HR Tech Corner: Cyber Security Laws in the U.S.A. – Part I

Cyber security is an emerging area of law that no organization can afford to ignore. In the United States, understanding cyber security means being familiar with a host of both state and federal laws. With that in mind, we are kicking off our series on cyber security with a look at the major federal laws that touch on this topic:

The Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) regulate the interception of electronic communications and unauthorized access to computers, respectively. These laws address what communications employers may or may not intercept, but they do not require notification to those "injured" under the law, i.e., the people whose communications are intercepted. Typically, if the employee is communicating through business-related software owned by the employer, such as Outlook, there is no violation. Still, employers should state in a written policy that they monitor this software, so that employees are on notice and have consented to the monitoring. If you need policy language, Employers Council provides it in the Employee Handbook Planning Guide section of our website.

The Federal Trade Commission Act (FTC Act), the Financial Services Modernization Act (which we will abbreviate as "GLB" for its other name, the Gramm-Leach-Bliley Act), and the Children's Online Privacy Protection Act (COPPA) are all enforced by the Federal Trade Commission. The FTC Act prohibits unfair or deceptive practices, and the FTC applies it to privacy and data-security policies: a company that fails to live up to its own stated policy can be charged with a deceptive practice. GLB covers financial institutions, including any business providing financial services and products, and limits the disclosure of customers' personal information. COPPA concerns the online collection of information from children under 13. These laws also do not require injured parties to be notified of data breaches, and they generally cover only employers in certain industries. Employers in those industries generally are well aware of the laws.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) and the Telephone Consumer Protection Act (TCPA) regulate commercial email messages and telemarketing calls, texts and faxes, respectively, including how email addresses and telephone numbers may be collected and used. A recent increase in penalties is causing the Federal Communications Commission (FCC) to enforce these laws more vigorously. Neither law typically impacts the employment relationship.

The Fair Credit Reporting Act (FCRA) requires employers to notify applicants when unfavorable information in a background check is used against them, and it requires consumer reporting agencies that know of inaccurate data to correct it. The employer's notice must be given when it uses information in a background check done by a third party to deny employment. Employers must first notify the applicant and then provide a reasonable time for the applicant to dispute and fix the information if it is inaccurate before the employer makes its final decision. While neither case law nor regulations define "reasonable," five days is typical.

The Health Insurance Portability and Accountability Act (HIPAA) regulates the disclosure of certain medical information. It applies to people and entities that have access to "protected health information." (This definition is a legal term of art, so if you are not sure what falls under it, please contact us.) HIPAA's regulations also apply to the electronic transmission of medical data. Employers must guard employee medical information that meets the definition of protected health information from release. Workers' compensation information about a work-related injury is not protected health information, nor is medical information obtained in order to comply with the Family and Medical Leave Act or the Americans with Disabilities Act. While this information should still not be shared for other reasons, HIPAA's breach notification rules will not apply in these scenarios. If the employer or the employer's carrier has health information as a result of the employer's health insurance plan, this is likely protected health information and must not be shared.

The next article in this series will cover state laws that require certain protections for data security.