Archives: Employee Privacy

Mintz Levin employment lawyer Don Schroeder was recently quoted in this Law360 Article entitled Microsoft Steps in Privacy Quagmire With Email Snooping. The article focuses on the controversial choice by Microsoft Corp. to search a blogger’s e-mail account for evidence of leaked trade secrets by its former employee.  The article also explores whether or not the company will face charges and how it will fare against public opinion.


Written by Amy Malone

There’s been a lot of talk about big data over the last few years and the breaches at Target and Neiman Marcus have many companies running in circles trying to figure out how to protect their systems and their data.  So what are some of the big issues in our current technology landscape?

Read the full post: Data: Big, Borderless and Beyond Control? Five Things You Can Do

And, no — it was not a big fat bonus.  On this 10th Day of Privacy, we look ahead at employment-related privacy issues ….

Written by Michael Arnold

As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues.  Here are five developments that we are monitoring (pun intended) as we enter the New Year.

1. The Law Starts to Catch up With the Technology

It is axiomatic that the law will always lag behind technology.  This is no less true in the workplace.  Over the last few years, employers have begun infiltrating employee Facebook and other social media (and personal e-mail) accounts to monitor applicant or employee activity.  Typically, the employer will demand that an applicant or employee supply his or her username and password to the account on the basis that it needs to better vet an applicant or to ensure that the current employee has not engaged in any wrongdoing that may hurt the company’s legitimate business interests.  Employees have protested this as an overreach by prying employers intent on invading their right to privacy.

In response, many states have started to pass laws restricting employer access to employee social media and other accounts containing personal information.  According to the National Conference of State Legislatures, ten states passed social media-related privacy legislation in 2013, including New Jersey’s law, which went into effect this month.  But legislation has been introduced or is pending in 36 states, so employers should surely anticipate some of these bills becoming law in 2014.

2. So Tell Us Your Honor, What Do These Laws Mean?

Not surprisingly, each of these states’ social media privacy laws varies in substance.  What one law prohibits, another law permits; what one law defines in a certain way, another law defines differently; where one law provides for exceptions to the rule, another law says no ifs, ands or buts.  Worse yet, as they are apt to do, state legislatures drafted many of these laws using vague or undefined terminology.  Thus, in 2014, we expect courts to start interpreting these laws with increasing frequency.

State laws aside, courts have also begun to grapple with whether unauthorized employer access to employee social media information violates other statutes, like the Federal Stored Communications Act, and/or an employee’s common law right to privacy.  A New Jersey Federal Court recently addressed these issues in Ehling v. Monmouth-Ocean Hospital, finding that the employee’s post was covered under the Stored Communications Act, but that the employer escaped liability under the Act’s authorized user exception based on the circumstances there.  This decision should give pause to employers not subject to a state law who are trying to access an employee’s social media or personal email account to investigate employee wrongdoing.

On a related note, it feels like a week doesn’t go by now where we don’t see a court addressing an employer’s request to access an employee’s social media information in discovery during an employment litigation matter.  For example, the employee claims she was unfairly dismissed for taking leave to nurse a back injury.  The employer claims it fired her not for taking the leave, but because it heard through the grapevine that she was out dancing on a table at the trendiest nightclub rather than nursing her injury.  During discovery, the employer demands access to the employee’s Friendster (just kidding, I mean) Facebook account to see whether the employee has posted content on that account that would support its suspicion, while the employee argues that the employer is just engaging in a fishing expedition.  To date, opinions on these issues have varied, but we expect that a body of procedural law will continue to emerge over the next year, allowing defendant employers and plaintiff employees to better understand the role social media will play during discovery.

3. Your Greatest Strength May Be One of Your Biggest Weaknesses

All this talk thus far has been about an employer’s attempt to gain access to their employees’ personal information.  But “privacy” can run both ways.  Recently, the Equal Employment Opportunity Commission, a federal administrative body, accessed an employer’s e-mail servers and sent an e-mail blast to the business accounts of more than 1,300 employees (managerial and non-managerial) without any prior notice or consent of the employer in order to collect evidence and enlist potential claimants to file a class action age discrimination lawsuit against the employer.  The employer, citing privacy violations, sued the EEOC in federal court.  The EEOC has asked the court to dismiss the case saying it acted properly.

