HHS Issues New Privacy Guidelines for EHRs
The Department of Health and Human Services released new privacy guidelines designed to establish a single, consistent approach to defining the roles of individuals and the responsibilities of those who hold and exchange electronic health records (EHRs), regardless of the legal framework that may apply to a particular organization. The eight privacy principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information include patient access; correction of records; openness and transparency; patient choice; limitations to the collection, use, and disclosure of personal health information; data integrity; safeguards; and accountability. HHS also published a privacy and security toolkit and an extremely innovative facts-at-a-glance sample privacy notice.
Employers Face Challenges with Social Networking
During an interview on the need to include privacy as one component of a larger information governance strategy, GE’s CPO, Nuala O'Connor Kelly, noted that some 13,000 GE employees have self-identified on Facebook as GE employees, sometimes using their GE e-mail address and putting up GE logos to create discussion groups. The legal and organizational challenges posed by such activities were underscored by three separate reports, the first being that Salesforce.com has found a novel way to help companies recruit using Facebook. With an employee’s permission, companies can run Salesforce.com software that scans the profiles of an employee’s Facebook friends in search of the right candidate for an open position. The second source of concern relates to the Facebook’s newly announced Connect feature, which raises questions as to what user information will be shared with other websites as a result of Connect’s single sign-on functionality. The third relates to potential violations of HIPAA by an OB/GYN nurse in Pennsylvania who complained about patients on her MySpace page.
Cobbler’s Children Once Again Go without Shoes
Two firms that offer data security products, HP and Symantec, each reported breaches of employee data in December, along with six other organizations: HP (at least several thousand employee records exposed on a laptop stolen from an HP employee in the Houston area); Symantec (100 employees or less impacted by the theft of a laptop from an employee’s home); the Library of Congress; (at least 10 employees victimized by the theft and misuse of their identities by a staff member of the Library’s HR department); the DC public schools (65 job applicants and employees similarly victimized by a program support specialist employed by the school system); Florida Agency for Workforce Innovation (sensitive information of 250,000 job seekers who sought state help exposed to Internet searchers by a breach in computer security); the University of North Carolina at Greensboro (2,700 employees jeopardized by use of a virus-infected computer to process payroll); North Pacific Group (information on 2,249 employees exposed by the theft of several laptops and other computer equipment); and Lehigh Hanson (payroll files on an undisclosed number of employees accidentally placed on the Internet).
FTC to Co-Sponsor International Data Security Conference
The FTC, in conjunction with the Asia-Pacific Economic Cooperation (APEC) forum and the Organisation for Economic Co-operation and Development (OECD), will host a two-day international conference: “Securing Personal Data in the Global Economy.” The conference, which will address how companies can manage personal data security issues in a global information environment where data can be stored and accessed from multiple jurisdictions, will be held in Washington DC on March 16-17, 2009. As with recent government-sponsored privacy conferences in Europe, the conference will be webcast.
Switzerland Accepts US-EU Safe Harbor Framework
Switzerland’s Federal Data Protection Commissioner signed an agreement with the US establishing a US-Swiss Safe Harbor Framework. Benefits for companies in Switzerland are that they no longer need to prepare model contracts for transferring personal data to the US nor submit the contracts to the Federal Data Protection Commissioner for review. According to a report in Privacy Laws & Business, it is uncertain when the framework will enter into effect.
Massachusetts's Data Security Law Delayed
The deadline for compliance with Massachusetts’s comprehensive information security requirements, originally scheduled for January 1, 2009, has been postponed until May 1, 2009; the requirement for obtaining written certifications of compliance from third-party vendors has been put off to January 1, 2010. According to a press release issued by the state, the implementation deadline was extended “in light of intervening economic circumstances… to provide flexibility to businesses that may be experiencing financial challenges brought on by national and international economic conditions.”
Employee Snooping Back in News
Employee snooping was back in the news in November, with reports that Verizon fired a number of workers for inappropriately accessing the cell phone records of President-Elect Obama. Earlier in the year State Department workers and contractors were sacked for looking at Obama’s passport records. Separately, a hospital in Little Rock fired six employees for snooping into the medical records of a local TV station anchorwoman, following a routine patient-privacy audit. A common theme in all the snooping cases is employees enjoying greater access to information than called for by their responsibilities.
