While these regulations apply only to organizations with Massachusetts employees, even employers without a Massachusetts presence should consider implementing a similar program. These regulations likely will be a model for other jurisdictions and could become the standard against which all information security programs are measured. Continue reading. . .

Employers in more staid industries might shrug off the new survey result as a quirk of professions that appear to be more about creativity than productivity, but that would be too shortsighted. Let’s face it, nearly everyone surfs the Web at work at one point or another. Perhaps more importantly, the first generation to spend adolescence surfing the Web is starting to move into middle management and even senior management. This generational shift is rendering obsolete — in practice if not in form — corporate policies that forbid employees from using corporate electronic resources, i.e., Internet access, for non-business purposes.

Facing reality does not mean that employers must open the floodgates to pornography, fantasy football and online gambling. Instead, employers need to take up the challenging task of establishing rules for acceptable and unacceptable non-business use of the corporate Internet connection. The employer’s existing policies are a good starting point; employees should be barred from accessing any Web sites that communicate information which, if posted on the corporate intranet, would violate the company’s anti-discrimination and anti-harassment policies. Establishing bandwidth limits and prohibitions on Internet use that interferes with network operations should effectively eliminate most streaming media. Requiring employees to limit non-business use of the corporate Internet connection to breaks and meal periods and to no more than thirty minutes daily would permit discipline of employees engaging in potentially addictive and disruptive Internet activities, such as online gambling.

What is left might actually enhance productivity or create some good will. Rather than taking an extended lunch break, employees can spend a few minutes on the Web to order clothes or books. Employees who have been grinding during the week can plan a few weekend activities that will provide a much-needed respite from work. In short, the new survey result emphasize the point that the time has arrived for employers to revisit their business-only, workplace Internet policies.

Apparently not having conducted a background check, Braun gave M.A. ever-increasing responsibilities to the point where M.A. was responsible for order entries, payroll, bank records and the company’s computer system. M.A. repaid Braun’s trust by giving himself an $85,000 raise — without Braun’s authorization. The raise was just the tip of the iceberg, as M.A. defalcated more than $650,000 from Braun’s business. M.A. was prosecuted for his crimes, convicted and sentenced to seven years in prison.

On appeal, M.A. argued that the trial court had improperly denied his motion to suppress personal information stored on a laptop as well as a desktop computer found at Braun’s place of business. The New Jersey appellate court, following several frequently cited federal appellate court decisions, held that M.A. had no reasonable expectation of privacy in his workplace computer and affirmed the conviction. In reaching this conclusion, the court relied on the following facts:

(a) Braun’s business owned the computers;

(b) the computers were kept at Braun’s business;

(c) Braun told M.A. when he was hired that the business owned the computers;

(d) the desktop was connected to the corporate network;

(e) co-workers had access to both computers; and

(f) M.A.’s private office was never closed or locked.

The facts were weighed so heavily against M.A. that this case provides guidance in only the most limited circumstances.

A few minor changes of the facts show why: M.A. marked all of his personal files as “private” when saving them to the company’s document management system. It was well known within the company that system administrators respected the “private” designation. M.A. did not permit any other employees to log into his computer; nor did he share his username or password with any co-workers. When M.A. left his private office, he shut and locked his office door using a combination that was unknown to anyone else in the company. On fairly similar facts, the Florida Court of Appeals recently held that a church pastor had a reasonable expectation of privacy in child pornography stored on his office computer.

The point is that corporate ownership of computers and notice to employees of that ownership will not always open the door to searches with impunity of personal information stored on a business computer. Instead, employers should look more deeply into who, in fact, has or could have access to the information at issue and whether workplace computer use policies actually are put into practice.

According to the GC’s Guideline, employees’ political advocacy can, in some circumstances, constitute “concerted activity” protected by the NLRA. The test is two-fold: First, is there “a direct nexus between the specific issue that is the subject of the advocacy and a specifically identified employment concern of the participating employees.” Put simply, is the political advocacy related to the terms or conditions of employment. Second, has the employee engaged in this protected political advocacy without violating "restrictions imposed by lawful and neutrally applied work rules." In other words, employers can discipline employees who engage in protected political advocacy as long as the rule used to justify the discipline is legal and is applied in a non-discriminatory manner. There’s the rub for employers.

