Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

By Amber Spataro

On March 21, 2013, the New Jersey legislature overwhelmingly passed one of the most pro-employee social media password protection bills in the nation. The bill not only prohibited employers from requesting employee passwords to their personal social media accounts, but also prohibited employers from even asking employees or applicants if they possessed a personal social media account. The bill conferred on applicants and employees the right to sue for damages.

Over May 6, 2013, Governor Chris Christie issued a statement and a “conditional veto” of the measure. The conditional veto means the governor objects to parts of a bill and contains proposed amendments that would make the bill acceptable to him. If the legislature re-enacts the bill with the recommended amendments, the governor will have another opportunity to sign the bill and presumably would sign it.

• Print
• Trackbacks
• Share Link

Social media websites such as Facebook, Twitter, LinkedIn and others have become a part of daily life in the United States and abroad. The unavoidable reach of social media into our personal lives has extended into our professional lives. Facebook claims to have more than 1 billion users. As of December 31, 2012, LinkedIn boasted more than 200 million registered users in over 200 countries and territories and that LinkedIn members performed "over 5.7 billion professionally-oriented searches on the platform in 2012." It is reasonable to infer that those 5.7 billion searches were not limited to individuals seeking jobs, professional connections or merely long lost friends, but also included employer representatives searching for qualified candidates.

In the last decade, most employers, at some point, have reviewed an employee's or applicant's emails, blogs or online social media postings, either in the capacity of "employer" or perhaps as a "friend." Social media monitoring service Reppler recently surveyed over 300 hiring professionals to determine when and how job recruiters are screening job candidates on different social networks. The study found that more than 90 percent of recruiters and hiring managers have visited a potential candidate's profile on a social network as part of the screening process. Moreover, 69 percent of recruiters have rejected a candidate based on content found on his or her social networking profiles—an almost equal proportion of recruiters (68%), though, have hired a candidate based on his or her presence on those networks.

Employers' access to applicants' and employees' social media activity raises two separate but related questions. First, what social media sites can employers lawfully access to obtain information about applicants and employees? Second, to what extent can employers lawfully rely on information obtained through social media to make employment decisions? The second question raises the types of anti-discrimination concerns that employers have been confronting in the off-line world for decades. However, the first question exposes employers to a completely new legal landscape, one which just began to evolve in April 2012, when Maryland enacted the Nation's first "social media password protection law" and has expanded in the past year to include six additional states—California, Illinois, Michigan, New Jersey, New Mexico, and Utah. With password-protection legislation pending in over twenty state legislatures, this legal landscape undoubtedly will become more complex, especially for multi-state employers, over the next one to two years.

To learn more about the history and background of social media password protection legislation, the differences between the state laws, and how those differences create challenges for employer compliance, please see Littler's Report, Workplace Policy Institute: Social Media Password Protection and Privacy — The Patchwork of State Laws and How It Affects Employers, by Phillip Gordon, Amber Spataro, and William Simmons.

• Print
• Trackbacks
• Share Link

By Philip Gordon

New Jersey is expected to shortly join California, Illinois, Maryland, Michigan, and Utah in prohibiting employers from seeking employee or applicant passwords to social media accounts or services. New Jersey’s General Assembly passed its bill on March 21, 2013, and that bill now awaits signature by Governor Christie. Although there is no indication from the governor whether he intends to sign the bill, ignore it, or veto it, any action other than signature would simply be symbolic and almost certainly overruled (the General Assembly passed the bill 75-2). New Jersey’s law is more pro-employee/applicant than any such law enacted to date, providing the broadest protections, the narrowest exceptions, and the most generous remedies.

Specifically, the New Jersey bill would prohibit an employer from requesting or requiring, as a condition of employment, that a current or prospective employee “provide or disclose any user name or password, or in any way provide the employer access to,” any personal social networking account, service or profile. The italicized language appears to prohibit New Jersey employers not only from “shoulder surfing,” i.e., reviewing social media content by observing the individual’s access without requesting login credentials, but also goes one step further. The bill apparently would prohibit an employer from asking an employee who complains about the social media activity of a coworker, such as online sexual harassment, for access to the complaining employee’s personal social media account to observe what the alleged harasser posted. Moreover, unlike similar laws in California, Michigan, and Utah, the New Jersey bill contains no exception for workplace investigation into suspected unlawful conduct or violations of employer policies. Notably, the New Jersey bill does not contain a narrower exception, such as the one in Maryland’s law, which includes a carve-out for investigations into suspected violations of securities laws or regulations or into suspected misappropriation of trade secrets.

• Print
• Trackbacks
• Share Link

By Philip Gordon

Joining California, Illinois, and Maryland, Michigan has enacted its own social media password protection law, which went into effect with the governor’s signing of the bill on December 28, 2012. Michigan’s law, like the others, generally prohibits employers from gaining access to applicants’ or employees’ personal social media accounts. At the same time, Michigan’s law initiates the proverbial “patchwork” of state laws in this area as it introduces important distinctions from the three state laws that preceded it. The headaches, however, are not reserved for multi-state employers trying to implement a uniform strategy for investigating reports of employees’ social media misconduct. Michigan-only employers also will need to grapple with a range of interpretive challenges.

• Print
• Trackbacks
• Share Link

In another decision that affects non-union as well as union employers, the National Labor Relations Board recently ruled that comments posted on Facebook are protected in the same manner and to the same extent as comments made at the "water cooler." In Hispanics United of Buffalo, 359 NLRB No. 37 (Dec. 14, 2012), the Board found that a non-union employer's termination of five employees for Facebook postings was unlawful, awarding the employees full reinstatement and backpay. To learn more about the decision, please see Littler’s ASAP, NLRB Rules Employer’s Termination of Non-Union Employees for Facebook Posts Violated NLRA, by Alan Levins.

