Safeguarding Confidential Employee Records

Because information has become increasingly easy to obtain and transfer, employers must take precautionary measures to ensure that confidential data is adequately protected. This applies not just to proprietary business information, but also to confidential employee data.

This article provides an overview of statutory, constitutional and common law concerns with res-pect to obtaining and maintaining confidential employee information, and penalties that employers may face for failing to protect the security of confidential employee records.

State Privacy Statutes

Many states have enacted laws requiring businesses that maintain computerized data including personal information to notify individuals of security breaches and unauthorized access to their personal information. (States with such security breach notification statutes include: Arkansas, California, Connecticut, Delaware, Florida, Illinois, Louisiana, Minnesota, Montana, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas and Washington.) The California Security Breach Notification Act of 2003 (the California Act), Cal. Civ. Code '1798.80 et seq., was the first such law to be enacted, and precipitated similar statutes in sister states. The majority of state security breach notification statutes are modeled after the California Act. Accordingly, we outline the California Act while highlighting key differences in sister state statutes.

The California Act provides in part that any individual or entity conducting business in California owning or licensing computerized data systems including 'personal information' must expediently disclose system security breaches to any California resident whose personal information was, or is believed to have been, acquired by an unauthorized person. Cal. Civ. Code '1798.82. This includes information pertaining to both customers and employees. For this purpose, a system security breach is an 'unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business.' Id. It is noteworthy that North Carolina is the only state that currently provides a similar level of statutory protection for non-electronic records, in addition to computerized information. See, N.C. Gen. Stat. '75-65(a).

Pursuant to the California Act, 'personal information' includes names when combined with one or more identifying factors, such as a social security number, driver's license number, California Identification Card number, account number or credit or debit card number (when in combination with a required security code). Cal. Civ. Code '1798.82(a), (b). While the definition of personal information in most state statutes is similar to that of the California Act, certain states also include medical information within the definition of personal information. See, eg, Ark. Code Ann. '4-110-103(7); Fla. Stat. ch. 817.5681(f).

While notification of a security breach is a key component of all state statutes, many states eliminate or delay the notification requirement if a law enforcement agency has determined that such notification will impede a criminal investigation, or has investigated or consulted on the matter and concluded that the security breach does not pose a significant risk of identity theft to those whose personal information has been acquired. (See, eg, Fla. Stat. Ann. '817.5681(3); Minn. Stat. '325E.61(c); N.D. Cent. Code '51-30-04; Pa. Stat. Tit. 73, '2304; R.I. Gen. Laws '11-49.2-4; Tex. Bus. & Com. Code '48.103(d); Wash. Rev. Code. '19.255.010(3).)

The various state statutes differ in their enforcement provisions and penalties for noncompliance. The California Act provides for private civil remedies for individuals who have been harmed by a breach of the act. Cal. Civ. Code '1798.84(b). A violation of certain state security breach statutes may result in criminal penalties and/or enforcement by the state attorney general. (See, eg, Ark. Code '4-88-103, 104; Conn. Gen. Stat. '42-110b; Minn. Stat. '8.31; Pa. Stat. Tit. 73, '2308.) Other state statutes permit civil remedies and damages. (See, eg, Conn. Gen. Stat. '42-110f, '42-110g; La. Rev. Stat. Ann. '51:3075; N.D. Cent. Code '51-30-07; Pa. Stat. Tit. 73, '2308; R.I. Gen. Laws '11-49.2-6; Tenn. Code Ann. '47-18-2107(h); Wash. Rev. Code. '19.
255.010(10).) Finally, some state statutes impose fines upon violators. (See, eg, Fla. Stat. ch. 817.5681(2)-(10); R.I. Gen. Laws '11-49.2-6; Tex. Bus. & Com. Code '48.201.)

Any security breach or unauthorized access of electronic employee records that contain personal information comes within the scope of the California Act as well as the sister statutes. Employers should note the applicable state law(s) regarding security of records containing personal information and notification requirements in the event of a security breach. In addition to maintaining records in a manner designed to prevent unauthorized access, employers should develop plans for timely notification to impacted individuals in the event of a security compromise. (See, www.privacy.ca.gov/recommendations/secbreach.pdf for CA notification guidelines.)

