Question of the Month

September 2019

Question

What are your state/province's current laws concerning the protection of employee personal information?

Answer from Alabama

The Alabama Data Breach Notification Act of 2018 requires entities with Sensitive Personally Identifying Information stored in electronic format to take reasonable security measures to protect that information.  It further imposes investigation and notification requirements in the event of a breach.

For more information please contact Michael Thompson at mthompson@lehrmiddlebrooks.com

*Disclaimer: All answers to the Question of the Month are current the day on which they are posted. After this date, the information may subsequently change as a result of laws or rulings. For the most current information, please contact the responding lawyer for each state in which you are interested.

Answer from California

California’s Consumer Privacy Act of 2018 goes into effect January 1, 2020, and gives “consumers” rights in relation to their personal information, including: (1) the right to know what personal information a business has collected about them; (2) the right to “opt out” of allowing a business to sell their personal information to third parties; and (3) the right to have a business delete their personal information.  The law will apply to for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and either: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information.

For more information please contact David Wimmer at dwimmer@swerdlowlaw.com

Answer from Florida

Florida law requires notice to individuals of access or potential access of their personal information (FS 501.171).

For more information please contact Wayne Helsby at whelsby@anblaw.com

Answer from Georgia

Georgia does not have any statutory provisions, and the case law is unsettled.

For more information please contact Douglas Duerr at duerr@elarbeethompson.com

Answer from Hawaii

Hawaii has a law preventing disclosure of an employee’s entire social security number, and a non-governmental employer who does so can be assessed a $2500 fine and actual damages for each violation.  Haw. Rev. Stat. §§ 487J-2, 487J-3.  However, a public employee’s personal records can be disclosed to a collective bargaining agent when relevant to an investigation or the processing of a grievance.  Haw. Rev. Stat. § 89-16.5.

For more information please contact Megumi Sakae at msakae@marrjones.com

Answer from Maryland

The Maryland Personal Information Protection Act specifically provides protections to employees. The law governs the disposal of personal information, including employee data, and provides for notification of the breach of electronically-maintained personal information. Of particular interest, the definition of personal data includes biometric data. Md. Code Ann. Comm. Law §§ 14-3501.

For more information please contact Fiona Ong at fwo@shawe.com

Answer from Massachusetts

Massachusetts has a Security Breach Statute and accompanying regulations.  See Mass. Gen. L. Ch. 93H and 201 CMR §§17.00-17.05.  The statute applies to employers who own, license, receive, store, maintain, process, or otherwise have access to personal information of Massachusetts residents in connection with employment.  Personal information includes a Massachusetts resident’s first and last name or last name and first initial together with any one or more of the following:  social security number, driver’s license or state-issued identification card, financial account number, and credit or debit card number.  Additionally, employers are required to develop, implement, and enforce a Written Information Security Program (“WISP”).  A WISP, which must be in writing, must, at a minimum:  designate an employee to maintain the WISP; identify and assess internal and external risks; develop policies relating to storage, access, and transportation of records containing personal information; warn employees that there will be discipline for violation of the WISP; outline a plan to prevent terminated employees from accessing personal information; outline restrictions for physical access to records; indicate that the WISP will be reviewed annually; and outline documentation requirements related to data breach reporting, including a post-incident review. For employers who electronically store personal information, the WISP must meet additional requirements, including, but not limited to, establishing user IDs and passwords and controlling those usernames and passwords; restricting access to records containing personal information; outlining appropriate security software and firewall measures; and encrypting transmitted records.  The regulations also require employers to train and educate employees on proper use of a computer security system and the importance of protecting personal information.

Massachusetts' Security Breach law also places strict requirements on employers who experience a data breach.  Whenever there is unauthorized access to or use of personal information that creates a substantial risk of identity theft, an employer is obligated to notify the impacted Massachusetts resident(s); the Attorney General; and the Director of the Office of Consumer Affairs and Business Regulation.  The statute and regulations outline specific notice requirements to each, which can be obtained on the Attorney General's website.  See https://www.mass.gov/service-details/reporting-data-breaches-to-the-attorney-generals-office.  In 2018, the Massachusetts Attorney General launched an online portal for reporting security breaches, which can also be found on the Attorney General's website.

For more information please contact Marylou Fabbo at mfabbo@skoler-abbott.com

Answer from Minnesota

Minnesota law permits employees to sue their employers for invasion of privacy in three situations:

(1) intrusion into seclusion (i.e. personal and private matters); (2) publication of personal information that others do not need to know and that employees reasonably expect to remain private; and (3) misappropriation of someone’s name, picture, or likeness without their consent.  Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231, 235 (Minn. 1998).  The exact scope of claims for invasion of privacy is not clear, but probing into employees’ personal lives and sharing information that employees might expect to remain confidential may cause litigation.