Last December, the NLRB ruled that employers can implement an e-mail policy whose provisions incidentally prohibit union-related activity. An employer can, for example, promulgate a policy that bans all non-business use of its e-mail system or that bans all solicitations for membership organizations. While such policies effectively ban use of the corporate e-mail system for union-related activities, that result is only incidental to the broader ban directed at both non-union and union activities. Thus, an e-mail policy that bans all political activity using the corporate e-mail system is lawful, even though some of the banned activity may now, according to the GC’s Guideline, be protected concerted activity.

The challenge for employers is ensuring that this lawful policy is “neutrally applied.” During the presidential debate season, an employer can expect to see e-mail cheering and lambasting the candidates, encouraging co-workers to register for a particular party, and attacking or advocating planks in party platforms. If such e-mail traffic goes unpunished even though it violates the company’s ban on political activity over the corporate e-mail network, the trap may be laid for a successful unfair labor practice charge when months later employees are punished for exchanging e-mail about joining in a union-organized protest over a new work-related law advocated by the new President — whoever that might be.

For further analysis on the GC's Guidelines, please see Littler ASAP: Can a Bumper Sticker Get You Bumped? NLRB's General Counsel Issues Guidelines on Political Advocacy by Frank W. Buck and Richard L. Sloane.

We don’t know the answer to those questions, but we do know that any employer seeking to cater to the “twitterites” in its workforce should first consider some tough legal issues. How will the company react when an employee twitters that she is “organizing a union” or “complaining to her buddies about all that overtime”? Would a twitterite ever be so frank or uncool? How does a business respond to a twitter record that, in fact, does show that an employee seems always to be doing something other than work during working hours? Twitter actually is quite good for identifying slackers because each twitter post includes the date and time of posting. Yet this begs another question: How will the company extend a “litigation hold” to Twitter after receiving a preservation demand from a sophisticated plaintiff’s lawyer who specifically identifies "twitter" as one category of information that purportedly must be preserved?

The Ninth Circuit ruled in Quon that a text-message provider, Arch Wireless, violated the federal Stored Communications Act (the “Act”) by disclosing to the City of Ontario Police Department sexually explicit text messages sent by Sgt. Quon using a City-issued text-message pager, even though the City was the subscriber on the service contract. The Court explained that the Act prohibits providers of an “electronic communication service” — Internet Service Providers (ISPs) and text messages services, for example — from disclosing stored e-mail or text messages without the consent of the sender or recipient. At first blush, this ruling appears to present a dramatic shift in the balance of power between employers and employees in the spy vs. spy world of workplace monitoring.

Not so fast: Employers can easily and lawfully circumvent the Court’s ruling. Employers, for example, can prohibit employees from conducting any company business other than over the corporate network, and they can limit company-issued electronic devices to those, such as a Blackberry, that can be configured to route all communications through the corporate network. Notably, the Ninth Circuit’s decision expressly reaffirmed the well established rule that employers can defeat an employee’s expectation of privacy by distributing a policy unambiguously stating that employees communications using corporate resources will be monitored and are not private.

In any event, employers who think they may want to review their employees’ text messages need only condition payment for the cell phone, or for the service, on the employee’s giving written consent to the provider to disclose text messages to the employer; employees who don’t give consent and wish to keep their text messages private would have to pay for the service out of their own pocket. How many employees will be willing to pay $100 or more monthly to be able to send dirty text messages (especially with gas at $4 per gallon)?

There is yet another solution for employers. The Ninth Circuit’s ruling imposes no restriction on an employer’s review of text messages stored on company-issued cell phones. As long as the employer’s electronic resources policy notifies employees that text messages will be searched, the Ninth Circuit’s ruling actually can be used to defeat any privacy-based claim by an employee based upon such a review. In addition, as computer forensic capabilities improve and cell phone memory chips expand, these types of cell phone examinations could easily become routine.

