New Requirements in Effect for Employment Background Checks
As of January 1, new requirements, notices and deadlines for conducting background checks of employees and applicants, issued by the recently created Consumer Financial Protection Bureau (CFPB), came into effect. The CFPB is now the enforcement authority over the Fair Credit Reporting Act, replacing the FTC in this role. Specific state laws may be more restrictive; for example, Massachusetts has special timing requirements that differ from the FCRA.
NLRB Rules Against Firing Non-Union Employees for Facebook Posts
In another decision affecting non-union as well as union employers, the National Labor Relations Board ruled on December 14 that comments posted on Facebook are protected in the same manner and to the same extent as comments made at the "water cooler." In its review of Hispanics United of Buffalo, the Board found that a non-union employer's termination of five employees for Facebook postings was unlawful, awarding the employees full reinstatement and back pay. The NLRB upheld an administrative law judge's decision that the terminations violated the National Labor Relations Act.
Half-dozen HR Data Breaches in December
Six breaches of HR-related personal data were reported during December: Workers United (hard drive stolen from the office of an independent contractor, exposing SSNs and other sensitive data of an undisclosed number of retirees in the 100,000-member union); Mt. Diablo Unified School District (an undisclosed number of current and former employees impacted by the theft of a computer from an office of the California school district); Library Systems & Services (an undisclosed number of employees jeopardized by the theft of a company laptop); Accume Partners (an unknown number of participants in the firm’s 401(k) plan impacted by the theft of a laptop belonging to a CPA firm preparing an ERISA report); US Army Fort Monmouth, NJ (personal data of 36,000 personnel and visitors compromised by a hacker); and Sunview Vineyards of California (an unknown number of employees impacted by the theft of a laptop containing workers’ compensation data).
Art 29 WP Launches BCRs for Processors
Meeting in early December, the Article 29 Working Party decided to launch Binding Corporate Rules (BCR) for processors on January 1, 2013. According to a press release from the Working Party, “The use of a BCR for processors is not obligatory and each company acting as a processor, for example in the context of outsourcing activities or cloud computing, may decide to file an application at the data protection authority…. Once a BCR for processors is approved it can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time when a contract is entered into.” During 2012 the Working Party adopted both a Working Document (WP195) on the topic and an application form for submitting a BCR for processors.
German DPAs Call for Stronger Employee Data Protection
Amongst the results of the 84th conference of German data protection authorities was a call for stronger legal protections for employee data, both within Germany and in reforms being debated at the European level. Quoting from a statement released by the conference organizers, “An example for the need of Europe-wide high minimum requirements is the employee data protection. In Germany the relevant rules are totally inadequate. Binding provisions for employee data protection should be added to the European Commission’s proposals.”
China Tightens Restrictions on Use of the Internet
The Chinese government issued new Internet rules on December 28 that restrict anonymity, while assigning Internet companies greater responsibility for deleting forbidden postings and reporting them to the authorities. The new regulations, issued by the Standing Committee of the National People’s Congress, allow the use of pseudonyms in postings but only if users first provide their real names to service providers. The rules include a mandate for businesses to be more cautious in gathering and protecting electronic data. The government also has been increasingly identifying and blocking VPNs, which many companies use to protect their confidential information from the government and competitors.
Court Rejects Claim ADA Protects Non-HIPAA Health Information
The U.S. Court of Appeals for the Seventh Circuit, ruling in EEOC v. Thrivent Financial for Lutherans, rejected as overbroad the EEOC’s claim that health information obtained by an employer but not covered by HIPAA falls within the scope of the Americans with Disabilities Act’s medical confidentiality provision. In the case in question, the court held that an employer who received medical information on a voluntary basis from an employee was free to disclose that information in the future to other employers carrying out reference checks. In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. State law, such as California’s Confidentiality of Medical Information Act, may still apply.
Experiment Confirms Online Info Can Lead to Hiring Discrimination
Using a controlled experiment, researchers at Carnegie Mellon University confirmed the common supposition that information individuals post about themselves online through Facebook, Twitter, blogs and other Web 2.0 services can, in fact, become a source of hiring discrimination. The research, carried out by Alessandro Acquisti and Christina Fong, was described in a paper entitled “Will Johnny Facebook Get a Job? An Experiment in Hiring Discrimination via Online Social Networks,” released as one of eight Privacy Papers for Policy Makers by the Future of Privacy Forum.
Six HR Data Breaches in November
Six breaches of employment-related personal information were reported in November: NASA (personal data of up to 10,000 employees and others compromised by the theft of a laptop computer from an employee’s locked vehicle in Washington, DC); Sourcefire (up to 500 employees jeopardized by the theft of a password-protected laptop from the network security firm); Kaiser Permanente (an undisclosed number of employees in the company’s Northern California Region impacted when an HR employee accidentally emailed their sensitive personal information, including SSNs, to the wrong party); Salinas Valley State Prison (an undisclosed number of employees notified that a database file of their personal information was inadvertently placed on an intranet server accessible by all SVSP staff); Pinnacle Foods (names, SSNs, driver’s license numbers, credit card numbers and other personal information of up to 1,818 employees exposed when an employee’s password-protected laptop was stolen from her home); and Pinkerton Government Services (an undisclosed number of current and former employees impacted by the theft of computers from a PGS operating center).
Member States Take Sides on Regulation vs. Directive
Following a meeting of EU Ministers in October to discuss the proposed new legal framework for data protection, a lack of consensus was reported on whether that framework should take the form of a regulation or a directive. Six member states are opposed to a single data protection regime across the EU: the UK, Belgium, Denmark, Sweden, Slovenia and Hungary. Nine support a new regulation: Ireland, Germany, France, Spain, Italy, the Netherlands, Luxembourg, Bulgaria and Greece. The remaining 12 member states were said to be undecided. Whether the proposed reforms are contained in a Regulation or a Directive is important because it determines the amount of flexibility member states will have to adopt their own approach to the rules.
