Privacy Law Blog

Protecting Privacy or Enabling Fraud? Employee Social Media Password Protection Laws May Clash with FINRA Rules

Posted in California, Online Privacy, Workplace Privacy

As a growing number of states pass legislation which will protect individuals’ social media accounts from employer scrutiny, they have encountered a surprising adversary – FINRA and other securities regulators.

To date, at least six states have enacted social media employee privacy laws (which were blogged about here, here, here, and here) and upwards of thirty-five states have considered legislation since the beginning of 2013. Washington State may soon join the ranks with SB 5211, a bill unanimously passed by both chambers of Washington legislature on April 27, 2013, which now awaits the Governor’s signature. Social media password protection laws, although unique to each state, generally restrict employers from requesting or requiring that employees or applicants provide their social media user names, passwords, and account information. Supporters believe the laws are necessary to protect employee and prospective employee privacy and to prevent against unlawful employer action in response to an employee’s social media use.

FINRA, the Financial Industry Regulatory Authority, fears that the new employee privacy laws may directly conflict with securities rules and threaten investor protection. With an increasing number of financial firms taking to Facebook and Twitter to interact with investors and give financial advice, FINRA has set forth various guidelines governing social media use. Under FINRA rules, securities firms must “adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised,” and broker-dealers must be able to “retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.” FINRA Regulatory Notice 11-39 (August 2011). According to FINRA, if the employee of a broker-dealer is engaging in business communications over a social networking site, the broker-dealer must have access to the account for general monitoring and for its records. Broker-dealers must also be able to freely follow up on red flags, or misuse of an account. FINRA fears that the adoption of social media employee privacy laws may conflict with monitoring and reporting requirements and could force some employers into a lose-lose situation—violate state law or violate a FINRA rule. FINRA worries that employers who choose the former will increase investor risk and the potential for securities fraud.

FINRA has sent letters to lawmakers in approximately ten states seeking carve-outs to social media employee privacy laws for the financial services industry. Many of the laws already include narrow exemptions, which allow for employers to require disclosure if an employee’s alleged misconduct has risen to a certain level. FINRA does not appear satisfied with these exemptions, which may be too limited for broker-dealers to be in full compliance with monitoring, recording and supervision requirements. California has rejected FINRA’s request for an exception for the financial services industry, but it remains to be seen how the states will react in general.

FINRA is not alone in its concerns that social media privacy laws are too broad. On May 6, 2013, Governor Christie of New Jersey conditionally vetoed a social media employee privacy Bill which he criticized for its over-breadth and for putting employers at increased risk.

While it is too soon to predict how this conflict between employee privacy interests and financial industry oversight will be resolved, what is apparent is the increasingly complex issue of handling privacy in the age of social media.

HHS Empowers Consumers to Know (and Enforce) their Rights Under HIPAA

Posted in Electronic Communications, HIPAA, Medical Privacy

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules. These four factsheets are described in detail below and are available in eight languages on OCR’s website at: www.hhs.gov/ocr/privacy/hippa/understanding/consumers.

I. OCR Consumer Factsheet: “Your Health Information Privacy Rights”

  • OCR tells consumers that HIPAA gives them rights over their health information including the right to get a copy of their information, make sure it is correct and know who has seen it.
  • OCR says that in most cases consumers must be given a copy of their medical record and other health information within 30 days.
  • Consumers can ask to change any wrong information in their file if they believe that something is missing or incomplete. OCR states, “Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.”
  • OCR summarizes how a consumer’s health information can be used and shared for specific reasons not directly related to the consumer’s care (i.e., “making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or reporting as required by state or federal law”).
  • OCR encourages consumers to learn how their health care providers and health insurers are using and sharing their health information.
  • OCR encourages consumers to let their health care providers and health insurers know if there is information that they do not want to be shared.
  • OCR also tells consumers that they can make reasonable requests to direct their health care provider to contact them at a different place or in a different manner. For example, if the doctor’s office usually sends a postcard with an appointment reminder, the consumer may request that the appointment reminder be sent in an envelope instead.

II. OCR Consumer Factsheet: “Privacy, Security, and Electronic Health Records”

  • OCR explains that electronic health records (EHRs) are electronic versions of the consumer’s paper medical record and include health information such as medical history, notes, diagnoses, medications, lab results, and immunizations.
  • OCR tells consumers that their privacy rights are the same whether the health information is stored on paper or in an electronic form.
  • In the factsheet, OCR summarizes the benefits of health care providers using EHRs. Consumers should expect “improved quality of care”, “more efficient care”, and “more convenient care.”
  • OCR summarizes certain protections that can safeguard EHR systems, including access controls like passwords and PIN numbers, encryption, and an audit trail feature.
  • OCR describes for the consumers the breach notification requirement for health care providers.

