While we’re not in the habit of driving traffic to other blogs, it is always a pleasure to point to one of our Mintz family of blogs doing some great work — the Employment Law Matters blog is hosting a 2015 Employment Law Issues Tournament to go along with your college basketball brackets. 64 employment law issues, seeded 1 through 16 across four regions.
You cannot miss this (I only wish we’d thought of it…)! And there are certainly some privacy teams in the matchups as well (Go BYOD Policies and Social Media Policies!)
First Round Results and Recaps
Taking another “step” toward developing comprehensive privacy legislation, the White House has released a discussion draft of the Consumer Privacy Bill of Rights Act of 2015. The draft reflects the Fair Information Practice Principles (“FIPPs”) long championed by the Obama Administration, and calls on businesses engaged in the collection of consumer information (“covered entities”) to either abide by a Privacy Bill of Rights or engage in self-regulation. While commentators have suggested the proposal is dead on arrival (read here, here and here), the Privacy Bill of Rights warrants attention because it will serve as a jumping-off point for further legislative and policy discussions on consumer privacy rights.
The draft Data Protection Regulation doesn’t offer many carrots to business – and a recent announcement by the Council of the European Union takes away one of the biggest carrots, the “One-Stop Shop” mechanism.
The One-Stop Shop refers to the principle that businesses would have to deal with just a single national data protection authority instead of 28 different authorities across the EU. The objective was to simplify logistics for businesses and to reduce any chance of multiple, inconsistent requirements from different authorities.
“Responding to Insider Data Theft & Disclosure”
What do these companies have in common? They were all victims of insider data theft.
The third presentation in our popular Wednesday Webinar series is coming up on Wednesday, March 25th. Our presenters, Jonathan Cain and Paul Pelletier, will offer practical advice about responding to data theft and disclosure by employees and former employees. They will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement.
Join us Wednesday, March 25 at 1:00 pm ET/10:00 am PT. Register here.
MCLE credit is available in New York and California.
State legislatures are not waiting for Congressional action on a national data breach notification standard.
Montana — Montana has amended its 10-year-old breach notification law (see Mintz Matrix) to expand the definition of “personal information” and require notice to the state attorney general’s consumer protection office. H.B. 74, signed into law by Governor Bullock, adds medical record information and the “identity protection personal identification number” issued by the Internal Revenue Service to the definition of “personal information.” The amended statute takes effect October 1.
New Jersey — Governor Christie recently signed legislation into law requiring health insurance companies in that state to encrypt personal information of policyholders. All health insurance carriers that compile computer records that contain personal information must protect those records through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.” In November 2013, two laptops with unencrypted information about 840,000 policyholders were stolen from an office at Horizon Blue Cross Blue Shield of New Jersey in Newark. The Barnabas Health Medical Group’s Pediatric branch in Livingston and the Inspira Medical Center in Vineland also had breaches in 2013, according to a NJ Advance Media report in September.
Connecticut — In the aftermath of the massive Anthem data breach, legislation has been introduced in the Connecticut General Assembly requiring a wide swath of insurance businesses to implement data security technology that encrypts personal information of insureds. The covered entities include health insurers, healthcare centers (similar to an HMO under Connecticut’s insurance laws), “other entities licensed to do health insurance business in Connecticut,” pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies. The requirement is similar to that of New Jersey’s new law, except that the bill requires entities subject to the law to update their technology as necessary to ensure continued compliance. Anthem is one of Connecticut’s largest health insurers, and that breach reportedly impacted more than 1 million people in the state. See “Act Concerning the Security of Consumer Data”.
Washington — The Washington House of Representatives has unanimously passed a bill (H.B. 1078) that would make the failure to notify consumers of a breach in the security of their personal information, as required by the state’s data breach notification law (again, see the Mintz Matrix), a violation of the state’s Consumer Protection Act. The measure would require notification to consumers — and the state’s AG — as quickly as possible and no later than 45 days after discovery of a breach of personal information such as a person’s name in combination with a Social Security number, driver’s license number, or payment card number together with its access code or password. Under the bill, the attorney general could bring an action on behalf of the state or consumers living in Washington.
New Mexico — New Mexico is one of only three holdouts from the state data breach notification crazy quilt (again, see the Mintz Matrix), but HB 217, the Data Breach Notification Act, is working its way through the state legislature. The bill applies only to computerized data, and uses an “acquisition” trigger for breach notification. “Personal information” under HB 217 is defined as the “usual suspects” and does not include username/password or other login credentials. The bill requires “reasonable security” and includes disposal provisions that apply to paper records as well as electronic ones. Similar legislation failed in the 2014 session of the legislature, so it remains to be seen whether New Mexico will join the Mintz Matrix this year.
Welcome to March (and in the Northeast, the arrival of meteorological spring is welcome indeed…)
We start this month with a question: Have you looked at your cyber resilience?