Starbucks Not the Only Employer Spilling the Beans
Seven HR data breaches were reported in November, including Starbucks (97,000 employees put at risk because of a stolen laptop); Lenscrafters (information on 59,000 employees exposed through a mainframe breach); the Veterans Administration (sensitive data of 1,600 veterans inadvertently posted on the Internet); the University of Missouri (41,000 employees and retirees in jeopardy in connection with an extortion threat made against Express Scripts, a company that manages prescription benefits for millions of employees); Maryland Department of the Environment (data on 1,367 former employees exposed when two laptops were stolen); Sinclair Community College (Ohio) (names and SSNs of 1,000 employees accidentally posted for a year on the Internet); and the Seattle School District (personal information of 5,000 employees unintentionally released to a local union representing some workers).
Bermuda Preparing EU-Style Privacy Law
The government of Bermuda announced that it was preparing legislation that would bring it into conformance with European standards for protecting personal information. Bermuda would become the second Caribbean nation, after The Bahamas, to enact EU-style data protection legislation.
Employee Firing for Blog Comments Upheld
An arbitrator upheld the firing of a public service employee in Alberta over inappropriate comments about her supervisor and co-workers in a blog. In upholding the dismissal in Alberta v. Alberta Union of Provincial Employees the arbitrator noted “that a blog is a form of public expression is, or ought to be, self-evident” and held that the employee, by “expressing contempt for her managers, ridiculing her co-workers, and denigrating administrative processes, engaged in serious misconduct that irreparably severed the employment relationship.”
Six HR Data Breaches, Six Different Causes
A half-dozen HR data breaches were reported in October, each illustrative of a different way in which sensitive personal information can be compromised: the City of Fresno (5,700 employees impacted by a break-in and theft of computer equipment from a vendor processing workers compensation claims); City of Charleston (information on 535 Administration Department employees exposed when a laptop was stolen from an auditor’s vehicle); Shell Oil (an undisclosed number of employees jeopardized by an IT contractor who used stolen data to file fake unemployment claims); Medical Mutual of Ohio (11 computer disks with information on 36,000 employees and retirees missing in the mail); NYS Labor Department (personal data of 400 applicants for unemployment insurance mistakenly mailed to other applicants); and PSS World Medical (an undisclosed number of job applicants impacted by unauthorized access to private information associated with an online job board).
Mutual Recognition Pact May Speed BCR Approvals
The data protection authorities of nine EU member states have agreed to give mutual recognition to the approval any one of them gives to Binding Corporate Rules submitted by a company. The countries involved are France, Germany, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain and the UK. The step is designed to speed the process of securing approvals from multiple DPAs, which currently takes years to achieve. An early test may come in the next few months, with Sanofi-Aventis's BCR application to the CNIL.
European Privacy Conferences Available Online
Streaming webcasts of the complete programs of two major privacy conferences held in Europe in October are available online, including the 30th International Conference of Data Protection and Privacy Commissioners, held in Strasbourg, and the European Commission’s Workshop on International Transfers of Personal Data, held in Brussels.
More Funding, Powers for UK DPA
The Office of the Information Commissioner of the UK will get an extra £6-million and added powers, including the power to conduct data security spot checks and to fine companies for violations of the Data Protection Act. The strengthening of oversight powers, expected before the end of 2008, comes amidst a steady and ongoing drumbeat of well-publicized public and private sector data breaches (277 within the past year).
Uruguay Enacts Comprehensive Data Protection Law
A comprehensive data protection law, modeled upon those in Europe, went into effect in Uruguay in August. According to a report in a Privacy Laws and Business newsletter, the law contains a full set of data protection principles including consent, notices, special provisions for sensitive data, limitations on certain transfers of personal data and a provision banning the transfer of personal data to destinations lacking adequacy. The law also calls for establishment of a Regulatory and Personal Data Control Unit, expected to come into existence in 2010.
Massachusetts Mandates Rigorous Data Security Program
The Massachusetts Office of Consumer Affairs and Business Regulation issued regulations, effective January 1, 2009, that require businesses to develop and implement a comprehensive, written information security program for handling ID theft-related personal information in either paper or electronic form. The security program must contain more than a dozen components that collectively are more rigorous than those normally imposed by the FTC in its enforcement actions, including: designation of responsible individuals; risk assessments; security policies; employee training; disciplinary sanctions; personal information inventories; passage of security program requirements on to vendors; documentation of breach-related activities and responses; and encryption of personal information on portable devices and in transmission. The regulations, promulgated on September 22, were authorized by a data breach law passed in August 2007.
