Elder Abuse: Are Granny Cams a Solution, a Compliance Burden, or Both?

In Minnesota, 97% of the 25,226 allegations of elder abuse (neglect, physical abuse, unexplained serious injuries and thefts) in state-licensed senior facilities in 2016 were never investigated. This prompted Minnesota Governor, Mark Dayton, to announce plans last week to form a task force to find out why. As one might expect, Minnesota is not alone. A studypublished in 2011 found that an estimated 260,000 (1 in 13) older adults in New York had been victims of one form of abuse or another during a 12-month period between 2008 and 2009, with “a dramatic gap” between elder abuse events reported and the number of cases referred to formal elder abuse services. Clearly, states are struggling to protect a vulnerable and growing group of residents from abuse. Technologies such as hidden cameras may help to address the problem, but their use raises privacy, security, compliance, and other concerns.

With governmental agencies apparently lacking the resources to identify, investigate, and respond to mounting cases of elder abuse in the long-term care services industry, and the number of persons in need of long-term care services on the rise, this problem is likely to get worse before it gets better. According to a 2016 CDC report concerning users of long-term care services, more than 9 million people in the United States receive regulated long-term care services. These numbers are only expected to increase. The Family Caregiver Alliance reports that

by 2050, the number of individuals using paid long-term care services in any setting (e.g., at home, residential care such as assisted living, or skilled nursing facilities) will likely double from the 13 million using services in 2000, to 27 million people.

However, technologies such as hidden cameras are making it easier for families and others to step in and help protect their loved ones. In fact, some states are implementing measures to leverage these technologies to help address the problem of elder abuse. For example, New Jersey’s Attorney General recently expanded the “Safe Care Cam” program which lends cameras and memory cards to Garden State residents who suspect their loved ones may be victims of abuse by an in-home caregiver.

Common known as “granny cams,” these easy-to-hide devices which can record video and sometimes audio are being strategically placed in nursing homes, long-term care, and residential care facilities. For example, the “Charge Cam” (pictured above) is designed to look like and actually function as a plug used to charge smartphone devices. Once plugged in, it is able to record eight hours of video and sound. For a nursing home resident’s family concerned about the treatment of the resident, use of a “Charge Cam” or similar device could be a very helpful way of getting answers to their suspicions of abuse. However, for the unsuspecting nursing home or other residential or long-term care facility, as well as for the well-meaning family members, the use of these devices can pose a number of issues and potential risks. Here are just some questions that should be considered:

  • Is there a state law that specifically addresses “granny cams”? Note that at least five states (Illinois, New Mexico, Oklahoma, Texas, and Washington) have laws specifically addressing the use of cameras in this context. In Illinois, for example, the resident and the resident’s roommate must consent to the camera, and notice must be posted outside the resident’s room to alert those entering the room about the recording.
  • Is consent required from all of the parties to conversations that are recorded by the device?
  • Do the HIPAA privacy and security regulations apply to the video and audio recordings that contain individually identifiable health information of the resident or other residents whose information is captured in the video or audio recorded?
  • How do the features of the device, such as camera placement and zoom capabilities, affect the analysis of the issues raised above?
  • How can the validity of a recording be confirmed?
  • What effects will there be on employee recruiting and employee retention?
  • If the organization permits the device to be installed, what rights and obligations does it have with respect to the scope, content, security, preservation, and other aspects of the recording?

Just as body cameras for police are viewed by some as a way to help address concerns over police brutality allegations, some believe granny cams can serve as a deterrent to abuse of residents at long-term care and similar facilities. However, families and facilities have to consider these technologies carefully.

This post was written by Joseph J. Lazzarotti  of Jackson Lewis P.C. © 2017
For more legal analysis, go to The National Law Review 

Employees Sue for Fingerprint Use

Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must inter alia have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no long need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell information, and if shared must get consent for such sharing.

