BLOGS: Privacy and Data Protection

Tuesday, May 24, 2011, 10:42 AM

EEOC Regulations Spotlight Social Media

Does your human resources staff dig into MySpace, snagging pictures of applicants at bong parties and finding admissions of employees stealing boxes of copy paper? Does your manager learn about the latest office pregnancy or skiing accident on Facebook? Is social media an official information source for your company?

If so, the EEOC is aiming to regulate your company’s use of social networking sites, especially as it relates to health data.

The EEOC commentary comes in the form of new anti-discrimination regulations and some interpretive guidance by the EEOC’s top lawyer. For several years the EEOC has cautioned of what one official has called “the snowballing problem” of potentially discriminatory hiring practices in the Internet era. Use of social media in particular creates further issues, as an employer may become aware of an individual’s protected characteristics such as marital status, sexual orientation, religious affiliation, or political activities.

The EEOC’s concerns are evidenced in long-awaited regulations implementing GINA (the federal Genetic Information and Nondiscrimination Act). The EEOC recognizes that advances in technology have made it possible for employers to obtain vast and varied information about employees and potential hires, including family medical history and medical conditions. This access creates significant compliance issues, as GINA not only prohibits employers from discriminating against employees and job applicants but also prohibits employers from acquiring employees’ genetic information.

Addressing this issue, the EEOC decided that the sharing of information over Facebook, Twitter, and other social networking sites is analogous to discussing such matters around the water cooler – with management in earshot. This scenario falls within the “inadvertent acquisition” exception to GINA’s prohibition on the employer’s acquisition and possession of employees’ genetic information.

Even if the acquisition of genetic information on social networking sites is not purposeful, employers must still address the significance of having obtained that information – which may be uncovered in the course of a routine background check of a potential hire. In a recent interview, P. David Lopez, general counsel for the EEOC was asked “What are the big, cutting-edge discrimination issues facing the EEOC?” Mr. Lopez responded “We’re going through difficult economic times right now. It’s important to identify discriminatory hiring practices and policies that are excluding people unlawfully from the workplace.” Questioned further, he was asked “With so much information available online about virtually everyone, how much checking should an employer do before making a hiring decision?” He answered “I think they need to be very cautious doing online background checks.” He further advised that “The employer should examine how it recruits and hires new people. Once you start digging, it’s not always passive.” The Houston Chronicle, April 8, 2011.

The take-away? Employers should implement clear procedures for social media use in screening job applicants and avoid rogue searching. An employer in the possession of information about applicants’ or employees’ protected characteristics may face the challenge of establishing that employment decisions were made without regard for that information. A structured process with a division of duties between human resource professionals trained in the use of social media screening and managers making employment decisions offers one means of risk reduction. Such a division permits relevant information to reach decision-makers without unnecessary “inadvertently acquired” material obtained from social media sites.

Should you have any questions about the contents of this alert, please contact Mary Windham, Ted Claypoole or Stephanie Shaw or any of Womble Carlyle’s Privacy and Data Protection or Labor & Employment lawyers.

Friday, May 20, 2011, 11:22 AM

Privacy Bulletin: Issue No. 58

India Enacts Final Privacy Rules which may Impact U.S. Companies that Outsource

India released its final privacy rules in four parts that went into effect April 13, 2011. These rules could have a significant impact on businesses that transact business in India, those businesses that outsource business activities to India or have subsidiaries or affiliates based in India that perform various back-office functions and other business activities.

The rules have requirements for the storage and use of “sensitive personal data or information,” which includes certain financial and health data such as bank account details, credit or debit card account details, physical, physiological and mental health conditions, and medical records. There are also rules impacting the transfer of “sensitive personal data or information” between companies in India or between entities in India and entities outside of India. These requirements may apply not only to Indian citizens but to foreign citizens as well. Thus, these rules could impact a wide variety of U.S. businesses that outsource to India. For example, many financial service providers outsource certain loan application functions to India companies or to subsidiaries or affiliates based in India. Many companies have customer call centers based India who may handle customer billing issues that may also be impacted.