New Data Security Regulations Established in Russia
On November 1, Russian Prime Minister Dmitry Medvedev approved new data security requirements by signing Decree Number 1119. The new regulation defines three types of threats to information systems that process personal data: the first involves threats associated with the presence of undeclared capabilities in the system software; the second involves undocumented features in the application software; and the third involves threats not associated with undocumented features in either the system or application software. The resolution also defines four levels of protection of personal data that need to be adhered to, depending upon the type of threats that are present and the number of data subjects covered by the processing. The specific technical and organizational measures that will be required have yet to be issued by the regulator. A security expert quoted on the Roskomnadzor website expressed concerns that the new regulations might significantly restrict the ability to use tablets and other mobile devices in non-secure environments.
Privacy Reform Bill Passes Parliament in Australia
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012, representing the conclusion of the first phase of a legislative reform process that began six years ago, was passed by the Australian Parliament at the end of November and is due to come into effect in March 2014. The bill expands the powers of the Australian Information Commissioner and establishes a new set of 13 Australian Privacy Principles governing both public and private sector entities. The Commissioner will be able to conduct assessments and accept enforceable undertakings that could result in million-dollar fines for serious and repeated violations. Guidelines as to how the new privacy principles apply to everyday situations will be issued by the Office of the Australian Information Commissioner in 2013.
Senators Urge Investigations of Forced Password Disclosures
Senators Charles Schumer (D-NY) and Richard Blumenthal (D-CT) have called for the EEOC and Department of Justice to investigate what they describe as “rapidly and widely-spreading employer practices” of demanding job applicants’ social networking names and passwords. According to a report in Privacy Times, the practice represents a grave intrusion into personal privacy that makes it more difficult for Americans to get jobs and exposes employers to discrimination claims. Facebook’s privacy officer also stated that there has been a “distressing increase” in the practice in recent months.
Another Typical Month for HR Data Breaches
Seven HR data breaches were reported in October, including: U.S. Army (SSNs of 31 of the nation’s most highly decorated war heroes from Iraq and Afghanistan posted on a public website by a civilian contractor); Army Material Command (Huntsville) (personnel records of 400 employees taken without authority to an employee’s home); University of Chicago (SSNs of 9,100 employees printed on postcards mailed to faculty and staff); Korn/Ferry (personal information of an undisclosed number of the executive recruiting firms’ clients and candidates exposed through a cyber-attack); FEI Company (SSNs and other personal data of an undisclosed number of employees compromised by the theft of a laptop); Plainville School District (personal information of 23,000 online applicants for positions with the Illinois school district accessed by a hacker); and University of Georgia (SSNs and other personal data of 8,500 current and former employees exposed via an overseas hacker who reset the passwords of two IT workers).
Article 29 WP Issues Second Opinion on Draft DP Reform
On October 5 the Article 29 Working Party published its second opinion on the proposed General Data Protection Regulation. The Working Party called for (a) broadening the concept of personal data to include not only information that permits a person to be identified, but also information that permits a person to be “singled out and treated differently,” even if they are never identified; (b) clarifying that “identification numbers, location data, online identifiers or other specific factors as such should as a rule be considered personal data;” (c) ensuring that consent must always be explicit; and (d) reducing the number of delegated acts. Speaking later in the month, Jacob Kohnstamm, Chair of the Working Party, outlined a number of ways in which the proposed reform needs to be strengthened, even in the face of what he called “fierce lobbying” against the current version of the regulation.
Russia Tightening, Fleshing Out its Data Protection Regime
The Russian DPA, Roskomnadzor, has set a number of developments in motion: (a) it has prepared a draft list of countries that ensure appropriate protection for personal information; once the list is finalized and published, cross-border transfers of personal data to those countries may occur on the basis of an individual’s consent presented in any form; (b) a regulation that came into effect in October allows data controller associations and unions to develop industry standards on data processing within their specific industry sector, with the standards subject to approval of regulatory agencies; (c) under another regulation, information security specialists will need to be licensed to provide their services; (d) audits of compliance of data controllers, irrespective of whether they are registered, have intensified; and (e) a proposal has been developed for substantial increases in penalties for violations, comparable to those the EU is considering. January 1, 2013 is the deadline for registration as a data controller.
Colombia Enacts Omnibus Data Protection Law
On October 17, with the approval of its Constitutional Court, Colombia enacted a comprehensive data protection law modeled upon European precedents. The law contains significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights (e.g., access and correction), special obligations applicable specifically and directly to service providers, a registration requirement and cross-border data transfer restrictions. It also provides for the establishment of a data protection authority within the Superintendency of Industry and Commerce.
Canadian Supreme Court Affirms Employee Computer Privacy Rights
The Supreme Court of Canada, ruling in R. v. Cole, held that employees have a privacy right over personal use of workplace computers and should not be subject to warrantless police searches. In a 6-1 judgment with national implications, the high court said an individual’s expectation of privacy may well be lessened or diminished if the computer belongs to an employer or if strict workplace policies bar personal use. However, the majority ruling said police must still obtain a warrant to seize contents. “Computers that are reasonably used for personal purposes - whether found in the workplace or the home - contain information that is meaningful, intimate and touching on the user’s biographical core,” the court said, adding that “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected.” The court ordered a new trial for teacher Richard Cole, charged with possession of child pornography and unauthorized use of a computer.
NLRB Rules against Overly Restrictive Social Media Policies
NLRB Administrative Law judges struck down the social media policies of two companies in September, on the grounds that they had a chilling effect on employees’ exercise of their rights under Section 7 of the National Labor Relations Act. In the first case, the NLRB found that Costco’s rule prohibiting employees from posting statements electronically that “damage the Company, defame any individual or damage any person’s reputation” was overly broad. In the second case, the NLRB found that EchoStar’s policy prohibiting employees from making “disparaging comments” about it on social media sites, as well as a ban on employees using social media sites with company resources or on company time, undermined their Section 7 rights.
