Your Client as Employer:
Workplace Privacy and Identity Theft
Presented by:
David E. Cassidy
Norris McLaughlin & Marcus, P.A.

Tension Between Competing Interests
• Employees’ Right to Privacy of Personal, Confidential and Financial Information
vs.
• Employers’ Right to Protect Assets, Promote Their Business and Maintain Secure Workplaces

Personnel Files: A Fertile Source For Identity Thieves
Information contained in a company’s personnel files, whether maintained in a file folder or electronically, is a fertile source for identity thieves.

Identity Theft In The Workplace
• Most identity theft is perpetrated by relatives, friends or coworkers of victims.
• Sophisticated computer hacking strategies can be used to access employee information.
• A large percentage of identity theft in the workplace occurs through simpler, unsophisticated means such as copying personnel files from an unlocked file room, downloading confidential information from a company’s network, or negligence.

Examples of Security Breaches:
• In December 2006, a Boeing Co. employee lost a laptop containing personal information on 382,000 workers and retirees, including their names, social security numbers, home addresses and other personal information.
• In November 2006, Chicago Teachers Union inadvertently mailed out personal information including social security numbers of 1,700 former employees.
• In September 2006, four laptops containing personal information of 60,000 Starbucks employees were lost or stolen.

Thirty-Nine States Have Statutes
• Private right of action in many states
• Most require documentation of steps taken to implement data security practices (Policies and Procedures)

New Jersey: Identity Theft Prevention Act
N.J.S.A. 56:11-44 et seq.
Effective January 1, 2006
Public purpose to prevent identity theft

The New Jersey Act Defines “Personal Information” as:
• A person’s last name and first name (or initial)
• PLUS – One or more of the following:
– social security number
– driver’s license number
– state identification number
– account information related to debit or credit cards, including any password or access codes

Mechanism: New Jersey Act
– restricts a company’s use, retention and destruction of an individual’s personal information
– establishes notice requirements applicable to employers when personal information is improperly accessed or disclosed

Broad Definitions, Broad Reach
• “Customer” includes any individual who provides personal information to a business
• “Business” is a sole proprietorship, partnership, corporation, association, or any other entity

What Types of Records Are Subject to the Act?
• In the workplace, common documents that would contain personal information include:
– job applications
– health benefits forms/ID cards
– retirement/401k account cards
– I-9 Employment Eligibility Verification forms
– direct deposit authorization forms
– credit reports
– background checks

How Does the Act Work?
• Limits Use and Display of Social Security Numbers
– cannot publicly post or display a SSN (in full or any 4 or more consecutive numbers)
– cannot print a SSN on materials to be mailed to an individual unless required by law
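As an added example that is not part of the presentation, the following Python check tests rendered text (a badge, a pay stub, a web page) against the display rule as this slide states it: no SSN in full and no run of four or more consecutive digits taken from it. The function names, the constructed sample SSN 123-45-6789 and the sample strings are assumptions of this example, not statutory language.

```python
# Added example, not part of the presentation. Implements the SSN display rule
# as the slide states it: an SSN may not be publicly posted or displayed in full
# or as any run of four or more consecutive digits taken from it. Function
# names, the constructed SSN and the sample text are this example's own.
import re


def _digits(s: str) -> str:
    """Keep only digits, so '123-45-6789' and '123 45 6789' compare equal."""
    return re.sub(r"\D", "", s)


def ssn_fragments(ssn: str, min_len: int = 4) -> set:
    """Every run of min_len or more consecutive digits taken from the SSN.

    For a nine-digit SSN and min_len=4 that is 21 strings, from each
    four-digit window up to the full number.
    """
    d = _digits(ssn)
    if len(d) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return {d[i:j] for i in range(9) for j in range(i + min_len, 10)}


def exposed_fragments(text: str, ssn: str) -> list:
    """SSN fragments that appear in text, longest first.

    Digit runs in the text are compared after separators (dash, space) are
    stripped, so '67-89' still matches. The check is deliberately
    conservative: any digit run that happens to contain four consecutive
    SSN digits (for example a coincidental year) is reported.
    """
    frags = ssn_fragments(ssn)
    hits = set()
    for run in re.findall(r"\d(?:[\s-]?\d)+", text):
        r = _digits(run)
        hits.update(f for f in frags if f in r)
    return sorted(hits, key=lambda f: (-len(f), f))


def display_allowed(text: str, ssn: str) -> bool:
    """True if text shows no run of four or more consecutive SSN digits."""
    return not exposed_fragments(text, ssn)


def masked_for_display(ssn: str, keep: int = 3) -> str:
    """Mask an SSN so that at most `keep` trailing digits remain.

    The common 'last four' mask fails the rule as stated, because the last
    four digits are themselves four consecutive SSN digits; the default
    keeps three.
    """
    if not 0 <= keep <= 3:
        raise ValueError("keep must be between 0 and 3 to satisfy the rule")
    d = _digits(ssn)
    if len(d) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    body = "*" * (9 - keep) + d[9 - keep:]
    return f"{body[:3]}-{body[3:5]}-{body[5:]}"


if __name__ == "__main__":
    SSN = "123-45-6789"  # constructed sample value, not a real SSN
    for sample in ("Badge ends in 789", "Account ending in 6789",
                   "Employee ID 123-45-6789", masked_for_display(SSN)):
        print(f"{sample!r:32} allowed={display_allowed(sample, SSN)} "
              f"exposed={exposed_fragments(sample, SSN)}")
```

The same check applies to the mailing restriction on the slide, where the test is stricter (no SSN at all unless required by law), so there `exposed_fragments` with `min_len` lowered is the conservative choice.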

How Does the Act Work?
• Requires Timely Destruction of Records Containing “Personal Information” to render them
– Unreadable
– Indecipherable
– Nonreconstructable

How Does the Act Work?
• Imposes notification requirement if electronic files containing personal information are breached:
– To New Jersey State Police (before notice to customer/employee)
– To customers/employees who are New Jersey residents who are affected by breach
– If > 1000 individuals are affected, to all consumer reporting agencies

A Private Right of Action
Willful failure to comply with restrictions on use of Social Security numbers actionable as an unlawful practice under New Jersey’s Consumer Protection Statutes (NJSA C.56:11-38 and 39)

Patchwork of State Legislation
• Understanding the “Trigger Event” for Notification
• “Reasonable likelihood of harm or identity theft” to the individuals whose personal information has been exposed?
• Notice – “without unreasonable delay”?

New York: Confidentiality of Social Security Account Numbers
N.Y. Gen. Bus. § 399-dd
Effective January 1, 2008
Public purpose to protect privacy and integrity of data

New York: Disposal of Personal Records Law
N.Y. Gen. Bus. § 399-h
Effective December 4, 2006
Public purpose to protect personal and confidential information by requiring proper disposal of records

OREGON’S LAW
• Oregon’s new law requires businesses that maintain personal information on Oregon residents to:
– Designate a security officer
– Conduct a risk assessment and train employees in security policies and procedures
– Require vendors and other service providers to maintain adequate security
– Update their security programs over time
– Implement safeguards and properly dispose of personal information
• Compliance will satisfy many other states’ laws.

Suggestions for Compliance
– Employers should update their internal policies and/or employee handbooks to comply with relevant statutes
– Publish a policy prohibiting dissemination of personal information
– Define confidential information and forbid collection of confidential information that is unnecessary

Suggestions for Compliance (cont’d)
– Establish a confidentiality policy that limits employee access to personal information to those with a need to know
– Store hard copies of personnel records in a secure location with limited access, ideally monitored access
– Train employees who have access to personal information about proper use and handling of such information

Suggestions for Compliance (cont’d)
– Examine current computer systems and install safeguards to protect against access to information by unauthorized individuals
– Implement appropriate software/encryption to protect against computer viruses, unauthorized access to computer networks, and similar on-line or electronic invasions of electronic data storage
– Review and modify document retention policies as appropriate

Suggestions for Compliance (cont’d)
– Establish and implement notice procedures in the event of a security breach
– Consider outsourcing to shredding companies with a written contract

Union Issues
• Employers must be careful not to draft overbroad privacy and confidentiality policies
• Employers have a duty to provide a Union with requested information that is necessary to fulfill its duty as a bargaining representative
• Confidentiality Agreements and negotiation of same

Jane Doe v. XYC Corporation
New Jersey Appellate Division
December 2005
• Employees’ known or suspected illegal activities impose new duty on employers:
– Investigate
– Act to stop conduct
– Report conduct to the authorities
– Prevent harm to third parties

Facts
• Somerset County employer with 250 employees
• Computer specialists discover employee accessing pornographic websites with company computer
• No further investigation done over two year period
• Complaints from supervisors and co-workers
• IT Manager confirms employee’s access, including one site with name suggesting child pornography, but does not access those sites
• Employee instructed to stop unauthorized actions

Facts (Cont’d)
• Supervisor discovers renewed activities but takes no action
• Employee arrested on child pornography charges
• Videotape and photos of 10 year old stepdaughter recently had been transmitted to child pornography website from company computer
• More than 1,000 pornographic images downloaded to company computer

Lawsuit Against Employer
• Employee’s wife, and mother of child, files suit against employer in February 2004, claiming:
– Employer knew or should have known of employee’s conduct
– Employer had a duty to report actions to authorities for workplace crimes
– Employer breached that duty, enabling employee to continue activities
– Stepdaughter harmed by resultant molestation and photography
– Money damages for resulting harm (treatment and care)

Appellate Division Analysis
• Did the employer have the ability to monitor its employee’s use of the Internet?
– YES because:
• Employer had already conducted limited investigation of activities
• Employer had software that allowed regular monitoring
• Employer could have kept a log of sites visited by the employee

Appellate Division Analysis (Cont’d)
• Did the employer have the right to monitor his activities?
– Yes, because:
• Written company policy permitted it
• Employee had no reasonable expectation of privacy

Appellate Division Analysis (Cont’d)
• Did the employer know, or should it have known, that the employee was using its equipment for an illegal purpose?
– Yes, because:
• Employees complained of activities
• Supervisory personnel confirmed access to porn sites
• More thorough investigation would uncover child pornography access

Appellate Division Analysis (Cont’d)
• Did the employer have responsibility for employee’s conduct outside the scope of employment?
– Yes: Employer can be held responsible for damages caused by criminal conduct if:
1) the employee engages in the conduct on the employer’s premises
2) the employee uses the employer’s equipment
3) the employer has the ability to control the conduct
4) the employer knows or should know there is a reason to exercise control

Appellate Division Analysis (Cont’d)
• Where did XYC Corp. go wrong?
– Should have conducted immediate and thorough investigation
– Could have terminated the employee
– Should have reported activities to law enforcement authorities
– Breached dual duties:
• public policy against possession or viewing child pornography
• obligation as employer to prevent its employee from intentionally harming others or creating unreasonable risk of bodily harm to them

Policy Drafting Consideration
• Employers should warn employees that their electronic communications may be disclosed to law enforcement authorities if they create a suspicion of criminal conduct

Other Privacy Issues:
• Searches in the workplace
• CEPA – public policy
• FACTA and background checks
• ADA and medical information
• Negligent Hiring & Negligent References

What Privacy? Personal Conduct
• Executives Resigning over Personal Conduct Violation

October 2007 Icle Presentation Final

  • 6. 6 Thirty-Nine States Have StatutesThirty-Nine States Have Statutes • Private right of action in many statesPrivate right of action in many states • Most require documentation of stepsMost require documentation of steps taken to implement data securitytaken to implement data security practices (Policies and Procedures)practices (Policies and Procedures)
  • 7. 7 New Jersey: Identity TheftNew Jersey: Identity Theft Prevention ActPrevention Act N.J.S.A.N.J.S.A. 56:11-4456:11-44 et seq.et seq. Effective January 1, 2006Effective January 1, 2006 Public purpose to prevent identity theftPublic purpose to prevent identity theft
  • 8. 8 The New Jersey Act DefinesThe New Jersey Act Defines “Personal Information” as:“Personal Information” as: • A person’s last name and first name (or initial)A person’s last name and first name (or initial) • PLUSPLUS – One or more of the following:– One or more of the following: – social security numbersocial security number – driver’s license numberdriver’s license number – state identification numberstate identification number – account information related to debit or credit cards,account information related to debit or credit cards, including any password or access codesincluding any password or access codes
  • 9. 9 Mechanism:Mechanism: New Jersey ActNew Jersey Act – restricts a company’s use, retention andrestricts a company’s use, retention and destruction of an individual’s personaldestruction of an individual’s personal informationinformation – establishes notice requirements applicable toestablishes notice requirements applicable to employers when personal information isemployers when personal information is improperly accessed or disclosedimproperly accessed or disclosed
  • 10. 10 Broad Definitions, Broad ReachBroad Definitions, Broad Reach • ““CustomerCustomer” includes any individual who” includes any individual who provides personal information to a businessprovides personal information to a business • ““BusinessBusiness” is a sole proprietorship,” is a sole proprietorship, partnership, corporation, association, or anypartnership, corporation, association, or any other entityother entity
  • 11. 11 What Types of RecordsWhat Types of Records Are Subject to the Act?Are Subject to the Act? • In the workplace, common documents that wouldIn the workplace, common documents that would contain personal information include:contain personal information include: – job applicationsjob applications – health benefits forms/ID cardshealth benefits forms/ID cards – retirement/401k account cardsretirement/401k account cards – I-9 Employment Eligibility Verification formsI-9 Employment Eligibility Verification forms – direct deposit authorization formsdirect deposit authorization forms – credit reportscredit reports – background checksbackground checks
  • 12. 12 How Does the Act Work?How Does the Act Work? • Limits Use and Display of Social SecurityLimits Use and Display of Social Security NumbersNumbers – cannot publicly post or display a SSN (in full orcannot publicly post or display a SSN (in full or any 4 or more consecutive numbers)any 4 or more consecutive numbers) – cannot print a SSN on materials to be mailed tocannot print a SSN on materials to be mailed to an individual unless required by lawan individual unless required by law
  • 13. 13 How Does the Act Work?How Does the Act Work? • Requires Timely Destruction of RecordsRequires Timely Destruction of Records Containing “Personal Information” toContaining “Personal Information” to render themrender them – UnreadableUnreadable – IndecipherableIndecipherable – NonreconstructableNonreconstructable
  • 14. 14 How Does the Act Work?How Does the Act Work? • Imposes notification requirement if electronic filesImposes notification requirement if electronic files containing personal information are breached:containing personal information are breached: - To New Jersey State Police (before notice to- To New Jersey State Police (before notice to customer/employee)customer/employee) - To customers/employees who are New Jersey- To customers/employees who are New Jersey residents who are affected by breachresidents who are affected by breach - If > 1000 individuals are affected, to all- If > 1000 individuals are affected, to all consumer reporting agenciesconsumer reporting agencies
  • 15. 15 A Private Right of ActionA Private Right of Action Willful failure to comply withWillful failure to comply with restrictions on use of Social Securityrestrictions on use of Social Security numbers actionable as an unlawfulnumbers actionable as an unlawful practice under New Jersey’spractice under New Jersey’s Consumer Protection StatutesConsumer Protection Statutes (NJSA C.56:11-38 and 39)(NJSA C.56:11-38 and 39)
  • 16. 16 Patchwork of State LegislationPatchwork of State Legislation • Understanding the “Trigger Event” forUnderstanding the “Trigger Event” for NotificationNotification • ““Reasonable likelihood of harm or identityReasonable likelihood of harm or identity theft” to the individuals whose personaltheft” to the individuals whose personal information has been exposed?information has been exposed? • Notice – “without unreasonable delay”?Notice – “without unreasonable delay”?
  • 17. 17 New York: Confidentiality ofNew York: Confidentiality of Social Security Account NumbersSocial Security Account Numbers N.Y. Gen. Bus.N.Y. Gen. Bus. § 399-dd§ 399-dd Effective January 1, 2008Effective January 1, 2008 Public purpose to protect privacy andPublic purpose to protect privacy and integrity of dataintegrity of data
  • 18. 18 New York: Disposal of PersonalNew York: Disposal of Personal Records LawRecords Law N.Y. Gen. Bus.N.Y. Gen. Bus. § 399-h§ 399-h Effective December 4, 2006Effective December 4, 2006 Public purpose to protect personal andPublic purpose to protect personal and confidential information by requiring properconfidential information by requiring proper disposal of recordsdisposal of records
  • 19. 19 OREGON’S LAWOREGON’S LAW • Oregon’s new law requires businesses that maintainOregon’s new law requires businesses that maintain personal information on Oregon residents to:personal information on Oregon residents to: – Designate a security officerDesignate a security officer – Conduct a risk assessment and train employees in security policiesConduct a risk assessment and train employees in security policies and proceduresand procedures – Require vendors and other service providers to maintain adequateRequire vendors and other service providers to maintain adequate securitysecurity – Update their security programs over timeUpdate their security programs over time – Implement safeguards and properly dispose of personalImplement safeguards and properly dispose of personal informationinformation • Compliance will satisfy many other states laws.Compliance will satisfy many other states laws.
  • 20. 20 Suggestions for ComplianceSuggestions for Compliance – Employers should update their internal policies and/orEmployers should update their internal policies and/or employee handbooks to comply with relevant statutesemployee handbooks to comply with relevant statutes – Publish a policy prohibiting dissemination of personalPublish a policy prohibiting dissemination of personal informationinformation – Define confidential information and forbid collection ofDefine confidential information and forbid collection of confidential information that is unnecessaryconfidential information that is unnecessary
  • 21. 21 Suggestions for ComplianceSuggestions for Compliance (cont’d)(cont’d) – Establish a confidentiality policy that limits employeeEstablish a confidentiality policy that limits employee access to personal information to those with a need toaccess to personal information to those with a need to knowknow – Store hard copies of personnel records in a secureStore hard copies of personnel records in a secure location with limited access, ideally monitored accesslocation with limited access, ideally monitored access – Train employees who have access to personalTrain employees who have access to personal information about proper use and handling of suchinformation about proper use and handling of such informationinformation
  • 22. 22 Suggestions for ComplianceSuggestions for Compliance (cont’d)(cont’d) -- Examine current computer systems and installExamine current computer systems and install safeguards to protect against access to information bysafeguards to protect against access to information by unauthorized individualsunauthorized individuals – Implement appropriate software/encryption to protectImplement appropriate software/encryption to protect against computer viruses, unauthorized access toagainst computer viruses, unauthorized access to computer networks, and similar on-line or electroniccomputer networks, and similar on-line or electronic invasions of electronic data storageinvasions of electronic data storage – Review and modify document retention policies asReview and modify document retention policies as appropriateappropriate
  • 23. 23 Suggestions for ComplianceSuggestions for Compliance (cont’d)(cont’d) – Establish and implement notice procedures in the eventEstablish and implement notice procedures in the event of a security breachof a security breach – Consider outsourcing to shredding companies with aConsider outsourcing to shredding companies with a written contractwritten contract
  • 24. 24 Union IssuesUnion Issues • Employers must be careful not to draft overbroadEmployers must be careful not to draft overbroad privacy and confidentiality policiesprivacy and confidentiality policies • Employers have a duty to provide a Union withEmployers have a duty to provide a Union with requested information that is necessary to fulfill itsrequested information that is necessary to fulfill its duty as a bargaining representativeduty as a bargaining representative • Confidentiality Agreements and negotiation ofConfidentiality Agreements and negotiation of samesame
  • 25. 25 Jane Doe v. XYC CorporationJane Doe v. XYC Corporation New Jersey Appellate DivisionNew Jersey Appellate Division December 2005December 2005 • Employees’ known or suspected illegalEmployees’ known or suspected illegal activities impose new duty on employers:activities impose new duty on employers: – IInvestigatenvestigate – AAct to stop conductct to stop conduct – RReport conduct to the authoritieseport conduct to the authorities – PPrevent harm to third partiesrevent harm to third parties
  • 26. 26 FactsFacts • Somerset County employer with 250 employeesSomerset County employer with 250 employees • Computer specialists discover employee accessingComputer specialists discover employee accessing pornographic websites with company computerpornographic websites with company computer • No further investigation done over two year periodNo further investigation done over two year period • Complaints from supervisors and co-workersComplaints from supervisors and co-workers • IT Manager confirms employee’s access, including oneIT Manager confirms employee’s access, including one site with name suggesting child pornography, but does notsite with name suggesting child pornography, but does not access those sitesaccess those sites • Employee instructed to stop unauthorized actionsEmployee instructed to stop unauthorized actions
  • 27. 27 FactsFacts (Cont’d)(Cont’d) • Supervisor discovers renewed activities but takesSupervisor discovers renewed activities but takes no actionno action • Employee arrested on child pornography chargesEmployee arrested on child pornography charges • Videotape and photos of 10 year old stepdaughterVideotape and photos of 10 year old stepdaughter recently had been transmitted to childrecently had been transmitted to child pornography website from company computerpornography website from company computer • More than 1,000 pornographic imagesMore than 1,000 pornographic images downloaded to company computerdownloaded to company computer
  • 28. 28 Lawsuit Against EmployerLawsuit Against Employer • Employee’s wife, and mother of child, files suit againstEmployee’s wife, and mother of child, files suit against employer in February 2004, claiming:employer in February 2004, claiming: – EmployerEmployer knew or should have knownknew or should have known of employee’s conductof employee’s conduct – Employer had aEmployer had a dutyduty to report actions to authorities for workplaceto report actions to authorities for workplace crimescrimes – EmployerEmployer breachedbreached that duty, enabling employee to continuethat duty, enabling employee to continue activitiesactivities – StepdaughterStepdaughter harmedharmed by resultant molestation and photographyby resultant molestation and photography – MoneyMoney damagesdamages for resulting harm (treatment and care)for resulting harm (treatment and care)
  • 29. 29 Appellate Division AnalysisAppellate Division Analysis • Did the employer have theDid the employer have the abilityability to monitorto monitor its employee’s use of the Internet?its employee’s use of the Internet? – YES because:YES because: • Employer had already conducted limited investigationEmployer had already conducted limited investigation of activitiesof activities • Employer had software that allowed regular monitoringEmployer had software that allowed regular monitoring • Employer could have kept a log of sites visited by theEmployer could have kept a log of sites visited by the employeeemployee
  • 30. 30 Appellate Division AnalysisAppellate Division Analysis (Cont’d)(Cont’d) • Did the employer have theDid the employer have the rightright to monitorto monitor his activities?his activities? – Yes, because:Yes, because: • Written company policy permitted itWritten company policy permitted it • Employee had no reasonable expectation of privacyEmployee had no reasonable expectation of privacy
  • 31. 31 Appellate Division AnalysisAppellate Division Analysis (Cont’d)(Cont’d) • Did the employerDid the employer know, or should it haveknow, or should it have known,known, that the employee was using its equipmentthat the employee was using its equipment for an illegal purpose?for an illegal purpose? – Yes, because:Yes, because: • Employees complained of activitiesEmployees complained of activities • Supervisory personnel confirmed access to pornSupervisory personnel confirmed access to porn sitessites • More thorough investigation would uncover childMore thorough investigation would uncover child pornography accesspornography access
  • 32. 32 Appellate Division AnalysisAppellate Division Analysis (Cont’d)(Cont’d) • Did the employer haveDid the employer have responsibilityresponsibility for employee’sfor employee’s conduct outside the scope of employment?conduct outside the scope of employment? – Yes: Employer can be held responsible for damagesYes: Employer can be held responsible for damages caused by criminal conduct if:caused by criminal conduct if: 1)1) the employee engages in the conduct on the employer’sthe employee engages in the conduct on the employer’s premisespremises 2)2) the employee uses the employer’s equipmentthe employee uses the employer’s equipment 3)3) the employer has the ability to control the conductthe employer has the ability to control the conduct 4)4) the employer knows or should know there is a reason tothe employer knows or should know there is a reason to exercise controlexercise control
  • 33. 33 Appellate Division AnalysisAppellate Division Analysis (Cont’d)(Cont’d) • Where did XYC Corp. go wrong?Where did XYC Corp. go wrong? – Should have conducted immediate and thoroughShould have conducted immediate and thorough investigationinvestigation – Could have terminated the employeeCould have terminated the employee – Should have reported activities to law enforcementShould have reported activities to law enforcement authoritiesauthorities – Breached dual duties:Breached dual duties: • public policy against possession or viewing child pornographypublic policy against possession or viewing child pornography • obligation as employer to prevent its employee fromobligation as employer to prevent its employee from intentionally harming others or creating unreasonable risk ofintentionally harming others or creating unreasonable risk of bodily harm to thembodily harm to them
  • 34. 34 Policy Drafting ConsiderationPolicy Drafting Consideration • Employers should warn employees thatEmployers should warn employees that their electronic communications may betheir electronic communications may be disclosed to law enforcement authorities ifdisclosed to law enforcement authorities if they create a suspicion of criminal conductthey create a suspicion of criminal conduct
  • 35. 35 Other Privacy Issues:Other Privacy Issues: • Searches in the workplaceSearches in the workplace • CEPA – public policyCEPA – public policy • FACTA and background checksFACTA and background checks • ADA and medical informationADA and medical information • Negligent Hiring & Negligent ReferencesNegligent Hiring & Negligent References
  • 36. 36 What Privacy?What Privacy? Personal ConductPersonal Conduct • Executives Resigning over PersonalExecutives Resigning over Personal Conduct ViolationConduct Violation
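The display restriction on slide 12 (no SSN shown in full, and no run of 4 or more consecutive SSN digits) is easy to get wrong in practice, because the familiar "last four" mask is itself a run of four. The following Python check is added here as an example and is not part of the original presentation: it masks an SSN to at most three trailing digits and scans outbound text for digit runs that would breach the rule as the slide states it; the function names and the sample SSN are constructed for the example.

```python
import re
from typing import List

# Added example: implements the display rule quoted on slide 12 (no SSN
# shown in full, no run of 4 or more consecutive SSN digits). Not part of
# the original presentation; helper names and sample values are constructed.

MIN_REVEAL = 4  # shortest run of consecutive SSN digits the slide says may not be displayed


def normalize_ssn(ssn: str) -> str:
    """Return the 9 digits of an SSN, accepting '123-45-6789' or '123456789'."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN must contain exactly 9 digits")
    return digits


def mask_ssn(ssn: str, keep_last: int = 3) -> str:
    """Mask an SSN for display, e.g. '***-**-*789'.

    keep_last is capped below MIN_REVEAL: the familiar 'last four' display is
    itself a run of 4 consecutive SSN digits and so would break the rule.
    """
    if not 0 <= keep_last < MIN_REVEAL:
        raise ValueError(f"keep_last must be between 0 and {MIN_REVEAL - 1}")
    digits = normalize_ssn(ssn)
    masked = "*" * (9 - keep_last) + digits[9 - keep_last:]
    return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"


def revealed_runs(text: str, ssn: str) -> List[str]:
    """Return each digit run in text (MIN_REVEAL digits or longer) that is a
    consecutive substring of the SSN, reporting the longest match per token.

    Separators inside a token are ignored, so '***-**-6789' and '6789' are
    treated alike. A badge or account number that happens to share 4 digits
    with the SSN is reported too; the check is deliberately conservative.
    """
    digits = normalize_ssn(ssn)
    hits: List[str] = []
    for token in text.split():
        run = re.sub(r"\D", "", token)
        for length in range(len(run), MIN_REVEAL - 1, -1):
            windows = [run[i:i + length] for i in range(len(run) - length + 1)]
            matches = [w for w in windows if w in digits]
            if matches:
                hits.extend(matches)
                break  # a longer match was found; its shorter pieces are redundant
    return hits


def display_reveals_ssn(text: str, ssn: str) -> bool:
    """True if text would display the SSN in a way the slide-12 rule forbids."""
    return bool(revealed_runs(text, ssn))


if __name__ == "__main__":
    sample = "123-45-6789"  # constructed value, not a real SSN
    print(mask_ssn(sample))                                   # ***-**-*789
    print(revealed_runs("Re: employee ***-**-*789", sample))  # []
    print(revealed_runs("Last four on file: 6789", sample))  # ['6789']
```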