The • & • PRIVACY DATA • LAWJOURNAL PROTECTION NEWSLETTERS legal reporter™ Volume 1, Number 4 • May 2006 What Every U.S. Employer Should Know About Workplace Privacy

Part One of a Two-Part Series Many sources of information used This type of information may include in background checks are public dates of attendance at educational By Lisa J. Sotto and Elisabeth M. records, including criminal, civil institutions and degrees earned. McCarthy court, bankruptcy, tax lien, profes- Employers seeking information from sional licensing, workers’ compensa- education records, however, may be he U.S. privacy arena is a tion, and driving records. The Fair restricted in gaining access to certain minefield for employers. The Credit Reporting Act (“FCRA”) impos- records without authorization from TUnited States has no omnibus es restrictions on the inclusion of cer- an adult-age student or parent due to employee privacy law. Instead, tain public records in background restrictions set forth in the Family employers are faced with a patch- screening reports. For example, for Educational Rights and Privacy Act. work of privacy laws that they must positions with an annual salary of Employers can also learn much piece together to avoid legal liability. less than $75,000, civil judgments and about job applicants and employees This article focuses on the key priva- paid tax liens cannot be reported in a by using an Internet search engine cy issues employers in the U.S. must background screening report after 7 like Google. Employers likely will be confront. years, and bankruptcy filings cannot able to determine information such BACKGROUND SCREENING be reported after 10 years. In addi- as an individual’s age, marital status, According to a January 2004 survey tion, records relating to an individ- house value (complete with an aerial by the Society for Human Resource ual’s arrest cannot be included in a photograph), political affiliation, Management, 82% of employers inves- background check report after 7 liens, blog entries, and more. tigate the backgrounds of potential years. A criminal conviction, howev- Fair Credit Reporting Act and employees. Employers conduct back- er, may be reported indefinitely. To Fair and Accurate Credit ground checks on job applicants not the extent that an employer conducts Transactions Act of 2003 only to verify the candidates’ creden- a background check internally, these The FCRA was enacted in 1972 (and tials, but also to ensure workplace safe- limitations do not apply. In the event amended in 1996) to promote the ty and avoid potentially devastating a consumer reporting agency errs accuracy, fairness, and privacy of per- financial and reputational harms asso- and includes in a report provided to sonal information assembled by con- ciated with negligent hiring, retention, the employer information beyond the sumer reporting agencies. The FCRA and supervision claims. It is significant- applicable time limit, an employer allows consumer reporting agencies ly less costly to conduct a thorough would not be precluded from consid- to furnish an entity with consumer background check on a job applicant ering such information. reports only where the recipient has a than to hire an employee with a histo- A job applicant or employee back- permissible purpose to use the ry of violence, sexual harassment, or ground check may also include an reports. Permissible purposes include embezzlement. Conducting appropri- employment report from one or all use for employment purposes or use ate background checks has reached a three of the credit reporting agencies in connection with credit or insurance new imperative since 9/11. This has (Equifax, Experian, and TransUnion). transactions. The FCRA defines a been further fueled by the corporate An employment report contains “consumer report” as “any written, scandals of 2002 involving companies information regarding an individual’s oral or other communication of any such as Enron and WorldCom. credit payment history and other information by a consumer reporting Employers typically ask consumer credit habits, but does not include agency bearing on a consumer’s cred- reporting agencies to assemble and the individual’s credit score or date of it worthiness, credit standing, credit evaluate information about a job birth. Employers often look at an capacity, character, general reputa- applicant’s professional and personal individual’s credit history as an indi- tion, personal characteristics or mode life. Certain jobs, such as those in the cation of financial responsibility. of living, which is used or collected in banking, childcare, health care, air- In addition, employers may seek to whole or in part for the purpose of line, and trucking industries require obtain education records relating to serving as a factor in establishing the criminal background checks. job applicants or current employees. continued on page 2