State Constitutional Concerns

Several states have constitutional privacy provisions that apply to both public and private actors. See, eg, Cal. Const. art. I, '1; Haw. Const. art. I, '6; La. Const. Art. 1, '5. Here, too, the California constitutional privacy provision is exemplary. The California Constitution provides: 'All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.' Cal. Const. art. I, '1. In Hill v. NCAA, 865 P.2d 633, 644 (Cal. 1994), the California Supreme Court addressed whether an intrusion into privacy by a private actor violates the state constitutional right to privacy, and found that the constitutional privacy provision both applies to, and creates, a cause of action against private actors. While California has not yet adjudicated an action where a constitutional privacy claim was filed against an employer who failed to protect confidential employee records, such an action is possible under the California constitution ' as well as potentially under other state constitutions containing parallel provisions.

Common Law

Privacy Concerns

Employers should also note the potential for common-law invasion of privacy actions in the event of a breach in the security of confidential employee records. In such a case, an employer may be liable for the tort of intrusion upon seclusion. See, Restatement (Second) of Torts '652B. As opposed to other tort actions involving privacy, no publication is required to state a claim for intrusion upon seclusion. Rather, the mere intentional interference with the privacy interests of another gives rise to this cause of action.

Another tort for which an employer might be liable in the event of a security breach is publicity given to private life. See, Restatement (Second) of Torts '652D. While this tort requires publication, the threshold for the requirement is not stringent. This is exemplified by Bratt v. Int'l Bus. Machines, Corp., 392 Mass. 508 (Mass. 1984), an action involving, among other things, a breach of privacy claim by an employee. In Bratt, private facts regarding an employee were disclosed to several other employees of the same entity. Id. at 511-12. The Massachusetts Supreme Court found 'the disclosure of private facts about an employee through an intracorporate communication [to be] sufficient publication to impair an employee's right of privacy.' Id. at 509-10. Further, the court found that any conditional privilege held by the employer to disclose potentially defamatory personal information regarding the employee was lost if such publication did not further a legitimate business interest. Id. at 510.

Given recent high-profile breaches of personal information ' including those involving retail merchants, data processors, and even government agencies ' the issue of the security of personal information has been called to the attention of the public and the plaintiff's bar. Accordingly, employers should keep abreast of developments in the relationship between privacy-related torts and employee records, as well as be aware of the potential for tort actions for both intentional and unintentional breaches of confidential employee information.

Federal Statutes Protecting Employee Health Information

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. '1320d-1 et seq., creates privacy obligations for employers by
safeguarding the use of individually identifiable health information. To implement the privacy requirements for HIPAA, the Department of Health and Human Services established certain standards for privacy of individually identifiable health information (the Privacy Rules), 45 C.F.R. ' 160.102 et seq.

Pursuant to the Privacy Rules, 'protected health information' received by a 'covered entity' may not be used or disclosed other than in certain limited circumstances. For these purposes, a 'covered entity' includes health plans, health care clearinghouses, and health care providers. 45 C.F.R. '160.102(a). While employers are not specifically included in these regulations, HIPAA applies to employers operating in any of these capacities. 'Protected health information' means information created or received by a covered entity relating to the past, present or future physical or mental health or condition or the provision of or payment for health care that identifies the individual or reasonably could be used to identify the individual. Id. '160.103.

HIPAA prevents a covered entity from disclosing protected health information in any manner that is not specifically permitted or required by the statute. 45 C.F.R. '164.502(a). The statute permits disclosure of protected health information to the individual for treatment, payment or health care operations, or pursuant to an authorization or agreement. Id. HIPAA requires disclosure for certain government investigations and upon request of the individual. Id. In the event that protected health information is disclosed, a covered entity must make reasonable efforts to limit the information given to the minimum necessary to accomplish the intended
purpose of the use, disclosure or request. Id. '164.502(b). Restrictions are also placed upon the use of protected health information received by plan sponsors or employers from a covered entity. Specifically, plan sponsors and employers may not use protected health information for the purpose of employment related actions or decisions, and must take measures to adequately safeguard and restrict access to such information. Id. '164.504(f).

There is no express private cause of action for a HIPAA violation, and courts have consistently held there is no such implied right. See, Johnson v. Quander, 370 F. Supp. 2d 79, 100 (D.D.C. 2005); Logan v. VA, 357 F. Supp. 2d 149, 155 (D.D.C. July 28, 2004); O'Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1178 (D. Wyo. 2001); Brock v. Provident Am. Ins. Co., 144 F. Supp. 2d 652, 657 (N.D. Tex. 2001). Pursuant to HIPAA, the Secretary of Health and Human Services has the authority to pursue actions against HIPAA violators. 42 U.S.C. '1320d-5. The statute punishes wrongful disclosure of protected health information by fines and/or imprisonment. Id. '1320d-6(b).

