<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; privacy</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/tag/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Sun, 29 Aug 2010 19:49:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>FTC Data Breach Action Against Twitter Settled</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 18:42:29 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1024</guid>
		<description><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax informati[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information.  The compromised information included e-mail addresses and tweets meant for individual recipients and followers only.  Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.  </p>
<p>The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC&#8217;s press release, which you can find <a href="http://www.ftc.gov/opa/2010/06/twitter.shtm">here</a>.  The data breaches stemmed from two incidents.  In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site&#8217;s main login page.  Using the password, the intruder reset several passwords and posted some of them on a website where they could be used by others.  In the second incident, an intruder hacked a Twitter employee&#8217;s personal e-mail account and was able to derive an administrative password from similar passwords that were stored in plain-text.  Twitter&#8217;s privacy policy at the relevant times used common boilerplate to describe its data security procedures:   </p>
<p><em><strong>“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”</strong></em></p>
<p>It is important to note that Twitter never guaranteed the security of its site.  Indeed, tech lawyers like myself routinely warn clients against calling their sites &#8220;secure&#8221; and making similar unqualified assurances.  A cynic might remark that &#8220;weasel language&#8221; like Twitter&#8217;s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.  </p>
<p>The FTC&#8217;s explanation of the charges against Twitter crystallizes its thinking and underlines the agency&#8217;s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:  </p>
<p><strong><em>“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.</em>”</strong></p>
<p>There seems to be little question here that Twitter screwed up.  The FTC&#8217;s complaint recites a litany of data security lapses that have been no-no&#8217;s for at least three or four years in the wake of the <a href="http://www.baerbizlaw.com/category/blog/?s=TJX&#038;submit=submit">FTC&#8217;s prosecution of TJX</a> for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS).  These no-no&#8217;s include Twitter&#8217;s failure to:</p>
<p>    * require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;<br />
    * prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;<br />
    * suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;<br />
    * provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;<br />
    * enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;<br />
    * restrict access to administrative controls to employees whose jobs required it; and<br />
    * impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.</p>
<p>Again, it&#8217;s hard to argue Twitter didn&#8217;t screw up.  However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy.  In other words, saying that there are risks beyond your control no longer provides a get out of jail free card.  Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered.  Now, however, there is an absolute minimum standard of data security:  according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is <em>inherently</em> misleading and deceptive.  Furthermore, FTC scrutiny is no longer confined to privacy policies and &#8220;advertising&#8221; or &#8220;marketing&#8221; messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.  </p>
<p>Under the settlement Twitter is prohibited from misleading consumers about its data security practices for 20 years and must implement a comprehensive information security program, which will be audited by the FTC every other year.  The FTC and Twitter, in other words, will be best buddies for years to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several states that require the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)<br />
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div><br />
<strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.</p>
<p><strong>What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with any inquiries or complaints about the handling of covered information<br />
◊ the consent mechanism as required by the bill</p>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply</strong>?</p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LinkedIn to LawSuit</title>
		<link>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/</link>
		<comments>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 13:31:40 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[employment law]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=951</guid>
		<description><![CDATA[<p>In this depressed economy, social media is one of the primary tools used for job-related networking.  At the risk of blaspheming, I greatly prefer Lin[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>In this depressed economy, social media is one of the primary tools used for job-related networking.  At the risk of blaspheming, I greatly prefer LinkedIn to Facebook because of the professionalism and relatively serious mindset of the user base (you don&#8217;t see much of &#8220;Hey, I&#8217;m lying on the couch!&#8221; from the VP&#8217;s and SVP&#8217;s on LinkedIn).  However, a suit filed this March in federal district court in Minnesota demonstrates the risks of casual chatter through LinkedIn when there is an employee non-compete agreement in the picture.</p>
<p>The facts of the case are very simple.  Brelyn Hammernick was a Minneapolis technical recruiter for the IT services firm TEKsystems who left to take a job with their competitor Horizontal Integrations.  Ms. Hammernick used LinkedIn&#8217;s e-mail tool to communicate with her network, which included several current TEKsystems employees.  Ms. Hammernick had signed a non-compete agreement with TEKsystems containing standard non-solicitation language that prohibited her from communicating with company employees to induce them to leave TEKsystems or work for a competitor.  Yet, as several attorney bloggers have already commented, certain of Ms. Hammernick&#8217;s e-mails were clearly solicitations.  The relevant paragraph from TEKsystems&#8217; complaint alleges:</p>
<p><strong><em>&#8220;Hammernick is soliciting TEKsystems’ Contract Employees and clients in the geographic area encompassed by the non-competition and non-solicitation provisions of the Hammernick Agreement. For example, Hammernick has communicated with at least 20 of TEKsystems’ Contract Employees using such electronic networking systems as “Linkedin.” Hammernick has, at a minimum, “connected” with the following TEKsystems’ employees through “Linkedin: Harold Osmundson, Steve Wicks, Kazim Merchant, Shawn Faber, Srujana Pasunuri, Shailaja Garishakurti, Kevin Jordahl, Mitha KC, Carl Boudreau, Tom Peterson, Seann Van Cleve, Bob Hasselman, Marcia Diterich, Bill Severson, Claude Wallander, and Brett Snaza. In her contacts with Tom Peterson, Hammernick asked Peterson if he was “still looking for opportunities.” She then stated that she &#8216;would love to have [you] come visit my new office and hear about some of the stuff we are working on.&#8217;&#8221;</em></strong></p>
