Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Certain provisions of employer policies governing the use of electronic resources have become mantra:  “Employees should have no expectation of privacy in their e-mail or Internet use”; “Employer reserves the right to access, monitor, and review any communication sent or received using corporate communications resources”; “Corporate communications resources can not be used to send or receive harassing, pornographic, or offensive messages,” etc.  But, employers who do not want their policies to become anachronistic should review and update those policies regularly to stay abreast of new technologies and new uses of technologies flooding the workplace as well as recent developments in pertinent case law.  Here are a few changes to consider.  We will follow with more in future blog entries:

            Blogging:  Blogging by employees is common.  With more than 70 million blogs on the World Wide Web and nearly 1.4 million new blog entries daily, employers need to consider the impact that employee blogging may have on their business and workplace.  Employers who do not endorse blogging should consider adding to their electronic resources policy a provision which bars employees from using corporate communications resources to view or post to any blog that is unrelated to work.  Employers also should consider a separate blogging policy to address off-duty blogging on the employee’s own time. 

            Video In The Workplace:  That employee who has spent the last three hours glued to her computer monitor without pause may be watching Gone With The Wind.  According to a recent Pew Foundation study, 57% of online adults have used the Internet to watch or download video, and 19% do so on a typical day.  Three-quarters of broadband users (74%) who enjoy high-speed connections at both home and work watch or download video online.  Employers who do not currently prohibit viewing or downloading video unrelated to work should now consider doing so before “bandwidth hogs” interfere with business operations.

            Web-Based E-Mail:  According to a report in the New York Times earlier this year, employees frequently rely on their personal Web-based e-mail accounts to conduct business or to store business-related material.  This trend raises a host of issues for employers including the inability to monitor the messages, if necessary, and the difficulty of preserving the messages as part of the litigation hold process.  Employers should consider barring employees from using personal Web-based e-mail for business purposes.

• Email This
• Print
• Trackbacks (1)
• Share Link

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39^th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

•  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
• Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
• Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
• Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
• Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

• Email This
• Print
• Trackbacks
• Share Link

More and more businesses — especially those in highly regulated industries such as banking, telecommunications, and health care — are engaging in “vendor management” as they implement increasingly rigorous information security programs.  Confirming the trustworthiness of vendors’ employees who are permitted on premises or who are authorized access to sensitive information is a cornerstone of such programs.  Consequently, these businesses are starting to make a variety of demands in contract negotiations and requests for proposals (RFPs) for background checks and drug-testing of vendor employees.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Here are three of the steps vendors might consider to avoid this catch 22:

• Email This
• Print
• Trackbacks
• Share Link

An Oregon law, signed by Governor Ted Kulongoski in mid-July and effective January 1, 2008, establishes the strictest information security requirements imposed by any state law to date. This new law is especially significant for multi-state employers, as the statute applies to any business which maintains the “personal information” of an Oregon resident regardless of the size of the company’s presence in Oregon. Personal information is defined to include precisely the type of information which all employers maintain about every employee, i.e., first name or initial and last name plus social security number, driver’s license number, or financial account number.

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

• Designate a security officer
• Conduct a risk assessment
• Assess the safeguards in place to manage the risks
• Train employees in security policies and procedures
• Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
• Adjust the security program over time to meet changing circumstances
• Implement adequate physical and technical safeguards
• Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.

• Email This
• Print
• Trackbacks
• Share Link

Genetic tests are available today for more than 1000 diseases and counting. Individuals can use genetic testing to better identify and manage their risk of developing specific medical conditions before those conditions manifest themselves. For better or worse, such information may also have value to employers desiring to know whether an employee (or candidate) may be genetically inclined to ailments like carpel-tunnel syndrome or long-term illness from exposure to workplace toxins. However, given the fact that 84% of Americans mistrust their employers when it comes to having access to their genetic information, the data are not easy to use. To be sure, the controversy over genetic screening in the workplace is palpable and raises questions such as: Can (or should) genetic information be used in making employment decisions? What qualifies as sensitive “genetic information”? With what level of care must an employer handle genetic information already in its possession? 

While state law may resolve one or more of these questions in nearly 40 states, no federal legislation exists on the topic. That is likely to change soon. In April, the House passed the Genetic Information Nondiscrimination Act (“GINA”) of 2007 (H.R. 493) by a vote of 420-3, and the Senate is nearly certain to follow suit on its companion legislation (S. 358). With President Bush having already endorsed GINA, the debate is turning to what day-to-day effects GINA would have on the workplace. As it stands, GINA would: (1) prohibit employers from purposely acquiring genetic information about employees; (2) prohibit employers from making employment decisions based on an employee’s genetic information or use of genetic testing services; and (3) compel employers to treat genetic information in their possession as “health information” under HIPAA and the rules governing “confidential medical records” under the ADA.                       

• Email This
• Print
• Trackbacks
• Share Link