Top Ten Data Privacy Developments in Employment and Labor Law (United States)

Technology, compliance, and data privacy and security are among the most critical issues business leaders are grappling with globally. In most queries of top executives, these areas remain at the top of their lists in terms of significant challenges and risks for their organizations. In that space, we summarize some of the more specific areas of concern.

 

While no organization wants to experience a data breach, these events can become more costly and troubling when affected individuals are able to file a lawsuit as a result. Most of these types of suits were previously dismissed for lack of a concrete injury and standing.

 

However, recent decisions suggest that the door to litigation may not be as closed as it once was to data breach victims. This is particularly true as plaintiffs are able to demonstrate an "injury" in numerous ways. For instance, in 2015 the US Court of Appeals for the 7th Circuit held that the theft of consumers' financial information was enough to satisfy constitutional standing requirements even before an actual incident of identity theft or credit card fraud.

While it is unclear how the 7th Circuit's "substantial risk" analysis and the recent SCOTUS' decision in Spokeo, Inc. v. Robins (requiring an "actual injury" analysis) will be reconciled in court decisions going forward, employers who are faced with class actions which do not have clearly defined damages should be familiar with these decisions and the impact they may have on such suits.

 

Devices such as the FitBit, Microsoft's Hololens and Google Glass, together with more "traditional" devices and technologies that employees use (smartphones, GPS), will no doubt continue to substantially enhance employers' ability to manage their human capital. However, in many cases, employers may not even be aware of all of capabilities of these devices and how data is accessed, managed, disclosed and safeguarded. For example, the data a FitBit collects can have substantial benefits and help control healthcare costs, but using the device also raises new privacy and discrimination risks.

 

2016 has seen significant developments for data privacy and security on the international front, including the General Data Protection Regulation (GDPR) and the EU-US Privacy Shield.

 

GDPR. The GDPR, approved by the European Parliament in April 2016, establishes a single law across the EU and includes provisions on: a right to be forgotten, "clear and affirmative consent" to the processing of private data, a right to transfer your data to another service provider, the right to know when your data has been hacked, ensuring privacy policies are explained in clear and understandable language, and stronger enforcement and fines. The GDPR will be directly applicable in all member states in 2018.

 

EU-U.S Privacy Shield. The Privacy Shield establishes a new framework for transatlantic exchanges of personal data for commercial purposes and reflects the requirements set out by the European Court of Justice in an October 2015 ruling, which declared the old EU-US Safe Harbor framework invalid. Specifically, the Privacy Shield requires commitment to the following privacy principles: 1) Notice, 2) Choice, 3) Security, 4) Data Integrity and Purpose Limitation, 5) Access, 6) Accountability for Onward Transfer, and 7) Recourse, Enforcement and Liability. The Privacy Shield has faced heavy scrutiny, including from both the European Parliament and the Article 29 Work Party who have questioned the adequacy of its protections. This scrutiny raises serious doubts as to when, if at all, the thousands of companies who relied on the invalidated EU-US Safe Harbor will be able to rely on the EU-US Privacy Shield for their data transfer needs.

 

The Health Insurance Portability and Accountability Act ("HIPAA"), and specifically its privacy and security regulations, is one of those most significant and popular compliance challenges in the healthcare sector. What may not be apparent is how broadly the regulations extend. The rules reach not only covered entities (e.g., certain health care providers, health plans, health insurers), but also their business associates and the subcontractors of those business associates, thus creating a tangled web of large and small companies handling sensitive health information that need to comply with a complex set of regulations. These businesses can include administrators, law firms, accounting firms, IT companies, consulting companies, data storage/destruction companies, and other businesses that provide certain services to covered entities.

 

In the past, active enforcement by the Department of Health and Human Service (HHS) was minimal. More recently, however, its Office for Civil Rights (OCR) has started auditing compliance, and in early 2016 launched Phase 2 of its audit program. Companies are already receiving communications from OCR about participation in the program, an effort OCR promises will reach both covered entities and business associates.