Workplace Privacy with an “adverse action notice.” This 5) will use the background report notice would include the name, only for employment purposes. The continued from page 1 address, and phone number of the FCRA’s notice and consent require- consumer’s eligibility for credit or consumer reporting agency that pre- ments do not apply to employers that insurance to be used primarily for pared the report and statements that 1) conduct background checks internal- personal, family or household pur- the employer, and not the agency, ly rather than retaining a third-party poses; employment purposes; or any made the adverse decision regarding consumer reporting agency to do so. other permissible purpose authorized the individual, 2) the individual has Employers that fail to comply with under 1681b.” the right to a free copy of the report, the FCRA’s requirements may be liable The FCRA does not require that and 3) the individual has the right to to the individual that is the subject of employers conduct background dispute the accuracy or completeness the consumer report for actual dam- checks, but establishes national stan- of the information contained in the ages, litigation costs, attorneys’ fees, dards that employers must follow consumer report. and punitive damages. Employers also when screening potential employees The FCRA permits an employer to may face criminal penalties for obtain- or investigating current employees obtain a consumer report that has ing a credit report under false pretens- using consumer reports obtained information about an individual’s es. The FCRA authorizes the Federal from consumer reporting agencies. “character, general reputation, per- Trade Commission (“FTC”) to enforce Under the FCRA, an employer sonal characteristics and mode of liv- its provisions. The FTC may sue must disclose to the job applicant or ing” collected as a result of inter- employers for up to $2500 per viola- employee that the employer will be views with neighbors, friends, rela- tion of the FCRA. retaining a consumer reporting agency tives, associates or others as part of A number of states have laws that to prepare a consumer report on the an employment background check. contain provisions similar to the fed- individual. This disclosure must be Such reports are “investigative con- eral FCRA. Several states, including on a stand-alone document and not sumer reports.” When an employer California and New York, have FCRA part of an employment application. requests an “investigative consumer analogues that regulate the use of The employer must receive the indi- report,” the FCRA requires that the background screening for “employ- vidual’s signed consent to the prepa- employer provide written notice to ment purposes.” Most state ana- ration of such a report prior to the individual that the background logues provide protections similar to requesting the report from the con- report will include interviews, pro- those found in the FCRA. To the sumer reporting agency. vide the individual with a statement extent an employer conducts back- If the employer uses information of the nature and scope of the ground investigations in which it contained in the consumer report for requested report and the individual’s requests credit reports, it should 1) an “adverse action,” such as failure to right to request additional details determine whether the relevant state hire or promote, rescinding an existing and, if requested, provide a written has an FCRA analogue, and 2) if it job offer, or reassigning or demoting notice informing the subject of the does, comply with its requirements. an existing employee, where such report how to obtain a copy of his or In 2003, the Fair and Accurate Credit actions are based, in whole or in part, her file. The employer must certify to Transactions Act (“FACTA”) amended on information contained in the the consumer reporting agency that the FCRA to establish standards for report, the employer must notify the the employer has provided the prop- “employee misconduct investigations.” subject of the report prior to taking the er notice to the individual. An “employee misconduct investiga- adverse action. This pre-adverse The FCRA also requires employers tion” is an investigation of an employ- action notice must include a copy of to certify to the consumer reporting ee which is conducted by a third party the report and an explanation of the agency that the employer 1) is that the employer hires if the employ- individual’s rights under the FCRA. requesting the report for a legitimate er suspects the employee of work- After the adverse action occurs, the purpose (ie, investigation of a job place misconduct or noncompliance employer must provide the individual applicant or existing employee), 2) with federal, state, or local laws or reg- has provided the employee or job ulations, pre-existing written policies of the employer, or rules of a self-reg- Lisa J. Sotto is a partner in the New applicant or employee with the req- ulatory organization. FACTA exempts York office of Hunton & Williams LLP uisite notice of the background from the definition of “consumer and heads the firm’s Privacy and check, 3) has obtained written per- report” communications made by a Information Management Practice. mission from the employee or job third party to an employer in connec- She also serves as Acting Chair of the applicant to request the background tion with an employee misconduct U.S. Department of Homeland report, 4) will provide the applicant investigation. Consequently, an Security’s Data Privacy and Integrity or employee with a copy of the employer is not required to obtain an Advisory Committee. Elisabeth M. report and written notice of the employee’s consent before hiring a McCarthy is counsel in the New applicant’s or employee’s rights prior third party to investigate employee York office of Hunton & Williams LLP to taking an adverse action based in misconduct. If the employer decides and advises clients on privacy and whole or in part on information con- information management issues. tained in the background report, and continued on page 3

2 The Privacy &Internet Data Protection Law & Strategy Legal Reporter❖ www.ljnonline.com/alm?net❖ www.ljnonline.com/alm?privacy May 2006 

Workplace Privacy The Disposal Rule requires cov- required by the disposal rule into ered entities to properly dispose of the information security program continued from page 2 consumer report information “by tak- required by the Safeguards Rule. to take an adverse action against an ing reasonable measures to protect State Records Disposition Laws employee following an employee mis- against unauthorized access to or use Several states also have laws that conduct investigation, however, the of the information in connection with address the disposition of records employer must give the employee an its disposal.” “Disposal” includes: containing personal information. “adverse action” notice after such • discarding or abandoning consumer Employers should determine whe- adverse action has occurred. information; and ther the state in which they conduct The employer must provide the • selling, donating, or transferring any business has enacted such a law and, employee subject to the adverse medium, including computer if so, be sure to comply with its action with a summary of the investi- equipment, on which consumer requirements. gation report that resulted in the information is stored. SOCIAL SECURITY NUMBER LAWS adverse action. The employer is not The rule does not define what is Social Security Numbers (“SSNs”) required to disclose the sources of “reasonable,” instead allowing for a were initially issued by the federal information for the report or the flexible standard that permits cov- government for the purpose of admin- identity of any witnesses. The inves- ered entities to determine what istering Social Security programs. Over tigation report must be kept confi- measures are reasonable based on time, however, many businesses have dential and may only be disclosed to the sensitivity of the information, the taken to using SSNs as unique identi- the employer or the employer’s costs and benefits of different dis- fiers for individuals. As a result, SSNs agent, governmental authorities, and posal methods, and relevant changes have become a widely used device for the self-regulatory organization with in technology over time. The rule managing employee files, medical regulatory authority over the employ- includes specific examples of meas- records, health insurance records, er or employee. FACTA does not per- ures the FTC believes satisfy the credit and bank accounts, and educa- mit an employee who is subject to an rule’s disposal standard. These exam- tional records. In addition, SSNs are adverse action as a result of an inves- ples, which are intended as guidance frequently printed on licenses and tigation to dispute the findings con- and not as safe harbors or exclusive identification cards. tained in the report. methods for compliance, include: Limiting the widespread use of DISPOSING OF EMPLOYEE • implementing policies and proce- SSNs has become a major focus of PERSONAL INFORMATION dures that require 1) the burning, state legislators seeking to curb iden- FTC Rule on the Disposal of pulverizing or shredding of papers tity theft. In an attempt to limit access Consumer Report Information containing consumer information, to SSNs by unauthorized individuals, In November 2004, the FTC issued and 2) the destruction or erasure of many states have enacted laws that regulations requiring businesses to electronic media containing con- limit their use or require that SSNs be properly dispose of consumer report sumer information, so the informa- redacted. At the end of 2005, at least information. The rule, which became tion cannot practicably be read or 25 states had enacted laws restricting effective on June 1, 2005, was reconstructed; the use of SSNs. designed to help combat identity • after conducting due diligence of the At least 13 states prohibit printing an theft resulting from the improper dis- disposal company (which due dili- individual’s SSN on any card required posal of information. The Disposal gence could include conducting an for the individual to receive products Rule requires companies to take rea- independent audit of the compa- or services provided by the person or sonable steps to guard against unau- ny’s operations, obtaining refer- entity issuing the card. Eight states prohibit printing SSNs on materials thorized access to or use of consumer ences, or requiring that the dispos- that are mailed to individuals unless report information in connection with al company be certified), entering otherwise required by federal or state its disposal. It applies to any business into a contract with the disposal law. A couple of states have chosen to that maintains or otherwise possesses company to dispose of consumer allow redacted SSNs to be used in cer- “consumer information,” which is information in a manner consistent tain circumstances. A recent law enact- defined as “any record about an indi- with the disposal rule; ed in California requires employers, vidual, whether in paper, electronic, • for disposal companies, implement- by Jan. 1, 2008, to use no more than or other form, that is a consumer ing policies and procedures that four digits of an employee’s SSN on report or is derived from a consumer protect against unauthorized or checks or vouchers. As of Jan. 1, 2006, report ... [or] a compilation of such unintentional disposal of consumer health insurance carriers in records.” Because employers fre- information, and disposing of such Washington state are prohibited from quently rely on consumer reports in information in accordance with the connection with employment deci- displaying on identification cards first example set forth above; and more than any four-digit portion of the sions, the Disposal Rule affects them. • for entities subject to the Gramm- Information that does not identify subject person’s SSN. Delaware pro- Leach-Bliley Act’s Safeguards Rule, hibits health insurers from using SSNs individuals, such as aggregate or incorporating the proper disposal blind data, is not covered by the rule. of consumer information as continued on page 4