According to the plaintiff-employees, Peacock Foods used their fingerprints for a time tracking system without explaining in writing how the saved fingerprints would be used, or if they would be shared with third parties. According to the employees, this violated BIPA’s requirement for explaining -in the consent request- how information would be used and how long it would be kept. The employees also alleged that Peacock Foods did not have a retention schedule and program in place for deleting biometric data. The employees are currently seeking class certification.

Putting it Into Practice: This case is a reminder that plaintiffs’ class action lawyers are looking at BIPA and possible complaints that can be brought under the law. To address the Illinois law – and similar ones in Texas and Washington – companies should look at the notice and consent process they have in place.   

This post was written by Liisa M. Thomas & Mukund H. Sharma of Sheppard Mullin Richter & Hampton LLP., Copyright © 2017

For more Labor & Employment legal analysis, go to The National Law Review

Recording Conversations with Your Cellphone: with Great Power Comes Potential Legal Liability

In the cellphone age, nearly everyone walks around with a multi-tasking recording device in their pocket or purse, and it comes in handy for many of our modern problems: Your dog suddenly started doing something adorable? Open your video app and start rolling. Need to share that epic burger you just ordered with your foodie friends? There’s an app for that. Want to remember the great plot twist you just thought of for that novel you’ve been working on? Record a voice memo.

Sometimes, though, the need arises to record more serious matters. Many people involved in lawsuits choose to record conversations with their phones, all in the name of preserving evidence that might be relevant in court. People involved in contentious divorce or child custody cases, for example, might try to record a hostile confrontation that occurred during a pickup for visitation. Conversely, others might be worried that an ex-spouse has secretly recorded a conversation and plans to use it against them out of context.

But while everyone has the power to record just about anything with few swipes on their phone, do they have the legal right to do so? If not, what are the possible consequences? Can you even use recorded conversations in court? Consider these important questions before your press record.

Criminal Liability: Can you go to jail just for recording someone’s conversation?

The short answer: Yes. Under Michigan’s Eavesdropping law,[1] it is a felony punishable by up to two years and $2,000 to willfully use any device to eavesdrop on (meaning to overhear, record, amplify, or transmit) a conversation without the consent of all participants in that conversation.[2]It is also a felony for a person to “use or divulge” any information that they know was obtained through illegal eavesdropping.[3]

But there is one important distinction that Michigan courts have recognized: if you are a participant in the conversation, then you do not need permission of other participants to record the conversation (at least not when it comes to the eavesdropping law; there may be other laws that apply, as discussed below).[4] This makes sense given the purposes of the law. The theory is that if you are a participant in the conversation, then other participants at least have a chance to judge your character and determine if you are the kind of person who might relay the conversation to others (either verbally or by making a recording).

The bottom line is that if you use a device, like your cellphone, to record, overhear, amplify, or transmit a conversation that you are not a part of without the permission of all participants, you could face criminal consequences.

Civil Liability: If someone records your private conversation, can you file a lawsuit against them?

The short answer: Yes. The eavesdropping statute allows eavesdropping victims to bring a civil lawsuit against the perpetrator.[5] But the same distinction applies; you cannot sue someone for recording a conversation that they participated in.

Before filing a civil eavesdropping claim, though, consider what if anything there is to gain. The eavesdropping statute permits a judge to issue an injunction prohibiting the perpetrator from further eavesdropping. This may be a valuable remedy if there is a risk that the eavesdropper would otherwise continue eavesdropping on your conversations. The statue also allows a plaintiff to recover actual damages and punitive damages from the wrongdoer. In many cases, actual damages will likely be minimal, and punitive damages are subject to the whims of the judge or jury deciding the case. A result, the cost of litigation may exceed any monetary recovery unless actual damages are significant or the eavesdropper’s conduct was egregious enough to elicit a large punitive award from a jury.

Evidence and Admissibility: Can I use a recorded conversation in court?

