October 2007 Icle Presentation Final

  1. Your Client as Employer: Workplace Privacy and Identity Theft
     Presented by: David E. Cassidy, Norris McLaughlin & Marcus, P.A.
  2. Tension Between Competing Interests
     • Employees’ Right to Privacy of Personal, Confidential and Financial Information
     vs.
     • Employers’ Right to Protect Assets, Promote Their Business and Maintain Secure Workplaces
  3. Personnel Files: A Fertile Source For Identity Thieves
     Information contained in a company’s personnel files, whether maintained in a file folder or electronically, is a fertile source for identity thieves.
  4. Identity Theft In The Workplace
     • Most identity theft is perpetrated by relatives, friends or coworkers of victims.
     • Sophisticated computer hacking strategies can be used to access employee information.
     • A large percentage of identity theft in the workplace occurs through simpler, unsophisticated means such as copying personnel files from an unlocked file room, downloading confidential information from a company’s network, or negligence.
  5. Examples of Security Breaches:
     • In December 2006, a Boeing Co. employee lost a laptop containing personal information on 382,000 workers and retirees, including their names, social security numbers, home addresses and other personal information.
     • In November 2006, Chicago Teachers Union inadvertently mailed out personal information including social security numbers of 1,700 former employees.
     • In September 2006, four laptops containing personal information of 60,000 Starbucks employees were lost or stolen.
  6. Thirty-Nine States Have Statutes
     • Private right of action in many states
     • Most require documentation of steps taken to implement data security practices (Policies and Procedures)
  7. New Jersey: Identity Theft Prevention Act
     N.J.S.A. 56:11-44 et seq.
     Effective January 1, 2006
     Public purpose to prevent identity theft
  8. The New Jersey Act Defines “Personal Information” as:
     • A person’s last name and first name (or initial)
     • PLUS – One or more of the following:
       – social security number
       – driver’s license number
       – state identification number
       – account information related to debit or credit cards, including any password or access codes
  9. Mechanism: New Jersey Act
     – restricts a company’s use, retention and destruction of an individual’s personal information
     – establishes notice requirements applicable to employers when personal information is improperly accessed or disclosed
  10. Broad Definitions, Broad Reach
     • “Customer” includes any individual who provides personal information to a business
     • “Business” is a sole proprietorship, partnership, corporation, association, or any other entity
  11. What Types of Records Are Subject to the Act?
     • In the workplace, common documents that would contain personal information include:
       – job applications
       – health benefits forms/ID cards
       – retirement/401k account cards
       – I-9 Employment Eligibility Verification forms
       – direct deposit authorization forms
       – credit reports
       – background checks
  12. How Does the Act Work?
     • Limits Use and Display of Social Security Numbers
       – cannot publicly post or display a SSN (in full or any 4 or more consecutive numbers)
       – cannot print a SSN on materials to be mailed to an individual unless required by law
  13. How Does the Act Work?
     • Requires Timely Destruction of Records Containing “Personal Information” to render them
       – Unreadable
       – Indecipherable
       – Nonreconstructable
  14. How Does the Act Work?
     • Imposes notification requirement if electronic files containing personal information are breached:
       – To New Jersey State Police (before notice to customer/employee)
       – To customers/employees who are New Jersey residents who are affected by breach
       – If > 1000 individuals are affected, to all consumer reporting agencies
  15. A Private Right of Action
     Willful failure to comply with restrictions on use of Social Security numbers actionable as an unlawful practice under New Jersey’s Consumer Protection Statutes (NJSA C.56:11-38 and 39)
  16. Patchwork of State Legislation
     • Understanding the “Trigger Event” for Notification
     • “Reasonable likelihood of harm or identity theft” to the individuals whose personal information has been exposed?
     • Notice – “without unreasonable delay”?
  17. New York: Confidentiality of Social Security Account Numbers
     N.Y. Gen. Bus. § 399-dd
     Effective January 1, 2008
     Public purpose to protect privacy and integrity of data
  18. New York: Disposal of Personal Records Law
     N.Y. Gen. Bus. § 399-h
     Effective December 4, 2006
     Public purpose to protect personal and confidential information by requiring proper disposal of records
  19. OREGON’S LAW
     • Oregon’s new law requires businesses that maintain personal information on Oregon residents to:
       – Designate a security officer
       – Conduct a risk assessment and train employees in security policies and procedures
       – Require vendors and other service providers to maintain adequate security
       – Update their security programs over time
       – Implement safeguards and properly dispose of personal information
     • Compliance will satisfy many other states’ laws.