A decision against the employer will have serious implications.  Among other things, the EEOC (or other administrative bodies), in accessing an employer’s e-mail servers, could significantly disrupt an employer’s operations and impair its working relationship with a (likely confused) workforce.  Employees may feel compelled to respond to an e-mail from the government, and this could be especially troublesome for employers when managers, who may bind the corporation, feel compelled to respond.  Further, this investigation method may allow the EEOC to obtain evidence of wrongdoing outside the scope of its original investigation (here, the e-mail did not tell the employees that the EEOC was investigating age discrimination only).

Meanwhile, another federal administrative agency, the United States Department of Labor, is busy working with third-party software developers to develop smartphone social media applications designed to “internet shame” employers who fail to comply with wage and hour and other employment laws.  We wrote about the disconcerting implications of this strategy here.

And then there is the threat to employers that someone will violate their “privacy” by hacking into their electronic systems.  While we don’t have the space in this entry to address this topic at length, it is worth noting that last year, the Federal Financial Institutions Examination Council (FFIEC) issued a report entitled “Social Media: Consumer Compliance Risk Management Guidance”, in which it warned that a financial institution’s use of social media can greatly expose it to external attacks by hackers, resulting in the possible theft of employer and/or employee confidential information.  All employers, not just financial institutions, should take note of the warnings set forth in this report.

4. Wait, Our Employees Work in an Office, Not in a Factory; What’s the NLRB Doing Here?

The past few years have seen the National Labor Relations Board devote significant attention to traditionally non-unionized workplaces.  In particular, the NLRB has focused on, among other things, employer restrictions on employee social media use and investigation confidentiality.

The NLRB will continue to attack and strike down employer social media policies and related disciplinary decisions that penalize employees who seek to speak freely over social media regarding the terms and conditions of their employment without employer intrusion or other interference.  Further, the NLRB has sought to strike down employer policies that require employees, upon the threat of discipline, not to discuss the details of any ongoing investigation because, once again, such policies will in some cases unlawfully infringe on employees’ right to freely discuss the terms and conditions of their employment.

A newly confirmed, employee-friendly Board member has recently stated that the Board expects to continue devoting resources to these types of issues into 2014 and beyond.

5. When Did We Start Living in the World of George Jetson?

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers from using an employee’s genetic information when making employment-related decisions and from requesting or requiring an employee to supply genetic information about the employee or the employee’s family.  Congress passed the law, in part, in response to employers using genetic testing to control expenses — e.g., an employer refuses to hire an individual whom testing revealed to be susceptible to cancer in order to save on potential healthcare premiums in the future.

One issue that has arisen from this law relates to whether an employer would be in violation when it needs to request private health-related information to process an employee’s request for medical leave or for a reasonable accommodation.  In those cases, to avoid liability, employers must make sure that they satisfy GINA’s safe harbor rule, which will treat the disclosure of such information as “inadvertent” as long as the employer previously informed the employee that they (or their health care provider) should not provide genetic information when responding to these health information requests.  However, those employers that do inadvertently receive this information should take the necessary steps to keep the information private, including by keeping it in a separate file.

Further, while GINA has been in effect for about five years, we are finally starting to see the first enforcement actions brought by the EEOC (see here and here for some examples).  We expect the EEOC to file additional cases in 2014.  The EEOC is taking a serious stance that an employee’s genetic information should remain private and not part of any employer decision-making process.

* * * * *

What all these issues have in common is that, as we head into 2014, they demonstrate that now is as good a time as any to review your existing policies that address employee and employer confidential information to ensure compliance with federal and state laws and regulations, and in order to better protect your legitimate business interests.

. . . a delayed delivery notice for the biggest package of the holiday season!

Written by Susan Foster, Solicitor, England & Wales/Admitted in California, CIPP-E

(LONDON) Major changes are on the way in Europe that will have a significant impact on companies anywhere in the world that collect or process personal data of residents of the EU.  But what will the precise nature of those changes be . . . and when will they arrive?  The draft Data Protection Regulation is still being negotiated by the various political institutions of the EU.  While there is a slim chance that the final version will be promulgated before the next EU parliamentary elections in 2014, many commentators think that’s unlikely.  If the Regulation is not finalized before the elections, it will be subject to further discussion by the new parliamentary members and will roll into 2015.  (The political process is recapped below.)

