Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • Upcoming Privacy Events

    Posted on December 20th, 2011 Privacy and Data Protection Practice Group No comments

    Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

    Date: January 11, 2012
    Conference: BNA
    Location: Webinar
    Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
    Description: With employees demanding the ability to use their personal smartphones and tablets for business purposes, and employers looking for new ways to reduce cost and increase productivity, the trend toward “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations on both the legal and the information security side, so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
    For more information and to register, please visit: www.bna.com/own-device-19107/.

    Date: February 1, 2012
    Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
    Location: The Westin Washington, DC City Center, Washington D.C.
    Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
    Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

    • Raise employee awareness and educate employees in the handling of sensitive data
    • Safeguard company equipment and wireless devices and minimize damage in the event of a breach
    • Protect corporate networks from the use of multiple portable devices while preserving employee rights
    • Establish policies and procedures to strengthen and maintain data security

    For more information and to register, please click here (pdf).

    Date: February 9-10, 2012
    Conference: Littler Global Employer – Latin America Conference
    Location: Miami, Florida
    Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
    Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
    For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

    Date: March 9, 2012
    Conference: IAPP Global Privacy Summit
    Location: Washington Marriott Wardman Park, Washington D.C.
    Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social Media, Criminal History and Credit Checks”
    Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
    For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.

    Photo credit: CrackerClips

  • "Social Checks" Come of Age: What Does It Mean for Employers?

    Posted on July 11th, 2011 Privacy and Data Protection Practice Group No comments

    By Philip Gordon

    Last month, the Federal Trade Commission (FTC) published a letter closing its investigation into whether an “Internet and social media background screening service used by employers in pre-employment background screening” complied with the Fair Credit Reporting Act (FCRA). At first blush, the letter appears to be a non-event. The FTC did not impose a penalty, but it admonished that its “action is not to be construed as a determination that a violation may not have occurred.” While not much can be drawn from this equivocal result, the FTC’s letter does contain the following important conclusion: the “social check” service in question, known as Social Intelligence, “is a consumer reporting agency because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.” Put into plain English, employers that rely on a social check service, like Social Intelligence, to search social media for information about job candidates must comply with the FCRA.

    This conclusion likely will have an impact on a substantial number of employers. According to a recent study by the Society for Human Resource Management (SHRM), more than 50% of employers are relying on social media for recruitment purposes, up from 34% in 2008, and another 20% plan to use social media for recruiting in the future. The SHRM study does not address the percentage of employers that conduct these searches exclusively in-house, in which case the FCRA would not apply, as compared to those that rely on a third-party service, in which case the FCRA likely would apply. However, the fact that the social check space is beginning to fill with new enterprises, like Social Intelligence, suggests that the number of employers relying on third parties to conduct social checks has grown significantly.

    When the FCRA does apply, employers will need to take the following steps vis-à-vis any applicant who is the subject of a social check. First, review the notice and authorization currently provided to applicants before more traditional background checks are conducted to ensure that those documents encompass social media searches. Second, ensure that applicants who may be eliminated from consideration based in whole or in part on the results of a social check receive a pre-adverse action notice which provides the applicant with the report received by the employer, the FTC’s “A Summary Of Your Rights Under the FCRA,” and an opportunity to dispute the apparently adverse information with the service provider which ran the social check. Third, upon rejecting the applicant, send a final adverse action notice to the applicant containing the language required by the FCRA.

    These legal compliance requirements are straightforward enough, but they, and in particular, the pre-adverse action notice requirement, highlight vexing practical issues: What social media information should be reported in the first place? Is the information relevant to the hiring decision? Is the information reliable? There can be no question that social media posts may contain information that employers may not lawfully consider when vetting an applicant, such as disability, protected and lawful off-duty conduct, or genetic information. There also can be no question that social media posts often contain information that warrants rejection of a candidate. According to a recent study by the Society of Corporate Compliance and Ethics, more than 40% of respondents had disciplined an employee based on his or her social media conduct. However, these two groups of information set only the polar extremes; employers still must determine what, if anything, will be reported concerning the vast range of social media content falling in the middle and how they will fairly evaluate that information. Social Intelligence, for example, notes on its Web site that its customer set-up tools leave to the employer responsibility for “defining screening filters (for evaluating individuals) and redaction criteria (for censoring information).”

