Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Roberto Rodriquez tried to impress female acquaintances with an almost creepy knowledge of their personal information. He sent flowers on Valentine’s Day to one acquaintance who had never revealed her home address to him and called to wish her a happy half-birthday even though she never had revealed that fact to him either. He sent mail to another female acquaintance at her home address even though she directed all of her mail to a post office box, and he jotted her middle initial on the envelope even though she had not used her middle initial since grade school. He gave a female employee at a restaurant that he frequented a pair of earrings on her birthday even though she had not shared her birthday with him.

What was the source of Rodriguez’ apparent omniscience? Databases at the Social Security Administration (SSA), to which Rodriguez had access as a TeleService representative. In 2008 and 2009, Rodriguez accessed those databases for nonbusiness reasons on hundreds of occasions to view sensitive personal information of more than one dozen women. Rodriguez was a serial violator of an SSA policy that prohibited employees from obtaining information from SSA’s databases without a business reason. Mandatory training on the policy, notices posted in SSA’s office, and daily banners that appeared on Rodriguez’ computer did not stop him. Ultimately, Rodriguez was indicted and convicted for obtaining information from the federal government through unauthorized access to a computer in violation of the Computer Fraud and Abuse Act (CFAA).

Rodriguez tried to escape his conviction on appeal by arguing that he had accessed only databases that he was authorized to access as a TeleService representative. Rejecting this argument, the Eleventh Circuit explained (pdf) that the CFAA outlaws not only unauthorized access to a computer system but also access in excess of authorization. The court reasoned that SSA’s policy established the scope of Rodriguez’ authorized excess. By accessing SSA’s databases for purely personal reasons, Rodriguez violated that policy and thus had exceeded his authorized access.

Continue Reading...

• Print
• Share Link

Even if your organization already has revised its electronic resources policy — as prior blog posts suggest — to address personal e-mail accounts in light of the New Jersey Supreme Court’s decision in Stengart v. Loving Care Agency and to address text messages in light of the U.S. Supreme Court’s decision in Quon v. City of Ontario, you still should consider revisiting that policy yet again in light of the U.S. Court of Appeals for the Seventh Circuit’s decision on September 9, 2010, in United States v. Szymuszkiewicz (pdf). The court’s decision affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor’s Microsoft Outlook autoforwarding feature. As a result, duplicates of the supervisor’s e-mail were automatically forwarded to the IRS agent without the supervisor’s knowledge or consent. The IRS agent received a sentence of eighteen months probation.

The Seventh Circuit’s decision turned principally on whether “auto forwarding” e-mail constitutes an “interception” as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the auto forwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor’s e-mail inbox.

For employers, the court’s decision highlights the risk of Federal Wiretap Act liability arising from commonplace IT functions. Corporate IT departments routinely activate “auto forwarding” after an employee has left an organization so that a supervisor or co-worker can promptly respond to e-mail intended for the former employee. It also is not uncommon for corporate IT departments to rely on “e-mail journaling” to create a duplicate set of out-going and incoming e-mail for archival purposes. Journaling essentially functions the same as auto forwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party’s e-mail inbox.

Continue Reading...

• Print
• Share Link

In its first foray into the potentially treacherous intersection of workplace monitoring of electronic communications and employee privacy expectations, the United States Supreme Court considered whether the City of Ontario Police Department violated the privacy rights of Sergeant Jeff Quon by reviewing sexually explicit text messages sent by Quon using a City-issued pager. The Court declined to issue any broad pronouncements concerning the permissible scope of workplace monitoring. The Court's decision, nonetheless, provides useful guidance for employers — whether governmental or private — on steps they can take to reduce their exposure to privacy-based claims arising from their review of employees' text messages, e-mail, and other electronic communications. To learn more about this decision and its implications for employers, please continue reading Littler's ASAP, U.S. Supreme Court Ruling Provides Guidance on Monitoring Employee Texts and E-Mails, by Philip L. Gordon and Denise Drake. 

• Print
• Trackbacks
• Share Link

As anticipated in our blog post describing the oral argument before the U.S. Supreme Court in City of Ontario v. Quon (pdf), the Court declined today to make any broad pronouncements concerning employee privacy rights in electronic communications using employer-issued equipment. The Court reserved expressing an opinion given the newness and evolving nature of cell phone and text message communications. Instead, the Court held that the City of Ontario Police Department did not violate the Fourth Amendment rights of a SWAT team member, Sgt. Jeff Quon, by reviewing text messages sent and received by Quon on a department-issued pager because, even assuming that Quon had a reasonable privacy expectation, the City’s review of his text messages was motivated by a legitimate work-related purpose and was not excessive in scope. Notwithstanding its narrow and fact-specific nature, the Court’s ruling still provides useful guidance for private employers.

