Tag Archives: privacy

Federal contractors now must provide training to their employees on protection of Personally Identifiable Information

New requirements were placed on Federal contractors this year to train their employees on the protection of personally identifiable information (known as “PII”). Under a new rule that went into effect in January 2017, all federal contractors that handle or have access to the personally identifiable information of others must provide training to their employees. The rule applies not only to large government contractors, but also to contractors “at or below the simplified acquisition threshold (SAT), and to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items.” The rule requires prime contractors to flow down these privacy training requirements to their subcontractors. Personally identifiable information (“PII”) is any type of information that may be used to trace or distinguish an individual’s identity.

Government contractors and subcontractors must ensure that their employees complete an initial privacy training course, and thereafter undergo annual refresher training. An employee must receive training if they:

  • Have access to any system of records
  • Design, maintain, develop, or operate the contractor’s system of records
  • Store, collect, create, use, maintain, or dispose of personally identifiable information on behalf of the contractor.

The training is to include:

  • Explanation of the authorized and official use of personally identifiable information, and of records containing such information
  • How to appropriately safeguard and handle private information
  • Applicable restrictions on the use, collection, access, disclosure, and disposal of personally identifiable information
  • Procedures to be followed during a suspected or confirmed breach of security for personally identifiable information

Contractors are required to customize their privacy training to fit particular employees’ duties, and the training must include foundational levels of privacy training, as well as advanced privacy training where appropriate. Employees must be tested to ensure they have the level of knowledge necessary to keep personally identifiable information private. Contractors are required to keep records of training to show what type of training particular employees received, and these records are subject to audit by the government.

Federal contractors and subcontractors need to consider which of their employees (if any) handle or have access to the personally identifiable information of others, and prime contractors need to ensure that their subcontractors comply with these new training requirements.  In addition to providing the required training, contractors and subcontractors also must comply with the record-keeping requirements in the new rule.

Filed under Contracts, News and Events

Prosecution of an Occupy Wall Street protestor may lead to clarification of privacy rights for social media accounts

The Twitterverse has been abuzz about an ongoing criminal prosecution in New York City of an Occupy Wall Street protester named Matthew Harris, and his effort to stop the government from obtaining information from his Twitter account. Mr. Harris was one of hundreds of protesters arrested during a march across the Brooklyn Bridge. He was charged with disorderly conduct for allegedly walking in the street instead of on the sidewalk. Many of the protesters, including Mr. Harris, maintain that the police directed them off the sidewalk and into the street. The case has received a great deal of attention recently because the District Attorney subpoenaed Twitter records related to Mr. Harris’s account, in the hope that his tweets might refute his claim that the police directed him to move onto the roadway. Harris moved to quash the subpoena.

There isn’t a lot of reported case law on whether people have a legitimate expectation of privacy in information that they voluntarily post on social media sites such as Facebook or Twitter, but the limited number of reported court decisions so far have generally found little or no privacy protection for a social media site user. It was not entirely surprising, therefore, that the judge in Mr. Harris’s case declined to quash the subpoena, finding that Mr. Harris lacked standing to oppose a subpoena directed toward Twitter. The judge reasoned that Twitter, not Harris, owns any information that Harris posted on his Twitter account, because the Twitter terms of service grant Twitter a license to distribute all tweets.

The denial of the motion to quash that was brought by Mr. Harris didn’t end the matter, however, because Twitter then filed its own motion to quash the subpoena.  Twitter argued in its motion that, despite the license rights that Twitter users grant to Twitter, the users themselves “own” their posts under Twitter’s terms of service. Twitter also argued that the Stored Communications Act allows users to challenge requests for their material, and that federal law requires a warrant (not just a subpoena) to access users’ communications. The distinction is important because warrants require probable cause, while a subpoena may be issued if authorities merely have a supportable belief that they are likely to uncover relevant information through issuance of a subpoena.  A number of privacy organizations, including the ACLU, the Electronic Frontier Foundation, and Public Citizen, have now filed their own submissions with the court.

Although this case is only in the pre-trial stage, the high visibility that it has garnered and the efforts by multiple organizations to use it as a vehicle for highlighting these privacy issues mean that this could end up being an important step in the process of sorting out privacy rights of social media users.

Filed under News and Events, Privacy, Social Media