  20. Suggestions for Compliance
     – Employers should update their internal policies and/or employee handbooks to comply with relevant statutes
     – Publish a policy prohibiting dissemination of personal information
     – Define confidential information and forbid collection of confidential information that is unnecessary
  21. Suggestions for Compliance (cont’d)
     – Establish a confidentiality policy that limits employee access to personal information to those with a need to know
     – Store hard copies of personnel records in a secure location with limited access, ideally monitored access
     – Train employees who have access to personal information about proper use and handling of such information
  22. Suggestions for Compliance (cont’d)
     – Examine current computer systems and install safeguards to protect against access to information by unauthorized individuals
     – Implement appropriate software/encryption to protect against computer viruses, unauthorized access to computer networks, and similar on-line or electronic invasions of electronic data storage
     – Review and modify document retention policies as appropriate
  23. Suggestions for Compliance (cont’d)
     – Establish and implement notice procedures in the event of a security breach
     – Consider outsourcing to shredding companies with a written contract
  24. Union Issues
     • Employers must be careful not to draft overbroad privacy and confidentiality policies
     • Employers have a duty to provide a Union with requested information that is necessary to fulfill its duty as a bargaining representative
     • Confidentiality Agreements and negotiation of same
  25. Jane Doe v. XYC Corporation
     New Jersey Appellate Division, December 2005
     • Employees’ known or suspected illegal activities impose new duty on employers:
       – Investigate
       – Act to stop conduct
       – Report conduct to the authorities
       – Prevent harm to third parties
  26. Facts
     • Somerset County employer with 250 employees
     • Computer specialists discover employee accessing pornographic websites with company computer
     • No further investigation done over two year period
     • Complaints from supervisors and co-workers
     • IT Manager confirms employee’s access, including one site with name suggesting child pornography, but does not access those sites
     • Employee instructed to stop unauthorized actions
  27. Facts (Cont’d)
     • Supervisor discovers renewed activities but takes no action
     • Employee arrested on child pornography charges
     • Videotape and photos of 10-year-old stepdaughter recently had been transmitted to child pornography website from company computer
     • More than 1,000 pornographic images downloaded to company computer
  28. Lawsuit Against Employer
     • Employee’s wife, and mother of child, files suit against employer in February 2004, claiming:
       – Employer knew or should have known of employee’s conduct
       – Employer had a duty to report actions to authorities for workplace crimes
       – Employer breached that duty, enabling employee to continue activities
       – Stepdaughter harmed by resultant molestation and photography
       – Money damages for resulting harm (treatment and care)
  29. Appellate Division Analysis
     • Did the employer have the ability to monitor its employee’s use of the Internet?
       – YES because:
         • Employer had already conducted limited investigation of activities
         • Employer had software that allowed regular monitoring
         • Employer could have kept a log of sites visited by the employee
  30. Appellate Division Analysis (Cont’d)
     • Did the employer have the right to monitor his activities?
       – Yes, because:
         • Written company policy permitted it
         • Employee had no reasonable expectation of privacy
  31. Appellate Division Analysis (Cont’d)
     • Did the employer know, or should it have known, that the employee was using its equipment for an illegal purpose?
       – Yes, because:
         • Employees complained of activities
         • Supervisory personnel confirmed access to porn sites
         • More thorough investigation would uncover child pornography access
  32. Appellate Division Analysis (Cont’d)
     • Did the employer have responsibility for employee’s conduct outside the scope of employment?
       – Yes: Employer can be held responsible for damages caused by criminal conduct if:
         1) the employee engages in the conduct on the employer’s premises
         2) the employee uses the employer’s equipment
         3) the employer has the ability to control the conduct
         4) the employer knows or should know there is a reason to exercise control
  33. Appellate Division Analysis (Cont’d)
     • Where did XYC Corp. go wrong?
       – Should have conducted immediate and thorough investigation
       – Could have terminated the employee
       – Should have reported activities to law enforcement authorities
       – Breached dual duties:
         • public policy against possession or viewing child pornography
         • obligation as employer to prevent its employee from intentionally harming others or creating unreasonable risk of bodily harm to them
  34. Policy Drafting Consideration
     • Employers should warn employees that their electronic communications may be disclosed to law enforcement authorities if they create a suspicion of criminal conduct
  35. Other Privacy Issues:
     • Searches in the workplace
     • CEPA – public policy
     • FACTA and background checks
     • ADA and medical information
     • Negligent Hiring & Negligent References
  36. What Privacy? Personal Conduct
     • Executives Resigning over Personal Conduct Violation