May 2006 The Privacy & Data Protection Legal Reporter ❖ www.ljnonline.com/alm?privacy 3 

Workplace Privacy restricting the use of SSNs. More states Next month’s installment will dis- likely will follow with similar legisla- cuss the Health Insurance Portability continued from page 3 tion. Employers should understand and Accountability Act of 1996; entirely as identification numbers on how their organization uses its employ- information security; and monitor- health insurance cards. ee SSNs and remain vigilant about the ing employee telephone, e-mail, and Internet use. To date this year, at least 38 states impact of evolving legal requirements. have introduced additional legislation —❖—

Hunton & Williams LLP • www.hunton.com

Atlanta • Bangkok • Beijing • Brussels • Charlotte • Dallas • Houston • Knoxville • London • McLean • Miami • New York • Norfolk • Raleigh • Richmond • Singapore • Washington

4 The Privacy &Internet Data Protection Law & Strategy Legal Reporter❖ www.ljnonline.com/alm?net❖ www.ljnonline.com/alm?privacy May 2006 

The • & • LAWJOURNAL PRIVACY DATA NEWSLETTERS • PROTECTION legal reporter™ Volume 1, Number 5 • June 2006 What Every U.S. Employer Should Know About Workplace Privacy

Part Two of a Two-Part Series health care clearinghouse, or health trative, physical, and technical safe- care provider who transmits health guards will be implemented. information in electronic form in con- The fundamental purpose of the By Lisa J. Sotto and Elisabeth M. Privacy Rule and the Security Rule is McCarthy nection with certain specified transac- tions. While the Privacy Rule and the to preserve and safeguard PHI. Last month’s article discussed back- Security Rule do not directly apply to Because plan sponsors often perform ground screening and Social employers, the requirements of these functions that are integral to the func- Security number laws. This month’s rules do apply to ERISA-covered tions of group health plans and thus installment covers the Health “group health plans” that are spon- require access to an individual’s Insurance Portability and sored by many employers. health information held by the group Accountability Act of 1996; informa- The Privacy Rule prohibits covered health plan, the Privacy Rule restricts tion security; and monitoring entities from disclosing PHI except the flow of information from the employee where disclosure is 1) to the individual group health plan to the employer telephone, e-mail, and Internet use. who is the subject of the PHI, 2) for plan sponsor. Under the Privacy treatment, payment, or health care Rule, a group health plan may dis- HIPAA operations as defined in the Privacy close PHI to its plan sponsor only for hrough the Health Insurance Rule, 3) authorized by the individual, limited purposes and only after the Portability and Accountability or 4) specifically permitted without plan sponsor has complied with the TAct of 1996 (“HIPAA”), authorization by the individual. The Rule’s prescribed requirements for Congress called on the U.S. Privacy Rule requires covered entities disclosure. The principal purpose of Department of Health and Human to adopt written policies and proce- this regulatory barrier between a Services (“HHS”) to promulgate regu- dures regarding the use and disclosure “group health plan” and an employer lations that would help ensure the pri- of PHI that are designed to comply plan sponsor is to prevent employers vacy and security of health informa- with the Privacy Rule. from using their employees’ PHI to tion. The Standards for Privacy of The Security Rule imposes obliga- make employment-related decisions. Individually Identifiable Health tions on covered entities to ensure It is worth noting, however, that the Information (the “Privacy Rule”) and the confidentiality, integrity, and Privacy Rule exempts from the defi- the Security Standards (the “Security availability of all electronic PHI that nition of PHI, employment records Rule”) promulgated pursuant to the covered entity creates, receives, held by a covered entity in its role as HIPAA apply to “covered entities” and maintains, or transmits. Pursuant to employer. Pursuant to this exemp- limit the ability of such entities to use the Security Rule, a covered entity is tion, to the extent that an employer or disclose protected health informa- required to conduct a risk assessment in its capacity other than as plan tion (“PHI”). The Privacy Rule defines of the potential risks and vulnerabili- sponsor collects and maintains health a “covered entity” as a health plan, ties to the confidentiality of electron- information regarding its employees, Lisa J. Sotto is a partner in the New ic PHI held by the covered entity and HIPAA would not apply. York office of Hunton & Williams LLP to implement a risk management To determine the impact of the and heads the firm’s Privacy and program to reduce the identified risks Privacy Rule, an organization must Information Management Practice. and vulnerabilities to a reasonable examine 1) the type of health infor- She also serves as Acting Chair of the and appropriate level. Covered enti- mation the plan sponsor receives; 2) U.S. Department of Homeland ties must have in place certain speci- the purposes for which the plan Security’s Data Privacy and Integrity fied administrative, physical, and sponsor receives information; and 3) Advisory Committee. Elisabeth M. technical safeguards to protect the the extent, if any, to which the plan McCarthy is counsel in the New electronic PHI they maintain. sponsor performs administrative York office of Hunton & Williams LLP Covered entities are required to functions on behalf of the group and advises clients on privacy and adopt written policies and proce- health plan. information management issues. dures regarding how these adminis- continued on page 2 Workplace Privacy nection with any other benefit or consider relevant state laws on a case- Workplace Privacy To conduct a risk assessment, an tivity caused by the unavailability of employee benefit plan of the plan by-case basis as specific issues arise. employer will need to identify the systems or data; notifying affected continued from page 1 continued from page 2 sponsor; INFORMATION SECURITY information that is being protected individuals and government agen- The Privacy Rule defines a plan • report to the group health plan any Security Breach to comply with such state’s specific and the related risks to that informa- cies, as appropriate; responding to sponsor’s responsibilities based on use or disclosure that is inconsis- Notification Laws requirements in the event of a secu- tion. In particular, an employer regulator inquiries and enforcement whether the plan sponsor receives tent with those provided for in the The recent increase in identity theft rity breach. should focus on protecting individu- actions; legal fees and costs for the “protected health information” or plan documents; crimes (discussed earlier) resulted in Safeguarding Personal als’ personal information in addition defense of private lawsuits; lost cus- “summary health information.” A • allow individuals to inspect and copy the enactment of numerous state Information to the company’s business informa- tomers; reputational damage; and a plan sponsor that receives summary PHI about themselves; security breach notification laws. Considering the tremendous cost to tion and operations. To begin, an possible drop in stock price. The health information — that is, infor- • allow individuals to amend PHI about These laws generally do not distin- businesses that suffer security breach- employer should identify the person- harm caused by a compromise mation that is a subset of PHI that themselves; guish between consumers and es, employers are well advised to al information that it actually collects, should be defined more broadly than summarizes claims history, expense, • provide individuals with an accoun- employees. Consequently, employers develop and implement a plan to how the employer uses it, where it is just the resulting financial costs. or experience and is stripped of cer- ting of disclosures of their PHI; would be required to comply with safeguard the personal information stored, to whom it is disclosed, who 3) Design and implement a safe- tain personal identifiers — is mini- • make the plan sponsor’s practices these laws in the event that unautho- that they maintain. Such a plan has access to it for what purposes, guards program, and regularly moni- mally impacted by the Privacy Rule. available to the Department of rized individuals acquire certain should be appropriate to the size and and how it will ultimately be dis- tor and test it. A plan sponsor that needs only sum- Health and Human Services (“HHS”) employee personal information. A complexity of the organization, the posed. The employer should map