III. OCR Consumer Factsheet: “Understanding the HIPAA Notice”

  • OCR provides a four-step process for consumers to follow to make sure that they understand the “Notice of Privacy Practices” and their rights under HIPAA.
  • Step 1: OCR encourages consumers to “Get a Copy of the Notice of Privacy Practices”
  • Step 2: OCR encourages consumers to “Read the Notice”
    • The Notice explains how the health care provider or insurer is allowed to use or share their information
    • Explains the consumers’ privacy rights
    • Explains the doctor or insurer’s legal duties to protect consumers’ health information
    • Provides the contact information about the doctor or insurance company’s privacy policies.
  • Step 3: OCR encourages consumers to “Ask Questions about the Notice or Your Rights”
  • Step 4: OCR encourages consumers to “Know What You are Signing”
    • HIPAA requires the consumer’s doctor, hospital, or other health care provider to ask for written proof (an acknowledgment of receipt) that he or she received the Notice of Privacy Practices.
    • Consumers are not required to sign the acknowledgment of receipt; however, providers must keep a record that the consumer decided not to sign the form. Providers must still care for consumers who do not sign the acknowledgment of receipt.

IV. OCR Consumer Factsheet: “Sharing Health Information with Family Members and Friends”

  • OCR summarizes and provides examples of when a health care provider or health plan may share relevant information with family members or friends involved in the consumer’s health care or payment for health care.
  • OCR states that under HIPAA, a health care provider may share a consumer’s information face-to-face, over the phone, or in writing … if:
    • The consumer gives the provider or plan permission to share the information.
    • The consumer is present and does not object to sharing the information.
    • The consumer is not present, and the provider determines based on professional judgment that it is in the consumer’s best interest.
  • OCR provides frequently occurring examples for each of these scenarios.
    • The consumer’s hospital may discuss the consumer’s bill with his or her daughter who is with the consumer and has a question about the charges, if the consumer does not object.
    • The consumer’s doctor may discuss the drugs the consumer needs to take with the consumer’s health aide who has accompanied the consumer to his or her appointment.
    • The consumer had emergency surgery and is still unconscious. The consumer’s surgeon may tell the consumer’s spouse about his or her condition, either in person or by phone, while the consumer is unconscious.
    • A doctor may not tell a consumer’s friend about a past medical problem that is unrelated to the consumer’s current condition.

Finally, OCR provides information to consumers on who to contact if their HIPAA rights are being denied or their health information is not being protected.

The SEC and CFTC Adopt Identity Theft Red Flag Rules

Posted in Identity Theft, Uncategorized

The Securities and Exchange Commission (the “SEC”) and Commodity Futures Trading Commission (the “CFTC”) recently adopted rules requiring entities subject to their respective enforcement authorities to adopt and implement programs to detect and respond to indicators of possible identity theft, as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”). The SEC rules apply to entities such as broker-dealers, investment companies and investment advisers, while the CFTC’s rules apply to entities such as futures commission merchants, commodity trading advisors and commodity pool operators.

The Dodd-Frank Act requirement shifted rulemaking responsibility and enforcement authority for identity theft rules governing such entities to the SEC and CFTC from the six federal agencies that had jointly adopted identity theft rules under the Fair Credit Reporting Act in 2007.

The rules adopted by the SEC and the CFTC specify: (1) which financial institutions and creditors must develop and implement a written identity theft prevention program; (2) the objectives of such a program; (3) the elements that the program must contain; and (4) the steps financial institutions and creditors need to take to administer the program. The rules do not contain any requirements that were not already in the rules established in 2007, nor do they expand the scope of those rules to include new categories of entities that the rules did not already cover. However, the rules and the related adopting release contain examples and minor language changes that are designed to help guide entities with compliance.

The rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after that effective date.

Navigating the Patchwork: When Is European Data Privacy Law Applicable to US Companies?

Posted in Data Privacy Laws, European Union, International, Online Privacy

Are social media companies based in the United States subject to European data privacy laws? Two recent judicial decisions – one in France and the other in Germany – arrived at different answers. The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets. In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names.

Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act

Posted in California, Data Privacy Laws, Online Privacy

California Assembly Member Bonnie Lowenthal recently introduced the “Right to Know Act of 2013” (AB 1291), which would require any company that retains a California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a list of all third parties with whom it has shared the resident’s data during the previous 12 months, the contact information of such third parties, and the types of personal information that were shared. In contrast to the existing Shine the Light Act, this legislation would not be limited to data sharing for direct marketing purposes, and would not provide exceptions for companies that maintain an opt-in or opt-out policy for data sharing. Moreover, the legislation’s definition of “personal information” is broader, and includes data such as online usage information. Also, the legislation would apply to businesses even if they do not have a direct relationship with the California resident, such as data aggregators and online ad networks. Additional requirements also exceed what is present in the existing law. If a company does not comply, California residents would be empowered to file a civil suit to force compliance. The law does not distinguish between brick-and-mortar businesses and online companies.

New Mexico Joins Other States in Prohibiting Employers from Requesting Access to Applicants’ Social Networking Accounts

Posted in Workplace Privacy

On April 5, 2013, New Mexico joined six other states (including, among others, Utah, Maryland and California) in passing a new law prohibiting employers from requesting or requiring that a prospective employee provide access to his or her social networking accounts. Proskauer’s Labor & Employment group has discussed the new law here.

Six European Data Protection Authorities Will Launch Legal Actions against Google Stemming from its Privacy Policy

Posted in Behavioral Marketing, Data Privacy Laws, European Union, International, Online Privacy, Privacy Litigation

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm (the “Directive”).

Utah’s New Internet Employment Privacy Law Continues a Growing Trend

Posted in Workplace Privacy

Following a growing trend among states, on March 26, 2013, the Utah legislature passed the Internet Employment Privacy Act, which prohibits employers from requesting that job applicants or employees disclose passwords protecting their personal internet accounts. Proskauer’s Labor & Employment group has discussed the new law here.

Massachusetts Supreme Court Rules ZIP Codes Are Definitely “Personal Identification Information”

Posted in Data Privacy Laws

In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws ch. 93, § 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is a violation of state privacy law for which the consumer can sue (see slip opinion).

President Obama Signs Executive Order on Cybersecurity

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity. The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing baseline cybersecurity standards. Critical infrastructure refers to those systems and assets, both physical and virtual, so vital to our nation that any cyber attacks upon them would have a debilitating impact on national security, economic security, and/or public health or safety.

According to a report issued by the Department of Homeland Security (the “DHS”) in December 2012, there were 198 cyber attacks on the nation’s critical infrastructure last year, several of which were successful. One such successful attack involved highly sophisticated malware found on critical engineering workstations at a power generation facility. According to the DHS’ Industrial Control Systems Cyber Emergency Response Team Monitor, an “ineffective or failed cleanup would have significantly impaired” the power plant’s operations. Critical infrastructure systems ranging from air traffic control systems, highways, and hospitals to electrical grids, water systems, power plants and financial systems all have virtual components that are vulnerable to cyber attack. Over the past year, the need for stronger defenses against cyber attacks has gained traction in the public eye, as hackers have successfully targeted numerous high profile companies, including major newspapers, banks, and federal agencies.

President Obama’s Executive Order on cybersecurity comes in the wake of proposed cybersecurity legislation, which was stalled in Congress last year. The Executive Order relies heavily on a voluntary program that encourages private companies operating critical infrastructure to adopt baseline cybersecurity standards, which the federal government will develop with industry assistance.

China Introduces New Data Privacy Law

Posted in Data Privacy Laws, Online Privacy

On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China. According to the Decision, these principles were passed in order to protect network information security, protect the lawful interests of citizens, legal persons and other organizations, and safeguard China’s security and social order.

The Decision provides legal protection for electronic information that is personally identifiable or involves personal privacy, and imposes various obligations on network service providers and other entities that collect and use the electronic personal information of Chinese citizens (collectively, “Network Service Providers”). Some of the significant obligations contained in the Decision include:

  • Prohibition on stealing, illegally obtaining, selling or illegally providing electronic personal information;
  • Requirement that Network Service Providers clearly and publicly indicate the objective, methods and scope for the collection and use of electronic personal information;
  • Requirement that Network Service Providers obtain consent when collecting or using electronic personal information and keep such information confidential;
  • Requirement that Network Service Providers adopt technological measures to ensure information security; and
  • Prohibition on the sending of commercial electronic communications to fixed telephones, mobile telephones or to e-mail accounts without consent.

