
New Privacy Concerns Emerge As Businesses Reopen

Written by: Cameron G. Shilling & John Weaver

Published in NH Business Review (5/21/2020)

As the coronavirus crisis transitions into its next phase and the economy starts to reopen, businesses face significant new information privacy laws.

They will be collecting sensitive personal and health information about employees, customers, vendors and other individuals who work at or enter their facilities. That will include information like body temperature, past and present symptoms and illnesses, Covid-19 test results, existing health conditions that make individuals vulnerable, and the social interactions and travel histories of individuals. Most businesses are unaccustomed to the rules for properly handling such information, and are unaware of the privacy law requirements that apply to it.

Collection, use and disclosure of health information about employees is strictly limited by the Americans with Disabilities Act.
Under the ADA, requests for health information must be either related to an employee’s fitness for duty or job-related and consistent with business necessity, including to determine if employees pose a direct threat to others.

In response to the current crisis, the Equal Employment Opportunity Commission and Centers for Disease Control and Prevention are permitting the widespread gathering of health information about employees to stem the spread of the coronavirus. However, when doing so, employers still must comply with ADA privacy requirements, including gathering only the health information necessary to address Covid-19 issues, ensuring only the proper and limited use and strict confidentiality of such information, and securely retaining health information separate from other records.

Personal and health information about employees, customers, vendors and other individuals also is governed by a multiplicity of varying state, federal and foreign privacy regulations.

A few prominent examples are HIPAA, the Massachusetts Right of Privacy Act, the California Consumer Privacy Act, the New York Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, the European Union General Data Protection Regulation, or GDPR, and the Canadian Personal Information Protection and Electronic Documents Act, or PIPEDA. These laws generally apply to information that any business collects and uses about individuals who reside in those jurisdictions, even if the businesses have no physical presence there.

Privacy regulations require businesses to implement significant controls with respect to personal and health information. The most meaningful requirements include the following:

  • Notify individuals about the purposes for the collection, use and disclosure of personal and health information, and with respect to certain sensitive such information, obtain consent from individuals before engaging in such activity.
  • Ensure that the collection, use and disclosure of such information is only for legitimate purposes that are specifically permitted by applicable privacy regulations.
  • Notify individuals of their rights with respect to such information, and honor those rights whenever exercised by individuals.
  • Implement security controls that are appropriate to the sensitivity of the information collected, used, and disclosed by the business.

 

Because many businesses have not previously engaged in the widespread handling of sensitive personal and health information, they likely are unfamiliar with the privacy requirements that apply to such information, and are unaware of and unprepared to implement the controls required by such regulations. Consequently, before and as businesses reopen, they should work with an experienced cybersecurity attorney to conduct a rapid privacy risk assessment, implement the controls that can be implemented within the next several weeks, and address additional privacy law requirements over a more extended period of time.

When doing so, businesses must identify an appropriate privacy standard to use for compliance. The National Institute of Standards and Technology, or NIST, a non-regulatory technical agency that is part of the U.S. Department of Commerce, recently promulgated a comprehensive standard called the Privacy Framework. Whereas NIST’s existing standard, the Cybersecurity Framework, focused primarily on security controls, the Privacy Framework provides a useful regime for businesses to use to start to come into compliance with the multitude of differing existing and forthcoming privacy laws.

The next phase of our “new normal” will inevitably involve businesses collecting, using and disclosing a greater volume and wider variety of sensitive personal and health information. Existing privacy regulations are strict, and new such laws are emerging routinely from state legislatures. Now is the time to make your business information privacy compliant.

Cam Shilling chairs and John Weaver is a member of McLane Middleton’s Information Privacy and Security Practice Group.
