Related to the last post -- is your company working on its social media employee policy? If not, you should be. If you happen to be in Boston, Mintz Levin is hosting a breakfast briefing on social media in the workplace next week.
Register here
Friday, November 13, 2009
Some startling statistics regarding social networking issues in the workplace......
You might be surprised to know that social networking policies, governing employee use of blogging, Facebook, Twitter and the like, are still a rarity at many business, including teaching hospitals. And, you might be equally surprised to hear that studies are revealing that medical students are displaying cavalier attitudes towards the protection of patient confidentiality.
The Journal of the American Medical Association published a the results of an eye-popping study in the September issue. In response to a survey conducted by the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE), only 38 percent of survey respondents said that they have policies to cover online conduct. The “status update” features of social media platforms encourages people to record what they’re working on or who they are meeting with -- jeopardizing personal information and confidentiality.
Related Links
Mintz Levin Client Alert - HCCA/SCCE Survey
Social media behavior could threaten your reputation, job prospects :: Oct. 12, 2009 ... American Medical News
Medical students using Facebook and Twitter can get expelled
The Journal of the American Medical Association published a the results of an eye-popping study in the September issue. In response to a survey conducted by the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE), only 38 percent of survey respondents said that they have policies to cover online conduct. The “status update” features of social media platforms encourages people to record what they’re working on or who they are meeting with -- jeopardizing personal information and confidentiality.
Related Links
Mintz Levin Client Alert - HCCA/SCCE Survey
Social media behavior could threaten your reputation, job prospects :: Oct. 12, 2009 ... American Medical News
Medical students using Facebook and Twitter can get expelled
Thursday, November 12, 2009
Massachusetts Attorney General proposes privacy regulations to apply to her office
Written by Cynthia and Elissa
An oft-cited criticism of the Massachusetts data security regulations (201 CMR 17.00), effective March 1, 2010, is that the regulations specifically do not apply to government entities -- the only reason being that the Office of Consumer Affairs and Business Regulation does not have the authority or jurisdiction to enact regulations over governmental entities in Massachusetts.
One agency is seeking to correct that. The Massachusetts Office of the Attorney General has released draft privacy regulations to apply to the AG’s office, effective December 31, 2009. The regulations mirror the obligations imposed upon private business by 201 CMR 17.00.
This post would not be complete if we did not also take note of the fact that Attorney General Martha Coakley is a candidate for the U.S. Senate seat left vacant by the death of Senator Edward Kennedy.
An oft-cited criticism of the Massachusetts data security regulations (201 CMR 17.00), effective March 1, 2010, is that the regulations specifically do not apply to government entities -- the only reason being that the Office of Consumer Affairs and Business Regulation does not have the authority or jurisdiction to enact regulations over governmental entities in Massachusetts.
One agency is seeking to correct that. The Massachusetts Office of the Attorney General has released draft privacy regulations to apply to the AG’s office, effective December 31, 2009. The regulations mirror the obligations imposed upon private business by 201 CMR 17.00.
This post would not be complete if we did not also take note of the fact that Attorney General Martha Coakley is a candidate for the U.S. Senate seat left vacant by the death of Senator Edward Kennedy.
Tuesday, November 10, 2009
Remember the school-days admonition that something might end up on your "permanent record"?
A Fordham Law School study found that state educational databases across the country have severely inadequate privacy protections for the nation's school children. The study, prepared by the Center on Law and Information Policy, reports that at least 32% of states warehouse children's social security numbers; at least 22% of states record student pregnancies; and at least 46% of the states track mental health, illness, and jail sentences as part of the children's educational records. Almost all states with known programs collect family wealth indicators.
According to the study, most states use third party vendors for at least part of their data collecting and reporting needs. Some states outsource the data processing without any restrictions on use or confidentiality for children's information. The Fordham study therefore recommended that states which outsource data processing have comprehensive agreements explicitly addressing the privacy obligations of the third party vendors. Furthermore, access to the information and the disclosure of personal data may occur for decades and follow children well into their adult lives. More than 80% of states fail to have data-retention policies and may retain the information indefinitely. Thus, the study recommended that states should limit data collection to necessary information and should have specific data retention policies and procedures.