Financial Crisis May Spur More Regulation of Privacy
The disastrous failure of government oversight of Wall Street companies and mortgage lenders may mark the end of 30-year period of belief in limited government intervention in the marketplace. Should the pendulum of public opinion swing back towards greater regulation, stronger laws for protecting privacy, as opposed to the prevailing emphasis on industry self-regulation, may be one outcome.
Google Remains in Art 29 WP Crosshairs
The Article 29 Working Party announced that it will hold hearings with Google over the company’s claim that European data protection laws do not apply to it, even though it has offices and servers in Europe and collects personal data from Europeans. The Working Party, while praising Google’s decision to reduce the time it stores results of web searches from 18 to 9 months as a step in the right direction, pressed for a six month period and criticized what it said were inadequate anonymization routines. Google also came under fire in South Korea for exposing sensitive ID numbers of thousands of Koreans and in the US for privacy lapses in Chrome, its new Internet browser.
HR Data Breaches Slow in September
September was a relatively quiet month for HR data breaches, with losses reported by Intuit (22,000 employees impacted by a previously reported break-in at an HR outsourcing vendor, Colt Express, that also affected 19 other companies); Orbitz Worldwide (loss of an undisclosed number of employees’ information on a laptop stolen from a car); and U.S. Foodservice (a significant but undisclosed expansion in the number of employees impacted by a previously reported laptop theft).
Who is Guarding the Guardians?
A new Cyber-Ark Software survey of 300 IT security professionals reveals that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them, including the CEO's passwords, customer databases, R&D plans, financial reports, M&A plans, and the company's list of privileged passwords.
DOJ Backtracks on Attorney-Client Privilege
In a major advance in corporate privacy, the Justice Department announced it would no longer pressure companies to wave attorney-client privilege and not pay the legal fees of employees accused of crimes. The announcement came on the same day as a federal court ruling dismissing charges against 13 employees in the KPMG tax fraud case, in which the government used these tactics. Under the new policy, the Department will evaluate corporate cooperation based upon information provided by a company, rather than whether it was willing to waive attorney-client privilege.
Laptop Seizures Gaining Attention of Lawmakers
Pressure mounted against seizures of laptops at border crossings following the Dept. of Homeland Security’s release of policy guidelines governing such actions. The government is claiming expansive powers to randomly search laptops, decrypt and translate any information on the machine, and even retain the laptop for an indeterminate amount of time. Several legislators have said they will introduce bills prohibiting such open-ended, suspicion-less searches when Congress returns after its summer recess. The Canada Border Services Agency was reported to be following a similar policy at its border crossings.
Only Four HR Data Breaches in August
Following the record-setting 11 data breaches reported by employers in July, only four were noted in August, by Charter Communications (a dozen laptops containing detailed personal information on 9,000 current and former workers nationwide stolen from a South Carolina office); Delphi (a flash drive with SSNS and other personal data about 2,600 former Dayton-area workers removed from the unattended laptop of a state employee); Ohio Police & Fire Pension Fund (data of 13,000 retirees improperly taken by a former fund employee); and the US Army (data of 50,000 noncommissioned officers on promotion lists compromised by inadvertent posting on the Internet).
Russia Establishes DPA, Website and Registration
Two years after enacting a comprehensive data protection law, implementation efforts are finally reported to be underway in Russia. The Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage, the agency emerging as responsible for overseeing compliance with the law, has launched a website and begun registering data controllers. Although there are a number of exemptions to the registration requirement, more than 11,500 businesses have registered to date, with 300 signing up during the last week of July alone.
ALRC Issues Massive Report on Privacy Law Changes
The Australian Law Reform Commission released its final report on its multi-year review of Australian privacy laws. The 2,700 page report contains some 295 recommendations, including removal of exemptions for employee records and small businesses, institution of a statutory cause of action for privacy invasions, a mandatory data breach notification requirement and tighter controls on cross-border data transfers. Observers expect a year or more to pass before any of the recommendations are adopted and enacted into law.
