Philip Gordon


Philip Gordon is the Chair of Littler Mendelson’s Privacy and Data Protection Practice Group. He has years of experience litigating privacy-based claims and counseling clients on all aspects of workplace privacy. He has provided advice to businesses of all sizes on surveillance of employees’ electronic communications, background checks, responding to security breaches, outsourcing, and compliance with HIPAA, state data protection laws, and the European Union Data Protection Directive. Mr. Gordon also has substantial experience representing employers in disputes involving misappropriation of trade secrets, claims of unfair competition, and charges of wrongful termination. Relatedly, he has developed special expertise in preparing for, and responding to, electronic discovery and leads the Firm’s Electronic Discovery Task Force.


Articles By This Author

Is Employee Web Surfing During Working Hours Really a Problem?

Management-side lawyers and human resources professionals need to start thinking deeply about the key finding in a recent survey by The Creative Group, a staffing service company: more than one-half (57%) of 250 surveyed advertising and marketing executives responded that surfing the web during working hours is acceptable. How does an employer reconcile this apparent new-found acceptance of on-the-job Web surfing with the American Management Association’s finding in its 2007 survey of workplace monitoring that 30% of employers surveyed had fired an employee for Internet surfing at work?

Employers in more staid industries might shrug off the new survey result as a quirk of professions that appear to be more about creativity than productivity, but that would be too shortsighted. Let’s face it, nearly everyone surfs the Web at work at one point or another. Perhaps more importantly, the first generation to spend adolescence surfing the Web is starting to move into middle management and even senior management. This generational shift is rendering obsolete — in practice if not in form — corporate policies that forbid employees from using corporate electronic resources, i.e., Internet access, for non-business purposes.

Facing reality does not mean that employers must open the floodgates to pornography, fantasy football and online gambling. Instead, employers need to take up the challenging task of establishing rules for acceptable and unacceptable non-business use of the corporate Internet connection. The employer’s existing policies are a good starting point; employees should be barred from accessing any Web sites that communicate information which, if posted on the corporate intranet, would violate the company’s anti-discrimination and anti-harassment policies. Establishing bandwidth limits and prohibitions on Internet use that interferes with network operations should effectively eliminate most streaming media. Requiring employees to limit non-business use of the corporate Internet connection to breaks and meal periods and to no more than thirty minutes daily would permit discipline of employees engaging in potentially addictive and disruptive Internet activities, such as online gambling.

What is left might actually enhance productivity or create some good will. Rather than taking an extended lunch break, employees can spend a few minutes on the Web to order clothes or books. Employees who have been grinding during the week can plan a few weekend activities that will provide a much-needed respite from work. In short, the new survey result emphasizes the point that the time has arrived for employers to revisit their business-only, workplace Internet policies.

 

New Jersey Court Ruling re Workplace Computer Privacy Leaves Tough Questions Unanswered

Joseph Braun, the owner of a New Jersey label manufacturer, hired the wrong bookkeeper and paid a hefty price. Before Braun hired the bookkeeper, referred to only as “M.A.” in a New Jersey appellate court opinion published on August 29, 2008, M.A. had completed twelve months in a pretrial intervention program after being charged with forgery and theft. One month after completing the intervention program, M.A. was charged with fourteen counts of forgery and the theft of more than $220,000 from his employer; he served 364 days in jail after a guilty plea. While still on probation, M.A. landed his bookkeeping job with Braun’s company.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes of the facts show why: M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

Enforcing A Ban On Political Activity Over Your Corporate Network Risks Violating The NLRA

Many employers include in their electronic resources policy a blanket prohibition on “engaging in any political activity.” A recent Guideline Memorandum issued by the NLRB’s General Counsel creates a minefield of potential unfair labor practices for employers who enforce this commonplace ban, especially as the 2008 presidential campaign heads towards its climax.

According to the GC’s Guideline, employees’ political advocacy can, in some circumstances, constitute “concerted activity” protected by the NLRA. The test is two-fold: First, is there “a direct nexus between the specific issue that is the subject of the advocacy and a specifically identified employment concern of the participating employees”? Put simply, is the political advocacy related to the terms or conditions of employment? Second, has the employee engaged in this protected political advocacy without violating “restrictions imposed by lawful and neutrally applied work rules”? In other words, employers can discipline employees who engage in protected political advocacy as long as the rule used to justify the discipline is legal and is applied in a non-discriminatory manner. There’s the rub for employers.