Most importantly, the Court emphasized, in the following language, the importance of a well crafted and broadly distributed electronic resources policy when defending against an employee’s claim that an employer tortiously reviewed the employee’s electronic communications:

[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.”

The Court also highlighted a key distinction between corporate e-mail and text messages sent by cell phone, i.e., such text messages typically are transmitted through the cell phone provider’s server, rather than an employer-owned server. In Quon, this distinction was important because the department’s e-mail policy focused on e-mail sent through the department’s server and did not mention text messages. However, the Court emphasized that the department had informed SWAT team members, when issuing pagers to them, that the e-mail policy would be applied to text messages transmitted through the service provider. Similarly, private employers should ensure that their electronic resources policy is not limited to e-mail or to communications transmitted through the company’s e-mail server.

Continue Reading...

• Print
• Trackbacks
• Share Link

In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, that court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . .. would not be enforceable.” In other words, New Jersey employers cannot properly read their employee’s e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.

Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.

Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.

Continue Reading...

• Print
• Trackbacks
• Share Link

Texas recently enacted a law, effective September 1, 2009, that criminalizes online harassment. Texas joins other states, including Nevada, New York and Tennessee, which have enacted similar legislation criminalizing the use of electronic communication devices to commit criminal stalking and harassment.

Although speaking in terms of “online harassment,” the law is aimed at outlawing online impersonation with the intent to cause harm. Thus, the law outlaws the unauthorized use of another’s name or persona to create a web page, or to post one or more messages on a commercial social networking site, with the intent to defraud, harm, intimidate or threaten another person. This offense is a third-degree felony, punishable by two to ten years imprisonment and a fine not to exceed $10,000.

Continue Reading...

• Print
• Trackbacks
• Share Link

Many had anticipated a dramatic rejection of Register-Guard, the National Labor Relations Board's landmark December 2007 decision, which held that employees could not use their employer's e-mail system as a matter of right to engage in union-related activities or union solicitation (see our previous blog entry). Instead, on July 7, 2009, the D.C. Circuit let that decision stand, effectively holding that the newspaper in that case did not violate federal law by issuing a policy banning all solicitations, including union solicitations, from its corporate e-mail system.

The court nonetheless concluded that the newspaper had engaged in unfair labor practices in the way it applied the policy. The court found that one of the e-mails that resulted in discipline of the employee—who was also the union president—was union-related, but was not a solicitation. Consequently, the union president did not violate the newspaper’s electronic resources policy by sending it. The other two e-mails upon which the newspaper had relied to discipline the employee were solicitations that violated the company’s policy. However, the newspaper's lax enforcement of the policy vis-à-vis non-union-related messages and its after-the-fact justification for applying the policy to the employee's messages demonstrated unlawful discrimination against union activities. 

Continue Reading...

• Print
• Trackbacks
• Share Link

UPDATE: The New Jersey Supreme Court has agreed to review this decision. We will continue to monitor the case and provide insight on significant developments.

Before resigning from Loving Care Agency and suing the company for discrimination, Marina Stengart used her company-issued laptop to exchange e-mail with her attorney through her personal Yahoo! e-mail account. Loving Care’s computer forensic expert recovered these e-mails from the laptop. Loving Care’s counsel referenced some of them during discovery; Stengart’s counsel demanded the return of all of the e-mail. In a prior blog entry, we discussed the trial court’s ruling that Stengart had waived the attorney-client privilege in light of certain warnings in Loving Care’s computer use policy.

Last week, a New Jersey appellate court reversed the trial court’s ruling. According to the appellate court, Loving Care failed to show that Stengart ever had received the computer use policy. The court also found that the policy did not adequately warn Stengart that Loving Care might read e-mail sent through her personal e-mail account. Employers can address these shortcoming in the following ways:

• obtain from each employee an executed acknowledgement of receipt of the corporate computer use policy;
• inform employees that the employer will, in its discretion, review any communication or file stored on any company-owed device;
• specifically warn employees that the policy applies to copies of e-mail sent through a personal e-mail account that remain on company computers;
• inform employees that corporate electronic resources cannot be used, without authorization, to consult with an attorney.

Significantly, the New Jersey court suggested that even if Loving Care had taken all of the steps listed above, Stengart still would not have waived attorney-client privilege. The court based that conclusion on the following language:

When an employee, at work, engages in personal communications via a company computer, the company's interest . . . is not in the content of those communications; the company's legitimate interest is in the fact that the employee is engaging in business other than the company's business. Certainly, an employer may monitor whether an employee is distracted from the employer's business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee's personal communications.

