Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

Anonymous Internet posts attacking employers and executives have become all too common. Until the Ninth Circuit Court of Appeals’ decision last week in Anonymous Online Speakers v. United States District Court for the District of Nevada Reno, courts have relied on the First Amendment right to speak anonymously to set substantial obstacles in the path of employers and executives seeking to compel Internet service providers to disclose the identity of anonymous speakers on the Web. In a case of first impression in the federal appellate courts, the Ninth Circuit appears to have made it significantly easier for employers and executives to unmask the perpetrators of anonymous Internet attacks.

The case arose out of Signature Management TEAM’s alleged smear campaign against Quixtar. According to Quixtar, TEAM was responsible for anonymous posts that accused Quixtar of “systemic dishonesty,” “systemic noncompliance” with regulations, and improperly treating its franchisees. TEAM’s online content manager refused to answer questions at his deposition seeking the anonymous speaker’s identity. Quixtar sought an order compelling disclosure; the anonymous speakers intervened in the proceeding to prevent disclosure.

In a significant victory for employers and executives, the Ninth Circuit rejected the approach to unmasking requests taken by all other courts to date. These courts required the putative victim of an anonymous attack to produce levels of proof that almost always will be unattainable at the early stages of a case when the unmasking issue typically is addressed, so the defendant can be identified, served with the complaint, and subject to discovery. The Ninth Circuit ruled that rather than requiring the victim to prove his claims, trial courts should determine whether the anonymous speech is political, religious or literary and entitled to heightened protection, or commercial and entitled to less protection.

• Email This
• Print
• Trackbacks
• Share Link

In a case with significant implications for all employers, the New Jersey Supreme Court ruled earlier this week that Marina Stengart, a former executive employee of Loving Care Agency, had a reasonable expectation of privacy in e-mail exchanged with her personal attorney through a personal, web-based e-mail account even though those communications were stored on a company-issued laptop. However, rather than limiting its decision to the facts of the case, that court went further, broadly stating that even “a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employees’ attorney-client communications . .. would not be enforceable.” In other words, New Jersey employers cannot properly read their employee’s e-mail exchanges with a personal attorney stored on company equipment — no matter what the employer tells its employees in its electronic resources policy.

Stengart also is significant because it illustrates the circumstances in which a court might find that an employee reasonably could expect privacy in e-mail stored on the employer’s electronic resources. To begin with, the New Jersey Supreme Court relied heavily on Stengart’s efforts to shield her e-mail from Loving Care. She used a private, personal, password-protected, web-based e-mail account, rather than the company’s e-mail server, and she did not save the user ID or password for that account on company-issued equipment. In addition, the New Jersey Supreme Court cited Stengart’s affidavit testimony in the trial court that she did not know that a duplicate of e-mail transmitted through a personal e-mail account would be saved in a temporary file on the company-issued laptop used to transmit the e-mail or that a computer forensic expert (like the one hired by Loving Care) could retrieve the messages. Finally, the court emphasized that reasonable privacy expectations customarily inhere in attorney-client communications (as opposed to communications that are unlawful or otherwise violate company policy), quoting in full the confidentiality notice contained in all e-mails sent by Stengart’s lawyer.

Loving Care’s electronic resources policy only weakened the company’s position. The court noted that the policy did not even mention personal e-mail accounts, let alone notify Stengart of Loving Care’s ability to retrieve from company-issued equipment e-mail transmitted through a personal e-mail account.

• Email This
• Print
• Trackbacks
• Share Link

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce -- to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

• Email This
• Print
• Trackbacks
• Share Link

Texas recently enacted a law, effective September 1, 2009, that criminalizes online harassment. Texas joins other states, including Nevada, New York and Tennessee, which have enacted similar legislation criminalizing the use of electronic communication devices to commit criminal stalking and harassment.

Although speaking in terms of “online harassment,” the law is aimed at outlawing online impersonation with the intent to cause harm. Thus, the law outlaws the unauthorized use of another’s name or persona to create a web page, or to post one or more messages on a commercial social networking site, with the intent to defraud, harm, intimidate or threaten another person. This offense is a third-degree felony, punishable by two to ten years imprisonment and a fine not to exceed $10,000.