In designing a safeguards program, mary health information to effective- for determining compliance; security breach occurs when an nature and scope of its activities, and these data flows and classify data by employers should consider all areas ly manage its health benefits pro- • return and destroy all PHI when no unauthorized person acquires or the sensitivity of the information it sensitivity so security measures can of operations, such as employee man- gram may receive the information if longer needed, if feasible; and accesses personal information main- maintains. While there are a handful be prioritized. agement and training; information it agrees to limit its use of the infor- • ensure that firewalls for records and tained by a company. It is not a of basic elements listed below that Next, an employer should consider systems; and managing system fail- mation to 1) obtaining premium bids employees have been established breach when an employee or com- every safeguards plan should all the ways that personal informa- ures, which encompasses prevention, for providing health insurance cover- between the group health plan and pany agent acquires or accesses the address, businesses have the flexibili- tion can be compromised. While an detection and response to attacks, age to the group health plan, or 2) the plan sponsor. data for company purposes as long ty to implement policies, procedures, employer should obviously consider intrusions, and other system failures. modifying, amending, or terminating In addition, the plan documents as the data is not used or disclosed in and technologies that are appropriate intrusions by computer hackers, The goal is to create security poli- the group health plan. must identify, either by name or an unauthorized manner. to their unique circumstances. employers should also think about cies and procedures that are more On the other hand, a plan sponsor function, any employee of the plan Although these laws differ some- 1) Designate one or more employees ways that employees, service than mere paper and will actually be that receives PHI is subject to sponsor who receives PHI for pay- what, generally an entity that main- to coordinate a safeguards program. providers, business partners, or ven- followed in day-to-day business oper- increased operational and administra- ment, health care operations, or tains “personal information” about Whether an organization tasks a dors could compromise the security ations. Employers should monitor tive burdens. Plan sponsors typically other matters related to the group individuals needs to notify those single employee with coordinating of personal information either inten- and test each of the elements of their may receive PHI either from the health plan. The plan documents individuals of certain security breach- safeguards or spreads the responsi- tionally or through carelessness. program to reveal whether it is being group health plan itself or from also must restrict access to and use of es involving computerized data. bility among a team of employees, Employers should take into account followed consistently and whether it another entity (such as an insurer) PHI to specific, identified employees Specifically, entities are required to someone in the organization needs risks beyond those associated with is operating effectively to manage the that administers the company’s health for the purpose of completing the notify those whose unencrypted per- to be accountable for information information technology and consider risks to personal information that it benefits program. Before a plan administrative functions the plan sonal information is reasonably security. In deciding who it should business processes as well. It is was designed to address. sponsor may receive PHI, the group sponsor performs for the group believed to have been acquired by be, employers should recognize that advisable to have the risk assessment 4) Select appropriate service health plan or the insurer acting on health plan. Finally, the plan docu- an unauthorized person. “Personal information security is fundamentally process be conducted by a team that providers and contract with them to behalf of the plan must get assurance ments must provide an effective information” typically means unen- a management issue, not a technolo- includes both technical and business implement safeguards. in the form of a “certification” that the mechanism for resolving issues of crypted data consisting of a person’s gy issue. While information technol- personnel because of their different When service providers or other plan sponsor has complied with the improper use of or access to PHI. first name or first initial and last ogy can play a significant role in pro- perspectives on the likelihood and third parties have access to data or new regulatory requirements. The health insurance issuer or other name, in combination with a Social tecting data, effective information impact of threats. information systems, steps should be A plan sponsor must certify to the group health plan may disclose PHI Security number; a driver’s license or security requires a broader focus and Once the risks are identified, a gap taken to determine whether they can group health plan that it has amend- to the plan sponsor only after it ID card number; or an account, cred- should include physical security, analysis is necessary to evaluate be trusted not to compromise infor- ed the plan documents to incorpo- receives the plan sponsor’s certifica- it card, or debit card number along employee training and management, where current safeguards are inade- mation security and to ensure that rate various provisions. Unless dis- tion indicating that the plan docu- with a password or access code. and business processes. quate to address the identified risks. they are contractually required to closing PHI for enrollment purposes, ments were amended. Entities subject to these laws must In addition, an appropriate safe- Employers should consider the likeli- meet specified safeguards standards. the plan documents need to be Disclosure of PHI in violation of notify individuals immediately fol- guards program will almost certainly hood that a given risk will occur and When conducting due diligence on amended before the sponsor may HIPAA can result in steep civil and lowing discovery of a breach if an require the coordination of legal, the severity of the consequences third-party service providers, em- receive PHI. The plan sponsor must criminal penalties (up to $250,000 in unauthorized person may have human resources, information tech- should it happen. Employers should ployers should review an independ- agree to: fines and 10 years of imprisonment). acquired unencrypted electronic per- nology, audit, and business functions. also consider the effectiveness of the ent audit of the third party’s opera- • not use or further disclose PHI ex- Consequently, employers who act as sonal information. The person or team that coordinates various available security measures tions; obtain information about the cept as permitted or required by plan sponsors must carefully assess To date, 29 states have enacted the program should have the ability and their cost, relative to the harm third party from several references or the plan documents or as required their compliance with HIPAA’s Pri- security breach notification laws. to communicate and work effectively caused by a compromise. other reliable sources; require that by law; vacy Rule and Security Rule. Most of these state laws differ at least with all of these different groups. Employers should recognize the the third party be certified by a rec- • ensure that any subcontractors or HIPAA establishes a basic level of to some extent. Employers are well 2) Identify and assess the risks to full range of potential costs in the ognized trade association or similar agents to whom the plan sponsor protection for health information. advised to determine whether the individuals’ personal information in event of a security breach: the cost of authority; review and evaluate the provides PHI agree to the same State laws relating to the privacy of state in which they operate has a each relevant area of the company’s investigating a security breach; miti- service provider’s information securi- restrictions; health information are not pre-empt- security breach notification law and operations and evaluate the effective- gating and remediating damage to ty policies and procedures; and take • not use or disclose PHI for em- ed by HIPAA if they offer more strin- ness of current safeguards for con- systems, and securing the systems other appropriate measures to ployment-related actions or in con- gent protections. Employers should continued on page 3 trolling these risks. after the breach; lost sales or produc- continued on page 4