Many people are familiar with the exclusionary rule that arises from the Fourth Amendment of the United States Constitution, which provides that if police officers obtain evidence as a result of an illegal search or seizure, then the prosecution is prohibited from using that evidence to support their case. This raises the question:

If a regular civilian obtains evidence by recording a conversation in violation of the eavesdropping statute, is that evidence automatically excluded from court proceedings?

The short answer: No. The exclusionary rule is specifically designed to curb the potentially oppressive power of the government in order to guarantee the protections of the Fourth Amendment, at the expense of excluding potentially valuable evidence from court proceedings. Since the Fourth Amendment only restricts government conduct, the exclusionary rule only applies to evidence obtained as a result of unconstitutional government action. As a result, even if a private citizen breaks the law and records your conversation, that recording is not automatically excluded from court.[6]

So does this mean you can use any recorded conversation in court whenever you want?

The short answer: No. Anything presented in court still needs to comply with the Rules of Evidence, and in many cases recorded conversations will not make the cut. A big reason is the hearsay rule, which says that out of court statements cannot be used to prove the truth of the matter asserted.[7] In other words, you can’t use a recording of your neighbor saying “I use my neighbor’s Wi-Fi” as evidence to prove that he was, in fact, using your Wi-Fi.

But there are many exceptions to the hearsay rule which might allow a recorded conversation into court. Salient among these exceptions is the rule that admissions of a party-opponent are not hearsay.[8] Consequently, if a man records his ex-wife’s conversation with her current husband, the hearsay rule will not prevent the man from using the recording of his ex-wife against her in a child custody case; the ex-wife is a “party-opponent” and her out-of-court statements are not considered hearsay.

Continuing this same example, note that the man’s actions would violate the eavesdropping statute (assuming he didn’t have permission to make the recording) because he was not a participant in the hypothetical conversation. But this violation would not keep the recording out of court. Nevertheless, if a prosecutor wanted to press charges, the man could be subject to criminal liability. And if the ex-wife was so inclined, she could file a civil lawsuit against the man and ask for an injunction and monetary damages.

Other Law: Is the eavesdropping statute the only law you need to worry about before recording all of your conversations?

The short answer: No, don’t hit record just yet. Even if you comply with the eavesdropping statute, there are still other potential pitfalls to be aware of. For instance, wiretapping laws govern the recording and interception of telephone calls and electronic communications, and carry criminal penalties. For inter-state phone calls, the laws of other states will come into play as well. And depending on the means you use to obtain a recording and what you do with the recording once you have it, you risk incurring civil liability for a variety of privacy torts, such as intrusion upon seclusion or public disclosure of private facts.

The safest route is to always get permission from everyone involved before recording a conversation or sharing a recorded conversation with anyone. If that’s not an option, consult with a lawyer who has had an opportunity to consider all of the facts involved in your case.

________________________________

[1] MCL 750.539 et seq.
[2] MCL 750.539a; MCL 570.539c.
[3] MCL 750.539e.
[4] See Sullivan v. Gray, 117 Mich. App. 476, 324 N.W.2d 58, 59 – 61 (1982).
[5] MCL 750.539h.
[6] See, e.g., Swan v. Bob Maxey Lincoln Mercury, No. 216564, 2001 WL 682371, at *2 n3 (Mich. Ct. App. Apr. 24, 2001)
[7] MRE 802.
[8] MRE 801(d)(2).

This post was written by Jeffrey D. Koelzer of  Varnum LLP © 2017
For more legal analysis go to The National Law Review

Employees Celebrate Chip Party: Embedding RFID Chips – Would You Agree to This?

On 1 August 2017, employees of a Wisconsin-based technology company enjoyed a “Chip Party” – but not the salty kind.  21 of Three Square Market’s 85 employees agreed to allow their employer to embed radio frequency identification chips in their bodies. We are familiar with the Internet of Things, is this the Internet of People?