• Email This
• Print
• Trackbacks
• Share Link

Ranting on the Internet about one’s employer has become commonplace. When these rants appear on publicly accessible Internet pages, employers can access them, and, except in limited circumstances, can take adverse action based on the posting’s contents. As a recent adverse jury verdict demonstrates, employers who access a restricted social networking site without proper authorization can face liability under federal and state laws intended to protect personal privacy. The risk will increase as employees use increasingly sophisticated privacy settings to limit access to their personal social networking pages.

For a detailed discussion of this development, see Littler's ASAP "Verdict Against Houston's Restaurant Demonstrates Risks of Accessing Employee's Restricted Social Networking Sites" by Philip L. Gordon.

For more background on this case, see our prior blog post.

• Email This
• Print
• Trackbacks
• Share Link

Even a brief posting of private information on an Internet site amounts to “publicity per se” sufficient to support a civil action for invasion of privacy, according to a three judge panel of the Minnesota Court of Appeals in Yath v. Fairview Clinics, filed June 23, 2009. Candace Yath was a patient at the defendant clinic, where she sought testing for sexually transmitted diseases because she had a new sex partner. She was observed there by a clinic employee, Tek, who was an acquaintance. Tek later (and in violation of clinic policy) accessed Yath’s medical file, learning of Yath’s new sex partner (Yath was at the time married but estranged from her husband) and that Yath had been diagnosed with a sexually transmitted disease. Tek informed a second person, also an acquaintance (and relative) of Yath about the medical file information. Word soon spread to a group of people, including Yath’s husband.

One month later a web page appeared at MySpace.com bearing the title “Rotten Candy,” and including a photo of Yath and the contents of her medical file. The MySpace page asserted that “Rotten Candy” has a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. After learning about the Internet posting, the clinic manager investigated. When the manager first accessed the webpage, it listed only six “friends,” indicating that at least six persons had accessed the page. When the manager tried again to access the web page, one or two days later, the webpage had been removed.

• Email This
• Print
• Trackbacks
• Share Link

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employer’s compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

• Email This
• Print
• Trackbacks
• Share Link

The explosive growth in Facebook and MySpace pages has created a fertile ground for evidence-gathering by trial lawyers. However, these websites enable users to establish privacy settings, and to serve as “gatekeepers,” to control who can gain access to their posted material. One privacy setting limits access to those whom the user has accepted as a “friend.” An attorney who is not on the user’s “friends list,” in theory, could effectively circumvent the user’s gatekeeping by asking a third party to send a friend request to the user. Many social networking users are not particularly selective when it comes to making “friends.”

The Philadelphia Bar Association’s Professional Guidance Committee recently addressed the ethics of this strategem, cautioning that it is unethical for an attorney to use a third party to “friend” a Facebook user who is a litigation witness for purposes of obtaining information that the attorney might use to impeach the witness.

The Committee’s advisory opinion found that an attorney violates rules of professional conduct by gaining access to a private (“invitation only”) social network site by way of deception. Specifically, the opinion explains that by not disclosing to the potential witness the third party’s affiliation with the attorney, the attorney has omitted a “highly material fact” and has “purposefully conceal[ed] that fact from the witness for the purpose of inducing the witness to allow access.” Presumably, had the witness known the “whole story” and the true motivation behind the third party’s friend request, the witness would not have permitted access to his or her social network profile.

• Email This
• Print
• Trackbacks
• Share Link

How far can employers go to access an employee’s restricted social networking profile? A case scheduled for trial next month in New Jersey’s federal district court may give employers and employees alike a better understanding of what it means to engage in “private” on-line social networking.

In March 2006, Brian Pietrylo, an employee at Houston’s Restaurant in Hackensack, New Jersey, created a discussion group about his workplace on his personal MySpace web page. He flagged the group as private and described its purpose as follows: to “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.” The group was accessible only by invitation. Those who accepted the invitation became members and could log on at any time.

One group member, a Houston’s hostess named Karen St. Jean, showed the discussion group to a manager during a dinner party. The circumstances underlying upper management’s access to the group are disputed, but all parties agree that another restaurant manager soon became aware of the group and asked St. Jean for her sign-in information, which she provided. Houston’s management found sexual comments about employees and customers, disparaging jokes about company practices, references to drugs and violence, as well as a copy of an employee wine test. Because of their findings, the restaurant terminated the employment of Pietrylo and another contributing employee, Doreen Marino.