This piece only touches on some parts of the rules put in place by the Indian government. What remains to be seen about these rules is how the rules will be enforced by the Indian government. All businesses transacting business in India, or who outsource functions to Indian companies or have subsidiaries or affiliates in India with access to the information governed by the rules should ensure that each is complying with these new rules. Links to the four sets of rules: data security safeguard rules, guidelines for cyber cafes, intermediaries guidelines, and electronic service delivery rules.

DO-NOT-TRACK Legislation Introduced in Senate

On May 9, 2011, Senator John D. Rockefeller (D-W.Va.) introduced “do not track” legislation that would allow consumers to block Internet companies from following their activity on the Web. The “Do-No-Track Online Act of 2011” (S. 913) would give the Federal Trade Commission authority to draft specific rules about (i) how and when consumers could register their choice to be tracked by providers of online services or through providers of mobile applications and services, and (ii) rules that prohibit those providers from collecting personal information when a consumer has opted not to be tracked. The FTC and state attorneys general would be responsible for enforcing the law.

“Recent reports of privacy invasions have made it imperative that we do more to put consumers in the driver’s seat when it comes to their personal information,” Sen. Rockefeller said in a statement. . Womble Carlyle’s Privacy blog has covered recent allegations of privacy investigations such as Apple’s alleged collection and retention of precise location data through its iPhone product and Sony Corp.’s reported breach exposing the personal data of more than 100 million of its online video game users (See Privacy Bulletin: Issues 57 and 55).

Along these lines, Senator Al Franken (D-MI) recently held a hearing to review this location-based data. “Consumers have a fundamental right to know what data is being collected about them,” Sen. Franken said, as reported on Bloomberg Business Week.. “And yet reports that the information on our mobile devices is not being protected in the way it should be.” Testifying in this hearing were, among others, the FTC, the Department of Justice, Google, Inc., and Apple, Inc. Copies of the witnesses written testimony is available online.

Washington Enacts Bill Restricting Access to Juvenile Records

On May 12, Governor Christine Gregoire (D-Wash.) signed House Bill 1793, which restricted access to juvenile records into law. Effective July 22, 2011, the bill prohibits credit reporting agencies from generating consumer reports that contain juvenile records when the subject of the records is twenty-one years old or older at the time of the report. In an attempt to balance the public’s right to information with the goal of rehabilitating juvenile offenders and reintegrating juvenile offenders into society by keeping their records private, the act provides several instances when juvenile records can be used in credit reports. These instances include use in connection with credit and life insurance transactions in excess of fifty thousand ($50,000) dollars and use in employment investigations in excess of twenty thousand ($20,000) dollars. The Act also amends certain provisions related to the sealing of juvenile records and establishes a joint legislative task force which is tasked with determining how to cost-effectively restrict public access to juvenile records when an individual has met statutory requirements and reporting its findings and recommendations to the governor and legislature by December 15, 2011.

ACLU Asks for More Information on Michigan State Police Use of “Data Extraction Devices”

The American Civil Liberties Union has requested information from the Michigan State Police over its use of “data extraction devices,” reports CNet. It was alleged that the Michigan State Police are using these devices on motorists the Police pull over. “Data extraction devices” can download text messages, photos, videos, and even GPS data from many brands of cell phones.

The Michigan State Police responded to this request by stating that it is not using these devices during routine traffic stops but only use the devices when it has obtained a search warrant or had the consent of the cell phone owner, CNet reports. CNet further reports that the State Police further stated that, "the MSP does not possess DEDs that can extract data without the officer actually possessing the owner's mobile device. The DEDs utilized by the MSP cannot obtain information from mobile devices without the mobile-device owner knowing."

The ACLU later stated that it was not accusing the Michigan State Police of wrongdoing but was still seeking further information on the Police’s use of these devices.