Three Square Market (known as 32M) highlighted the convenience of microchipping their employees, reporting that they will be able to use the RFID chip to make purchases in the company break room, open doors, access copy machines and log in to their computers.

While the “chipped” employees reported that they felt only a brief sting when the chips were inserted, chipping employees draws deeper cuts through ethical and privacy issues.

One such issue is the potential for the technology to gradually encroach with further applications not contemplated by its original purpose. RFID technology has the potential to be used for surveillance and location-tracking purposes, similar to GPS technology. It also has potential to be used as a password or authentication tool, to store health information, access public transport or even as a passport.

While these potential applications will offer convenience to employers and consumers, the value of the information generated by each transaction is arguably greater for the marketers, data brokers and law enforcement entities that use it for their own purposes. Once data like this exists it can be accessed in all manner of circumstances.  Can you ever provide sufficient advice and counselling to employees to create informed consent free from the power imbalance of the employment relationship?

All keen on tech here at K&L Gates, but no one was putting their hand up for a similar program here, we’ll all just use our pass card to open the door, thanks.  We were left brainstorming films that use implants to see where this technology could take us as it is all too common in Sci-Fi films.  Have a look at The Final Cut, 2004 (warning 37% Rotten Tomato rating), where implants took centre stage by storing people’s experiences.  We are not there yet, but we have taken the first wobbly step on the path.

Read more about 32M’s use of RFID chips here.

See here to find out more about tracking employees with other technologies.

Read more legal analysis on the National Law Review.

Olivia Coburn and Cameron Abbott of K&L Gates contributed this article.

Privacy Hat Trick: Three New State Laws to Juggle

Nevada, Oregon and New Jersey recently passed laws focusing on the collection of consumer information, serving as a reminder for advertisers, retailers, publishers and data collectors to keep up-to-date, accurate and compliant privacy and information collection policies.

Nevada: A Website Privacy Notice is Required

Nevada joined California and Delaware in explicitly requiring websites and online services to post an accessible privacy notice. The Nevada law, effective October 1, 2017, requires disclosure of the following:

  • The categories of “covered information” collected about consumers who visit the website or online service;

  • The categories of third parties with whom the operator may share such information;

  • A description of the process, if any, through which consumers may review and request changes to their information;

  • A description of the process by which operators will notify consumers of material changes to the notice;

  • Whether a third party may collect covered information about the consumer’s online activities over time and across different Internet websites or online services; and

  • The effective date of the notice.

“Covered Information” is defined to include a consumer’s name, address, email address, telephone number, social security number, an identifier that allows a specific person to be contacted physically or online, and any other information concerning a person maintained by the operator in combination with an identifier.

Takeaway: Website and online service operators (including Ad Techs and other data collectors) should review their privacy policies to ensure they are disclosing all collection of information that identifies, can be used to contact, or that is combined with information that identifies consumers. Website operators should also be sure that they are aware of, and are properly disclosing, any information that is shared with or collected by their third-party service providers and how that information is used.

Oregon: Misrepresentation of Privacy Practices = Unlawful Trade Practice.

Oregon expanded its definition of an “unlawful trade practice”, effective January 1, 2018, to expressly include using, disclosing, collecting, maintaining, deleting or disposing of information in a manner materially inconsistent with any statement or representation published on a business’s website or in a consumer agreement related to a consumer transaction.The new Oregon law is broader than other similar state laws, which limit their application to “personal information”. Oregon’s law, which does not define “information”, could apply to misrepresentations about any information collection practices, even if not related to consumer personal information.

Takeaway: Businesses should be mindful when drafting privacy policies, terms of use, sweepstakes and contest rules and other consumer-facing policies and statements not to misrepresent their practices with respect to any information collected, not just personal information.