Privacy Certification Coming for Personal Health Records
The Certification Commission for Healthcare Information Technology (CCHIT) launched an industry working group in June that will create a certification plan to protect the privacy of consumers who use personal health record (PHR) technologies. CCHIT, which hopes to begin certifying personal health record providers and services in July 2009, has adopted a “big tent” definition of PHRs as any product or service that performs either or both of the following activities: (1) collecting, receiving, storing, or using personal health information (PHI) as part of a consumer data stream or PHR services; and (2) transmitting or disclosing to a third party any PHI gathered through or derived from a consumer data stream or PHR services.
Eleven HR Data Breaches in July
July was a banner month for HR data breaches, with reports of data losses from 11 employers: Google (all pre-2006 employees exposed to ID theft when thieves stole computer equipment from the offices of a former vendor, Colt Express Outsourcing Services); Bristol-Meyers (an undisclosed number of employees impacted by a stolen back-up tape); Baxter International (personal data of 6,900 employees exposed when an HR staff member’s laptop was stolen from a Chicago hotel room); Computer Associates (973 employees and dependents also affected by the Colt Express break-in); Huron Consulting Group (an undisclosed number of employees warned of the theft of payroll information by a fired employee); US Army - Fort Lewis, WA (personal information of 700 soldiers lost when a laptop was stolen from an Army employee’s truck); Washington DC Transit Authority (accidental publishing of SSNs of 4,700 employees on a website); Missouri National Guard (personal data of 2,000 soldiers at risk from a breach of an undisclosed nature); Anheuser-Busch (theft of laptops during the burglary of a company office in St. Louis); California Dept. of Consumer Affairs (5,000 employees jeopardized by the unauthorized download of their data by a personnel specialist on her last day of work); and Hillsborough Community College, FL (sensitive information of 2,000 employees exposed when a programmer’s laptop was stolen).
CNIL Audits Employment Sector
CNIL, the French data protection authority, announced in late June that it had carried out audits of the human resources function of 50 unnamed French companies, with the audits leading in several cases to enforcement actions. The most frequent problems the CNIL encountered were failure to inform employees about their data protection rights; failure to adequately protect employee personal data, particularly in cross-border data transfers; and the absence of policies for the disposal of data. CNIL also reported that anonymous whistleblower hotlines required by SOX are rarely used by French employees, and that many employers failed to notify the CNIL before putting them in place. Over the past several years the CNIL, under the leadership of Alex Türk, who also chairs the influential Article 29 Working Party, has emerged as one of the most vigorous data protection regulators in Europe.
Top Canadian Court: Attorney-Client Privilege Trumps Privacy
The Supreme Court of Canada issued a unanimous ruling in the Blood Tribe case that attorney-client privilege supersedes the power of the Federal Privacy Commissioner to compel the disclosure of personal information when investigating possible breaches of PIPEDA.
DOC Issues Safe Harbor Certification Mark
Outsourcing of Communications Creates Right to Privacy
In a major decision, the Ninth Circuit Court of Appeals ruled that employers need either a court warrant or consent to read the e-mail or text messages of employees when it contracts with outside entities to provide such services. The ruling stemmed from a lawsuit by Ontario CA Police Sgt. Jeff Quon and three others against the city's service provider and the city and Police Department for violating the 4th Amendment prohibition against unreasonable search and seizure. An estimated 28% of employers use outside vendors to host e-mail and text-messaging services.
Tech and Health Care Firms Announce PHR Privacy Guidelines
Google, Microsoft, Cisco Systems, Intuit, Aetna, Blue Cross Blue Shield and 25 other organizations announced support for a privacy guideline framework for protecting the data people keep in their online personal health records (PHRs). The privacy framework, hundreds of pages in length, is the outcome of a Markle Foundation initiative that supported an industry working group over the past 18 months. The guidelines, known as the Common Framework, are based upon the idea that information in a PHR should be under the control of the individual. They consist of a set of 17 mutually-reinforcing technical documents and specifications, testing interfaces, code, privacy and security policies, and model contract language. About 9 in 10 Americans call privacy-related factors essential or significant to their use of an online PHR, according to a recent Markle survey.
Connecticut Mandates Employee Data Protection Policy
In response to a series of massive security breaches, Connecticut became the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee SSNs. The new law, An Act Concerning the Confidentiality of Social Security Numbers, effective October 1, 2008, also imposes a statutory obligation to safeguard, and properly dispose of, personal information. For purposes of the law, personal information is defined broadly as any "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number."
