Archives: Employee Privacy

By Breton Leone-Quick

Many of the highest-profile and headline-catching data breaches involve outside attackers breaking into a company’s electronic systems. But the reality that these headlines obscure is that internal data breaches are generally more prevalent and represent a primary source of concern for data security managers.

The legal liability of employers for data breaches by their employees is generally an underdeveloped area of the law. But a case currently pending before the Massachusetts Appeals Court will help determine the scope of this liability in Massachusetts.

The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and Social Security numbers. OPM serves as the human resources department, and holds the employee records, for the entire federal government, from security clearance files to the identities of covert CIA agents. Every federal agency is potentially affected by this breach. Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail. OPM will provide credit monitoring, identity theft insurance and recovery services to affected individuals for 18 months.

OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the FBI to assess the full extent of the breach. Early reports suggest that the breach originated in China.

Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency had recently begun an “aggressive effort” to update its network security. That effort is what detected the intrusion, but it was not in place early enough to prevent it.

OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests.  In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.

As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure.  According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:

At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private-company breach victims as a glowing example of how easily hackers can get into even the most fortified government-controlled computer systems.

It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities.  According to Kevin McGinty, Mintz Levin privacy class action litigator:

As day follows night, class actions typically follow data breaches.  Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue.  The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM.  Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.

We will have more on this story as it evolves.

On this Privacy Monday, we have some upcoming events that you might want to add to your calendar.

Wednesday, May 13 – Mintz Employment Law Summit (Boston)

A discussion of hot topics facing employers, including Privacy in the Workplace.  Free event, breakfast and lunch included.   Register here.

Wednesday, May 13 – National Security, Privacy, and Renewing the USA PATRIOT Act, Hudson Institute, NY

Live streaming starts at noon. #PATRIOTAct.  More information here.

Wednesday, May 13 – Ninth Annual Law & Information Society Symposium – Fordham Law School

Trends in the global processing of data, developments in new technologies, privacy enforcement actions and government surveillance put international privacy at the center of the global law and policy agenda. Government regulators, policymakers, legal experts, and industry players need to find solutions to cross-border conflicts and to the issues presented by innovative technologies. This conference seeks to create a robust, but informal dialog that will explore possible solutions to current questions arising from the international legal framework, infrastructure architecture and commercial practices.   Information here.

Thursday, May 14 – IAPP KnowledgeNet (Boston area)

Learn about data privacy issues posed by wearables, wellness tracking apps, company wellness programs and other technologies and services here in the U.S. and abroad.   Register here.

Monday, May 18 – 36th IEEE Symposium on Security & Privacy – Fairmont Hotel (San Jose)

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. The 2015 Symposium will mark the 36th annual meeting of this flagship conference.  More information here.

Wednesday, May 27 – Mintz Privacy Wednesday Webinar – The Long Reach of COPPA

The fifth in our Wednesday Webinar series will focus on a discussion of COPPA, the long-awaited amendment and issues.   We’ll also discuss the latest Federal Trade Commission settlements and how to avoid being the next target.   Register here.


Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jennifer Rubin and Gauri Punjabi’s Privacy in the Workplace presentation. Jen and Gauri discussed the latest statutory and common law developments concerning employer monitoring of employee email, access to employee social media accounts, social media policies, and bring your own device (“BYOD”) policies.  We were pleased to host over 125 participants for this webinar.

For those who missed the webinar, some of the key takeaways for employers include the following:

  • While there is not much federal or state statutory authority on employer monitoring of employee email access, employers are advised to provide employees with prior notice of such monitoring and obtain their consent to do so.
  • Many states now prohibit employers from requesting access to their employees’ or job applicants’ social media accounts. This trend, along with the number of other states that have considered passing similar legislation, suggests that Congress may soon weigh in on this issue.
  • The National Labor Relations Act applies to all employers, regardless of whether the workplace is unionized, and protects employees who use social media to discuss their wages, hours, and other terms and conditions of employment (i.e., concerted activity).  Employers cannot prohibit employees from using work email accounts to have such discussions during non-working time.  Employees will lose the protection of the Act when their actions disparage the employer’s products or services and/or create a risk of harm to the employer or to others.
  • Social media policies should specify the nature of conduct that is permitted and prohibited and should not utilize broad language that could encompass the right of employees to engage in protected concerted activity.  Social media policies should also take into account an employer’s need to protect trade secrets, comply with industry regulations and applicable federal and state employment statutes, and preserve information relevant to litigation.
  • BYOD policies often result in lower employer costs related to device overhead (purchase/maintenance), improve employee productivity, and result in greater employee job satisfaction.  Prior to implementation, however, employers should consider the process for monitoring compliance with other company policies, keeping track of wages owed to non-exempt employees who use their personal devices to work outside of the office, and maintaining the security of company information that ends up on an employee’s personal device and ensuring its removal once the employee leaves the company.

For a recording of the webinar,  click here.   To download the presentation slides, click here.

The next webinar in the Privacy series — Responding to Insider Theft and Data Disclosure — will take place on Wednesday, March 25, 2015.  This webinar will offer practical advice about responding to data theft and disclosures by employees and former employees. We will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement. This webinar will be presented by members of Mintz Levin’s privacy and data security and white collar crime practice groups.

Sign up here to attend.

The Mintz Levin Privacy & Data Security Team invites you to register and join us at two upcoming events:

Our next Wednesday Webinar is coming up on February 25th, with a focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.  Register here!

In the wake of the Anthem breach, we’ll be presenting a timely seminar in our Washington, D.C. office on Tuesday, March 3rd:  HACKED!  What to Do When It Happens to You

This roundtable features national subject matter experts from the United States Secret Service and the Federal Bureau of Investigation, as well as forensic and legal professionals. It will provide insights, tips, and advice on current cyber threats affecting your business and on what to do when the cyber-thief strikes, along with the opportunity for in-person, live discussion with law enforcement officials. Early registration (here) is encouraged, because space is limited.

Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series —

This webinar,  scheduled for Wednesday, February 25,  will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.

Save the date and register online here!


Three privacy/security stories that you should know as you start your week:


President Obama to Offer Cybersecurity/Privacy Previews to State of the Union Proposals

In a series of speeches this week, President Obama will preview important issues to appear in his January 20th State of the Union address.    A White House official said in a statement to reporters over the weekend that the president would “lay out a series of legislative proposals and executive actions that will be in his State of the Union that will tackle identity theft and privacy issues, cybersecurity, and access to the Internet.”   The President will reportedly speak at an event at the Federal Trade Commission today and outline a plan to tackle identity theft and improve consumer and student privacy.    Tuesday, the President will discuss cybersecurity at the National Cybersecurity and Communications Integration Center.    We will keep readers updated on what the White House is calling “SOTU Spoilers.”

Read more here: CNBC, CNET, New York Times


ICYMI:  The January 2015 Edition of the Mintz Matrix Is Out — and State Changes are in the Works

On Friday, we released the updated version of the Mintz Matrix of state data breach notification laws.   In case you missed it, you can get the updated chart here.

Now that the state legislatures are getting into session, we are expecting more action amending and tightening up state laws.    For example, legislators in Washington state have already filed an amendment to that state’s data breach notification law.

At the end of 2014, several proposals were introduced and we will be following where these bills head in the 2015 session. New York’s proposal (Bill A10190) imposes requirements on entities conducting business in New York that own or license computerized data containing private information; the requirements are nearly identical to those under Massachusetts 201 CMR 17. Most importantly (as you will recall), the Massachusetts regulations require that entities develop, implement and maintain a comprehensive written information security program. A proposed New Jersey amendment would expand the definition of “personal information” to include a combination of user name or email address with any password or security question and answer that would permit access to the online account. Attorneys general in Indiana and Oregon closed out the year with calls for more robust data breach protection legislation in their states. Stay tuned.


Tax Time is a Good Time For a “Security Check”

Businesses and their employees are all dealing with receipt of documents, filings, etc. during this taxing time of year.  Tax season is also a prime time for personal information scams and can expose lax internal controls.   Here are a few things to remember as you begin preparing for tax season:

Secure your data – Do you prepare your business’ taxes on a company computer? If so, you likely have some very sensitive financial information on your hard drive. Make sure those files live only under accounts that require a password and on a disk that is encrypted, and that the system itself is patched and protected from outside threats. If you plan to file electronically over a wireless network, use a connection you control and never a public wireless hotspot. Do NOT send personal information to employees or service providers via email. Use only secure transmission methods (an encrypted portal, or an encrypted attachment whose password is shared by a separate channel) for W-2s and other forms that contain Social Security numbers or other sensitive information. If a tax preparer asks you to send documents via unencrypted email, find another tax preparer.
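The “do not email it” rule is easiest to keep when something checks outgoing mail for you. Below is an added example, not code from the original post, of a minimal pre-send check in Python that flags Social Security numbers and employer identification numbers in a message body and masks SSNs to their last four digits for a bounce notice. The message strings are constructed for illustration, and the function names are my own; a real deployment would hook this into the mail gateway’s content filter.

```python
import re

# Added example, not from the original post: a pre-send content check for
# outbound email so that W-2 data is caught before it leaves over plain SMTP.
# Sample messages used with these functions are constructed for illustration.

# 9 digits, optionally grouped 3-2-4 with hyphens or spaces.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Employer Identification Number: 2-7 with a hyphen.
EIN_RE = re.compile(r"\b(\d{2})-(\d{7})\b")
# Bare mention of a tax form; a hint, not a hard identifier.
FORM_RE = re.compile(r"\bW-?2\b|\b1099\b", re.IGNORECASE)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues, to cut false positives:
    area 000, 666 or 900-999; group 00; serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) findings for a message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in EIN_RE.finditer(text):
        findings.append(("ein", m.group(0)))
    if FORM_RE.search(text):
        findings.append(("tax-form-mention", "W-2/1099"))
    return findings


def should_block(text: str) -> bool:
    """Block the send only on a hard identifier (SSN or EIN);
    a form name alone is allowed through, e.g. "bring your W-2"."""
    return any(kind in ("ssn", "ein") for kind, _ in find_sensitive(text))


def redact(text: str) -> str:
    """Mask SSNs to their last four digits so the bounce notice sent
    back to the employee does not itself repeat the full number."""
    def _mask(m):
        if is_valid_ssn(*m.groups()):
            return "***-**-" + m.group(3)
        return m.group(0)
    return SSN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample messages.
    for body in ("Attached W-2 for John, SSN 123-45-6789.",
                 "Reminder: bring your W-2 to the office.",
                 "Call 617-555-1234 about the return."):
        print(should_block(body), redact(body))
```

The validity check matters: without it, any nine-digit string that happens to be grouped 3-2-4 (an invoice number, part of a phone number) would block legitimate mail, and users quickly learn to route around a filter that cries wolf.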

Back up financial data – When was the last time you backed up your company data? If you don’t already follow a backup schedule, tax season can be a great reminder that you need to regularly back up your data. Regular backups not only protect you at tax time in the event your data is compromised, they also help protect you against future events such as a natural disaster. Remember that whether you back up to the cloud or to a separate physical device or location, the backup copy needs to be kept in a secure environment, and a backup you have never tried to restore is not yet a backup.

Keep your security software updated – You don’t have the time or resources to keep track of each and every new scam, phishing attack, or threat that comes around; that’s what your security software is supposed to do. But just as you can’t file your taxes without accurate tax information, your security software can’t do its job if it’s not up to date. The threat landscape changes daily, so keeping your security software up to date helps ensure that it will be able to address the most current threats to your information. After all, your ability to run an effective business depends on making sure your confidential data is safe and secure from outside threats.

Remind employees of phishing threats – Use this time of year as an opportunity to remind employees to protect themselves from tax-related phishing scams. The IRS will never ask for personal information via email. Ever. Some of these reminders from the IRS may be useful to send to your employees as a reminder to protect themselves, and as a result, to protect your business.

Have a safe and secure week!

In the past few years the National Labor Relations Board (“NLRB”) has taken an increased interest in whether workplace policies prohibiting employees from discussing the terms and conditions of their employment on social media such as Facebook and Twitter violate the National Labor Relations Act (“NLRA”) by interfering with workers’ rights to engage in concerted activity. Federal law prohibits an employer from interfering with employees who come together to discuss work-related issues for the purpose of collective bargaining or other mutual aid or protection, and the NLRB has (correctly) noted that social media has become one of the primary avenues through which employees engage in such activity. A spate of recent decisions makes clear that the NLRB has intensified (and will likely continue to intensify) its scrutiny of employer social media policies and this scrutiny extends no less to non-unionized employers.

Our colleagues at the Mintz Levin Employment Matters blog have written a thorough analysis of the latest, and you will want to read it and take another hard look at your company’s social media policies.


Wearable devices, including health and activity monitors, video and audio recorders, location trackers, and other interconnected devices in the form of watches, wristbands, glasses, rings, bracelets, belts, gloves, earrings and shoes are being heavily promoted in the next wave of consumer electronics.

It is estimated that 90 million wearable data devices (“WDD”) will be shipped to customers in 2014.  Many of these customers will bring them into the workplace, which will challenge employers to adapt employment and IT policies to these new visitors.

WDDs also are attracting the attention of the FTC and legislators.  The FTC is investigating the collection and use of consumer location data transmitted by smartphones and other devices.  Earlier this month, U.S. Senator Chuck Schumer (D-N.Y.) sent a letter to the FTC asking that fitness device companies be required to give users an “opt-out” before sending personal health data to third parties.

Corporate human resources and IT policies are not ready for an influx of these devices and employers do not want to be caught up in the potential for liability.  Smart employers will put policies in place now to manage the integration of WDDs into the workplace, rather than trying to catch up after the fact.  This Advisory outlines the principal issues that any workplace WDD policy should cover.


Last Monday in March (Opening Day for you baseball fans) – some privacy/security bits and bytes to close out the month.

Microsoft:  “We won’t access private e-mail accounts …  Promise.”

Microsoft has committed to no longer accessing the private e-mail accounts of its users after criticism that the company looked at the e-mail of a former employee during an internal investigation. The company said it will turn such matters over to law enforcement. Microsoft has “advocated that governments should rely on formal legal processes and the rule of law for surveillance activities,” so “it seems apparent that we should apply a similar principle and rely on formal legal processes for our own investigations,” Microsoft’s General Counsel Brad Smith wrote in a blog post.

Read More: The Hill’s Hillicon Valley Blog, Reuters

Continue Reading Privacy Monday – March 31, 2014 OPENING DAY!