In other words, according to the court, an employer cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy, except when the content of the e-mail needs to be known to determine whether the employee violated company policy or acted unlawfully. This aspect of the court’s opinion, which appears to be non-binding dicta (except when applied to communications between an employee and her attorney) is groundbreaking. If the decision is not reversed on appeal to the New Jersey Supreme Court, employers should expect to see the Stengart case resurface in future employment litigation contending that employer’s improperly accessed employees’ “personal e-mail.”

This entry was co-authored by Philip L. Gordon and Paul H. Mazer.

For a comprehensive analysis of this development, see Littler's ASAP "Employer's Electronic Communications Policy Did Not Allow Company to Review Employee's E-mail Exchange with Her Attorney" by Philip L. Gordon, Eric A. Savage and Paul H. Mazer.
 

• Print
• Trackbacks
• Share Link

In a cautionary tale for all employers, the United States Court of Appeals for the Fourth Circuit recently held that an employer who accessed a former employee's personal e-mail account could be held liable for punitive damages and attorneys' fees under the federal Stored Communications Act, even without the employee proving any actual damages. Continue reading Littler ASAP, Recent Fourth Circuit Ruling Demonstrates Risks to Employers of Accessing Employees' Personal E-Mail Accounts, by Philip L. Gordon and Justin A. Morello.

• Print
• Trackbacks
• Share Link

Employers often put employees on notice, through an electronic resources policy, that communication via company e-mail accounts is not private. Far fewer policies, however, address employees’ use of their personal Internet-based e-mail accounts using company computer resources. What should an electronic resources policy tell employees on that subject?

A recent New Jersey case, Stengart v. Loving Care, sheds some light on the answer. Before Maria Stengart resigned and sued Loving Care, her employer, she e-mailed her lawyer through her personal web-based account from her company-issued computer with Loving Care’s Internet access. With the help of a computer forensic expert, Loving Care was able to recover temporary files stored on the hard drive of the company-issued computer which contained copies of Stengart’s attorney-client communications. (Employers should note that many web-based e-mail applications leave such temporary files on the hard drive of the sender’s computer).

When Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation, she objected. The trial court was asked to decide whether the e-mail, sent during work hours on a company laptop, was protected by the attorney-client privilege. The court held that it was not.
 

Continue Reading...

• Print
• Trackbacks
• Share Link

Many employers include in their electronic resources policy a blanket prohibition on “engaging in any political activity.” A recent Guideline Memorandum issued by the NLRB’s General Counsel creates a minefield of potential unfair labor practices for employers who enforce this commonplace ban, especially as the 2008 presidential campaign heads towards its climax.

According to the GC’s Guideline, employees’ political advocacy can, in some circumstances, constitute “concerted activity” protected by the NLRA. The test is two-fold: First, is there “a direct nexus between the specific issue that is the subject of the advocacy and a specifically identified employment concern of the participating employees.” Put simply, is the political advocacy related to the terms or conditions of employment. Second, has the employee engaged in this protected political advocacy without violating "restrictions imposed by lawful and neutrally applied work rules." In other words, employers can discipline employees who engage in protected political advocacy as long as the rule used to justify the discipline is legal and is applied in a non-discriminatory manner. There’s the rub for employers.

 

Last December, the NLRB ruled that employers can implement an e-mail policy whose provisions incidentally prohibit union-related activity. An employer can, for example, promulgate a policy that bans all non-business use of its e-mail system or that bans all solicitations for membership organizations. While such policies effectively ban use of the corporate e-mail system for union-related activities, that result is only incidental to the broader ban directed at both non-union and union activities. Thus, an e-mail policy that bans all political activity using the corporate e-mail system is lawful, even though some of the banned activity may now, according to the GC’s Guideline, be protected concerted activity.

 

The challenge for employers is ensuring that this lawful policy is “neutrally applied.” During the presidential debate season, an employer can expect to see e-mail cheering and lambasting the candidates, encouraging co-workers to register for a particular party, and attacking or advocating planks in party platforms. If such e-mail traffic goes unpunished even though it violates the company’s ban on political activity over the corporate e-mail network, the trap may be laid for a successful unfair labor practice charge when months later employees are punished for exchanging e-mail about joining in a union-organized protest over a new work-related law advocated by the new President — whoever that might be.