Indiana Enacts Bill Extending Do Not Call to Cell Phones and VoIP and Instituting other Consumer Protection Programs

On May 13, Indiana Governor Mitch Daniels (R) signed House Bill 1273, an Act to amend the Indiana Code concerning trade regulation. Among the many amendments contained in the bill, the Act amended the Do Not Call provisions enacted in connection with the National Do Not Call List to include phone calls places to mobile telecommunications services, VoIP subscribers, and prepaid wireless calling services. Effective immediately, the law allows Indiana residents to register any wireless or VOIP telephone number associated with their residential addresses or a prepaid wireless number that is used primarily in Indiana. The definition of a “telephone sales call” was broadened to include text messages sent to a wireless phone number and thus prohibits the sending of solicitations by text to numbers that are on the Do Not Call list. Violators of the law are subject to the same penalties, including fines up to ten thousand dollars ($10,000) for the first violation and twenty-five thousand dollars ($25,000) for subsequent violations, as those who call a registered landline.

In addition the Do Not Call provisions, the Act also made other consumer protection changes including, for example, clarifying that a violation of the federal Fair Debt Collection Practices Act as well as other state consumer protection statutes constitutes a violation of the state provision on deceptive consumer sales and requiring that specific information is collected and stored about residential mortgage and real estate transactions.

Thursday, May 5, 2011, 11:54 AM

Privacy Bulletin: Issue No. 57

Maryland Enacts Credit History Bill; Takes Up Health Privacy

The Maryland Legislature has been active in the Privacy arena, passing the Job Applicant Fairness Act (SB 132/H.B. 87), which was signed into law by Governor Martin O’Malley on April 12 and moving forward on legislation which would require the Maryland Health Care Commission (“MHCC”) to develop regulations focused on the privacy and security of protected health information transmitted via a health information exchange (SB 723/HB 784).

Effective October 1, 2011, the Job Applicant Fairness Act prohibits employers from using an applicant’s or employee’s credit report or history in determining whether to (i) hire the applicant, (ii) fire the employee, (iii) or determine employee compensation or other terms, conditions, or privileges of employment. The bill is applicable to all employers excluding employers who are required to inquire into an employee or applicant’s credit report or history by law, financial institutions who accept federally insured deposits, a credit union share guaranty corporations, or entities that are registered with the SEC as an investment advisor. In addition, the bill contains provisions which authorize an employer to request or use an employee’s credit report in specific instances, such as when the employer has a bona fide purpose that is substantially job-related for requesting or using a credit report and discloses such request in writing to the affected individual. Violations of the act may be reported to the Commissioner of Labor and Industry who may resolve the matter informally or assess civil penalties up to $500 for an initial violation or $2,500 for a repeated violation. With the passage of this law, Maryland is one of four other states that have laws limiting the use of credit data for employment purposes.

The Maryland Legislature also concurrently sent identical House and Senate bills to Governor O’Malley for approval that would require the MHCC to adopt regulations governing privacy and security that would ensure that personal health information transmitted via a health information exchange is protected consistent with the federal Health Insurance Portability and Accountability Act. If enacted, the law would prohibit the sale of data obtained or released through a health information exchange until regulations are adopted by MHCC and would require the MHCC to adopt regulations that promote technology standards that conform to the standards of the Office of the National Coordinator for Health Information Technology and limit the scope of clinical information to information that is exchanged to purposes that promote improved access to clinical records or uses of the state designated exchange important to public health agencies. Governor O’Malley has until May 31 to sign or veto this measure, which would be effective October 1, 2011, if enacted.

PlayStation Data Breach Puts 77 Million Customers at Risk

Most gamers wouldn’t think their personal, confidential information could be compromised simply by playing a video game online. But an attack on Sony’s PlayStation Network, as reported on TheHill.com, may impact up to 77 million consumers worldwide.

The extent of the breach has yet to be fully determined. But Sony confirmed that user account information was compromised, including users’ names, addresses, email addresses, birthdates, passwords, and logins. Perhaps most damaging is the possible exposure of credit card numbers. Sony said that while it does not believe that its customers’ credit card numbers were compromised, it cannot rule out that possibility.