 

A number of states require businesses to have "reasonable safeguards" to protect personal information, although many wonder exactly what constitutes "reasonable safeguards." While Massachusetts and Oregon have been more specific in their data security mandates, California is the first state to define its statute's requirement of "reasonable safeguards." Under California law, "A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." Importantly, this law applies to any organization, which maintains personal information about a California resident, regardless of where the organization may be located. In its Data Breach Report, the California's Attorney General's office specified an organization's failure to implement all 20 controls set forth in the Center for Internet Security's Critical Security Controls constitutes a lack of reasonable security. The 20 controls include, but are not limited to: inventories for hardware and software, secure configurations, administrative controls, vulnerability assessments, audit logs, monitoring, and incident response plans.

 

According to a recent survey by the ACC, "employee error" is the most common reason for a data breach. An example of the kind of employee error mentioned in the survey is "accidently sending an email with sensitive information to someone outside the company." Of course, there are other examples: lost devices, responding to phishing emails, and removing personal information in anticipation of litigation against the employer. With many more ways for employees to access and maintain data, employers must continually rethink strategies to protect against breaches. This is particularly true in industries where employees are likely to have access to greater amounts of personal information - healthcare, insurance, retail, professional services, etc. Employers need to understand the risks their workforces present beyond the IT department and consider carefully the roles employees play and the functions they carry out.

 

Recent reports about Facebook's "Trending" section and whether it is politically biased raises questions about the use of algorithmic tools and analytics. While there may be statistical validity to the results, might those results raise unintended consequences and risks to be considered? If Facebook's Trending section turns out to be biased politically, for example, could algorithms used in other contexts also have embedded biases, albeit unintentional ones? If algorithms were deployed in the area of HR, could conscious or unconscious bias undermine the employer's desired results and violate employment laws? Indeed, facially neutral policies or practices could effect a protected class and create a disparate impact, and there could be privacy concerns when using analytics. Employers and their data scientists will need to consider these issues carefully to ensure their enormously powerful and valuable analytics programs produce reliable results with minimal legal risk.

 

Third party service providers can present significant data risk to their customers. Vendors include service provides of all kinds that access, receive or process confidential and personal information on behalf of clients and their clients' customers and employees. Examples include: cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, shredding/data destruction services, cleaning companies and other businesses. In a number of states such as California, Massachusetts, Maryland and others, businesses using vendors that have access to personal information of residents of those states must, at a minimum, get written assurances from the vendors that they will safeguard the information. Clearly, vendor management should be part of an overall strategy to safeguard company and personal information. Importantly, while personal information typically is the focus of this risk due to breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

 

Many organizations have adopted policies allowing employees to utilize their own electronic devices in the workplace and are turning to Bring Your Own Device ("BYOD") programs. These programs allow employees to bring their personal devices to work and connect to employers' networks and systems in order to perform work. Other organizations are sticking with the more familiar Corporate Owned Personally Enabled ("COPE") programs. Under COPE, the employer purchases the device(s) and provides them to employees for work functions. Unfortunately, organizations typically adopt these types of programs or permit employees to bring their own devices without considering the numerous issues, which may be presented. By way of example, before deciding on BYOD or COPE, organizations should consider: business necessity, data security, discovery obligations in the event of litigation, wage and hour concerns, privacy issues associated with remotely wiping a device, and record retention.

 

2015 marked the eighth year in a row where the number of lawsuits filed under the Telephone Consumer Protection Act (TCPA) increased from the preceding year. Nearly one out of every four of those suits were filed as class actions. This number is expected to grow, especially in light of the recent SCOTUS decision (Gomez v. Campbell-Ewald) finding an unaccepted settlement offer or offer of judgment (a potential defense strategy to limit exposure and defeat class action claims) does not moot a plaintiff's case. Many of these suits are not just aimed at large companies. Instead, these suits are often focused on small businesses that may unknowingly violate the TCPA. With statutory damages ranging from $500 to $1500 per violation (e.g. per fax/text sent or call made), these suits often result in potential damages in the hundreds of thousands, if not millions, of dollars.

 

In the context of data privacy, employers must consider all of the factors described above when formulating and reviewing their policies and practices.