And the Beat Goes On
The familiar drumbeat of HR data breaches continued in June, with reports of losses by six employers: AT&T (a laptop containing unencrypted payroll data for an undisclosed number of managers was stolen from an employee’s car); Stanford University (a stolen laptop impacting 72,000 current and former employees); CNET (more than 6,500 employees and relatives exposed to ID theft after burglars stole computer systems from the offices of a vendor, Colt Express Outsourcing Services); California State Department of Consumer Affairs (5,000 employees, contractors and board members warned of a security breach when a Word document was improperly transmitted); Dickson County (TN) Board of Education (sensitive personal data of 850 employees lost when a laptop computer was stolen from the office of the district school superintendent); and the New Mexico Department of Workforce Solutions (four boxes of manila folders with documents containing names and SSNs found in a trash bin behind the Roswell office).
Article 29 WP Encourages Use of BCRs The Article 29 Working Party continued its effort to support and encourage corporate use of binding corporate rules at its June plenary session, announcing creation of a BCR toolkit and working to streamline the approval process. During a special meeting on BCRs convened earlier in the month in Paris by Alex Türk, who heads up both the CNIL and the Working Party, data protection authorities in attendance agreed that although Safe Harbor and model contracts are also available, BCRs are the best compliance option available to global companies.
New Genetic Information Law Poses Challenges
President Bush signed House Bill 493, the Genetic Information Nondiscrimination Act, into law on May 21. The bill, which prohibits employers and insurers from discrimination on the basis of genetic information, contains some surprises and challenges for employers. Genetic information is defined broadly, to include not only the results of genetic testing but also information about "the manifestation of a disease or disorder in family members”, such as that found in family medical histories of the employee or of the employee’s spouse or dependents. The law does not become effective until November 21, 2009.
Facebook: Coming Soon to an Employee Portal Near You?
As some corporations, such as Dell, begin to utilize Facebook’s social networking software, privacy advocates and regulators continue to pressure the company to improve its privacy policies and practices. In Canada, Federal Privacy Commissioner Jennifer Stoddart said in a speech at Queens’ University that websites such as Facebook and MySpace were “the single biggest threat to the security of Canadians' personal information.” A few weeks later CIPPIC, a Canadian public policy group, filed a complaint with Commissioner Stoddart charging Facebook with 22 separate violations of a Canadian personal information protection law. In the US, Facebook reached an agreement with Attorneys General from 49 states and the District of Columbia to strengthen privacy protections for minors and teenagers using the site.
Google Launches Health Service in Beta Mode
Google began giving users a central place online to store their health records and then share them with health-care providers, with the beta launch of Google Health. Individuals can go to www.google.com/health and create profiles that include information such as existing medical conditions, allergies and any medicines being taken. They can also import medical records from US pharmacies and medical facilities that have signed on as partners, although few have so far. With the service still a work-in-progress, concerns about privacy and security remain a big hurdle.
Sixth Pfizer Data Breach in a Year
Pfizer set an unwanted record when it experienced its sixth loss of employee data in a year, when a laptop and flash drive containing information on 13,000 employees was reported stolen from an employee’s car. Other HR data breaches reported during the month included the Marine Corps Reserve Center in San Antonio (a former contractor pled guilty to unauthorized access to a computer and aggravated ID theft after being accused of selling names and SSNs of 17,000 military employees); Bearing Point Management & Technology Consultants (a laptop stolen from an employee's vehicle containing records of an undisclosed number of employees); LPL Financial (personal data on 2800 employees lost when a laptop was stolen from an employee's car); Las Cruces Public Schools, NM (a part-time computer analyst inadvertently posted personal data of 1,750 district employees on the Internet); University of Iowa (946 current and former employees impacted by improper access of a computer application); and BB&T Insurance (a laptop containing personnel data of an unknown number of Harrisonburg City (VA) Schools employees stolen from an agent’s car).
UK DPA Gains Power to Fine Data Breachers
Passage of the Criminal Justice and Immigration Act has given the UK Information Commissioner’s Office the power to impose substantial fines on public and private sector organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. Observers believe the new powers, comparable to those of the Financial Services Authority, will cause the ICO to be taken far more seriously. One legal expert, Dr. Chris Pounder, finds the authority given to the ICO to be so substantial that security breach notification legislation is no longer necessary.
