We are pleased to announce the webinar “Information Security Policies and Data Breach Response Plans” is now available as a podcast and webinar recording.

With the recent uptick of high-profile data breaches and the lawsuits being filed as a result by both employees and consumers, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.

Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.

In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.

Against this backdrop, Seyfarth attorneys Karla Grossenbacher and John T. Tomaszewski provided a high-level discussion on how businesses can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They discussed, from a legal perspective:

  • Essential components of a comprehensive information security policy;
  • Key elements of a data breach response plan including strategies for state law compliance; and
  • Best practices for dealing with third party vendors that store personally identifiable information for your company.

Social Media Privacy Legislation Desktop Reference
What Employers Need to Know

There is no denying that social media has transformed the way that companies conduct business. In light of the rapid evolution of social media, companies today face significant legal challenges on a variety of issues ranging from employee privacy and protected activity to data practices, identity theft, cybersecurity, and protection of intellectual property.

Seyfarth’s Social Media practice group has prepared an easy-to-use “Social Media Privacy Legislation Desktop Reference,” as a starting point to formulating guidance when these issues arise.

The Desktop Reference:

  • Describes the content and purpose of the various states’ new social media privacy laws.
  • Delivers a detailed state-by-state description of each law, listing a general overview, what is prohibited, what is allowed, the remedies for violations, and special notes for each statute.
  • Provides an easy-to-use chart summarizing existing social media privacy laws by state.
  • Offers our thoughts on the implications of this legislation in other areas, including technological advances in the workplace, trade secret misappropriation, bring your own device (BYOD) issues and concerns, social media discovery, and federal law implications.
  • Concludes with some best practices to assist companies in navigating this challenging area.

We hope that you find its content useful.

How to get your Desktop Reference:

This publication may be requested from your Seyfarth contact in hard copy or is available as an eBook, which is compatible with PCs, Macs and most major mobile devices*. The eBook format is fully searchable and offers the ability to bookmark useful sections for easy future reference and make notes within the eBook.

To request the 2015-2016 Edition of the Social Media Privacy Legislation Desktop Reference in eBook or hard copy, please contact your Seyfarth contact.

Webinar

On Tuesday, September 22 at 12:00 p.m. Central, Seyfarth attorneys Karla Grossenbacher and John Tomaszewski will present “Information Security Policies and Data Breach Response Plans.” With the recent uptick of high-profile data breaches and the lawsuits being filed as a result by both employees and consumers, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.

Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.

In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.

Against this backdrop, the presenters will provide a high-level discussion on how your business can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They will discuss, from a legal perspective:

  • Essential components of a comprehensive information security policy;
  • Key elements of a data breach response plan including strategies for state law compliance; and
  • Best practices for dealing with third party vendors that store personally identifiable information for your company.

Registration: There is no cost to attend this program, however, registration is required.

If you have any questions, please contact events@seyfarth.com.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

As we have frequently reported in this blog, social media privacy issues increasingly permeate the workplace. For example, earlier this year, Montana and Virginia joined a growing number of states in enacting laws restricting employer access to the social media accounts of applicants and employees. With Governor Dannell Malloy’s approval of similar legislation in Connecticut on May 21, the Constitution State has now become the latest state to follow this trend.

Connecticut’s law (Public Act 15-6) becomes effective October 1, 2015 and is generally similar to social media privacy laws enacted in other states. Under the new Connecticut law, employers may not:

  • Request or require that an employee or applicant provide such employer with a user name and password, password or any other authentication means for accessing a personal online account;
  • Request or require that an employee or applicant authenticate or access a personal online account in the presence of such employer;
  • Require that an employee or applicant invite such employer or accept an invitation from the employer to join a group affiliated with any personal online account of the employee or applicant; or
  • Fail or refuse to hire any applicant as a result of his or her refusal to (A) provide such employer with a user name and password, password or any other authentication means for accessing a personal online account, (B) authenticate or access a personal online account in the presence of such employer, or (C) invite such employer or accept an invitation from the employer to join a group affiliated with any personal online account of the applicant.

In addition, like social media privacy laws in other states, the new Connecticut law has an anti-retaliation provision stating that employers may not “discharge, discipline, discriminate against, retaliate against or otherwise penalize any employee who (A) refuses to provide such employer with a user name and password, password or any other authentication means for accessing his or her personal online account, (B) refuses to authenticate or access a personal online account in the presence of such employer, (C) refuses to invite such employer or accept an invitation from the employer to join a group affiliated with any personal online account of the employee, or (D) files, or causes to be filed, any complaint, whether verbally or in writing, with a public or private body or court concerning such employer’s violation of [the law].”

