Privacy and Data Security Archives - Page 11 of 22

Privacy and Data Security

Consumer Health Information Update from Both Sides of the Atlantic

by Jennifer S. Geetter and Scott Weinstein | Apr 21, 2015 | Privacy and Data Security

As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.

One of the key questions raised during the FTC’s CHI seminar is: “what is consumer healthinformation”? Information gathered during traditional medical encounters is clearly health-related. Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community. But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased). Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information. Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.

Notably, the FTC is not the only regulatory body struggling with how to define CHI. On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”

The EU’s efforts to define CHI underscore the importance of understanding CHI. The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information. The US does not currently provide universal protections for personally identifiable information. The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps. These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.

The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data – and the need for specific legislation on CHI-related apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.” But, in [...]

Continue Reading

C-Suite – Changing Tack on the Sea of Data Breach?

by McDermott Will & Emery | Mar 24, 2015 | Employment, Privacy and Data Security

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach. This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals. Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years. The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place. Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement. Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout. He advised that each customer or employee with data at risk was being personally and individually notified. In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership. Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks. As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach? Only time will tell but we will be certain to watch with interest.

Employers with Group Health Plans: Have You Notified State Regulators of the Breach?

by Anthony A. Bongiorno and Amy C. Pimentel | Feb 23, 2015 | Health and Welfare Plans, Privacy and Data Security

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

Read the full article.

McDermott Predictions for 2015 on Employee Social Media Accounts

by McDermott Will & Emery | Feb 19, 2015 | Employment, Privacy and Data Security

In 2015, I predict an increased focus on employees’ rights regarding their personal social media accounts. Since 2012, individual states have enacted laws prohibiting employers from requesting access to their employees’ (or job applicants’) personal social media accounts. In 2014 alone, six states enacted such laws, bringing the total number of states with this type of legislation to 18. (Click here for additional analysis of the impact of these laws on employers.)

In addition to individual states’ laws, I expect clarification on a national level regarding employer policies and actions related to employees’ personal social media accounts. In the past year, the National Labor Relations Board (NLRB) has started to focus on whether employer policies regarding employee social media accounts are consistent with the National Labor Relations Act (“Act”). The Act prohibits employers from interfering with employees who come together to discuss their employment for the purpose of collective bargaining or other mutual aid or protection. According to the NLRB, employees’ comments on their personal social media accounts can constitute protected activity under the Act. One recent NLRB case involved two employees who posted on their Facebook accounts about the employers’ alleged failure to correctly withhold taxes from their paychecks. The employer terminated the employees because of their comments on their personal social media accounts. The NLRB found that the employee’s comments were protected under the Act, ordered the employer to reinstate the employees, and ordered the employer to clarify its social media policy. The employer is now appealing the NLRB’s determination in court.

I predict not only that more states will enact employee social media account legislation, but also that the NLRB and the courts will provide more guidance on employer restrictions or sanctions related to employee social media use.

A Simplified Norm to Represent an Expanding Power: the Right to Listen in on Employees’ Phone Calls and the Standardization of French Privacy Law

by McDermott Will & Emery | Feb 12, 2015 | Employment, Privacy and Data Security

Since 2001, the French Court of Cassation has made a continuous effort to refine and, in some circumstances, narrow the scope of the right to privacy in the workplace with a view to reaching a fair and balanced approach. The January 6, 2015 declaration of the French Data Protection Authority (CNIL) further highlights this trend towards the standardization of information collection at work, and serves to clarify and expand the right of employers to listen in on employees’ phone calls at work.

Background

In the landmark 2001 “Nikon Case,” the Court of Cassation ruled that “an employee has the right to the respect of his private life – including the right to the secrecy of correspondence – on the work premises and during working hours.” This announcement was qualified, however, and the court further refined that unless marked by the employee as “private,” the documents and files created by an employee on a company-computer for work purposes are presumed to be professional, which means that the company can access those documents and files without the employee’s presence. This can lead to an employer using such emails against an employee in the case of employment termination. Nonetheless, employers have an obligation under privacy and labor laws to inform employees about the collection and use of their personal data.

Building off of this decision, in October 2014, the French Social Supreme Court held that evidence gathered against an employee from data that had not previously been declared to and registered with CNIL was de facto illegal.

The French Labor Code and the French Data Protection Act both stipulate rules for the use of monitoring software by employers in the event that an employer wishes to establish such mechanisms. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software and make a formal declaration of the proposed monitoring activities to CNIL.

CNIL Declaration: Movement Toward a Simplified Norm

Continuing this trend, the declaration issued by the CNIL on January 6, 2015, further demonstrates not only how important the CNIL is, but also how the area of data protection is evolving and become more standardized in France.

This recent declaration established that employers wishing to record their employee’s telephone communications must first declare such information by filling out a simplified declaration form in lieu of a normal declaration form. After effectuating this simplified declaration, an employer will have the ability to listen to and record employee conversations for the purpose of employee training, evaluation and betterment of the quality of service.

While this declaration serves to grant employers permission to monitor employees, it also imposes upon them a number of restrictions: (i) the employee must be notified and informed of his or her right to refuse such recordings and (ii) the employee may only keep recordings for a period of six months. The information gathered from such recordings, however, may be kept for a reasonable period of time.

The issuance [...]

