Wednesday, December 22, 2010

Hacked Sightseeing Company may be first Major Test of Massachusetts Data Privacy Law

Threatpost, Kaspersky Lab's security news blog, reported today that a New York-based tour company whose web site was hacked, exposing customer credit card information, may be the first real test of Massachusetts' stringent new data privacy laws. See the full article here.

The Massachusetts law, which went into effect on March 1, 2010, is particularly aggressive as it covers the treatment of sensitive data of Massachusetts citizens by individuals and companies outside of Massachusetts.

This case is likely to be instructive of the dangers faced by companies which handle and/or retain sensitive data, and points up the need to have comprehensive policies and procedures to deal with data handling and, in worst case scenarios, data breaches.

Unfortunately, the Massachusetts data privacy law makes it clear that these policies and procedures must be compliant not only with local laws, but also with the laws of other jurisdictions such as Massachusetts which extend the reach of their privacy laws beyond their own borders.

All of this begs the question: Are your company's data policies and procedures up to date and sufficient to protect your company? If not, or if you are not sure, the time to remedy this is now!

Wednesday, March 17, 2010

Interesting Article on Data Retention in the Medical Industry

I follow a number of blogs and other online publications dealing with business, technology, and data privacy issues. I recently came across an interesting article on data retention practices on a blog called "Life as a Healthcare CIO". The article discusses a number of the issues that businesses (both within and outside the medical industry) who deal with sensitive data struggle with. Here is a link to the article:

http://geekdoctor.blogspot.com/2010/03/purging-files.html

This article gives a good sense of the importance of having well thought-out policies and procedures for data handling and retention, both from a purely technological standpoint and from a legal and risk-management standpoint.

Hopefully it will stir your thoughts on these issues.

Thursday, March 11, 2010

Give your company’s employment policies a “self-check”

As I am fond of repeating, “An ounce of prevention is worth a pound of cure.” Maintaining and following good, current employment policies and procedures is one of many things that businesses can and should do on an ongoing basis to reduce the likelihood that they will be sucked into the quagmire of disputes (or worse, lawsuits) with their employees. As part of a good legal and risk-management regime, it is a good idea for companies to perform a periodic “self-check” on their policies and procedures. (Note that such a “self-check” is not a substitute for getting regular advice from a qualified attorney, but it is a helpful adjunct, and well worth a company’s time and effort.)

Identified below are a few areas which companies should think about when performing a self-check and in discussing with their attorney what sort of policies and procedures make the most sense for them: 

1. Review the company’s classification of employees as exempt from overtime under federal and state wage and hour laws. Lawsuits and investigations based on improper classifications of employees can result in significant awards against employers. For a quick overview of proper classification standards, go to the U.S. Department of Labor’s Fairpay website at www.dol.gov. If your classifications are not in compliance, it is important to fix them promptly.

2. Review the company’s harassment policy with employees. Incorporate a review of the company’s discriminatory workplace harassment policy in the first employee meeting of the new year. Reviewing the harassment policy periodically with employees reminds employees what behavior is not tolerated, shows that the company takes harassment issues seriously, and can bolster the employer’s defenses to most harassment claims. Be sure to include nonharassment on the basis of genetic information under the Genetic Information Nondiscrimination Act (see below).

3. GINA compliance. The Genetic Information Nondiscrimination Act of 2008 (GINA) restricts the collection and use of genetic information by group health plans, insurers, employers and labor organizations. Title II of GINA, which applies to employers and labor organizations, went into effect on November 21, 2009. Title I of GINA, covering group health plans, is effective for plan years beginning on or after December 7, 2009. Genetic information includes, but is not limited to, family medical history and genetic diseases for which an employee believes he or she might be at risk. The restrictions in GINA can affect how employers run wellness programs, including prohibiting incentives, such as premium discounts, rebates, or other rewards, for employees who complete a Health Risk Assessment for the wellness program. In addition, employers may not discriminate against employees or applicants on the basis of genetic information or retaliate against individuals who oppose practices made unlawful by GINA. Employers should update their Equal Employment Opportunity and harassment policies to cover genetic information, revise hiring and medical examination practices to ensure that they do not request prohibited genetic information, ensure that their record keeping practices protect the confidentiality of any genetic information that may be provided by an employee, and post the supplement to the “Equal Employment Opportunity is the Law” poster. The supplement for the poster can be found at http://www.eeoc.gov/employers/upload/eeoc_gina_supplement.pdf.

4. FMLA compliance. If your company has 50 or more employees, make sure that you post the FMLA poster that the US Department of Labor issued in 2009. Update your FMLA forms and policies, if you have not done so already. The DOL prototype poster can be found at http://www.dol.gov/whd/regs/compliance/posters/fmla.htm (Check out whether you are in compliance with other federal posting requirements by using the DOL compliance advisor at http://www.dol.gov/elaws/posters.htm).

5. Review and revise your company’s written vacation policy. Review your company’s written vacation policy to ensure that the policy provides proper notice of forfeiture, carryover, and accrual of vacation consistent with company practice, or to make any desired changes before employees accrue vacation in the new year. In most states, employers are required to provide vacation benefits according to their policies. This means that if a policy provides that employees are awarded vacation hours at the beginning of the new year but does not state that employees forfeit accrued vacation on termination, the employee can quit on January 2, 2010 and be entitled to pay for his accrued unused vacation. Note that specific rules apply in some states (such as California) prohibiting forfeiture of any accrued vacation, even with notice.