• Print
• Trackbacks
• Share Link

Under a new California law, employers cannot request or require that applicants or employees:

• Disclose social media log-in credentials;
• Access personal social media in the employer’s presence; or
• Divulge any personal social media content.

However, an exception permits employers to ask an employee to divulge personal social media content that the employer “reasonably believe[s] to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, California’s New Social Media “Password Protection” Law Takes a More Balanced Approach by Accounting for Employers’ Legitimate Business Interests, by Philip Gordon and Lauren Woon.

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

Between summer 2011 and spring 2012, the National Labor Relations Board’s (NLRB) Acting General Counsel drew substantial attention in his direction by publishing three lengthy Advice Memos, which expressed his views on the application of the National Labor Relations Act (NLRA) to social media policy provisions and employers’ discipline based on employees’ personal social media content. These memoranda, however, revealed only the litigation positions that the NLRB’s cadre of enforcement attorneys would take in this new and evolving area of the law. The views expressed in the memos did not, and do not, bind the Board. Last week, however, the Board issued an opinion, which, albeit not analyzing the employer’s social media policy per se, revealed the Board’s thinking on several employment policies commonly found in employers’ social media policies. Costco Wholesale Corporation, 358 N.L.R.B. No. 106 (Sept. 7, 2012).

Policy Prohibiting Damaging Statements about About the Company or Its Employees

No employer likes to see its own employees publicly post content damaging to the employer or any member of its workforce. The Board, however, ruled that employers generally cannot prohibit such speech because the prohibition would violate Section 7 of the NLRA by chilling employees from publicly commenting about the terms or conditions of employment. More specifically, the Board held that the following policy language violates the NLRA: “Employees should be aware that statements posted electronically (such as [to] online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation . . . may be subject to discipline . . . .”

Significantly, in disapproving this policy language, the Board suggested policy language that would be permissible. The Board cited to prior decisions that approved prohibitions on speech that is: (a) “malicious, abusive or unlawful;” (b) “profane language” and “harassment;” (c) “injurious, offensive, threatening, intimidating, coercing, or interfering with” other employees; and (d) “slanderous or detrimental to the company” when “among a list of 19 rules which prohibited egregious conduct such as ‘sabotage or sexual or racial harassment’.” (Emphasis supplied)

The critical take away for employers is that social media policy provisions that prohibit damaging or defamatory speech must be contained within a list of categories of speech that unequivocally are not protected under the NLRA. The Board would presumably then read the language prohibiting defamation in its context and conclude that no reasonable employee would understand the policy to prohibit true, or inadvertently false, statements about the terms or conditions of employment, which the NLRA protects.

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

Following the lead of Maryland and Illinois, California’s legislature, last week, sent to the governor for signature the nation’s third “password protection” law. Unlike the Maryland and Illinois laws, California’s pending statute takes into account employers’ legitimate business interests.

The Illinois law broadly prohibits employers from requesting or requiring that applicants or employees disclose their personal social media log-in credentials. Maryland’s law has two narrow exceptions for investigations into suspected securities violations or misappropriation of trade secrets, without any legislative findings explaining why these two categories of workplace misconduct should be exempted from the statute’s purview while other forms of workplace misconduct, such as a threat posted on social media to kill co-workers, is not. Earlier versions of the California bill, like the Illinois law and more than one dozen bills currently pending in other states, imposed a blanket prohibition on all employer requests for personal social media log-in credentials, without consideration of employers’ legitimate need to make such requests. In a July article entitled, “Rethinking and Rejecting Social Media Password Protection Laws,” we challenged the myopic view implicit in these laws and bills, i.e., that employers rarely or never have a good reason to investigate the content of an applicant’s or employee’s restricted-access social media site.
 

• Print
• Trackbacks
• Share Link

By Philip Gordon and Inna Shelley

When the photographs and videos flooding social media include images of patients or the victims of an accident or crime, it gives human resources professionals, compliance officers and in-house employment counsel at health care facilities heartburn and forces them to spring into action. In the past several years, dozens of snap-happy health care workers have been fired for using smartphones to photograph patients and then upload the images to their social media page. One startling illustration of this phenomenon occurred when emergency room workers and staff at a medical center in California photographed an urgent care patient’s gruesome stab wounds and posted the photos on the web. In another example, an Oregon nursing assistant received an eight-day prison sentence after posting graphic photographs of nursing home residents on her social media site. Given these types of stories, it is not surprising that, according to a PricewaterhouseCoopers study published in April 2012, 63% of health care consumers expressed concern about personal health information being shared in public.

Many health care workers mistakenly believe that posting a patient’s image on a social media site does not violate HIPAA’s privacy requirements if the post excludes the patient’s name and other identifying information. To the contrary, an image that includes a patient’s face is not de-identified under HIPAA. Even when the face is obscured, the image still could be entitled to protection under HIPAA if the patient reasonably could be identified, for example, where the image reveals a distinguishing tattoo or scar.

• Print
• Trackbacks
• Share Link

On August 1, 2012, Illinois Governor Pat Quinn signed into law a bill modifying Illinois' Right to Privacy in the Workplace Act to limit employers' access to applicants' and employees' restricted social media accounts. The Illinois bill applies to both public sector and private sector employers.  The law makes Illinois the second state in recent months (after Maryland) to forbid employers from requesting or requiring log-in credentials for an applicant's or employee's social networking sites.

Specifically, Illinois' new law makes it unlawful for an employer to:

• "request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website[;]" or
• "demand access in any manner to an employee's or prospective employee's account or profile on a social networking website."

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, Illinois' New Social Media Password Protection Law Handicaps Employers' Legitimate Business Activities, by Philip Gordon and Kathryn Siegel.