The case is a cautionary tale on another point. The Ninth Circuit also addressed the question whether the City violated Sgt. Quon’s privacy expectations by reviewing his text messages after receiving them from Arch Wireless. On this point, the court noted (as I mentioned above) that in the normal course, the City’s “Computer Use, Internet and E-Mail Policy” would have defeated Sgt. Quon’s privacy-based claim. However, the police lieutenant responsible for overseeing the City’s text-message program had established an informal policy, communicated orally to Sgt. Quon, that the City would not read an officer’s text messages to determine whether they were personal or business-related so long as the officer paid for any over charges. The Ninth Circuit ruled that Sgt. Quon reasonably relied on this informal policy when he sent personal text messages using his City-issued pager, believing that the messages would remain private. Even though the City is a public employer, this holding is most likely is transferable to the private workplace.

Bottom line #1: Employers first need to evaluate whether reviewing messages stored with a service provider is in the employer’s interest. Corporate culture or potential employee rebellion potentially are significant countervailing factors. If the interest is strong enough, then the employer can execute any of the strategies described above to meet those objectives.

Bottom line #2: Instruct your IT personnel and others responsible for workplace monitoring not to make representations to employees that your business’ electronic resources policy will not be followed. Consider modifying your electronic resources policy to state that it can not be modified except by a written communication by a senior executive.

For further analysis of the Quon case, please see Littler ASAP: Employee Text Messages Are Not Inviolate: Understanding and Navigating the Ninth Circuit's Decision in Quon v. Arch Wireless Operating Company by Philip L. Gordon and Justin A. Morello.

For a more detailed discussion of this Act, please see Littler ASAP: Genetic Antidiscrimination Law Creates New Compliance Challenges for Employers by Philip L. Gordon and Jennifer L. Mora.

In today’s world of blogs, personal Web pages, chat rooms, and message boards, that dynamic has been flipped. Employees — and particularly terminated, former employees — are venomously trashing their employers in cyberspace, where anyone who wants to “tell all” can speak freely. Employers have been left desperately searching for the answer to one simple question: “How can I shut that guy up?”

A decision published by the California Court of Appeal earlier this month, Krinsky v. Doe 6, highlights one of the major obstacles to squelching these silicon diatribes, often referred to as “cybersmear.” Who do you shut down? Most current and former employees venting on the Web are cagey enough to hide behind anonymity or veiled identity. In Krinsky, for example, the offending poster dubbed the plaintiff, a departing senior executive, “boobs” and said that he would “reciprocate felatoin [sic] with [her] even though she has fat thighs, a fake medical degree, 'queefs' and ... poor feminine hygiene” but, for obvious reasons, did not take personal responsibility for this juvenile comment.

The Krinsky plaintiff, like other business people on the receiving end of an anonymous or pseudonymous diatribe, are left knocking on the typically sealed door of the Internet Service Provider (ISP) that hosts the server where the post resides. The ISPs, fulfilling assurances of confidentiality in their subscriber agreement or complying with obligations imposed by the Stored Communications Act, typically will disclose the identity of an anonymous or pseudonymous user posting content only in response to a subpoena or court order. The ISP also typically will put its subscriber on notice that a subpoena has been served to give the subscriber an opportunity to ask the issuing court to quash the subpoena.

No matter how obnoxious their posting, current and former employees who speak anonymously or pseudonymously on the Web arrive in court with the upper hand; they are cloaked in the protective garb of the First Amendment. The First Amendment does not protect cybersmearing employees from being terminated (albeit anti-retaliation statutes and other statutes might, depending upon the content of the post). Rather, the First Amendment restricts the power of the judiciary to issue a speech-squelching injunction.