2 The Privacy &Internet Data Protection Law & Strategy Legal Reporter❖ www.ljnonline.com/alm?net❖ www.ljnonline.com/alm?privacy June 2006 June 2006 The Privacy & Data Protection Legal Reporter ❖ www.ljnonline.com/alm?privacy 3

 Workplace Privacy To conduct a risk assessment, an tivity caused by the unavailability of employer will need to identify the systems or data; notifying affected continued from page 2 information that is being protected individuals and government agen- to comply with such state’s specific and the related risks to that informa- cies, as appropriate; responding to requirements in the event of a secu- tion. In particular, an employer regulator inquiries and enforcement rity breach. should focus on protecting individu- actions; legal fees and costs for the Safeguarding Personal als’ personal information in addition defense of private lawsuits; lost cus- Information to the company’s business informa- tomers; reputational damage; and a Considering the tremendous cost to tion and operations. To begin, an possible drop in stock price. The businesses that suffer security breach- employer should identify the person- harm caused by a compromise es, employers are well advised to al information that it actually collects, should be defined more broadly than develop and implement a plan to how the employer uses it, where it is just the resulting financial costs. safeguard the personal information stored, to whom it is disclosed, who 3) Design and implement a safe- that they maintain. Such a plan has access to it for what purposes, guards program, and regularly moni- should be appropriate to the size and and how it will ultimately be dis- tor and test it. complexity of the organization, the posed. The employer should map In designing a safeguards program, nature and scope of its activities, and these data flows and classify data by employers should consider all areas the sensitivity of the information it sensitivity so security measures can of operations, such as employee man- maintains. While there are a handful be prioritized. agement and training; information of basic elements listed below that Next, an employer should consider systems; and managing system fail- every safeguards plan should all the ways that personal informa- ures, which encompasses prevention, address, businesses have the flexibili- tion can be compromised. While an detection and response to attacks, ty to implement policies, procedures, employer should obviously consider intrusions, and other system failures. and technologies that are appropriate intrusions by computer hackers, The goal is to create security poli- to their unique circumstances. employers should also think about cies and procedures that are more 1) Designate one or more employees ways that employees, service than mere paper and will actually be to coordinate a safeguards program. providers, business partners, or ven- followed in day-to-day business oper- Whether an organization tasks a dors could compromise the security ations. Employers should monitor single employee with coordinating of personal information either inten- and test each of the elements of their safeguards or spreads the responsi- tionally or through carelessness. program to reveal whether it is being bility among a team of employees, Employers should take into account followed consistently and whether it someone in the organization needs risks beyond those associated with is operating effectively to manage the to be accountable for information information technology and consider risks to personal information that it security. In deciding who it should business processes as well. It is was designed to address. be, employers should recognize that advisable to have the risk assessment 4) Select appropriate service information security is fundamentally process be conducted by a team that providers and contract with them to a management issue, not a technolo- includes both technical and business implement safeguards. gy issue. While information technol- personnel because of their different When service providers or other ogy can play a significant role in pro- perspectives on the likelihood and third parties have access to data or tecting data, effective information impact of threats. information systems, steps should be security requires a broader focus and Once the risks are identified, a gap taken to determine whether they can should include physical security, analysis is necessary to evaluate be trusted not to compromise infor- employee training and management, where current safeguards are inade- mation security and to ensure that and business processes. quate to address the identified risks. they are contractually required to In addition, an appropriate safe- Employers should consider the likeli- meet specified safeguards standards. guards program will almost certainly hood that a given risk will occur and When conducting due diligence on require the coordination of legal, the severity of the consequences third-party service providers, em- human resources, information tech- should it happen. Employers should ployers should review an independ- nology, audit, and business functions. also consider the effectiveness of the ent audit of the third party’s opera- The person or team that coordinates various available security measures tions; obtain information about the the program should have the ability and their cost, relative to the harm third party from several references or to communicate and work effectively caused by a compromise. other reliable sources; require that with all of these different groups. Employers should recognize the the third party be certified by a rec- 2) Identify and assess the risks to full range of potential costs in the ognized trade association or similar individuals’ personal information in event of a security breach: the cost of authority; review and evaluate the each relevant area of the company’s investigating a security breach; miti- service provider’s information securi- operations and evaluate the effective- gating and remediating damage to ty policies and procedures; and take ness of current safeguards for con- systems, and securing the systems other appropriate measures to trolling these risks. after the breach; lost sales or produc- continued on page 4