• Email This
• Print
• Trackbacks
• Share Link

A California appellate court rejected the invasion of privacy claims of a UC Berkeley student whose online rant against her hometown resulted in a firestorm of negative publicity and fierce reaction from local residents. Cynthia Moreno wrote “An Ode to Coalinga” and posted it on her online journal on her MySpace page. In the ode to her hometown located in central California, Moreno ranted against the town and its inhabitants. The local newspaper published the ode after the town’s high school principal sent the newspaper a copy printed off the internet. Unfortunately for Moreno and her family, the town’s residents reacted violently and forced Moreno’s family to shut down their business and move out of town.

In  Moreno v. Hanford Sentinel, Inc., et al., the California court of appeal held that Moreno cannot state a claim for invasion of privacy because her MySpace posting was available to the public. This was the case even though she had intended the posting only for her MySpace friends, removed the posting after six days, and the posting did not include her last name. The court found that once the ode was posted on MySpace, it was available to the public; and her MySpace page included her identity and her picture. Therefore, the court held that she could not have had a reasonable expectation of privacy. Nor could her family state a privacy claim because the right of privacy is purely personal. The appellate court did, however, send the case back to the lower court to decide Moreno’s claim for intentional infliction of emotional distress.

The decision confirms that employers can review a prospective or current employee’s online postings that are readily accessible to the public, even if intended for just the author’s friends on a social networking site. Employers do need to tread with more caution, however, before accessing a social networking profile or other on-line forum that is password protected or otherwise restricted. The decision in Moreno would not apply to such sites because access to the MySpace page in that case was unrestricted.

This entry was written by Gregory Iskander, Of Counsel in Littler's Walnut Creek office.

• Email This
• Print
• Trackbacks
• Share Link

Management-side lawyers and human resources professionals need to start thinking deeply about the key finding in a recent survey by The Creative Group, a staffing service company: more than one-half (57%) of 250 surveyed advertising and marketing executives responded that surfing the web during working hours is acceptable. How does an employer reconcile this apparent new-found acceptance of on-the-job Web surfing with the American Management Association’s finding in its 2007 survey of workplace monitoring that 30% of employers surveyed had fired an employee for Internet surfing at work?

Employers in more staid industries might shrug off the new survey result as a quirk of professions that appear to be more about creativity than productivity, but that would be too shortsighted. Let’s face it, nearly everyone surfs the Web at work at one point or another. Perhaps more importantly, the first generation to spend adolescence surfing the Web is starting to move into middle management and even senior management. This generational shift is rendering obsolete — in practice if not in form — corporate policies that forbid employees from using corporate electronic resources, i.e. Internet access, for non-business purposes.

Facing reality does not mean that employers must open the floodgates to pornography, fantasy football and online gambling. Instead, employers need to take up the challenging task of establishing rules for acceptable and unacceptable non-business use of the corporate Internet connection. The employer’s existing policies are a good starting point; employees should be barred from accessing any Web sites that communicate information which, if posted on the corporate intranet, would violate the company’s anti-discrimination and anti-harassment policies. Establishing bandwidth limits and prohibitions on Internet use that interferes with network operations should effectively eliminate most streaming media. Requiring employees to limit non-business use of the corporate Internet connection to breaks and meal periods and to no more than thirty minutes daily would permit discipline of employees engaging in potentially addictive and disruptive Internet activities, such as online gambling.

What is left might actually enhance productivity or create some good will. Rather than taking an extended lunch break, employees can spend a few minutes on the Web to order clothes or books. Employees who have been grinding during the week can plan a few weekend activities that will provide a much-needed respite from work. In short, the new survey result emphasize the point that the time has arrived for employers to revisit their business-only, workplace Internet policies.

• Email This
• Print
• Trackbacks (1)
• Share Link

Many employers include in their electronic resources policy a blanket prohibition on “engaging in any political activity.” A recent Guideline Memorandum issued by the NLRB’s General Counsel creates a minefield of potential unfair labor practices for employers who enforce this commonplace ban, especially as the 2008 presidential campaign heads towards its climax.