The Fordham report also recommended that data at the state level be made anonymous, that the collection of information by the state be minimized and specifically tied to an articulated audit or evaluation purpose, and that states should have a Chief Privacy Officer in the department of education who monitors the privacy protections of educational record databases and who publicly reports privacy impact assessments.
Study Website:
http://law.fordham.edu/childrensprivacy
According to the study, most states use third party vendors for at least part of their data collecting and reporting needs. Some states outsource the data processing without any restrictions on use or confidentiality for children's information. The Fordham study therefore recommended that states which outsource data processing have comprehensive agreements explicitly addressing the privacy obligations of the third party vendors. Furthermore, access to the information and the disclosure of personal data may occur for decades and follow children well into their adult lives. More than 80% of states fail to have data-retention policies and may retain the information indefinitely. Thus, the study recommended that states should limit data collection to necessary information and should have specific data retention policies and procedures.
The Fordham report also recommended that data at the state level be made anonymous, that the collection of information by the state be minimized and specifically tied to an articulated audit or evaluation purpose, and that states should have a Chief Privacy Officer in the department of education who monitors the privacy protections of educational record databases and who publicly reports privacy impact assessments.
Study Website:
http://law.fordham.edu/childrensprivacy
Monday, November 9, 2009
When employee handbooks don't tell the whole story.....
Written by Cynthia and Jennifer
In Stengart v. Loving Care Agency, Inc., the court completely rejected an employer's attempt to rely upon an email policy to gain access to an employee's confidential communications with her attorney conducted through the employer's email system. The court found that the employer could have no legitimate interest in reviewing an employee's private communications with her attorney, noting that "[p]roperty rights are no less offended when an employer examines documents stored on a computer as when an employer rifles through a folder containing an employee's private papers or reaches in and examines the contents of an employee's pockets; indeed, even when a legitimate business purpose could support such a search, we can envision no valid precept of property law that would convert the employer's interest in determining what is in those locations with a right to own the contents of the employee's folder of private papers or the contents of his pocket." The court went on to reject the notion that emails relating to an anticipated lawsuit against her employer would seem to be an illegitimate business use of the computer system: "the company had no greater interest in those communications than it would if it had engaged in the highly impermissible conduct of electronically eavesdropping on a conversation between plaintiff and her attorney while she was on a lunch break." Additionally, the court sanctioned the employer's law firm for not returning the emails to the employee as soon as the law firm became aware they were privileged communications.
This is a very interesting pro-employee decision but its lesson is clear: even email policies that notify employees that they are waiving certain privacy rights in the workplace do not give employers carte blanche to access or take ownership of all of those communications. Employers who access (intentionally or not) such information should promptly seek counsel before proceeding further.
Tuesday, November 3, 2009
Privacy Class Actions....Waiting for Hannaford
My colleague, Kevin McGinty, has penned an interesting analysis of the latest in the class action litigation arising out of the Hannaford supermarket chain data breach.
Specifically, Maine’s highest court is being asked to determine whether the law recognizes the time and effort payment cardholders spend trying to protect themselves after a data breach as a “substantial injury” for which they can be compensated. Kevin analyzes how the Maine Supreme Court's decision could affect the protections that zero-liability programs afford retailers involved in data breaches because consumers do not experience actual out-of-pocket damages.
Links:
Mintz Levin Privacy and Class Action Alert
Motion to Dismiss
Complaint
Specifically, Maine’s highest court is being asked to determine whether the law recognizes the time and effort payment cardholders spend trying to protect themselves after a data breach as a “substantial injury” for which they can be compensated. Kevin analyzes how the Maine Supreme Court's decision could affect the protections that zero-liability programs afford retailers involved in data breaches because consumers do not experience actual out-of-pocket damages.
Links:
Mintz Levin Privacy and Class Action Alert
Motion to Dismiss
Complaint
Subscribe to:
Posts (Atom)