Recent weeks have seen a flurry of legislative activity aimed at preventing employers from compelling disclosure of passwords to social networking sites as a condition of hire or of continued employment. However, potentially more troubling for employers are concerns related to post-employment password access to, and use of, non-personal, social media accounts used on the employer’s behalf. As a review of recent case law shows, employers who want to ensure uninterrupted and continual access to company social media accounts and to avoid post-employment disputes over ownership of friends, followers and connections would be well advised to plan ahead.Continue Reading...
Littler Report Provides Many Insights and Practical Solutions for Employers Considering a 'Bring Your Own Device' to Work Program
Millions of employees have begun using their personal mobile devices—including iPhones, iPads, Androids, and smartphones—to perform work. According to a global study by the Aberdeen group in July 2011, of 415 companies surveyed, 75% allowed employees to use their personal mobile devices for business purposes. Another survey, by Forrester Research in fall 2011, found that 48% of 1,600 responding information technology professionals were able to purchase the smartphone of their choice and use it for work.
The broad appeal of smartphones and tablets, coupled with their rapid adoption by consumers, has caused many CIOs to begin allowing these devices to interact with corporate IT systems and even replace company-owned devices. In response to this proliferation of personal mobile devices in the workplace, Littler has authored an interdisciplinary white paper, entitled “The ’Bring Your Own Device’ to Work Movement,” which examines the development of this irreversible trend and explores the very real and immediate challenges—both practical and legal—that the trend creates for employers.Continue Reading...
Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:
Date: January 11, 2012
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up stream. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.
I was recently interviewed by Nymity on the dozen top challenges for employers when developing and enforcing social media/Web 2.0 policies. Part I of the interview [pdf] addresses the following questions:
- Online Background Checks: What are the risks? What are practices that should be curtailed? How can a company gain the benefits of the tools, and minimize those risks?
- Customer‐Facing Company Sites: Such sites and other customer facing tools and techniques can build a brand over night. How does a company avoid the issues and gain the brand lifting benefits?
- Individual Employee Sites for Business Purposes: Who “owns” these sites, such as LinkedIn contacts and Facebook fan pages? Must an employee establish a new account for their work with a company? What are the best practices in these situations?
- Internal Company‐Sponsored Sites: What is special about these that require policy statements or recommendations? Can these sites really be a problem?
- Employees Off‐Duty Social Media Activity: We’ve discussed social media activity for work purposes, what about employees’ off‐duty social media conduct. What are the risks there and how should employers address them?
- Disciplining Employees Based On Off‐Duty Social Media Activity: There seems to be much confusion over when employers can discipline employees for their off‐duty social media activity. What are the key risks to avoid? What are the best practices that can be adopted to avoid what types of risks?
I will post Part II when it becomes available.
Photo credit: CrackerClips
Eleventh Circuit Ruling Strengthens Employers' Hand Against Employees who Abuse Access to Information Systems
Roberto Rodriquez tried to impress female acquaintances with an almost creepy knowledge of their personal information. He sent flowers on Valentine’s Day to one acquaintance who had never revealed her home address to him and called to wish her a happy half-birthday even though she never had revealed that fact to him either. He sent mail to another female acquaintance at her home address even though she directed all of her mail to a post office box, and he jotted her middle initial on the envelope even though she had not used her middle initial since grade school. He gave a female employee at a restaurant that he frequented a pair of earrings on her birthday even though she had not shared her birthday with him.
What was the source of Rodriguez’ apparent omniscience? Databases at the Social Security Administration (SSA), to which Rodriguez had access as a TeleService representative. In 2008 and 2009, Rodriguez accessed those databases for nonbusiness reasons on hundreds of occasions to view sensitive personal information of more than one dozen women. Rodriguez was a serial violator of an SSA policy that prohibited employees from obtaining information from SSA’s databases without a business reason. Mandatory training on the policy, notices posted in SSA’s office, and daily banners that appeared on Rodriguez’ computer did not stop him. Ultimately, Rodriguez was indicted and convicted for obtaining information from the federal government through unauthorized access to a computer in violation of the Computer Fraud and Abuse Act (CFAA).