California Bans Employers from Requesting Social Media Passwords
California Governor Jerry Brown approved a bill that prohibits employers from asking employees or applicants for their e-mail or social media account passwords, becoming the third state, after Maryland and Illinois, to pass such legislation. Brown’s action came in spite of opposition by the Securities Industry and Financial Markets Association (SIFMA), the Financial Industry Regulatory Authority (FINRA) and the American Council of Life Insurers, all of whom said the measure would unduly restrict their ability to fulfill obligations to guard against employee malfeasance.
DPAs Force Facebook Retreat on Facial Recognition
Under pressure from European data protection authorities, led by the Irish Privacy Commissioner, Facebook promised that it would forgo using the “tag suggestion” feature of its facial recognition technology in Europe. Facebook has also come under fire from consumer protection groups and lawmakers in the United States over this feature, including pressure from Sen. Al Franken (D-MN) to use it only on an opt-in basis in the U.S. and a complaint to the FTC filed by EPIC. The Irish DPA gave Facebook four weeks to complete the implementation of other measures needed to come into compliance with European data protection law.
HR Data Breaches Dip In September
Reports of HR-related data breaches dipped in September, with only four reported: U.S. Navy (personal information of more than 200,000 current and former Navy personnel compromised when hackers broke into the Navy’s Smart Web Move Internet site, an application used to arrange household moves); University of Chicago (SSNs of 9,100 employees printed on the outside of postcards sent out as reminders of open enrollment for health benefits); Town of Willimantic, CT (an undisclosed number of employees impacted by the theft of a laptop from Town Hall); and Blue Cross Blue Shield of Massachusetts (15,000 current and former employees jeopardized by a vendor’s “inappropriate use” of their information).
Data Protection Laws Coming to the Cayman Islands, Jamaica, Singapore
The government of the Cayman Islands published a draft data protection law based upon European precedents for public review through November 2, 2012. There was no stated timeline for when the bill might come before the Legislative Assembly. Registration of databases with a government entity is included in the draft bill. Meanwhile, the Jamaican Ministry of Science, Technology, Energy and Mining announced that a Data Protection Act will be promulgated within the current financial year ending March 31, 2013, and a proposed Personal Data Protection Bill received its first reading in Singapore’s Parliament.
Australian House Passes Privacy Reform Bill
On September 17 the House of Representatives of Australia’s Commonwealth Parliament passed significant reforms to the Privacy Act 1988, including expanded powers of the Australian Information Commissioner and a new set of 13 Australian Privacy Principles to replace the current Information Privacy Principles for the public sector and National Privacy Principles for the private sector. While Australia’s Attorney General, Nicola Roxon, welcomed the reforms, Privacy Commissioner Timothy Pilgrim warned of technical glitches in the bill and two parliamentary parties joined big banks and telcos in fighting the measure. The bill now moves to the Senate for its consideration.
FTC Settles with Background Screening Firm
The FTC has reached a settlement with HireRight Solutions, an employment background screening company, under which the company will pay $2.6 million to resolve charges that it committed multiple violations of the Fair Credit Reporting Act by failing to use reasonable procedures to assure the accuracy of information it provided to employers. The FTC also claimed that HireRight failed to give consumers copies of their reports, failed to resolve consumer disputes and even assigned criminal records to the wrong person.
Two More States Bar Employers from Asking for Social Media Passwords
Illinois became the third state to pass a law prohibiting employers from requiring employees or job applicants to provide access to their social media accounts, following Maryland and Delaware. Later in August, California joined the trend with two social media bills, one governing colleges and universities and the other employers. Adopting a more balanced and comprehensive approach, the California law provides businesses with a legal liability shield from plaintiffs who may allege that they have a legal duty to monitor their employees’ social media accounts. At least 15 other states are considering legislation banning employer requests for social media passwords.
Federal CIO Council Releases BYOD Toolkit
The Federal CIO Council released a Bring Your Own Device resource toolkit for government agencies contemplating BYOD programs. Privacy, security and legal considerations are explored in the toolkit, along with more practical issues such as reimbursement of employees for voice and data costs. Besides BYOD considerations, the toolkit includes three case studies and five sample policies. The toolkit is publicly available on the Council’s website in online and PDF versions.
Seven HR Data Breaches in August
Seven breaches of employment-related data were reported in August, including: U.S. Environmental Protection Agency (5,100 employees exposed to ID theft after hackers tricked an employee into opening an e-mail containing a malicious attachment, compromising their SSNs, bank routing numbers and home addresses); Petco Animal Supplies (hundreds of employees impacted when five laptop computers were stolen from a company hired to audit the company’s 401k retirement plan); Atlanta Police Department (39 police officers and civilian employees duped by two women posing as AFLAC representatives and collecting personal information from them in their station houses); BNSF Railway (100 employees in North Dakota experiencing fraudulent openings of credit card and PayPal accounts using their non-public personal information); Steamboat Ski and Resort Club (sensitive personal information of an undisclosed number of employees accidentally e-mailed to a former employee); City of Ocoee (FL) (sensitive data of over 350 city workers accidentally posted since January on a public domain server); and General Motors (personal information of 833 active and retired employees exposed after a GM employee copied the information just before retiring in May).
UK ICO Takes Flexible Line on Need for Immediate Data Deletion
The UK Information Commissioner's Office said that organizations that are unable to justify the continued storage of personal data they had been processing may not have to delete the information immediately, under certain conditions. In new 5-page guidance, the ICO said that it recognized that organizations can face challenges in deleting personal data and that it would generally accept putting unjustifiably held information "beyond use" until it was ultimately deleted.