The Americans With Disabilities Act

The Americans With Disabilities Act of 1990 (ADA), 42 U.S.C. '12101 et seq., limits the circumstances under which an employer may obtain health-related information from an employee or applicant, and also requires employers to secure and protect any such information received. Pursuant to the ADA, any information obtained by an employer regarding the medical condition or history of an employee or applicant must be maintained on separate forms, in separate medical files, and treated as a confidential medical record. 42 U.S.C. ”12112(d)(3)-(4). Such information may be disclosed only in limited circumstances, and then only as necessary to supervisors and managers, first-aid and safety personnel and certain government officials investigating ADA compliance. Id. Like the restrictions on medical inquiries, the ADA's restrictions on the use and retention of employee health information applies to all employees, not merely those with disabilities as defined by the ADA.

An individual, the attorney general or the EEOC may bring an action against any party for acts inconsistent with the ADA. 42 U.S.C. '12117(a). Penalties for a violation of the ADA include injunctions, affirmative action, equitable relief and damages. 42 U.S.C. '2000e-5.

Other Current and Pending Federal Statutes

The Identity Theft and Assumption Deterrence Act of 1998, 18 U.S.C. '1028, imposes criminal penalties upon anyone who knowingly transfers, uses or possesses a means of identification of another in connection with any unlawful activity that violates federal law or is a felony under applicable state or local law. The punishment for a violation is a fine or imprisonment, depending upon the severity of the offense.

In June 2005, Senators Specter and Leahy introduced the Personal Data Privacy and Security Act of 2005. The purpose of this bill is to help protect the privacy of personal information in light of recent data security breaches, and discourage insecure databases. The proposed legislation, which remains on the Senate calendar, increases penalties for identity theft, requires entities to establish policies to protect personal data, and requires entities to give notice to individuals and law enforcement in the event of a security breach of sensitive personal data.

Conclusion

Like other businesses, law firms should familiarize themselves with applicable federal and state information security laws. Prudence requires planning for maintaining the security of personal employee information, as well for as dealing with the consequences of a breach, including prompt notification of affected individuals.

Because information has become increasingly easy to obtain and transfer, employers must take precautionary measures to ensure that confidential data is adequately protected. This applies not just to proprietary business information, but also to confidential employee data.

This article provides an overview of statutory, constitutional and common law concerns with res-pect to obtaining and maintaining confidential employee information, and penalties that employers may face for failing to protect the security of confidential employee records.

State Privacy Statutes

Many states have enacted laws requiring businesses that maintain computerized data including personal information to notify individuals of security breaches and unauthorized access to their personal information. (States with such security breach notification statutes include: Arkansas, California, Connecticut, Delaware, Florida, Illinois, Louisiana, Minnesota, Montana, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas and Washington.) The California Security Breach Notification Act of 2003 (the California Act), Cal. Civ. Code '1798.80 et seq., was the first such law to be enacted, and precipitated similar statutes in sister states. The majority of state security breach notification statutes are modeled after the California Act. Accordingly, we outline the California Act while highlighting key differences in sister state statutes.

The California Act provides in part that any individual or entity conducting business in California owning or licensing computerized data systems including 'personal information' must expediently disclose system security breaches to any California resident whose personal information was, or is believed to have been, acquired by an unauthorized person. Cal. Civ. Code '1798.82. This includes information pertaining to both customers and employees. For this purpose, a system security breach is an 'unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business.' Id. It is noteworthy that North Carolina is the only state that currently provides a similar level of statutory protection for non-electronic records, in addition to computerized information. See, N.C. Gen. Stat. '75-65(a).

Pursuant to the California Act, 'personal information' includes names when combined with one or more identifying factors, such as a social security number, driver's license number, California Identification Card number, account number or credit or debit card number (when in combination with a required security code). Cal. Civ. Code '1798.82(a), (b). While the definition of personal information in most state statutes is similar to that of the California Act, certain states also include medical information within the definition of personal information. See, eg, Ark. Code Ann. '4-110-103(7); Fla. Stat. ch. 817.5681(f).