6. Update your company confidentiality agreement and have employees who have access to company confidential information sign a copy. A strong nondisclosure and confidentiality agreement is a key way to protect your company’s proprietary information against any employees who attempt to depart with important company records. The economic upheaval of the past few years has made competition stiffer and has made employees facing termination more willing to take risks in order to obtain employment elsewhere. As a result, there has been a corresponding surge in employees taking their employer’s confidential, proprietary, and trade secret information to use in new employment. The laws on what a confidentiality agreement can and cannot contain vary from state to state. For this reason, it is important to check the applicable law in the states where you have employees. It is also helpful to review your confidentiality agreements and policies to ensure they do not prohibit employees from discussing their wages or terms and conditions of employment with their fellow employees. Although employers can prohibit disclosure of confidential pay strategies and plans to outsiders, a prohibition on employees discussing terms and conditions of employment may be viewed by the National Labor Relations Board as an interference with concerted activity and a violation of the labor laws, even if your company is not unionized.

7. Institute other processes and protections for confidential information and trade secrets. Implement policies requiring storage of any hard copies of sensitive documents in locked cabinets. Password protect electronic copies. Consider implementing clean desk rules and prohibiting or limiting removal of confidential records from the office. Restrict access to sensitive documents to those employees who need to know the information to do their jobs. These steps do not replace the benefits of having a good confidentiality agreement with employees. Rather, they enhance protections against employee misappropriation and may be essential in maintaining legal protection of trade secrets. These steps also dovetail with companies’ efforts to comply with state and federal data privacy and protection laws.

8. Data Privacy and Protection compliance. Data privacy and protection laws are quickly coming into being at both the state and federal levels. It is important that businesses understand what laws and regulations may apply to them and the data they collect and retain. Good, detailed data privacy and data protection policies and procedures which discuss the collection, retention, safeguarding, and destruction of sensitive information, including but not limited to customer information, credit card numbers, social security numbers, employee healthcare information, etc., are increasingly essential. It is important not only to have such policies but to make employees aware of them and to monitor compliance. Consider reviewing these policies and procedures with employees annually, and conducting regular, periodic internal check-ups to ensure compliance.

9. Update your technology resources policy. Increasingly, employees are downloading, transferring, destroying, or emailing to their home computers and portable storage devices confidential or sensitive company information. The federal Computer Fraud and Abuse Act (and similar laws in some states) prohibit such conduct when it is unauthorized. A good technology resources policy (covering computer, internet, telephone, and email systems use) can help employers succeed on CFAA claims by clearly defining what actions by an employee are unauthorized. A well-worded policy can give employers a powerful investigation tool by making clear that employees do not have a right to privacy in their use of these resources and by requiring employee consent to employer searches of employee computers and other devices. It is important to note, however, that the law on workplace privacy and employers’ ability to monitor their employees’ use of company technology resources is constantly evolving. A periodic review of these types of policies by a qualified and experienced lawyer is essential. There has also been an increase in employees harming their employers’ reputation — and even disclosing trade secrets — through postings on blogs, social networking websites, and video sharing websites. A good technology resources policy can address what sorts of uses of such social media outlets are proper and provide a basis for discipline if improper use does occur. It can also help a company harness the power of its employees’ use of social media to benefit the company, if properly implemented. If your company does not already have a technology resources policy, implement one sooner rather than later.

10. Make sure your health care plan provides required notices to employees regarding Michelle’s Law. Michelle’s Law, effective for new plan years effective October 9, 2009 and after, amends ERISA to allow dependent college students who are seriously ill or injured to take up to a year of medical leave without losing their health insurance coverage. Group health plans must receive written certification by the student’s treating physician stating the child is suffering from a serious illness or injury and that the leave, or change of enrollment, is medically necessary. A student on leave is entitled to the same benefits that he or she would have received if the leave had not been taken. The extended coverage may end earlier if the student ages out of dependent eligibility by exceeding the plan’s normal dependent eligibility age. Plans must provide notice of the Michelle’s Law requirements with any notice requiring certification of student status for coverage under the plan.

11. Conduct an internal I-9 audit. Ensure that your company has verified work authorization for every employee hired on or after November 6, 1986 and that the company has filled out and kept a Form I-9 for each such employee. In November 2009, U.S. Immigration and Customs Enforcement (“ICE”) announced that it was issuing more than a thousand new I-9 audits of U.S. employers. Don’t wait until you receive a notice that you are being audited by ICE to find out if you have a problem.

Keep in mind that even the best policies and procedures need to be reviewed and updated regularly, as employment law is constantly evolving, laws and regulations are being amended, and new laws and regulations are coming into existence. For example, final EEOC regulations on the Americans with Disabilities Act Amendments Act (the ADAAA) are expected sometime in 2010 and will likely further broaden the employees and applicants who will be covered by the protections of the ADAAA. Employers need to carefully assess an employee’s or applicant’s condition before refusing to offer or provide a reasonable accommodation.

It is important to understand that this list is by no means intended to be an exhaustive list of issues for employers to consider in implementing and maintaining good employment policies and procedures. Rather, these are just a few of the key areas that often present serious problems for employers when they either fail to create or fail to implement appropriate policies.

While keeping up with good employment policies and procedures can seem cumbersome, remember that the cost (both in real dollars and in opportunity cost) of even a single dispute arising out of employment law issues can dwarf the costs of implementing and updating good policies. As always, an ounce of prevention is worth a pound of cure.

Wednesday, March 10, 2010

Study Shows: Data Breach Costs Exceed $200 Per Customer Record

A recent article in NetworkWorld (link: http://www.networkworld.com/news/2010/012510-data-breach-costs.html) discusses a new study which has revealed that the average cost to a company suffering from a data breach in 2009 has risen to approximately $204 for each customer record compromised.

Placing such concrete numbers on the costs associated with data breaches underscores the potentially devastating effects of a data breach on a company and highlights the cost-effectiveness of solid data protection, privacy protection, and data security policies and procedures.