Posts Tagged ‘Workplace Privacy’
NJ Assembly Bill A-1238 requires the destruction of records stored on digital copy machines under certain circumstances in order to prevent identity theft
By Alice Cheng
Last week, the New Jersey Assembly passed Bill A-1238 in an attempt to prevent identity theft. This bill requires that information stored on photocopy machines and scanners be destroyed before devices change hands (e.g., when resold or returned at the end of a lease agreement).
Under the bill, owners of such devices are responsible for the destruction, or arranging for the destruction, of all records stored on the machines. Most consumers are not aware that digital photocopy machines and scanners store and retain, on their hard drives, copies of documents that have been printed, scanned, faxed, and emailed. That is, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of the photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.
Any willful or knowing violation of the bill’s provisions may result in a fine of up to $2,500 for the first offense and $5,000 for subsequent offenses. Identity theft victims may also bring legal action against offenders.
To avoid these consequences, businesses should be mindful of the type of information stored and ensure that any data is erased before reselling or returning such devices. Business owners should be especially mindful, as digital copy machines may also contain trade secrets and other sensitive business information.
Companies are increasingly allowing their employees to use their own personal mobile devices, such as laptops, tablets, and smartphones, to remotely access work resources.
This “bring your own device” trend can present certain security and privacy risks for companies, especially in regulated industries where different types of data require different levels of security. At the same time, companies need to also be mindful of employee privacy laws.
Most individuals now have personal mobile devices, and companies are finding it increasingly convenient to allow employees (and in certain situations, independent contractors) to access company data and networks through these personally owned devices. However, when an organization agrees to allow employees to use their own personal devices for company business, it loses control over the hardware and how it is used. This creates security and privacy risks with regard to the proprietary and confidential company information stored or accessible on those devices, which can lead to potential legal and liability risk. Similarly, when employees use the same device for both personal and professional use, determining the line between the two becomes difficult. If your company is considering letting its employees use their personal devices in the workplace, you should consult with an attorney to craft a policy that’s right for your business.
I recently had the opportunity to speak with Karen Boman of Rigzone about RFID technology and workplace privacy. Although the article focuses on the oil industry, the best practices of openness and transparency are generally applicable to most workplaces. The entire article can be found here, and makes for an engaging and informative read.
RFID technology in and of itself does not pose a threat to privacy – it’s when the technology is deployed in a way not consistent with responsible privacy information security practices that RFID becomes a problem, said Aaron Messing, associate with Union, N.J.-based OlenderFeldman LLP. Messing handles privacy issues for clients that include manufacturing and e-commerce firms.
Legal issues can arise if a company is tracking its employees secretly, Messing noted, or if it places a tracking device on an employee’s property without permission.
He recommends that clients should follow basic principles of good business practices, including making employees aware they are being monitored and getting written consent.
“Openness and transparency over how data is tracked and what is being used is the best policy, as employees are typically concerned about how information on them is being used,” Messing commented. “We advise clients to limit their tracking of employees to working hours, or when that’s not feasible, they should only access the information they want to track, such as working hours.”
The clients Messing works with that use RFID typically use the technology for tracking inventory, not workers. Messing can see where RFID would have legitimate uses on an oil rig. In the case of oil rigs, RFID tracking can be a good thing in case of emergency, as RFID makes it possible to determine whether all employees have been evacuated or how evacuation plans should be formed, Messing commented.
“It really depends on what the information is being used for,” Messing commented. However, employers that don’t have legitimate reasons for tracking workers can result in loss of morale among workers or loss of workers to other companies.
Workers who have RFID lanyards or tags can leave their tags at home once the work day is over to avoid being tracked off-hours. However, employees generally don’t have a lot of rights in terms of privacy while on the job. “Since an employee is being paid to work, the expectation is that employers have a right to track employees’ activities,” said Messing. This activity can include monitoring phone conversations, computer activity, movements throughout a building and bathroom breaks.
However, companies should try to design monitoring programs that are respectful of employees.
“Companies that do things such as block personal email or certain websites and place a lot of restrictions on workers may do more harm than good, since workers don’t like feeling like they’re not trusted or working in a nanny state,” Messing commented.
[Image: CCTV Camera, by Colin Russell]
On Tuesday, October 18th, a 40-something-year-old actress filed a lawsuit against IMDb and Amazon for publishing her real name and age on IMDb’s website. Entertainment Weekly asked Michael J. Feldman, Esq., CIPP, to weigh in on the merits of the plaintiff’s privacy claim.
Making the case even less promising, Feldman thinks the $1 million price tag on Doe’s suit is unreasonable: “She will have an extremely difficult time proving damages under the facts alleged.” Added Feldman, a founding member of privacy and data protection consulting firm Acentris: “Even if IMDb is at fault, damages are limited to the total amount [she] paid” as an IMDbPro subscriber.
To read more on this intriguing matter, click here.