Rodriguez tried to escape his conviction on appeal by arguing that he had accessed only databases that he was authorized to access as a TeleService representative. Rejecting this argument, the Eleventh Circuit explained (pdf) that the CFAA outlaws not only unauthorized access to a computer system but also access in excess of authorization. The court reasoned that SSA’s policy established the scope of Rodriguez’ authorized excess. By accessing SSA’s databases for purely personal reasons, Rodriguez violated that policy and thus had exceeded his authorized access.Continue Reading...
On the first business day of 2011, the New York Times reported that Apple’s rivals had proclaimed 2011 to be their year to recapture a slice of the computer tablet market, currently dominated by the iPad. Since the iPad’s launch in late 2010, Apple has sold more than 4 million of its tablets; some commentators predict that Apple will sell tens of millions more iPads in 2011. Adding to the flood of tablets into the marketplace — and into the workplace –- corporate IT departments are getting into the act. According to a recent report by ChangeWave, only 1% of corporate IT buyers reported in August 2010 that their organization provided employees with a tablet, but that number jumped to 7% in November 2010, and 14% of respondents stated that their organization plans to buy tablets in Q1 of 2011. Even the public sector is turning to the iPad. The Virginia legislature recently purchased 45 iPads for selected legislators and staffers in an effort to reduce the use of paper.
These trends pose serious challenges for corporate HR, Legal, and IT departments that should be addressed — or at least considered — before the “tablet tsunami” hits with full force. To begin with, employees in many organizations — often senior executives who scored an iPad as a holiday present — are clamoring to connect their iPad to the corporate network or are using the iPad for work even if the IT department refuses a connection. In fact, the iPad may represent a turning point in the battle between businesses and their workforce over the use of personal devices to conduct business. According to a November 2010 study by Ovum, approximately 50% of employees already are permitted to connect their personal devices to the corporate network. Because the iPad is so enjoyable and easy to use, that percentage is likely to surge in the next year or two as organizations bow to employee demands to use their personal iPad (or other tablet) for work.Continue Reading...
Commonplace IT Functions Raise the Risk of Federal Wiretap Act Liability Under Recent Seventh Circuit Decision
Even if your organization already has revised its electronic resources policy — as prior blog posts suggest — to address personal e-mail accounts in light of the New Jersey Supreme Court’s decision in Stengart v. Loving Care Agency and to address text messages in light of the U.S. Supreme Court’s decision in Quon v. City of Ontario, you still should consider revisiting that policy yet again in light of the U.S. Court of Appeals for the Seventh Circuit’s decision on September 9, 2010, in United States v. Szymuszkiewicz (pdf). The court’s decision affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor’s Microsoft Outlook autoforwarding feature. As a result, duplicates of the supervisor’s e-mail were automatically forwarded to the IRS agent without the supervisor’s knowledge or consent. The IRS agent received a sentence of eighteen months probation.
The Seventh Circuit’s decision turned principally on whether “auto forwarding” e-mail constitutes an “interception” as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the auto forwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor’s e-mail inbox.
For employers, the court’s decision highlights the risk of Federal Wiretap Act liability arising from commonplace IT functions. Corporate IT departments routinely activate “auto forwarding” after an employee has left an organization so that a supervisor or co-worker can promptly respond to e-mail intended for the former employee. It also is not uncommon for corporate IT departments to rely on “e-mail journaling” to create a duplicate set of out-going and incoming e-mail for archival purposes. Journaling essentially functions the same as auto forwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party’s e-mail inbox.Continue Reading...
In its first foray into the potentially treacherous intersection of workplace monitoring of electronic communications and employee privacy expectations, the United States Supreme Court considered whether the City of Ontario Police Department violated the privacy rights of Sergeant Jeff Quon by reviewing sexually explicit text messages sent by Quon using a City-issued pager. The Court declined to issue any broad pronouncements concerning the permissible scope of workplace monitoring. The Court's decision, nonetheless, provides useful guidance for employers — whether governmental or private — on steps they can take to reduce their exposure to privacy-based claims arising from their review of employees' text messages, e-mail, and other electronic communications. To learn more about this decision and its implications for employers, please continue reading Littler's ASAP, U.S. Supreme Court Ruling Provides Guidance on Monitoring Employee Texts and E-Mails, by Philip L. Gordon and Denise Drake.