In most circumstances, Point (b) means the target of the cybersmear must establish that the libelous statement is factual (as opposed to non-actionable opinion) and that the libel damaged the plaintiff, e.g., caused plaintiff to lose her job or damaged a customer relationship. These standards can be difficult to satisfy. In Krinsky, for example, the court held that the cybersmear fell “into the category of crude, satirical hyperbole which, while reflecting the immaturity of the speaker, constitute[s] protected opinion under the First Amendment.” Even if a plaintiff, like Krinsky, is the target of an outright factual lie, she often will find it difficult, if not impossible, to link any economic loss to what most likely is a relatively obscure Internet post.

Krinsky teaches that in most cases the target of cybersmear is better off turning the proverbial other cheek (or finding a padded room in which to vent) than resorting to the court system for relief. Eventually, the scurrilous diatribe will be washed away in the muck of self-expression that fills the Web.

In The Guard Publishing Co. d/b/a The Register Guard, the Board, in a 3-2 decision, held that “employees have no statutory right to use an employer’s equipment or media for Section 7 communications.”  Section 7 of the National Labor Relations Act  encompasses communications about virtually all union activities by employees, including solicitation, organizing, grievances, picketing, strikes, and discussions about the terms and conditions of employment.  In light of this ruling, an employer may, in the words of the Board, “lawfully bar employees’ nonwork-related use of its e-mail systems,” including use for union activities.

There is a caveat, but as defined by the Board, the caveat is a narrow one:  Employers can not act “in a manner that discriminates against Section 7 activity.” (emphasis supplied).  Significantly, the Guard Publishing decision substantially narrows the prior definition of “discrimination” for purposes of analyzing whether an e-mail policy (or any other policy restricting Section 7 activities) on its face, or as enforced by the employer, interferes with Section 7 rights.

The Board overruled this prior precedent, explaining that “unlawful discrimination consists of disparate treatment of activities or communication of a similar character because of their union or other Section 7-protected status.”  The Board provided several examples to illustrate this much narrower definition of “discrimination”:  “an employer clearly would violate the [NLRA] if it permitted employees to use e-mail to solicit for one union but not another, or if it permitted solicitation by antiunion employees but not by prounion employees.”  By contract, the Board explained, any of the following policies would be permissible (i.e., non-discriminatory), even if the policy incidentally interfered with union communications:

Ø      A policy permitting only business-related communications

Ø      A policy barring all solicitations

Ø      A policy permitting only charitable solicitations

Ø      A policy permitting solicitations only of a personal nature

The one remaining catch is that an employer’s motivation for line-drawing can not be anti-union animus.  In other words, an employer can not promulgate a policy that permits only charitable solicitations as a subterfuge for suppressing union-related communications over the corporate e-mail system.

What does Guard Publishing mean, in practical terms, for employers?

First, existing corporate e-mail policies most likely do not need to be revised (except in the unlikely event that the policy expressly prohibits union-related communications while permitting communications related to other membership organizations).  Employers should review their existing polices to ensure that they comply with the Board’s decision in Guard Publishing.

Second, employers who revise their e-mail policy, or prepare one for the first time, can impose broad prohibitions, such as e-mail only for work-related purposes, even if the prohibition incidentally interferes with Section 7 communications.

Third, when promulgating a new or revised e-mail policy, employers should have legitimate, non-discriminatory justification for their line drawing, such as preserving server space, protecting against computer viruses, dissemination of confidential information, preventing losses of productivity, and avoiding company liability for employees’ inappropriate e-mail.

Fourth, before disciplining an employee for using corporate e-mail to communicate about union-related activities, an employer should confirm that the communication, in fact, violated existing policy.  In Guard Publishing, the NLRB found that the employer had violated the NLRA by disciplining an employee who sent an e-mail which did relate to union matters but did not solicit employees to join the union and, therefore, did not violate the newspaper’s policy barring “non-job-related solicitations.”

Fifth, employers can discipline employees for using corporate e-mail to send union-related communications in violation of the employer's e-mail policy as long as employees engaged in similar conduct also are disciplined.  In other words, an employee can be disciplined for soliciting union participation only if employees who solicit participation in other membership organizations also are, or will be, disciplined.  Employers should implement procedures to ensure that they enforce their e-mail policy in a non-discriminatory manner.