Sony has come under some criticism for waiting more than a week to inform customers of the data breach. It is alleged that the lag in reporting could give the hackers more time to potentially exploit stolen customer information. Senator Richard Blumenthal (D-CT) sent Sony a letter criticizing the company for its failure to inform its customers.

As a result of this security breach, Sony reportedly has shut down its servers and hired an outside firm to strengthen its security protections. So far, Sony has not provided any details as to how the breach happened. The Chicago-Sun Times reports that the FBI is investigating.

This incident has already launched a lawsuit against Sony. The first class-action lawsuit was filed by Kristopher Jones of Alabama in the United States District Court for the North District of California. The lawsuit accuses Sony of breach of warranty, negligent data security, and violations of consumers’ rights of privacy. Given the scope of the breach, it seems inevitable that more lawsuits will follow.

On May 3, 2011, Sony communicated that a second breach had taken place April 16-17, before the PlayStation intrusions. Sony said that hackers may have stolen about 12,700 credit or debit card numbers (but not credit card security codes) of users in other countries outside the United States and about 10,700 direct debit records of customers in Austria, Germany, Netherlands, and Spain.

U.S. Supreme Court Examines Prescription Privacy Laws in Connection with Data Mining

On Tuesday, April 26, 2011, oral arguments were heard before the Supreme Court in Sorrell v. IMS Health Inc. on whether a Vermont law prohibiting the sale of raw patient data by pharmacies to data mining companies constitutes an impermissible restriction on commercial speech. Vermont passed its law in 2007. The state claimed it was protecting patient privacy and stopping an unwanted “data mining” practice. The drug companies challenged the state law on the grounds it violated the First Amendment by restricting commercial speech.

In Vermont, it was alleged that pharmacies collected information on patient drug prescriptions, and then sold that raw data (redacting personal information about the patients) to data collection agencies. The collection agencies then sold the information to pharmaceutical companies, which used that data to drive their marketing decisions.

The Vermont law was upheld at the District Court level but was found to be an impermissible restriction on commercial speech by the U.S. Court of Appeals for the Second Circuit. Should the Supreme Court rule in favor of the state, it is likely that other state legislatures will pass similar restrictions on prescription data mining. Both Maine and New Hampshire enacted similar laws; both of these statutes were also challenged in court and are in various stages of adjudication.

Womble Carlyle will continue to monitor this case and its potential impact on the number of companies that collect and sell consumers’ personal information.

Texas Agency Accidentally Exposes Personal Data of 3.5 Million

Texas State Comptroller Susan Combs recently said her office inadvertently exposed personal information—including Social Security numbers—of approximately 3.5 million people on its public Web site. The information was exposed for close to a year before the breach was discovered. Most of the people affected were state employees or retired state workers.

Combs' office is offering one year of free credit monitoring to the affected individuals to ensure their accounts aren’t being misused. Combs’ campaign fund (not the state) will pay to restore the identity of anyone whose information is misused as a result of the breach. A special Web site, http://www.txsafeguard.org/, and toll-free number have been set up to answer questions and respond to inquiries.

On April 29th, Thomson Reuters reported that the first class action lawsuit was filed over this privacy breach and it appears another lawsuit may be imminent.

“I am deeply sorry this incident occurred and I take full responsibility for it,” Combs said in her April 28th press release. “This incident has affected the lives of Texans that I have dedicated my life to serving, and I am determined to restore their faith in the Comptroller's office. That's why we are taking additional actions to assist those who were affected and implementing new policies and procedures to help ensure this never happens again.”

Senate to Hold Hearing on iPhone, Android Collection of User Data

Senator Al Franken (D-Minn.) announced that he will hold a Senate Judiciary Subcommittee on Privacy, Technology and the Law hearing on Apple and Google’s collection of consumer data via the iPhone and smart phones using Google’s Android system. According to recent media reports, some iPhone and Android users are reporting that their locations are being tracked. The hearing is scheduled for May 10th. Representatives from Apple and Google have been invited to appear.