The new law authorizes aggrieved employees and applicants to file complaints with the Connecticut Labor Commissioner, who is required to conduct an investigation and may hold an evidentiary hearing. Remedies and penalties for violation of the statute include recovery of attorneys’ fees and costs by the aggrieved employee or applicant, back pay, rehiring or reinstatement, reestablishment of employee benefits, and civil penalties.

Despite the somewhat onerous penalties that employers can face for violations of the statute, the new law does contain some important exceptions. Under the statute, employers are not prevented from:

  • Conducting an investigation for the purpose of ensuring compliance with applicable state or federal laws, regulatory requirements or prohibitions against work-related employee misconduct based on the receipt of specific information about activity on an employee or applicant’s personal online account;
  • Conducting an investigation based on the receipt of specific information about an employee or applicant’s unauthorized transfer of the employer’s proprietary information, confidential information or financial data to or from a personal online account operated by an employee, applicant or other source;
  • Monitoring, reviewing, accessing or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by an employer, or traveling through or stored on an employer’s network, in compliance with state and federal law; or
  • Complying with the requirements of state or federal statutes, rules or regulations, case law or rules of self-regulatory organizations.

As other states join the growing chorus of states enacting social media privacy laws, we will continue to report on the latest developments. In the meantime, employers should review their policies and procedures to ensure that they are up-to-date with the latest legislative enactments.

The FTC’s 2015 report “Internet of Things: Privacy & Security in a Connected World” (“Report”) drives home the idea that more than just computers and phones are able to connect to the Internet. In fact, the Report states that the “IoT explosion is already around us.” This is true, and the Report goes on to describe some of the more interesting things that can be connected to the Internet which most of us don’t think about (e.g. smart health trackers, smoke detectors, and light bulbs). However, how vast is the actual IoT? And what does that mean to businesses?

As security professionals will tell you, if it has an IP address, it is a potential access point to your network. As such, it is a potential place where a hacker can find a way into your network and then “elevate permissions” into more sensitive parts of a network. This seems to be the way that several recent large hacks occurred. Thus, the Internet of Things represents a potential security hole if one doesn’t consider all the different devices which can be hacked.

So – what is out there which has the ability to acquire an IP address (and thus is a hacking risk)?

These we know about:

  • Desktop Computers
  • Laptops
  • Tablets
  • Smartphones

But what about:

  • Copy machines
  • Printers
  • Fax machines
  • VoIP enabled Phones
  • Televisions
  • Bluetooth headsets
  • cash registers (Point-of-Sale terminals generally)
  • Handheld barcode readers
  • Smart thermostats
  • Keycard readers (for doors)
  • Security cameras
  • Light bulbs
  • Environmental control panels
  • Lab equipment
  • Medical diagnostic equipment
  • Warehouse inventory scanners
  • The fridge in the break room
  • Personal fitness monitors
  • Wristwatches (iWatch)
  • Armbands
  • Glasses

And maybe even…

Shirts and other clothes.

As each of these neat bits of technology takes hold, companies that allow them within physical range of the corporate network will need to have a strategy to manage the security risks inherent in all of them.

It’s not going to get any easier…

Cross Posted from Global Privacy Watch

The plethora of security incidents in the news have once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks which are confronting individual security and privacy rights.

The President’s remarks at the FTC give some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while similar, are very different. Case in point: the UK PM’s comment around banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security).

Security Breach Notification

President Obama has proposed a national standard for security breach notification. This is not the first time this proposal has been placed on the legislative agenda. While this is a step in the right direction, as is always the case, the devil is in the details.

One of the most challenging issues to deal with regarding a security breach is “what data” is impacted, and “does it matter”? In essence, the definition of “personal information” and the “harm” v. “access” triggers are the primary headache for those dealing with whether or not they have to provide notice. Elsewhere in the world, “personal information” is very broadly defined. Historically, the limiting definition of “personal information” was supposed to avoid over-notification. As has been pointed out, this does not seem to have worked.

Practically, it would be more useful to standardize the notice trigger around the concept of “harm”. This would operate to make the definition of “personal information” far less important. In effect, if there is a reasonable likelihood of harming someone with the information breached, a notice would be required. This “harm” concept is a well-established principle of tort law, and one that most lawyers are quite capable of dealing with when given the necessary facts. Removal of a variable always makes a solution more efficient, and the use of a results-driven variable such as “harm” should help avoid any unintended consequences which result from an imprecise definition of “personal information”. Let’s hope the Administration moves in this direction.