The Board’s decision may be appealed. We will continue to comment on developments in this important case.  (For more in-depth analysis of this decision, see Littler ASAP "NLRB Rules That Employers May Implement a Corporate E-mail Policy That Has the Effect of Barring Union-Related Communications" by Philip Gordon and Michael Mankes.)

Before business executives start using on-board Internet access to conduct business, employers should examine the risks that this latest wave of technological conveniences creates.  Bear in mind that the risks will include not just the possible inadvertent disclosure of confidential business information but also, for example, the possible continued storage of that information on the airline’s e-mail servers and the possible increased risk of interception during transmission.  Once the service and the attendant risks are better understood, employers can modify existing electronic resources policies, or prepare new policies, to address the most recent risk to privacy in the wired business world.

The legal analyses related to this issue are among the most complex in the area of workplace privacy, involving the interplay of the Americans with Disabilities Act (ADA); the Family and Medical Leave Act (FMLA); the Health Insurance Portability and Accountability Act of 1996 (HIPAA); state privacy statutes, such as California’s Confidentiality of Medical Information Act; state common law; and, at least in California, state constitutional law. 

Before wading into this quagmire, HR professionals should consider the following guidelines for balancing the privacy interests of potentially infected workers and the health interests of co-workers.

1.      Investigate:  Learn the facts; do not rely on rumors.

2.      Interview The Possibly Infected  Employee:  If the facts indicate that an employee might be infected with the MRSA Superbug, designate a manager with the appropriate level of responsibility to get more information directly from the employee.

3.      Consult Counsel On How To Handle An Uncooperative Employee: If the employee refuses to disclose information, consult counsel regarding whether the employee can be required to provide health information before taking any adverse action is against the employee.  If the employee already has been sent home, promptly involve counsel to minimize or resolve any possible liability risks.  

4.      Provide Notice Of Disclosure To A Cooperative Employee:  If an employee voluntarily discloses infection with MRSA, explain that (a) the employer may need to disclose limited information about the employee’s health condition to those with a need to know, such as government health officials and health care providers of co-workers to take precautions against the spread of the infection and to facilitate any needed treatment of others, and (b) the employer will limit disclosure to those with a need to know and then will disclose only the minimum information necessary.

5.      Request Consent To Disclose:  Ask the employee for permission to make the limited disclosures described above.  If the employee refuses to consent, tell the employee that the entity may have no choice but to share information about the infection with others but will do so only to the extent permitted or required by law.

6.      Avoid Identifying The Infected Employee:  When disclosing information about the infected employee, avoid identification by name except when necessary to protect the health of co-workers who might have been infected or as required by law.

7.      Instruct Supervisors On Confidentiality And Retaliation Risks:  Instruct supervisors about the need to maintain the confidentiality of employee health information and provide guidance on how to respond to questions from other employees and supervisors so as to avoid undue panic and concern.  Supervisors should be reminded of the need to avoid any claim of retaliation by the possibly infected employee or his/her family members.  Educate supervisors on the spread of MRSA infections, types of treatment, and the Company’s planned preventative steps.

There is no one-size-fits-all solution to the many complicated privacy issues that a Superbug infection in the workplace can raise.  These guidelines, however, provide a starting point for what most likely will be a tense and fast-moving situation that raises a wide range of benefits issues and employment-related liability risks. 

My colleagues in Littler's Workplace Safety Practice Group, Don Benson and Pete Rice, are OSHA experts who will be presenting a webinar on Wednesday, December 12, 2007, on how to reduce the risks of an MRSA outbreak in your workplace and how to respond when one occurs. 

Mirroring this sentiment, in early September, the California Legislature sent to Governor Schwarzenegger for signature a bill which would prohibit any person from requiring, coercing or compelling “any other individual to undergo the subcutaneous implanting of an identification device.” [UPDATE:  Governor Schwarzenneger signed the bill into law].  An “identification device” is defined as one capable of transmitting personal information by radio frequency (RFID) or other means. 

