Category Archives: Privacy Rights
The Department of Health and Human Services (“HHS”) has issued additional requirements for covered entities that maintain protected health information or contract with a business associate for health plan-related services.
There are a number of technical changes made by the new guidance. The more significant changes are as follows:
- The extension of the privacy and security rules to vendors employed by business associates.
- Changes to the rule that make it more likely that notice of security breach will need to be provided to plan participants.
- Clarification as to the use of and disclosure of genetic information that will impact wellness programs.
- Agreements with business associates will need to be revised to reflect the obligations required by the new rules. A sample agreement issued by HHS is available for use.
- These new rules take effect on September 23, 2013, with the possibility that business associate agreements will not need to be revised until September 23, 2014.
Takeaways: Employers will need to review and, likely, revise their privacy and security policies and procedures to comply with these new rules. More detailed information will be provided at our April 9th seminar titled, “Safeguarding Employers in 2013.” The seminar invitation can be found here.
Private employers in Minnesota need to be familiar with personnel record statutes and employee privacy rights. The Minnesota Government Data Practices Act, a wholly separate and much more demanding set of employee privacy laws that apply to public employers and public employees, is irrelevant to private employers – for the most part.
An exception is for corporations or non-profit organizations under contract with a government entity when following the Data Practices Act is required by the contract. See Minn. Stat. § 13.05, Subd. 11; see also Minn. Stat. § 13.02, Subd. 11. By virtue of contracting with the governmental entity (state, county, or a municipality), a private employer may need to respond to certain employee or public personnel data requests based upon the classifications and processes provided in the Data Practices Act. Typically, the Data Practices Act governs data on individuals (including personnel data) made available to the private employer through the government contract. Determining whether, how, and to what extent the Data Practices Act may apply to personnel data related to a government contract is a process of careful contract drafting and legal analysis.
Takeaway: A private employer with a government contract needs to keep in mind possible state Data Practice implications in responding to third party or employee requests for certain contract-related personnel data. This is an important point in contract drafting, and legal review should be involved to determine whether this unique requirement of the Minnesota Data Practices Act may apply to a private employer.
Employers must begin using new Fair Credit Reporting Act (FCRA) forms no later than January 1, 2013. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 transferred FCRA rulemaking authority from the Federal Trade Commission (FTC) to the newly created Consumer Financial Protection Bureau (CFPB).
The FCRA regulates employers who use background checks provided by third parties, known as Consumer Reporting Agencies (CRA), as part of the employment process. Before an employer may obtain a background check on an applicant or employee from a CRA, the applicant or employee must be given certain information about the scope of the background check and must consent to the background check. This is where the new forms are relevant. The main change in the forms is that consumers must now contact the CFPB, rather than the FTC, about their rights under the FCRA.
What is confusing for employers is that the FTC’s website still has the old forms on it, and still has information about the FCRA, even though the CFPB is now the agency responsible for the FCRA and background checks. The new forms are not easy to locate, but can be found on the government’s website at the end of a very long document. You need to know that you are looking for Title 12, Banks and Banking Regulations, of the Code of Federal Regulations. Go to http://www.ecfr.gov/ in order to find the forms. Once you are at that website, find Title 12 “Banks and Banking,” and then scroll down to Part 1022, called “Fair Credit Reporting.” The actual forms for employers and CRAs are found at Appendix K (for employers) and Appendices M and N (for CRAs). Or you can access the new forms by using the links below.
The first of the new forms is called “A Summary of Your Rights Under the Fair Credit Reporting Act.” Employers must provide this form to applicants and employees when issuing a pre-adverse action letter, and in some other situations. PDFs for this form can be found here.
The second new form is called “Notice to Users of Consumer Reports: Obligations of Users Under the FCRA.” This form must be provided by a CRA to users of their services, like employers. PDFs for this form can be found here.
The last new form is called “Notice to Furnishers of Information: Obligations of Furnishers Under the FCRA.” The FCRA requires CRAs to give this notice to entities that provide information under certain circumstances, such as when a consumer disputes some information in the background report. PDFs for this form can be found here.
Takeaways: Employers need to make certain they are using the correct “Summary of Rights” form no later than the beginning of 2013. Employers who fail to comply with the FCRA or to use the new forms may be subject to lawsuits for actual damages, attorney’s fees, statutory damages, and possibly punitive damages, depending upon whether the failure to comply with the FCRA was negligent or willful.