Privacy Act Signed into Law in the Philippines
Philippines President Benigno Aquino III signed the Data Privacy Act into law on August 15. The bill had been passed by both legislative chambers in the spring and was delayed during the summer by a debate over its perceived muzzling of the press. The Act, modeled closely upon European precedents, is viewed by its chief sponsor, Senator Edgardo Angara, as “an unequivocal sign that the country is taking the necessary actions to become a functioning knowledge-based, ICT-driven economy.”
Private Employers Do Not Seek Social Media Passwords
According to a Littler Mendelson survey of 1,000 C-suite executives, corporate counsel and HR professionals in U.S. corporations, 99% of respondents stated that their organization had not requested social media passwords as part of the hiring or onboarding process. In all of the media frenzy about the practice earlier this year, only one instance of a private employer was cited; the rest were public agencies such as law enforcement agencies. Nevertheless, one state, Maryland, has enacted a password protection law and similar legislation is pending in eleven states.
Cloud Computing Opinion Includes Cautions on Safe Harbor
The Article 29 Working Party opinion on cloud computing included new cautions about reliance upon claims of Safe Harbor participation by cloud service providers. According to the opinion, adequacy findings, such as Safe Harbor, are limited in geographic scope and cannot cover all transfers within the cloud. Even for transfers only to the U.S., the Working Party states that “self-certification with Safe Harbor may not be deemed sufficient in the absence of robust enforcement of data protection principles in the cloud environment.” Echoing recommendations of German DPAs in 2010, companies exporting personal data to such a cloud provider are advised to “obtain evidence that the Safe Harbor self-certification exists and request evidence demonstrating that their principles are complied with.” Furthermore, unless the mandatory Article 17 contract includes information on sub-processors required by some member states, the exporter is encouraged to use standard contractual clauses or BCRs, Safe Harbor participation notwithstanding. Finally, the Working Party asserts that the unique security issues associated with cloud computing were not adequately addressed by the Safe Harbor privacy principles.
HR Data Breaches Slow in July
Only five breaches of employment-related personal data were reported in July: ITWallStreet.com (detailed personal data of 50,000 job applicants exposed when a hacker broke into the website for IT professionals); Neurocare (direct deposit data hacked by the theft of the healthcare firm’s login-credentials for its payroll processor; the vigilant processor stopped deposits when it detected an unusually high number of change of account transactions); Petco (over 500 employees notified that their SSNs and 401(k) data were compromised by the theft of laptops from their auditor’s office in San Diego); City of Ottawa (800 former employees and beneficiaries of the Canadian city jeopardized when an unencrypted hard drive was stolen from a Towers Watson office in the Philippines); and the New York State Assembly (personal data of hundreds of lawmakers and their staffs accidentally exposed in the hidden tab of an Excel spreadsheet of travel expense reports posted on a news site by the State Comptroller’s office).
CNIL Fines Company for Withholding Employee Data
The French data protection agency (CNIL) fined a regional water utility €10,000 for failing to hand over GPS tracking data to an employee who was attempting to prove to a court that he had been the victim of a workplace accident. After waiting 11 weeks for a response to his access request, the employee reported the company to the CNIL; the CNIL then sent four requests over the next six months and a formal notice to hand over the data, all to no avail. The CNIL’s ruling found that through its stalling tactics the company had deprived the employee of the possibility of accessing the data, which was stored for only six months after its recording.
Crackdown on Criminal Record Checks of Employees in BC
An investigation by the Privacy Commissioner of British Columbia found that BC government employees and prospective candidates are being subjected to unnecessary and illegal criminal record checks. Following the much-publicized case of Richard Wainwright, a government employee who falsified his criminal history, as many as 85% of the province’s 33,500 employees have been compelled to submit to criminal record checks, sometimes repeatedly. According to Commissioner Elizabeth Denham, while criminal record checks are appropriate for some positions, the current practice is far too broad. An audit of related practices in the private sector will follow, according to Denham, who believes that too many employers are using a little-known police database called PRIME-BC to make employment decisions. PRIME-BC is believed to contain a wide variety of information on more than 85% of the province’s adult population.
MIIT Proposes Amendments to Regulations Governing IISPS
The Chinese Ministry of Industry and Information Technology (MIIT) has proposed extending the current data retention period observed by Internet Information Services Providers (IISPs) from 60 days to 12 months. While the new draft amendments to the Regulation on Internet Information Services do not specify whether they apply to foreign IISPs, most observers believe they do not. The draft amendments also require IISPs to request that users posting public information register their true identity, and establish a legal obligation to maintain the confidentiality of user information. A public consultation on the amendments ended on July 6.
Spokeo to Pay $800,000 to Settle FTC Charges of FCRA Violations
Spokeo, a data broker that compiles and sells detailed information profiles on millions of consumers, will pay $800,000 to settle Federal Trade Commission charges that it marketed the profiles to companies in the human resources, background screening, and recruiting industries without taking steps to protect consumers required under the Fair Credit Reporting Act. According to an FTC press release, Spokeo also falsely represented endorsements of its service as being independent, when in fact they were created by their own employees.
NLRB Issues Third Guidance Document on Social Media
The National Labor Relations Board's Acting General Counsel issued his third guidance document on social media on May 30, 2012 and, for the first time, approved the social media policy of a company - Walmart - in its entirety. Previous guidance had focused on provisions of policies that were viewed as violating the National Labor Relations Act, raising doubts as to whether any social media policy could pass muster.
New Google Tool Helps Employers, Raises Privacy Concerns
Google Maps Coordinate, a new app developed in the company’s office in Sydney, Australia, allows employers to better track and co-ordinate employees in the field, but there is a concern that the new software could inadvertently track employees during their non-working hours. For $15 per month per staff member, a company can set up a team, join team members with a special corporate email address, track their whereabouts and provide encrypted communications with the base. Employers and team-coordinators can see the whereabouts of team members on a web-based console and can select who to send jobs to based on location. Staff in turn can talk to base using the app, accept or reject jobs and can see the location of fellow workers. A special privacy button lets staff turn off the tracking capability. Users can also set times each day during which location sharing is automatically disabled.