Minnesota law permits, but does not require, private employers to provide information about employees or former employees without being subject to a legal claim by the employee.  Minn. Stat. § 181.967.  The following information can be provided by an employer without written authorization from the employee:

(1) dates of employment;
(2) compensation and wage history;
(3) job description and duties;
(4) training and education provided by the employer; and
(5) acts of violence, theft, harassment, or illegal conduct documented in the personnel record that resulted in disciplinary action, termination, or resignation.  If the employee submitted a written response to the action, that must be supplied as well.

Minn. Stat. § 181.967, subd. 2-3. Information disclosed in (5) above must also be sent to employees at their last known address.  Minn. Stat. § 181.967, subd. 3.  Additionally, if the employee provides written authorization, the employer may disclose the following in addition to the items listed above:

(6) written evaluations and the employee’s response;
(7) written disciplinary actions in the employee’s file in the last 5 years and the employee’s written response; and
(8) written reasons for separation.  

Minn. Stat. § 181.967, subd. 3(b).  Responses to these items must also be mailed to the employee at the same time as they are mailed to the person requesting the information.  Id.  An employer may still decline to provide information on former employees but should consider having a written policy advising employees of this policy.  Supervisory personnel should be directed to refer all calls for references to one person, such as the human resources director.

Employee assistance records may not be disclosed to a third party (including the employer) without prior authorization from the person receiving services.  Minn. Stat. § 181.980, subd. 5. The only exceptions to the nondisclosure rule are disclosures pursuant to state or federal law or a court order, disclosures required in the normal course of providing the employee assistance services, and disclosures to prevent physical harm or the commission of a crime. Minn. Stat. § 181.980, subd. 5(1)-(3).

Employers in Minneapolis, Minnesota are also required to maintain the confidentiality of any health, medical, or personal information about an employee, or his or her family members.  Minneapolis Ord. ch. 40, art. III, § 40.230.

Minnesota also has a Social Security Number Shield Law (“Shield Law”), which requires Minnesota businesses to take affirmative steps to protect against disclosure of an individual’s social security number.  Minn. Stat. § 325E.59.  To comply with Minnesota’s Shield Law, employers are required to restrict access to social security numbers to ensure that only employees who require the numbers to perform their job duties have access.  Id. subd. 1(d).  The Shield Law does not apply to government entities.  Among other restrictions, no private employer may require an individual to transmit his or her social security number over the internet unless the connection is secure or the social security number is encrypted, except as provided by federal law.  Id. subd. 1(a)(3).  Additionally, employers may not print an individual’s social security number on any material that is mailed to an individual, unless state or federal law requires the social security number to be on the document to be mailed.  Id. subd. 1(a)(5).

For more information please contact Tom Revnew at TRevnew@seatonlaw.com

Answer from Nevada

Nevada law addresses the collection of personal information via Chapter 603A of the Nevada Revised Statutes which is broad enough to apply to employers.  Section 603A.210 requires a “data collector” to implement and maintain reasonable security measures to protect personal information. 

For more information please contact Scott Abbott at SAbbott@kzalaw.com

Answer from Ohio

No Ohio law on this point. But in Ohio Rev. Code 2933.52, any “individual or organization” is prohibited from interception of electronic, oral or wire communications.  However, employee monitoring by an employer, where the employer removes the expectation of privacy, is permitted and exempted from the statutory proscription.

For more information please contact Lynn Schonberg at lynns@rbslaw.com

Answer from Pennsylvania

Pennsylvania has enacted a number of laws relating to the privacy of personal information.  One statute prohibits an employer from engaging in the following practices regarding employee social security numbers:

(1)     Publicly post or publicly display in any manner an individual’s Social Security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.
(2)     Print an individual’s Social Security number on any card required for the individual to access products or services provided by the person, entity or State agency or political subdivision.
(3)     Require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted.
(4)     Require an individual to use his or her Social Security number to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the website.
(5)     Print an individual’s Social Security number on any materials that are mailed to the individual unless Federal or State law requires the Social Security number to be on the document to be mailed. Notwithstanding this provision, Social Security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process or to establish, amend or terminate an account, contract or policy or to confirm the accuracy of the Social Security number. A Social Security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
(6)     Disclose in any manner, except to the agency issuing the license, the Social Security number of an individual who applies for a hunting or fishing license.