<p>You can also find a full reprint of the key e-mails, along with some trenchant commentary, on <a href="http://www.smoothtransitionslawblog.com/2010/03/articles/noncompete-agreements/caught-red-handed-with-linkedin/">Dallas attorney Rob Radcliff&#8217;s blog here</a>.  (I don&#8217;t normally cite other law firms&#8217; blogs, but I consider Mr. Radcliff&#8217;s post both informative and dead-on.)  </p>
<p>What are the take-aways here?</p>
<p>1.  No one seriously believes that the federal district court is going to treat LinkedIn communications as qualitatively different from traditional channels of solicitation, such as telephone calls, e-mails outside of the social media context, or in-person conversations.  Doing something dumb on Web 2.0 is the same as doing something dumb on Web 1.0, which in turn is the same as doing something dumb using a telephone, telegraph or smoke signals.  </p>
<p>2.  As Mr. Radcliff notes in his blog, employers may find social media posts and communications of departed employees to be a font of useful evidence in employment-related litigation.  Employers should also consider mentioning social media posts and communications as a specific example in employee agreements and materials prohibiting solicitation and other objectionable activities.  </p>
<p>3.  The TEKsystems case involves deliberate one-to-one communications through LinkedIn.  A salient question, however, is whether posts or updates to one&#8217;s entire network or chosen group can violate non-solicitation obligations if the content is objectionable and certain recipients are still employees of the sender&#8217;s late, unlamented employer.  Or, to put it differently, if you&#8217;ve signed a non-compete with non-solicit requirements, should you &#8220;un-friend&#8221; or &#8220;de-link&#8221; your former work colleagues?  Simply updating your career profile should not be a problem, but you may want to think twice before blitzing your network or friends about all of the terrific opportunities you&#8217;re getting at your new employer.  </p>
<p>4.  Careless chatter on social media is a problem not only for departing employees, but also for their new employers, who (like Horizontal Integrations in the TEKsystems case) may get named in the lawsuit if the objectionable behavior appears to work for their benefit.  </p>
<p>Legally speaking, social media is no different from other forms of communication.  However, just as e-mail did in the 1990&#8217;s, it has a tendency to invite informal, spontaneous and poorly considered actions from its users.  Given the uncertain state of privacy on Facebook and other popular social media sites, expect to see a mountain of social media evidence building up in future litigation.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/linkedin-to-lawsuit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Loving Care for Your Internet Use Policy?</title>
		<link>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/</link>
		<comments>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/#comments</comments>
		<pubDate>Thu, 13 May 2010 14:51:04 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Stengart]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=872</guid>
		<description><![CDATA[<p>Your company&#8217;s Internet use policy may need a little &#8220;loving care&#8221; after the New Jersey Supreme Court&#8217;s predictably iconoclast[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Your company&#8217;s Internet use policy may need a little &#8220;loving care&#8221; after the New Jersey Supreme Court&#8217;s predictably iconoclastic ruling in <em><a href="http://lawlibrary.rutgers.edu/courts/supreme/a-16-09.opn.html">Stengart v. Loving Care Agency, Inc.</a></em>, 2010 N.J. LEXIS 241 (March 30, 2010), which recognized a limited employee right to privacy in e-mails sent from a password-protected personal Yahoo account using a work computer.</p>
<p>The facts of <em>Stengart</em> are simple.  Ms. Stengart brought an employment discrimination suit against her home-nursing company employer, Loving Care (great name, that) and exchanged e-mails with her attorney through a web-based personal Yahoo account that she accessed from a company-issued laptop.  In the course of the discovery process the employer&#8217;s counsel imaged the laptop&#8217;s hard drive and found the e-mails, but did not promptly notify Ms. Stengart&#8217;s counsel and turn over the e-mails, as required by New Jersey&#8217;s attorney ethics rules.  Although the employer purportedly maintained an Internet use policy that indicated &#8220;e-mail&#8221; and Internet use was the company&#8217;s property and could be monitored, the policy was poorly drafted and internally inconsistent, stating at the same time that occasional personal use of work computers was permitted.  </p>
<p>The New Jersey Supreme Court held that, given the lack of clarity in the policy that appeared to invite some personal activity, and the fact that the policy did not refer specifically to employer monitoring of password-protected, web-based e-mail usage, Ms. Stengart had not been adequately placed on notice of her employer&#8217;s claimed right to monitor.  Therefore, under the New Jersey constitutional and common law of privacy, she retained an objectively and subjectively reasonable expectation of privacy in her Yahoo account (i.e., that it fell outside the scope of the monitoring described in the Internet use policy), which Loving Care violated when its lawyers retrieved her private e-mails.  Furthermore, the Court held &#8212; and this is the kicker &#8212; even if the employer&#8217;s policy had been totally clear that her Yahoo account usage could be monitored, it would not be enforceable to destroy Ms. Stengart&#8217;s attorney-client privilege in the e-mails with her lawyer. </p>
<p>The Court neatly summed up its views on Internet use policies at the end of the opinion:</p>
<p><em><strong>&#8220;Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy&#8230;. For example, an employee who spends long stretches of the workday getting personal, confidential legal advice from a private lawyer may be disciplined for violating a policy permitting only occasional personal use of the Internet. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual &#8212; that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee&#8217;s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company&#8217;s computer system &#8212; would not be enforceable.&#8221;</strong></em></p>
<p>Until now, courts examining the issue of whether employees have privacy rights in personal online communications sent from work computers have largely deferred to employer Internet use policies that reserved broad monitoring rights.  It is not particularly surprising that the New Jersey judiciary, with its more liberal policy preferences and insistence on the sanctity of the attorney-client privilege, has diverged from more employer-friendly, freedom-of-contract regimes like Pennsylvania in establishing limits on what employers can peek at with Internet use policies.  Still, the <em>Stengart</em> case does provide some useful guidelines for how employers (in New Jersey and elsewhere) can structure their Internet use policies to avoid the loss of productivity and liability risks associated with uncontrolled employee web surfing, Facebook usage, etc., while at the same time avoiding a tort claim for invasion of privacy. </p>