However, even without a final draft of the Regulation, we can be reasonably certain about a number of features of the new legislation. And 2014 will almost certainly see changes to the US Safe Harbor regime in response to the EU’s pointed criticisms and recommendations that need to be addressed (under the threat that the Safe Harbor regime could be revoked by the EU).  See our previous commentary on potential Safe Harbor changes and recommendations for action here.

What should US companies who deal with EU personal data do now (well, as soon as the holidays are over)?

Without a definitive draft of the Regulation or confirmation as to how Safe Harbor will change, the best way to prepare for the new Regulation and potential changes to Safe Harbor is to get a very thorough knowledge of data flows within your organization and to or from third parties.  Companies should have a comprehensive grasp of what personal data is collected, where it came from, how it is used and for what purposes, whether any consents have been obtained, and how it is stored (including security measures).  What contractual protections are in place to govern how data is used and protected when there are transfers between companies (either within a corporate group or outside of a group)?  Is any of the data “sensitive” personal data under the current EU Directive?  Can you articulate “legitimate purposes” for your use of the data (again, per the current Directive)?  Do you have good records of consent that can be tied to particular data?

In other words, if you audit your company’s compliance with the current Directive (and Safe Harbor, if you are registered) and get a thorough understanding of your data flows, it will be much easier to figure out what you might need to change under the new Regulation.  Perhaps a good New Year’s resolution for 2014.

After all of the political wrangling of 2013, what’s likely to be in the new Regulation?

The negotiations aren’t over yet, but here are some key principles upon which the Parliament and the Commission seem to generally agree.

  • Substantial fines for non-compliance.  The Parliament wants fines of up to 5% of global turnover.  The Commission had proposed 2%.  Even if the final percentage is between those two figures, the fact that fines can be levied on global turnover means that we are talking about potentially huge fines.
  • Expansion of definition of “Personal Data.” As explained by the Commission, “personal data” is defined as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, your bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”  Genetic and biometric data will be specifically addressed in the Regulation.
  • One-Stop Shop.  The latest draft of the Regulation keeps the concept of allowing companies to sign up with a single national regulator in the EU, which would greatly simplify compliance in terms of logistics.  However, this key pro-business principle was recently attacked by the legal advisor to the Council of the European Union (which is effectively the voice of the individual governments of the Member States) as potentially contrary to European human rights.  If the one-stop shop is not included in the Regulation, one of the primary pro-business benefits of the new law will be lost.
  • Express Consent Requirement To Process Personal Data – but you may not be able to rely on consent in many situations.  Data controllers (e.g., any company that collects personal information) are required to obtain (and not assume) the express consent of the data subject to the processing of his/her personal data for one or more specific purposes, unless processing is required for certain limited purposes such as compliance with a legal obligation of the business or to protect the vital interests of the individual. However, the individual may withdraw the consent at any time, and consent is essentially not valid where there is an “imbalance” between the position of the individual and the business.
  • Breach Notification Requirement.  Businesses must notify the supervisory authority (i.e., the public authority established by each Member State) of a personal data breach “without undue delay,” which, per the Parliament’s draft, generally means not later than 72 hours after becoming aware of the breach.
  • Requirement to Adopt Policies and Implement Measures to Ensure and Demonstrate Compliance with the Regulation. Businesses must adopt policies and implement appropriate measures to ensure and be able to demonstrate that their processing of personal data is performed in compliance with the Regulation, including maintaining documentation of processing activity. The key principle is a high level of transparency so data subjects will know what data are to be collected, and by whom, how and where the data will be used or stored.
  • Binding Corporate Rules. Under the new Regulation, Binding Corporate Rules (“BCRs”), the tool used by companies with global operations to transfer personal data of EU residents within their corporate group to entities located in countries which do not have an adequate level of data protection, will no longer need to be approved by each Data Protection Authority in each applicable EU Member State (unless the “one-stop shop” concept is not adopted, as discussed above). Under the proposed regime, BCRs that meet the requirements described in the Regulation will need to be approved by one authority and, once approved, the BCRs will be recognized by the rest of the authorities in each applicable Member State. More importantly, the approved BCRs would also cover third parties that process personal data of EU residents on behalf of the business, such as cloud service providers.
  • Data Security Obligations.  Businesses are required to implement appropriate technical and organizational measures “to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.”
  • Data Protection Impact Assessment Requirement.   Businesses with processing operations that “present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes” are required to conduct a data protection impact assessment.
  • Requirement to Appoint Data Protection Officer.   Businesses with more than 250 employees and certain other organizations are required to appoint a data protection officer responsible for monitoring data processing activities.  The Parliament’s draft requires even small businesses to appoint a Data Protection Officer if they process the data of more than 5000 individuals.
  • Transfers of Personal Data to Third Countries. Although the restriction on the transfer of personal data to third countries that do not offer an adequate level of protection (as determined by the Commission) remains in place, under the proposed Regulation, transfers based on standard data protection clauses adopted by the Commission or based on binding corporate rules will require approval by just one supervisory authority instead of multiple national authorities.

