Category Archives: Privacy Rights
No – the U.S. District Court for the Northern District of California recently dismissed a complaint alleging Fair Credit Reporting Act (FCRA) violations based on LinkedIn’s Reference Search function. LinkedIn’s “Reference Search” function is available to premium account holders. It is designed to generate a list of individuals who previously worked with a job applicant and who may be able to provide feedback about the applicant’s previous job performance.
In Sweet et al. v. LinkedIn Corporation, a group of rejected job applicants sued LinkedIn and argued that the Reference Search function did not comply with the requirements of the FCRA. No. 5:14-cv-04531-PSG (N.D. Cal., Apr. 14, 2015). The FCRA is a federal statute that regulates “consumer reporting agencies,” which provide “consumer reports,” such as background checks, for employment purposes. See 15 U.S.C. § 1681 et seq. Among other things, the FCRA requires consumer reporting agencies to “adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy and proper utilization of such information.” 15 U.S.C. § 1681(b). The FCRA also imposes requirements for employers who utilize consumer reports provided by consumer reporting agencies to assess job applicants, including obtaining written authorization from the applicant and notifying the applicant if an adverse decision is based in part on information contained in the consumer report.
In Sweet, the court granted LinkedIn’s motion to dismiss based on its conclusion that the Reference Search function on LinkedIn was not a “consumer report” for purposes of the FCRA. The court explained that “Reference Searches are not consumer reports because the information contained in these histories came solely from LinkedIn’s transactions or experiences with these same consumers.” The FCRA defines “consumer report” to exclude a “report containing information solely as to transactions or experiences between the consumer and the person making the report.” 15 U.S.C. § 1681a(d)(2)(A)(i).
The court also held that LinkedIn was not a “consumer reporting agency” under the FCRA. The FCRA defines “consumer reporting agency” as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties . . . .” 15 U.S.C. § 1681a(f). The court reasoned that because the complaint alleged that the plaintiffs voluntarily provided their names and employment histories to LinkedIn, the complaint supports the conclusion that LinkedIn gathered the information for the purpose of carrying out the plaintiffs’ information-sharing objectives – not for the purpose of creating consumer reports.
Takeaway: Because the Reference Search function is not a consumer report subject to the FCRA, employers who utilize the function are not required to comply with the FCRA requirements unless they conduct a separate background check that qualifies as a “consumer report.”
Most employers maintain records with sensitive information relating to their employees, such as social security numbers or similar information. When a data breach occurs and this information is disclosed without authorization, employers may have legal obligations to notify employees affected by the breach.
For example, Minnesota’s data breach notification law requires an employer to notify employees “in the most expedient time possible and without unreasonable delay” of a suspected data breach. The law provides that:
Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.
See Minn. Stat. § 325E.61. For purposes of the statute, “personal information” is defined to include unencrypted data including an individual’s first name or first initial and last name in combination with any of the following: (i) a social security number; (ii) a driver’s license number or Minnesota identification card number; or (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
For a mass data breach affecting 500 or more individuals at a time, the employer would also need to provide notification within 48 hours to “all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis . . . of the timing, distribution, and content of the notices.”
Takeaway: When a data breach affecting employee data occurs, an employer may need to comply quickly with notification obligations under applicable state law. In the event of a data breach, it is important for employers to check the notification requirements for each state where affected employees are located.
In early February 2015, Anthem, Inc. reported that on January 29, 2015, it had discovered that it was the target of “a very sophisticated external cyber attack.” Anthem believes the attack happened over the course of several weeks, starting on December 10, 2014. Accessed information may have included the names, dates of birth, social security numbers, home addresses, email addresses, and income data of current or former members of one of Anthem’s affiliated health plans, or one of the health plans to which Anthem provides administrative services. Anthem is one of the largest health insurance companies in the United States, and one of the largest service providers to self-funded group health plans and Blue Cross and Blue Shield plans across the country. Over 300,000 Minnesotans may have been affected by this breach.
What this means for you:
- If you are one of the individuals that were directly affected by this breach, you should take advantage of the credit monitoring protection offered by Anthem and continue to watch your banking and other financial accounts for any potential suspicious activity. Anthem will contact affected individuals. However, if you have not yet been contacted by Anthem, but believe you may have been affected by the breach, you can contact Anthem directly by calling (877) 263-7995.