Ten HR Data Breaches Reported in June
Breaches of employment-related personal information reported in June returned to levels common in recent years, with seven in the public/nonprofit sector and three in the private sector: U.S. Department of the Interior (7,500 employees placed in jeopardy when the agency’s shared service center in Denver reported that a CD could not be accounted for); U.S. Commodities Futures Trading Commission (names, e-mail addresses, SSNs and other data of 700 employees exposed when the agency’s system was compromised through a phishing e-mail); New Mexico Public Employees Retirement Association (100,000 active and retired government workers alerted to guard against possible fraud following the theft of an unencrypted computer); Sacramento Department of Parks and Recreation (100 employees jeopardized when folders containing names, SSNs, phone numbers, birth dates, addresses, monthly incomes and copies of driver’s licenses were thrown in a dumpster); Oregon National Guard (more than 3,500 Guard members impacted by the theft of a laptop containing sensitive personal information from a Guard member’s vehicle); Roanoke City Schools (personal data of more than 2,000 employees compromised when the Virginia school district sold a number of computers with their hard drives intact); Towards Employment (personal information of the Cleveland-based nonprofit’s 26,000 low-income clients over the last 26 years exposed by the theft of an unencrypted laptop); National Gypsum (an undisclosed number of employees put at risk by Towers Watson’s loss of two unencrypted DVDs back in February); Inovis (an unspecified number of employees of the Georgia-based B2B e-commerce company at risk by virtue of a stolen laptop); and Quantum Corporation (an undisclosed number of employees impacted by the theft of some laptop computers whose encryption had been temporarily disabled while they were in the company’s IT workroom for repair).
Proposed EU DP Regulation Runs into Member State Buzz Saw
Part of the process of vetting the proposed General Data Protection Regulation involves securing the input and support of the Council of Ministers, which represents the executives of member states. That support is now highly questionable, given the leaked release of a Council document detailing 147 reservations on Articles 1-10, 80(a) and 83 of the Regulation (about one-ninth of the total number of articles). As veteran UK privacy consultant Chris Pounder points out, at this rate of objection one can anticipate about 1,000 reservations about the Regulation. Pounder concludes that “with this level of Member State squabbling, I don’t see this Regulation surviving; if it does survive it will be a completely different animal. And I expect the lead-in time will not be 2 years but far longer.”
Stoddart Speaks Out against Delays in PIPEDA Reform
Canada’s Federal Privacy Commissioner, Jennifer Stoddart, expressed her strongest criticism of the federal government to date, telling an interviewer after her annual report was tabled, “I am very, very disappointed that we’re not moving ahead with privacy reform issues. They’re long overdue.” Parliament is required, every five years, to review the Personal Information Protection and Electronic Documents Act (PIPEDA), but the latest review, scheduled for 2011, has yet to be launched. Meanwhile, amendments to the law arising from the 2006 review, tabled only last fall, are outdated already and languishing in Parliament. In her annual report Stoddart repeats her call for new powers for the Office of the Privacy Commissioner. Industry Minister Christian Paradis declined to answer questions put to him about why the 2006 reform has stalled in Parliament, the delay in the 2011 PIPEDA review, and Stoddart's push for more powers.
Lawmakers and Regulators Tell Employers to Back off Facebook Passwords
Fallout from April’s media storm over a few employers demanding Facebook passwords from job applicants continued in May. Maryland became the first state to enact a law prohibiting employers from requesting or requiring employees or job applicants to provide access to personal social media accounts, while a more restrictive and troublesome bill with the same objective passed both chambers of the Illinois legislature. Addressing the same concern at the federal level, Sen. Richard Blumenthal (D-CT), Rep. Martin Heinrich (D-NM) and a number of co-sponsors filed the Password Protection Act of 2012 in the Senate and House. In Ontario, the Information and Privacy Commissioner, Ann Cavoukian, released a paper providing practical advice on how best to protect online privacy when using social media. The paper, “Reference Check: Is Your Boss Watching? The New World of Social Media: Privacy and Your Facebook Profile,” provides, among other things, examples of improper employer practices. Requesting personal passwords from current or potential future staff is “fundamentally wrong,” according to Cavoukian.
IBM Reins in BYOD Usage
In 2010 IBM, like many large companies, adopted a "bring your own device" policy, meaning that employees who want to work outside the office don't have to use a smart phone provided by the company. Some 80,000 employees took advantage of the policy by using non-Blackberry smart phones and tablets to connect to internal IBM networks. Faced with security challenges, IBM has now reined in BYOD usage, banning use of public file transfer services such as Dropbox and Apple’s iCloud, disabling Siri, and prohibiting the use of smart phones to create Wi-Fi hot spots. A writer who covers consumerization of IT for CIO advises that employees who want to use their smart phones and tablets for work better be prepared to sign on IT's dotted line and essentially give away their privacy rights.
Six of Eight May HR Breaches Were in the Public Sector
Eight breaches of HR data were reported in May: California Department of Social Services (375,000 home care workers jeopardized when payroll data administered by Hewlett Packard was shipped by U.S. mail to a state office in Riverside); U.S. Federal Retirement Thrift Investment Board (SSNs and other personal data of 123,000 participants and payees of the Thrift Savings Plan exposed when a computer owned by third-party administrator Serco was hacked); L-3 Communications (a thumb drive containing personal data on an undisclosed number of employees said to be misplaced from a workstation); Bimbo Bakeries USA (personal data of an undisclosed number of employees compromised when a laptop was stolen from the trunk of an employee’s car); NASA's Glenn Research Centre (staff details of 700 government workers exposed via an Internet hack); York County, SC (SSNs of 17,000 job applicants and vendors exposed by an intrusion into a web application server); Lake County Sheriff’s Office and Glade County Sheriff’s Office (personal information of an undisclosed number of staff of the two Florida agencies hacked and published by AntiSec).