 

For further analysis on the GC's Guidelines, please see Littler ASAP: Can a Bumper Sticker Get You Bumped? NLRB's General Counsel Issues Guidelines on Political Advocacy by Frank W. Buck and Richard L. Sloane.

• Print
• Trackbacks
• Share Link

While the case is still in the early stages, Sidell v. Structured Settlement Investments, LP et al, Case No. 3:08-cv-00710-VLB (D.Conn 2008), is shaping up to be a case to watch. Recently covered by The New York Times, the lawsuit involves an interesting twist on workplace monitoring; namely, what are the limits on an employer’s access, using its own computer equipment, to an employee’s e-mail stored in an employee’s personal e-mail account. Ultimately, the case may add to the growing list of decisions regulating electronic communications in the workplace. See, e.g., Quon v. Arch Wireless; Scott v. Beth Israel. The Ninth Circuit decision in Quon was discussed in our prior blog entry, Ninth Circuit Ruling Not a Significant Obstacle to Employers' Accessing Text Messages.

According to the complaint, this is what happened: A company closed a branch and fired the office manager. The company claimed that the termination was for cause and explained the facts supporting its decision to the manager. Before the company had changed the locks, the office manager entered his old office, logged on to his computer, and sent an e-mail to his personal attorney regarding his potential claims against the company. The office manager did not log-off from his Yahoo! account, nor did he turn off his computer. As a result, this e-mail remained accessible through the computer in the office manager’s former office. Over the next few weeks while using the same e-mail account, the office manager sent his personal attorney numerous additional e-mails regarding his termination.

Continue Reading...

• Print
• Trackbacks
• Share Link

The Los Angeles Times reported on June 19, 2008, that the Ninth Circuit’s decision in Quon v. Arch Wireless Operating Co., “sharply limited the ability of employers to obtain e-mails and text messages sent by employees on company-financed accounts.” And many major news outlets echoed this sentiment: "Court Rules Employee Text Messages Are Private," "SF Court Protects Privacy of Work Communications," "Stop Snooping on Email, Court Tells Some Nosy Bosses." However, the assertion of the LA Times reporter, while literally true, is pure hyperbole when viewed in the context of a real-world workplace.

The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text messages services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.

Not so fast: Employers can easily and lawfully circumvent the court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees communications using corporate resources will be monitored and are not private.

Continue Reading...

• Print
• Trackbacks
• Share Link

In a highly anticipated decision, the National Labor Relations Board has emphatically landed on the side of employers whose policies bar employees from using corporate e-mail resources for union activities.

In The Guard Publishing Co. d/b/a The Register Guard, the Board, in a 3-2 decision, held that “employees have no statutory right to use an employer’s equipment or media for Section 7 communications.”  Section 7 of the National Labor Relations Act  encompasses communications about virtually all union activities by employees, including solicitation, organizing, grievances, picketing, strikes, and discussions about the terms and conditions of employment.  In light of this ruling, an employer may, in the words of the Board, “lawfully bar employees’ nonwork-related use of its e-mail systems,” including use for union activities.

There is a caveat, but as defined by the Board, the caveat is a narrow one:  Employers can not act “in a manner that discriminates against Section 7 activity.” (emphasis supplied).  Significantly, the Guard Publishing decision substantially narrows the prior definition of “discrimination” for purposes of analyzing whether an e-mail policy (or any other policy restricting Section 7 activities) on its face, or as enforced by the employer, interferes with Section 7 rights.

Continue Reading...

• Print
• Trackbacks (1)
• Share Link

It will soon be easier to conduct business on airline flights, and a lot riskier from a privacy perspective.  The New York Times ran a story the other day – “Some Airlines to Offer In-Flight Internet Service” – describing Jet Blue’s plans to begin offering free in-flight e-mail and instant messaging service.  Several other airlines also have announced plans to offer Internet service on their planes.  While the convenience may be welcome news to busy executives who criss-cross the country on non-stop business trips, employers should be concerned about the security of private workplace communications and confidential business information in the cramped confines of an airline cabin.  

Consider the number and proximity of work-related travelers —especially in business class.  Now imagine linking the traveler’s laptop or Blackberry to seat-back entertainment systems (Virgin America has plans to implement a system that allows passengers to send messages during a flight).  And now envision your company’s strategic business plan, or non-public profit figures, on display, like an in-flight movie.  Add to this the passenger’s oblivion to his surroundings and the scrutiny of other bored and seemingly harmless passengers.  Without determined efforts, inadvertent in-flight disclosure of confidential business information could become as commonplace as data breaches caused by stolen laptops. Continue Reading...

• Print
• Trackbacks
• Share Link