According to the GC’s Guideline, employees’ political advocacy can, in some circumstances, constitute “concerted activity” protected by the NLRA. The test is two-fold: First, is there “a direct nexus between the specific issue that is the subject of the advocacy and a specifically identified employment concern of the participating employees.” Put simply, is the political advocacy related to the terms or conditions of employment. Second, has the employee engaged in this protected political advocacy without violating "restrictions imposed by lawful and neutrally applied work rules." In other words, employers can discipline employees who engage in protected political advocacy as long as the rule used to justify the discipline is legal and is applied in a non-discriminatory manner. There’s the rub for employers.

Last December, the NLRB ruled that employers can implement an e-mail policy whose provisions incidentally prohibit union-related activity. An employer can, for example, promulgate a policy that bans all non-business use of its e-mail system or that bans all solicitations for membership organizations. While such policies effectively ban use of the corporate e-mail system for union-related activities, that result is only incidental to the broader ban directed at both non-union and union activities. Thus, an e-mail policy that bans all political activity using the corporate e-mail system is lawful, even though some of the banned activity may now, according to the GC’s Guideline, be protected concerted activity.

The challenge for employers is ensuring that this lawful policy is “neutrally applied.” During the presidential debate season, an employer can expect to see e-mail cheering and lambasting the candidates, encouraging co-workers to register for a particular party, and attacking or advocating planks in party platforms. If such e-mail traffic goes unpunished even though it violates the company’s ban on political activity over the corporate e-mail network, the trap may be laid for a successful unfair labor practice charge when months later employees are punished for exchanging e-mail about joining in a union-organized protest over a new work-related law advocated by the new President — whoever that might be.

For further analysis on the GC's Guidelines, please see Littler ASAP: Can a Bumper Sticker Get You Bumped? NLRB's General Counsel Issues Guidelines on Political Advocacy by Frank W. Buck and Richard L. Sloane.

• Email This
• Print
• Trackbacks
• Share Link

Some companies, like on-line retailer Zappos.com, are sponsoring corporate twitter sites. What is “twitter”? According to Twitter.com, “Twitter” is “a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: “What are you doing?” A review of Zappos’ twitter site suggests the answer to that question rarely is “working.” Are Zappos employees unwittingly creating the justification for terminating their employment, or has Zappos—in an effort to foster unrestrained twittering—assured its employees that their “twittering” would not be used against them in a court of law?

We don’t know the answer to those questions, but we do know that any employer seeking to cater to the “Twitterites” in its workforce should first consider some tough legal issues. How will the company react when an employee twitters that she is “organizing a union” or “complaining to her buddies about all that overtime”? Would a Twitterite ever be so frank or uncool? How does a business respond to a Twitter record that, in fact, does show that an employee seems always to be doing something other than work during working hours? Twitter actually is quite good for identifying slackers because each Twitter post includes the date and time of posting. Yet this begs another question: How will the company extend a “litigation hold” to Twitter after receiving a preservation demand from a sophisticated plaintiff’s lawyer who specifically identifies "Twitter" as one category of information that purportedly must be preserved?

The point of this post is not to provide answers, but rather to highlight that each new generation of “cool corporate communications tools” brings some tough legal issues to the forefront. Those issues should be thoroughly discussed before an employer rushes headlong into an embrace of the next new thing.

• Email This
• Print
• Trackbacks
• Share Link

Even though people surfing the Internet often leave a trail of data on the web sites they visit, the New Jersey Supreme Court has found a constitutionally protected privacy interest in their anonymity. Rejecting uniform federal court precedent holding that Internet users do not have a reasonable expectation of privacy under the U.S. Constitution in subscriber information stored by their Internet Service Provider (ISP), the state Supreme Court held on April 21 that New Jersey’s Constitution does protect this information against unreasonable searches by law enforcement authorities. While focused on criminal enforcement, the decision most likely will make it even more difficult for employers to identify employees and former employees who anonymously use the Internet to damage companies.

