The balance between security and privacy has faced increased challenges over the last two decades, as information technology has become an integral part of the global environment. In the workplace, the competing interests between the employers’ and the employees’ rights and responsibilities can give rise to a multitude of complex issues.
Employers must comply with ever-evolving government security and privacy laws and regulations, while ensuring business success and productivity. They must also protect themselves from employee behavior that could give rise to liability. Employees and job applicants are faced with balancing the security and privacy requirements levied upon their employer, while ensuring their personal data and privacy is protected. Flawed or inexistent policies, intentional third-party data attacks, and human error can lead to data breaches resulting in significant information and reputational losses for employers and employees alike.
Regulatory Framework
Employers are required to comply with various laws when collecting and managing employee and job applicant information obtained throughout the course of employment. This includes information gathered from background checks,[1] drug, alcohol and health screenings, as well as information residing in employer computers, phones, and other information systems. Businesses are also responsible for the proper collection, security and privacy of data gathered from customers and other parties, including children. Some of the applicable federal laws aimed to protect the privacy of relevant information include, among others:
- American with Disabilities Act (ADA)
- Children’s Online Privacy Protection Act (COPPA)
- Electronic Communications Privacy Act (ECPA)
- Federal Credit Reporting Act (FCRA)
- Genetic Information Nondiscrimination Act (GINA)
[1] See Employment Background Checks blog article for additional detail.
- Gramm-Leach-Bliley Act (GLB)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Stored Communications Act (SCA)
In 2014, Florida passed the Florida Information Protection Act (FIPA) that aims to protect all Florida citizens (not just employees) from identity theft by requiring business and governmental entities to protect personal information and report data breaches. The law has a strict reporting requirement and a broad definition of the term personal information, which includes health insurance policy or subscriber numbers, information regarding an individual’s medical history, financial information, and online user names or email addresses in combination with their associated passwords, or security questions and answers to permit account access.
Penalties
The different Federal and state laws impose penalties for non-compliance, which could overlap, depending on the nature of the violation. Some provide private causes of action while others do not.
For example, under Florida’s data security law FIPA, failure to provide adequate notice of a data breach also violates the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and this triggers the following civil penalties:
- $1,000 per day for the first 30 days
- $50,000 thereafter for each 30-day period or portion thereof for up to 180 days
- $500,000 as the maximum amount of total penalties for violations continuing more than 180 days
Although FIPA does not provide for private redress, FDUTP states that any aggrieved person may bring an action for appropriate relief, which may include actual damages, attorney’s fees, and costs.
At a federal level, for example, HIPPA penalties for noncompliance hinge on the level of negligence committed. They can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for repeated violations of an identical provision. Criminal penalties may also be imposed. Although a HIPPA violation does not give rise to a private cause of action, in Acosta v. Byrum the privacy and security provisions of HIPAA were used successfully in court to establish the standard of care owed by a doctor-defendant with regard to a patient-plaintiff’s medical records.
In addition, a violation of FCRA for the mishandling of background check information provides for a private recovery including costs, attorney’s fees, and punitive damages.[1] Criminal sanctions may also be imposed under certain conditions.[2]
Balancing Competing Interests
Employers and employees can both benefit from sound workplace policies and practices that balance their rights and responsibilities. The prevention of the loss of sensitive information and the preservation of everyone’s privacy and reputation are key elements to a productive working relationship and business success.
Besides preserving data integrity and privacy, employers must be concerned with the improper use of their information systems by employees. This practice leads not only to economic loss, but also to heightened liability. Specifically, a Kansas State University study published in the Computers in Human Behavior journal in May of 2013 found that “cyberloafing” (employees use of their workplace Internet access for personal use) ranged between 60 and 80 percent of an employee’s time at work. In addition, improper workplace conduct, such as accessing online pornography, shopping, gambling, transmitting personal emails or messages, and the use of social media via the employer’s information technology infrastructure (and sometimes even the employee’s own device) could impose liability on employers and compromise the health of the business.
While a reasonable employer reaction to the above conduct may be to fully curtail the use of workplace computers for personal purposes, for many employees becoming totally disconnected at work is an unrealistic demand, especially given today’s connected world. Yet, it may not be in the employer’s best interest to allow employee personal use of the employer’s information infrastructure.
A possible solution may be the development of a sound Bring Your Own Device (BYOD) policy that can provide the employee with a reasonable personal connectivity means, while managing employer liability. However, such policies must manage the time spent by employees on personal matters and limit the use of personal devices in the workplace to proper and legal activities. In addition, the employer must decide whether the employee may access the employer’s Internet networks, and if so, how.
Best Practices
The Orlando employment law attorneys at Burruezo & Burruezo, PLLC can assist employers in establishing and communicating workplace data protection and privacy policies and practices. Such policies will enable the employers and their employees to efficiently and legally balance the competing interests of privacy, information protection, and a technology-driven environment. Among other benefits, our attorneys may assist employers with the following areas:
[2] See Employment Background Checks blog article for more information.
[3] See Employment Criminal Background Checks blog article for more detail.
- Compliance with federal, state, and international legal and regulatory requirements
- Development of employee screening, background checks, and drug and alcohol testing policies
- Development of corporate protocols to collect, transmit, and protect employer and employee sensitive information
- Development of workplace policies to manage the use of social media, Internet, email, as well as data transmission, access, and monitoring
- Development of Bring Your Own Device (BYOD) policies for use of personal devices in the workplace
- Development of protocols to prevent and respond to workplace data security breaches
- Defense and prosecution of claims rooted on violations of privacy and data security laws and regulations
- Management third party liability from the actions of contracted organizations
Burruezo & Burruezo, PLLC can also assist employees whose privacy rights have been violated by a data breach and/or a failed employer practice.
Whether you are an employer or a claimant, the Orlando employment law attorneys of Burruezo & Burruezo, PLLC can assist you in assessing your options under a data security and privacy compliance or breach situation and offer legal representation, if necessary. Click here to contact an attorney now.