<p>1.  <strong>Specifically discuss whether and how employee access of password-protected, web-based e-mail accounts may be monitored.</strong>  In other words, don&#8217;t make the mistake of the employer in <em>Stengart</em> and assume that references to &#8220;e-mail&#8221; usage will be interpreted to cover personal Yahoo and gmail accounts as well as messages sent via the company&#8217;s official e-mail system.  So, for example, you should mention that e-mails from personal web accounts might be stored on the hard drive of the employer&#8217;s computer.  Also consider giving similar examples with respect to personal activity on restricted areas of social media sites when accessed from work.  Greater clarity and specificity about monitoring of password-protected account usage could also help prevent a Stored Communications Act violation as well as liability for invasion of privacy.</p>
<p>2.  <strong>Don&#8217;t send mixed messages concerning personal Internet usage at work.</strong>  The New Jersey Supreme Court indicated that an employer has the right to prohibit the use of work computers and Internet access for personal reasons and to discipline or terminate employees who violate this policy.  For cultural reasons many employers have resisted taking such a draconian line up to now, but it may be time to consider drawing a line in the sand if productivity loss is a major concern.  If an employer is willing to tolerate limited personal usage of company IT resources (subject to the restrictions in the policy and any blocking of particular sites that the employer considers a distraction), the policy needs to be <strong><em>absolutely clear</em></strong> that even allowed personal communications may still be monitored and stored.  Bottom line for employers:  tell your employees that if they consider something really private or sensitive, they should do it at home using their own computer.   </p>
<p>3.  <strong>Be consistent in applying the policy.</strong>  This is a logical corollary of #2, i.e., don&#8217;t send mixed messages.  Inconsistent application of an IT use policy landed the city of Ontario, California before the U.S. Supreme Court on April 19.  In <em>City of Ontario v. Quon</em>, a SWAT team member was issued a department pager under a use policy that clearly indicated everything could be monitored.  However, a supervisor allegedly assured Quon that personal text messages would not be reviewed as long as the employee paid for any overages.  Needless to say, they were.  The question before the Court is whether the supervisor&#8217;s statements, which deviated from the IT use policy, were enough to give Quon a reasonable expectation of privacy in the personal texts.  Based on the transcript of the oral arguments, the justices seem skeptical (more so, perhaps, than the New Jersey Supreme Court might be).  Their decision will be forthcoming in the next few weeks.  However, the real take-away here is <em>the case should never have happened.</em> Make sure that all employees, including (and especially) managers, confirm receipt of, and are knowledgeable about, your company&#8217;s Internet use policy (for example, it can be discussed in employee information security training).  A well-drafted policy should describe the business interests underlying it and the company&#8217;s seriousness in promoting those interests, and should identify a contact person who can address any questions or issues concerning the policy.  The company should also cultivate a culture of compliance (if you&#8217;ll forgive the alliteration) so that no one is perceived as exempt; selective application and enforcement can lead not only to privacy-related liability but discrimination claims too.</p>
<p>Now that employee privacy is more than just a rallying cry for plaintiffs&#8217; lawyers, consider whether your Internet use policy could use a little loving care.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/loving-care-for-your-internet-use-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coming Soon:  Digital Privacy in the Workplace</title>
		<link>http://www.baerbizlaw.com/category/blog/coming-soon-digital-privacy-in-the-workplace/</link>
		<comments>http://www.baerbizlaw.com/category/blog/coming-soon-digital-privacy-in-the-workplace/#comments</comments>
		<pubDate>Sun, 25 Apr 2010 15:05:27 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Stengart]]></category>
		<category><![CDATA[Supreme Court]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=866</guid>
		<description><![CDATA[<p>Stay tuned for my upcoming post about two significant workplace privacy cases, the New Jersey Supreme Court&#8217;s March 30 decision in <em>Stengart v. L[......]</em></p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/coming-soon-digital-privacy-in-the-workplace/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Stay tuned for my upcoming post about two significant workplace privacy cases, the New Jersey Supreme Court&#8217;s March 30 decision in <em>Stengart v. Loving Care Agency, Inc.</em> and the April 19 arguments before the U.S. Supreme Court in <em>City of Ontario v. Quon</em>.  Both cases examine how far an employer can go in monitoring an employee&#8217;s digital messages, even if it adopts an IT use policy stating that the employee has no expectation of privacy in his or her communications using the employer&#8217;s computers and mobile devices.  </p>
<p>In <em>Stengart</em>, as I predicted in my last post on the case, the New Jersey Supreme Court held that an employee did not waive her attorney-client privilege in her suit against the employer by accessing her personal Yahoo! e-mail account through a work computer and using it to communicate with her attorney (not a good idea, but still &#8230;).  On the other hand, in <em>Quon</em>, where the police department accessed and reviewed a SWAT team member&#8217;s provocative texts from a department-issued pager, the situation is a little murkier, and the Court seems leery of making a grand statement about workplace privacy.  </p>
<p>What does all of this mean for businesses seeking to avoid liability and manage use of corporate IT resources?  As I said, more on this shortly.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/coming-soon-digital-privacy-in-the-workplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Next for Online Privacy?</title>
		<link>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/</link>
		<comments>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 19:04:03 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=817</guid>
