In Strategic CIO 360, Fran Faircloth Discusses the Patchwork Quilt of Employee Privacy Laws
With an abundance of new electronic forms of communication, data being produced at ever-increasing volumes, and privacy regulations that differ from state to state and from country to country, businesses increasingly face ethical challenges in assuring employee confidentiality, data and biometric oversight, and corporate compliance.
Fran Faircloth, partner and core member of Ropes & Gray’s data, privacy & cybersecurity practice, told Strategic CIO 360, “The U.S. doesn’t have a comprehensive employee privacy law. [Employers must comply with] a patchwork quilt of privacy laws that can vary widely. States like Utah, Virginia, Colorado and Connecticut have passed similar laws, and other states have bills circulating, but until they make it through [the legislative process], it’s a waiting game to learn what they will cover.”
The only federal law limiting employer surveillance is the 1986 Electronic Communications Privacy Act (ECPA), which forbids an employer from eavesdropping on employees’ spoken personal conversations but not on their electronic communications. By contrast, the General Data Protection Regulation (GDPR) in the EU stipulates that any information relating to an identifiable person, such as an employee’s name or online identifier, must be secured, protected, and kept confidential.
As privacy laws continue to be defined and refined at the state level, Fran recommends that CIOs assemble a well-crafted data access authorization governance program. “It’s the most important first step in securing and protecting all corporate data,” she said.