- If you represent an employer that sponsors a group health plan insured or administered by Anthem, you may need to provide notice to the participants in your plan, and may need to provide notice of the breach to the Department of Health and Human Services (HHS), as required by the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). Some state laws also require notifications in these types of instances. As a result, you should contact your company’s employee benefits counsel to determine specifically what notice requirements apply in this case. Anthem may take the lead in fulfilling any notice requirements that apply to your plan, especially if Anthem fully insures the plan. However, as the plan sponsor, your company is generally ultimately responsible for making sure all HIPAA requirements are met, especially if the plan is self-insured and Anthem only serves as the claims administrator. In addition, you should consult your plan’s HIPAA privacy and security policies to determine if further actions are required due to this breach. HIPAA generally requires all group health plans have privacy and security policies and procedures. Therefore, you should make sure you have HIPAA compliant policies and procedures in place for your plan, and that you are following them. Anthem will contact affected plan sponsors. However, if you have not yet been contacted by Anthem, but believe your plan may have been affected by the breach, you can contact Anthem directly by calling (877) 263-7995.
- If you represent an employer that sponsors a group health plan that is not insured or administered by Anthem, you should still familiarize yourself with this breach for two reasons. First, you still may get questions from employees wondering if they are affected. Second, it can serve as a good test of your HIPAA privacy and security policies and procedures. HIPAA generally requires all group health plans have privacy and security policies and procedures. If you do not have such policies and procedures, this serves as a good reminder to implement such policies and procedures as soon as possible. You can be thankful that your plan was not affected this time. But you may not be so lucky next time. In addition, even if your plan is never affected by a breach, HHS has the authority, and regularly exercises such authority, to audit group health plans for HIPAA compliance, and to assess significant fines for noncompliance. Therefore, you should make sure you have HIPAA compliant policies and procedures in place for your plan, and that you are following them.
- If your company provides services to another company, and in the course of providing such services, your company receives, transmits, stores, or otherwise has access to certain health information of individuals, your company may be considered a “business associate” under HIPAA. In that case, HIPAA imposes direct liability on your company for certain HIPAA requirements, and your clients will also expect your company to be HIPAA compliant. As a result of the Anthem breach, your clients may be more interested in your HIPAA policies and procedures, since they do not want to risk being responsible for a HIPAA violation that was caused by your company. Therefore, you should also make sure you have HIPAA compliant policies and procedures in place for your company, and that you are following them.
Takeaway: Clearly if you were directly affected by the Anthem breach, either as an individual whose personal data may have been compromised, or as the representative of a company that sponsors a group health plan insured or administered by Anthem, you should take immediate action to obtain credit monitoring (in the case of an individual) or consult with your company’s employee benefits counsel regarding HIPAA notification requirements. However, even if you were not directly affected by this data breach, if you represent a company that sponsors a group health plan and/or your company is a “business associate,” this data breach serves as a good reminder to make sure you are in compliance with HIPAA. At a minimum you should have, and be following, HIPAA compliant policies and procedures. Two of the most important policies are to conduct a comprehensive security risk assessment and to conduct on-going employee training. If you do not currently have HIPAA compliant policies and procedures, or you are not sure if they are HIPAA compliant, you should contact your company’s employee benefits counsel as soon as possible.
Yes – employers generally can monitor employee emails sent using an employer-provided account, but it’s best for employers to take certain steps to ensure that the monitoring is lawful.
Whether an employer can monitor employee emails sent using company email typically depends on whether the employee has a reasonable expectation of privacy in the emails. One of the leading cases on this subject is In re Asia Global Crossing, Ltd., in which the court developed a four-factor test for analyzing whether an employee’s emails are subject to a reasonable expectation of privacy. 322 B.R. 247 (S.D.N.Y. 2005). The court held that the four factors that should be considered are:
- Does the corporation maintain a policy banning personal or other objectionable use?
- Does the company monitor the use of employee’s computer or email?
- Do third parties have a right of access to the computer or emails?