		<description><![CDATA[<p>On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy.  A key area of scrutiny dur[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy.  A key area of scrutiny during the roundtables was the adequacy of privacy self-regulation by the online advertising industry with regard to the collection, use and sharing of information from consumers for behavioral advertising purposes (i.e., targeting customized ads to Internet users based on their activities online).  In February 2009, the FTC issued detailed self-regulatory guidelines for behavioral advertising which emphasized prominent disclosure of practices (e.g., not burying the relevant information in a website privacy policy) and providing Internet users with meaningful choice mechanisms, such as opt-outs from information sharing.  <a href="http://www.revenews.com/andrewbaer/ftc-sounds-off-on-online-behavioral-advertising-privacy-issues">For a complete description of those guidelines</a>, please check out my May 2009 article in <a href="http://www.revenews.com">ReveNews.com</a>.  </p>
<p>Two items emerged almost immediately from the roundtables and the FTC&#8217;s related comments:  (1) the FTC does not believe industry self-regulation in behavioral advertising is working, and (2) the category of &#8220;personally identifiable information&#8221; (PII) that has been used in privacy law up to this point to denote sensitive information warranting legal and regulatory protection is effectively obsolete.  </p>
<p><strong>RIP, PII</strong></p>
<p>To the latter point, studies have shown that non-personalized information like IP addresses or even browser and operating system specifications can be combined with other information gathered from online browsing to build detailed personal profiles and even identify individuals with a reasonable degree of certainty. The FTC&#8217;s 2009 behavioral guidelines anticipated a breakdown of the existing personal/non-personal information dichotomy by expanding the category of information covered by the guidelines to include information that can be used to identify a specific computer or device (not just a particular human being).  According to the FTC, such data include clickstream data that can be combined with a consumer’s website registration information; individual pieces of anonymous data combined into a detailed profile that is identifiable with a particular person; and behavioral profiles that are not associated with a particular consumer, but are stored and used to deliver personalized advertising and content to a particular device.</p>
<p>In addition, the guidelines identified a special category of personal information, such as health information, financial information, precise geographic location information or information about children, that is so sensitive it warrants heightened privacy protection (for example, requiring consumers to opt in before such data can be collected for behavioral advertising, rather than providing the standard opt-out).   </p>
<p><strong>More Powers for the FTC?</strong></p>
<p>Greater privacy regulation in online behavioral advertising seems to be a given, therefore.  Some sites like Yahoo! have felt it prudent to get ahead of the curve by expanding their privacy disclosure preemptively (for example, <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Yahoo!&#8217;s Ad Interest Manager</a> allows you to see information about your browsing activities that Yahoo! collects for targeted advertising purposes and set your preferences accordingly).  The big question, though, is how sweeping the new rules will be.  One problem with a non-incremental approach is that the FTC is currently limited in its rule-making authority when it is using its power to combat unfair or deceptive practices under Section 5 of the FTC Act.  This is the main authority the FTC has used for a decade to make its views known with respect to online privacy (Congress has granted it broader powers to regulate in specific areas, such as under the Children&#8217;s Online Privacy Protection Act and the CAN-SPAM Act).  </p>
<p>However, a clause in Congressman Barney Frank&#8217;s (D-Mass.) financial reform bill H.R. 4173, otherwise known as the Wall Street Reform and Consumer Protection Act of 2009, would greatly expand the FTC&#8217;s power to regulate and litigate, and not just against financial services companies.  Specifically, the bill would allow the FTC to implement consumer protection regulations generally through the Administrative Procedures Act (APA) rule-making process, rather than through the more rigorous current process, which takes much longer and requires greater public participation and comment.  The FTC would also be able to file suit directly instead of having to act through the Department of Justice.   (NOTE:  this is <a href="http://www.baerbizlaw.com/category/blog/guarding-the-angels">the second time in a week I have blogged</a> about a little-known clause in Congressional financial reform legislation that drastically expands regulatory involvement in areas that have <strong>nothing to do with</strong> the 2008 financial collapse.)  FTC Chairman Jon Leibowitz argued for such powers in Senate testimony on the pending legislation, promising to use them sparingly.  It remains to be seen whether Congressman Frank&#8217;s creation of an &#8220;FTC on steroids&#8221; (as some libertarian/anarchist tech bloggers have called it) will appear in the final act after reconciliation with Senator Chris Dodd&#8217;s (D-Conn.) bill. </p>
<p>So, what&#8217;s next for online privacy?  More disclosure and more consumer choice, probably, as well as the possible creation of a sliding scale of privacy protection based on categories of totally de-identified data, data that can (either alone or in combination with other data available through the Internet) be associated with a unique individual, and sensitive personal data warranting strong safeguards.  Online advertisers and ad networks:  be aware that the FTC is watching you.  Of course, I am watching them, and you can find new developments on this blog as soon as they occur.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Genetic Information and Social Media:  Employers Beware</title>
		<link>http://www.baerbizlaw.com/category/blog/genetic-information-and-social-media-employers-beware/</link>
		<comments>http://www.baerbizlaw.com/category/blog/genetic-information-and-social-media-employers-beware/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 18:57:35 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[EEOC]]></category>
		<category><![CDATA[genetic discrimination]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social networking media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=682</guid>
		<description><![CDATA[<p>Two emerging 21st Century technologies &#8212; genetic testing and genomic (or personalized) medicine and Web 2.0 &#8212; may create legal risks and h[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/genetic-information-and-social-media-employers-beware/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Two emerging 21st Century technologies &#8212; genetic testing and genomic (or personalized) medicine and Web 2.0 &#8212; may create legal risks and headaches for employers due to the Genetic Information Non-Discrimination Act of 2008 (GINA), which went into effect on November 21, 2009.   Specifically, the U.S. Equal Employment Opportunity Commission (EEOC), which has been tasked with crafting regulations to interpret and implement GINA, is looking at how employers use social media to research job applicants and employees and how &#8220;genetic information&#8221; that is voluntarily posted on personal websites and social networking sites should be treated if viewed by employers.</p>