The $1 million-plus settlement in the Anne Marie Rasmusson case is a costly example of why employers need to make certain that their employees do not abuse their access to confidential information. The facts of the case are fascinating and surprising.
Anne Marie Rasmusson, a former St. Paul police officer, filed a lawsuit against numerous Minnesota cities and police officers in March of 2012. In the lawsuit, Ms. Rasmusson alleged that her driver’s license information was improperly accessed 425 times by 104 police officers between 2007 and 2011. Ms. Rasmusson’s complaint asserted claims arising under 42 U.S.C. § 1983, the Driver’s Privacy Protection Act of 1994, as well as claims for invasion of privacy.
In her complaint, Ms. Rasmusson alleged that she retired as a police officer in 2003. After Ms. Rasmusson divorced in 2007, she noticed that numerous police officers began taking an unusual interest in her and asking her for dates. The officers appeared to know where Ms. Rasmusson lived and what kind of car she drove. Because of these circumstances, Ms. Rasmusson contacted the Department of Public Safety and inquired whether any officers had accessed her private information. She learned that over 100 police officers from at least 18 different departments had accessed her records over 400 times since 2007. Upon learning this information, Ms. Rasmusson’s complaint alleges that she was “horrified” and that she “became physically ill” and “vomited.”
During discovery, many police officers who accessed Ms. Rasmusson’s data acknowledged that they did not have legitimate reasons to do so. One supervisor admitted that he encouraged subordinate officers to look up Ms. Rasmusson’s data “because she was very attractive and so they could see that she’s changed and she’s got a new look.”
The overall theme of Ms. Rasmusson’s lawsuit was that the various police departments and officers involved allowed a culture to develop in which her private data was not protected and was routinely accessed for illegitimate reasons.
Recently, many of the parties involved in the lawsuit entered into large settlements with Ms. Rasmusson. The City of St. Paul agreed to pay Ms. Rasmusson $385,000. The City of Minneapolis agreed to pay her $392,000. Various other cities agreed to pay her $280,000. Overall, Ms. Rasmusson has already recovered settlements in excess of $1 million. For more information about the case, click here.
Takeaways: While most employers do not have employees who have access to driver’s license data, many employers have employees who have access to other private and confidential data – such as data protected under the Health Insurance Portability and Accountability Act (“HIPAA”), the Family and Educational Rights and Privacy Act (“FERPA”), or other records for which a reasonable expectation of privacy may exist. The Anne Marie Rasmusson case is a somewhat unusual and extreme case, but it shows that employers who do not have strong policies and procedures in place to prevent employee abuse of confidential data may be subject to significant liability.
Minnesota law provides protection to employers who disclose certain types of information in response to requests for employment references. If an employer stays within the confines of the statute, a current or former employee must make a heightened evidentiary showing to prevail on a lawsuit against the employer related to the disclosure.
The types of information that employers can generally disclose under Minnesota’s employment reference law without an employee’s authorization are:
- Dates of employment;
- Compensation and wage history;
- Job description and duties;
- Training and education provided by the employer; and
- Acts of violence, theft, harassment, or illegal conduct documented in the personnel record that resulted in disciplinary action or resignation and the employee’s written response, if any, contained in the employee’s personnel record. (Note: For this type of disclosure to qualify for protection under the statute, the disclosure must be in writing with a copy sent contemporaneously by regular mail to the employee’s last known address).
If the employer has a written authorization from the employee, the employer may also disclose the following types of information about the employee:
- Written employee evaluations conducted before the employee’s separation from the employer, and the employee’s written response, if any, contained in the employee’s personnel record;
- Written disciplinary warnings and actions in the five years before the date of the authorization, and the employee’s written response, if any, contained in the employee’s personnel record; and
- Written reasons for separation from employment.
With limited exceptions, in order to maintain a cause of action against an employer for disclosure of the above-listed information, a current or former employee must be able to prove by clear and convincing evidence that: (i) the information was false and defamatory; and (2) the employer knew or should have known the information was false and acted with malicious intent to injure the current or former employee.
Takeaway: Employers can minimize potential liability for employment references by limiting their disclosures to include only the information that is authorized under the statute.
On March 26, 2012, Representative Mary Franson proposed legislation that would make it illegal for employers in Minnesota to require applicants or employees to provide passwords or other account information related to their social networking websites. The text of the proposed legislation is as follows:
No person, whether acting directly or through an agent, shall require, as a condition for consideration of employment, that any employee or prospective employee provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking Web site.