• Print
• Trackbacks
• Share Link

Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By Philip Gordon and Lauren Woon

The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media account. Over the next three weeks, more stories were published; some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.

Social Media “Password Protection” Laws Are Unnecessary

Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.

The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?”¹ The response: 99% of respondents answered the question in the negative.

• Print
• Trackbacks
• Share Link

It has been over one month since we discussed Illinois’s proposed social media password law. On May 22, 2012, both state legislative houses passed HB 3782, a bill that would amend the state’s Right to Privacy in the Workplace Act to prohibit employers from requesting applicant and employee social media login credentials. At that point it looked like Illinois would become the second state to enact such a law – on May 2, 2012, Maryland became the first state to prohibit such conduct. However, the bill was not sent to the governor until June 20, 2012. Moreover, the waiting game may continue because the governor has 60 days to sign, veto, or take no action on the bill. If no action is taken during the 60-day period, the bill becomes law. From a compliance readiness standpoint, because of the bill’s slow movement, if the governor signs the bill (or takes no action), employers will have more time to review and revise relevant policies because the law will not become effective until June 1, 2013; compared to January 1, 2013, had the law been signed before June 1, 2012.

• Print
• Trackbacks
• Share Link

By Margaret Keane

Recent weeks have seen a flurry of legislative activity aimed at preventing employers from compelling disclosure of passwords to social networking sites as a condition of hire or of continued employment. However, potentially more troubling for employers are concerns related to post-employment password access to, and use of, non-personal, social media accounts used on the employer’s behalf. As a review of recent case law shows, employers who want to ensure uninterrupted and continual access to company social media accounts and to avoid post-employment disputes over ownership of friends, followers and connections would be well advised to plan ahead.

• Print
• Trackbacks
• Share Link

On May 30, 2012, the National Labor Relations Board's Acting General Counsel issued his third guidance document on social media since August 2011. In that report, he took the opportunity to approve one employer's social media policy, a move that finally provides employers clear guidance in connection with the regulation of this rapidly evolving area of the law. The Acting GC's guidance, which was published in the form of an Operations Management Memorandum, was accompanied by an Advice Memorandum in Walmart, Case No. 11-CA-067171. It is in this case that the agency articulated its reasoning and found, for the first time, a social media policy that was acceptable in its entirety. To learn more about the guidance and its potential implications for employers, please continue reading Littler's ASAP, Three's a Charm: NLRB’s Acting General Counsel Issues Third Guidance Document on Social Media and Approves One Policy, by Philip Gordon.

• Print
• Trackbacks
• Share Link

The Illinois Senate and House passed a bill that will soon make their state the second in the country to have a law prohibiting employers from asking employees for their credentials to social networking sites. While this surely makes employees happy, the law and ones like it have the potential to inhibit legitimate business activities. In an interview with The Lexblog Network, Philip Gordon—Chair of the Privacy and Data Protection Practice Group at Littler—explains the basics of the Illinois law, how it could potentially inhibit businesses and where we might find some kind of happy medium.

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

With last week’s approval by Illinois’ Senate of a House bill entitled, “The Right to Privacy in the Workplace Act,” Illinois (assuming the Governor signs the bill) will soon become the second state, joining Maryland, to forbid employers from requesting or requiring log-in credentials for an applicant’s or employee’s social networking site. This bill, like Maryland’s law, raises significant interpretative challenges for employers while imposing unjustified and overbroad restrictions on their ability to run their own business.

Remarkably, the Illinois bill (like the Maryland law) contains no legislative findings supporting the need for the law. To be sure, in March and April of this year, there was a media frenzy aimed at creating the impression that private employers routinely request access to applicants’ and employees’ social networking accounts. This stir, however, was substantially overblown. It was based on a small number of news stories, virtually all of which involved job applicants, not employees, and public, not private, employers. To date, we have seen no empirical evidence suggesting that private employers are engaging in the practice which is the subject of legislation not only in Illinois and Maryland, but also of pending bills in ten other states (California, Delaware, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina and Washington) and in both houses of Congress.

• Print
• Trackbacks
• Share Link

Philip Gordon, Chair of Littler Mendelson's Privacy and Data Protection Practice Group Chair and a frequent contributor to this blog, was recently interviewed by The Lexblog Network about Maryland's recently-enacted Facebook password law and what it accomplishes.

Video courtesy of The Lexblog Network

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

The momentum in the media made it almost inevitable: the first state law to expressly restrict employers from asking applicants and employees for social media account log-in credentials has been passed. Not surprisingly, Maryland, where the issue first burst onto the scene in April 2011, wins the “honor.” However, Maryland likely has opened the floodgates. Bills currently are pending in California, Illinois, Minnesota, New Jersey, and Washington. Employers seeking to understand the implications of the Maryland law must look beyond the blaring headlines to the details of the statute.

To begin with, the law’s general prohibition is both broad and narrow. Effective October 1, 2012 (assuming the Governor signs the law), employers are prohibited from requiring, or even asking, that applicants or employees disclose “any means for accessing,” such as a user name or password, for “any personal account or service” accessed through “computers, telephones, personal digital assistants, and other similar devices.”  In other words, the prohibition extends far beyond Facebook and other social media sites to include personal e-mail accounts, personal online banking accounts, and any other online communications or service account.

• Print
• Trackbacks
• Share Link

Employers continue to wrestle with the issue of whether to require employees and prospective employees to divulge their social media passwords. A recent spike in interest by the media, by advocacy groups, legislators and the general public has refocused attention on the issue. Although it may not be unlawful to seek the information to conduct background checks, deter and investigate harassment of coworkers, and discourage employees from posting online content that disparages the employer's products or services, in most situations, it is inadvisable. To learn more about the pitfalls of social media information requests, proposed federal and state bills prohibiting such requests and their potential implications for employers, please continue reading Littler's ASAP, Though Not Yet Banned, Requiring Social Media Information Is a Bad Idea by Chris Leh.

