Privacy and Data Security

Italian Data Protection Authority’s Guide on Cloud Computing

by Martino Sforza

The Italian Data Protection Authority (DPA) has published a guide on cloud computing, "How to Protect Your Data Without Falling From a Cloud," which contains useful recommendations on how to select and appoint cloud providers and vendors of data management and storage services.  This is the first official guidance issued by the Italian DPA in response to the fast-growing use of cloud services in Italy, and it may be of particular interest to employers who outsource their data systems to cloud service providers.  The guide offers an overview of the potential issues linked to the various types of cloud services, whether they are managed on public, private or hybrid clouds.  Under Italian law, cloud providers are appointed as data processors, while employers act as data controllers and will be liable for any wrongdoing committed by the data processors.  Employers are therefore well advised to negotiate appropriate terms for the management of the "cloud-based" data and to make sure that adequate technical and organizational measures are in place to avoid possible loss or unauthorized disclosure.

Click here to read the full guide on the Italian DPA website.  


Binding Corporate Rules as a Global Solution for Data Transfer

by Rohan Massey and Heather Egan Sussman

All multinational companies are constantly transferring data relating to identified or identifiable human beings (data subjects).  Data is moved between different parts of the same business and to and from suppliers, customers and other third parties.  When such data moves between countries, the laws of multiple countries may become relevant, potentially including a multinational business within their jurisdiction when that multinational acts as a data controller determining the purposes, conditions and means of processing involved.  This also renders the business vulnerable to potential penalties for breaches of the law.  One way to manage the ongoing problems of moving data across the world is to introduce Binding Corporate Rules (BCRs) to govern global data transfer.

To read the full article, click here.

Alison Wetherfield, former partner, also contributed to this article.


Save the Date: Privacy and Data Protection Webcast Series

In the quickly changing regulatory environment of digital privacy, an organization’s data privacy stakeholders need to understand the latest legal developments and risks their organizations face—or will face—globally.

McDermott Will & Emery is pleased to offer this complimentary three-part webcast series for professionals with data privacy responsibilities that will take a look at the legal developments in 2012 and provide a sneak peek at what new regulations may come in 2013.

Save the Date

Part I. U.S. Office for Civil Rights Finalizes Amendments to HIPAA Regulations to Implement HITECH Act
Following the issuance of regulations

Part II. Hot Topics in Workplace Privacy around the Globe
September 20, 2012

Part III. Data Privacy Year in Review
December 6, 2012

Further information on each webcast is forthcoming.

For more information, please contact McDermott Events.


FTC: Employers Who Buy Profiles from Data Brokers to Supply Profiles on Applicants or Employees Must Comply with the FCRA

by Jennifer S. Geetter, Heather Egan Sussman and Carla A. R. Hine

We recently released a Hot Topic that details the Federal Trade Commission’s (FTC) settlement with Spokeo, Inc.  Spokeo collected information about individuals from online and offline sources to create profiles that included contact information, marital status, age range and, in some cases, a person’s hobbies, ethnicity, religion, participation on social networking sites and photos that Spokeo attributed to a particular individual.  Spokeo marketed these profiles to companies in the human resources, background screening and recruiting industries as information to serve as a factor in deciding whether to interview or hire a job candidate.  The FTC concluded that Spokeo acted as a consumer reporting agency and thus violated the Fair Credit Reporting Act (FCRA) by: (1) failing to ensure the consumer reports it sold were used for legally permissible purposes; (2) failing to ensure that the information it sold was accurate; and (3) failing to inform users of Spokeo’s consumer reports of their obligations under the FCRA.  Spokeo agreed to pay $800,000 and to comply with the FCRA going forward, among other things.

There is an important message for employers in this settlement:  If you receive profile information from data brokers and use that information in making employment decisions, the FCRA applies.  And while this enforcement action focused on the data broker, the FTC could turn next to offending employers.  The FTC has published guidance on how to avoid an enforcement action in these circumstances and comply with the FCRA: Using Consumer Reports: What Employers Need to Know.  Employers should also check the state laws that may apply, because some states restrict the use of such reports for employment purposes.


