Lock It Up (Encrypt)

In honor of National Cybersecurity Awareness Month, we’re sharing our top practical tips for small businesses to keep their data secure.  Tip #1 is encryption.  The National Institute of Standards and Technology (NIST) defines encryption as “the process of transforming plaintext into ciphertext using a cryptographic algorithm and key.”  In plain terms, encryption is the process of securing data by using a digital lock and key. 

The premise behind encryption is pretty simple.  If you want to keep private papers from prying eyes, how would you do it?  You could put the papers in a safe.  Only someone who knows the combination to the safe can open it and access the papers inside.  Encryption does the same thing to data, except using digital methods.  Encryption essentially “locks” data by scrambling it so it becomes unintelligible to anyone who doesn’t have the “key” necessary to unscramble it.  The idea is that scrambled data is useless to anyone who can’t unscramble it.  It doesn’t matter if the encrypted data falls into the hands of a hacker or is released to the public due to a data security breach.  Data that looks like gibberish isn’t very useful.

Understanding this principle is the key to minimizing legal liability under data privacy laws.  Take Hawaii’s data breach notification law, for example.  The breach notification requirements of Hawaii Revised Statutes chapter 487N-2 apply when a “security breach” has occurred.  The term “security breach” refers to “an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.”  Did you catch the reference to “unencrypted” records?  If data that is the subject of a breach incident acquisition is encrypted, then a “security breach” did not happen for purposes of HRS 487N-2, and compliance with the breach notification requirements of the statute is unnecessary.

The California Consumer Privacy Act (CCPA) that will take effect on January 1, 2020 is another example.  A business can be sued by a consumer whose “nonencrypted or nonredacted personal information” is subject to unauthorized access and is copied, transferred, stolen, or disclosed due to the business’s failure to use reasonable security procedures.   Want to reduce exposure to private lawsuits under the CCPA?  Encrypt consumer data.

The General Data Protection Regulation (GDPR) isn’t quite as black-and-white in carving out liability for encrypted data, but the law certainly incentivizes encryption.  For example, Article 34 of the GDPR provides a safe harbor from the data breach notifications where “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”  (Emphasis added.)  While encryption won’t guarantee exemption from the GDPR’s data breach notification requirements, failure to encrypt data almost certainly would trigger the requirements.

It should be fairly obvious by now that encrypting sensitive data is a highly recommended, if not mandatory, cybersecurity measure.  How encryption fits into your cybersecurity program depends on your organization’s IT system, the type of data at issue, operational needs, and cost, among other factors.  Encryption can be deployed at different stages of the data lifecycle.  Encryption can also be paired with other data security practices such as pseudonymization and anonymization.  Consult a cybersecurity expert and privacy lawyer to determine how best to use encryption to secure your data and minimize legal liability.

A sea change in data protection law in the European Union (EU) is about to take place, and your organization doesn’t have to be based in the EU to feel its impact.  The General Data Protection Regulation (GDPR) will take effect on May 25, 2018.  The GDPR applies not just to EU Member States, but also to U.S. organizations with EU-based employees.  Any U.S. organization that has a branch, office, affiliate, franchise, or agent based in the EU should check if it must comply with the GDPR.  Failure to comply with the GDPR can lead to fines of up to 20 million euros or 4% of annual global turnover (revenue), whichever is higher.

The GDPR regulates how “personal data” of EU citizens is collected, stored, processed, and destroyed.  The GDPR definition of “personal data” has a broader meaning than how U.S. laws usually define the term.  In addition to typical identifying information (e.g., name, address, driver’s license number, date of birth, phone number, or email address), “personal data” under the GDPR includes more expansive categories of data such as salary information, health records, and online identifiers (dynamic IP addresses, cookie identifiers, mobile device IDs, etc.).  The GDPR also provides heightened levels of protection for special categories of employee data, including racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data.