ROSKOMNADZOR Increasing DP Penalties, Touts Activity
The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR) announced that its Advisory Board supported the toughening of penalties and an increase in the statute of limitations for violations of Russia’s data protection law. Claiming that too many organizations deliberately ignored the law, the DPA proposed to increase penalties for violations by companies from 200 rubles to 500,000 rubles. ROSKOMNADZOR also reported that in 2011 it conducted 1,440 planned audits and 791 unplanned audits, issued more than 2,250 orders to eliminate violations, and drew up more than 4.9 thousand protocols on administrative offenses, twice the 2010 figure. According to Roman Sheredin, Deputy Head of the Federal Service, these statistics show that Russia has built a “slim, very effective system of protection of citizens as subjects of personal data.” The DPA also decided to establish a working group to develop proposals on optimizing international cooperation in the protection of personal data.
After Long Delay, Australian Government Moves on Privacy Reforms
After announcing at the beginning of May that privacy reforms were on the way, the Australian Government finally introduced its first stage reforms to the Privacy Act 1988 to Parliament on May 23, some six years after the Australian Law Reform Commission began the process of determining what changes were needed. The changes introduced to parliament include increased regulation of personal information for marketing purposes; extending privacy protections to unsolicited information; restrictions on sending personal information to overseas companies; improved access for consumers to information held about them; and expanded powers for the Privacy Commissioner. The removal of exceptions (such as for the processing of employment records), compulsory data breach notifications and the potential for civil penalties for serious breaches of privacy will be addressed by the government in the second stage.
Federal Court Narrows Scope of Computer Fraud and Abuse Act
The Ninth U.S. Circuit Court of Appeals has rejected the opinions of three other federal appellate courts and narrowed the scope of the Computer Fraud and Abuse Act (CFAA). In a 9-2 opinion the court held that the CFAA does not criminalize authorized access to an employer’s computer system, even where that access was for a purpose prohibited by the employer’s computer use policy. This decision essentially limits the CFAA to internal or external hacking of a computer system.
Unredacted FCC Street View Report Undercuts Google Claims
On April 28, stating that it hoped to put the matter behind it, Google released the full version of the previously redacted FCC report, with only the names of individuals blacked out. The report undercut the company’s claim that the worldwide collection of payload data from unencrypted Wi-Fi routers was an inadvertent act by a single engineer. According to the FCC report, the engineer in question told two other engineers, including a senior manager, that he was collecting the payload data. He also gave the entire Street View team a copy of a document in October 2006 that detailed his work on Street View. In it, he noted that Google would be logging such data. The engineer’s to-do list included consulting with a product counsel about the privacy implications of his work.
Cloud Security Alliance Vets the Security of Service Providers
The Cloud Security Alliance launched a Security, Trust and Assurance Registry (STAR) to give potential cloud customers a central database from which they can compare providers' security assertions. Participating providers submit their answers to a self-assessment questionnaire, attesting to the security controls and monitoring that they have put in place to protect customer data. While only four providers, including Solutionary and Microsoft Office 365, have submitted self-assessments to date, a much larger number are reported to be working through the assessment.
Only Two HR Data Breaches Reported in April
Only two breaches of HR data were reported in April: Under Armour (an undisclosed number of the apparel firm’s 5,400 employees impacted by the loss of a flash drive with payroll information by PricewaterhouseCoopers); and Columbia University (names, addresses, SSNs and bank account numbers of 3,000 current and former employees exposed on the Internet).
Support for Self-Certification of BCRs Grows in Europe
The desirability of doing away with requirements that Binding Corporate Rules (BCRs) be approved by DPAs is gaining increased traction in Europe. Speaking at an IAPP Europe Data Protection Conference in London, Accenture’s Bojana Bellamy argued that "Safe Harbor is based on self-certification, standard contractual clauses are too, why should BCRs be the exception?" Richard Thomas, former UK Information Commissioner agreed, pointing out that once use of BCRs becomes more widespread, DPAs will be unable to cope with the volume of reviews that would be needed.
Panel to Evaluate Draft Indian Privacy Law
FTC Issues Final Privacy Framework Report
On March 26, sixteen months after release of a preliminary version, the Federal Trade Commission issued its long-awaited final privacy framework report, a 112-page document entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” According to the FTC, the report sets forth best privacy practices, along with recommendations that Congress consider passing general privacy legislation, as well as legislation relating to data security, breach notification and data brokers. The FTC describes the three foundational principles of its privacy framework as Privacy by Design, Simplified Choice and Greater Transparency, and claims that the framework incorporates all the concepts found in the 1980 OECD privacy guidelines. Strong support was voiced for development of a “Do Not Track” mechanism for Internet users and for cooperative work with the Dept. of Commerce on the co-regulatory initiatives it has proposed between industry and government.
High-Level EU-U.S. Privacy Conference Held in March
An extremely high-level privacy conference, sponsored by the European Commission, was held on March 19 in Washington, DC with video participation in Brussels. Major policy makers, regulators, legislators, advocates, academics and experts from both sides of the Atlantic were in attendance. Highlights of the conference included: (a) a joint U.S.-EU affirmation that the Safe Harbor framework will continue, with current problems to be addressed; (b) discussion of the Safe Harbor Privacy Principles potentially serving as baseline protections in the sectoral codes of conduct called for by the Dept. of Commerce; (c) a commitment by the Obama administration to move ahead with its new privacy initiatives regardless of whether legislative action is forthcoming; (d) growing interest in the development of “interoperability” between different privacy regimes in the U.S., Europe and elsewhere; (e) a passionate speech by Rep. Ed Markey (D-MA) against online behavioral targeting; (f) questions about the effectiveness of the FTC’s consent decrees with Google and Facebook in the light of subsequent activities by each; and (g) broad recognition that while European and American approaches to privacy protection are converging, the U.S. is unlikely to adopt EU-style privacy legislation anytime soon. The programs, as well as a complete recorded webcast of the conference, are available at http://ec.europa.eu/justice/events/eu-us-data/index.html.