The only surprise about this bill is that California — the state most protective of individual privacy — is not the first to ban mandatory microchipping legislatively.  North Dakota and Wisconsin grabbed that honor, passing prohibitions on mandatory microchipping in April and May 2006, respectively.  Legislatures in seventeen other states — including Georgia, Michigan and New Jersey — are considering similar laws. 

Employees who might consider, and benefit from, voluntary implantation include:

• Employees with a medical condition, such as epilepsy or diabetes, that could render them unconscious and in need of emergency medical attention;
• Employees who are at a heightened risk of significant memory loss, such as those with Alzheimer’s disease, who might wander off-site;
• Employees, such as commercial pilots, miners and oil rig workers, at a heightened risk of a serious injury that could render them unconscious;
• Employees who need access to highly secured areas of a facility (albeit only as a voluntary alternative to some other form of identification; and
• Employees who travel to parts of the world where there is a high risk of being kidnapped and who prefer not to carry badges that reveal corporate affiliation.

Employers and employees may be surprised that there actually are some potentially beneficial and sensible uses of microchipping.  Microchipping highlights the need for  employers and employees to get past the initial, knee-jerk reaction against workplace technologies that can be invasive of privacy, such as Global Position Systems (GPS) and camera phones.  Rather, employers should focus on implementing such technology within the framework of policies and procedures that minimize or eliminate unnecessary intrusions while reaping the technology’s benefits.

            Blogging:  Blogging by employees is common.  With more than 70 million blogs on the World Wide Web and nearly 1.4 million new blog entries daily, employers need to consider the impact that employee blogging may have on their business and workplace.  Employers who do not endorse blogging should consider adding to their electronic resources policy a provision which bars employees from using corporate communications resources to view or post to any blog that is unrelated to work.  Employers also should consider a separate blogging policy to address off-duty blogging on the employee’s own time. 

            Video In The Workplace:  That employee who has spent the last three hours glued to her computer monitor without pause may be watching Gone With The Wind.  According to a recent Pew Foundation study, 57% of online adults have used the Internet to watch or download video, and 19% do so on a typical day.  Three-quarters of broadband users (74%) who enjoy high-speed connections at both home and work watch or download video online.  Employers who do not currently prohibit viewing or downloading video unrelated to work should now consider doing so before “bandwidth hogs” interfere with business operations.

            Web-Based E-Mail:  According to a report in the New York Times earlier this year, employees frequently rely on their personal Web-based e-mail accounts to conduct business or to store business-related material.  This trend raises a host of issues for employers including the inability to monitor the messages, if necessary, and the difficulty of preserving the messages as part of the litigation hold process.  Employers should consider barring employees from using personal Web-based e-mail for business purposes.

Here are five key points for employers to consider as they confront these statutes.

•  Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
• Train  HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should  be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
• Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify  — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet -- but the employer still may decide to provide notice as an employee relations matter.
• Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and  expect their employer to protect them and foot the bill. Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
• Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Here are three of the steps vendors might consider to avoid this catch 22:

The Oregon law requires employers who maintain personal information on Oregon residents to do the following:

• Designate a security officer
• Conduct a risk assessment
• Assess the safeguards in place to manage the risks
• Train employees in security policies and procedures
• Require by contract that service providers maintain adequate security (note the connection to the trend discussed above)
• Adjust the security program over time to meet changing circumstances
• Implement adequate physical and technical safeguards
• Properly dispose of personal information

While Oregon may be one of the less populous states, state legislators appear to be engaging in “one-upmanship” as they enact new data protection statutes. Employers can expect other states to attempt to match or exceed Oregon’s legislation. Consequently, employers can expect that, in the near future, they will need to take a closer look at their information security practices for employee data and take steps to better safeguard that information not as some extra effort but simply to be in compliance with newly enacted state data protection legislation.