<p>Title II of GINA prohibits both the use of individual genetic information in making employment decisions and any action by an employer to &#8220;request, require or purchase&#8221; genetic information, subject to certain limited exceptions.  It also imposes strict confidentiality requirements when an employer or other covered entity comes into possession of genetic information.  Title II applies to private and governmental employers with 15 or more employees.  &#8220;Genetic information&#8221; is defined in the statute to include not only information about an individual&#8217;s genetic tests, but also genetic tests of family members and family medical history, including the manifestation of a disease or disorder in a family member.  &#8220;Family members&#8221; include dependents as well as <strong>relatives of an individual or dependent from the first to the fourth degree.</strong>  So, to take a completely hypothetical example, the fact that a maternal grandmother died of lymphatic cancer would be protected genetic information.   This casts a very wide net indeed.  </p>
<p><strong>Employers Are Looking at You Online</strong></p>
<p>The policies behind Title II of GINA are laudable:  maintaining privacy and protecting individuals from job-related discrimination due to factors that are totally outside their control and not meaningfully related to their job qualifications or performance (but that may give rise to certain assumptions about insurance costs, work attendance, etc.).  However, it&#8217;s not difficult to see how such an expansive definition of genetic information can create a legal minefield when blogs and social media are worked into the equation.  </p>
<p>Blogs and social media provide the tools for us to share and publicize details about our personal lives, about where we are in this world and what we&#8217;re going through right now, as well as to foster an ever-greater interconnectedness that provides a substrate of meaning at the same time as it boosts our audience size.  For these reasons, many employers, particularly those hiring for positions involving significant professional responsibility, customer or public exposure, or access to confidential information, Google job applicants and examine personal blogs and social media profiles as part of their due diligence process.   </p>
<p>Generally speaking, employers are not legally prohibited from doing this and taking the findings into account when they make decisions about you (as long as the decisions aren&#8217;t based on certain impermissible factors defined by the law, such as race, gender, age, disability and now genetic background).  </p>
<p>Therefore, if you plan to apply in the future for a financial services position managing the portfolios of wealthy clients, I would strongly advise you not to post a college photo of yourself drowning your svelte naked body in Yuengling.  However humorous and compelling such a photo may be &#8212; and I really do like Yuengling! &#8212; it can easily be pulled up on the Internet years after it is posted, i.e., when you&#8217;re older, more professionally oriented and sober.  </p>
<p><strong>Finding Family Medical Information Online</strong></p>
<p>All kidding aside, what if someone&#8217;s family member is ill and, out of an understandable desire to unburden herself and seek support from her user community, she shares information about the illness and the distress she is experiencing?  If an employer then reads the page, does this constitute an illegal acquisition of genetic information?  </p>
<p>GINA&#8217;s prohibition on requesting, requiring or purchasing genetic information excludes situations &#8220;where an employer purchases documents that are commercially and publicly available (including newspapers, magazines, periodicals, and books, but not including medical databases or court records) that include family medical history.&#8221;  In its <a href="http://edocket.access.gpo.gov/2009/E9-4221.htm">proposed regulations issued in March 2009</a>, the EEOC expanded the commercially and publicly available document exception to also cover genetic information from documents that are available &#8220;through electronic media, such as information communicated through television, movies, or the Internet, except that a covered entity may not research medical databases or court records, even where such databases may be publicly and commercially available, for the purpose of obtaining genetic information about an individual.&#8221;   (Such information also would not be covered by GINA&#8217;s confidentiality requirements, although it still could not be used to discriminate.)  </p>
<p>The EEOC is seeking further comment on how genetic information acquired from personal websites such as blogs and social networking sites should be treated.  </p>
<p>Some commenters have recommended a total exclusion for information on publicly available web pages, on the theory that employers should not be penalized for stumbling across information that an individual deliberately posts for the entire world to see (obviously, making an employment decision based on this information would still be forbidden).  </p>
<p>Other commenters have urged the EEOC to take into account the site&#8217;s user restrictions and privacy settings:  if an employer pries its way into a restricted user group <a href="http://www.baerbizlaw.com/category/blog/employer-liable">(like in the <em>Pietrylo</em> case)</a> whose members can view an individual&#8217;s family medical history, that looks more like an illicit attempt to acquire private or protected information than reading a publicly available website.  </p>
<p>Still other commenters have suggested a regulatory standard that delves into the employer&#8217;s motives:  is the employer searching sites for the specific purpose of obtaining genetic information?  From the viewpoint of an attorney counseling businesses, I hope the EEOC avoids such a subjective test, since anyone could raise this accusation in a legal or administrative complaint with the flimsiest of evidence (or no evidence whatsoever).   Due to the messy factual issue of intent it would be difficult for the employer to get the case dismissed before trial, meaning that costly litigation would be an ever-constant threat.  However, the EEOC may already be thinking along these lines, since its proposed rules prohibit an employer from researching publicly available medical databases and court records for the purpose of obtaining genetic information.   </p>
<p><strong>Employers:  Be Careful Where You Look</strong></p>
<p>Even before the EEOC speaks on these issues, employers should take special note of GINA where online research plays a role in employment-related decisions.  My advice to employers is to focus on the presence or absence of naked beer-waterfall photos and other content that is clearly relevant to a candidate&#8217;s judgment or his or her qualifications to hold a position; don&#8217;t go searching for (or dwell on or document) confessional posts about a sick aunt, however poignant and compelling they may be.   If you do, you may risk a claim for either illegal acquisition of genetic information or (if the candidate is turned down or suffers some other adverse employment action) genetic discrimination.  </p>