74 P.S. § 201.

Pennsylvania has also adopted privacy-related laws in the following areas:

•    The Confidentiality of HIV-Related Information Act prohibits employers and their agents from releasing confidential HIV-related information except as specifically permitted by law.  35 P.S. § 7601 et seq.

•    The Breach of Personal Information Notification Act requires entities that maintain, store or manage computerized data to notify individuals “without unreasonable delay” in the event of a breach of Personal Information.  “Personal Information” is defined as an individual’s first name, or first initial and last name, in combination or linked to the following unredacted information:  (i) social security number, (ii) driver’s license number or state identification card number, and/or (iii) financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.  73 P.S. § 2303 et seq.  The Pennsylvania Supreme Court has recently held that employers have a legal duty to exercise reasonable care to safeguard employees’ sensitive electronically-stored personal information.  Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).

For more information please contact John Ellis at jellis@ufberglaw.com

Answer from Texas

Nothing specific in Texas.

For more information please contact Bryant Banes at bbanes@nhblaw.com

Answer from Virginia

Virginia has two statutes aimed specifically at protecting personal information of employees:

•    VA Code 40.1-28.7:4 – This law generally prohibits employers from releasing, communicating, or distributing personal identifying information about any current or former employee to any third party.  “Personal identifying information” includes home telephone number, mobile number, email address, shift times, or work schedule.  Exceptions apply for information that is: (1) required pursuant to any applicable provision of federal law that might preempt this state law, (2) ordered by a court of competent jurisdiction, (3) required pursuant to a warrant issued by a judicial officer, or (4) required by a subpoena issued in a pending civil or criminal case, or by discovery in a civil case.
•    VA Code 40.1-28.7:5 – This law prohibits employers from requiring any current or prospective employee to (1) disclose his/her username and password to a social media account, or (2) add an employee, supervisor, or administrator to his/her list of contacts associated with a social media account.  Employers also may not take action against or threaten to discharge, discipline, or otherwise penalize any employees for exercising their rights under this section, or fail or refuse to hire any applicant for exercising their rights under this section.  Certain exceptions apply to allow employers to comply with requirements of other applicable laws, or when the employer reasonably believes the employee’s social media account is relevant to an employer investigation of alleged misconduct by the employee.  In addition, the definition of “social media account” excludes accounts opened by the employee at the employer’s request, accounts that are set up by the employee on behalf of the employer, accounts that are provided to the employee by the employer, and accounts that are set up by the employee to impersonate the employer.

For more information please contact Susan Carnell at scarnell@lorengercarnell.com

Answer from Washington

Under RCW 49.44.200, applicants and employees have certain privacy rights regarding personal social networking accounts.  Per the statute, employers cannot ask, require, or “otherwise coerce” applicants or employees to disclose their login information, provide access to an account, list an individual (whether the employer or not) on the account so that person can access it, or change the settings to allow the account’s contents to be viewed.  An employer cannot take adverse action against applicants or employees for refusing to do any of this.  These restrictions do not apply, however, if an employer seeks account information in connection with making a factual determination during an investigation if i) the investigation is in response to receiving information regarding an employee’s personal social networking account activity, and ii) the purpose of the investigation is either to ensure compliance with applicable laws against work-related employee misconduct or to investigate an alleged unauthorized transfer of the employer’s proprietary, confidential, or financial information.  For any such investigation, though, the employer still cannot ask for or require an employee to provide his or her login information.
 
In addition, while not directly related to employees, Washington has a data breach statute (19.255.010)  that applies to individuals and businesses and a separate statute (RCW 42.56.590) that applies to local and state agencies.  In May 2019, the state legislature amended the law to expand the breach notice obligations of businesses that maintain personal information regarding Washington citizens.   In particular, the amendments i) expand the scope of personal information that, if subject to unauthorized disclosure, triggers notice requirements, and ii) revise the timing and content of the required notices.  The new law will take effect March 1, 2020.

For more information please contact Ken Diamond at ken@winterbauerdiamond.com

Answer from Wisconsin

Wisconsin employers who maintain employee personal information are required to do so in a safe and secure way. If an employer becomes aware of an unauthorized breach or unauthorized use of an employee’s personal information, the employer must notify employees of the breach or use of their personal information. The law requires the employer make reasonable efforts to notify any and all affected employees if their personal information has been acquired without authorization of that employee; failure to notify may result in an employer’s liability for damages related to the misappropriation of the employee’s personal information. See Wis. Stat. §134.98.

For more information please contact Laurie Petersen at LPetersen@lindner-marsack.com