June 2006 The Privacy & Data Protection Legal Reporter ❖ www.ljnonline.com/alm?privacy 3

 Workplace Privacy obligations before conducting such calls. Most states require at least one Workplace Privacy is for purposes of investigating an ille- 877 A.2d 1156 (2005), the New Jersey monitoring. person who is a party to the conver- gal activity. Similar to Connecticut, Appellate Court held that an employ- continued from page 3 continued from page 4 TELEPHONE MONITORING sation to consent to recording the violation of the statute may result in er that is on notice that one of its determine the competency and The Federal Omnibus conversation. Some states, however, electronic monitoring in the work- monetary penalties. employees is using a workplace com- integrity of the party. Crime, Control and Safe require the consent of all parties place and prohibit monitoring with- State Wiretapping Laws puter to access child pornography Contracts with third parties should Streets Act of 1968 involved. out such notice to employees. There Many states have passed anti-wire- has a duty to investigate the employ- specifically address safeguards obli- The Federal Omnibus Crime, Employers wishing to monitor tele- is no case law in either Connecticut tapping laws, similar to the ECPA, ee, to report the employee’s activities gations; a general confidentiality pro- Control and Safe Streets Act of 1968 phone conversations of employees or Delaware interpreting or applying which regulate the interception of to the proper authorities, and to take vision is not sufficient. Employers (the “Federal Wiretapping Law”) gov- should be aware of, and abide by, the relevant statutes. electronic communications. Most effective internal action to stop the should also require third parties to erns the access, use, disclosure, inter- the applicable state law prior to Connecticut. Section 31-48d of the states require the consent of at least continuation of such activities. notify them of significant security ception, and privacy protections asso- engaging in such activity. Connecticut General Statutes governs one person who is a party to the COMMON LAW PRIVACY incidents (so the employer can deter- ciated with wire communications. The E-MAIL MONITORING an employer’s ability to electronically communications. Some states, how- In circumstances where an mine whether it has any legal obliga- Federal Wiretapping Law prohibits the Federal Electronic monitor its employees. This law ever, require the consent of all par- employee may not be able to prove tions to provide notice to individuals intentional interception of wire com- Communications Privacy requires employers to conspicuously ties involved. a violation of federal or state statuto- of a possible data compromise) and munications such as telephone calls. Act of 1986 and the post a notice concerning the types of National Labor Relations Board ry law, the employer may still be to cooperate in responding to securi- “Intercept” means the acquisition of Stored Communications Act electronic monitoring in which the Workplaces with unionized labor liable for common law invasion of ty incidents and investigating data the contents of any wire communica- Although primarily drafted to employer may engage. “Electronic may be subject to additional restric- privacy. In the United States, there breaches. In addition, an employer tion through the use of any electronic, apply to law enforcement authorities, monitoring” is broadly defined as “the tions on e-mail monitoring. The are four privacy torts: 1) intrusion may want to ask for the right to audit mechanical, or other device. There are the federal Electronic Communica- collection of information on an National Labor Relations Board upon seclusion, 2) false light, 3) a third party’s safeguards program for exceptions under the Federal tions Privacy Act of 1986 (“ECPA”) employer’s premises concerning (“NLRB”) Office of General Counsel appropriation of likeness, and 4) compliance with legal and contractu- Wiretapping Law for telephone calls governs the access, use, disclosure, employees’ activities or communica- published an Advice Decision in 1998 public disclosure of embarrassing al requirements. intercepted by wire communications interception, and privacy protections tions by any means other than direct stating that business-only e-mail poli- private facts. The availability of these 5) Evaluate and adjust the safeguards service providers in the ordinary associated with electronic communi- observation, including the use of a cies (restricting use of e-mail to busi- tort claims depends on the relevant program in light of relevant circum- course of business and where there is cations. The ECPA prohibits the computer, telephone, wire, radio, ness purposes only) were unlawful in state law and the specific facts stances, including changes in business express or implied consent by one of intentional interception of electronic camera, electromagnetic, photoelec- situations where computers and com- alleged. For example, a constitution- arrangements or operations, or the the parties to the communication. communications, including e-mail in tronic or photo-optical systems.” puter networks are part of employee al right of privacy exists in California results of testing and monitoring. Employers generally are considered to transit, but not such communications There is a limited exception for the “work-areas.” The NLRB indicated and nine other states. Georgia has a Security is an ongoing process, not be service providers because the in storage (ie, in an e-mail “In Box”). investigation of illegal activities. that such policies would deter pro- common law right of privacy. New a static condition. Employers need to employer typically provides the tele- There is an exception, however, for Pursuant to the exception, an tected communication among union York has neither a constitutional nor evaluate and adjust their safeguards phone service being used. Whether or e-mail intercepted in the ordinary employer may conduct monitoring members. The NLRB found the prohi- a common law right of privacy. Of program at regular intervals and not one of these exceptions applies is course of business and another without giving prior written notice bition of all personal e-mail to be the four privacy torts, intrusion upon respond to results obtained through determined on a case-by-case basis. exception where there is express or when 1) an employer has reasonable “overbroad and facially unlawful” in seclusion is probably the most rele- testing and monitoring the program. For example, the Eighth Circuit in implied consent by at least one party grounds to believe an employee is situations where the computers are vant to employers. A safeguards program also will Deal v. Spears, 980 F.2d 1153 (8th Cir. to the communication. The ECPA as engaged in conduct that violates a considered an employee’s work area The Restatement (Second) of Torts require changes to keep up with 1992), and the 11th Circuit in Watkins initially drafted did not apply to elec- law, violates legal rights of the because it banned protected oral §625B defines the tort of intrusion technology, business practice, and v. L.M., Berry & Co., 704 F.2d 577 (11th tronic communications in storage. employer or other employees, or cre- solicitation by union members. NLRB upon seclusion as the intentional personnel. Employers should remain Cir. 1983), ruled that implied consent The ECPA eventually was amended ates a hostile workplace environ- rules treat union-related oral solicita- intrusion upon the solitude or seclu- vigilant about new or emerging does not exist where an employee is by the Stored Communications Act, ment, and 2) electronic monitoring tion and the distribution of written sion of another or his private affairs which governs access to electronic threats to information security and only informed that telephone conver- may produce evidence of such mis- materials differently. An employer or concerns that would be “highly communication in storage. This Act changes in the legal and regulatory sations might be monitored. Implied conduct. Violation of the statute may may not prohibit all oral solicitation offensive to a reasonable person.” To prohibits the intentional unauthorized environment. consent requires a higher standard of result in monetary penalties. in the work area, but may limit this determine whether an intrusion access to e-mail in storage. Service would be offensive to a reasonable MONITORING EMPLOYEE awareness that monitoring will take Delaware. Delaware law requires communication to non-work hours. providers, however, are exempt place. The court in Watkins also held employers who monitor employees’ In finding that the computer systems person, courts have examined the TELEPHONE, E-MAIL, AND when accessing stored electronic that personal phone calls may not be Internet access, telephone calls, or were part of employee work areas, degree of intrusion, the context, the INTERNET USE information. Employers generally are intercepted in the ordinary course of electronic mail to provide notice to communications in the work area conduct and circumstances surround- Employers have a legitimate inter- considered to be service providers business, except to guard against the employees at hiring or before could not be completely prohibited ing the intrusion, and the intruder’s est in knowing how their employees because the employer typically pro- unauthorized activity or to determine beginning monitoring. Employers or limited to business uses without motives and objectives. The key fac- spend their time at work. Inappro- vides the electronic communications that such communications are person- may provide notice either by posting effectively banning oral solicitation in tor, however, is the expectation of priate e-mail can trigger workplace service being used. Therefore, the the individual whose privacy alleged- al. An employer must discontinue it electronically so an employee sees it that work area. lawsuits and sexual harassment federal statutes permit employers to ly was invaded. An individual would recording or monitoring of any per- at least once each day or by providing INTERNET MONITORING claims. Cyberslacking and excessive monitor employee e-mail. have to show that he had a “reason- personal telephone calls at work sonal communication once it is known a one-time notice in writing, in an Employers have a legitimate inter- State E-mail Monitoring Laws able expectation of privacy.” waste employee time, costing that the call is personal. In Deal v. electronic record or in another elec- est in monitoring the Internet use of Connecticut and Delaware are the The intrusion upon seclusion tort employers millions of dollars in lost Spears, the court held that excessive tronic form and having it acknowl- employees. Employers should be only states that specifically regulate is relevant in the context of informa- productivity. Technological advances monitoring without a legitimate busi- edged by the employee either in writ- aware, however, that if they monitor the monitoring of employee e-mail tion privacy because employees have make it increasingly easy for employ- ness purpose is not permitted. ing or electronically. Unlike the employee Internet use, the informa- by employers. Both states have used it to make arguments against ers to monitor employees and limit State Wiretapping Laws Connecticut law, the Delaware law tion the employer learns or is on enacted statutes that require employ- employer monitoring. It is a difficult negative behavior. Employers should Most states have passed anti-wire- does not exempt employers from giv- notice of as a result of such monitor- ers to provide advance notice of any claim, however, for employees to make certain, however, that they tapping laws that regulate the inter- ing notice to employees when the ing may impose a legal obligation on understand their legal rights and ception and recording of telephone continued on page 5 monitoring of e-mail communications the employer. In Doe v. XYC Corp., continued on page 6