Move over Street View, It’s Time for Google’s Newest Privacy Firestorm
With regulatory slaps on the wrist winding down and lawsuits stretching out over its Street View fiasco, Google’s consolidation of user data and privacy policies, put into effect on March 1, ensured that the company will remain in the cross-hairs of regulators around the world. In addition to the critics expressing concerns noted in last month’s Review (36 Attorneys General; 8 U.S. lawmakers; DPAs in France, Canada, Korea and Japan; and a coalition of 50 U.S. and European advocacy groups), March developments included demands from the CNIL for answers to 69 questions about the new policy by April 5; a warning from the UK ICO that the new policy is too vague to satisfy European notice requirements; a stinging rebuke from EU Justice Commissioner Viviane Reding that “we aren’t playing games here” and will not tolerate “sneaking” citizens’ privacy away; expressions of “common concerns” from members of the Asia Pacific Privacy Authorities, including Australia, four Australian provinces, New Zealand, Hong Kong, Korea, Canada, British Columbia and Mexico; the threat of an investigation from the Justice Ministry of Brazil, a nation that lacks a comprehensive data protection law; a monetary claim against the company by Privacy International’s Alexander Hanff; and lawsuits seeking class action status in federal courts in California and New York. Towards the end of March Google released a new utility, Account Activity, which claims to provide a cross-product summary of user activity on a monthly basis.
Demands by Employers for Facebook Access Capture Media Attention
U.S. courts have generally upheld the rights of employers to access the Facebook accounts of employees and to terminate those making inappropriate or offensive posts. However, public opinion swung suddenly and dramatically in the opposite direction in March after the media began reporting on and debating the growing trend among employers of demanding or requesting access to the Facebook accounts of job applicants as part of the screening process. At first it involved Correction Officers in Maryland and Police Department jobs in North Carolina, then a statistician in New York, job applicants in the city of Bozeman, Montana, sheriff’s departments in Illinois and Virginia, and applicants at Sears. Press reports of the practice spread rapidly from the U.S. to Canada, the UK and beyond, with “invasion of privacy” emerging as a common theme.
HR Data Breaches Return to Normal Levels in March
After a dip in February, breaches of HR data returned to normal levels in March, with 8 breaches reported, mostly in the public sector: City of Providence (SSNs of 3,000 retirees accidentally released in response to a public records request); Wayne County, Michigan (a spreadsheet containing names, employee IDs, SSNs, birth dates, addresses and other information for over 1,000 employees accidentally e-mailed to about 1,300 union members); Impairment Resources (sensitive data of over 14,000 individuals exposed when a computer was stolen from the San Diego office of a firm processing workers’ compensation claims; as a result of the breach, the firm filed for bankruptcy); Lake Worth (TX) School District (an undisclosed number of employees jeopardized by a “computer security breach” carried out by a former employee); Kaiser Permanente (personal data of 30,000 employees discovered on a hard drive for sale in a second-hand store in California); NASA (2,300 employees of the Kennedy Space Center impacted by the theft of a laptop from an employee’s car outside his home); Sacramento Area Firefighters (a spreadsheet containing SSNs and addresses of an undisclosed number of firefighters accidentally forwarded to a mailing company that then included the SSNs on mailing labels); and the Town of Plainfield (IN) (personal information of 250 town and state employees exposed online by a hacker).
Philippines Senate Passes Data Privacy Act
On March 20, 2012, the Senate of the Philippines unanimously approved the omnibus Data Privacy Act, which is modeled on the EU Data Protection Directive. It features significant notice, consent and data breach notification requirements, and it imposes direct obligations on both data controllers and data processors, with oversight to be provided by a National Privacy Commission. There is some uncertainty about the scope of the Act, however, since a provision was added excluding coverage of personal data originally collected from residents of foreign jurisdictions but processed in the Philippines. Such a provision, apparently included in a misguided attempt to protect the outsourcing industry, would actually make processing of personal data of Europeans in the Philippines more difficult. The Senate bill still needs to be reconciled with a House version and signed by the President.
White House Releases Online Privacy Framework
The White House released its long-anticipated blueprint for online privacy, in the form of a 52-page document entitled “Consumer Data Privacy in a Networked World: a Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.” The Administration’s framework consists of four key elements: (1) a Consumer Privacy Bill of Rights based upon seven globally recognized privacy principles: individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability; (2) a multi-stakeholder process to specify how the privacy principles apply in particular business contexts, in the form of voluntary but enforceable codes of conduct; (3) effective enforcement of privacy commitments by the FTC, using both its current authority and additional authority to be requested from Congress; and (4) a commitment to increase interoperability with the privacy frameworks of international partners, through mutual recognition and enforcement cooperation. The Department of Commerce is tasked with implementing this framework.
HR Data Breaches Drop Off in February
Only three breaches of HR data were reported in February: Coca-Cola Company Family Federal Credit Union (13,800 members of the Atlanta area credit union impacted by the theft of two laptops containing their names, SSNs, and in some cases, credit card numbers); Los Angeles County Police Canine Association (private information of over 100 police officers and sheriff’s deputies hacked from the association’s website and posted publicly); and Central Connecticut State University (personal data of over 18,000 former and current employees exposed through the infection of the university’s business office by a “Z-Bot” virus).