<p>Technology marches on, and, as always, the law struggles to keep up and adapt.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/genetic-information-and-social-media-employers-beware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Merry Christmas from Baer Business Law</title>
		<link>http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/</link>
		<comments>http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/#comments</comments>
		<pubDate>Mon, 21 Dec 2009 15:54:48 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Stengart]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=649</guid>
		<description><![CDATA[<p>This will likely be my last post before Christmas, and so, in the spirit of the season, I am leaving you with a few images of the December 19 blizzard[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>This will likely be my last post before Christmas, and so, in the spirit of the season, I am leaving you with a few images of the December 19 blizzard in Philly &#8212; and one small workplace electronic privacy morsel.<br />
<div id="attachment_677" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/The-Christmas-blizzard-300x225.jpg" alt="The Christmas blizzard" title="The Christmas blizzard" width="300" height="225" class="size-medium wp-image-677" /><p class="wp-caption-text">The Christmas blizzard</p></div><br />
Shake the snow from your boots, pull a chair up by the fire, and let&#8217;s touch briefly on <em><a href="http://docs.google.com/viewer?a=v&#038;q=cache:iBUxUy3MjCwJ:https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc%3F2004cv0236-167+convertino+v.+united+states&#038;hl=en&#038;gl=us&#038;sig=AHIEtbSn4A2pUm60Be6xEGf8YEWHPjAmnQ">Convertino v. U.S. Dep&#8217;t of Justice</a></em>, Civ. No. 04-236 (D.D.C. Dec. 10, 2009).  This ruling by a federal district court in Washington, D.C. is being hailed as the next in the <em>Stengart v. Loving Care Agency, Inc.</em> line of cases that <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie/">supposedly vindicate an employee&#8217;s right to electronic privacy in the workplace</a>.  </p>
<p>Richard Convertino is a former federal anti-terrorism prosecutor who was forced out by an investigation of prosecutorial misconduct during the Bush administration.  Information about the investigation was leaked to the <em>Detroit Free Press</em>.  In his action against the Justice Department for whistleblowing retaliation and other claims, Convertino sought discovery of e-mails between Tukel, another prosecutor involved in the investigation, and his private attorney, e-mails that were sent from a Justice Department computer using Tukel&#8217;s DOJ account (not even a web-accessed personal e-mail account, as in <em>Stengart</em>).  The court refused to grant access to the e-mails, holding that Tukel had a reasonable expectation of privacy which supported his assertion that the e-mails were still protected by the attorney-client privilege.  </p>
<p>In finding for Tukel, the court specifically examined the Justice Department&#8217;s Internet use policy and determined that, in view of the policy, he was not on notice that his personal e-mails were being monitored and, therefore, his actions in deleting the e-mails from his account in an expeditious manner amounted to a non-waiver of the attorney-client privilege:  </p>
<p>          <em>&#8220;Mr. Tukel reasonably expected his e-mails with his personal attorney to remain private….   Case law in this jurisdiction is not directly on point but New York gives the Court some direction.  &#8216;[T]he question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable.&#8217; … In order for documents sent through e-mail to be protected by the attorney-client privilege there must be a subjective expectation of confidentiality that is found to be objectively reasonable&#8230;. [Four factors to determine reasonableness are] &#8216;(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?&#8217; … Each case should be given an individualized look to see if the party requesting the protection of the privilege was reasonable in its actions….</p>
<p>          &#8220;On the facts of this case, Mr. Tukel’s expectation of privacy was reasonable.  The DOJ maintains a policy that does not ban personal use of the company e-mail.  Although the DOJ does have access to personal e-mails sent through this account, Mr. Tukel was unaware that they would regularly access and save e-mails sent from his account….  Because his expectations were reasonable, Mr. Tukel’s private e-mails will remain protected by the attorney-client privilege.&#8221;</em><br />
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/Locust-Street-300x225.jpg" alt="White-out on Locust Street" title="White-out on Locust Street" width="300" height="225" class="alignright size-medium wp-image-679" /><br />
As with <em>Stengart</em> (which <a href="http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/">was recently argued before the New Jersey Supreme Court</a>), I am unconvinced that rulings like this create a broad right of privacy in personal communications sent through an employer&#8217;s IT resources.  For one thing, the Internet use policy in <em>Stengart</em> as well as the DOJ&#8217;s policy in <em>Convertino</em> explicitly permitted personal use but were less than clear that ALL communications (personal as well as work-related) were subject to monitoring.  Had the policies contained language like the following, the results might have been different:  <strong>&#8220;We reserve the right to monitor, and periodically monitor, ALL communications sent using our computers and Internet access, whether personal or work-related, and including personal e-mails sent using your web-accessed e-mail (e.g., gmail, hotmail) account.  You agree that you have no expectation of privacy in these e-mails and other communications.  You should NOT send sensitive personal e-mails from a work e-mail account or a work computer.&#8221;</strong>  </p>
<p>Secondly, I maintain that the attorney-client privilege is something special.  If it&#8217;s held to be waived, the <em>legal</em> effect on a litigant &#8212; loss of or inability to implement legal strategy or exercise legal rights &#8212; is potentially catastrophic.  Privileged e-mails are different from, say, embarrassing e-mails or e-mails that could get you into trouble with your boss.  My sense is that courts will strain to avoid piercing such a hallowed privilege, except where a litigant has acted in a totally cavalier manner with regard to secrecy.  I don&#8217;t agree with those legal commentators who claim the <em>Convertino</em> case actually reflects a dawning recognition that, due to the timing constraints in our harried modern lives, personal e-mails MUST be sent from work and should be shielded for that reason (regardless of how an employer&#8217;s computer/Internet use policy is worded or distributed).  The court didn&#8217;t say this.  In its own words, the case was about what the employee did and did not know about monitoring, pure and simple.</p>