Quon Decision Provides Useful Guidance for Private Employers While Skirting Broad Pronouncements on Employee Privacy Rights
As anticipated in our blog post describing the oral argument before the U.S. Supreme Court in City of Ontario v. Quon (pdf), the Court declined today to make any broad pronouncements concerning employee privacy rights in electronic communications using employer-issued equipment. The Court reserved expressing an opinion given the newness and evolving nature of cell phone and text message communications. Instead, the Court held that the City of Ontario Police Department did not violate the Fourth Amendment rights of a SWAT team member, Sgt. Jeff Quon, by reviewing text messages sent and received by Quon on a department-issued pager because, even assuming that Quon had a reasonable privacy expectation, the City’s review of his text messages was motivated by a legitimate work-related purpose and was not excessive in scope. Notwithstanding its narrow and fact-specific nature, the Court’s ruling still provides useful guidance for private employers.
Most importantly, the Court emphasized, in the following language, the importance of a well crafted and broadly distributed electronic resources policy when defending against an employee’s claim that an employer tortiously reviewed the employee’s electronic communications:
[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.”
The Court also highlighted a key distinction between corporate e-mail and text messages sent by cell phone, i.e., such text messages typically are transmitted through the cell phone provider’s server, rather than an employer-owned server. In Quon, this distinction was important because the department’s e-mail policy focused on e-mail sent through the department’s server and did not mention text messages. However, the Court emphasized that the department had informed SWAT team members, when issuing pagers to them, that the e-mail policy would be applied to text messages transmitted through the service provider. Similarly, private employers should ensure that their electronic resources policy is not limited to e-mail or to communications transmitted through the company’s e-mail server.Continue Reading...
School District's Woes from Using Webcams to Track School-Issued Laptops Should Be an Eye-Opener for Employers
According to a report issued by Gartner Dataquest, telecommuters constitute more than one-quarter of the U.S. workforce. That number likely will increase substantially as new, mobile technologies make it easier for employees to work anywhere at any time; a new generation of tech savvy employees enters the workforce; and employers embrace alternative work arrangements. With employees absent from corporate offices, how can an employer ensure that its mobile workforce is, in fact, working. The public relations debacle recently confronted by the Lower Merion School District in Philadelphia’s Main Line suburbs highlights what employers should and should not do.Continue Reading...
Employers Should Act Promptly in Response to NJ High Court's Recognition of Employee's Right to Privacy in Lawyer-Client Emails Stored on Company Computers
In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, that court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . .. would not be enforceable.” In other words, New Jersey employers cannot properly read their employee’s e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.
Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.
Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.Continue Reading...
Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.
The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce -- to the use of endorsements and testimonials in advertising.
In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).Continue Reading...
Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies
As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.Continue Reading...
On September 29, 2009, Littler Mendelson presented a webinar, hosted by HR.com, entitled, “Legal Perils of Social Media & Social Networking: What Every Employer Needs to Know.” Several of the attendees submitted questions by e-mail that could not be answered during the time allotted for the webinar. The answers to those questions are below.
Question: Because of the sketchy and inconsistent nature of HR policy around this topic, it seems reasonable for employees to ask for definition from their employers regarding use of social media to avoid being surprised should there be a potential issue. Would you agree?
Response: I would agree. The intersection of social networking sites and work is so new that accepted etiquette, custom, or norms have not yet developed. Employers can address this problem by establishing a policy that provides easily understood guidelines for employees’ social media activities whether authorized by the employer or not. Training also is very important in this area. Employers need to train managers and employees on how to respond to and handle the many complicated issues raised by the intersection of work and social media activity.Continue Reading...