Continue Reading

Wearable Technologies Are Here To Stay: Here’s How the Workplace Can Prepare

by McDermott Will & Emery | Sep 23, 2014 | Privacy and Data Security

More than a decade ago, “dual use” devices (i.e., one device used for both work and personal reasons) began creeping into workplaces around the globe. Some employees insisted on bringing fancy new smart phones from home to replace the company-issued clunker and, while many employers resisted at first, dual use devices quickly became so popular that allowing them became inevitable or necessary for employee recruitment and retention, not to mention the cost savings that could be achieved by having employees buy their own devices. Because of early resistance, however, many HR and IT professionals found themselves scrambling in a reactive fashion to address the issues that these devices can raise in the workplace after they were already prevalent. Today, most companies have robust policies and procedures to address the risks presented by dual use devices, setting clear rules for addressing privacy, security, protection of trade secrets, records retention and legal holds, as well as for preventing harassment, complying with the National Labor Relations Act (NLRA), protecting the company’s relationships and reputation, and more.

In 2014, there is a new trend developing in the workplace: wearable technologies. The lesson to be learned from the dual use device experience of the past decade: Companies should consider taking proactive steps now to identify the risks presented by allowing wearables at work, and develop a strategy to integrate them into the workplace in a way that maximizes employee engagement, but minimizes corporate risk.

An effective integration strategy will depend on the particular industry, business needs, geographic location and corporate culture, of course. The basic rule of thumb from a legal standpoint, however, is that although wearables present a new technology frontier, the old rules still apply. This means that companies will need to consider issues of privacy, security, protection of trade secrets, records retention, legal holds and workplace laws like the NLRA, the Fair Labor Standards Act, laws prohibiting harassment and discrimination, and more.

Employers evaluating use of these technologies should consider two angles. First, some companies may want to introduce wearables into the workplace for their own legitimate business purposes, such as monitoring fatigue of workers in safety-sensitive positions, facilitating productivity or creating efficiencies that make business operations run more smoothly. Second, some companies may want to consider allowing “dual use” or even just “personal use” wearables in the workplace.

In either case, companies should consider the following as part of an integration plan:

Identify a specific business-use case;
Consider the potential for any related privacy and security risks;
Identify how to mitigate those risks;
Consider incidental impacts and compliance issues – for instance, how the technologies impact the existing policies on records retention, anti-harassment, labor relations and more;
Build policies that clearly define the rules of the road;
Train employees on the policies;
Deploy the technology; and
Review the program after six or 12 months to confirm the original purpose is being served and whether any issues have emerged that should be addressed.

In other words, employers will need to run through a similar [...]

Continue Reading

OCR to Begin Phase 2 of HIPAA Audit Program

by Edward G. Zacharias and Daniel F. Gottlieb | Aug 26, 2014 | Health and Welfare Plans, Privacy and Data Security

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike the pilot audits during 2011 and 2012 (Phase 1 Audits), which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates. The Phase 2 Audit Program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive noncompliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards. The Phase 2 Audits are also intended to identify best practices and uncover risks and vulnerabilities that OCR has not identified through other enforcement activities. OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates. In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

The following sections summarize OCR’s Phase 1 Audit findings, describe the Phase 2 Audit program and identify steps that covered entities and business associates should take to prepare for the Phase 2 Audits.

Read the full article.

More States Restrict Employers’ Access to Employees’ Social Media Accounts

by McDermott Will & Emery | Aug 7, 2014 | Employment, Privacy and Data Security

As first discussed in McDermott Will & Emery’s Privacy and Data Protection 2013 Year In Review, state legislatures are enacting laws limiting employers’ ability to access the social media accounts of their employees.

Thus far in 2014, four more states – Louisiana, Oklahoma, Tennessee and Wisconsin – have enacted social media legislation, bringing the total number of states with such legislation to 16.

How State Social Media Laws Effect Employers

Generally, state social media laws bar employers from requiring or requesting that an employee or applicant provide log-in credentials for his/her personal social media account. Some of these state social media laws also prohibit an employer from requiring an employee to add another employee or supervisor to a social media account “friends” or contacts list or to access personal social media accounts in the employer’s presence. Many of the state social media laws also prohibit employers from basing adverse employment action on an employee’s refusal to comply with an employer’s request for social media account access.

While these laws offer employees added protection with respect to their personal social media accounts, most of the laws feature important carve-outs. Among other exceptions, most state social media laws allow employers to: access publicly-available social media about employees, restrict employees’ access to social media during work hours and conduct certain types of employment-related investigations that may involve an employee’s social media account(s).

Notably, all four of the recently-enacted laws allow employers to monitor the social media activity of employees when employees access their social media accounts through employer-provided IT systems.

Compliance Tips

Since the terms of state social media laws vary, employers should consider establishing and following basic guidelines to ensure compliance with the myriad laws. Key steps are:

Updating employer policies to clarify state-specific restrictions related to employee access to personal social media accounts through employer-provided information systems; and
Providing training to managers, Human Resources and IT professionals about the conduct prohibited by the different state social media laws.

Supreme Court Prohibits Warrantless Mobile Phone Searches, Underscores Individual Right to Privacy

by David Quinn Gacioch | Jul 22, 2014 | Employment, Privacy and Data Security

The Supreme Court of the United States’ recent decision prohibiting warrantless mobile phone searches incident to arrest underscores unique privacy concerns raised by modern technology. The decision has an immediate impact on an individual’s rights under the Fourth Amendment, and may also have an impact on evolving areas of white collar and employment law.

Read the full article.