<p>This battle will continue, of course.  In the meantime, employers should think carefully about what personal uses of company Internet access and IT resources they wish to permit and make sure their approach to monitoring is clearly explained, particularly when read together with the sections of the policy detailing any approval of personal use.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/merry-christmas-from-baer-business-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tech Chestnuts for the Winter Chill</title>
		<link>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/</link>
		<comments>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/#comments</comments>
		<pubDate>Sat, 12 Dec 2009 23:52:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[green technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=619</guid>
		<description><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm yourself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm yourself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in his bag:<br />
<div id="attachment_641" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/carpenters-hall-300x225.jpg" alt="Carpenters Hall at Yuletide" title="carpenters hall" width="300" height="225" class="size-medium wp-image-641" /><p class="wp-caption-text">Carpenters Hall at Yuletide</p></div><br />
1.  <strong>Green Patents.</strong>  In conjunction with the Copenhagen climate summit, the U.S. Patent and Trademark Office announced on December 8 a pilot program to accelerate the examination of patent applications for green technology.  Normally, except where other circumstances exist favoring accelerated review, patents are examined on a first-come, first-served basis.  The first 3,000 eligible patent applicants who file a &#8220;petition to make special&#8221; their applications will get to jump to the front of the line.  </p>
<p>According to the PTO, the average time between filing and the first office action (PTO response) on a green technology patent application is 30 months, with the final action on the applications coming after 40 months on average.  The PTO estimates that participation in the pilot program will shave a year off the time to get a green technology patent.  Green technology eligible for the pilot program is defined as patent applications relating to environmental quality, energy conservation, development of renewable energy resources or greenhouse gas emissions reductions.  You can download detailed eligibility and petition requirements on the PTO website <a href="http://www.uspto.gov/patents/law/notices/2009.jsp">here</a>.  </p>
<p>2.  <strong>Online Privacy and Behavioral Advertising.</strong>  Check out Yahoo!&#8217;s new <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Ad Interest Manager</a>, which enables you to see information about your online browsing activities that Yahoo collects for targeted advertising purposes.  The new site feature was unveiled with great fanfare on December 7, which &#8212; coincidentally? &#8212; was the same day the FTC kicked off the first of three new Privacy Roundtables examining online data collection for behavioral advertising and similar topics and the adequacy of current privacy rules and industry self-regulation.  </p>
<p>Yahoo! may be ahead of the curve.  The noises the FTC is making seem to indicate impatience and dissatisfaction with the current state of self-regulation in behavioral advertising (supposedly based on notice and choice, as provided in the <a href="http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising">behavioral advertising self-regulatory guidelines</a> issued by the FTC in February 2009).  More aggressive privacy regulation, as well as stepped-up administrative enforcement, may be on the way.  Of course, this is <a href="http://www.baerbizlaw.com/blog/ftc-busts-sears-in-behavioral-tracking-case">exactly what I predicted last summer</a>.</p>
<p>I am monitoring this situation closely, and if there is a new rulemaking, I am considering participating in the public comment process.  I acknowledge the concern in government and academic circles about the ability to build profiles and derive personal information by associating and combining data on the Internet and applying behavioral analytics (connecting the dots to tease out or guess specific attributes of an Internet user, such as demographic information, based on browsing activity and clickstream data).  However, as a matter of personal opinion I tend to fall into the &#8220;what privacy?&#8221; camp and am not convinced we are dealing with a full-scale public emergency that warrants shackling innovative new technologies and communication channels.  </p>
<p>3.  <strong>Workplace Internet Privacy Before the NJ Supreme Court.</strong>  <em>Stengart v. Loving Care Agency, Inc.</em>, a New Jersey appellate court case I <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie">blogged about this past summer</a>, was argued before the New Jersey Supreme Court on December 2.  The issue in <em>Stengart</em> is whether an employee&#8217;s e-mails to her attorney using her personal web account are still covered by the attorney-client privilege in her suit against the employer where she accessed the account from a work computer.  (The defendants&#8217; counsel found the e-mails when imaging the computer&#8217;s hard drive during discovery.)  The employer had a poorly drafted Internet use policy that (arguably) rendered all communications over the computer subject to monitoring, although the policy also allowed limited personal use of the computer.  </p>
<p>The case is important, because if the Supreme Court agrees with the appellate court that the employee did have an expectation of privacy in the e-mails to her attorney, notwithstanding the Internet use policy, it could curtail employers&#8217; previously untrammeled ability to regulate the use of their IT resources.  </p>
<p>A finding for the employee seems likely, since the New Jersey Supreme Court is a liberal bench that has often taken a broadly protective approach to the attorney-client privilege.  Also, at least two of the justices, including Chief Justice Rabner, seemed troubled by the employer&#8217;s reliance on the policy as support for its position that it could monitor anything transmitted using its computers.  </p>
<p>The big question, then, is how broad or narrow the ruling will be.  Was this a badly drafted policy that on its terms shouldn&#8217;t be construed to apply to such personal communications?  Or going forward do all Internet use policies need to specifically call out the right to monitor communications using web-accessed personal e-mail accounts?  Or (most radical) will an employer&#8217;s &#8220;unilateral&#8221; reservation of the right to monitor its IT resources be held unenforceable as a matter of public policy when applied to certain types of communications &#8212; such as e-mails to a &#8220;spouse, a physician or a cleric&#8221;?   (The possibility of such employer monitoring appeared to disconcert Justice Albin.)  If the court were to take the most radical approach, this might scare employers into slamming the door on ANY personal use of workplace computers and Internet access.<br />
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/tree-with-seasonal-colors-225x300.jpg" alt="Colors of the season" title="Colors of the season" width="225" height="300" class="alignright size-medium wp-image-644" /><br />