    Reliability is another critical issue for employers using social media to evaluate job candidates. In the case of more traditional pre-employment screening, the nature of the information itself engenders a higher probability, albeit not certainty, that information is accurate. Court systems, educational institutions, and employers, for example, have an inherent interest in maintaining accurate records for their own legitimate business purposes. By contrast, social media are replete with false, doctored, and biased information about others. Social Intelligence suggests a solution to this issue by noting on its Web site that it reports “only information the applicant has created himself.” However, completely eliminating social media information posted by third persons arguably reduces the effectiveness of a social check to some extent. Perhaps more importantly, social media posts apparently created by the author can be forged. I have recently counseled clients on two separate occasions where employees denied having posted on their Facebook wall negative information about the employer or co-workers, credibly claiming that others had stolen their log-in credentials or hacked into their account.

    The absence of any inherent reliability in most social media information emphasizes the importance of providing applicants with a pre-adverse action notice even when there is no legal obligation to do so. Employers easily could lose potentially outstanding employees by relying on social media content that is false, misleading or inaccurate. Even if apparently adverse information turns out to be accurate and true, the applicant’s explanation of that information could demonstrate maturity and honesty as opposed to evasiveness and bad character.

    With use of social media for hiring becoming increasingly common, human resources professionals and in-house employment counsel need to scrutinize their organization’s use, or potential use, of this new tool and answer several challenging questions. Most importantly, how should social checks supplement more traditional means of vetting applicants’ credentials and pre-employment screening for adverse information? What types of information does the organization need and how will that information be weighted? Next, will the information be gathered through in-house resources or an external service provider, such as Social Intelligence? If the latter, how will FCRA compliance be worked into the social check process? Finally, particularly given the newness of social checks, employers should evaluate them at least annually with one key question in mind: Have the social checks improved the effectiveness of the organization’s hiring process and the quality of new hires?

    Photo credit: robas

  • FTC confirms that all health providers have to comply with Red Flags Rule

    Posted on March 5th, 2009 Team No comments

    The Federal Trade Commission (FTC) confirmed, on 4 February 2009, that physicians and other medical providers have to comply with the identity theft prevention regulation, the Red Flags Rule.

    The FTC’s confirmation addresses a challenge raised by the American Medical Association (AMA) in November 2008, which questioned the applicability of the rule to medical providers. According to the AMA, medical providers did not fall under the definition of covered entities, namely ‘creditors’ and ‘financial institutions’.

    The FTC Red Flags Rule requires all financial institutions and creditors that have ‘consumer-type accounts’ to implement written identity theft programs to ‘identify, detect and respond to possible risks of identity theft relevant to them’. In a letter to the AMA, the FTC said: ‘[W]e believe that the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payments for goods and services. Physicians, who regularly bill their clients, customers or patients for their services after those services are rendered, are “creditors”’. The FTC referred to the definition of ‘creditor’ under the Equal Credit Opportunity Act, describing it as ‘broad’.

    The AMA also argued that it was unnecessary for medical providers to comply with the Red Flags Rule, given that they already devote substantial resources to complying with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules to ensure the confidentiality and security of their patients’ health data. The FTC responded that the HIPAA rules address the prevention of medical data breaches, but not the prevention and mitigation of the misuse of that information if it were compromised. According to the FTC, the Red Flags Rule would ‘complement rather than duplicate’ the HIPAA rules so that medical identity theft is combated more comprehensively.

    In response to the burden of costs that physicians would face, the FTC said that it did not believe that the Rule would impose significant burdens for most providers: ‘In many cases, that risk may be minimal or non-existent, such that a simple and streamlined program would be adequate’.

    The deadline for compliance with the rule is 1 May 2009.

    http://www.ftc.gov/os/closings/staff/090204amaresponse.pdf