Acting General Counsel of the NLRB Issues Second Report on Social Media

by Heather Egan Sussman, Linda Doyle and Sabrina Dunlap

On Wednesday, January 25, 2012, National Labor Relations Board (NLRB) acting General Counsel Lafe Solomon released a second report describing social media cases reviewed by his office.  The report (an Operations Management Memo) addresses 14 cases related to social media and employer social media policies.

Many of the cases reviewed involved employees who had been discharged after they posted comments on Facebook. The general counsel found that a number of the terminations were improper because employees had engaged in protected activity and their terminations arose from unlawful employer policies. However, the general counsel upheld several terminations – despite overly broad employer policies – where the employees involved were not engaged in protected activity and had merely posted general complaints or individual gripes unrelated to working conditions or wages.

The report emphasizes two key points made in an earlier report in August 2011: 1) Employer policies should not be so broad that they prohibit activity protected by federal labor law, such as the discussion of wages or working conditions; and 2) an employee’s comments on social media sites will generally not be protected if they are simply complaints unrelated to working conditions or wages that impact a group of employees.

There are three cases involving social media questions currently pending before the NLRB and those decisions will likely give further guidance on acceptable employer social media policies. 

In addition, McDermott partner Heather Egan Sussman will be speaking with Lafe Solomon and Edward Loughlin (EEOC) on this topic at the International Association of Privacy Professionals (IAPP) Global Privacy Summit on Wednesday, March 7, 2012.


McDermott Releases An Employer’s Guide To Implementing EU-Compliant Whistleblowing Hotlines

by Heather Egan Sussman and Alison Wetherfield

Companies listed on U.S. stock exchanges are required under the Sarbanes-Oxley Act to establish a system for employees to internally report concerns over questionable auditing or accounting matters. These systems are often referred to as “whistleblowing hotlines”. When setting up hotlines around the globe, however, employers must be mindful of the European Union (EU) privacy regime. Previously, some EU regulatory authorities intimated that such hotlines could never be acceptable in their jurisdictions. Public company employers were left, therefore, with the unfortunate choice of foregoing the hotline and potentially violating Sarbanes-Oxley, or implementing the hotline and potentially violating EU privacy laws.  

Over the past few years, however, a framework has developed, at both the EU level and among the member states, that provides guidance on how employers may lawfully implement such a hotline throughout most of the European continent. McDermott just released an article outlining a checklist of basic principles for public company employers to follow so they can stay within this framework. As explained in more detail in the article found here, these principles include: 

1. Encourage “confidential” rather than “anonymous” reporting
2. Set up a filtration system
3. Ensure confidentiality and data security
4. Limit the nature and scope of the processed data
5. Ensure compliant transfers of data outside of the EEA
6. Retain and destroy data according to local requirements
7. Give employees the right of correction
8. Inform employees about the program
9. Follow authorization procedures

By observing these basic principles when setting up a whistleblowing hotline in the EU, and by following the other best practices detailed in the full article, public companies can best position themselves to mitigate the risk of an enforcement action on both sides of the pond. 


New Connecticut Law Limits Employer Access to Employee Credit Data

by Heather Egan Sussman, Stephen D. Erf and Sabrina E. Dunlap

Adding to the growing number of states limiting employers’ use of credit reports (including Hawaii, Washington, Oregon, Illinois and Maryland), Connecticut recently passed Public Act No. 11-223 restricting employer use of credit reports and credit history for employees or job applicants.  The Connecticut law goes into effect October 1, 2011, and prohibits employers from requiring an employee or job applicant to consent to a request for a credit report “as a condition of employment.”  This includes reports that contain information about credit score, credit account balances, payment history, savings or checking account balances, or savings or checking account numbers.