The D.C. Circuit Leaves Undisturbed the Ability of Employers to Ban Union Communications Using Corporate E-Mail
Many had anticipated a dramatic rejection of Register-Guard, the National Labor Relations Board's landmark December 2007 decision, which held that employees could not use their employer's e-mail system as a matter of right to engage in union-related activities or union solicitation (see our previous blog entry). Instead, on July 7, 2009, the D.C. Circuit let that decision stand, effectively holding that the newspaper in that case did not violate federal law by issuing a policy banning all solicitations, including union solicitations, from its corporate e-mail system.
The court nonetheless concluded that the newspaper had engaged in unfair labor practices in the way it applied the policy. The court found that one of the e-mails that resulted in discipline of the employee—who was also the union president—was union-related, but was not a solicitation. Consequently, the union president did not violate the newspaper’s electronic resources policy by sending it. The other two e-mails upon which the newspaper had relied to discipline the employee were solicitations that violated the company’s policy. However, the newspaper's lax enforcement of the policy vis-à-vis non-union-related messages and its after-the-fact justification for applying the policy to the employee's messages demonstrated unlawful discrimination against union activities.Continue Reading...
UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.
Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.
Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcoming in the following ways:
- obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
- inform employees that the employer will, in its discretion, review any communication or file stored on any company-owed device;
- specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
- inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.
Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:
When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.
In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney) is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employer’s improperly accessed employees’ “personal e-mail.”
For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.
Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts
In a cautionary tale for all employers, the United States Court of Appeals for the Fourth Circuit recently held that an employer who accessed a former employee's personal e-mail account could be held liable for punitive damages and attorneys' fees under the federal Stored Communications Act, even without the employee proving any actual damages. Continue reading Littler ASAP, Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts, by Philip L. Gordon and Justin A. Morello.
Employers often put employees on notice, through an electronic resources policy, that communication via company e-mail accounts is not private. Far fewer policies, however, address employees’ use of their personal Internet-based e-mail accounts using company computer resources. What should an electronic resources policy tell employees on that subject?
A recent New Jersey case, Stengart v. Loving Care, sheds some light on the answer. Before Maria Stengart resigned and sued Loving Care, her employer, she e-mailed her lawyer through her personal web-based account from her company-issued computer with Loving Care’s Internet access. With the help of a computer forensic expert, Loving Care was able to recover temporary files stored on the hard drive of the company-issued computer which contained copies of Stengart’s attorney-client communications. (Employers should note that many web-based e-mail applications leave such temporary files on the hard drive of the sender’s computer).
When Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation, she objected. The trial court was asked to decide whether the e-mail, sent during work hours on a company laptop, was protected by the attorney-client privilege. The court held that it was not.
First Federal Court Decision to Uphold "Termination" Based on MySpace Content Rejects First Amendment Claim of the "Drunken Pirate"
Student teacher Stacey Snyder lost her chance to earn a teaching certificate largely because of content that she posted on her MySpace page. The page included a picture of Snyder, captioned “Drunken Pirate,” in which, according to Snyder’s trial testimony, she wore a pirate’s hat, was drinking a “mixed beverage,” and had a “stupid expression on my face . . . giving the peace sign . . . expressing myself at the moment, basically peace, love happiness . . . .” The page also contained a post in which Snyder implied that the teacher who was supervising Snyder’s participation in the student teacher program, Nicole Reinking, was the reason that Snyder would not apply for a job at Conestoga Valley (CV) High School in Pennsylvania after completing the program.
Unfortunately for Snyder, a CV High teacher viewed the picture and the post and gave a copy of both to Reinking. Reinking, who had not been pleased with Snyder’s performance even before receiving the MySpace content, promptly complained to her supervisor who, in turn, brought the MySpace content to the attention of the school’s superintendent. He suspended Snyder from the student teacher program. In her final evaluation from Reinking and from her supervisor at Millersville University — where Snyder was pursuing her teaching certificate — Snyder received an “unsatisfactory” rating for “professionalism.” That rating disqualified Snyder from earning a teaching certificate.
Snyder sued Millersville University in federal district court in Philadelphia, alleging that the university had violated her First Amendment rights by denying the teaching certificate based largely on the MySpace content. In what appears to be the first published decision addressing an adverse action (at least akin to an adverse employment action) based upon content on a social networking site, the court, after a two-day bench trial, rejected Snyder’s First Amendment claim and denied Snyder’s request for an order compelling Millersville University to award her a teaching certificate.
