that their organization (apparently bowing to the inevitable) permits them to use company-issued devices for personal purposes. Thus, company-owned tablets likely will hold an agglomeration of personal and business documents, complicating searches, electronic discovery, and access to business information when an employee is unavailable.

What issues should HR, Legal, and IT be considering? They include the following:

  • How can the organization help its workforce enable the security features of their personal devices to make them more secure?
  • Should the organization require employees to load anti-malware software (to the extent available) onto their personal devices to reduce the risk of infecting corporate networks?
  • To what extent is information stored on employees’ personal devices encrypted so that the organization can benefit from the “encryption safe harbor” in security breach notification laws if a device is lost or stolen?
  • If the personal device is not, or cannot be, encrypted, how will the organization determine the full scope of business information stored on the device to satisfy its breach notification obligations?
  • How can the organization arrange to send a “kill command” to an employee’s personal device without violating state and federal computer trespass laws as well as potential liability for destruction of the employee’s digital belongings stored on the device?
  • What type of monitoring, if any, will the organization conduct when an employee connects a personal device to the corporate network?
  • How will the organization ensure that the monitoring of a personal device, which likely includes substantial information that the employee considers to be private, does not violate applicable privacy laws?
  • How will the organization gain access to relevant information stored on the personal device when needed for a workplace investigation, especially where the employee-owner of the personal device is the target of an unannounced investigation?
  • Will the organization be responsible for preserving business information stored on the personal device when the organization is sued or threatened with a lawsuit?
  • How will the organization collect discoverable information from a personal device while avoiding allegations of invasion of privacy by the employee-owner?

Grappling with these issues in advance, before a personal device loaded with sensitive employee, customer or business information is lost or stolen, and before a subordinate complains that a manager propositioned her through his “mixed-use” personal device, will go a long way towards protecting the organization’s interests.

This entry was written by Philip Gordon.

Photo credit: kupicoo

After Starbucks Laptop Is Stolen, Alleged Victims of Identity Theft Win Pyrrhic Victory

In a recent published decision, the Ninth Circuit Court of Appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.

In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and social security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:

  • One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of-pocket for credit monitoring services once the free service expires.
  • The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
  • The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.

In its decision, the Ninth Circuit addressed the issue of whether the plaintiffs had standing to sue Starbucks. All parties agreed that standing requires a plaintiff to show that: (1) he or she has suffered an injury that is concrete and particularized, as well as actual or imminent rather than conjectural or hypothetical (injury in fact); (2) the injury in fact is fairly traceable to the challenged action of the defendant (causation); and (3) it is likely that the injury will be redressed by a favorable decision (redressability).

Starbucks conceded both causation and redressability, so the Ninth Circuit addressed only injury in fact. It noted that the alleged victim of identity theft would have an injury in fact when he or she faces a credible threat of harm. It then held that each of the plaintiffs below had alleged a credible threat of real and immediate harm stemming from the theft of the Starbucks laptop. In so doing, the Ninth Circuit reached a result similar to that of the Seventh Circuit, but contrary to the application of what appears to be a stricter standard in the Sixth Circuit.

In a second, unpublished memorandum opinion issued the same day, the Ninth Circuit held that even if the plaintiffs' allegations were true, they would not support a claim under state tort or contract law. Under Washington law, said the court, “[t]he mere danger of future harm, unaccompanied by present damage,” was insufficient to support a negligence claim. The court then rejected the plaintiffs’ argument that there was an implied contract between the plaintiffs and Starbucks and dismissed both claims.

Although Starbucks ultimately prevailed, this case underscores three practical lessons. First, employers continue to incur attorneys’ fees, litigation and credit monitoring costs, and the imputed costs associated with staff resources that must be devoted to defending against such class action lawsuits. Second, the prospect of having to incur such costs creates a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. Third, the putative plaintiff class included former employees, highlighting the need to extend safeguards to the personal information not only of current employees but also of job applicants and former employees.

This entry was written by Christopher M. Leh and Philip L. Gordon.

FTC Releases Privacy Report Advocating Modified Regulatory Approach

Earlier this month, the Federal Trade Commission (FTC) released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report advocates a regulatory framework that, if adopted, would modify the FTC’s previous approach toward the privacy issues over which it has jurisdiction. If the FTC were to adopt the new privacy framework, employers would need to focus new and greater attention on training their workforce about privacy and on building privacy into the business processes that their workforce is required to execute.

The FTC is empowered to take action against deceptive or unfair acts or practices. It also has authority to regulate privacy issues through enforcement of statutes regarding specific business sectors, including certain financial institutions, children’s online activities, e-mail marketing, and telemarketing. The Commission’s primary role in workplace privacy arises from the Fair Credit Reporting Act (FCRA), which protects consumers’ sensitive credit, insurance and employment information and, for example, requires an employer to obtain written authorizations from job applicants and employees before obtaining background information about them through third parties and to provide notice to applicants if the employer declines to hire them because of that information.

To address privacy issues, the FTC has focused on two regulatory models:

  • The notice-and-choice model “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices.” (Report at iii.)
  • The harm-based model “focuses on protecting consumers from specific harms – physical security, economic injury, and unwanted intrusions into their daily lives.” (Id.)

Rather than advocating abandonment of these approaches, the report notes the drawbacks of each one: the notice-and-choice model has led to lengthy privacy policies that are neither read nor understood by consumers; the harm-based model has failed to adequately protect privacy interests that cannot be easily measured in monetary terms, such as reputational harm and the fear of being subjected to unwanted tracking in cyberspace. (Id.) Further, technological advancements have challenged both models:

  • Companies can collect, store, manipulate and share consumer data at minimal cost.
  • Companies can collect and use consumers’ information in ways that often are invisible to consumers.
  • The distinction between personally identifiable information and non-personally identifiable information has become blurred. Consumers want strong privacy protections; at the same time, the free flow of information is critical to providing the goods and services they expect.

The report proposes an alternative, three-part framework for future privacy regulation by the FTC:

  1. Privacy by Design, an approach in which companies would promote consumer privacy throughout their organizations and at every stage of the development of their products and services. They would build into their everyday practices privacy protections, such as reasonable security for consumer data, collection of only the data needed for a specific business purpose, retention of data only as long as necessary to fulfill that purpose, safe disposal of data no longer being used, and implementation of reasonable procedures to promote data accuracy. (Report at v.) This approach also would include the assignment of privacy officers, privacy training, and internal privacy reviews when new products and services are developed.
  2. Simplified Consumer Choices. Companies would not need to provide choices to consumers before collecting and using their data for commonly accepted practices such as purchase order fulfillment. But for practices that would result in a material change from a customer’s expected use of personal data, companies would offer the choice at the time, and in the context, in which the consumer decides whether to provide his or her data and authorize its use.
  3. Greater Transparency in Data Practices. Companies would clarify, shorten and standardize privacy notices, provide reasonable access to the personal data they maintain about a person based on the sensitivity of the kind of data and the nature of its use; provide prominent disclosures; and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.

Whether the FTC will adopt the framework outlined in the preliminary staff report after the public comment period ends on January 31, 2011, is unclear. But if the report is adopted, it likely will be over objection. Two of the five Commissioners issued concurring written statements to the report in which they questioned whether a new or modified model is necessary or desirable.

If the report is adopted, employers would need to consider the following implications:

  • Increased Need for Privacy Training for All Employees. “Privacy by design” entails efforts at every level of a business to protect the private information of consumers during the entire data life cycle, from collection to use to transfer to storage to destruction. The population of employees who should receive privacy training likely will expand materially.
  • Institution of Privacy Reviews During Product and Service Development. Another implication of “privacy by design” is the need to scrutinize privacy issues during the service- or product-development process. That would necessarily require a broader group of employees with expertise in the area of privacy than most organizations currently have.
  • Increased Need for Employee Sensitivity to Private Customer Information at Key Points in Business Transactions. The FTC’s new framework would require a business to give customers “just in time” choices about whether and how to use sensitive data. Automated notices and prompts would help solve some of these issues in online transactions. But with respect to phone or face-to-face transactions, employees would have to be vigilant to both identify those key decision points in business transactions and then respond appropriately.

This entry was written by Christopher M. Leh.

New Oregon Law Restricting Use Of Credit Checks For Employment Purposes May Signal National Trend

Last week, Oregon joined a growing national trend, apparently a response to the recession and the foreclosure crisis, toward restricting the ability of employers to use credit history in employment decisions. Under the Oregon law, it is an unlawful employment practice, except in limited circumstances, for an Oregon employer to use credit history in making hiring decisions or any decision affecting current employees. The law confers on Oregon employees the right to file an administrative complaint or a private lawsuit claiming that the law has been violated. Employees who prevail may recover lost wages and attorney fees. The law becomes effective July 1, 2010.

Hawaii and Washington have recently enacted similar laws. Bills currently are pending in the following states: Connecticut, Illinois, Maryland, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont, and Wisconsin. Legislation also is pending in the United States House of Representatives to amend the Fair Credit Reporting Act to prohibit use of consumer credit checks in employment decisions.

There are several exceptions to the new Oregon prohibition. Specifically, federally insured banks and credit unions, businesses required by law to consider employee credit history, and police and other public employers hiring for law enforcement and airport security may still conduct credit checks. In addition, the law contains a somewhat vaguely worded exception that permits employers to conduct credit checks for “substantially job-related reasons,” so long as those reasons are disclosed to the employee in writing.

Employers should exercise caution in applying the “substantially job related” exception. It is unclear as yet how that exception will be interpreted, either by regulation or the courts. In the meantime, employers should consider obtaining a credit check on an applicant or employee only in those situations where the results of the check would have a significant bearing upon the determination whether the applicant or employee can perform essential job functions and even then should consult with counsel before relying on this exception.

This entry was written by Philip L. Gordon and Jennifer A. Nelson.

Massachusetts Regulators Provide Significant Insight Into Enforcement of Stringent Information Security Regulations That Are Effective as of Today (March 1, 2010)

Touted as the most stringent information security regulations to date, Massachusetts’ requirements—applicable to both customer and employee personal information—mandate the implementation of a comprehensive written information security program. As explained in previous blog posts, the regulations require “cradle-to-grave” protections for the following categories of information about Massachusetts residents when combined with first name or initial and last name: Social Security number, driver’s license and other government-issued identification number, debit or credit card number, and financial account number. One critical question for organizations, particularly those grappling with tightened budgets, is where to focus limited resources in light of the enforcement risk. Recent statements by Massachusetts regulators provide a view towards the answer.

In an interview published on February 27 in BNA’s Privacy and Security Law Report, the director of the agency that promulgated the regulations, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR), made three statements that could have an important bearing on enforcement. First, OCABR takes the position that the regulations apply even when the personal information of Massachusetts employees is stored in a centralized human resources database located at a corporate headquarters outside of Massachusetts. Second, in the director’s view, employers have virtually no excuse for failing to encrypt personal information stored on laptops. Third, because the director does not regard current technology as permitting encryption of personal information stored on a hand-held device, such as a BlackBerry® or other smartphone, employers should consider other steps that will limit the risk to Massachusetts personal information if the hand-held device is lost or stolen.

During a presentation at the Massachusetts Information Security Summit on January 27, the chief of the consumer protection division for Massachusetts’ Office of the Attorney General, which will be responsible for enforcing the regulations, suggested that his office will not be conducting compliance audits. Rather, the office will select potential targets for enforcement from security breach notifications. Under Massachusetts law, such notifications must be sent to affected Massachusetts residents and to the Attorney General’s Office when unencrypted Massachusetts personal information has been acquired or used by an unauthorized person in a manner that creates a substantial risk of identity theft or fraud.

Given that the loss and theft of portable devices is one of the likeliest causes of a security breach and in light of these regulators’ recent statements, employers can substantially reduce the risk of an enforcement inquiry or action by focusing particular attention on those devices. Policies to consider include the following:

  • Prohibit employees from storing personal information on a laptop except in those limited circumstances, such as the need to work on an airplane, where the information cannot be accessed through a secure, remote connection to the corporate server;
  • In the limited circumstances where employees can permissibly store personal information on a laptop, require the installation of disk-based encryption and the deletion of the personal information from the laptop when the business purpose has been accomplished;
  • Train employees not to store any personal information on a hand-held device and to immediately report the loss or theft of a hand-held device so that the company can send a “kill signal” that will delete all information from the device;
  • Train employees to save an e-mail or attachment containing personal information to the network server and permanently delete the e-mail from their e-mail inbox, thereby eliminating the ability to access those e-mails from a hand-held device; and
  • Multi-state employers should consider applying these steps to all employees, not just those located in Massachusetts. 

This entry was written by Philip L. Gordon.

Firestorm Over Change in Facebook's Privacy Settings Has Important Implications for Employers

This past week, Facebook asked each of its 350 million users whether they wanted to change their privacy settings to new settings offered by Facebook. The request ignited a firestorm among privacy advocates who believed that the changes meant less privacy for users. At the same time, the request forced users to consider their old settings and whether to change them to the new ones. The Financial Times reported that, according to Facebook, before this week’s rollout of the new settings, only 15% to 20% of users had changed their default privacy settings, but in response to the inquiry about changing their privacy settings, 50% of users — approximately 175 million users — had made changes.

Why is this massive review of Facebook privacy settings significant to employers? Facebook’s default privacy setting is, perhaps ironically, “Everyone.” In other words, job applicants and employees who do not change their default privacy settings on Facebook permit the general public, including recruiters, human resources professionals, in-house employment counsel, and employment litigators to view all information posted on their profile. Because the information is readily accessible to the general public, the law imposes no restriction on these viewers, even when their interests may be adverse to those of the applicant or employee.

Facebook’s privacy settings include an option that permits a user to restrict viewing to “Only Friends,” i.e., only those people whom the user has permitted to access her profile. While some users exercise little or no discretion in accepting friend requests and have hundreds of friends, many users restrict their friends to those whom the user can trust to further disclose information posted on the user’s profile page only with permission. Employers face significant legal restrictions on access to a user’s restricted Facebook page. One of our recent blog posts highlighted an adverse jury verdict against Houston’s restaurants where two managers who were not on the friends list of a MySpace group page, nonetheless, gained access to the page and fired two of the group’s members who were Houston’s employees based on their postings.

Even if only one-quarter of the Facebook users who recently changed their privacy settings restricted access to “Only Friends,” that change would translate into approximately 44 million users. Put another way, employers may be seeing the start of a cultural shift in which social networking users become far more careful before posting information about themselves that could be lawfully accessed without their knowledge or consent and used against them in employment-related decisions.

This entry was written by Philip L. Gordon.

Image credit: DaytonChildrens

Lawyers Also Can Be Snared by Privacy Rules

Identity theft is a booming business. Each year, millions of Americans fall victim to identity theft or have their personal privacy otherwise compromised through unlawful means. Whether it comes in the form of a lost or stolen credit card, or computer hackers accessing Social Security numbers from employment records, financial institutions, medical records, or government agencies, the costs are staggering. Studies demonstrate that victims spend anywhere from a few hours to, in some cases, literally thousands of hours working to repair damage done by identity theft. Investigations related to identity theft often take months – or sometimes years – to resolve. Reports have estimated that hundreds of billions of dollars per year are lost by businesses worldwide due to identity theft. Individual victims sometimes lose thousands of dollars in wages resolving their cases, and can spend several hundred (sometimes thousands) of dollars in various expenses related to their case.

In an effort to combat ID theft, more than thirty states (including California, New York, Illinois, and Pennsylvania) have enacted laws restricting certain uses and disclosure of social security numbers. The federal judiciary has taken note – and is following suit. Recent revisions to the Federal Rules of Civil Procedure (FRCP) now require attorneys to redact certain personal identifying information of individuals involved in litigation when filing documents in federal court – either electronically or in traditional paper format. 

Revised FRCP 5.2(a) reads:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and
(4) the last four digits of the financial-account number.
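The four permitted forms in Rule 5.2(a) translate directly into a redaction pass that can be run over a filing before it is submitted, together with a check that nothing was missed. The following Python is an added example, not part of the original post or of any court's tooling. The identifier formats it matches (a hyphenated SSN, an EIN-style taxpayer-identification number, an M/D/YYYY birth date introduced by “born” or “DOB”, and an account number introduced by “Account No.”) are assumptions, since the rule names the identifier types but not how they appear in text; the declaration text it runs over is constructed for the example.

```python
"""FRCP 5.2(a) redaction pass for a court filing (added example, not from
the original post). Identifier formats below are assumptions: the rule
names the identifier types but does not define how they appear in text."""
import re

# Hyphenated SSN: NNN-NN-NNNN
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# EIN-style taxpayer-identification number: NN-NNNNNNN
TIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")
# Birth date written M/D/YYYY and introduced by "born", "DOB" or "date of
# birth", so filing and hearing dates elsewhere in the document are left alone.
DOB_RE = re.compile(
    r"(?i)\b(DOB|date of birth|born(?: on)?)[:\s]+(\d{1,2})/(\d{1,2})/(\d{4})\b"
)
# Financial-account number of 8-17 digits introduced by "Account No." / "Acct #"
ACCT_RE = re.compile(r"(?i)\b(account|acct\.?)(\s*(?:no\.?|#)?\s*:?\s*)(\d{8,17})\b")


def _last4(digits: str) -> str:
    """Mask all but the last four digits, keeping the original length."""
    return "X" * (len(digits) - 4) + digits[-4:]


def redact_filing(text: str, minors: tuple[str, ...] = ()) -> tuple[str, dict[str, int]]:
    """Return the text in the form Rule 5.2(a) permits, plus a count per category.

    minors: full names of individuals known to be minors. The rule allows only
    their initials, and nothing in the text marks who is a minor, so the filer
    must supply that list.
    """
    counts = {"ssn": 0, "tin": 0, "dob": 0, "account": 0, "minor": 0}

    def ssn(m: re.Match) -> str:
        counts["ssn"] += 1
        return f"XXX-XX-{m.group(3)}"           # (1) last four of the SSN

    def tin(m: re.Match) -> str:
        counts["tin"] += 1
        return f"XX-{_last4(m.group(2))}"       # (1) last four of the TIN

    def dob(m: re.Match) -> str:
        counts["dob"] += 1
        return f"{m.group(1)} {m.group(4)}"     # (2) year of birth only

    def acct(m: re.Match) -> str:
        counts["account"] += 1
        return f"{m.group(1)}{m.group(2)}{_last4(m.group(3))}"  # (4) last four

    out = SSN_RE.sub(ssn, text)   # SSNs first so TIN_RE never sees an SSN fragment
    out = TIN_RE.sub(tin, out)
    out = DOB_RE.sub(dob, out)
    out = ACCT_RE.sub(acct, out)
    for name in minors:           # (3) the minor's initials
        initials = "".join(part[0] + "." for part in name.split())
        out, n = re.subn(r"\b" + re.escape(name) + r"\b", initials, out)
        counts["minor"] += n
    return out, counts


def residual_identifiers(text: str) -> list[str]:
    """Pre-filing check: full identifiers that would still be exposed."""
    found = [m.group(0) for rx in (SSN_RE, TIN_RE) for m in rx.finditer(text)]
    found += [m.group(3) for m in ACCT_RE.finditer(text)]
    return found


# Constructed sample filing text for the example, not a real declaration.
SAMPLE = (
    "Declaration of John Q. Public, SSN 123-45-6789, born 03/14/1975. "
    "Employer TIN 12-3456789. Wages deposited to Account No. 1234567890123456. "
    "Minor child Jane Doe resides at the same address."
)

if __name__ == "__main__":
    redacted, counts = redact_filing(SAMPLE, minors=("Jane Doe",))
    print(redacted)
    print(counts, "residual:", residual_identifiers(redacted))
```

The birth-date and account patterns are deliberately anchored to introducing words so that unrelated dates and long numbers in a filing are not mangled; the cost of that choice is that an identifier written in an unexpected format slips through, which is why the pass ends with residual_identifiers run over the output rather than trusting the substitution counts alone.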

Last month, the federal district court in Minnesota imposed a $5,000 fine against an attorney who violated FRCP 5.2(a) by including personal information in a court filing. The court also ordered the attorney to contact each of the 179 individuals whose private information had been improperly disclosed in the non-compliant court filing and to offer each of them, at the attorney’s expense, individualized credit reports and a year’s worth of quarterly credit monitoring services. Furthermore, the court ordered the sanctioned attorney to appear in court next year to report on the status of the credit reports. In the opinion, the court noted that it was “deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents.”

The court’s ruling should serve as a wake-up call to attorneys that they too must be careful to comply with privacy and data protection rules aimed at reducing the risk of identity theft.

This entry was written by Richard L. Sloane.

Photo credit: Kameleon007

New Data Security Breach Laws in Alaska and South Carolina Take Effect July 1, 2009

On Wednesday, July 1, 2009, the recently enacted Alaska and South Carolina notice of security breach laws will take effect. Alaska and South Carolina join forty-three other jurisdictions with notice of security breach laws. Some of the key provisions of these laws are described below.

The “Trigger Event”

Both laws require businesses to provide notice of security breaches when an unauthorized person acquires unencrypted computerized “personal information.” Alaska is one of six states that also require notice in response to the unauthorized acquisition of paper records containing personal information. Under both laws, personal information includes the affected individual’s first name or initial and last name, plus Social Security number, driver’s license number, or credit or debit card or financial account number in combination with any required security code.

The “Harm Requirement”

In Alaska, notice is not required, if, after an investigation and notice to the Attorney General, the business determines that there is not a reasonable likelihood of harm to the consumer. Likewise, the South Carolina law does not require businesses to notify residents if illegal use of the information has not occurred, or is not reasonably likely to occur, or if use of the information does not create a material risk of harm to the resident.

Required Notices To Third Parties

If an entity is required to notify 1,000 or more Alaska residents, it also must provide the three national credit bureaus (TransUnion®, Experian®, and Equifax®) with the timing, distribution, and content of the notices to state residents.

If a business is required to notify 1,000 or more South Carolina residents of a security breach, that entity must notify the Consumer Protection Division of the South Carolina Department of Consumer Affairs as well as the national credit bureaus.

Penalties

Both statutes provide stiff penalties for businesses that fail to provide the required notice to affected individuals. In Alaska, offending businesses are subject to a civil penalty of up to $500 per resident not notified, with the total penalty capped at $50,000. Moreover, the offending business may be held liable for any actual economic damages suffered by affected individuals as a result of the failure to provide notice.

In South Carolina, businesses that fail to provide notice to affected individuals are subject to civil lawsuits by residents who are injured. Injured individuals may also recover attorneys’ fees and court costs, if successful. Moreover, the law permits the Department of Consumer Affairs to administratively fine knowing and willful violators $1,000 for each resident whose information was accessible by reason of the breach.

Scope Of Alaska’s New Law

In addition to the notice of security breach law, Alaska enacted a comprehensive statute involving protection of social security numbers, care of records, disposal of records and security freezes.

This entry was written by Katherine Dix.

New Nevada Law Mandates Encryption of Sensitive HR Data

Nevada has joined Massachusetts as one of only two states currently mandating encryption of sensitive human resources information.* The Nevada law — which, like the Massachusetts regulations, takes effect January 1, 2010 — applies to any organization doing business in Nevada that collects an individual’s first name or initial and last name plus Social Security number, employee identification number, driver’s license number, or credit or debit card number or financial account number with any required security code (collectively “Personal Information”). Every employer collects employees’ SSNs in the ordinary course of business, and many employers assign employee identification numbers and collect driver’s license numbers. Consequently, the new law reaches essentially every employer doing business in Nevada.

The statute requires encryption in two circumstances. First, electronic transmissions of Personal Information must be encrypted unless the transmission (a) passes within a secure network, or (b) is sent by fax machine. This means that intracorporate e-mail will not need to be encrypted as long as it does not pass over the public Internet. Employers should verify that condition rather than assume it: mail that is hosted by an outside provider, relayed between offices over the Internet, or read on home computers and mobile devices may well leave the corporate network. All e-mail to third parties containing Personal Information, i.e., e-mail that does pass over the public Internet, will need to be encrypted.

Second, no “data storage device” which contains Personal Information may be taken off-site unless the Personal Information is encrypted. The new law’s broad definition of “data storage device” includes laptops, iPhones, BlackBerrys, back-up tapes and disk drives, as well as virtually any other electronic device that can store Personal Information.

Employers that fail to comply with the law are likely to be found out. Because Nevada’s security breach notification law provides a safe harbor from notification for Personal Information that is encrypted, any notice of a security breach that discloses the loss or theft of a laptop, personal digital assistant, back-up tape or other electronic storage medium effectively would constitute an admission that the employer failed to comply with Nevada’s encryption requirement. Because that failure would violate a statutory standard, the absence of encryption most likely would be deemed negligent. For this reason, employers with operations in Nevada should begin now to develop plans for complying with the new Nevada encryption standard.

*For comprehensive coverage of the Massachusetts data security regulations, see Littler ASAP "New Massachusetts Regulations Impose Substantial Obligations on Corporate Human Resources Departments to Safeguard Employees' Personal Information" by Philip Gordon.

Contemporaneous Announcements of Obama's Cybersecurity Agenda and of the "Biggest Security Breach Ever" Should Highlight for Employers the Message of National Data Privacy Day

Today — January 28, 2009 — is National Data Privacy Day, which, according to a January 2009 Resolution of the House of Representatives, “constitutes an international collaboration and a nationwide and statewide effort to raise awareness about data privacy and the protection of personal information on the Internet.” This reference to “international collaboration” is not precatory. Canada and the 27 Member States of the European Union also are seeking to focus attention on data privacy today by celebrating their own National Data Privacy Day. In light of two recent events that preceded National Data Privacy Day by only one week, HR departments should take note.

On January 22, 2009, Barack Obama’s first full day as President, he outlined, on the Whitehouse.gov website, his plan to enhance the nation’s cybersecurity. Two central planks of that plan will have a direct impact on employers. First, the plan calls on private industry to “secure personal data stored . . . on private systems” and to institute a “common standard for securing such data.” Second, the plan would create national standards for corporate security breach notification. Put simply, federal data protection and security breach notification legislation is on the way; it is just a matter of time. Such legislation most likely would have the beneficial effect of relieving multi-state employers from the burdens of complying with a patchwork of state data protection and security breach notification laws. Federal legislation, however, also would bring the substantial resources and enforcement power of the federal government to an area of the law that has, to date, seen only fledgling enforcement by the states.

On the day before the cybersecurity announcement--Inauguration Day--Heartland Payment Systems, Inc., one of the five largest credit card processors in the U.S., announced that its computer network had been hacked at some unknown time in 2008. The cybercriminals reportedly planted malicious software on Heartland’s network that might have captured the data of as many as 100 million credit cards. Although Heartland has not yet revealed the number of affected credit card holders (and, indeed, may never be able to get an exact count), one respected commentator predicted that Heartland’s would be the “biggest breach ever.” Lesson learned: if a credit card processor--with a presumed interest in enhanced information security--can be breached, other organizations are vulnerable as well.

This confluence of events should serve as a clarion call to corporate HR departments — the repositories of the “crown jewels of ID theft,” i.e., an employee’s Social Security number, bank account number, rate of pay, and date of birth — that data privacy no longer is a “back burner” issue. Beyond that, enhancing information security in these times of severe fiscal constraints can be accomplished with virtually no out-of-pocket expense on hardware or software. A few no-cost steps are listed below:

  • Administrative Access Controls: Restrict access to paper documents and electronic files containing personal information to those with a need to know and limit authorized access to the minimum personal information necessary to perform legitimate business activities.
  • Establish Clearance Procedures: Only employees who have demonstrated their trustworthiness through years of service or who have been subject to a background check should be authorized to access personal information. Temporary workers generally should not be given access.
  • Promptly Modify Access Rights: Terminated employees should not be permitted to access physical locations where personal information is stored, and their electronic access should be terminated upon termination of employment. Rights of access to personal information in paper and electronic form should be modified as job responsibilities change.
  • Control Off-Site Use of Personal Information: Require that employees obtain prior approval before removing any personal information, whether in paper or electronic form, from corporate facilities. Personal information in paper form should be returned, and electronic information should be deleted, promptly after the business purpose that justified the off-site transfer has been accomplished.
  • Vendor Management: Engage in due diligence with respect to information security before selecting a vendor who will receive personal information. Vendor agreements should contain provisions that address data security with specificity.
  • Ensure Proper Destruction of Personal Information: Personal information in paper form should be shredded. Electronic personal information should be rendered irretrievable before discarding the equipment on which it is stored.

New Massachusetts Regulations Impose Substantial Obligations on Human Resources Departments to Safeguard Employees' Personal Information

New Massachusetts regulations, effective January 1, 2009, are a clarion call for corporate human resources departments to join the war on identity theft. The regulations mandate the development and implementation of a "written, comprehensive information security program" to safeguard the information of Massachusetts employees and consumers. Such a program rarely will be fully effective without the involvement of human resources professionals and in-house employment counsel.

While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured. Continue reading. . .

New Jersey Court Ruling re Workplace Computer Privacy Leaves Tough Questions Unanswered

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes to the facts show why. Suppose M.A. had marked all of his personal files as “private” when saving them to the company’s document management system, and it was well known within the company that system administrators respected the “private” designation. Suppose further that M.A. did not permit any other employees to log into his computer, did not share his username or password with any co-workers, and, whenever he left his private office, shut and locked the door using a combination unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined. Continue reading. . .

New Oregon Law Imposes Most Stringent Information Security Standards Yet On Employers

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

  • Designate a security officer
  • Conduct a risk assessment
  • Assess the safeguards in place to manage the risks
  • Train employees in security policies and procedures
  • Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
  • Adjust the security program over time to meet changing circumstances
  • Implement adequate physical and technical safeguards
  • Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.