4 The Privacy &Internet Data Protection Law & Strategy Legal Reporter❖ www.ljnonline.com/alm?net❖ www.ljnonline.com/alm?privacy June 2006 June 2006 The Privacy & Data Protection Legal Reporter ❖ www.ljnonline.com/alm?privacy 5  Workplace Privacy is for purposes of investigating an ille- 877 A.2d 1156 (2005), the New Jersey gal activity. Similar to Connecticut, Appellate Court held that an employ- continued from page 4 violation of the statute may result in er that is on notice that one of its electronic monitoring in the work- monetary penalties. employees is using a workplace com- place and prohibit monitoring with- State Wiretapping Laws puter to access child pornography out such notice to employees. There Many states have passed anti-wire- has a duty to investigate the employ- is no case law in either Connecticut tapping laws, similar to the ECPA, ee, to report the employee’s activities or Delaware interpreting or applying which regulate the interception of to the proper authorities, and to take the relevant statutes. electronic communications. Most effective internal action to stop the Connecticut. Section 31-48d of the states require the consent of at least continuation of such activities. Connecticut General Statutes governs one person who is a party to the COMMON LAW PRIVACY an employer’s ability to electronically communications. Some states, how- In circumstances where an monitor its employees. This law ever, require the consent of all par- employee may not be able to prove requires employers to conspicuously ties involved. a violation of federal or state statuto- post a notice concerning the types of National Labor Relations Board ry law, the employer may still be electronic monitoring in which the Workplaces with unionized labor liable for common law invasion of employer may engage. “Electronic may be subject to additional restric- privacy. In the United States, there monitoring” is broadly defined as “the tions on e-mail monitoring. The are four privacy torts: 1) intrusion collection of information on an National Labor Relations Board upon seclusion, 2) false light, 3) employer’s premises concerning (“NLRB”) Office of General Counsel appropriation of likeness, and 4) employees’ activities or communica- published an Advice Decision in 1998 public disclosure of embarrassing tions by any means other than direct stating that business-only e-mail poli- private facts. The availability of these observation, including the use of a cies (restricting use of e-mail to busi- tort claims depends on the relevant computer, telephone, wire, radio, ness purposes only) were unlawful in state law and the specific facts camera, electromagnetic, photoelec- situations where computers and com- alleged. For example, a constitution- tronic or photo-optical systems.” puter networks are part of employee al right of privacy exists in California There is a limited exception for the “work-areas.” The NLRB indicated and nine other states. Georgia has a investigation of illegal activities. that such policies would deter pro- common law right of privacy. New Pursuant to the exception, an tected communication among union York has neither a constitutional nor employer may conduct monitoring members. The NLRB found the prohi- a common law right of privacy. Of without giving prior written notice bition of all personal e-mail to be the four privacy torts, intrusion upon when 1) an employer has reasonable “overbroad and facially unlawful” in seclusion is probably the most rele- grounds to believe an employee is situations where the computers are vant to employers. engaged in conduct that violates a considered an employee’s work area The Restatement (Second) of Torts law, violates legal rights of the because it banned protected oral §625B defines the tort of intrusion employer or other employees, or cre- solicitation by union members. NLRB upon seclusion as the intentional ates a hostile workplace environ- rules treat union-related oral solicita- intrusion upon the solitude or seclu- ment, and 2) electronic monitoring tion and the distribution of written sion of another or his private affairs may produce evidence of such mis- materials differently. An employer or concerns that would be “highly conduct. Violation of the statute may may not prohibit all oral solicitation offensive to a reasonable person.” To result in monetary penalties. in the work area, but may limit this determine whether an intrusion Delaware. Delaware law requires communication to non-work hours. would be offensive to a reasonable employers who monitor employees’ In finding that the computer systems person, courts have examined the Internet access, telephone calls, or were part of employee work areas, degree of intrusion, the context, the electronic mail to provide notice to communications in the work area conduct and circumstances surround- the employees at hiring or before could not be completely prohibited ing the intrusion, and the intruder’s beginning monitoring. Employers or limited to business uses without motives and objectives. The key fac- may provide notice either by posting effectively banning oral solicitation in tor, however, is the expectation of it electronically so an employee sees it that work area. the individual whose privacy alleged- ly was invaded. An individual would at least once each day or by providing INTERNET MONITORING have to show that he had a “reason- a one-time notice in writing, in an Employers have a legitimate inter- able expectation of privacy.” electronic record or in another elec- est in monitoring the Internet use of The intrusion upon seclusion tort tronic form and having it acknowl- employees. Employers should be is relevant in the context of informa- edged by the employee either in writ- aware, however, that if they monitor tion privacy because employees have ing or electronically. Unlike the employee Internet use, the informa- used it to make arguments against Connecticut law, the Delaware law tion the employer learns or is on employer monitoring. It is a difficult does not exempt employers from giv- notice of as a result of such monitor- claim, however, for employees to ing notice to employees when the ing may impose a legal obligation on monitoring of e-mail communications the employer. In Doe v. XYC Corp., continued on page 6

