by Joan Tupponce
For Virginia Business
The gray line between the public’s right to security and an individual’s right to privacy has come under increased scrutiny since last April when a mentally disturbed Virginia Tech student, Seung-Hui Cho, killed 32 people before taking his own life. The massacre raised questions about how far an institution should go in getting treatment for the mentally ill and making sure they cannot harm others.
“One of the prerogatives of colleges and universities is to identify troubled students and to intervene when they have concerns without violating reasonable expectations of privacy,” says Richard J. Bonnie, chair of the state Commission on Mental Health Law Reform and director of the University of Virginia’s Institute of Law, Psychiatry and Public Policy. “With Virginia Tech, the dots just never got connected. There was abundant evidence about Cho, but the information was never shared and therefore there were numerous missed opportunities for intervention.”
A state commission that investigated the shootings found that school officials believed they couldn’t share information about Cho’s mental condition because of federal laws governing the privacy of health and education records. In reality, there is “ample leeway to share information,” the commission concluded, when a situation is potentially dangerous.
“People have misunderstood what the federal legislation requires,” Bonnie says. “They were interpreting it to be more restrictive than it is. There is clearly a lack of clarity regarding right to privacy.”
Privacy issues in the workplace
That lack of clarity carries over to the corporate world, where businesses face a number of privacy issues relating to technology, trade secrets, intellectual property, breaches of security and the sharing of company, employee or customer information. There is also the issue of an employee’s right to privacy at work.
“Advances in technology give us the technical ability to monitor the activity of employees and customers with a breadth and a depth that would simply have not been feasible even 10 years ago,” says Rod Smolla, dean of the Washington and Lee University School of Law and an expert on privacy law. Monitoring someone’s every move or keystroke can be “chafing on most of us. It offends our sense of dignity and freedom,” he says.
The Virginia Tech incident highlights the dilemma that universities and businesses face when disclosure of protected medical or mental health information could potentially prevent harm to the patient and others. Businesses that are privy to medical or mental health records must comply with the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of an individual’s information. It is a federal offense to knowingly disclose information covered by HIPAA for an unlawful purpose.
“That’s a challenge for all of us,” says Phil Stone, president of Bridgewater College. “To what extent can employment records be used? If we see someone with a troubled history, how can we intervene? The only way is to have information that is deemed private and legally protected.”
‘There has to be a balance’
Melanie C. Holloway, director of the Intellectual Property Institute at the University of Richmond, believes that Virginia legislators debating changes in state law are apt to move toward the “disclosure of private information, namely mental health records, for the protection of the public.”
“I don’t think it is black and white as to where privacy for an individual ends and disclosure begins,” she says. “There has to be a balance. You have to weigh the danger to the public against an individual’s right to privacy.”
The right to privacy was the central issue explored by the Virginia Bar Association at a conference held last month in Williamsburg. David Craig Landin, chairman of the VBA’s Committee on Special Issues of National and State Importance, opened the program. “Once 9/11 occurred and Homeland Security was created, we found that a number of what people viewed as clear privacy rights weren’t viewed by the government as being clear rights,” says Landin, a senior partner at Hunton & Williams in Richmond. “They were viewed as rights that needed to give way to changed circumstances.”
One of the privacy issues raised since 9/11 concerns customer data collected by companies. In 2006, several of the nation’s largest telecommunication companies were sued after they reportedly turned over information to the National Security Agency.
In terrorism and national security cases, the Patriot Act allows FBI agents armed with a National Security Letter (NSL) to demand that a company turn over data, including Web site visits and e-mails. Currently, businesses are forbidden from disclosing that they have received NSLs. “From the business perspective, if a business can’t explain to its customers why it is releasing information, it becomes a public relations issue,” says Holloway. “The company is subject to public scrutiny because it has disclosed personally identifying information to the government.”
Protecting trade secrets
Cases regarding right to privacy rarely make it to the courtroom of Judge R. Terrence Ney of the Circuit Court of Fairfax County. When they do, they usually involve confidential information such as trade secrets. This information comes into play, for example, when an employee who has signed a noncompete agreement leaves the company. “Anything that looks like a restraint of trade is looked at with scrutiny and skepticism,” Ney says.
To protect confidential information from becoming public record, attorneys for a company usually ask the court to seal the file. “It takes a compelling argument for a judge to seal a file because courts are supposed to be open to the public,” Ney says. “We often say when you find yourself in a lawsuit, you have given up the right to privacy.”
The evolving attitudes toward the right to privacy are as much a result of changing generations as they are of changing circumstances, says Circuit Judge Louis Lerner of Hampton. “I’ve come to the conclusion that things that may be private for our generation aren’t nearly as private to our children,” he says, citing easy access to information on Web sites such as MySpace and Facebook. “I also think consumers of business have a lower expectation of privacy than they once did. [That coupled with the] tragedy of 9/11 and Virginia Tech make us aware of the eroding of what we may hold to be private.”
The roots to the right to privacy
The right to privacy is a concept rooted in the Bill of Rights, and numerous cases have been built around it for more than 40 years. “The U.S. Supreme Court first cited the right in the bill during the 1965 case of Griswold v. Connecticut,” says Melanie C. Holloway, director of the Intellectual Property Institute at the University of Richmond. In that case, the Supreme Court held that a Connecticut law forbidding use of contraceptives unconstitutionally intruded upon the right of marital privacy.
Another milestone in the evolution of the right to privacy was the Roe v. Wade decision in 1973 legalizing abortion. The court also recognized that “a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution,” Holloway says.
In the past dozen years, Congress has passed laws related to the right to privacy, including:
• the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996;
• the Children’s Online Privacy Protection Act (COPPA), enacted in 1998;
• the Gramm-Leach-Bliley Act of 1999, which requires transparency from financial institutions;
• the Do-Not-Call Registry, opened in 2003; and
• the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act of 2003, which restricts unsolicited e-mails.