Congress Passes Genetic Non-Discrimination Act
After a decade of debate, both houses of Congress passed a bill designed to bar discrimination by employers and insurance companies on the basis of information obtained from genetic tests. The bill, the Genetic Information Non-Discrimination Act (GINA), was sent on to the President, who previously indicated he would sign it into law. 31 states already have laws related to genetic discrimination by employers. The employment provisions of the bill will not apply until 18 months after enactment. Critics of the bill, including Deborah Peel and Sue Blevins, say the law doesn’t go far enough, for example by not prohibiting disclosure of genetic information without consent.
No Spring Break for Employee Data Breaches
Seven breaches of employee data were reported in April: Pfizer, in its fifth breach in 15 months, disclosed that a laptop containing records of 800 employees was stolen from the home of a contractor proving travel services; the West Seneca School District (NY) reported that information on 1,800 employees was exposed by hacking by two teenage students; the University of Toledo, which suffered a breach last month, disclosed that payroll information of 6,488 employees was accidentally posted on the university’s intranet; the Baltimore Highway Administration announced a breach of 1,800 employee records due to an inappropriate use of a shared network drive; Siemens disclosed that information on 3,542 employees was exposed when a laptop was stolen from the home of an employee; Stryker reported that its VPN had been repeatedly penetrated by an unauthorized user using an administrative password, exposing personal information of an undisclosed number of employees; and SPX disclosed that information of 403 employees was missing on a laptop stolen from a vendor, USintemetworking.
European Commission to Study Privacy Law Changes
The European Commission issued a contract notice in March seeking bidders for a “study on different approaches to tackle the new privacy challenges in particular in the light of development of new technologies and security issues.” Among the objectives of the study are the identification of privacy challenges created by “globalization and ubiquity of personal data,” and a comparative analysis of the ways in which different legal systems and self-regulatory systems deal with these challenges. The legal basis for transborder data flows is likely to receive particular attention.
CNIL Fines Another Employer
CNIL, the French data protection authority, reported that it had imposed a 40,000 Euro fine on the Service Innovation Group (SIG) France, a direct marketing company, after the company was found to have included irrelevant subjective information about both permanent and temporary employees in its personnel files. SIG was also found to have failed to comply with the subject access requirements of French data protection law.
JAL Employees Reject $473,000 Settlement Offer
The Japanese media reported that 194 employees of Japan Air Lines (JAL) rejected an offer of 48 million Yen (about $473,000) to settle a lawsuit in filed in Tokyo District Court alleging that their personal information had been collected and disclosed unlawfully without their consent. The employees claimed that some 150 items of personal information, including names, addresses, physical descriptions, medical records, and notes of “character traits” were shared with their workplace union without their consent, in violation of the 2003 Personal Information Protection Act.
Japan Issues Guidelines for Working with Data Processors
The Japanese Ministry of Economy, Trade and Industry (METI) released new guidelines at the end of February requiring tighter oversight of data processors and restricting the kind of data they may receive. The guidelines have four major points: (1) the data processor may only receive data necessary to fulfill their designated duties; (2) the data processor must employ adequate data protection measures; (3) the data processing contract must state the measures the data processor will take to protect the data; and (4) the data controller must inspect the operations of the data processor from time to time.
HR Groups Support New Federal Work Eligibility Bill
A group of HR organizations, led by the Society for Human Resource Management, is backing a federal bill that would replace the E-Verify program with one based on existing state systems used to locate non-child-support-paying parents. The New Employee Verification Act (H.R. 5515), introduced by Reps. Sam Johnson, R-Texas, Kevin Brady, R-Texas, and Paul Ryan, R-Wis, would expand the use of databases currently used by 90% of US employers and eliminate the paper-based I-9 process. Supporters claim the new approach would help prevent ID theft and be more reliable than the E-Verify program.
Patriot Act Chills Acceptance of Software-as-a-Service
Companies seeking to adopt web-based Software-as-a-Service (SaaS) applications are facing opposition from abroad over government access to information in the applications via the US Patriot Act. For example, employees at Lakehead University in Thunder Bay, Ontario have filed a grievance against the introduction of Google Gmail and other applications. Companies with European employees will need a legal basis to transfer personal information from Europe to servers located elsewhere, before they can begin using SaaS applications.