• Print
• Trackbacks
• Share Link

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up stream. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

Selling luxury cars in a down economy can be tough enough without employees mocking a company-sponsored sales event on their Facebook page. An administrative law judge (ALJ) with the National Labor Relations Board (NLRB) issued an opinion last week holding that the National Labor Relations Act (NLRA) protected an employee’s sarcastic post, but nonetheless upheld the dealership’s termination decision because it was based on other, unprotected Facebook content. The decision is an important reminder for employers that when protected and unprotected content appear on the same Facebook wall, the protected content does not shield the employee from discipline based on the unprotected content.

The Knauz BMW dealership in Lake Bluff, Illinois, planned the “Ultimate Driving Event” to introduce the redesigned BMW 5 Series to its customers. At the event, the dealership not only offered BMW representatives, rather than the dealership’s sales staff, to take customers for a test drive, but also served hot dogs from a hot dog car as well as chocolate chip cookies, small bags of Doritos, and water. Upon learning of the dealership’s plans for the event, salesman Bobby Becker, and at least one other salesperson questioned the culinary selection. After the event, Becker tweaked the dealership on his Facebook page: “The small 8 oz. bags of chips, and the $2.00 cookie plate from Sam’s Club, and the semi fresh apples and oranges were such a nice touch . . . but to top it all off . . . the Hot Dog Cart. Where our clients could attain a over cooked weiner and a stale bunn . . . ”

• Print
• Trackbacks
• Share Link

By Philip Gordon

In a recent blog post, we addressed three Advice Memos issued by the National Labor Relations Board’s (NLRB or the “Board”) Division of Advice, which provided useful guidance on the types of social media conduct that do not enjoy protection under the National Labor Relations Act (NLRA). On August 18, 2011, not long after the publication of those Advice Memos, the NLRB’s General Counsel issued a lengthy memorandum to all Regional Directors that summarizes the Board’s resolution of more than one dozen “social media cases,” including the three cases discussed in our prior blog post. As a contrast to that post, this post will focus on the cases in the August 18, 2011, Memorandum where the General Counsel found that an employer’s discharge of an employee violated the NLRA. The August 18, 2011, Memorandum also provides useful guidance on social media policies, which are addressed below as well.

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

Ever since the National Labor Relations Board (NLRB) filed a complaint, last November, against ambulance service provider AMR for firing an employee who had called her supervisor a “mental patient” on her Facebook wall, employers have been forced to ask themselves the following question: Do I really need to worry that the NLRB will knock on my door every time I discipline an employee for an obnoxious or offensive Facebook post related to work? Until two weeks ago, there was no easy answer to that question. The AMR case and virtually all of the other “Facebook cases” initiated by the NLRB had either settled or had not yet resulted in a published decision. Then, last month, the NLRB’s Office of General Counsel issued three Advice Memoranda in rapid succession that provide at least some guidance for employers trying to navigate the intersection of social media and labor law.

• Print
• Trackbacks
• Share Link

By Philip L. Gordon

I was recently interviewed by Nymity on the dozen top challenges for employers when developing and enforcing social media/Web 2.0 policies. Part I of the interview [pdf] addresses the following questions: 

• Online Background Checks: What are the risks? What are practices that should be curtailed? How can a company gain the benefits of the tools, and minimize those risks?
• Customer‐Facing Company Sites: Such sites and other customer facing tools and techniques can build a brand over night. How does a company avoid the issues and gain the brand lifting benefits?
• Individual Employee Sites for Business Purposes: Who “owns” these sites, such as LinkedIn contacts and Facebook fan pages? Must an employee establish a new account for their work with a company? What are the best practices in these situations?
• Internal Company‐Sponsored Sites: What is special about these that require policy statements or recommendations? Can these sites really be a problem?
• Employees Off‐Duty Social Media Activity: We’ve discussed social media activity for work purposes, what about employees’ off‐duty social media conduct. What are the risks there and how should employers address them?
• Disciplining Employees Based On Off‐Duty Social Media Activity: There seems to be much confusion over when employers can discipline employees for their off‐duty social media activity. What are the key risks to avoid? What are the best practices that can be adopted to avoid what types of risks?

I will post Part II when it becomes available. 

Photo credit: CrackerClips

• Print
• Trackbacks
• Share Link

By Philip Gordon

The National Labor Relations Board created a stir in late 2010 by filing an unfair labor practice charge against ambulance company, AMR, for firing an employee who, among other things, called her supervisor a “mental patient” in a Facebook post read by many co-workers. As it turns out, the “Facebook case” was just the beginning of what appears to be a trend by the Board, subsequently joined by unions, to restrict employers’ ability to promulgate and enforce social media policies that, in the Board’s view, impinge on employees’ rights under the National Labor Relations Act. Several recent developments provide a window into the Board’s intentions.

• Print
• Trackbacks
• Share Link

By Philip Gordon.

Recently, the American Civil Liberties Union of Maryland tried to publicly embarrass the Maryland Department of Public Safety and Correctional Services (the “Maryland Corrections Department”) into suspending its practice of asking job applicants to disclose their Facebook password so that the Department could check whether the applicant’s wall or stored e-mail revealed any connection to criminal activity. According to a letter dated January 25, 2011 (pdf), sent by the ACLU to the Maryland Corrections Department, this practice “is illegal under the federal Stored Communications Act (SCA), 18 U.S.C. §§2701-11 and its state analog, Md. Courts & Jud. Proc. Art., §10-4A-01, et seq.” The ACLU’s contention is inaccurate.