Ghanaian Parliament Passes Data Protection Bill
After reports last July that the Data Protection Bill had been withdrawn from Ghana’s Parliament for adjustments, the bill was re-introduced and passed by Parliament on February 10. The Act, said to be awaiting presidential assent to become fully operational, is modeled upon European precedents and will set out the rights and responsibilities of data controllers, data processors and data subjects in relation to personal data, under the supervisory authority of a Data Protection Commission. Ghana swore in a new President, John Atta Mills, a 64-year-old law professor, on January 8.
China Adopts Internet Regulations
China’s Ministry of Industry and Information Technology has promulgated regulations governing the collection, storage and use of personal information by parties providing information services over the Internet. The regulations cover not only entities known in the West as Internet Service Providers, but also Chinese companies whose principal business is online as well as Chinese companies with more limited online activities. The new rules, Several Regulations on Standardizing Market Order for Internet Information Service, adopt the European definition of personal information; require user consent for collection and disclosure; impose obligations to secure data and take immediate remedial measures in case of breaches; require expressly informing users of the method, content and purpose of collection and limiting use to that purpose; and make violators subject to sanctions that include rectification orders, warnings and modest financial penalties. The regulations come into effect on March 15, 2012.
Spanish Supreme Court Upholds Dismissal for Personal Use of Computer
The Spanish Supreme Court ruled that the dismissal of an employee for using her work computer for personal purposes was lawful, given the fact that her employer, Lingerie de Nuit, had made it clear through a written policy that such use was prohibited. The court found that the employee could not have had any reasonable expectation of privacy in respect of her use of the company’s IT systems to chat and shop on the Internet. Most cases of this type in Spain have gone the other way in the absence of firm policies prohibiting personal use, even where employees have been accessing pornography or watching TV during business hours.
European Commission Releases Draft General Data Protection Regulation
After pushback from several of its own directorates prompted some modifications, the European Commission released a 119-page draft General Data Protection Regulation that would usher in a new era in privacy protection in Europe. Key proposals from the perspective of multi-national employers include: (a) assignment of a lead data protection agency (a “one-stop shop”) based upon where a company’s European headquarters is located, since there will be only one data protection law to comply with across the EU; (b) a requirement that any company with more than 250 employees appoint an internal data protection officer; (c) elimination of requirements to register with local DPAs; (d) data breach reporting within 24 hours of discovery, if feasible; and (e) fines of up to 2% of a company’s global annual turnover for the most serious violations. The Commission also issued a full-blown press kit and mini-website explaining and supporting its proposals.
Security Policy Requirement Likely to be Dropped in Italy
The Italian government adopted an interim decree that would repeal Section 23 of the Data Protection Code requiring data controllers to keep and maintain a security policy document for processing carried out by electronic means. The Italian Parliament is expected to confirm the decree shortly; otherwise it will expire with no further effect. Drafting and annual updating of the security document has often been cited as one of the worst bureaucratic requirements in European data protection, although written information security plans appear to be increasingly popular with U.S. regulators.
Ontario Court of Appeal Recognizes Privacy Tort
The case of Jones v. Tsige, in which a bank employee admitted to snooping into a customer’s private financial affairs, has led the Ontario Court of Appeal to recognize a common law tort for invasion of privacy in circumstances described as “intrusion upon seclusion.” The elements of the tort of intrusion upon seclusion cited in the judge’s ruling are (1) intentional or reckless conduct on the part of the defendant; (2) an invasion of the plaintiff’s private affairs without lawful justification; and (3) an invasion that a reasonable person would regard as highly offensive and that causes the plaintiff distress, humiliation or anguish. Plaintiffs need not prove any financial loss because of the defendant’s actions. Successful plaintiffs are entitled to “moral” damages, and Judge Robert Sharpe fixed the upper end of the range for such awards at $20,000. According to Lisa Stam, a Canadian employment lawyer, employees can now take their claims of invasion of privacy directly to court, suing another employee or their employer over a privacy issue.
Third Parties Take the Lead in January HR Data Breaches
Missteps by third parties haunted employers in January, accounting for four of the eight breaches of employee data reported during the month: Regions Financial Corp. (an undisclosed number of the company’s 27,000 employees impacted when a flash drive containing their data was lost after being mailed by outside auditor Ernst & Young in the same envelope as the drive’s decryption code); Sequoia Hospital, CA (names and SSNs of 381 employees accidentally posted on a public website by an employee of Towers Watson); State of Connecticut (SSNs of about 100 state employees exposed when Wells Fargo/Wachovia Bank sent customers copies of a subpoena for access to multiple bank records it received from the state’s Dept. of Social Services); and Employ Bridge (thousands of records from the Atlanta-based staffing service placed in a dumpster by a landlord who thought the lease had expired at one of the firm’s branch offices). Other breaches during the month were reported by the Spotsylvania VA School System (electronic tax information for 4,289 employees inadvertently exposed on an internal website); the Veterans Affairs Department (4,000 living veterans jeopardized when their names and SSNs were unintentionally released with data about deceased veterans to Ancestry.com); and the California Statewide Law Enforcement Association and the New York State Association of Chiefs of Police (personal information of members of both law enforcement groups intentionally exposed online by AntiSec hackers).
Pepsi Settles Dispute over Criminal Background Checks for $3.13 Million
According to a report in SHRM’s HR Week, Pepsi reached a settlement with the EEOC over charges of violating Title VII. Under the settlement, Pepsi will revise its overly broad criminal background check policy, provide training to hiring managers and pay $3.13 million. The EEOC investigation found that more than 300 black applicants were excluded by Pepsi’s policy, which denied employment to those arrested or convicted of minor offenses. In addition to the monetary relief for the applicants, Pepsi will offer employment to victims of the former policy who are qualified to work and will supply the EEOC with regular reports on its hiring practices under its new policy.