The decision is important for private employers, but not because of its legal underpinnings, which turned largely on legal issues that are irrelevant to the private workplace (i.e., state regulations applicable to student teachers and First Amendment jurisprudence concerning speech by public employees and students at public schools). While the applicable legal framework created substantial obstacles, the more significant problem for Snyder (apparent to any experienced trial lawyer reading between the lines of a carefully crafted opinion) was the unsympathetic posture of her factual position.Continue Reading...
Management-side lawyers and human resources professionals need to start thinking deeply about the key finding in a recent survey by The Creative Group, a staffing service company: more than one-half (57%) of 250 surveyed advertising and marketing executives responded that surfing the web during working hours is acceptable. How does an employer reconcile this apparent new-found acceptance of on-the-job Web surfing with the American Management Association’s finding in its 2007 survey of workplace monitoring that 30% of employers surveyed had fired an employee for Internet surfing at work?
Employers in more staid industries might shrug off the new survey result as a quirk of professions that appear to be more about creativity than productivity, but that would be too shortsighted. Let’s face it, nearly everyone surfs the Web at work at one point or another. Perhaps more importantly, the first generation to spend adolescence surfing the Web is starting to move into middle management and even senior management. This generational shift is rendering obsolete — in practice if not in form — corporate policies that forbid employees from using corporate electronic resources, i.e. Internet access, for non-business purposes.
Facing reality does not mean that employers must open the floodgates to pornography, fantasy football and online gambling. Instead, employers need to take up the challenging task of establishing rules for acceptable and unacceptable non-business use of the corporate Internet connection. The employer’s existing policies are a good starting point; employees should be barred from accessing any Web sites that communicate information which, if posted on the corporate intranet, would violate the company’s anti-discrimination and anti-harassment policies. Establishing bandwidth limits and prohibitions on Internet use that interferes with network operations should effectively eliminate most streaming media. Requiring employees to limit non-business use of the corporate Internet connection to breaks and meal periods and to no more than thirty minutes daily would permit discipline of employees engaging in potentially addictive and disruptive Internet activities, such as online gambling.
What is left might actually enhance productivity or create some good will. Rather than taking an extended lunch break, employees can spend a few minutes on the Web to order clothes or books. Employees who have been grinding during the week can plan a few weekend activities that will provide a much-needed respite from work. In short, the new survey result emphasize the point that the time has arrived for employers to revisit their business-only, workplace Internet policies.
Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.
Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.
On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:
(a) Braun’s business owned the computers;
(b) the computers were kept at Braun’s business;
(c) Braun told M.A. when he was hired that the business owned the computers;
(d) the desktop was connected to the corporate network;
(e) co-workers had access to both computers; and
(f) M.A.’s private office was never closed or locked.
The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.
A few minor changes of the facts show why: M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.
The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.
Many employers include in their electronic resources policy a blanket prohibition on “engaging in any political activity.” A recent Guideline Memorandum issued by the NLRB’s General Counsel creates a minefield of potential unfair labor practices for employers who enforce this commonplace ban, especially as the 2008 presidential campaign heads towards its climax.
According to the GC’s Guideline, employees’ political advocacy can, in some circumstances, constitute “concerted activity” protected by the NLRA. The test is two-fold: First, is there “a direct nexus between the specific issue that is the subject of the advocacy and a specifically identified employment concern of the participating employees.” Put simply, is the political advocacy related to the terms or conditions of employment. Second, has the employee engaged in this protected political advocacy without violating "restrictions imposed by lawful and neutrally applied work rules." In other words, employers can discipline employees who engage in protected political advocacy as long as the rule used to justify the discipline is legal and is applied in a non-discriminatory manner. There’s the rub for employers.