Both of the cited statutes prohibit unauthorized access to electronic communications stored at an electronic communications service provider. Even assuming that these statutes apply to content stored on Facebook’s servers (and that point is far from settled), the Maryland Corrections Department did not gain “unauthorized” access to applicants’ Facebook page. Rather, the Department would access information on Facebook only after the applicant authorized such access by providing the Department with the applicant’s password.

The true core of the ACLU's position is the following assertion contained in its January 25, 2011 letter: “[T]here can be little question but that forced ‘authorization,’ such as that demanded of [the applicant by the Maryland Corrections Department], is not proper authorization under the SCA, given the disparate bargaining power of the employer and employee or applicant.” While rhetorically appealing at first blush, this argument assumes too much, especially with respect to applicants.

Applicants are not “forced” to provide authorization. The Maryland Corrections Department emphasized that applicants could refuse to provide their password and may still be eligible for a position. But, even if the Department’s practice were to require disclosure of the password, an applicant who does not want a prospective employer to view his “friends-only” Facebook page would have the choice to refuse the request and hope to get the position or seek employment elsewhere. Indeed, if the ACLU’s contention were correct, then the millions of authorizations for pre-employment background checks and drug screens that have been executed by applicants since those forms of pre-employment investigations became routine also would be invalid.

• Print
• Share Link

By Philip L. Gordon

The NLRB’s unfair labor practices charge against ambulance service provider AMR was a shot across the bow for employers. The complaint was the Board’s response to AMR’s discharge of an employee who called her supervisor a mental patient in a “friends-only” Facebook post in violation of AMR’s social media policy. However, the Region that brought the complaint also contended that any social networking policy that prohibited disparagement was per se unlawful unless it carved out rights under the National Labor Relations Act (NLRA). That element of the case raised broad concerns for employers throughout the U.S.

The Board’s General Counsel took the unusual step of announcing the complaint’s filing in a press release, setting off a buzz in employment, labor, and privacy law circles about the permissible scope of social media policies. The issue has become a hot one as employers seek to reduce the risk that employees’ off-duty social media activity will damage their organization’s reputation or expose the organization to liability. At the same time, the Obama Board appears to be seeking to expand employees’ leeway to use social media for protected labor activity and to require that employers not use broad policies to undercut concerted activity (in a union or non-union environment) protected by the NLRA.

• Print
• Share Link

The Equal Employment Opportunity Commission, on Nov. 9, 2010, published its long-awaited regulations implementing those portions of the Genetic Information Non-Discrimination Act of 2008 (GINA) applicable to employers. GINA prohibits employers from discriminating on the basis of genetic information and generally prohibits employers from acquiring or disclosing genetic information. GINA applies to all employers subject to Title VII of the Civil Rights Act of 1964 and adopts Title VII’s enforcement schemes except that disparate claims are not permitted.

Simple as GINA’s general rules might sound, their application to specific factual circumstances can be baffling and counterintuitive. The fundamental challenge for employers lies in the definition of “genetic information,” which is far broader than what common sense would advise, i.e., that genetic information is limited to the results of tests that reveal an employee’s genetic composition or a heightened risk of an inherited disease.

The 10 tips below address those aspects of GINA and the EEOC’s implementing regulations that employers likely will find most challenging and encounter on a recurring basis, and provides practical recommendations on how to handle those challenges.

1) Understand the Definition of “Genetic Information”

As noted above, “genetic information” encompasses far more than the results of a genetic test. Genetic information includes family medical history, and that term is very broadly defined.

• Print
• Share Link

Labor law attorneys at Littler Mendelson have been predicting for months that the National Labor Relations Board, now dominated by Obama appointees, would take aim at employer policies that could be applied to restrict employees’ use of social media for purposes protected by the National Labor Relations Act. In what appears to be the first shot in an approaching battle, the NLRB’s Office of General Counsel issued a press release on November 2, 2010, announcing that the Board’s Hartford Regional Office had filed a complaint alleging that American Medical Response of Connecticut, Inc. (AMR) violated the NLRA by terminating an employee for posting negative comments about her supervisor on her Facebook page. Continue reading on Littler's Labor Relations Counsel blog.

• Print
• Share Link

A bill approved on August 25, 2010, by Germany’s cabinet for introduction to the German Parliament would restrict employers’ use of social media in the recruitment process. Many multi-national employers are still struggling to implement a policy governing the use of social media in their U.S. workplace. Before multi-national employers even complete that task, or catch their breath from doing so, they need to confront the question, as the German proposal suggests, whether the version 1.0 social media policy addressing only U.S. employees can be lawfully applied to non-U.S. employees.

The issue is far from academic. Facebook, which surpassed 500 million users earlier this summer, has hundreds of millions of non-U.S. users. In fact, according to a survey by NielsenWire, monthly time per user spent on Facebook exceeds the U.S. average of 6 hours and 43 minute in Australia (7 hours 45 minutes), and Italy (7 hours) with the United Kingdom not far behind at 6 hours 19 minutes. Latin America was Twitter’s fastest-growing market between June 2009 and 2010 with users increasing by 300%, followed by Asia Pacific with a 240% growth rate, and the Middle East and Africa where users more than doubled.

At the same time, the social media juggernaut has been so rapid that no one body of law in any country yet governs an employer’s ability to access and use social media content for hiring and disciplinary purposes. In the U.S., for example, private employers need to consider the federal Stored Communications Act and state computer trespass laws, the Fair Credit Reporting Act, the National Labor Relations Act, federal anti-discrimination laws, state laws protecting employees against adverse action based on lawful, off-duty conduct, and potential common law claims for invasion of privacy and unreasonable disclosure of private facts.