Another component which is concerning is the timing requirement around breach notification. While there have been instances of companies being slow to notify impacted consumers, notice is only going to be useful when you actually know what data was compromised, what the source of the compromise was, and who was responsible for the compromise. While a company may know it was breached, it may take well over 30 days to determine the scope and reasons for the breach. Without a clear understanding of the scope and reasons for a breach, an arbitrary 30-day notice requirement may lead to additional notice fatigue. If this legislation is to be actually useful, there will need to be a considered discussion as to when the 30-day clock starts ticking, as well as when that clock can be stopped. Almost all the State breach statutes have a tolling period for law enforcement investigations. Hopefully, any national standard will at least have the same limitation.

Consumer Privacy Bill of Rights

Several years ago, the Obama administration presented a Consumer’s Privacy Bill of Rights as part of the US endorsement of the APEC Cross Border Privacy Rules System. There are 7 high-level principles contained in the Privacy Bill of Rights. These are: Transparency, Respect for Context, Individual Control, Focused (read: limited) Collection, Accuracy, Security and Accountability. As is usually the case, the high-level principles sound fine at first blush. However, the way they are implemented may have serious unintended consequences. For example, anti-fraud, development of new services, and IP protection are all activities which may become more challenging if the Individual Control principle does not include appropriate limitations. Additionally, some espouse that a baseline set of obligations, regardless of individual choice, should be in place. Others point out that individuals often don’t have the time or expertise to exercise control in a meaningful way. Consequently, an over-broad reliance on Individual Choice may actually reduce the privacy protections of individuals.

Remedies

Along with the Privacy Bill of Rights, careful consideration will need to be taken around remedies. Some proposals for law have included private rights of action for violations of privacy. The current trend is to rely on the FTC or State Attorneys General to enforce privacy rights. Regardless of one’s position on this issue, it is going to be a significant policy driver, with significant impacts on innovation and business growth. Policy makers and legislators will need input from their constituencies to avoid unintended negative consequences for growth.

In anyone’s analysis, Privacy and Information Security are going to be hot topics on the agenda for the foreseeable future.

Until December 11, employers thought that they owned their email systems and could limit their use to company business. On that day, a divided National Labor Relations Board (“NLRB”) ruled “not so.” In Purple Communications, 361 NLRB No. 126 (Dec. 11, 2014), the NLRB ruled that employees who have access to an employer’s email system as part of their job generally may, during non-working time, use the email system to communicate about wages, hours, working conditions and union issues. The NLRB reached this conclusion notwithstanding the fact that Purple Communications has a rule providing that its email system was to be used for “business purposes only.” It is expected that the NLRB’s ruling will be challenged in the federal courts.

Specifically, the NLRB ruled that employees with access to company email can use company email systems for union organization and Section 7 protected activities. The ruling overturned the NLRB’s 2007 decision in Guard Publishing v. NLRB, 571 F.3d 53 (D.C. Cir. 2009) (“Register Guard”), which held, in relevant part, that employees have no statutory rights to use their employer’s email systems for labor organization purposes or discussions about wages or other workplace issues. The Purple Communications ruling is the result of a case brought by the Communications Workers of America union (“the Union”) after it failed in its attempt to organize employees of a company that provides interpreting services for the deaf and hard of hearing. The Company, for its part, had an “Internet, Intranet, Voicemail, and Electronic Communication Policy” that allowed the use of company owned electronic equipment and systems, including its email system, for “business purposes only.” The Company claimed that its “business purposes only” restrictions for company email use were aimed at reducing workplace distraction. The Union argued, on the contrary, that the Company’s prohibition of its employees’ use of company email for non-business purposes and on behalf of organizations not associated with the company interfered with the Company’s employees’ Section 7 rights.