Breaches of HR Data Reach Peak Levels
Nine employers reported data breaches in March: Kraft Foods (20,000 employees impacted when a laptop was stolen from an employee who was migrating information from one computer to another as part of a systems project); MTV Networks (5,000 employees affected after an Internet connection in an employee's computer was compromised by someone outside the company); Nestle Waters North America (8,245 employees impacted by a theft of computer equipment from Systematic Automation Inc., a vendor of employee benefits statements); Presbyterian Intercommunity Hospital (CA) (5,000 employees also affected by the Systematic Automation breach); Nevada Dept of Public Safety (109 job applicants affected by the loss of a thumb drive by Crown, Stanley and Silverman, a vendor carrying out background checks); Rhode Island Dept of Administration (1,400 employees impacted by a computer disk that was missing after the relocation of an office); Broward School District (FL) (38,000 employees exposed to ID theft because of hacking by a high school senior); and Agilent Technologies (51,000 employees affected when a laptop was stolen in San Francisco from a car of a vendor, Stock & Options Solutions); and Georgia Dept of Human Resources (information on an undisclosed number of current and former employees exposed when an external hard drive went missing).
Consultation on Use of RFID Chips in Workplace
The Privacy Commissioner of Canada opened a period of public consultation on uses of RFID technology in the workplace and issued a very informative and worthwhile 38-page consultation paper. The paper includes a list of questions that employers are invited to provide their opinions and feedback on. The deadline for submissions is April 30, 2008.
Research Shows Weak Wireless Security at Airports
Research conducted at 14 airports around the world by AirTight Networks found that less than 3% of users were protecting data on their laptops by using virtual private networks (VPNs). Most of the networks detected at airports used by the remaining 97% of users were completely unsecured, and many of those with some protection used easily-defeated security protocols such as WEP.
Electronic Health Records Taking Center Stage
Google announced a pilot project involving the creation of electronic health records (EHRs) of up to 10,000 patients of the Cleveland Clinic. Last year Microsoft introduced a similar service called HealthVault, and AOL co-founder Steve Case is backing one called Revolution Health. Like the other services, Google’s will allow individuals to create and manage a password-protected health profile, including information about prescriptions, allergies and medical histories. Separately, the World Privacy Forum warned of the potential pitfalls of using these services offered by companies not subject to federal regulations on privacy and security, such as HIPAA. These concerns were detailed in a 17-page legal and policy analysis entitled Personal Health Records: Why Many PHRs Threaten Privacy. The Privacy Commissioner of Austria also called for public debate about EHRs, questioning whether they are really needed for most people, and arguing that current European data protection law does not provide adequate protections for EHRs.
Laptops Subject to Search and Seizure at US Borders
Employers may want to inform employees traveling outside the US that their laptops and other electronic devices are subject to warrantless search and seizure by customs officers when they return to the US and also develop a policy to address the issue. This long-standing US practice gained renewed prominence in early February with the filing of a lawsuit against the Dept. of Homeland Security by the Electronic Frontier Foundation and the Asian Law Caucus, two California-based civil rights groups. The Association of Corporate Travel Executives (ACTE), which filed an amicus brief in a related case last June, expressed concerns about potential lack of access to business records, possible significant damage to a traveler’s professional standing, and uncertainty over whether providing customs officials with an encryption key was required.
Stolen Computers, Vendors Dominate February Breaches
February easily qualified as Watch Out for Stolen Computers and Vendors Month, with at least six employers reporting thefts of laptops and desktops: Towers Perrin reported the theft of five laptops from its offices in Manhattan, affecting a potentially huge but undisclosed number of its own and its clients’ employees; ADC Telecommunications notified authorities that 2,600 of its employees and retirees were impacted by the theft of a laptop owned by its benefits administrator; 4,000 marines and others stationed on Okinawa and Iwakuni were jeopardized by the theft of a laptop of a federal contractor; the Diocese of Providence (RI) reported the theft of four desktop computers containing information on 5,000 school employees; a laptop lost while an employee of Memorial Hospital in South Bend (IN) was traveling had SSNs and other information on 4,300 employees; and in California, a hard drive holding the names, addresses, birth dates and SSNs of 3,500 Modesto City Schools’ employees was reported stolen from a benefits vendor. Finally, the inadvertent posting of personal information on a company file sharing site affected an undisclosed number of employees of Lexmark International.