- Did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
The four factors make clear that an employer will have a much greater likelihood of defeating any alleged expectation of privacy in company emails if the company maintains a policy that clearly communicates to employees that the employer reserves the right to monitor and access employee emails and that employees should have no expectation of privacy in their use of company-provided email accounts.
Other potential options that employers can use to eliminate any ambiguity regarding the non-private nature of employee emails are: (i) requiring employees to sign an acknowledgement stating that they have no expectation of privacy in company emails; (ii) using on-screen warnings when an employee logs on to his or her computer warning that emails are subject to monitoring; or (iii) providing periodic trainings to employees that reinforce the company’s email-monitoring policy.
Takeaways: Employers who want to safeguard their right to access and monitor employee emails should make clear their intent and warn employees not to expect privacy in their emails, either by adopting an email monitoring policy or through other steps.
Employers, particularly larger ones, may have difficulty keeping their records straight for employees with more common names. Even middle initials may not help sufficiently. When considering a unique identifier, a company might consider using the employee’s Social Security number.
Minnesota employers considering that option should first consider the limitations on their use or disclosure of social security numbers. Minnesota law provides that an employer may not: (i) intentionally post or display publicly in any manner an individual’s Social Security number; (ii) print an individual’s Social Security number on any card required for access to products or services; (iii) require an individual to transmit a Social Security number over the Internet (unless the number is securely encrypted); (iv) generally require a person to use their Social Security number to access an Internet website; (v) print a number that the employer knows to be an individual’s Social Security number on any materials that are mailed to the person (unless required by state or federal law); (vi) assign or use a number as the primary account identifier that is identical to or incorporates an individual’s complete Social Security number (except in conjunction with an employee retirement or benefit plan or human resource or payroll administration); or (vii) sell Social Security numbers. Minn. Stat. § 325E.59, subd. 1.
While Social Security numbers may be included in certain applications and forms sent by mail, including the Social Security number on the outside of a mailing is prohibited. In addition, an employer must restrict access to Social Security numbers so that only its employees, agents or contractors who require access to records containing the numbers in order to perform their jobs will have access to the numbers. Minn. Stat. § 325E.59, subd. 1. On the other hand, use of Social Security numbers for internal verification or administrative purposes is permissible, as well as use required by state or federal law. Minn. Stat. § 325E.59, subd. 2.
Takeaway: Minnesota employers should carefully guard the confidentiality of employees’ Social Security numbers and be mindful of the specific restrictions imposed by Minnesota law.
Occasionally employees will experience difficult times in their personal or work life. Many employers make an employee assistance program available to which struggling employees may be referred. While the employer may be curious about the details of any such counseling meetings, Minnesota law protects the confidentiality of those records.
In general, no portion of employee assistance records, or participation in employee assistance services, may be disclosed to a third person, including the employer or its representative, without the prior written consent of the person receiving services or the person’s legal representative. Certain disclosures may be made without the employee’s consent. The law does not prohibit disclosure: (i) pursuant to state or federal law or judicial order; (ii) required in the normal course of providing the requested services; or (iii) if necessary to prevent physical harm or the commission of a crime. Minn. Stat. § 181.980, subd. 5.
To further protect the confidentiality of the employee assistance records, to the extent an employer does possess any such records, they must be maintained separate from personnel records and must not become part of the personnel file. Minn. Stat. § 181.980, subd. 3.
An employee may similarly be curious about their own records. Upon a written request, an employee receiving services may review and obtain a copy of their employee assistance records. Employee assistance records do not include: (i) written or recorded comments or data of a personal nature about a person other than the employee, if disclosure of the information would constitute an intrusion upon that person’s privacy; (ii) written or recorded comments or data kept by the employee’s supervisor or an executive, administrative, or professional employee, provided the written comments or data are kept in the sole possession of the author of the record; (iii) information that is not discoverable in a worker’s compensation, grievance arbitration, administrative, judicial, or quasi-judicial proceeding; or (iv) any portion of a written, recorded, or transcribed statement by a third party about the employee that discloses the identity of the third party by name, inference, or otherwise. Minn. Stat. § 181.980, subd. 1. The employee assistance provider must comply within seven working days (14 days if the records are located outside the State of Minnesota). Minn. Stat. § 181.980, subd. 2.