The GDPR has wide-ranging effects on data collection, use, and retention.  Some of the data practices regulated by the GDPR include:

  • Data processing – Consent is one legitimate basis for processing personal data of employees, but the GDPR requires that consent be freely-given, specific, informed, and revocable. This means most blanket consent provisions typically found in employment contracts are not valid.  If obtaining consent according to GDPR requirements isn’t practical, an employer might need to rely on other legal bases for processing employee data.  Processing employee data is legal if it is necessary for the performance of the employment contract, required by law, or in the employer’s legitimate interests which outweigh the general privacy rights of employees.
  • Employee monitoring – The GDPR limits what employers may do with data obtained through employee monitoring.
  • Notification – The GDPR specifies what information employers must include in notices informing employees about the kind of personal data that will be collected from them.
  • Right to be forgotten – Under certain circumstances, data subjects have the right to require data controllers to erase their personal data.
  • Data portability – A person is entitled to transfer their personal data from one electronic processing system to another without being prevented from doing so by the data controller.
  • Data breach – The GDPR governs the procedures and substantive requirements for giving notification of a personal data breach.

Now is the time to revisit your employment contracts and policies with privacy counsel to ensure compliance with the GDPR.

A recent National Labor Relations Board Shore Point Advisory Letter gives a bit of good news to employers who want to use modern monitoring technology to monitor employees that they suspect are breaking work rules. On November 2, 2015, the NLRB concluded that an alcoholic beverage distributor (Shore Point) did not violate labor laws by failing to negotiate with its employees’ union before installing a GPS tracking device on an employee’s company truck. Shore Point suspected that the employee was stealing time while on his work routes. Shore Point’s collective bargaining agreement contains rules against stealing time.

Shore Point hired a private investigator to follow the employee to collect evidence for disciplinary purposes, an established practice the union had not objected to in the past. The investigator placed a GPS tracking device on the employee’s truck to maintain and regain visual contact.  The GPS was only installed on the employee’s vehicle on the days when the investigator was following the employee, and was used as a backup method in case the investigator lost visual sight of the employee and his truck. Based on the investigator’s observations of the employee engaging in misconduct, Shore Point terminated the employee. The union filed a charge alleging that the employer unilaterally engaged in electronic surveillance without bargaining in violation of the National Labor Relations Act.

The NLRB determined that Shore Point did not have an obligation to bargain over the installation and use of the GPS device. Although the use of the device was a mandatory subject of bargaining, it did not amount to a material, substantial, and significant change in the terms and conditions of employment.  Shore Point had an existing practice of using a personal investigator to monitor employees suspected of misconduct. Using a GPS tracking device was just “a mechanical method to assist in the enforcement of an established policy,” and therefore was not a material, substantial, or significant change in policy.  The NLRB also noted that the GPS device only added to information that the private investigator had collected through personal observation, did not increase the likelihood of employee discipline, and did not provide an independent basis for termination.

At least two lessons can be learned from this case. First, when crafting employee work rules subject to bargaining, build in flexibility to allow for use of technological advances in enforcement methods. Second, disciplinary action against an employee should be supported with various types of evidence if possible. Just relying on evidence collected with a controversial or untested method is risky because if the use of the method is determined unlawful, the basis for the disciplinary action disappears.

The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.

The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information.   Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.

Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed of help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.

Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work.  Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.

If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.

Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.

Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.

“Smile, you’re on Candid Camera.”  Originally coined on the eponymous TV show, that catchphrase is becoming more of a common refrain in the workplace.  Any employee with a smartphone can easily record an office conversation in secret.  But are such covert recordings legal?  And what control, if any, does management have over the making of such recordings?

The Law of Recording Face-to-Face Conversations

A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations.  This rule authorizes the recording of a conversation as long as one person in the conversation consents.  The consenting party can also be the person recording the conversation.  Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.

Most other states require the consent of all participants in the conversation.  Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.

Workplace Bans on Covert Recordings

Even if covert recordings are legal, management may regulate the practice if done so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA).  A recent National Labor Relations Board decision illustrates this.  Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013).  The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval.  The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”

The administrative law judge (ALJ) in the case upheld the policy.  The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right.  The policy was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters.  The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace.  The policy regulated a means of communication as opposed to the protected activity itself.  It also did not prohibit employees from making recordings during non-work time.  The policy therefore did not violate Section 7 rights.

Takeaways

The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:

  • Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
  • Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
  • Does the rule allow employees to make recordings during non-work hours?

A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.