Last December, the NLRB ruled that employers can implement an e-mail policy whose provisions incidentally prohibit union-related activity. An employer can, for example, promulgate a policy that bans all non-business use of its e-mail system or that bans all solicitations for membership organizations. While such policies effectively ban use of the corporate e-mail system for union-related activities, that result is only incidental to the broader ban directed at both non-union and union activities. Thus, an e-mail policy that bans all political activity using the corporate e-mail system is lawful, even though some of the banned activity may now, according to the GC’s Guideline, be protected concerted activity.
The challenge for employers is ensuring that this lawful policy is “neutrally applied.” During the presidential debate season, an employer can expect to see e-mail cheering and lambasting the candidates, encouraging co-workers to register for a particular party, and attacking or advocating planks in party platforms. If such e-mail traffic goes unpunished even though it violates the company’s ban on political activity over the corporate e-mail network, the trap may be laid for a successful unfair labor practice charge when months later employees are punished for exchanging e-mail about joining in a union-organized protest over a new work-related law advocated by the new President — whoever that might be.
For further analysis on the GC's Guidelines, please see Littler ASAP: Can a Bumper Sticker Get You Bumped? NLRB's General Counsel Issues Guidelines on Political Advocacy by Frank W. Buck and Richard L. Sloane.
Some companies, like on-line retailer Zappos.com, are sponsoring corporate twitter sites. What is “twitter”? According to Twitter.com, “Twitter” is “a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: “What are you doing?” A review of Zappos’ twitter site suggests the answer to that question rarely is “working.” Are Zappos employees unwittingly creating the justification for terminating their employment, or has Zappos—in an effort to foster unrestrained twittering—assured its employees that their “twittering” would not be used against them in a court of law?
We don’t know the answer to those questions, but we do know that any employer seeking to cater to the “Twitterites” in its workforce should first consider some tough legal issues. How will the company react when an employee twitters that she is “organizing a union” or “complaining to her buddies about all that overtime”? Would a Twitterite ever be so frank or uncool? How does a business respond to a Twitter record that, in fact, does show that an employee seems always to be doing something other than work during working hours? Twitter actually is quite good for identifying slackers because each Twitter post includes the date and time of posting. Yet this begs another question: How will the company extend a “litigation hold” to Twitter after receiving a preservation demand from a sophisticated plaintiff’s lawyer who specifically identifies "Twitter" as one category of information that purportedly must be preserved?
The point of this post is not to provide answers, but rather to highlight that each new generation of “cool corporate communications tools” brings some tough legal issues to the forefront. Those issues should be thoroughly discussed before an employer rushes headlong into an embrace of the next new thing.
While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D.Conn 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in an employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.
According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log-off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.Continue Reading...
The Los Angeles Times reported on June 19, 2008, that the Ninth Circuit’s decision in Quon v. Arch Wireless Operating Co., “sharply limited the ability of employers to obtain e-mails and text messages sent by employees on company-financed accounts.” And many major news outlets echoed this sentiment: "Court Rules Employee Text Messages Are Private," "SF Court Protects Privacy of Work Communications," "Stop Snooping on Email, Court Tells Some Nosy Bosses." However, the assertion of the LA Times reporter, while literally true, is pure hyperbole when viewed in the context of a real-world workplace.
The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text messages services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.
Not so fast: Employers can easily and lawfully circumvent the court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees communications using corporate resources will be monitored and are not private.Continue Reading...
In a highly anticipated decision, the National Labor Relations Board has emphatically landed on the side of employers whose policies bar employees from using corporate e-mail resources for union activities.
In The Guard Publishing Co. d/b/a The Register Guard, the Board, in a 3-2 decision, held that “employees have no statutory right to use an employer’s equipment or media for Section 7 communications.” Section 7 of the National Labor Relations Act encompasses communications about virtually all union activities by employees, including solicitation, organizing, grievances, picketing, strikes, and discussions about the terms and conditions of employment. In light of this ruling, an employer may, in the words of the Board, “lawfully bar employees’ nonwork-related use of its e-mail systems,” including use for union activities.