New Jersey: ID Cards Can Only be Scanned for Limited Purposes (not Advertising)

New Jersey’s new Personal Information and Privacy Protection Act, effective October 1, 2017, limits the purposes for which a retail establishment may scan a person’s identification card to the following:

  • To verify the authenticity of the card or the identity of the person paying for goods or services with a method other than cash, returning an item or requesting a refund or exchange;

  • To verify the person’s age when providing age-restricted goods or services to the person;

  • To prevent fraud or other criminal activity using a fraud prevention service company or system if the person returns an item or requests a refund or exchange;

  • To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;

  • To establish or maintain a contractual relationship;

  • To record, retain, or transmit information required by State or federal law;

  • To transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the Fair Credit Reporting Act and the Fair Debt Collection Practices Act; or

  • To record, retain, or transmit information governed by the medical privacy and security rules of the Health Insurance Portability and Accountability Act.

The law also prohibits the retention of information scanned from an identification card for verification purposes and specifically prohibits the sharing of information scanned from an identification card with a third party for marketing, advertising or promotional activities, or any other purpose not specified above. The law does make an exception to permit a retailer’s automated return fraud system to share ID information with a third party for purposes of issuing a reward coupon to a loyal customer.

Takeaway: Retail establishments with locations in New Jersey should review their point-of-sale practices to ensure they are not scanning ID cards for marketing, advertising, promotional or any other purposes not permitted by the New Jersey law.

Read more legal analysis at the National Law Review.

This post was written byJulie Erin Rubash of  Sheppard Mullin Richter & Hampton LLP.

Weapons in the Cyber Defense Arsenal

In May 2017, the world experienced an unprecedented global cyberattack that targeted the public and private sectors, including an auto factory in France, dozens of hospitals and health care facilities in the United Kingdom, gas stations in China and banks in Russia. This is just the tip of the iceberg and more attacks are certain to follow. As this experience shows, companies of all sizes, across all industries, in every country are vulnerable to cyberattacks that can have devastating consequences for their businesses and operations.

The Malware Families

Exploiting vulnerabilities in Microsoft® software, hackers launched a widespread ransomware attack targeting hundreds of thousands of companies worldwide. The vector, “WannaCry” malware, encrypts electronic files and locks them until released by the hacker after a ransom is paid in untraceable Bitcoin. The malware also has the ability to spread to all other computer systems on a network. On the heels of WannaCry, a new attack called “Adylkuzz” is crippling computers by diverting their processing power.

The most prevalent types of ransomware found in 2016 were Cerber and Locky. Microsoft detected Cerber, used in spam campaigns, in more than 600,000 computers and observed that it was one of the most profitable of 2016. Spread via malicious spam emails that have an executable virus file, Cerber has gained increasing popularity due to its Ransomware-as-a-Service (RaaS) business model, which enables less sophisticated hackers to lease the malware.

data security privacy FCC cybersecurityCheck Point Software indicated that Locky was the second most prevalent piece of malware worldwide in November 2016.  Microsoft detected Locky in more than 500,000 computers in 2016. First discovered in February 2016, Locky is typically delivered via an email attachment (including Microsoft Office documents and compressed attachments) in phishing campaigns designed to entice unsuspecting individuals to click on the attachment. Of course, as the most recent global attacks demonstrate, hackers are devising and deploying new variants of ransomware with different capabilities all the time.

The Rise of Ransomware Attacks

The rise in ransomware attacks is directly related to the ease with which it is deployed and the quick return for the attackers. The U.S. Department of Justice has reported that there was an average of more than 4,000 ransomware attacks daily in 2016, a 300 percent increase over the prior year. Some experts believe that ransomware may be one of the most profitable cybercrime tactics in history, earning approximately $1 billion in 2016. Worse yet, even with the ransom paid, some data already may have been compromised or may never be recovered.