What needs to happen before we know for sure what the new law is in Europe?

To recap the legislative process very briefly, the Commission was responsible for generating the initial draft.  The European Parliament then proposed and discussed over 3,000 amendments, ultimately producing a revised draft with increased protections for individuals and a higher burden on business.  Now a parliamentary committee will negotiate with the Council (the forum for the views of the national governments of the Member States) with the goal of having a definitive vote in April 2014.  However, there’s a very substantial likelihood that agreement will not be reached with the Council prior to the parliamentary elections in May 2014, which will introduce more uncertainty into the timeline and with respect to the substance of the final Regulation.

So, in summary, your delivery from Europe is likely to arrive sometime in 2015.  Also, we are not entirely certain what we are sending you or how much it will cost.  But it will be big (whatever we finally decide to put into the box).  We apologize for any inconvenience.

Time for some tips to keep your company (and your employees) safe online —

Are your employees trained to maintain company privacy standards?

Conduct employee training on privacy as it relates to employment, helping employees learn how to protect the privacy of clients’ and customers’ personal information and teaching employees how to manage their own privacy at work.  Data Privacy Day is a good opportunity to send out an email reminder.

Do you remind your employees to make their passwords long, strong and unique?

Making passwords long and strong, with a mix of uppercase and lowercase letters, numbers and symbols, along with changing them routinely and keeping them private are the easiest and most effective steps your employees can take to protect your data.

Mintz Levin is a Data Privacy Day Champion, recognizing and supporting the National Cyber Security Alliance’s initiative to promote messages about the importance of data protection and controlling one’s digital footprint.  Individuals, organizations, business and government all share the responsibility to be aware of privacy challenges and we encourage everyone to bring information privacy into daily thoughts, conversations and actions.


Our series over the next 10 days will highlight the top issues, as we see them, in privacy and security for 2013.  Yesterday, we looked at the increase in cybersecurity disclosure by public companies, triggered by the Securities and Exchange Commission’s Cybersecurity Guidance.

Privacy 2013 – What to Expect in the Employment Arena

Written by Jennifer Rubin and Michael Arnold

As more and more employees take to social media to conduct business, questions remain about how, if at all, employers may legally regulate and monitor employees’ conduct on social media. For example, employees use LinkedIn not just for networking, but to conduct business – whether by mining potential sales contacts or growing pipelines.  But who owns the contacts, and what can employers tell employees about how to conduct themselves while mining them?  And what happens when an employee leaves?  Can the employee take “their” contacts on LinkedIn, or does the employer “own” those contacts? Is ownership truly in question if an employee uses LinkedIn to obtain the contacts at the employer’s behest, utilizing the employer’s resources and while on the employer’s payroll?  These are questions some courts are beginning to address.

Related to this issue is the National Labor Relations Board’s growing interest in defining what employers with unionized and non-unionized workforces can and cannot do with respect to limiting communications in the workplace. The NLRB says that employees may air grievances about wages and working conditions without employer restriction – note the now infamous “Facebook” firings and related cases.  The NLRB has also invalidated employer social media policies for failing to comply with the National Labor Relations Act.  Twitter seems to be the next natural stop for the NLRB’s growing influence.  Many people “tweet” at their employer’s behest and with their employer’s blessings. What happens when the employee strays from the script? And who has the time and energy to undertake the “community curation” required to keep the employer’s finger on the pulse of these communications in a consistent and non-discriminatory manner?

Then, of course, there is the issue of an employer’s right to monitor an employee’s use of social media in the first instance.  In order to protect the corporate reputation, prohibit unlawful competitive activity, including the theft of trade secrets, or to affirmatively comply with certain government regulations, some employers now require employees (and prospective employees) to provide their social media passwords or other account information.  Fourteen state legislatures (like California) have recently enacted laws prohibiting this practice, and other states are likely to follow suit.  Social media privacy bills are under consideration in Missouri, Texas, and other jurisdictions. Whether a particular state prohibits this practice or not, employers must give serious thought before implementing (or continuing to implement) this practice.  Specifically, they must be mindful of the “Big Brother” perception and the potential exposure to claims under the anti-discrimination laws, labor laws, and state privacy laws.