While notification of a security breach is a key component of all state statutes, many states eliminate or delay the notification requirement if a law enforcement agency has determined that such notification will impede a criminal investigation, or has investigated or consulted on the matter and concluded that the security breach does not pose a significant risk of identity theft to those whose personal information has been acquired. (See, eg, Fla. Stat. Ann. '817.5681(3); Minn. Stat. '325E.61(c); N.D. Cent. Code '51-30-04; Pa. Stat. Tit. 73, '2304; R.I. Gen. Laws '11-49.2-4; Tex. Bus. & Com. Code '48.103(d); Wash. Rev. Code. '19.255.010(3).)

The various state statutes differ in their enforcement provisions and penalties for noncompliance. The California Act provides for private civil remedies for individuals who have been harmed by a breach of the act. Cal. Civ. Code '1798.84(b). A violation of certain state security breach statutes may result in criminal penalties and/or enforcement by the state attorney general. (See, eg, Ark. Code '4-88-103, 104; Conn. Gen. Stat. '42-110b; Minn. Stat. '8.31; Pa. Stat. Tit. 73, '2308.) Other state statutes permit civil remedies and damages. (See, eg, Conn. Gen. Stat. '42-110f, '42-110g; La. Rev. Stat. Ann. '51:3075; N.D. Cent. Code '51-30-07; Pa. Stat. Tit. 73, '2308; R.I. Gen. Laws '11-49.2-6; Tenn. Code Ann. '47-18-2107(h); Wash. Rev. Code. '19.
255.010(10).) Finally, some state statutes impose fines upon violators. (See, eg, Fla. Stat. ch. 817.5681(2)-(10); R.I. Gen. Laws '11-49.2-6; Tex. Bus. & Com. Code '48.201.)

Any security breach or unauthorized access of electronic employee records that contain personal information comes within the scope of the California Act as well as the sister statutes. Employers should note the applicable state law(s) regarding security of records containing personal information and notification requirements in the event of a security breach. In addition to maintaining records in a manner designed to prevent unauthorized access, employers should develop plans for timely notification to impacted individuals in the event of a security compromise. (See, www.privacy.ca.gov/recommendations/secbreach.pdf for CA notification guidelines.)

State Constitutional Concerns

Several states have constitutional privacy provisions that apply to both public and private actors. See, eg, Cal. Const. art. I, '1; Haw. Const. art. I, '6; La. Const. Art. 1, '5. Here, too, the California constitutional privacy provision is exemplary. The California Constitution provides: 'All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.' Cal. Const. art. I, '1. In Hill v. NCAA , 865 P.2d 633, 644 (Cal. 1994), the California Supreme Court addressed whether an intrusion into privacy by a private actor violates the state constitutional right to privacy, and found that the constitutional privacy provision both applies to, and creates, a cause of action against private actors. While California has not yet adjudicated an action where a constitutional privacy claim was filed against an employer who failed to protect confidential employee records, such an action is possible under the California constitution ' as well as potentially under other state constitutions containing parallel provisions.

Common Law

Privacy Concerns

Employers should also note the potential for common-law invasion of privacy actions in the event of a breach in the security of confidential employee records. In such a case, an employer may be liable for the tort of intrusion upon seclusion. See, Restatement (Second) of Torts '652B. As opposed to other tort actions involving privacy, no publication is required to state a claim for intrusion upon seclusion. Rather, the mere intentional interference with the privacy interests of another gives rise to this cause of action.

Another tort for which an employer might be liable in the event of a security breach is publicity given to private life. See, Restatement (Second) of Torts '652D. While this tort requires publication, the threshold for the requirement is not stringent. This is exemplified by Bratt v. Int'l Bus. Machines , Corp. , 392 Mass. 508 (Mass. 1984), an action involving, among other things, a breach of privacy claim by an employee. In Bratt, private facts regarding an employee were disclosed to several other employees of the same entity. Id. at 511-12. The Massachusetts Supreme Court found 'the disclosure of private facts about an employee through an intracorporate communication [to be] sufficient publication to impair an employee's right of privacy.' Id. at 509-10. Further, the court found that any conditional privilege held by the employer to disclose potentially defamatory personal information regarding the employee was lost if such publication did not further a legitimate business interest. Id. at 510.

Given recent high-profile breaches of personal information ' including those involving retail merchants, data processors, and even government agencies ' the issue of the security of personal information has been called to the attention of the public and the plaintiff's bar. Accordingly, employers should keep abreast of developments in the relationship between privacy-related torts and employee records, as well as be aware of the potential for tort actions for both intentional and unintentional breaches of confidential employee information.

