(Editors’ note: Thanks to Orrick trainee associate, Arne Senger, for his help with this blog post.)
With its recent ruling in Bărbulescu v. Romania (application no. 61496/08), the Grand Chamber of the European Court of Human Rights (ECHR) made a decision of enormous impact for employers in Europe. The decision makes clear that even when private use of business resources is prohibited, employers do not have unlimited access to all communications that occur on corporate systems.
Companies should carefully review their policies to ensure that they can access their corporate IT equipment, at least to the extent permitted by European data privacy law. READ MORE
Today, Orrick announced the launch of our automated General Data Protection Regulation (GDPR) Readiness Assessment Tool, which makes the EU’s new, complex, data privacy law, the GDPR, more accessible. The free tool is available to all organizations and allows businesses to stress test their compliance against the upcoming GDPR. It segments the GDPR into 14 workable themes and guides the user through a series of dynamic questions relating to each theme. Upon completion of the assessment, the tool provides a complimentary tailored report summarizing the likely key impacts of the GDPR for an organization. READ MORE
In this Corporate Counsel article, Orrick attorneys Renee Phillips and Shea Leitch discuss the emerging issue of cybersecurity whistleblowing. The authors discuss scenarios in which cybersecurity whistleblowers may step forward and how a company can best address complaints internally and mitigate the potential of regulatory scrutiny. Click here to read the full article.
On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts “without authorization” as used in the Computer Fraud and Abuse Act (“CFAA”) when, after his/her own access has been revoked, the individual utilizes legitimate log‑in information of another to access company databases. This decision has important consequences for organizations as they consider how to implement policy and technical controls on user access to ensure they are protected against unauthorized access under the CFAA.
Can employers look at the company email accounts of employees, such as when they do not show up to work? Can employers monitor employee Internet use during working hours? Can employers read employee emails if they use the company email account for personal purposes?
Companies face these and many more questions about employer-provided email accounts and Internet access every day. To give employers guidance on this, the German Data Protection Authorities (“DPAs”) published “privacy guidelines” about using email and the Internet at the workplace. These guidelines provide essential information, practical tips and helpful advice on this topic.
In this Law360 article, Orrick attorneys Renee Phillips, Aravind Swaminathan, and Shea Leitch explore the rise of the cybersecurity whistleblower. The article examines the DOJ’s investigation, prompted by a cybersecurity whistleblower, into whether Tiversa Holding Corp. provided false information to the Federal Trade Commission about data breaches at companies that declined to purchase its data protection services. Click here to read more about the growing trend of whistleblower-initiated regulatory investigations and what companies can do to protect themselves against this growing risk.
Recently, the Berlin-Brandenburg Regional Labor Court ruled on the rights of an employer to check browsing history without the employee’s consent.
Orrick’s German employment team published a client newsletter about this judgment which can also be found here.
Earlier this month, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) announced that it had entered into a settlement agreement with St. Elizabeth’s Medical Center (SEMC) in Brighton, Massachusetts. Pursuant to the non-admission settlement, SEMC agreed to pay $218,400 and enter into a one-year Corrective Action Plan (CAP) to settle allegations that its employees violated the HIPAA Security Rule by, among other things, storing electronic protected health information (ePHI) in a cloud document sharing application. Covered entities and business associates that increasingly leverage cloud services for storing and managing Electronic Health Records (EHR), and ePHI more generally, should take notice of this development for a number of reasons. First, it underscores the importance of conducting security assessments on, and evaluations of, cloud services before allowing employees to use them to manage ePHI and EHR. Second, it demonstrates the need to create and enforce clear policies prohibiting use of unapproved and untested cloud services. Finally, the settlement appears to have stemmed from an employee whistleblower and highlights how such whistleblowers will become more prominent considerations in cyber and data security investigations and enforcement actions.