• Print
• Share Link

Employees who post reviews of their employer’s products and services on social media sites, without disclosing their corporate affiliation, can land their employer in an FTC enforcement action. The FTC’s second enforcement action for violation of the agency’s endorsement guidelines, announced on August 26, makes this point.

According to the FTC, Reverb Communications, an on-line public relations firm, sought to boost sales of its clients’ gaming applications by having its employees post positive reviews on iTunes. Over the course of nine months, Reverb employees, posing as disinterested users, gave clients’ games a rating of 4 or 5 and posted comments, such as “Amazing new game,” “ONE of the BEST,” and “Really Cool Game.” According to the FTC, these reviews were misleading because they did not, as suggested, come from independent, ordinary consumers, but from Reverb employees who had a financial incentive to provide a positive endorsement.

In the agreement resolving the FTC’s complaint, Reverb agreed, among other things, (a) not to permit its employees to endorse any product without conspicuously disclosing the employee’s connection to Reverb and/or the manufacturer or advertiser of the product; (b) to take reasonable steps to remove the endorsements that were posted without full disclosure; (c) to maintain for five years all documents related to the company’s compliance with the agreement; and (d) to obtain for five years all current and future employees’ acknowledgement of receipt of the company’s agreement with the FTC.

• Print
• Share Link

“BeenVerified” is a new mobile Web application that allows users to conduct background checks on any individual by merely entering the name or email address of the individual. Users get three free background checks monthly and unlimited checks for a monthly fee of only $8. BeenVerified has been a smashing success, with more than one million checks run to date.

HR professionals, recruiters, managers, and co-workers may find BeenVerified hard to resist. According to the application, users can check an individual’s “Criminal History, Property Records, Current Contact Info, Relatives, Neighbors, and more,” merely by entering an individual’s name. By entering an email address, the user can find out about the individual’s social networking activities and view “their online photos, websites, blog posts, and entire online presence.” All of the data is compiled into a concise report.

Despite its ease of use and apparent low cost, the BeenVerified app may expose employers to liability under the federal Fair Credit Reporting Act (FCRA) and analogous state laws. These laws prohibit background checks for employment purposes without providing notice and obtaining the subject’s prior, written authorization. The FCRA permits recovery of compensatory damages, including statutory damages for willful violations, and a fee award.

Although BeenVerified states that information obtained “should not be used for employment, tenant screening, or any FCRA related purposes,” the potential for abuse exists. HR professionals, recruiters, managers, and co-workers now have the ability to review financial, criminal, and other personal information about subordinates, co-workers, and applicants without any safeguards to protect against violations of federal and state background check laws. As a result, employers should consider implementing a policy that prohibits employees from using the application to obtain information about any other employee unless the user has complied with the FCRA’s notice and authorization requirements.

This entry was written by Philip L. Gordon and Jennifer L. Mora.

Photo credit: HelleM 

• Print
• Trackbacks
• Share Link

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce -- to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

• Print
• Trackbacks
• Share Link

This past week, Facebook asked each of its 350 million users whether they wanted to change their privacy settings to new settings offered by Facebook. The request ignited a firestorm among privacy advocates who believed that the changes meant less privacy for users. At the same time, the request forced users to consider their old settings and whether to change them to the new ones. The Financial Times reported that, according to Facebook, before this week’s rollout of the new settings, only 15% to 20% of users had changed their default privacy settings, but in response to the inquiry about changing their privacy settings, 50% of users — approximately 175 million users — had made changes.

• Print
• Trackbacks
• Share Link

On September 29, 2009, Littler Mendelson presented a webinar, hosted by HR.com, entitled, “Legal Perils of Social Media & Social Networking: What Every Employer Needs to Know.” Several of the attendees submitted questions by e-mail that could not be answered during the time allotted for the webinar. The answers to those questions are below.

Question: Because of the sketchy and inconsistent nature of HR policy around this topic, it seems reasonable for employees to ask for definition from their employers regarding use of social media to avoid being surprised should there be a potential issue. Would you agree?

Response: I would agree. The intersection of social networking sites and work is so new that accepted etiquette, custom, or norms have not yet developed. Employers can address this problem by establishing a policy that provides easily understood guidelines for employees’ social media activities whether authorized by the employer or not. Training also is very important in this area. Employers need to train managers and employees on how to respond to and handle the many complicated issues raised by the intersection of work and social media activity.

• Print
• Share Link

Several employment lawyers recently have debated whether employers should permit their employees to “recommend” a former employee on LinkedIn. The debate began after a National Law Journal article quoted two management-side attorneys who counseled against permitting such recommendations. According to these lawyers, a positive recommendation arguably could provide evidence of pretext in a discrimination lawsuit if the former employee who is the subject of  the recommendation had been terminated for poor performance. The contrarians in the debate contend that this scenario is unlikely to occur and even if it did, the LinkedIn recommendation would not be particularly persuasive evidence of pretext.

Both sides have their points, but, in my view, neither side has the answer. Experienced employment litigators know that in the “wrong case” a positive LinkedIn recommendation could result in the denial of summary judgment — or worse, an adverse jury verdict — and accompanying recriminations for not having advised the defendant to prohibit such recommendations. At the same time, implementing a policy to avoid the unusual case where a manager is willing to make positive public proclamations about a litigious poor performer denies the employer the benefit of whatever good will might result from these LinkedIn recommendations.

• Print
• Trackbacks
• Share Link

Ranting on the Internet about one’s employer has become commonplace. When these rants appear on publicly accessible Internet pages, employers can access them, and, except in limited circumstances, can take adverse action based on the posting’s contents. As a recent adverse jury verdict demonstrates, employers who access a restricted social networking site without proper authorization can face liability under federal and state laws intended to protect personal privacy. The risk will increase as employees use increasingly sophisticated privacy settings to limit access to their personal social networking pages.