The Federal Financial Institutions Examination Council (FFIEC) recently described “cyber resilience” as an organization’s ability to recover critical IT systems and resume normal business operations in the event of a cyberattack. On February 6, the FFIEC added a new Appendix J to its Business Continuity Planning booklet, titled Strengthening the Resilience of Outsourced Technology Services (Guidance). The Guidance discusses the importance of cyber resilience in light of the increasing sophistication and volume of cyber threats, their ability to disrupt operations, and the challenge they pose to business continuity preparedness, and it provides recommendations for financial institutions and their service providers on addressing and mitigating cyber resilience risks and strengthening business resilience. Published in 2003, the Business Continuity Planning booklet is one of a series of booklets that comprise the FFIEC Information Technology (IT) Examination Handbook; it provides guidance to assist field examiners from the FFIEC member agencies in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services. The FFIEC has also set up a cybersecurity awareness website and in the past year piloted a cybersecurity assessment program at a number of financial institutions across the country. Although these most directly apply to financial institutions and their service providers, the question of cyber resilience is critical to every organization.
So what are cyber resilience risks?
Our 2015 monthly Privacy Issues Wednesday webinar series continued this month with Jennifer Rubin and Gauri Punjabi’s Privacy in the Workplace presentation. Jen and Gauri discussed the latest statutory and common law developments concerning employer monitoring of employee email, access to employee social media accounts, social media policies, and bring your own device (“BYOD”) policies. We were pleased to host over 125 participants for this webinar.
For those who missed the webinar, some of the key takeaways for employers include the following:
- While there is not much federal or state statutory authority on employer monitoring of employee email access, employers are advised to provide employees with prior notice of such monitoring and obtain their consent to do so.
- Many states now prohibit employers from requesting access to their employees’ or job applicants’ social media accounts. This trend, along with the number of other states that have considered passing similar legislation, suggests that Congress may soon weigh in on this issue.
- The National Labor Relations Act applies to all employers, regardless of whether the workplace is unionized, and protects employees who use social media to discuss their wages, hours, and other terms and conditions of employment (i.e., concerted activity). Employers cannot prohibit employees from using work email accounts to have such discussions during non-working time. Employees will lose the protection of the Act when their actions disparage the employer’s products or services and/or create a risk of harm to the employer or to others.
- Social media policies should specify the nature of conduct that is permitted and prohibited and should not utilize broad language that could encompass the right of employees to engage in protected concerted activity. Social media policies should also take into account an employer’s need to protect trade secrets, comply with industry regulations and applicable federal and state employment statutes, and preserve information relevant to litigation.
- BYOD policies often result in lower employer costs related to device overhead (purchase/maintenance), improve employee productivity, and result in greater employee job satisfaction. Prior to implementation, however, employers should consider the process for monitoring compliance with other company policies, keeping track of wages owed to non-exempt employees who use their personal devices to work outside of the office, maintaining the security of company information that ends up on an employee’s personal device, and ensuring its removal once the employee leaves the company.
For a recording of the webinar, click here. To download the presentation slides, click here.
The next webinar in the Privacy series — Responding to Insider Theft and Data Disclosure — will take place on Wednesday, March 25, 2015. This webinar will offer practical advice about responding to data theft and disclosures by employees and former employees. We will cover such topics as conducting a proper investigation, utilizing state and local civil court processes to deter, halt, and remediate data thefts, and when and how to engage local and/or federal law enforcement. This webinar will be presented by members of Mintz Levin’s privacy and data security and white collar crime practice groups.
Sign up here to attend.
Originally posted to Mintz Levin’s Employment Matters Blog
These days most employers manage a vast amount of electronic information about their employees, including the employees’ personal identifying information. But what obligations do employers have to unionized employees with respect to managing that information and bargaining with them in the event of a breach of their private information?
In a recently released Form 8-K filing announcing fourth quarter and year-end financial results, Target Corporation reported that expenses incurred in 2014 relating to its 2013 data breach totaled over $191 million. Those expenses were offset by $46 million in insurance proceeds, resulting in a $145 million charge against Target’s 2014 operating results. The expenses incurred in 2014 were in addition to $61 million in breach-related expenses incurred in 2013 which, after receipt of $44 million in insurance proceeds, yielded $17 million in net breach-related expenses for Target in 2013. In all, Target has incurred $252 million in costs arising from the data breach through the end of 2014 which, after receipt of $90 million in insurance proceeds, has resulted in total net expenses to Target in 2013 and 2014 of about $162 million.
Google made good on the rumors and the company’s subsequent promise last December to create a family-friendly version of its popular YouTube service with its launch on Monday of the YouTube Kids app. Available on both the App Store and Google Play free of cost and only in the United States, the YouTube Kids app is described by Google as an “app designed for curious little minds to dive into a world of discovery, learning, and entertainment…delightfully simple and packed full of age-appropriate videos, channels, and playlists.”