Philip Gordon Answers Questions About Human Resources' Top Privacy Concerns

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employers’ compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

IAPP: You mentioned employee health information in your initial response. How are the issues involving such information any different today than they were in the recent past?

Gordon: Russell Chapman’s presentation at the Practical Privacy Series, “Privacy Issues in Employer Wellness Initiatives,” will highlight the new challenges. The soaring cost of employee health benefits has put significant pressure on employers to encourage a healthier workforce. One look at the complex regulations in this area makes it clear that this laudable goal is much more easily enunciated than achieved. Government regulators have, to some extent, handcuffed employers in these offerings to protect employee privacy and to prevent discrimination against employees who cannot, or do not want to, become exercise junkies. Russ is an expert in employee benefits law, and he will walk attendees through the legal complexities that employers are confronting as they implement wellness initiatives to trim health care costs.

IAPP: Over the past few years, “electronic discovery” has become a privacy issue. Could you explain how electronic discovery and privacy intersect in the employment context?

Gordon: Getting access to a former employee’s personal electronic information—their home computer, personal e-mail account, text messages, or social networking profile—often can be the difference between an employer’s success and defeat in employment litigation. Plaintiffs’ lawyers also have become increasingly aggressive in pursuing the electronic information of co-workers and supervisors who are not directly involved in the events that triggered the lawsuit, but whose statements and actions might provide useful evidence in support of the plaintiff’s claims. In many situations, the employer or the employee tries to limit the scope of electronic discovery by invoking the privacy interests of the employee to whom the information relates. The HR Practical Privacy Series will include a panel of three widely recognized experts in the area of electronic discovery—Becky Burr, a partner at WilmerHale; Laura Kibbee, formerly in-house counsel at Pfizer and now a senior vice president at the e-discovery consulting firm, EPIQ Systems; and Paul Weiner, national director of e-discovery at Littler Mendelson. The panel will delve into not just the domestic privacy issues raised by electronic discovery, but also the difficulties that multinational employers are confronting. In one recent case, for example, a French lawyer was subjected to criminal sanctions in France for conducting discovery ordered by a U.S. court. Multi-national employers are caught between a rock and a hard place in this area. This panel discussion, “e-Discovery and Privacy: How Domestic and Global Employers Can Manage the Ultimate ‘Catch-22’” will provide practical solutions to these difficult issues.

IAPP: As you noted above, security breaches involving employee data can have significant ramifications for the organization. What steps can employers take to reduce the risk of these breaches, and how best can employers respond when a breach occurs?

Gordon: Organizations often can leverage the policies, procedures, and practices implemented to safeguard consumer privacy to prevent a compromise of HR data. The problem, for many organizations, is that employee data is not viewed as falling within the chief privacy officer’s jurisdiction and human resources professionals generally do not have the same level of expertise in privacy and information security issues as the CPO. Ken DeJarnette, a leading privacy consultant with Deloitte, will address how to eliminate this silo effect at the Practical Privacy Series in the presentation “Leveraging Your Existing Customer Privacy Program for HR Data and Processes.”

As many studies and anecdotal evidence suggest, even the best information security programs fail from time to time. My experience handling dozens of employee breaches has highlighted several important distinctions from consumer breaches. Frequently, my client contacts are themselves put at risk by the compromise, often raising the level of engagement and concern. Employee breaches typically implicate Social Security numbers, a fact which is particularly concerning because SSNs can be used for different types of identity theft, so the cancellation of credit accounts is not enough to protect affected employees. As a result, employees tend to take advantage of services offered by the employer at a higher rate than consumers in breaches involving credit card numbers. Employers also may have a longer-term communications issue. While a consumer may sever a customer relationship, I have yet to hear of an employee quitting over a security breach. That does not mean that employees are not disgruntled over the breach, with potential ramifications for the workplace. Peter McCorkell, senior counsel at Wells Fargo, and Rick Dakin, founder and president of the security consulting firm Coalfire Systems, will address the unique challenges of responding to an employee breach in their presentation at the Practical Privacy Series, “Investigating and Responding to an HR Data Breach.”

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.