For a detailed discussion of this development, see Littler's ASAP "Verdict Against Houston's Restaurant Demonstrates Risks of Accessing Employee's Restricted Social Networking Sites" by Philip L. Gordon.

For more background on this case, see our prior blog post.

• Print
• Trackbacks
• Share Link

Even a brief posting of private information on an Internet site amounts to “publicity per se” sufficient to support a civil action for invasion of privacy, according to a three judge panel of the Minnesota Court of Appeals in Yath v. Fairview Clinics, filed June 23, 2009. Candace Yath was a patient at the defendant clinic, where she sought testing for sexually transmitted diseases because she had a new sex partner. She was observed there by a clinic employee, Tek, who was an acquaintance. Tek later (and in violation of clinic policy) accessed Yath’s medical file, learning of Yath’s new sex partner (Yath was at the time married but estranged from her husband) and that Yath had been diagnosed with a sexually transmitted disease. Tek informed a second person, also an acquaintance (and relative) of Yath about the medical file information. Word soon spread to a group of people, including Yath’s husband.

One month later a web page appeared at MySpace.com bearing the title “Rotten Candy,” and including a photo of Yath and the contents of her medical file. The MySpace page asserted that “Rotten Candy” has a sexually transmitted disease, had recently cheated on her husband and was addicted to plastic surgery. After learning about the Internet posting, the clinic manager investigated. When the manager first accessed the webpage, it listed only six “friends,” indicating that at least six persons had accessed the page. When the manager tried again to access the web page, one or two days later, the webpage had been removed.

• Print
• Trackbacks
• Share Link

On June 18, Philip Gordon will present at the International Association of Privacy Professionals (IAPP) Practical Privacy Series on the topic "On the Cutting Edge: The Top Five Developments for 2009" (You may register for the event here). Below, Mr. Gordon answers questions about some of the top HR privacy concerns that every organization is confronting.

IAPP: With so much focus on safeguarding customer information, why is HR privacy even an issue?

Gordon: HR privacy should be a major concern of every organization for several reasons. Virtually all class-action litigation involving the compromise of customers’ personal data has been unsuccessful because of the absence of any actual damages. By contrast, privacy violations involving employee personal data often do result in cognizable injuries, including loss of employment and emotional distress. The risk of significant damages is particularly high in the employment context because employers maintain not only the full range of personal identifiers but also financial information and very sensitive health information. In addition, security breaches involving employee personal data can have a negative impact on employee morale, and employees, unlike consumers, can easily express their disgruntlement to senior management. While the potential exposure is high, developments in technology and recently enacted legislation have complicated employer’s compliance obligations, further increasing their exposure to liability.

IAPP: Could you provide some examples of recent developments that have a significant impact on HR privacy compliance and employers’ exposure to liability for privacy violations?

Gordon: Employers are struggling to find the right approach for addressing text messaging in the workplace and the variety of Web 2.0 communications platforms. Unlike e-mail, text messaging almost always is transmitted through, and stored at, a third-party service provider. The laws governing access to electronic communications stored at a service provider impose substantial restrictions on employers. These restrictions do not apply when accessing communications stored on the corporate network. Social networking is particularly challenging for employers, especially as employees form their own networks, because personal profiles often blur the line between “private” and work life while, at the same time, permitting employees to communicate messages that senior management views as contrary to the organization’s interests.

On the legal side, we have the passage in February 2009 of significant amendments to HIPAA, which will have an impact on every employer that sponsors a HIPAA-covered benefit plan. In November, the Genetic Information Non-Discrimination Act of 2009 (GINA) will become effective. GINA will raise significant compliance challenges because the Act defines “genetic information” to include several categories of information that most privacy and HR professionals might not think of as “genetic” in nature, such as certain FMLA certifications. I will cover these technological and legal developments at the Practical Privacy Series in a presentation entitled, “On the Cutting Edge: The Top Five Developments For 2009.”

• Print
• Trackbacks
• Share Link

The explosive growth in Facebook and MySpace pages has created a fertile ground for evidence-gathering by trial lawyers. However, these websites enable users to establish privacy settings, and to serve as “gatekeepers,” to control who can gain access to their posted material. One privacy setting limits access to those whom the user has accepted as a “friend.” An attorney who is not on the user’s “friends list,” in theory, could effectively circumvent the user’s gatekeeping by asking a third party to send a friend request to the user. Many social networking users are not particularly selective when it comes to making “friends.”

The Philadelphia Bar Association’s Professional Guidance Committee recently addressed the ethics of this strategem, cautioning that it is unethical for an attorney to use a third party to “friend” a Facebook user who is a litigation witness for purposes of obtaining information that the attorney might use to impeach the witness.

The Committee’s advisory opinion found that an attorney violates rules of professional conduct by gaining access to a private (“invitation only”) social network site by way of deception. Specifically, the opinion explains that by not disclosing to the potential witness the third party’s affiliation with the attorney, the attorney has omitted a “highly material fact” and has “purposefully conceal[ed] that fact from the witness for the purpose of inducing the witness to allow access.” Presumably, had the witness known the “whole story” and the true motivation behind the third party’s friend request, the witness would not have permitted access to his or her social network profile.

• Print
• Trackbacks
• Share Link

How far can employers go to access an employee’s restricted social networking profile? A case scheduled for trial next month in New Jersey’s federal district court may give employers and employees alike a better understanding of what it means to engage in “private” on-line social networking.

In March 2006, Brian Pietrylo, an employee at Houston’s Restaurant in Hackensack, New Jersey, created a discussion group about his workplace on his personal MySpace web page. He flagged the group as private and described its purpose as follows: to “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.” The group was accessible only by invitation. Those who accepted the invitation became members and could log on at any time.

