Privacy Risks with Snail Mail

With all (or most) eyes on privacy issues in cyberspace, companies can lose sight of traditional methods of violating privacy rights.

A recent example is Aetna’s late July mailing of 12,000 letters where the large windowed envelopes easily revealed the recipients’ names, addresses, and HIV status and/or prevention information. While the number of affected individuals may seem comparatively low, this incident nevertheless garnered negative publicity and attention.

Since privacy violations can lead to lawsuits, heavy fines, or even criminal penalties, companies—especially those that handle protected information—should review their mailing policies. If third-party mailing companies are used, those companies’ policies should also be reviewed.

Some policies that may help reduce potential privacy breaches for snail mail include:

  • Using heavier-stock or security envelopes with no windows
  • NOT using envelopes with pre-printed sender information if the sender information would reveal private information (for example, if your organization name reveals the specific type of medical condition suffered by your patients)
  • Having someone spot check the final product
  • Making sure that addresses are up-to-date
  • Using a form letter that only provides generalized information and instead requiring the patient to contact your office for particularly sensitive information, such as test results
  • Eliminating unnecessary confidential information (such as Social Security Numbers)
  • Shredding and/or proper disposal of misprinted mail
  • Training employees or vendors regularly

If you need further or specific guidance, or guidance on other media, please do not hesitate to speak to an attorney.

Privacy Law and Social Media: Why Employers Should Create and Update Social Media Policies

When can an employer discipline an employee who uses social media to distribute content online that could be detrimental to the employer’s business interests? The answer, of course, is “it depends.”

The law struggles to keep pace with technology. Cyberspace has expanded the “workplace” beyond the physical confines of an office building and the traditional eight-hour workday (overtime concerns are the subject for a future blog post). At minimum, employers should create, update and distribute to employees their privacy rules and policies – typically in an employee handbook with a signed acknowledgment of receipt – that reduce the expectation of privacy in the workplace. Employees should be informed through company policies that desks, files, vehicles and even lockers provided by the employer may be subject to search. The privacy rules and policies should also extend to digital property (data) contained in and transmitted through equipment and devices the employer provides that can be used both onsite and offsite, such as laptops, smart phones and email accounts.

However, employers in California and other states also must balance the risk of disciplining employees for off-duty conduct online that may be detrimental to the employer’s interests with laws that prohibit employers from retaliating against employees who engage in legal off-duty conduct.  For example, under California Labor Code Section 96(k), commonly known as “the moonlighting law,” the Labor Commissioner may pursue claims against an employer “for loss of wages as the result of a demotion, suspension, or discharge from employment for lawful conduct occurring during nonworking hours away from the employer’s premises.”

So, how does an employer minimize the risks associated with addressing an employee’s off-duty and online conduct that may be undesirable or detrimental, but not illegal? The following steps may reduce the risks:

  • Create an employee handbook that specifically states the company’s privacy and social media policies.
  • Reference and incorporate general policies and guidelines for employee communications transmitted by email, text or voice through internet or social media.
  • Prohibit employees from creating conflicts of interest, revealing trade secrets and other specified conduct that is detrimental to the company’s legitimate business interests.
  • Inform employees they will be held to the same standards and code of conduct whether they are off-duty or on-duty.

3rd Circuit Ruling in FTC v. Wyndham Affirms Broad Governmental Authority Under Section 5

In a much anticipated decision, the Third Circuit recently upheld the Federal Trade Commission’s exercise of authority to fine and take other measures against businesses that fail to abide by the “standard of care” for data security. Federal Trade Commission v. Wyndham Worldwide Corporation, No. 14-3514 (3d Cir. Aug. 24, 2015). Wyndham challenged the FTC’s actions arguing that negligent security practices were not an “unfair practice” and that the FTC failed to provide adequate notice of what constituted the standard of care in this context. The Third Circuit, like the trial court before it, disagreed. It held that Wyndham’s negligent data security practices were an “unfair” business practice under 15 U.S.C. § 45(a), otherwise known as § 5 of the FTC Act, because it “publishe[d] a privacy policy to attract customers who are concerned about data privacy, fail[ed] to make good on that promise by investing inadequate resources in cyber security, and thereby expose[d] its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Third Circuit rejected Wyndham’s due process argument (lack of notice of the standard of care), holding that Wyndham was not entitled to know with ascertainable certainty the FTC’s interpretation of what cyber security practices are required by § 45(a) – that is, to know in advance exactly what practices the standard of care requires. The Court explained that Wyndham had adequate notice of the standard of care because § 45(n) of the Act defines it using the usual tort cost-benefit analysis. See United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947). Nothing more is required to satisfy due process concerns in this context.

Prior to the Wyndham decision, courts generally held that the economic loss rule precludes a claim for negligent data security practices. E.g., Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 967-973 (S.D. Cal. 2014) (dismissing such claims under both Massachusetts and California law on the basis of lack of a “special relationship”). The question remains open whether Wyndham defines a special relationship and tort duty that would preclude application of the economic loss rule. Keep an eye on this space for further developments.

Speedy Internet May Cost You More Than Money

On March 30, 2015, AT&T offered its “GigaPower” service to Cupertino, California. It is currently offered in a handful of cities across the United States (Austin, Dallas, Fort Worth, Kansas, Raleigh-Durham, and Winston-Salem) with ten other planned metro areas. GigaPower is promoted as Internet service with “[b]lazing-fast speeds up to 1Gbps,” allowing the user to download twenty-five songs in one second, an HD television show in three seconds, and an HD movie in thirty-six seconds.