As anticipated, the NLRB sided 3-2 with the Union, the three Democratic appointees voting in favor of what many will view as an unprecedented taking of private, employer property. The two Republican appointees filed vigorous dissents. The NLRB held that Section 7 statutorily protected communications (e.g., communications about labor organizations, wages or other workplace issues) between employees on nonworking time must be permitted by employers that have chosen to provide employees email accounts hosted on the employer’s email servers. In the ruling, the NLRB stated that Register Guard initially got the issue wrong because it undervalued employees’ Section 7 rights and placed too much emphasis on employers’ property rights. Additionally, the majority opined, Register Guard incorrectly analogized company email to company-related equipment (e.g., bulletin boards, copy machines, public address systems, etc.). The NLRB previously determined in an unrelated case that employers could place restrictions on company-related equipment, given its physical size and content limitations. But, for purposes of the current case, the NLRB concluded that this analogy “inexplicably failed to perceive the importance of email as a means by which employees engage in protected communications.” Moreover, the majority noted that since Register Guard was decided seven years ago, the importance of email as a means for communication has only increased, further intensifying the error of the Register Guard decision.

The Purple Communications ruling, of course, turns Register Guard on its head. However, the NLRB attempted to make its ruling seem more palatable by proffering several caveats in its general repudiation of Register Guard. First, the Purple Communications ruling applies only to employees who already have been granted access to an employer’s email system in the course of their work. Accordingly, the ruling does not require employers to provide employees access to the employer’s email system in the first place. Second, employers can still ban all non-work-related use of email, including Section 7 email use on nonworking time, if the employers can demonstrate that special circumstances make the ban necessary to maintain “production or discipline.” Additionally, absent justification for a total ban of non-work related email on non-working time, employers may still limit employees’ use of the employer’s email system as long as the limitations are applied uniformly and are necessary to maintain “production and discipline.” Unfortunately, the NLRB stated that the circumstances in which a ban would be justifiable would be “rare.”

In a further effort to placate the anticipated employer reaction to the decision, the majority also stated that its ruling did not apply to non-employees, and that employers could lawfully monitor employee email use as long as doing so fell within the ordinary scope of their email system monitoring policies. This effectively means that employers may not increase their monitoring during a labor “organizational campaign” or “focus its monitoring efforts on protected conduct or union activists” or otherwise enhance their monitoring efforts to stymie protected activity. But, employers may continue to tell their employees that they monitor, or at least reserve the right to monitor, computer and email use for legitimate business reasons. Further, the ruling does not change the general rule that employees have no expectation of privacy when they utilize their employer’s email systems. Thus, even though employees’ use of their employer’s email systems for Section 7 purposes is now protected, employers can still monitor their employees’ use of the email system and also advise employees that they are doing just that.

Finally, regardless of the far-reaching impact of its decision, the NLRB did note that its Purple Communications decision would not prevent an employer from establishing uniform and consistently enforced restrictions. These restrictions could include, for example, prohibitions on large attachments or audio/video segments, if the employer could demonstrate that, left unregulated, the employee actions would interfere with the email system’s efficient functioning.

The upshot of the Purple Communications ruling is that employers should review their email system policies. In some cases, employers may want to eliminate email system usage by employees whose jobs do not require the use of email. Otherwise, employers need to ensure they apply their email system policies, including monitoring, uniformly and consistently. Finally, it never hurts to very clearly remind employees that they have no expectation of privacy when they use company email systems, even if they are engaging in Section 7 protected activities.

While some employers may modify their rules that the email system is to be used for business purposes only to read that “With the exception of communications regarding wages, hours, working conditions and unions, our email system may be used only for business purposes,” other employers may wait to see if the federal appellate courts embrace this departure from decades of NLRB and judicial precedent.

A company faced with a security breach has a lengthy “to do” list, things to accomplish with respect to its incident response plan. It must, among other things, determine the root cause of the vulnerability or breach, investigate and eliminate the vulnerability or breach, determine the full nature and extent of the breach, determine who to notify and finalize the notifications.

If the American Postal Workers Union (APWU) has its way, a unionized employer facing a security breach involving employee personal information would have yet another responsibility – bargaining over the impact of or response to the security breach.

The complaint asserts that the United States Postal Service sent notice of the breach to employees on November 10, 2014, and offered the employees free credit monitoring for 1 year, but “did not give the Union advance notice that would enable it to negotiate over the impact and effects of the data breach on employees.” The Union’s complaint further states that by providing free credit monitoring, the USPS made a unilateral change in wages, hours and working conditions. Under the various state database security notification laws and the HITECH provisions of HIPAA, employers that encounter a breach of personal information regarding employees must, absent certain exceptions, notify the affected employees (or for a HIPAA breach, plan participants), as well as potentially notify regulators and others.