One group member, a Houston’s hostess named Karen St. Jean, showed the discussion group to a manager during a dinner party. The circumstances underlying upper management’s access to the group are disputed, but all parties agree that another restaurant manager soon became aware of the group and asked St. Jean for her sign-in information, which she provided. Houston’s management found sexual comments about employees and customers, disparaging jokes about company practices, references to drugs and violence, as well as a copy of an employee wine test. Because of their findings, the restaurant terminated the employment of Pietrylo and another contributing employee, Doreen Marino.

• Print
• Trackbacks
• Share Link

A California appellate court rejected the invasion of privacy claims of a UC Berkeley student whose online rant against her hometown resulted in a firestorm of negative publicity and fierce reaction from local residents. Cynthia Moreno wrote “An Ode to Coalinga” and posted it on her online journal on her MySpace page. In the ode to her hometown located in central California, Moreno ranted against the town and its inhabitants. The local newspaper published the ode after the town’s high school principal sent the newspaper a copy printed off the internet. Unfortunately for Moreno and her family, the town’s residents reacted violently and forced Moreno’s family to shut down their business and move out of town.

In  Moreno v. Hanford Sentinel, Inc., et al., the California court of appeal held that Moreno cannot state a claim for invasion of privacy because her MySpace posting was available to the public. This was the case even though she had intended the posting only for her MySpace friends, removed the posting after six days, and the posting did not include her last name. The court found that once the ode was posted on MySpace, it was available to the public; and her MySpace page included her identity and her picture. Therefore, the court held that she could not have had a reasonable expectation of privacy. Nor could her family state a privacy claim because the right of privacy is purely personal. The appellate court did, however, send the case back to the lower court to decide Moreno’s claim for intentional infliction of emotional distress.

The decision confirms that employers can review a prospective or current employee’s online postings that are readily accessible to the public, even if intended for just the author’s friends on a social networking site. Employers do need to tread with more caution, however, before accessing a social networking profile or other on-line forum that is password protected or otherwise restricted. The decision in Moreno would not apply to such sites because access to the MySpace page in that case was unrestricted.

This entry was written by Gregory Iskander, Of Counsel in Littler's Walnut Creek office.

• Print
• Trackbacks
• Share Link

Student teacher Stacey Snyder lost her chance to earn a teaching certificate largely because of content that she posted on her MySpace page. The page included a picture of Snyder, captioned “Drunken Pirate,” in which, according to Snyder’s trial testimony, she wore a pirate’s hat, was drinking a “mixed beverage,” and had a “stupid expression on my face . . . giving the peace sign . . . expressing myself at the moment, basically peace, love happiness . . . .” The page also contained a post in which Snyder implied that the teacher who was supervising Snyder’s participation in the student teacher program, Nicole Reinking, was the reason that Snyder would not apply for a job at Conestoga Valley (CV) High School in Pennsylvania after completing the program.

Unfortunately for Snyder, a CV High teacher viewed the picture and the post and gave a copy of both to Reinking. Reinking, who had not been pleased with Snyder’s performance even before receiving the MySpace content, promptly complained to her supervisor who, in turn, brought the MySpace content to the attention of the school’s superintendent. He suspended Snyder from the student teacher program. In her final evaluation from Reinking and from her supervisor at Millersville University — where Snyder was pursuing her teaching certificate — Snyder received an “unsatisfactory” rating for “professionalism.” That rating disqualified Snyder from earning a teaching certificate.

Snyder sued Millersville University in federal district court in Philadelphia, alleging that the university had violated her First Amendment rights by denying the teaching certificate based largely on the MySpace content. In what appears to be the first published decision addressing an adverse action (at least akin to an adverse employment action) based upon content on a social networking site, the court, after a two-day bench trial, rejected Snyder’s First Amendment claim and denied Snyder’s request for an order compelling Millersville University to award her a teaching certificate.

The decision is important for private employers, but not because of its legal underpinnings, which turned largely on legal issues that are irrelevant to the private workplace (i.e., state regulations applicable to student teachers and First Amendment jurisprudence concerning speech by public employees and students at public schools). While the applicable legal framework created substantial obstacles, the more significant problem for Snyder (apparent to any experienced trial lawyer reading between the lines of a carefully crafted opinion) was the unsympathetic posture of her factual position.

• Print
• Trackbacks
• Share Link

Some companies, like on-line retailer Zappos.com, are sponsoring corporate twitter sites. What is “twitter”? According to Twitter.com, “Twitter” is “a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: “What are you doing?” A review of Zappos’ twitter site suggests the answer to that question rarely is “working.” Are Zappos employees unwittingly creating the justification for terminating their employment, or has Zappos—in an effort to foster unrestrained twittering—assured its employees that their “twittering” would not be used against them in a court of law?

We don’t know the answer to those questions, but we do know that any employer seeking to cater to the “Twitterites” in its workforce should first consider some tough legal issues. How will the company react when an employee twitters that she is “organizing a union” or “complaining to her buddies about all that overtime”? Would a Twitterite ever be so frank or uncool? How does a business respond to a Twitter record that, in fact, does show that an employee seems always to be doing something other than work during working hours? Twitter actually is quite good for identifying slackers because each Twitter post includes the date and time of posting. Yet this begs another question: How will the company extend a “litigation hold” to Twitter after receiving a preservation demand from a sophisticated plaintiff’s lawyer who specifically identifies "Twitter" as one category of information that purportedly must be preserved?

The point of this post is not to provide answers, but rather to highlight that each new generation of “cool corporate communications tools” brings some tough legal issues to the forefront. Those issues should be thoroughly discussed before an employer rushes headlong into an embrace of the next new thing.

• Print
• Trackbacks
• Share Link