 

Last December, the NLRB ruled that employers can implement an e-mail policy whose provisions incidentally prohibit union-related activity. An employer can, for example, promulgate a policy that bans all non-business use of its e-mail system or that bans all solicitations for membership organizations. While such policies effectively ban use of the corporate e-mail system for union-related activities, that result is only incidental to the broader ban directed at both non-union and union activities. Thus, an e-mail policy that bans all political activity using the corporate e-mail system is lawful, even though some of the banned activity may now, according to the GC’s Guideline, be protected concerted activity.

 

The challenge for employers is ensuring that this lawful policy is “neutrally applied.” During the presidential debate season, an employer can expect to see e-mail cheering and lambasting the candidates, encouraging co-workers to register for a particular party, and attacking or advocating planks in party platforms. If such e-mail traffic goes unpunished even though it violates the company’s ban on political activity over the corporate e-mail network, the trap may be laid for a successful unfair labor practice charge when months later employees are punished for exchanging e-mail about joining in a union-organized protest over a new work-related law advocated by the new President — whoever that might be.

 

For further analysis on the GC's Guidelines, please see Littler ASAP: Can a Bumper Sticker Get You Bumped? NLRB's General Counsel Issues Guidelines on Political Advocacy by Frank W. Buck and Richard L. Sloane.

 

What To Do About Corporate "Twitter"?

Some companies, like on-line retailer Zappos.com, are sponsoring corporate twitter sites. What is “twitter”? According to Twitter.com, “twitter” is “a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?” A review of Zappos’ twitter site suggests the answer to that question rarely is “working.” Are Zappos employees unwittingly creating the justification for terminating their employment, or has Zappos—in an effort to foster unrestrained twittering—assured its employees that their “twitter” would not be used against them in a court of law?

We don’t know the answer to those questions, but we do know that any employer seeking to cater to the “twitterites” in its workforce should first consider some tough legal issues. How will the company react when an employee twitters that she is “organizing a union” or “complaining to her buddies about all that overtime”? Would a twitterite ever be so frank or uncool? How does a business respond to a twitter record that, in fact, does show that an employee seems always to be doing something other than work during working hours? Twitter actually is quite good for identifying slackers because each twitter post includes the date and time of posting. Yet this begs another question: How will the company extend a “litigation hold” to Twitter after receiving a preservation demand from a sophisticated plaintiff’s lawyer who specifically identifies "twitter" as one category of information that purportedly must be preserved?

The point of this post is not to provide answers, but rather to highlight that each new generation of “cool corporate communications tools” brings some tough legal issues to the forefront. Those issues should be thoroughly discussed before an employer rushes headlong into an embrace of the next new thing.

Connecticut Becomes Only the Second State to Mandate an Employee Data Protection Policy

With the State of Connecticut reeling from a series of massive security breaches that have exposed the personal information of hundreds of thousands of state residents, Connecticut's Governor and General Assembly joined forces in mid-June to make Connecticut only the second state (after Michigan) to mandate that private employers publish a policy on the protection of employee Social Security numbers (SSNs). The new Connecticut law — entitled, "An Act Concerning the Confidentiality of Social Security Numbers" (the "Act"), and effective October 1, 2008 — also imposes on private employers a statutory duty to safeguard, and properly dispose of, personal information more broadly defined.

Quon Ruling Not a Significant Obstacle to Employers' Accessing Text Messages

The Los Angeles Times reported on June 19, 2008, that the Ninth Circuit’s decision in Quon v. Arch Wireless Operating Co., “sharply limited the ability of employers to obtain e-mails and text messages sent by employees on company-financed accounts.” And many major news outlets echoed this sentiment: "Court Rules Employee Text Messages Are Private," "SF Court Protects Privacy of Work Communications," "Stop Snooping on Email, Court Tells Some Nosy Bosses." However, the assertion of the LA Times reporter, while literally true, is pure hyperbole when viewed in the context of a real-world workplace.

The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The Court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text-message services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.

Not so fast: Employers can easily and lawfully circumvent the Court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well-established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees’ communications using corporate resources will be monitored and are not private.


Philip Gordon Answers Questions About Workplace Privacy Issues

Philip Gordon will present at the International Association of Privacy Professionals' (IAPP) human resources event on June 17 on the topics "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?" and "It's 10:00 AM: Do You Know Where Your Employees Are And What They Are Doing?" Below, Mr. Gordon answers questions about workplace privacy.
 