See H.F. 2963.
The practice of employers asking employees or applicants for the passwords to their social networking sites, like Facebook or LinkedIn, has been criticized heavily in the press recently. Even if the proposed legislation regarding this topic does not become law, there are some circumstances under which the practice could arguably raise invasion of privacy or Stored Communications Act concerns.
Takeaways: Even if the proposed legislation prohibiting employers from requiring employees or applicants to provide access to their social networking sites does not become law, there are potential legal risks with this practice. As a practical matter, the practice may also lead to negative media attention for employers. Employers should consult with counsel if they have further questions about this topic.
“Invasion of privacy” is an umbrella term for tort claims based on violations of an individual’s privacy rights. The Restatement (Second) of Torts identifies four separate causes of action that qualify as invasion of privacy: (1) intrusion upon seclusion; (2) appropriation; (3) publication of private facts; and (4) false light publicity.
Minnesota law recognizes three of the four types of invasion of privacy claims: (1) intrusion upon seclusion; (2) appropriation; and (3) publication of private facts. Minnesota does not recognize a claim for false light publicity. In Lake v. Wal-Mart Stores, Inc., the Minnesota Supreme Court refused to recognize false light publicity claims because they are similar to defamation claims and because of potential tension with First Amendment rights. 582 N.W.2d 231 (Minn. 1998). However, the Minnesota Supreme Court in Lake recognized the other three types of invasion of privacy claims and described them as follows:
- Intrusion Upon Seclusion: Intrusion upon seclusion occurs when one person intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or upon his or her private affairs or concerns, and the intrusion would be highly offensive to a reasonable person.
- Appropriation: Appropriation protects an individual’s identity. This tort occurs when one person appropriates to his or her own use or benefit the name or likeness of another.
- Publication of Private Facts: Publication of private facts occurs when one person gives publicity to a matter concerning the private life of another, and the matter publicized is of a kind that: (a) would be highly offensive to a reasonable person; and (b) is not of legitimate concern to the public.
Takeaway for Employers: Invasion of privacy claims can sometimes arise in the employment context. Familiarity with the three types of invasion of privacy claims recognized in Minnesota should help employers avoid potential liability.
In United States v. Jones, the United States Supreme Court addressed the question of whether the government violated the Fourth Amendment’s prohibition against unreasonable searches and seizures when it attached a Global Positioning System (GPS) tracking device on a vehicle registered to a criminal defendant’s wife and monitored the vehicle’s movements for four weeks. All nine Supreme Court justices agreed that the government’s use of the GPS device without a valid warrant violated the defendant’s Fourth Amendment rights, but they disagreed as to why.
The Trespass Analysis: Justices Scalia, Roberts, Kennedy, Thomas, and Sotomayor determined that the installation of a GPS device on the defendant’s vehicle constituted a physical “search” under the Fourth Amendment. Those justices held that it was unnecessary to analyze whether the defendant had a “reasonable expectation of privacy” with respect to the underbody of the vehicle where the GPS device was attached or with respect to the public roads where the defendant drove the vehicle. They reasoned that the physical intrusion of attaching the GPS device to the defendant’s vehicle was a trespass sufficient to invoke the Fourth Amendment’s protections. Therefore, attaching the GPS device to the vehicle without a valid warrant violated the Fourth Amendment.
The Expectation-of-Privacy Analysis: Justices Alito, Ginsburg, Breyer, and Kagan determined that the government’s use of the GPS device violated the defendant’s Fourth Amendment rights because it violated a reasonable expectation of privacy. While the justices stated that “relatively short-term monitoring of a person’s movements on public streets” may not violate privacy expectations, longer periods of monitoring likely impinge on reasonable privacy expectations. Therefore, the government’s use of GPS to monitor the defendant’s movements for four weeks without a valid warrant violated the defendant’s Fourth Amendment Rights.
Takeaway for Employers: Private employers are not subject to the Fourth Amendment’s prohibition against unreasonable searches and seizures. However, employees of private employers could potentially cite the United States v. Jones decision in support of an invasion-of-privacy claim to argue that GPS monitoring violated their reasonable privacy expectations. To prevent this type of claim, employers who monitor employees with GPS (whether via cell phones, company vehicles, or other GPS devices) should adopt policies to notify those employees about the GPS monitoring and that they should not have an expectation of privacy while using company property with GPS capabilities.