The risk is even greater if your ransom-encrypted data contains protected health information (PHI). In July 2016, the U.S. Department of Health and Human Services, Office of Civil Rights (HHS/OCR) advised that the encryption or permanent loss of PHI would trigger HIPAA’s Breach Notification Rule for the affected population, unless a low probability that the recovered PHI had been compromised could be demonstrated. This means a mandated investigation to confirm the likelihood that the PHI was not accessed or otherwise compromised.

Ransomware Statistics

According to security products and solutions provider Symantec Corporation, ransomware was the most dangerous cybercrime threat facing consumers and businesses in 2016:

  • The majority of 2016 ransomware infections happened in consumer computers, at 69 percent, with enterprises at 31 percent.

  • The average ransom demanded in 2016 rose to $1,077, up from $294 in 2015.

  • There was a 36 percent increase in ransomware infections from 340,665 in 2015 to 463,841 in 2016.

  • The number of ransomware “families” found totaled 101 in 2016, triple the 30 found in 2015.

  • The biggest event of 2016 was the beginning of RaaS, or the development of malware packages that can be sold to attackers in return for a percentage of the profits.

  • Since January 1, 2016, more than 4,000 ransomware attacks have occurred − a 300 percent increase over the 1,000 daily attacks seen in 2015.

  • In the second half of 2016, the percentage of recognized ransomware attacks from all malware attacks globally doubled from 5.5 percent to 10.5 percent.

The Best Defense Is a Good Offense

While no perfectly secure computer system exists, companies can take precautionary measures to increase their preparedness and reduce their exposure to potentially crippling cyberattacks. While Microsoft no longer supports Windows XP operating systems, which were hit the hardest by WannaCry, Microsoft has made an emergency patch available to protect against WannaCry. However, those still using Windows XP should upgrade all devices to a more current operating system that is still fully supported by Microsoft to ensure protection against emerging threats. Currently, that means upgrading to Windows 7, Windows 8 or Windows 10.

Even current, supported software needs to be updated when prompted by the computer. Those who delay installing updates may find themselves at risk. Microsoft issued a patch for supported operating systems in March 2017 to protect against the vulnerability that WannaCry exploited. Needless to say, many companies did not bother to patch their systems in a timely manner.

Ransomware creates even greater business disruption when a company does not have secure backups of files that are critical to key business functions and operations. It also is important for companies to back up files frequently, because a stale backup that is several months old or older may not be particularly useful. Companies also should make certain that their antivirus and anti-malware software is current to protect against emerging threats.

In addition, companies need to train their employees on detecting and mitigating potential cyber threats. Employees are frequently a company’s first line of defense against many forms of routine cyberattacks that originate from seemingly innocuous emails, attachments and links from unknown sources. Indeed, many cyberattacks can be avoided if employees are simply trained not to click on suspicious links or attachments that could surreptitiously install malware.

Last but not least, companies should consider purchasing cyber liability insurance coverage, which is readily available. While cyber policies are still evolving and there are no standardized policy forms, coverage can be purchased at varying price points with different levels of coverage. Some of the more comprehensive forms of coverage provide additional “bells and whistles” such as immediate access to preapproved professionals that can guide companies through the legal and technical web of cybersecurity events and incident response.

Other cyber policies afford bundled coverages that may include:

  • The costs of a forensics investigation to identify the source and scope of an incident

  • Notification to affected individuals

  • Remediation in the form of credit monitoring and identity theft restoration services

  • Costs to restore lost, stolen or corrupted data and computer equipment

  • Defense of third-party claims and regulatory investigations arising out of a cyberattack.

 

This post was written by Anjali C. Das, Kevin M. Scott and John Busch of Wilson Elser Moskowitz Edelman & Dicker LLP.data security privacy FCC cybersecurity

Sharing Cyber Threat Information

HIPAA PRIVACY ISAOsThe Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities.  Therefore, in advising their companies’ management, general counsel and others  might benefit from reviewing the FAQ’s and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in several certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQ’s can be accessed at :  https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

©2017 Epstein Becker & Green, P.C. All rights reserved.