The law has four exceptions.  Paraphrasing from the law, employers may request credit data if:

  1. The employer is a financial institution;
  2. A report is required by law;
  3. The employer reasonably believes that the employee has engaged in specific activity that constitutes a violation of the law related to employment; or
  4. Either (a) a report is substantially related to the job or (b) the employer requests the credit report for a bona fide purpose that is “substantially job-related” and discloses this purpose in writing to the employee or applicant.

Regarding the last exception, the law broadly defines “substantially related to the job” to mean that the information contained in the credit report is related to the following: a managerial position that involves setting direction and control of the business; a position that involves access to customers, employees or the employer’s personal or financial information (other than retail transaction information); involves a fiduciary responsibility to the employer; provides an expense account or corporate debit or credit card; provides access to confidential or proprietary business information; or involves access to the employer’s nonfinancial assets valued at $2,005 or more, including but not limited to, museum and library collections and to prescription drugs and other pharmaceuticals.

Job applicants and employees may lodge complaints alleging violations of the law with the Connecticut Labor Department.  Employers will be liable to the Labor Department for a civil penalty of $300 for each improper request for a credit check.  The Connecticut Attorney General can bring civil actions to recover penalties assessed by the Labor Department.

As a result of these new restrictions, Connecticut employers should review hiring policies, and other policies that require employee credit information, and prepare to comply with the law by October 1, 2011.


Companies Should Brace Themselves: It’s Going To Be Easier and Faster to Unionize America

by Stephen D. Erf, Heather Egan Sussman and Sabrina E. Dunlap

Recently, the National Labor Relations Board (NLRB) proposed new rules purportedly intended “to reduce unnecessary litigation” and streamline pre- and post-election procedures.  The bottom line is that these new rules, if adopted, will make it easier to unionize American workforces.  One way the new rules “streamline” the unionization process is by requiring the exchange of timely information, including employee contact data and required forms.  The proposed rules also aim to defer potential litigation until after an election has been held, so that proceedings related to litigation do not slow down the election process, which will limit the opportunity for the employer to present its views regarding the issues.  Given these proposed rules, American businesses may well step up union avoidance efforts.

The U.S. Department of Labor (DOL) simultaneously has released a new proposed rule that appears designed to discourage such union avoidance efforts.  Under this proposed rule, an existing exemption from certain disclosure requirements for “advice” would be significantly narrowed, such that employers would be required to disclose arrangements with consultants that draft communications on behalf of an employer designed to “directly or indirectly persuade workers concerning their rights to organize or bargain collectively,” even when the consultants do not contact employees directly.  Under the proposed rule, the DOL said employers should disclose information about “union avoidance” seminars and trainings offered to employers by lawyers or labor consultants, because these seminars “involve reportable persuader activity.”  The DOL is warning employers against classifying such seminars as “advice” to avoid disclosure under the exception.

The combined NLRB and DOL efforts appear to be a governmental one-two punch aimed at American business – they make it easier for unions to organize workplaces on the one hand, and discourage union avoidance efforts on the other. Fortunately, however, we suspect corporate America will not be so easily discouraged, because it could be far more costly for companies to skip the union avoidance training, now that the NLRB has helped grease the skids toward organizing American workplaces. On balance therefore, we expect companies still will elect to move forward with the training, and just be mindful of their disclosure obligations, assuming these proposed rules go into effect.


Recent NLRB Activity Zeroes In On Social Media Policies

by Stephen D. Erf, Heather Egan Sussman, Christopher Scheithauer and Sabrina E. Dunlap

The law is not new – it’s just being applied to our newest forms of communication:  Twitter, Facebook and others.  Even the legal framework is relatively straightforward: Section 7 of the National Labor Relations Act (NLRA) protects “concerted activities,” which include circumstances where employees seek to “initiate or induce” group action for “mutual aid or protection.” In today’s workplace, activities such as blogging, or posting messages on social networking websites, can be considered concerted activity, and unless the activity falls within one of the exceptions to the NLRA’s protections (e.g., confidentiality breaches, extreme disloyalty, etc.), the law limits an employer’s control over what employees may write and post. 