There is no legal requirement in the United States that companies must consult with their employees regarding the investigation and/or impact of a security breach involving employee data. In fact, it is important that information concerning potential security incidents be maintained confidential so that the investigation is not compromised. Therefore, the APWU is taking a novel, unprecedented stance in claiming that the USPS had an obligation to be at the table and bargain over what actions USPS would take with respect to investigating and/or remediating a breach.

Although it will be several months (at the earliest) before the NLRB issues any type of ruling or guidance on this matter, employers should consider this type of communication should a data breach occur. In other words, while not legally required, it is certainly important and prudent for a company to consider all stakeholders in determining how to respond to a security breach. The goodwill of a company, and its relationships with employees and customers, are extremely valuable.

Since the wrong internal or external communications concerning a breach can have a significant impact on how actual and potential customers and employees, as well as shareholders, perceive the company, we recommend that every incident response plan include a company’s public relations and communications experts in order to make sure that the proper groups are properly informed as to the status of a security incident and the measures a company is taking to protect affected individuals.

This week, the Connecticut Supreme Court issued an opinion which upheld a state common law negligence action against a healthcare provider for violation of privacy and confidentiality laws and regulations using as evidence of the standard of care the Health Information Portability and Accountability Act (HIPAA) and its accompanying regulations. The court denied defense arguments that HIPAA, which expressly does not provide a private right of action, preempts such state law negligence claims.

The plaintiff was a patient of the defendant and had been provided with a copy of defendant’s privacy policy, which provided that protected health information would not be released or disclosed without the patient’s authorization. Shortly thereafter, the plaintiff’s ex-boyfriend filed suit against the plaintiff and served defendant with a subpoena requesting patient’s medical records. Defendant responded to the subpoena by filing the plaintiff’s medical record with the court, but did not notify the plaintiff. The plaintiff alleged that, as a result of this disclosure, she suffered harassment and extortion from her ex-boyfriend. The trial court initially ruled for the defendants, stating that HIPAA preempted any state statutory or common law claims related to HIPAA violations.

While acknowledging that it was “well settled” law that HIPAA creates no private right of action, the Connecticut Supreme Court reversed the trial court’s decision, noting that the plaintiff was not asserting a statutory right or a private right of action under HIPAA, but rather was making a common-law negligence claim with HIPAA informing the standard of care. The court, in reviewing HIPAA’s preemption provisions, which apply to “contrary” provisions of state law and exempt “more stringent” state laws, concluded that HIPAA did not preempt a state common law theory of negligence. The court found that HIPAA was appropriately used to inform the standard of care applicable to such a negligence theory on the basis that HIPAA now sets standards for health information privacy and confidentiality among health care providers. The court was able to identify multiple decisions in both federal and state courts throughout the country which came to similar conclusions regarding HIPAA’s failure to preempt common law claims of negligence.

This is an important decision that reflects how HIPAA non-compliance or breach can be used to establish claims of negligence based on breach of applicable standards of care extending to not only “covered entities” such as health care providers, insurers or clearinghouses, but also those organizations that do business with Covered Entities as Business Associates. Based on the Connecticut decision and other similar cases throughout the country, there is a likelihood we will see an increased number of claims using state common law negligence actions based on unauthorized release or disclosure of the plaintiff’s protected health information, or even an inadvertent breach, if appropriate physical and technological safeguards were not in place as required by federal and state privacy laws.

The case is Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (SC 18904).

Seyfarth Intellectual Property, Trade Secret and Privacy attorneys are participating in the 39th Annual Intellectual Property Institute Conference in Garden Grove, California this week.

The IP Institute brings together preeminent speakers from leading companies and law firms to share tips “from the trenches.” The Institute covers a great array of topics affecting our clients, such as trademarks, copyrights, licensing, litigation, entertainment law, right of publicity, trade secrets, sweepstakes, social media, ADR, privacy, and technology law, as well as a separate patent law track.

Los Angeles Partner Robert B. Milligan will be moderating a panel on “Cybersecurity and Protecting Valuable Trade Secrets and Confidential Information While Balancing Innovation and Employee Mobility,” and Sacramento Partner James D. McNairy will be presenting “Hot Topics in California Trade Secrets Law,” on Thursday, November 6, 2014.

Seyfarth will have a staffed table at the event; Seyfarth attorneys Yandi Fashu-Kanu, Alan M. Lenkin, James D. McNairy, Robert B. Milligan, Puya Partow-Navid, Joshua Salinas, Eugene Suh and Kenneth L. Wilton are scheduled to attend and participate.