June 2006 The Privacy & Data Protection Legal Reporter ❖ www.ljnonline.com/alm?privacy 5  Workplace Privacy Employers should take care that face myriad privacy requirements telephone conversations of a person- with respect to the management of continued from page 5 al nature are not monitored once it is employee personal information. successfully assert. The U.S. Supreme apparent that the conversation is not These requirements apply prior to Court recognized in O’Connor v. related to the legitimate business the commencement of the employ- Ortega, 480 U.S. 709 (1987), that purpose that prompted the monitor- ment relationship, throughout the employers have a legitimate interest ing. If employers want to monitor or employment period, and after the in monitoring the workspace of their record conversations of sales or serv- relationship has ended. Employers employees. The only cases in which ice representatives with customers, should use caution in collecting, employees have successfully asserted employee telephones used for such using, and disclosing employee per- an intrusion upon seclusion claim purpose should be marked appropri- sonal information and should aim to involve those in which the employ- ately and a recorded notice should comply with all the legal mandates er’s surveillance activities were con- be given at the beginning of the tele- that impact the use of such informa- sidered “outrageous.” For example, phone call notifying the customer tion. Employers are well advised to in Hawaii v. Bonnell, 856 P.2d 1265 that the call is being monitored or develop and implement comprehen- (Haw. 1993), an employer set up a tape recorded. sive written information security pro- video camera in an employee break Employers should apply the fol- grams to safeguard employee per- room used only for non-work pur- lowing guidelines when monitoring sonal information from misuse or poses. The court held that employees employees: unauthorized acquisition. Employers have a subjective expectation of pri- • Monitor only if there is a com- should also develop and implement vacy to be free from covert video pelling reason; written policies and procedures with surveillance in the break room and • Clearly inform employees on the respect to monitoring the behavior of that their subjective expectation was full scope of monitoring in an their employees. Although U.S. legal objectively reasonable because the employee handbook or e-mail to requirements affecting workplace break room was not a public place or all employees; privacy are complex, employers subject to public view or hearing. • Use the least intrusive measures should respect and protect the priva- Several court decisions, such as available; cy rights of their employees. Smyth v. Pillsbury Co., 914 F.Supp. 97 • Retain information obtained as a (E.D. Pa. 1996), and Bohach v. City of result of monitoring for only the Reno, 932 F.Supp. 1232 (D. Nev. time needed; 1996), have allowed employers to • Treat all employees uniformly and apply policies consistently; and monitor employees’ use of company —❖— e-mail and the Internet, finding that • Determine whether monitoring im- employees do not have a reasonable poses an obligation to take action. expectation of privacy with respect CONCLUSION to an e-mail message communicated Although there is no omnibus U.S. over an employer’s computer system. employee privacy law, employers

Hunton & Williams LLP • www.hunton.com

Atlanta • Bangkok • Beijing • Brussels • Charlotte • Dallas • Houston • Knoxville • London • McLean • Miami • New York • Norfolk • Raleigh • Richmond • Singapore • Washington 6 The Privacy &Internet Data Protection Law & Strategy Legal Reporter❖ www.ljnonline.com/alm?net❖ www.ljnonline.com/alm?privacy June 2006