Network Service Providers must also improve their management of information disseminated by their users. When that information violates laws or regulations, Network Service Providers are required to take certain affirmative actions, including stopping the dissemination of the information, preserving the relevant records and informing the relevant government departments.

Further, the Decision requires any entity providing access to the internet, fixed telephones or mobile telephones, or providing information publication services (e.g., microblogging), to gather real identity information from users at the time of entering into agreements or confirming service provision with users.

Under the Decision, when citizens discover any network information that discloses their personal identity, invades their personal privacy or otherwise infringes their lawful rights, or when they are being harassed by commercial electronic information, they have the ability to require Network Service Providers to delete the relevant information or adopt necessary measures to stop the infringing activity. Any individual or organization may report illegal or criminal acts against the Decision to the appropriate government department, and the infringed party may also file a lawsuit against the infringers in accordance with law.

Penalties for violating the Decision include warnings, fines, confiscation of unlawful income, cancellation of permits, closure of websites or a ban on engaging in web-related business in the future (which would also be entered into social credit records and be made public), or other civil, administrative or criminal penalties.

Taking effect as of the date of its publication (i.e., December 28, 2012), the Decision is a great step forward for privacy protection in China. However, the provisions of the Decision are very general and still need to be completed by more specific and detailed implementing rules, so the implementation and enforcement of the Decision remain to be tested in practice.

California Supreme Court Holds Online Retailers of Downloadable Products May Require Personally Identifying Information For Credit Card Transactions

Posted in California, Data Privacy Laws, Financial Privacy, Online Privacy

The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097, available at http://www.courts.ca.gov/opinions/documents/S199384.PDF.) The Court agreed with Apple that online sales of electronically downloadable products fall outside the coverage of the Act. The Court’s reasoning emphasized that the collection of some personally identifying information is important in preventing online fraud. Although the Act does not apply to the transactions in question, the Court pointed out that online retailers are not given free rein because other state and federal laws do apply to place limits on the collection and use of personally identifying information.

Among the provisions of the Act, codified at California Civil Code section 1747 et seq., is a prohibition in section 1747.08 against retailers’ requesting or requiring a credit card holder’s personal identification information in order to process a credit card transaction. The Court has previously held that requesting and recording a ZIP code during a credit card transaction in a brick-and-mortar store is forbidden under the Act. Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011). The Court wrote in Apple that the plain meaning of the statute’s language was not decisive of the issue at hand, and that an analysis of the legislature’s statutory scheme as a whole was necessary. The Court also pointed out that section 1747.08 of the Act makes no reference to online transactions, which is unsurprising, given that the provision that later became section 1747.08 was enacted in 1990.

The plaintiff in the underlying trial court case alleged that Apple requested or required his address and telephone number in order to accept his credit card payment for electronically downloadable items. Apple demurred to the Complaint, arguing that online transactions fall outside the scope of the Act, and that holding otherwise would undermine the prevention of online identity theft and fraud. Although not addressed in the opinion, presumably Apple’s payment card processor cross-checks the address information provided by the customer against the payment card’s billing address as a method of verifying that the customer is the authorized cardholder.

The Court noted in its Apple decision various exceptions to the prohibition outlined in the Act, including where the retailer is contractually required to provide personally identifying information to complete the transaction, uses the ZIP code solely to prevent fraud, is obligated to collect information by a federal or state law, or collects the information for a purpose incidental but related to the credit card transaction (like shipping or delivery information). Furthermore, section 1747.08, subdivision (d) specifically states that the Act does not prohibit retailers from requiring safeguards, in the form of reasonable forms of positive identification, as a precondition to a credit card transaction.

The Court reasoned that since the law’s exceptions and its allowance to check IDs at the point of sale do not have practical applicability in e-commerce transactions, it must be that the legislators did not intend the law to apply to e-commerce transactions at all. The Court seemingly was also influenced by a desire to balance the protection of consumers from undesired solicitation against the need to authenticate payment card purchasers who are not physically present to show an ID or provide their signature on a transaction form.

The Court explicitly declined to identify what specific types of personally identifying information may be collected for authentication purposes. The Court held only that section 1747.08 cannot have been intended to apply to online sales of downloadable products, because holding otherwise would foreclose anti-fraud protections enabled by the collection of personal information during e-commerce transactions.