The price tag for this super-speed is either $139.00/month, or $110.00/month plus allowing AT&T to monitor your Internet browsing. Thus, AT&T’s customers will have to choose whether to allow such monitoring or in effect pay $29.00 for their privacy. AT&T’s “Internet Preferences” analytics program monitors all activity in order to use that information to target its customers with personalized advertisements, for which it can then charge advertisers. According to an AT&T spokesperson, opting out of the Internet Preferences program will ensure that the customer does not receive targeted ads, but AT&T’s privacy policy still allows it to collect information on its customers’ web activity for certain purposes. AT&T has stated that the benefits of these ads are that AT&T can keep its prices from rising, and since all the data is maintained in-house, it will not sell its customers’ information. AT&T claims that the “vast majority” of its customers have opted to participate in the Internet Preferences program.

This comes on the heels of the recent battle over net neutrality which resulted in the Federal Communications Commission’s February 26, 2015 adoption of “Open Internet” rules. These rules seek to “protect and maintain open, uninhibited access to legal online content without broadband Internet access providers being allowed to block, impair, or establish fast/slow lanes to lawful content.” Given that the federal government has determined that service providers cannot charge web users or websites for entry onto an Internet superhighway “fast” lane, it is unlikely that AT&T will be the only Internet service provider to start charging to maintain its customers’ privacy.

Our Privacy & Data Security Group will continue to monitor the implications of AT&T’s recent offering in this regard.


To Post on Facebook, or Not to Post

We’ve all seen it make the rounds on our Facebook newsfeeds: the post that declares something along the lines of “my rights are attached to all my personal data drawings, paintings, photos, video, texts, etc.”  Its reappearance around the end of 2014 was likely due to a notice sent by Facebook regarding changes in their policies, which took effect on January 1, 2015.

In the United States, this message does not have the power to unilaterally waive the privacy terms to which each user agrees upon opening a Facebook account.  For example, the new terms state that subject to a user’s privacy and application settings, “[f]or content . . . like photos and videos (IP content), . . . you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook.”  The only way to terminate Facebook’s license is to delete your IP content or delete your account, but if you have shared that content with other users that have not deleted it, Facebook still maintains a license on it.

The European Union, however, has taken serious issue with this. EU data protection authorities say that this part (along with other parts) of Facebook’s policy violates their privacy laws.  On February 3, 2015, a task force led by Belgium, the Netherlands, and Germany was formed to investigate the concerns with Facebook’s privacy policy.  On February 23, 2015, a draft report commissioned by the Belgian Data Protection Authority outlined the following issues with Facebook’s policy:

  1. Consent to many of Facebook’s processing activities is likely not valid “[g]iven the limited information Facebook provides and the absence of meaningful choice;”
  2. The current “opt-out” default setting for advertising, as well as Facebook’s practice of combining and sharing data about its users, “do[] not meet the requirements for legally valid consent,” and opt-outs for location-data collection “are simply not provided;”
  3. Facebook’s new Statement of Rights and Responsibilities “contains a number of provisions which do not comply with the Unfair Contract Terms Directive” of European consumer protection law;
  4. The use of user-generated content for commercial purposes (the subject of the “my rights are attached to my personal data” post mentioned above) is not transparent and is not subject to “adequate control mechanisms;”
  5. The collection of location data parameters should be “turned off by default,” and users should be allowed “to determine when and how location data can be used by Facebook and to what purpose;”
  6. Facebook’s monitoring of its users while they are on and off the site is not in compliance with the e-Privacy Directive requiring “free and informed prior consent before storing or accessing information on an individual’s device;” and
  7. The terms “do not properly acknowledge” the fact that users cannot prevent Facebook from using their information gained from outside their network (i.e., if you have shared that content with other users that have not deleted it, Facebook may still use it).

Perhaps the necessitation of making these changes to comply with European Union laws will trickle into Facebook’s privacy policies for the U.S., but it is always wise to be wary of what you post and to periodically review social media privacy policies.

Dropbox Accounts Exposed

Business Insider and many others are reporting that hackers have acquired nearly 7 million account usernames and passwords. News coverage of the recent breach of Dropbox account security reveals that hackers have provided a “teaser” of 400 accounts and associated passwords on, which as of this writing shows that there have been more than 171,976 views.

Dropbox has explained that its services are fully encrypted, and denies responsibility for the leak of emails and passwords, pointing to third-party services that exposed the credentials. Dropbox also claims that all of the passwords that were hacked are expired. Dropbox, for its part, encourages users to enable two-step verification, which should harden account security. In fact, the nice folks at Business Insider prepared a slideshow to assist in how to implement two-step verification security here.

Professionals who use cloud servers to provide medical, legal and financial services should understand that doing so may be at their own risk, as a cloud server provider or host may not provide indemnification or other recourse in the event of privacy and data breaches. Be sure to carefully read server or cloud provider contracts to assess the scope of any limitation of liability (typically a monetary limit and consequential damages disclaimer) that may be inadequate for a customer’s potential losses in the wake of a breach or other unauthorized disclosure of information. As with all gathering, storage and use of personal and confidential information, there must be safeguards and risk assessment at each level to avoid being hit with the full liability of a data breach.