Takeaway: Employers should be careful to not interfere with the confidentiality of the employee assistance program. If an employer is invited by the employee to have access to the records of those sessions, the company should confirm that consent in writing.
The Women’s Economic Security Act recently amended Minnesota’s employment law requirements for nursing mothers. See Minn. Stat. § 181.939. Here’s what employers need to know about the revised break time requirements for nursing mothers:
Which Employers Are Subject To the Requirements? Any person or entity that employs one or more employees in Minnesota is subject to the law.
When Are Nursing Mothers Entitled To Breaks? The law provides that an employer “must provide reasonable unpaid break time each day to an employee who needs to express breast milk for her infant child.” If possible, the break time must “run concurrently with any break time already provided to the employee.”
Do Nursing Mothers Need To Be Paid For the Breaks? No. The statute provides that the breaks are unpaid.
Where Should The Breaks Occur? The employer must make reasonable efforts to provide a room or other location, in close proximity to the work area, other than a bathroom or a toilet stall, that is shielded from view and free from intrusion from coworkers and the public and that includes access to an electrical outlet, where the employee can express her milk in privacy. The statute provides that an employer will “be held harmless if reasonable effort has been made.”
Are There Any Exceptions? Yes, an employer is not required to provide break time to a nursing mother if to do so would “unduly disrupt the operations of the employer.”
Are Nursing Mothers Protected From Retaliation For Taking Breaks? Yes, the law provides that an employer may not retaliate against an employee for asserting rights or remedies under Minnesota’s nursing mother law.
Takeaway: The revised Minnesota law governing breaks for nursing mothers is similar in many respects to the requirements for nursing mother breaks under federal law, but there are a few key differences. Employers in Minnesota need to be familiar with the requirements of both laws.
In 2008, Congress enacted the Genetic Information and Nondiscrimination Act (GINA), which prohibits genetic information discrimination in employment. 24 U.S.C. § 2000ff-1. While the passage of GINA was significant, Minnesota employers had already been restricted at that time regarding the administration or use of genetic testing for seven years.
In 2001, the Minnesota legislature enacted a similar statute regarding genetic testing in employment. Minn. Stat. § 181.974. That statute restricts an employer or employment agency from directly or indirectly (i) administering a genetic test or requesting, requiring, or collecting protected genetic information regarding a person as a condition of employment or (ii) affecting the terms or conditions of employment or terminating the employment of any person based on protected genetic information. Further, no person is permitted to provide or interpret for any employer or employment agency protected genetic information on a current or prospective employee. “Protected genetic information” means (i) information about a person’s genetic test or (ii) information about a genetic test of a blood relative of a person.
Unlike GINA, which applies to employers with 15 or more employees, this state statute applies to employers with one or more employees in Minnesota. The law does not apply to independent contractors. The cost of non-compliance is significant. A person may bring a civil action in which the court may award (i) up to three times the actual damages suffered, (ii) punitive damages, (iii) reasonable costs and attorney fees, and (iv) injunctive or other equitable relief.
Takeaway: Smaller employers who may not be covered by GINA should be aware that they are nonetheless restricted by the similar Minnesota law prohibiting genetic information testing.
A recent decision from the U.S. District Court for the District of Minnesota clarified that an employer’s failure to remove a former employee from a company website does not constitute unlawful appropriation, unless it’s intentional.
Appropriation is one of three torts that fall under the umbrella term of invasion of privacy. The tort occurs when one person appropriates to his or her own use or benefit the name or likeness of another.
In Wagner v. Gallup, Inc., the plaintiff alleged that his former employer was liable for appropriation because it failed to update a reference to him on its website from a “principal of Gallup” to a “former principal of Gallup” after his departure. The plaintiff conceded that he consented to the employer’s posting of information about him on the website at the time it was made and during his employment. Civ. No. 12-CV-01816-JNE-TNL (D. Minn., June 20, 2014).