IAPP: The IAPP is sponsoring its first ever Practical Privacy Series on Human Resources (HR) privacy. Why should privacy professionals be concerned about HR privacy?

Philip Gordon: There are many reasons. Here are just a few: First, privacy breaches involving employees are becoming a much more significant risk to organizations. Virtually every security breach involving employees triggers a notice obligation because of the prevalence of Social Security numbers, driver’s license numbers and financial account information in corporate HR departments. Also, sensitive health and disciplinary information can be much more easily disseminated through social networking sites or Web postings, raising the risks of litigation and substantial damages awards.

Second, employees are more likely to respect consumer privacy in an organization that is concerned about employee privacy. Demonstrating a commitment to addressing HR privacy issues establishes a culture that will enhance protection of consumer data.

Third, an employer’s commitment to HR privacy can provide an edge in recruiting and retaining employees, especially younger employees. In April 2007, Littler Mendelson and the Ponemon Institute published a study entitled “Workplace Survey on the Privacy Age Gap.” The study revealed that 85 percent of respondents under the age of 30 believed that their employer’s commitment to employee privacy was important, but only 20 percent believed that their employer was committed to protecting their privacy. Perhaps more to the point, 27 percent of respondents under age 30 said that they would find another job if their employer committed what they perceived to be a privacy violation.

Finally, HR privacy tends to fall into the gap between the chief privacy officer’s and the human resources director’s areas of responsibility. By way of illustration, in the Littler/Ponemon study, two-thirds of respondents said that their employer had a consumer privacy policy, but only 22 percent stated that their employer had an employee privacy policy. Along the same lines, only 6 percent of respondents said that they would contact a privacy professional in their organization if they had a question about workplace privacy.

IAPP: What do you see as some of the cutting-edge issues in the area of HR privacy?

Philip Gordon: Ironically, some of the most cutting-edge issues arise out of relatively public conduct on the Internet, such as social networking and blogging. Many employees perceive their off-duty blogging and social networking as private, but their postings often can have a significant impact on the workplace, for example, when they post photos of themselves with guns or in sexually provocative poses. Another example of this somewhat ironic twist on “privacy” can be seen when employers attempt to introduce location tracking devices into the workplace. The privacy implications of electronic monitoring also are becoming increasingly complex as employees rely more heavily on personal cell phones, PDAs, and Web-based e-mail accounts to conduct company business. Gary Clayton, founder of the Privacy Compliance Group, and I are going to delve into these issues in our presentations at the Practical Privacy Series, respectively entitled “It’s 10 AM: Do You Know Where Your Employees Are and What They Are Doing?” and “Sex Offenders, Terrorists and Video Résumés: How Far Can You Go to Get Information About Employees?”

IAPP: So much of the focus on consumer privacy revolves around data protection. How is data protection implicated in the area of HR Privacy?

Philip Gordon: Organizations tend to have more sensitive information about their employees than about their customers. State notice and data security laws have forced employers to focus more attention on safeguarding employee data. Global employers accustomed to the greater emphasis on employee data protection in the European Union also are turning their attention to employee data protection. Two of the presentations at the HR Practical Privacy Series will focus on these issues. Peter Rabinowitz, Privacy, Governance & Risk Compliance Consultant at PricewaterhouseCoopers, LLP and Lydia Payne-Johnson, CIPP, Financial Services Privacy Consultant at PricewaterhouseCoopers and former CPO at Morgan Stanley, will explain how to conduct an HR privacy risk assessment. Brian O’Conner, former CPO at Eastman Kodak, and Rick Dakin, founder of Coalfire Systems, will present on security incident response when a breach involves employee data.

IAPP: Congress recently put the spotlight on the privacy of employee health information by enacting the Genetic Information Non-Discrimination Act (GINA). What is the current regulatory environment in the area of employee health information privacy and why is it important for privacy professionals to understand that environment?

Philip Gordon: Employee health information is subject to a very complex regulatory environment involving a variety of federal and state laws in addition to GINA. Employers are being inundated with employee health information as the American workforce ages. Employers also are increasingly relying upon drug and alcohol tests to weed out applicants and employees who might pose a threat to sensitive customer and employee data. Understanding the interplay of these health privacy laws and the web of restrictions on drug and alcohol testing is particularly important for employers because breaches of privacy in this area often result in litigation. Nancy Delogu, a partner at Littler Mendelson and a national expert on drug and alcohol testing, will be addressing this complex area of privacy at the Practical Privacy Series in a presentation entitled, “HIPAA, FMLA, ADA, CMIA: How to Handle Employee Health Information and Drug and Alcohol Testing in Compliance with Confidentiality Requirements.”
 

