Upcoming Privacy Events

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up stream. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

• Raise employee awareness and educate employees in the handling of sensitive data
• Safeguard company equipment and wireless devices and minimize damage in the event of breach 
• Protect corporate networks from the use of multiple portable devices while preserving employee rights
• Establish policies and procedures to strengthen and maintain data security

For more information and to register, please click here (pdf).

Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social
Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.

Photo credit: CrackerClips

Your Common Questions On EU Privacy Regulations Answered

The security group at Forrester has been handling a steady stream of client inquiries regarding EU data privacy laws, from both EU and North America clients. While there are many good legal sources out there, we thought it'd be a good idea to compile a list of common Q&A questions about EU privacy laws into a report, to serve as a definitive information source for Forrester clients.

The report, titled: "Q&A: EU Privacy Regulations," is now live on Forrester's website. It is not our intention, by writing this report, to give legal advice. Rather, we envisioned this report to be a repository of the most important information regarding EU privacy laws, updated every 18 months or so. The report has a wealth of information, including links to actual information sources - be that EU's data protection directive web site or interesting studies/analysis done by external parties. For example, one noteworthy study on US Safe Harbor is by Chris Connelly from Galexia consulting. He looked at 2,170 US companies that claimed to be Safe Harbor compliant. Out of these, 940 do not provide information on how to enforce individuals' rights; 388 were not even registered with the US Department of Commerce.

The report also contained information on Model Clauses and Binding Corporate Rules, for which we are beginning to see increased interest. We also discussed new and pending privacy laws in the report, including the EU "cookies" directive and EU's view on geo-location privacy.

We'd love to hear your thoughts on the report, or whether there is anything else that you'd like us to include in a future revision of the report.

Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy

By Philip Gordon

Ever since the HIPAA Privacy Rule first went into effect for larger health plans in April 2003, HR professionals and in-house employment counsel often warn of the proverbial “HIPAA violation” when discussing employee medical information. However, one recent federal decision demonstrates that the greater risk for many employers is a violation of the ADA’s confidentiality requirement, that can protect even false information disclosed by an employee to an in-house physician. The second recent decision highlights a critical limitation on the ADA’s broad confidentiality requirement.

The first case arose out of General Dynamics’ decision to terminate the employment of Guillermo Blanco (Blanco) for failing to disclose his Attention Deficit Hyperactivity Disorder (ADHD) when he responded to the company’s post-offer, pre-hire Medical Surveillance History Questionnaire. According to Blanco’s complaint, the in-house physician with whom Blanco discussed his post-employment request for a reasonable accommodation accused Blanco of failing to disclose his ADHD on the medical questionnaire. Blanco further alleged that the in-house physician discussed Blanco’s allegedly false responses to the questionnaire with management in General Dynamics’ Labor Relations Department. Blanco claimed that General Dynamics terminated his employment as a result of the disclosure. 

Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.

The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.

The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.

The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
 

The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.

The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.

The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.

The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:

[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.

Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.

HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.

This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.

Photo credit: hoch2wo photo & design

Does The Mobile Internet Mean The Death Of User Privacy?

Innovations in mobile technologies are making the mobile Internet increasingly ubiquitous and powerful. Consumers are drawn to the mobile Internet because it can be highly contextual and leverages information such as geo-location, presence, and user-specific information to deliver a rich and intensely personal experience.

As my colleague Julie Ask pointed out in her new report eBusiness: The Future Of Mobile Is User Context, companies that produce consumer products/services will increasingly take user context into account to produce convenient products with relevancy and immediacy for consumers. Already location-aware applications are becoming more and more ubiquitous; our movements as individuals are invariably documented somewhere.

Our phone is packed with sensors that can gather more contextual information about its surroundings than anything we've seen before. Sensors such as GPS, accelerometers, gyroscopes, NFC, and high resolution cameras are now commonplace in smartphones. Emerging sensor technologies like barometer, microbolometers, and chemical sensors will provide even richer user context information.

Soon your phone will not only know where you are, but what you are doing, how fast you are moving -- and if Apple gets their way, the rate your heart beats!

Massachusetts Extends Reach of Data Protection Regulations

By Ellen Giblin

The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.

In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

Although, the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS compliance as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.

What does this mean to my company?

The Judgment by Consent has far reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems, are all covered by these laws and regulations.

What should my company do?

Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords, user access should be limited on a need-to-know basis and removed promptly after an employee is terminated, employees need to be trained on your organization’s information security policies and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.

What are the consequences of not complying?

The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action. 

Photo credit: dra_schwartz 

Apple’s Latest Privacy Woes – The Price To Pay For An “Always Connected” Life?

It was revealed yesterday that iPhones/iPads (with iOS 4.0 or later) have been logging the location information of the device and storing that in a hidden file on the phone or the iPad.

This discovery, presented by researchers Alasdair Allan and Pete Warden, at the O'Reilly Where 2.0 conference this week, has sent shock waves through the high tech community. "What? This file contains my whereabouts for the past year? WTF?" was most people's first reaction when the news broke.

Many iPhone/iPad apps have access to the geolocation of the device, but most only access it at a given point of time and do not attempt to log or create a history file of this information. The discovery that such logs exist begs the question why Apple was logging this data and whether it has any intention of utilizing the information.

I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and verify the location tracking information. Similarly, a credit-protection app can be instructed to report the phone's general location at the time of a suspicious credit card transaction-- if the card is used in England and the credit card owner's phone is in Alabama, hmm… something could be amiss here.

But none of these scenarios can conveniently justify storing a year's worth of location data; and even stranger is the fact that the phone automatically syncs this data to the host. Mind you, not all data from the phone is transferred to the host during the synchronization, but it does seem Apple really intends to keep this data around. Why?

50 Ways to Take Back Control of Your Personal Data

Internet scams, phishing, identity theft and other attacks that exploit your personal data are always a threat when you shop online, set up an email account, use a credit card, manage an online bank account or carry your Social Security card. There is hope, however, for fighting these threats, and you can start by taking back control of all of your personal data. The 50 tips and tools in this list will help you understand how these scams originate, how to protect yourself online and offline, and how to track down your personal data on the Internet.   Read more >>