The court dismissed the plaintiff’s claim for appropriation because there was no evidence that the failure to remove the website’s reference to the plaintiff was intentional. The court explained that “the appropriation tort is an intentional one,” and that the plaintiff must show the defendant “acted intentionally in appropriating his name to prevail on his appropriation claim.” Because there was no evidence that the employer acted intentionally, the plaintiff’s claim failed. The court also noted that plaintiff’s claim would likely fail because there was no evidence of damages.
Takeaway: In most cases, failing to remove an employee’s name or image from a company website after termination will not support a claim for appropriation, unless there is evidence that the appropriation was intentional.
A federal district court in California recently held that an employer could subpoena a former employee’s cell phone records as part of discovery in a pending lawsuit.
In Kamalu v. Walmart Stores, Inc., the plaintiff sued her former employer, alleging discrimination on the basis of national origin, race, and sex, and wrongful termination in violation of public policy. The employer asserted that the plaintiff’s termination was based on legitimate business reasons, including that the plaintiff was terminated for stealing time and misrepresenting her working hours. To obtain evidence to show that the plaintiff was using her cell phone when she should have been working, the employer issued a subpoena to her cell phone provider and requested the following documents:
- All incoming and outgoing cellular phone and text message records for the employee’s phone number during her employment;
- All records regarding any data used by the device associated with the employee’s phone number during her employment; and
- Invoices for the employee’s phone number during her employment.
In response, the plaintiff brought a motion to quash the subpoena, which the district court denied. The district court held that the records were “directly relevant to Defendant’s defense that Plaintiff was terminated for misrepresenting her working hours.” The court also held that the records could potentially support a defense based on after-acquired evidence, even if the plaintiff was never counseled for improperly using her cell phone during her employment.
The court also rejected the argument that the subpoena unnecessarily invaded the plaintiff’s privacy rights, emphasizing that the subpoena only sought information about what calls or messages occurred and how long they were, but not the content of any of the communications. In addition, the court held that the plaintiff had no expectation of privacy in business records maintained by a third party to whom she voluntarily conveyed the information.
Takeaway: In certain cases, an employee’s cell phone records may provide valuable information that can assist an employer in defending against the employee’s claims. The Kamalu decision supports the ability of an employer to subpoena these records provided that it can establish the relevancy of the records to the litigation.
The Department of Health and Human Services (“HHS”) has issued additional requirements for covered entities that maintain protected health information or contract with a business associate for health plan-related services.
There are a number of technical changes made by the new guidance. The more significant changes are as follows:
- The extension of the privacy and security rules to vendors employed by business associates.
- Changes to the rule that make it more likely that notice of security breach will need to be provided to plan participants.
- Clarification as to the use of and disclosure of genetic information that will impact wellness programs.
- Agreements with business associates will need to be revised to reflect the obligations required by the new rules. A sample agreement issued by HHS is available for use.
- These new rules take effect on September 23, 2013, with the possibility that business associate agreements will not need to be revised until September 23, 2014.
Takeaways: Employers will need to review and, likely, revise their privacy and security policies and procedures to comply with these new rules. More detailed information will be provided at our April 9th seminar titled, “Safeguarding Employers in 2013.”
Private employers in Minnesota need to be familiar with personnel record statutes and employee privacy rights. The Minnesota Government Data Practices Act, a wholly separate and much more demanding set of employee privacy laws that apply to public employers and public employees, is irrelevant to private employers – for the most part.
An exception is for corporations or non-profit organizations under contract with a government entity when following the Data Practices Act is required by the contract. See Minn. Stat. § 13.05, Subd. 11; see also Minn. Stat. § 13.02, Subd. 11. By virtue of contracting with the governmental entity (state, county, or a municipality), a private employer may need to respond to certain employee or public personnel data requests based upon the classifications and processes provided in the Data Practices Act. Typically, the Data Practices Act governs data on individuals (including personnel data) made available to the private employer through the government contract. Determining whether, how, and to what extent the Data Practices Act may apply to personnel data related to a government contract is a process of careful contract drafting and legal analysis.
Takeaway: A private employer with a government contract needs to keep in mind possible state Data Practice implications in responding to third party or employee requests for certain contract-related personnel data. This is an important point in contract drafting, and legal review should be involved to determine whether this unique requirement of the Minnesota Data Practices Act may apply to a private employer.