Potential Trap for Unsuspecting Employers in the Proposed Genetic Anti-Discrimination Law

On April 25, 2008, the House passed H.R. 493, The Genetic Information Nondiscrimination Act of 2008 (GINA), a bill that President Bush is expected to sign barring private employers from engaging in genetic discrimination. On first read, I have spotted at least one potential trap for unsuspecting employers if the bill is enacted as drafted.

Section 206(b) of the Act permits disclosure of "genetic information" in only very limited circumstances, which do not include responding to a subpoena or a civil discovery request. Employment litigators, particularly on the defense side, commonly subpoena personnel files, including all medical information from a plaintiff's former employers -- for example, to test a plaintiff's allegation that the defendant/current employer's alleged actions caused emotional distress. Under the bill, as written, an employer who inadvertently produces "genetic information" in response to such a subpoena would violate the Act because the statute does not require a knowing disclosure to support a claim.

The possibility of an inadvertent disclosure of "genetic information" is not hypothetical. As defined in the House bill, that term encompasses "the manifestation of a disease or disorder in family members" of an employee, which could include, for example, an FMLA certification stating that an employee needs FMLA leave because a spouse or child has sickle-cell anemia or Tay-Sachs disease.

If the bill is enacted as written, employers should strongly consider screening all medical information upon receipt to determine whether that information might fall within the broad definition of "genetic information." If so, the information should be filed separately from all other medical information with a note that the information should not be produced except in response to a court order.
 

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

Employers' Efforts To Combat Cybersmear Hit The First Amendment Shield

The balance of power has shifted. In the “old days” -- before the Internet explosion -- a disgruntled current or former employee did not have many outlets. She might complain to a spouse, a cadre of sympathetic co-workers or a union representative. But her employer had little fear that her scalding criticism of her direct report, the company’s business strategy or senior management would be front-page news or fodder for radio talk shows.

In today’s world of blogs, personal Web pages, chat rooms, and message boards, that dynamic has been flipped. Employees — and particularly terminated, former employees — are venomously trashing their employers in cyberspace, where anyone who wants to “tell all” can speak freely. Employers have been left desperately searching for the answer to one simple question: “How can I shut that guy up?”

A decision published by the California Court of Appeal earlier this month, Krinsky v. Doe 6, highlights one of the major obstacles to squelching these silicon diatribes, often referred to as “cybersmear.” Who do you shut down? Most current and former employees venting on the Web are cagey enough to hide behind anonymity or veiled identity. In Krinsky, for example, the offending poster dubbed the plaintiff, a departing senior executive, “boobs” and said that he would “reciprocate felatoin [sic] with [her] even though she has fat thighs, a fake medical degree, 'queefs' and ... poor feminine hygiene” but, for obvious reasons, did not take personal responsibility for this juvenile comment.

The Krinsky plaintiff, like other business people on the receiving end of an anonymous or pseudonymous diatribe, is left knocking on the typically sealed door of the Internet Service Provider (ISP) that hosts the server where the post resides. The ISPs, fulfilling assurances of confidentiality in their subscriber agreement or complying with obligations imposed by the Stored Communications Act, typically will disclose the identity of an anonymous or pseudonymous user posting content only in response to a subpoena or court order. The ISP also typically will put its subscriber on notice that a subpoena has been served to give the subscriber an opportunity to ask the issuing court to quash the subpoena.

No matter how obnoxious their posting, current and former employees who speak anonymously or pseudonymously on the Web arrive in court with the upper hand; they are cloaked in the protective garb of the First Amendment. The First Amendment does not protect cybersmearing employees from being terminated (albeit anti-retaliation statutes and other statutes might, depending upon the content of the post). Rather, the First Amendment restricts the power of the judiciary to issue a speech-squelching injunction.


Are the Medical Records of Deceased Employees Off Limits?

The recent death of Major League Baseball pitcher Joe Kennedy is a tragic reminder that employees die. However, in many ways, the employment relationship lives on, albeit under different terms. Estates may need to be administered. Law enforcement may need to investigate the cause of death. Children may need to know if their deceased parent was diagnosed with a genetically transmitted disease. How are employers supposed to respond to these requests? More pointedly, do deceased employees have any privacy rights in their health information? The short answer is “yes.”