Federal Statutes Protecting Employee Health Information

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. '1320d-1 et seq., creates privacy obligations for employers by
safeguarding the use of individually identifiable health information. To implement the privacy requirements for HIPAA, the Department of Health and Human Services established certain standards for privacy of individually identifiable health information (the Privacy Rules), 45 C.F.R. ' 160.102 et seq.

Pursuant to the Privacy Rules, 'protected health information' received by a 'covered entity' may not be used or disclosed other than in certain limited circumstances. For these purposes, a 'covered entity' includes health plans, health care clearinghouses, and health care providers. 45 C.F.R. '160.102(a). While employers are not specifically included in these regulations, HIPAA applies to employers operating in any of these capacities. 'Protected health information' means information created or received by a covered entity relating to the past, present or future physical or mental health or condition or the provision of or payment for health care that identifies the individual or reasonably could be used to identify the individual. Id. '160.103.

HIPAA prevents a covered entity from disclosing protected health information in any manner that is not specifically permitted or required by the statute. 45 C.F.R. '164.502(a). The statute permits disclosure of protected health information to the individual for treatment, payment or health care operations, or pursuant to an authorization or agreement. Id. HIPAA requires disclosure for certain government investigations and upon request of the individual. Id. In the event that protected health information is disclosed, a covered entity must make reasonable efforts to limit the information given to the minimum necessary to accomplish the intended
purpose of the use, disclosure or request. Id. '164.502(b). Restrictions are also placed upon the use of protected health information received by plan sponsors or employers from a covered entity. Specifically, plan sponsors and employers may not use protected health information for the purpose of employment related actions or decisions, and must take measures to adequately safeguard and restrict access to such information. Id. '164.504(f).

There is no express private cause of action for a HIPAA violation, and courts have consistently held there is no such implied right. See , Johnson v. Quander, 370 F. Supp. 2d 79, 100 (D.D.C. 2005); Logan v. VA, 357 F. Supp. 2d 149, 155 (D.D.C. July 28, 2004); O'Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1178 (D. Wyo. 2001); Brock v. Provident Am. Ins. Co., 144 F. Supp. 2d 652, 657 (N.D. Tex. 2001). Pursuant to HIPAA, the Secretary of Health and Human Services has the authority to pursue actions against HIPAA violators. 42 U.S.C. '1320d-5. The statute punishes wrongful disclosure of protected health information by fines and/or imprisonment. Id. '1320d-6(b).

The Americans With Disabilities Act

The Americans With Disabilities Act of 1990 (ADA), 42 U.S.C. '12101 et seq., limits the circumstances under which an employer may obtain health-related information from an employee or applicant, and also requires employers to secure and protect any such information received. Pursuant to the ADA, any information obtained by an employer regarding the medical condition or history of an employee or applicant must be maintained on separate forms, in separate medical files, and treated as a confidential medical record. 42 U.S.C. ”12112(d)(3)-(4). Such information may be disclosed only in limited circumstances, and then only as necessary to supervisors and managers, first-aid and safety personnel and certain government officials investigating ADA compliance. Id. Like the restrictions on medical inquiries, the ADA's restrictions on the use and retention of employee health information applies to all employees, not merely those with disabilities as defined by the ADA.

An individual, the attorney general or the EEOC may bring an action against any party for acts inconsistent with the ADA. 42 U.S.C. '12117(a). Penalties for a violation of the ADA include injunctions, affirmative action, equitable relief and damages. 42 U.S.C. '2000e-5.

Other Current and Pending Federal Statutes

The Identity Theft and Assumption Deterrence Act of 1998, 18 U.S.C. '1028, imposes criminal penalties upon anyone who knowingly transfers, uses or possesses a means of identification of another in connection with any unlawful activity that violates federal law or is a felony under applicable state or local law. The punishment for a violation is a fine or imprisonment, depending upon the severity of the offense.

In June 2005, Senators Specter and Leahy introduced the Personal Data Privacy and Security Act of 2005. The purpose of this bill is to help protect the privacy of personal information in light of recent data security breaches, and discourage insecure databases. The proposed legislation, which remains on the Senate calendar, increases penalties for identity theft, requires entities to establish policies to protect personal data, and requires entities to give notice to individuals and law enforcement in the event of a security breach of sensitive personal data.

Conclusion

Like other businesses, law firms should familiarize themselves with applicable federal and state information security laws. Prudence requires planning for maintaining the security of personal employee information, as well for as dealing with the consequences of a breach, including prompt notification of affected individuals.