In 2013, employers, employees, lawmakers, regulatory authorities and courts will continue to struggle to strike the right balance between privacy, corporate culture, ownership of business information, free expression, and creativity. Recommendation for action in 2013:  If your business has a social media policy, review it in light of emerging state laws and the NLRB cases.   If your business does not have a social media policy, 2013 is the time to take another look.

Our colleagues over at Mintz’s Employment Matters Blog have written about yet another finding from the National Labor Relations Board relating to a workplace social media policy.  Have you looked at your company’s policy lately in light of these rulings?

By Martha J. Zackin

The NLRB has again weighed in on workplace social media policies.  And, consistent with its recent decisions in Costco Wholesale Corp. and Karl Knauz Motors, Inc., it found DISH Network’s social media policy unlawful.  Specifically, citing both cases, the Board found that DISH Network’s social media policy improperly banned employees from making “disparaging or defamatory comments about DISH Network.”  The Board further found that the policy’s ban on negative electronic activities during “Company time” was unlawful because it failed to convey that negative discussion can occur during breaks and other non-working hours.

You may read the DISH Network Corp. decision here.  You may also read our blog entries about Costco, Karl Knauz Motors, and NLRB guidance on social media policies here, here, and here.

Written by Jake Romero

Facebook announced last week that it now has upwards of 1 billion active users.  That same week, over 10 million Twitter messages were sent during the U.S. presidential debate.  With the number and use of social media websites rapidly expanding, your privacy rights with respect to your tweets, “likes” and status updates, even the ones about being hungry and/or sleepy, are the focus of new legislation enacted in California.

Assembly Bill No. 1844 prohibits an employer from “requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.”  AB-1844 also prohibits retaliation by the employer against any employee or applicant for not complying with employer demands that violate this prohibition.  A companion bill that was also enacted last week, Senate Bill No. 1349, prohibits similar requests and requirements made by certain colleges of their students.

The greater likelihood is that in your hiring and retention practices, you are not specifically requiring employees and prospective employees to hand over their user names and passwords.  However, AB-1844 defines “social media” as “an electronic service or account, or electronic content, including, but not limited to, video, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”  This definition is quite broad, and can potentially be applied to a large swath of digital content that is not traditionally thought of as “social media.”  As a result, we recommend that you consider the following steps to ensure that you do not inadvertently violate AB-1844 or lose control of or access to your business’s social media presence:

  • Your business should have a comprehensive, easy to understand Internet usage policy in place (sometimes referred to as an “acceptable use policy”).  A strong Internet usage policy will help you manage and track where your employees keep and retain company information and can set boundaries regarding the use of personal social media sites during work hours and using work devices.  We recommend that each of your employees and, as of their start date, all new hires, receive a copy of the policy and sign an acknowledgment of having read it.  All of your employees should have access to your Internet usage policy on an ongoing basis.
  • Review any agreements you have in place with employees who develop, manage or contribute to social media content on behalf of your business or as part of the services they provide.  AB-1844 applies only to “personal” social media accounts but there is no guidance regarding what constitutes a personal account.  Your agreements with any employee who creates or manages social media content on behalf of your business should explicitly provide that that account or content is not personal to the employee and is the property of the employer.
  • Consider the manner in which your social media presence is managed and updated.  AB-1844 explicitly provides that nothing in AB-1844 “precludes an employer from requiring or requesting an employee to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.”  If, however, you have a “bring your own device” policy that allows employees who manage your social media presence to do so from a device that is owned by that employee and also used for personal activities, distinguishing an employee’s personal account from your business’s data may become increasingly difficult.

Of course, if you are reading this and your company does not have a comprehensive Internet usage policy or social media policy at all, you might want to consider calling a member of the Mintz Levin Privacy and Data Security team.


We have two “Save the Date” announcements today – for registration information click on the links below:

October 18, 2012 — San Diego — The Era of Big Data — Governance, Risk and Compliance

October 25, 2012 — Webinar — Data Privacy and Security Issues for the Nonprofit

Join the Mintz Levin Privacy team at one of these upcoming events!