There is a caveat, but as defined by the Board, the caveat is a narrow one: Employers can not act “in a manner that discriminates against Section 7 activity.” (emphasis supplied). Significantly, the Guard Publishing decision substantially narrows the prior definition of “discrimination” for purposes of analyzing whether an e-mail policy (or any other policy restricting Section 7 activities) on its face, or as enforced by the employer, interferes with Section 7 rights.Continue Reading...
It will soon be easier to conduct business on airline flights, and a lot riskier from a privacy perspective. The New York Times ran a story the other day – “Some Airlines to Offer In-Flight Internet Service” – describing Jet Blue’s plans to begin offering free in-flight e-mail and instant messaging service. Several other airlines also have announced plans to offer Internet service on their planes. While the convenience may be welcome news to busy executives who criss-cross the country on non-stop business trips, employers should be concerned about the security of private workplace communications and confidential business information in the cramped confines of an airline cabin.Consider the number and proximity of work-related travelers —especially in business class. Now imagine linking the traveler’s laptop or Blackberry to seat-back entertainment systems (Virgin America has plans to implement a system that allows passengers to send messages during a flight). And now envision your company’s strategic business plan, or non-public profit figures, on display, like an in-flight movie. Add to this the passenger’s oblivion to his surroundings and the scrutiny of other bored and seemingly harmless passengers. Without determined efforts, inadvertent in-flight disclosure of confidential business information could become as commonplace as data breaches caused by stolen laptops. Continue Reading...
NLRB Puts a Speed Bump in the Path of Unionized Employers Trying to Keep Their Electronic Resources Policy in Pace with Technological Change
Employers, for the most part, are the kings of the road when it comes to regulating the use of their electronic resources. However, several recent cases suggest that the National Labor Relations Board (NLRB or “the Board”) may soon be playing the role of traffic cop on the employer-provided segment of the information highway. In Media General Operation v. NLRB, the Fourth Circuit affirmed the NLRB’s finding of an unfair labor practice against a newspaper which had instructed union members to stop using the company’s e-mail system to distribute union-related messages. The Fourth Circuit relied upon the well established rule that an employer who permits any non-union use of its e-mail system — even if that non-union use violates a business-use only policy — cannot discriminate against union-related communications. Around the same time, the Board heard oral arguments on the question whether employers violate the National Labor Relations Act (NLRA) by enforcing a prohibition against all non-business use — whether union or non-union — of their e-mail system. See Guard Publishing Co. d/b/a The Register-Guard.
On September 10, 2007, the Board highlighted another NLRA-based restriction on the ability of employer’s to set rules for employee use of employer-provided electronic resources. The Board held that a union employer violated the NLRA by implementing a revised e-mail policy without first reaching agreement or impasse with the union. This ruling will be a speed bump for unionized employers struggling to keep current their policies regulating the use in the workplace of rapidly evolving communications technology and of an ever expanding menu of personal “gadgets” (iPods, Blackberries, camera phones, etc.).
The recent decision involved California Newspaper Partnership d/b/a ANG Newspapers (ANG), a publisher of five newspapers in the San Francisco Bay Area. The newspaper company faced a grievance from the Media Workers’ Union for disciplining a reporter who had sent an e-mail to several other union members/employees about union matters in violation of ANG’s policy prohibiting all employees from sending such “broadcast e-mails” on any subject matter. The union attacked the discipline by arguing that the policy which the reporter allegedly had violated (the “ challenged policy”) was unlawful. To support that position, the union contended that the challenged policy was a revision of a prior policy and that the newspaper had commenced bargaining over the challenged policy but implemented it unilaterally before reaching agreement or impasse with the union.Continue Reading...
Certain provisions of employer policies governing the use of electronic resources have become mantra: “Employees should have no expectation of privacy in their e-mail or Internet use”; “Employer reserves the right to access, monitor, and review any communication sent or received using corporate communications resources”; “Corporate communications resources can not be used to send or receive harassing, pornographic, or offensive messages,” etc. But, employers who do not want their policies to become anachronistic should review and update those policies regularly to stay abreast of new technologies and new uses of technologies flooding the workplace as well as recent developments in pertinent case law. Here are a few changes to consider. We will follow with more in future blog entries:
Blogging: Blogging by employees is common. With more than 70 million blogs on the World Wide Web and nearly 1.4 million new blog entries daily, employers need to consider the impact that employee blogging may have on their business and workplace. Employers who do not endorse blogging should consider adding to their electronic resources policy a provision which bars employees from using corporate communications resources to view or post to any blog that is unrelated to work. Employers also should consider a separate blogging policy to address off-duty blogging on the employee’s own time.
