The National Institute of Standards and Technology (NIST), working in collaboration with private and public stakeholders, has issued a preliminary draft of its voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework). This document strives to drive better privacy engineering and aid organizations in the protection of individuals’ privacy. Among its goals, the Privacy Framework seeks to build customer-trust through product and service design or deployment that optimizes beneficial uses of data. It also seeks to build organizational communication channels about privacy practices with customers, assessors, and regulators. NIST provides the Privacy Framework to assist organizations by building “better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.”
The Privacy Framework applies to organizations of all sizes and is “agnostic to any particular technology, sector, law, or jurisdiction.” Through its recommended protocols, diverse sectors of an organization’s workforce—executives, legal, and IT—will be responsible for different outcomes and activities. Cross-organization collaboration is essential to the identification of privacy protections and cybersecurity risks. The Privacy Framework focuses on all organizations and entities regardless of their role in “the data processing ecosystem—the complex and interconnected relationships among entities involved in creating or deploying systems, products, or services.”
The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers, each of which reinforces privacy risk management by connecting business/mission drivers with privacy protection activities. The Core delineates best practices for communicating prioritized privacy protection activities and outcomes across all sectors of an organization, from the C-suite to the implementation and operation levels. The Profiles direct organizations to identify the business and mission drivers in their data processing and privacy protections. Profiles can enable continual privacy enhancement by evolving current practices into targeted best practices. The Implementation Tiers provide a point of reference on how an organization views privacy risks and how it approaches agile management of such risks.
All organizations should take the time to read and evaluate the recommendations of the Privacy Framework. NIST will accept public comments on the preliminary draft through October 24.
On March 8, 2019, JAMA published a study analyzing the effects of simulated phishing emails at U.S. health care organizations. Concluding that the click rates for the simulated phishing emails present a big cybersecurity risk for health care organizations, the study provides helpful insight into how to prepare an organization’s workforce to detect harmful emails.
Phishing emails are deceptive communications intended to trick recipients into disclosing their security credentials or otherwise sharing sensitive information. Oftentimes, a sender’s identity is spoofed, tricking the recipient into thinking that the email originated from within their organization or that it was sent by a colleague or superior. Hospitals and other health care organizations are attractive targets of cyberattacks, as they have high-value personal and health data.
The study analyzed six health care organizations across the United States that ran simulated phishing campaigns between August 1, 2011 and April 10, 2018. The phishing emails fell into three categories: office-related, personal, and information technology-related. The emails were sent to employees in all types of roles. In total, approximately 2.9 million simulated phishing emails were sent, and recipients clicked on approximately 422,000 of them (approximately 14%). This means that the employees from the studied health care organizations clicked on an average of almost one in seven of the simulated phishing emails.
The study showed that the median click rates were higher for the information technology-related simulated phishing emails (18.6%) than the office-related emails (12.2%).
The study noted that repeated phishing simulations decreased the odds of an individual clicking on a simulated phishing email, which highlights the importance of the phishing simulation process and other forms of personnel training on these types of attacks.
As hospitals and other health care organizations face financial and care-related consequences from cyberattacks, this study emphasizes the need for health care organizations to train their workforces on cybersecurity best practices, including through simulated phishing emails. As the study noted, it only takes one successful phishing incident to paralyze a system that is critical to the patient care provided by a health care organization. The study cited several elements that may make a health care organization more vulnerable to a cyberattack, including a continuous stream of new employees, the use of a large number of information technology systems, and devices and systems that are highly interdependent. It also discussed other techniques that health care facilities can use to prevent or limit personnel from clicking on phishing emails, including using technology to filter suspicious emails and to mark emails that were sent by a person outside of the organization.
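The external-sender marking the study recommends is a mail-gateway control, and the spoofing pattern described above (a display name that looks like a colleague while the actual address is outside the organization) is exactly the case it needs to handle. The following is an added illustration written for this summary, not code from the study or from any product it mentions; the internal domain list, the `[EXTERNAL]` subject tag, the `X-Sender-Origin` header name and the three sample messages are all assumptions constructed for the example. It classifies a message by the addr-spec of its From: header only, tags the subject once, and separately flags external mail whose display name impersonates an internal address.

```python
# Added example (not from the article or the JAMA study): tagging inbound mail
# that originates outside the organization and flagging display-name spoofing.
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own sending domains (constructed value).
INTERNAL_DOMAINS = {"example-hospital.org"}
EXTERNAL_TAG = "[EXTERNAL]"
ORIGIN_HEADER = "X-Sender-Origin"  # hypothetical header a mail client could render as a banner


def sender_domain(from_header):
    """Return the lowercase domain of the addr-spec in a From: header, or '' if none."""
    _name, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    """A message is external when its From: addr-spec is not one of our domains.
    Only the addr-spec is used; the display name is free text chosen by the sender."""
    return sender_domain(msg.get("From")) not in internal_domains


def display_name_impersonates_internal(msg, internal_domains=INTERNAL_DOMAINS):
    """Flag an external message whose display name contains one of our domains,
    e.g. From: "payroll@example-hospital.org" <payroll@mail-evil.test>."""
    name, _addr = parseaddr(msg.get("From") or "")
    lowered = name.lower()
    return is_external(msg, internal_domains) and any(d in lowered for d in internal_domains)


def tag_external(msg, internal_domains=INTERNAL_DOMAINS):
    """Prefix the Subject with EXTERNAL_TAG (only once, so re-processing is safe)
    and record the verdict in ORIGIN_HEADER when the sender is external."""
    if not is_external(msg, internal_domains):
        return msg
    subject = msg.get("Subject") or ""
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    del msg[ORIGIN_HEADER]
    msg[ORIGIN_HEADER] = "external"
    return msg


# Constructed sample messages: one internal, one spoofed display name, one plain external.
SAMPLE_MESSAGES = [
    "From: Payroll <payroll@example-hospital.org>\nSubject: Q3 timesheets\n\nPlease review.\n",
    'From: "payroll@example-hospital.org" <payroll@mail-evil.test>\nSubject: Password reset required\n\nClick here.\n',
    "From: vendor@supplier.test\nSubject: Invoice 1182\n\nAttached.\n",
]


def triage(raw_messages):
    """Parse, tag and classify each raw message; returns (subject, external, impersonation)."""
    results = []
    for raw in raw_messages:
        msg = tag_external(message_from_string(raw))
        results.append((msg["Subject"], is_external(msg), display_name_impersonates_internal(msg)))
    return results


if __name__ == "__main__":
    for subject, external, impersonation in triage(SAMPLE_MESSAGES):
        print(f"{subject!r:45} external={external} impersonation={impersonation}")
```

The check deliberately ignores the display name when deciding whether mail is external, because that field is the part a spoofed message controls; the display name is consulted only to raise a second, higher-severity flag. A real gateway would additionally verify SPF/DKIM/DMARC results before trusting that an internal-domain addr-spec is genuine.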
Copyright © 2019, American Health Lawyers Association, Washington, DC. Reprint permission granted.
The United States Court of Appeals for the Third Circuit has upheld a preliminary injunction that Scherer Design Group, LLC (SDG), an engineering firm, obtained against four former employees, stopping them from contacting SDG’s clients and destroying information taken from SDG. The defendants asserted that SDG surreptitiously monitored one of the former employees’ Facebook activity after he left SDG and claimed that the company’s “unclean hands” barred it from obtaining equitable relief. The Third Circuit ruled that the federal trial court acted within its discretion in declining to apply the unclean hands doctrine against the defendants’ former employer. Scherer Design Group, LLC v. Ahead Engineering LLC, et al., No. 18-2835 (3rd Cir. Feb. 25, 2019).
One of the defendants, Chad Schwartz, left SDG after a dispute over whether he was promised an equity partnership in the engineering firm. Before resigning, Schwartz declined to sign a noncompete agreement. After resigning, Schwartz started two competing engineering firms and recruited SDG employees to join his new firms. Three SDG employees discussed Schwartz’s new venture with him using, in part, Facebook, and transmitted SDG documents and information to Schwartz’s firms. The three employees eventually resigned from SDG to work with Schwartz.
After the mass loss of employees and a key customer account, SDG’s network administrator examined the former employees’ SDG computers. One of those former employees, Daniel Hernandez, testified that while working at SDG, he accessed his Facebook account from his SDG laptop and “would log off sometimes and leave it open sometimes,” but that on the day he resigned from SDG he closed out of Facebook by clearing the history on the internet browsers on his SDG laptop. SDG’s network administrator (1) reviewed Hernandez’s browser history using software that allowed him to access deleted activity, (2) asserted that he was able to access Hernandez’s Facebook account without a password because Hernandez had not cleared it from the laptop, and (3) installed software that allowed him to monitor Hernandez’s Facebook activity without detection. For several weeks after the exit of the employees, the administrator accessed Hernandez’s Facebook account “very often” from Hernandez’s laptop and uncovered messages that revealed the defendants’ plans and actions taken to secure SDG’s client information and other intellectual property.
In litigation, the parties disputed how SDG gained access to Hernandez’s Facebook account, and the defendant employees opposed any injunctive relief against them by contending that their former employer’s secret monitoring left it with “unclean hands,” thus precluding its request for injunctive relief. The “unclean hands” doctrine is not an automatic or absolute bar to injunctive relief, but rather one factor to apply in the equitable analysis. A party seeking to invoke the doctrine must show: (1) the party seeking equitable relief committed an unconscionable act; and (2) the act is related to the claim upon which equitable relief is sought.
In affirming an injunction in favor of SDG, the Third Circuit cited three grounds. First, SDG did not dirty its hands to “acquire the rights” that it asserts in the complaint. SDG did not monitor Hernandez’s Facebook account so it could obtain a right it did not otherwise have. Defendants owed a duty of loyalty to SDG well before the Facebook monitoring occurred. Second, while SDG obtained proof of its duty of loyalty claim from its monitoring and benefitted from its activity, it had a right to defendants’ loyalty and could prove their breach without relying on the surreptitiously obtained Facebook messages, as SDG was able to corroborate all of the messages among the defendants. SDG’s monitoring of the Facebook messages was not related to whether the defendants earlier stole SDG’s property. Third, SDG’s alleged privacy violation and defendants’ alleged breach of duty of loyalty are causes of action subject to distinct bodies of law and with separate remedies. In sum, because relatedness is a critical element of the unclean hands doctrine and SDG’s allegedly unclean hands are not directly related to the defendants’ breaches of their duty of loyalty, the Third Circuit ruled that the trial court did not abuse its discretion in declining to apply the unclean hands doctrine to prevent SDG from obtaining injunctive relief.
A dissenting opinion disagreed with the majority’s analysis, citing to the requirements of New Jersey privacy law. The dissent concluded that SDG’s activities were tortious based upon New Jersey case law regarding employer monitoring of personal e-mails from work accounts and the standards for invasion of privacy claims.
The ruling presents a common occurrence in business dealings, especially where there are no noncompete or nonsolicitation agreements in place applying to employee departures. Before engaging in similar monitoring as SDG’s actions, a company should carefully consult with counsel to evaluate the extent to which company policies and controlling jurisdictional law will permit the review and monitoring of social media and private e-mail accounts, particularly as to former employees.
In an effort to prevent the perpetuation of the gender wage gap, Westchester County, New York, joins the City of New York and Albany County as the latest Empire State municipality to make it an unlawful discriminatory practice for an employer to ask an applicant about his or her wage history or to take such information into account when setting initial compensation, unless voluntarily disclosed by the applicant to negotiate higher pay. Passed by the Westchester County Board of Legislators on April 9, 2018, and signed into law by the Westchester County Executive the day after, the law becomes effective July 9, 2018.
Known as the Wage History Non-Discrimination Law, the new legislation amends the Westchester County Human Rights Law, which applies to employers with four or more employees. The law makes it an unlawful discriminatory practice for an employer, labor organization, employment agency or licensing agency—or their employees or agents—to:
rely on the wage history of a prospective employee from any current or former employer of the individual in determining the wages for such individual. The employer may rely on prior salary history when it is voluntarily provided by the prospective employee to support a wage higher than the wage offer by the employer;
orally, or in writing, request or require as a condition of being interviewed or as a condition of continuing to be considered for an offer of employment, or as a condition of employment, that a prospective employee disclose information about the employee’s own wages from any current or former employer;
orally, or in writing, seek from any current or former employer the previous wages of any prospective employee. The employer may, however, seek prior wage information only after an offer of employment has been made to the prospective employee and the employee responds to the offer by providing prior wage information to support a wage higher than offered by the employer. The employer may seek prior wage information only after obtaining written authorization from the prospective employee to do so; and
refuse to hire or otherwise retaliate against an employee or prospective employee based upon prior wage or salary history or for opposing an act or practice prohibited by the law.
Unlike other similar laws, the legislation explicitly provides that it will become null and void in the event that New York State enacts the same or similar provisions or in the event that a New York or federal administrative agency promulgates regulations pre-empting such action by the Westchester County legislature. This provision appears to recognize that Governor Andrew Cuomo recently endorsed similar legislation that is currently pending before the New York State legislature.
Westchester County employers should be aware of the foregoing prohibitions and obligations and review their employment applications and hiring policies and procedures to ensure that they are not seeking prohibited wage history information during the hiring process. In addition to reviewing and revising their hiring procedures and policies, employers should also train their managers to ensure that they are aware of the requirements of this new law to ensure compliance.
This coming June will be a busy month for employers in the State of Washington. The impending activity is due to Governor Jay Inslee’s recent signature of a series of bills that directly impact the employer-employee relationship and impose novel restrictions and obligations on employers. All of these newly-minted laws become effective on June 7, 2018.
For example, Washington has joined the ever-growing list of states that have enacted “ban-the-box” legislation, which imposes certain restrictions on employers regarding inquiries into a job applicant’s criminal history. The Washington Fair Chance Act (“WFCA”) prohibits employers from posting any job advertisement that “excludes people with criminal records from applying.” The WFCA also prohibits an employer from making any oral or written inquiries about a job applicant’s criminal history until after it determines that the applicant is “otherwise qualified” for the position. In other words, only after an employer determines that an applicant is “otherwise qualified” may it conduct a criminal background check. Along those same lines, the WFCA prohibits employers from enacting policies that categorically exclude applicants with criminal records from seeking employment before an initial determination that the applicant is “otherwise qualified.” An applicant is “otherwise qualified” under the WFCA if – without considering criminal record – the applicant meets the “basic criteria” for the job as set forth in the job advertisement or job description.
However, the overhaul of Washington’s employment laws does not stop there. Governor Inslee also signed three bills into law that address sexual harassment in the workplace.
· Senate Bill 5996: Employers cannot “require an employee, as a condition of employment, to sign a nondisclosure agreement, waiver, or other document that prevents the employee from disclosing sexual harassment or sexual assault occurring in the workplace, at work-related events coordinated by or through the employer, or between employees, or between an employer and an employee, off the employment premises.” This new law, however, does not apply to settlement agreements that contain confidentiality provisions. Rather, it only prohibits nondisclosure agreements that an employee is required to sign as a “condition of employment.”
· Senate Bill 6313: An employment contract is void and unenforceable if it contains a waiver of the employee’s right to “publicly pursue” claims under federal or state anti-discrimination laws in a lawsuit or by filing a complaint with the appropriate state or federal agency. This law also renders unenforceable any employment agreement that requires an employee to “resolve claims of discrimination in a dispute resolution process that is confidential.”
· Senate Bill 6471: The Washington Human Rights Commission is required to assemble a “work group” tasked with creating model policies to address sexual harassment and other discriminatory practices in the workplace. The “work group” is to consist of various individuals, such as representatives from the business community, human resources professionals, representatives from groups advocating for survivors of sexual harassment, and others.
This bevy of new legislation serves as yet another reminder to employers that, in many states, legislatures are trending towards passing laws that favor the privacy interests of employees. Particularly in the #MeToo era, state and local legislatures are becoming more aggressive in passing laws that hinder an employer’s effort to keep allegations of sexual harassment confidential or to confidentially resolve discrimination and/or harassment cases. In light of this, employers across the country should carefully watch pending legislation in their jurisdictions so they are ready to adapt their policies and practices to the demands of these new laws.
The National Football League (“NFL”) recently made headlines when Louisiana State University running back Derrius Guice announced that he had been asked by an NFL team representative at the scouting combine if he “likes men.” This is not the first time the NFL has come under scrutiny for asking improper questions during the recruitment process. In 2013, three draft prospects were also asked about their sexual orientation at the scouting combine, which led to an internal investigation. This recent incident reinforces the ongoing discussion amongst employers as to what questions can be legally asked by an employer about an applicant’s sexual orientation during a job interview.
Despite several recent developments protecting lesbian, gay, bisexual and transgender (“LGBT”) rights, there is still a lack of conformity in the law across the country. Currently only 22 states have anti-discrimination laws that prohibit sexual orientation discrimination in public and private employment. While Title VII of the Civil Rights Act of 1964 (“Title VII”) protects employees in all states working for employers with 15 or more employees from discrimination based on their sex, the plain language of the law does not specifically prohibit discrimination based on sexual orientation. In connection with its enforcement efforts, the Equal Employment Opportunity Commission has taken the position that Title VII prohibits discrimination based on sexual orientation. The federal appeals courts addressing the issue, however, have been divided.
Last month, the United States Court of Appeals for the Second Circuit, the federal appeals court covering New York, Connecticut and Vermont, broke from its own standing precedent on this issue. In Zarda v. Altitude Express, Inc., 883 F.3d 100 (2d Cir. 2018), the Second Circuit held that Title VII prohibits sexual orientation discrimination. The Zarda decision follows the Seventh Circuit’s landmark decision last year in Hively v. Ivy Tech Community College, 853 F.3d 339 (7th Cir. 2017), in which it became the first circuit court to expand Title VII’s sex discrimination provision to include sexual orientation discrimination. Given that the Eleventh Circuit has held to the contrary, the issue of whether Title VII prohibits sexual orientation discrimination appears primed to be decided by the United States Supreme Court in the near future.
As a general practice, employers should not ask applicants questions about their sexual orientation. Many states currently prohibit discrimination against employees based on their sexual orientation and it seems likely that the current trend will continue and Title VII will be interpreted to prohibit sexual orientation discrimination in the workplace for all employers with more than 15 employees. In asking an applicant about his or her sexual orientation, it would certainly appear that the employer may be using this potentially impermissible factor as part of its decision-making process.
In what has become a nationwide trend, many states and local jurisdictions have enacted legislation prohibiting employers from asking applicants about their prior salary history or considering such information when setting a new employee’s compensation. Effective January 1, 2018, California became the latest state to prohibit such inquiries and considerations.
As of the New Year, Labor Code section 432.3 prohibits private and government employers – as well as their agents – from seeking “salary history information” from applicants for employment. While “salary history information” is not specifically defined in the statute, the law does provide that it includes “compensation and benefits.” The law further prohibits an employer from relying on salary history information as a factor when determining whether to offer an applicant employment or setting initial compensation.
While employers are generally prohibited from asking for or considering salary history information, the law does provide one limited exception. The law does not prohibit applicants from “voluntarily and without prompting” disclosing their salary history information to employers. If an applicant does so, employers are allowed to consider prior salary information when determining the salary for the applicant. Employers, however, should be careful not to rely on the prior salary as the sole factor when determining an applicant’s starting salary because such conduct may violate California’s Fair Pay Act – which prohibits an employer from justifying a difference or disparity in pay among employees based on an applicant’s prior salary history alone.
One aspect of this law which is different than other similar legislation is that it places an affirmative burden on an employer to provide, if asked by the applicant upon “reasonable request”, a “pay scale” for the position sought by the applicant. Unfortunately, the law does not provide a definition of “pay scale” so, without further guidance, employers are left to guess as to what information need be disclosed to an applicant who makes such a request.
California employers should be aware of the foregoing prohibitions and obligations and review their employment applications and hiring policies and procedures to ensure that no prohibited information is sought during the application and interview process. Employers should also train their managers on this new law to ensure compliance. Finally, to the extent that an applicant seeks information on the position’s pay scale, employers should consult with California labor and employment counsel to ensure that the disclosed information is consistent with the new statute.
Numerous Illinois companies utilizing fingerprint-based timekeeping and point-of-sale systems are being sued for alleged violations of the state’s Biometric Information Privacy Act (BIPA). As technologies that rely on biometrics gain popularity for timekeeping and other commercial purposes, states are moving quickly to regulate the collection and use of biometric data. If the trend in Illinois is any indication, businesses can expect liability in other states if they do not implement fingerprint-based and other biometric technologies in compliance with these evolving state law obligations.
States are ramping up regulation of biometrics
For years, consumers and legislators have worried about the breadth and security of personal information being amassed by commercial entities. Although the patchwork of data breach notification statutes enacted in 48 states across the country has long been a staple of state privacy regulation, only nine states currently require businesses to notify individuals whose biometric information is accessed or stolen as a result of a breach, and even fewer states have laws akin to BIPA designed to inform and protect consumers before their fingerprints or retinal features or facial geometry fall into the wrong hands.
But winds appear to be changing. State legislators are paying more attention to the rights of individuals sharing biometric data with employers or commercial entities, and are leaning on BIPA’s framework to design bills concerning the collection, use and protection of this unique personal information. So far only three such laws are on the books—in Illinois, Texas and Washington—but Alaska, Michigan and New Hampshire have similar bills winding through their legislatures. Several other states are tackling related issues (e.g., regulating collection of biometric data by school districts). The bottom line is that a handful of states currently are keyed in to mitigating the risks attendant to biometric data collection, but as technologies evolve and biometrics are increasingly collected from consumers and employees, more states are certain to follow with legislation.
Common themes and a few key differences
Across this regulatory landscape, states are largely embracing BIPA’s requirements around notice, consent and destruction. In brief, a private non-governmental entity regulated by BIPA or a similar law will likely need to notify individuals before collecting their biometric data, obtain their affirmative consent for such collection and destroy the data within a defined period of time. Businesses might also need to publish a written policy about their handling of biometric data and may be subject to restrictions on their ability to disclose the data or to sell, lease or commercialize it for profit. A comprehensive review of BIPA’s requirements can be found here in a recent Nixon Peabody Employment Law Alert.
Despite many consistent features among enacted statutes and emerging bills, legislators are making choices about which types of activity will trigger biometrics-related laws, who will enforce these laws and how violations will be enforced. Where states come down on these issues is likely to play a significant role in shaping the risk profile for businesses in different jurisdictions.
On one end of the spectrum, BIPA applies broadly to private entities collecting biometric information in Illinois, provides for a private right of action and permits plaintiffs to seek liquidated damages ranging from $1,000–$5,000 or actual damages for each violation (as well as attorneys’ fees and litigation costs). The statute’s wide application and heavy fines no doubt have fueled the thirty-plus lawsuits alleging BIPA violations filed against Illinois businesses in recent months. In contrast, the Texas statute is triggered only when a person captures and stores biometric identifiers for a commercial purpose and violations can only be enforced by the state’s attorney general. Texas imposes a steep $25,000 potential penalty for each violation, but after more than eight years on the books, there appear to be few enforcement actions. It is worth noting that the pending bills in Alaska, Michigan and New Hampshire all resemble BIPA far more than they do the Texas statute.
Where to go from here
With so much regulatory activity focused on biometric data collection and use, businesses currently utilizing or contemplating use of these technologies should consider the following:
Investigate. Determine if your business is collecting biometric data or planning to leverage biometric technologies in the future.
Think about consent. Seeking informed and specific consent when collecting personal information is becoming a common theme in privacy schemes worldwide. Consider if and how your enterprise obtains consent from employees and customers and, if needed, button up your practices when gathering biometric data.
Only ask for what you need. Do not collect and store data without a business need and consider investing in technologies that minimize the scope and precision of biometric data required to function.
Purge, purge, purge. Ensure your record retention policies comply with applicable law and always delete biometric data (and other personal information for that matter) when there is no longer a business or legal need to retain it.
Be prepared. Have a plan in place to mitigate the effects of a potential breach involving biometric data your company has collected or stored, including protocols for reporting and notification to affected parties. Know the extent of your insurance coverage for breach events and for suits involving noncompliance with state laws in this area. If your coverage is insufficient, consider a comprehensive cyber insurance policy that covers acts and omissions regarding biometric data.
Investing time and resources now to manage biometric data collection will help your business mitigate legal, financial and reputational risks.
On November 8, the United States Court of Appeals for the Ninth Circuit affirmed a lower court’s order compelling Glassdoor, Inc. to comply with a grand jury subpoena and disclose information about certain users who posted anonymous reviews on Glassdoor’s website. Glassdoor argued that complying with the subpoena would violate its users’ First Amendment rights to associational privacy and anonymous speech. This is the latest ruling among recent court decisions addressing the issue of anonymous speech on the Internet. United States v. Glassdoor, Inc., No. 17-16221 (9th Cir. 11/8/17).
Glassdoor operates Glassdoor.com, a website where employers promote their companies to potential employees, and employees post reviews of what it is like to work at the companies. Employees rate the employers in a variety of categories and describe workplace environments, salaries and interviewing practices. The reviews are anonymous, but users must provide Glassdoor with their e-mail addresses, though the addresses do not appear on the site.
An Arizona federal grand jury is investigating a governmental contractor that administers two Department of Veterans Affairs health care programs. As of March 2017, current and former employees of the subject company had posted 125 reviews on Glassdoor.com, including criticisms of its management and business practices. The government served Glassdoor with a subpoena that ordered it to provide the grand jury with “Company Reviews” and associated “reviewer information.” Glassdoor notified the government that it believed that the scope of the request implicated First Amendment concerns, and the government agreed to limit the request to reviewer information associated with eight exemplar reviews. Glassdoor still objected and sought that a trial court quash the subpoena. The trial court denied Glassdoor’s motion to quash, holding that Glassdoor had not shown that the grand jury investigation was being conducted in bad faith. Glassdoor appealed to the Ninth Circuit.
On appeal, the Ninth Circuit rejected Glassdoor’s argument that its users’ First Amendment associational rights were violated. Glassdoor’s users are necessarily strangers to one another because they are anonymous. They do not “discuss” employment conditions, but rather independently post their individual views.
Applying Supreme Court precedent to determine whether the subpoena violated the First Amendment, the Ninth Circuit held that Glassdoor did not show that the grand jury investigation is being conducted in bad faith or that the government’s subpoena is intended to harass. There is a substantial connection between the subject matter of the investigation and the identifying information of the eight users whose Glassdoor posts allude to potentially fraudulent behavior. The court concluded that any incidental infringement on Glassdoor’s users’ First Amendment rights is “no more drastic than necessary to vindicate compelling interests.”
Over 30 employment class actions claiming violations of the Illinois Biometric Information Privacy Act have been filed in Illinois courts in recent months. Our latest Employment Law Alert addresses important developments relating to the Act and may be viewed here.