Swedish DPA Blocks Processing by Standard & Poor’s
The Swedish data protection authority refused to authorize a subsidiary of Standard & Poor’s to process employee criminal records. The subsidiary had been asked to obtain employees’ past criminal records by its US parent company so that the parent could become a member of a “Nationally Recognized Statistical Rating Organisation” (NRSRO) in the US. The Swedish DPA rejected the request on the grounds that it was not directly connected or relevant to the company’s undertaking.
Disk Encryption Not Always Effective
Nine computer researchers, in a paper entitled "Lest We Remember: Cold Boot Attacks on Encryption Keys", argue that encryption keys can be extracted directly from a laptop’s RAM if the device has been locked with a screen saver, left in sleep mode or just recently been turned off. Subjecting RAM chips to simple cooling techniques can lead to their retaining data for hours or even days.
Ninth Circuit Court Hands JPL Employees a Victory
A federal appeals court ruled that NASA should be blocked from conducting intensive background checks on low-risk employees at its Jet Propulsion Laboratory, saying the practice threatens workers' constitutional rights. The government had demanded that the workers, who include scientists involved with the Mars Rover mission, fill out questionnaires on their personal lives, waive the privacy of their financial, medical and psychiatric records and permit open-ended interviews with third parties about them. As a result of the decision, NASA will be enjoined from proceeding with the investigations while a suit brought by the workers proceeds.
New York Law Restricts Use of Truncated SSNs
With the passage of a new law that became effective on January 1, New York became the fifth state to restrict even the use of truncated Social Security Numbers by companies. A total of 29 states now have laws prohibiting certain common uses of SSNs. The New York law also requires companies to take “reasonable measures” to ensure that access to SSNs is strictly for “a legitimate or necessary purpose” and that “necessary or appropriate” safeguards are in place to protect the confidentiality of SSNs.
Microsoft Seeks Patent on Worker-Monitoring System
Microsoft has filed a patent application for a computer system that links workers to their computers via wireless sensors allowing managers to monitor employees’ performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure. Such systems have been used for astronauts, pilots and firefighters, but never for office workers. While described as a tool to alert managers to the need to intervene when a worker experiences excessive stress or frustration, revelation of the patent application drew strong criticism from unions, civil rights lawyers and privacy advocates. A separate patent application from Microsoft presents a method of collecting offline information from users' cell phones, geolocation systems, credit-card information and other data sources to build individual profiles that can facilitate "targeted advertising" when the users go online.
HR Data Breaches Continue in January
There was no lessening of breaches of employee data in January, with losses reported by the Workers Compensation Fund in Utah (a laptop containing information on 2,800 individuals stolen from the garage of a staff auditor); Health Net in Connecticut (5,000 employees affected by a laptop stolen from a vendor); University of Wisconsin-Madison (information of 200 employees exposed on the Internet); the Navy Surface Warfare Center (up to 10,000 employees at risk when four ID thieves were apprehended with employment verification reports); and two beaches of workers compensation systems in Newfoundland and Labrador (exposing the information of at least 1,420 claimants on the Internet via a file-sharing program).
Spain Issues New Data Protection Regulation
On January 19 the Spanish Data Protection Agency published a new Regulation on Data Protection (Royal Decree 1720/2007, of December 21, 2007, currently available only in Spanish). The Regulation establishes new rules on the relationship between data controllers and data processors, on security measures and on paper files. It also authorizes the Data Protection Agency to declare that a non-European country has an adequate level of protection for purposes of data transfers, even if that country has not been approved by the European Union. A provision that calls for getting consent from family members could affect conflict of interest and benefits practices of employers.
FTC Releases Data Security Resources
The FTC has published “Protecting Personal Information: A Guide for Business”. The 28-page high-level guide, which may be most valuable to small and medium-sized businesses, promotes a data security plan built upon five key principles: Take Stock; Scale Down; Lock It; Pitch It; and Plan Ahead. The FTC website makes the basic content of the guide available in an online multi-media tutorial (mistakenly called “interactive”), as well as in a set of PowerPoint slides.