4.  <strong>Data Breach Dixie-Style.</strong>  Several restaurants in Louisiana and Mississippi, including the rustically named Mel&#8217;s Grill, Sammy&#8217;s Diner and Crawfish Town USA, have sued Radiant Systems, a provider of point-of-sale (POS) hardware and software, and the distributor Computer World, Inc. to recover fines and penalties imposed by Visa and MasterCard after a foreign hacker exploited security vulnerabilities to access the systems remotely.  The plaintiffs, whose claims include negligence and breach of contract, allege that the POS solution was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that the distributor was also out of compliance (according to the plaintiffs, among other things, the system retained sensitive credit card information unnecessarily and the distributor used the same password for 200 different systems).  The plaintiffs also alleged that Radiant had, in fact, been warned by Visa about the vulnerability of the POS system in 2007.  </p>
<p>The negligence claims are significant because of the plaintiffs&#8217; attempt to use PCI compliance to set the baseline for reasonableness in order to show that the defendants&#8217; behavior was negligent.  However, the plaintiffs will face an uphill battle if their contracts with the defendants contain the typical technology vendor/service provider legalese limiting product- and service-related claims to breaches of the narrow warranties given in the contract, disclaiming damages for lost or stolen data, characterizing third-party criminal acts as force majeure for which the vendor is not responsible, and limiting the customer&#8217;s recoverable damages to direct damages no greater than the fees paid for the defective product or service.</p>
<p>However this case unfolds, the loss suffered by the restaurants highlights the need to carefully scrutinize and negotiate technology agreements covering products that store or process sensitive personal information.  The customer should strongly consider requiring the vendor/service provider to warrant that they have validated compliance with PCI and will update their product or service as needed to maintain compliance.  The customer should also seek indemnification against claims and losses resulting from a data breach where the breach is attributable to a defect in PCI compliance.  (Many vendors/service providers will scream at this, protesting that their prices don&#8217;t reflect assumption of these risks.  The proper response to this is &#8220;why not?&#8221;, especially if a vendor/service provider hypes itself as being PCI-certified.)   </p>
<p>Of course, don&#8217;t place absolute trust in having a strong contract; make sure you do your due diligence too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security: Don&#8217;t Fall Behind the State of the Art</title>
		<link>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/</link>
		<comments>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 18:11:05 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=517</guid>
		<description><![CDATA[<p>With everyone in Philly waiting with bated breath for Game 3 of the Amtrak Series, I&#8217;m going to eschew the normal in-depth commentary and hit y[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>With everyone in Philly waiting with bated breath for Game 3 of the Amtrak Series, I&#8217;m going to eschew the normal in-depth commentary and hit you with a few quick odds and ends and practical lessons from the world of data security.</p>
<p>Data breaches impose huge costs on businesses in terms of investigation, remediation, fraud losses, notification of affected individuals, replacement of accounts and reputational and customer-relations damage.  Given the resources and sophistication of foreign criminal syndicates and other fraudsters, some data breaches are probably unavoidable.  However, in the unfortunate event of a breach, you do not want to be seen as having fallen too far behind the state of the art in information security protection, or you could face statutory or regulatory fines and negligence liability.  The FTC busted TJX, which ended up paying millions of dollars in fines to the FTC and the states, because, among other things, they used WEP, an outdated wireless encryption standard.  <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law">As previously described in this blog</a>, Nevada&#8217;s data security law, Senate Bill 227 (which is potentially applicable to any business with Nevada customers), requires personal information stored on portable devices in motion or transmitted outside a business&#8217; secure systems to be encrypted using technology approved by an &#8220;established standards setting body.&#8221;  </p>
<p>And now, in the case of <em>Shames-Yeakel v. Citizens Financial Bank</em>, No. 07-C-5387 (N.D. Ill. Aug. 21, 2009), a federal district court in Illinois has denied Citizens Bank&#8217;s motion for summary judgment dismissing a data breach-related negligence claim where the bank allegedly had not moved promptly enough to implement multifactor authentication (i.e., secondary inputs beyond name and password, such as tokens, personal questions, etc.) to secure sensitive Internet transactions.  (A 2005 regulatory guidance had criticized single-factor authentication, i.e., name and password alone, as being inadequate.)  </p>
<p>There is a dialectic going on here:  legislatures, regulators and courts are wary of imposing compliance requirements involving huge costs for new IT infrastructure at a time when the national unemployment rate is 9.8%.  At the same time, given the mounting economic costs of data breaches, the public outcry over identity theft, and the connection between identity theft, organized crime and terrorism, legal and regulatory scrutiny of data security protections is increasing and will continue to do so.  This dialectic was evident <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux">in Massachusetts this past August</a>, when, at the urging of business groups, 201 CMR § 17.00, a highly prescriptive, technology-specific data security regulation that would have gone into effect in January 2010 (and would have required data in motion or stored on portable devices to be encrypted using 128-bit technology) was thoroughly revised to be risk-based and technology-neutral and to take into account the size, scope and type of business, the amount of resources available to the business, etc.</p>
<p>Don&#8217;t be an outlier.  Learn what the state of the art is (the supporting and ancillary documents for the Payment Card Industry Data Security Standard are particularly useful here) and try to be in the general vicinity.  If it&#8217;s too expensive, think about outsourcing the hosting or processing of personal information (but make sure you have done due diligence on the vendor and have a protective contract with them, as required by PCI DSS, HIPAA, federal banking regulations and state data security laws) or whether you even need to hold personal information in the first place.  Amid the carnage and emotional trauma of a data breach, there&#8217;s no need to add legal fees, regulatory fines and tort damages to the heap of misery.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