The case arises out of a run-of-the-mill employee vendetta. After defendant Shirley Reid had an argument with the owner of Jersey Diesel, where she was employed, Reid allegedly tried to sabotage the company’s operations. Using her home computer and the unique user ID and password that she had established as part of her job, Reid accessed the web sites of Jersey Diesel’s suppliers and changed the company’s shipping address to a non-existent address. One of Jersey Diesel’s suppliers reported the change to Jersey Diesel and gave the company’s owner the Internet Protocol (IP) address assigned to the computer used to access the supplier’s web site. Jersey Diesel, apparently using an IP Address Locator web site (which is similar to a reverse telephone directory), determined that the IP address was registered to Comcast. Comcast, however, refused to disclose the identity of the subscriber to Jersey Diesel’s owner. The owner then reported the activity to local police. In response to a municipal subpoena served by the local police, Comcast disclosed that Reid was the subscriber associated with the IP address. The local prosecutor indicted Reid on charges of criminal theft.
 

• Email This
• Print
• Trackbacks
• Share Link

Our last blog entry discussed the First Amendment shield that covers current and former employees who use anonymous or pseudonymous Internet postings to trash their employers. Today’s cautionary tale highlights the practical challenges employers face in court even when a current or former employee posts confidential records on the Web in violation of confidentiality agreements and laws.

Bank Julius Baer & Co., a Cayman Island subsidiary of a Swiss bank, fired a disgruntled vice president. On her way out, she took confidential documents she believed show that her former employer engaged in unlawful conduct. The next day, she posted those documents on a public website devoted to leaking confidential documents.

Instead of pursuing the disgruntled vice president, the Bank filed a lawsuit seeking to enjoin the leaking website, Wikileaks.org, and its domain name registrar, Dynadot. The Wikileaks website enables users to anonymously publish submissions, including alleged confidential corporate and government documents. The site aims to be an “untraceable version of Wikipedia for untraceable mass document leaking and analysis.” The site runs on modified MediaWiki software, similar to the software that runs Wikipedia.

• Email This
• Print
• Trackbacks
• Share Link

The balance of power has shifted. In the “old days” -- before the Internet explosion -- a disgruntled current or former employee did not have many outlets. She might complain to a spouse, a cadre of sympathetic co-workers or a union representative. But her employer had little fear that her scalding criticism of her direct report, the company’s business strategy or senior management would be front-page news or fodder for radio talk shows.

In today’s world of blogs, personal Web pages, chat rooms, and message boards, that dynamic has been flipped. Employees — and particularly terminated, former employees — are venomously trashing their employers in cyberspace, where anyone who wants to “tell all” can speak freely. Employers have been left desperately searching for the answer to one simple question: “How can I shut that guy up?”

A decision published by the California Court of Appeal earlier this month, Krinsky v. Doe 6, highlights one of the major obstacles to squelching these silicon diatribes, often referred to as “cybersmear.” Who do you shut down? Most current and former employees venting on the Web are cagey enough to hide behind anonymity or veiled identity. In Krinsky, for example, the offending poster dubbed the plaintiff, a departing senior executive, “boobs” and said that he would “reciprocate felatoin [sic] with [her] even though she has fat thighs, a fake medical degree, 'queefs' and ... poor feminine hygiene” but, for obvious reasons, did not take personal responsibility for this juvenile comment.

The Krinsky plaintiff, like other business people on the receiving end of an anonymous or pseudonymous diatribe, are left knocking on the typically sealed door of the Internet Service Provider (ISP) that hosts the server where the post resides. The ISPs, fulfilling assurances of confidentiality in their subscriber agreement or complying with obligations imposed by the Stored Communications Act, typically will disclose the identity of an anonymous or pseudonymous user posting content only in response to a subpoena or court order. The ISP also typically will put its subscriber on notice that a subpoena has been served to give the subscriber an opportunity to ask the issuing court to quash the subpoena.

No matter how obnoxious their posting, current and former employees who speak anonymously or pseudonymously on the Web arrive in court with the upper hand; they are cloaked in the protective garb of the First Amendment. The First Amendment does not protect cybersmearing employees from being terminated (albeit anti-retaliation statutes and other statutes might, depending upon the content of the post). Rather, the First Amendment restricts the power of the judiciary to issue a speech-squelching injunction.

• Email This
• Print
• Trackbacks (2)
• Share Link