In one recent case, the National Labor Relations Board (Board) accused American Medical Response of Connecticut Inc. (AMR) of violating Section 7 when it terminated an employee for allegedly criticizing her boss on Facebook. In its complaint against AMR, the union argued that the company had been interfering with, restraining and coercing employees in exercising their protected rights under Section 7 of the NLRA. The parties reached a settlement on the eve of trial, which required AMR to clarify and narrow its policy.

Even more recently, the Board’s Manhattan office has announced plans to file a complaint against Thomson Reuters over its Twitter policy.  In 2010, an employee reportedly tweeted in response to a management inquiry, “One way to make this the best place to work is to deal honestly with [union] members.”  The Board claims the company then improperly disciplined her pursuant to the Twitter policy by chastising her for making the statement.

While we will have to wait for the complaint to see exactly what the Board takes issue with (and the company denies the allegations), this case involves a union, so it is easier for an employer to see the potential for NLRA landmines in that workplace.  But what many employers do not realize is that Section 7 applies equally to nonunionized workforces.

In the wake of these NLRB complaints, what does this mean for all U.S. employers?  If you have not already done so, you should be reviewing your social media policy:

  • You CAN prohibit employees’ use of social media during work time.
  • You CANNOT include a blanket prohibition on critical comments.
  • You CAN prohibit disparaging comments about company products or services.
  • You CANNOT ominously threaten sanctions or termination for activities that could arguably be protected.
  • You CAN take a tone that focuses more on using good judgment and common sense.

In addition, an overly broad or vague policy alone may violate the NLRA, so you should consider taking steps now to narrow and clarify your policy to avoid becoming the next Board target.


Final EEOC Regulations for the ADA Amendments Act, Published on March 25, 2011

by Heather Egan Sussman and Stephen Erf

The Equal Employment Opportunity Commission (EEOC) recently released the final regulations intended to simplify implementation of the Americans with Disabilities Act Amendments Act (ADAAA). In the ADAAA, which went into effect on January 1, 2009, Congress directed the EEOC to revise its Americans with Disabilities Act (ADA) regulations to conform them to changes made by the ADAAA. Though the ADAAA and these final regulations do not change the definition of a covered “disability” under the ADA—a physical or mental impairment that substantially limits one or more major life activities—the ADAAA and the final regulations made significant changes to how those terms are to be interpreted. In particular, the regulations set forth a list of principles to guide the determination of whether a person has a disability, and provide that the definition should be construed as broadly as possible under the law. The most significant changes to the ADA are as follows:

  • The principles outlined in the final regulations provide that an impairment is a disability if it “substantially limits” the ability of an individual to perform a major life activity as compared to most people in the general population.
  • “Mitigating measures” such as medication and assistive devices must not be considered when determining whether someone has a covered disability – so, if an employee’s condition would qualify without medication or assistive devices, then the person should be considered to have a covered disability (interestingly, this does not include the ordinary use of contact lenses or eyeglasses).
  • Physical and mental impairments that are episodic (such as epilepsy) or in remission (like cancer) are disabilities if they could be “substantially limiting” when active.
  • The final regulations explain that the term “major life activities” includes “major bodily functions,” such as the immune system, normal cell growth, and brain and endocrine functions.

The final regulations state that the question of whether an individual meets the definition of disability should not demand “extensive analysis,” and that the focus in cases brought under the ADA should be whether covered entities have complied with their non-discrimination and reasonable accommodation obligations and whether discrimination has occurred, not whether the individual meets the definition of a covered disability. The intended effect of these changes is to make it easier for an individual seeking protection under the ADA to establish that he or she has a disability within the meaning of the ADA, though whether that is true in practice, and how the EEOC chooses to enforce the changes, remains to be seen.