Video In The Workplace: That employee who has spent the last three hours glued to her computer monitor without pause may be watching Gone With The Wind. According to a recent Pew Foundation study, 57% of online adults have used the Internet to watch or download video, and 19% do so on a typical day. Three-quarters of broadband users (74%) who enjoy high-speed connections at both home and work watch or download video online. Employers who do not currently prohibit viewing or downloading video unrelated to work should now consider doing so before “bandwidth hogs” interfere with business operations.
Web-Based E-Mail: According to a report in the New York Times earlier this year, employees frequently rely on their personal Web-based e-mail accounts to conduct business or to store business-related material. This trend raises a host of issues for employers including the inability to monitor the messages, if necessary, and the difficulty of preserving the messages as part of the litigation hold process. Employers should consider barring employees from using personal Web-based e-mail for business purposes.Electronic Communications May Be Disclosed To Law Enforcement: Recent cases, such as United States v. Ziegler, Doe v. XYC Corp., and United States v. Angevine, suggest that child pornography in the workplace is becoming all too common. When the child porn is disclosed to law enforcement authorities without a warrant, the employee may be able to succeed in suppressing the evidence, thereby defeating the criminal investigation – as happened in United States v. Long, 64 M.J. 57 (C.A.A.F. 2006). Employers can make this result less likely by warning employees that their electronic communications may be disclosed to law enforcement authorities if they create a suspicion of criminal conduct.
“You have no right to privacy in your e-mail using corporate resources”
“The Company reserves the right to monitor your Internet access at any time”
So chimes policy after policy after policy. But, is the mantra really true?
Several recent cases suggest that answer is “not always.” In United States v. Long, the highest military court (not exactly a known bastion of privacy protection), recently held that a Marine Corps investigator violated a soldier’s privacy rights by obtaining inculpatory e-mail from the system administrator. The Department of Defense had an e-mail policy that was as draconian as any private employer’s, but the policy said nothing about turning over e-mail to criminal investigators, and the system administrator admitted that he did not read individual e-mails when monitoring the system because he felt they were private. Sound familiar?
At the start of 2007, the Ninth Circuit Court of Appeals in United States v. Ziegler held that an employee caught viewing child porn on his work computer had a reasonable expectation of privacy in the computer because it was stationed in his locked office. The court stated more generally, “in the private employer context, employees retain at least some expectation of privacy in their office,” which, for most employees in today’s working world includes a computer with stored e-mail.Continue Reading...
For years now, employers have been warned that a detailed, electronic resources policy is the best defense against vicarious liability for the actions of employees who use corporate e-mail or Internet access like a bully in a sandbox. A recent decision from the California Court of Appeals highlights a potentially more potent defense that has received little attention in employment law circles.
The Communications Decency Act of 1996, 47 U.S.C. §230 [CDA] immunizes any “provider . . . of an interactive computer service” from liability under any state law for information published on the service by someone else. In Delfino v. Agilent Technologies, the plaintiffs sued Agilent for intentional infliction of emotional distress because a former Agilent employees had used Agilent’s e-mail system and Internet access to communicate numerous threatening messages to the plaintiffs. The California Court of Appeals affirmed summary judgment for Agilent based on the CDA.
As a matter of first impression, the court held that a corporate employer, like Agilent, who offers e-mail and Internet access is an interactive computer service provider for purposes of the Act. Because the employee, not Agilent, provided the threatening messages, and the plaintiffs sought relief only under state tort law, the CDA immunized Agilent from liability. By analogy, the CDA can be used to get rid of those pesky state law claims, like negligent hiring, negligent supervision, intentional infliction of emotional distress, and defamation, that tend to accompany Title VII claims alleging harassment through an employee’s use of corporate electronic resources.