“The same technology that has given us smart phones...has also allowed these devices to gather extremely sensitive information about users, including detailed records of their daily movements and location,” Franken said. Yahoo News also reported that Illinois Attorney General Lisa Madigan expressed similar concerns in a separate letter.

This is not Franken’s first inquiry into this issue. In a letter to Apple’s Steve Jobs dated April 20, 2011, Franken asked why the company was “secretly compiling” the data and what it would be used for. Franken’s letter further emphasized that this information is stored in an unencrypted format, which as a result makes it more susceptible for a malicious person to access this data. In addition, the letter raised serious concerns about the millions of children and teenagers who use iPhone or iPad devices.

Wednesday, May 4, 2011, 4:58 PM

NLRB Announces Another Settlement Protecting Employee “Facebook Complaints”

The NLRB was not joking – complaints about your boss on Facebook could be protected speech in the employment context.

On April 27, 2011 the NLRB publicized settlement of a charge brought by a former employee of a web-based home improvement retailer operating out of Chico, California discharged after posting comments about the company to her Facebook page. The April 27, 2011 press release does not provide details of the employee’s comments. However, it quotes Regional Director Joseph Frankl, who expressed satisfaction that “the employer has recognized the rights of its employees to use social networking sites to comment about their working conditions.” The release also describes settlement terms and explicitly notes that the employees in this case were not represented by a union.[1]

This settlement was announced on the heels of the highly publicized unfair practices settlement with ambulance service provider American Medical Response of Connecticut, Inc. (“AMR”). The AMR complaint alleged that AMR illegally terminated an employee who called her employer a mental patient in a Facebook post in violation of the company’s social media policy. On February 8, 2011 the NLRB issued a press release highlighting the terms of the settlement protecting the employee’s right to Facebook gripes about her employer.

By issuing press releases announcing the filing and settlement of complaints arising from employee discipline for Facebook postings the NLRB has brought social media cases into national prominence. The Board’s communications signal that the NLRB has a heightened interest in social media and other policies that restrict employee communications. Its current focus raises questions as to how employers may permissibly seek to reduce the risk that employees’ off-duty social media activity may damage their reputations or expose them to liability.

Some guidance may be found by review of the NLRB complaint against AMR. The complaint alleges that the company maintained overly-broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. A portion of that employer’s “Blogging and Internet Posting Policy” quoted in the complaint read as follows:

Employees are prohibited from making disparaging, discriminatory, or defamatory comments when discussing the Company or the employee’s superiors, co-workers, and/or competitors.

As reported by the NLRB in its November 2, 2010 News Release from the Office of the General Counsel, an NLRB investigation found that the employee’s Facebook postings constituted protected concerted activity, and that the provisions of the company’s blogging and Internet posting policy set forth above contains unlawful provisions. (The release does not contain further detail of what specific policy language the Board considered to be unlawful). The NLRB News Release of February 7, 2011, specifies that under the terms of the settlement, the company agreed to “revise its overly-broad rules to insure that they do not improperly restrict employees from discussing their wages, hours, and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.” In the build.com case, the employer agreed to post a notice at the workplace for 60 days stating that employees have the right to post comments about the terms and conditions of their employment on their social media pages, and that they will not be terminated or otherwise punished for such conduct.

The NLRB confirmed its intention to continue pursuing employees’ social media rights in a March 16, 2011 teleconference reviewing recent Board decisions and regulatory actions. Accordingly, employers should carefully review their social media policies. Should they contain provisions similar to that which the Board has deemed “overly-broad,” statements may be added that in no event is protected activity prohibited. In addition to the use of a disclaimer, examples of prohibited and protected activities and speech may be added to minimize ambiguity.

[1] Employers without a unionized workforce may not pay close attention to the decisions of the NLRB, presuming that they do not apply to them. But often they do, as Section 7 of the NLRA guarantees that all employees – regardless of union status – have the right to engage in “concerted activities for the purpose of . . . mutual aid or protection.”

back to top