Tag Archives: privacy laws

Data Breach Law Could Hurt Consumers

With each passing brand name mega-breach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers.

Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. The Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land.

The Data Security and Breach Notification Act of 2015 says it “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was written by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing…if it’s done right.

The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be preempted were the bill to pass. If that weren’t bad enough, the proposed bill could also supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information.

The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security. In a widely publicized survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but as I argued in my op-ed about the Data Breach Disclosure Box, any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation.

Why It’s an Issue

Laura Moy, Senior Policy Counsel at New America’s Open Technology Institute, eloquently outlined the problems this bill could create in her testimony before the House of Representatives.

In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be preempted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number was also named. Both state laws represent solid advances in the realm of data security, and both might be preempted were the bill moving through Congress to succeed.

And here’s the really bad news: they would be two of the less alarming casualties.

The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information – like your email address, for one – that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much.

As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief.

To give an example of the kinds of preemption that are possible here, Florida’s privacy law includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts. Eight other states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia and, as of July 1, Hawaii and Wyoming. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit.

In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinge on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) – that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call and the location of all your network-connected devices. All this information could be breached, and this proposed law in Congress says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on pay-per-view. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited online. Every call. Every text.

And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of non-comprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPAA/HITECH Act — with a few notable preemptions of existing state law affecting over-the-counter purchases and other health-related items.

Defining Harm

According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain.

A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public. For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better.

What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a Breach Tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by non-state agencies.

There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way that data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.

Can Employers Ever Monitor Employees' Personal Social Media?

Yes, but be careful! There is no denying that the use of social media sites such as Facebook, Twitter and LinkedIn has exploded. The explosion includes both personal and business use of social media. It also includes use that is beneficial to employers and use that can be very damaging. Unfortunately, the influx of employment lawsuits that has followed the explosion has had limited practical value in guiding employees and employers on the permissible use and oversight of social media in the workplace. While many questions remain, the California State Legislature's recent enactment regulating employer use of social media does provide some guidance.

California Labor Code section 980 was enacted to prevent employers from (1) requesting an employee disclose usernames or passwords for personal social media accounts; (2) requiring an employee to access his or her personal social media in the presence of the employer; or (3) requiring an employee to divulge any personal social media to the employer. Applicants are protected in the same way as employees. The new statute, coupled with existing privacy laws, limits what employers may monitor when it comes to the personal social media of employees and applicants.

Definition Of Social Media
In what appears to be an effort to account for the ever increasing development of new social media, the new statute broadly defines social media as an “electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, e-mail, online services or accounts, or internet web site profiles or locations.”

Prohibitions On Employers Monitoring Social Media
Employers may not require, or even request, that an employee or applicant:

  • Disclose a username or password for the purpose of gaining access to the employee or applicant's personal social media;
  • Access their personal social media in the employer's presence; or
  • Divulge any personal social media.

Employers are also prohibited from retaliating or threatening to retaliate against an employee or applicant who refuses to comply with a request or demand that violates the statute.

Despite the statute's broad definition of social media and its restrictive prohibitions on employers, it does provide some exceptions under which employers may request and gain access to employees' personal social media. For each exception, however, pitfalls exist. Employers need to know them in order to avoid costly mistakes.

Accessing Social Media As Part Of An Investigation
The statute does not affect an employer's existing rights to obtain personal social media “reasonably believed to be relevant” to an investigation of employee misconduct. Under this exception, the employer may only access the employee's personal social media on the condition that it is used strictly for purposes of the investigation or a related proceeding. While the statute does not define what “reasonably believed to be relevant” means, California courts evaluate employee privacy concerns using a balancing test, weighing the employee's reasonable expectation of privacy against the employer's legitimate business needs for accessing the information. It is wise for employers to evaluate each instance carefully before requesting that an employee divulge his or her personal social media under this exception.

Employer-Issued Electronic Devices
The statute does not preclude an employer from requiring an employee to disclose a username and password for the purpose of accessing an employer-issued electronic device such as a computer, smartphone or e-mail account. Employers should exercise caution, however, before digging through an employee's use of personal social media on the employer-issued device.

It is a violation of the federal Stored Communications Act to access a restricted or password-protected site without the owner's consent. So, while it is permissible for an employer to require an employee to provide his or her password for access to the employer-issued device, an employer may be violating the law by accessing social media information on the device. For instance, an employer could violate the Act by having the IT department look up the employee's Facebook password stored on the employer-issued device in order to gain access to the employee's personal Facebook page.

Adverse Action Against Employees
The statute does not prohibit an employer from terminating or taking adverse action against an employee or applicant if otherwise permitted by law. For instance, an employer may discipline an employee for violating company policy by using personal social media during work time. Nor does the statute specifically prohibit employers from accessing publicly available social media. This means that employers may view the personal social media of their employees that is available to the general public on the internet, such as blogs and other websites that do not restrict user access.

But, before taking any adverse action against an employee based upon the content of his or her personal social media, employers must keep in mind that California law prohibits employers from discriminating against an employee based upon the employee's lawful conduct occurring away from the employer's premises during non-work hours. Moreover, the National Labor Relations Board has held that employees may use social media to voice concerns over working conditions. While an employee complaining about working conditions or an issue with a manager on his or her Facebook page may reflect negatively upon the organization, the employee's use of social media to criticize working conditions may qualify as protected speech for which an employee cannot be lawfully disciplined.

What Is An Employer To Do?
First, be patient. The law develops at a snail's pace compared to the development of new technology and cultural trends. More guidance will come. In the meantime, employers should approach social media issues with careful consideration and planning. This should start with the development of a written social media policy, and not a sample or template policy. The policy needs to be specifically tailored to the employer and should discuss the importance of social media, the impact that social media has on the workplace, and how employees' use of social media reflects upon the organization. The policy should also define the permitted use of technology owned by the organization and employees' expectations of privacy, or lack thereof.

If an employer elects to have a policy restricting personal social media use during work hours, it should ensure that the policy is applied even-handedly to avoid claims of discrimination. Employers should also consider the pros, cons and legal issues that relate to restrictions on supervisors' social media interaction with subordinates. For most organizations, it would be advisable to inform employees that they are not required to interact with supervisors on personal social media and will not be retaliated against for refusing to interact with supervisors.

A carefully planned and well written social media policy that outlines the organization's goals and expectations of employees' use of personal social media can help ensure compliance with the new rules and prevent costly disputes with employees.