Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

The New Jersey bill adds a new prohibition not seen in any prior law that actually could be detrimental to job applicants and employees. Specifically, employers cannot “[i]n any way require or request that a current or prospective employee disclose whether the employee has a personal account.” Consequently, were an employer to search publicly available social media content for information about an employee or applicant and discover negative information that might relate to the applicant or employee, such as racist comments or a predilection for sex with minors, the employer could not ask whether the account where the content is posted is, in fact, the applicant’s or employee’s personal account. Moreover, if the employer does inquire and the applicant or employee refuses to confirm or deny whether he or she posted the offensive social media content, New Jersey’s law would make it a violation for the employer to then take adverse action based on the individual’s refusal to respond. In other words, the employer would be worse off if it tried to “do the right thing” and attempted to verify the authenticity of information that, if true, would lead to an adverse employment action.

The New Jersey bill also has the most generous remedial scheme. “Facebook” laws in Maryland and California do not expressly provide a private right of action. By contrast, the New Jersey bill confers a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. While the laws in Utah and Michigan  also confer a private right of action, damages are capped at $500 and $1,000 per violation, respectively. Illinois’ law does not cap damages; however, it requires that applicants or employees first attempt to resolve their complaint through the state labor department. No such administrative exhaustion requirement applies under the New Jersey bill.

To be sure, once the bill is likely enacted, it will not entirely handcuff New Jersey employers from performing investigations and background checks necessary to run a safe and efficient operation without running afoul of the law.  However, before investigating information present on an employee's or applicant's "personal account," human resources professionals are encouraged to seek guidance from inside or outside counsel to ensure compliance with this proposed law.  If approved, the law will go into effect on the first day of the fourth month following its enactment.

Photo credit: robas

Michigan’s new law, dubbed the “Internet Privacy Protection Act” (IPPA or the “Act”), lays down three straightforward prohibitions. First, employers cannot ask applicants or employees for the user name and password or other log-in credentials to gain access to any of the individual’s personal, Internet-based accounts, i.e., an account for which the user restricts access to content by way of log-in credentials. Second, the Act bars employers from asking applicants or employees to “allow observation of” their account, a practice commonly called “shoulder surfing.” Third, the Act prohibits employers from asking applicants or employees to “grant access to” their personal accounts, thereby baring employers from reviewing content without asking for log-in credentials and without shoulder surfing. Employers can take no adverse action against an applicant or employee who refuses a request in violation of the Act. These prohibitions apply not just to social media accounts but to all Internet-based accounts, including e-mail and cloud storage accounts. All employers, regardless of size, are subject to the Act’s restrictions.

While airtight at first blush, the IPPA’s wall around applicants’ and employees’ personal accounts is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s or in an applicant’s personal account. The Act prohibits access only to the personal content of the applicant or employee who is the subject of the request. Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct or compromising Internet postings by a job applicant.

The Act’s express exceptions also create important gaps in the facially broad prohibition. Like California’s law, the IPPA permits an employer to ask an employee for access, by any means, to the employee’s personal account as part of an investigation into workplace misconduct but only “[i]f there is specific information about activity on the employee’s personal internet account.” This exception would, for example, permit an employer to ask an employee for log-in credentials where a coworker reports a social media post that threatens workplace violence or contains racially derogatory comments about the coworker. Like the Maryland law, the Act also permits employers to request access to employees’ personal accounts if the employer has specific information that the employee is using the personal account to misappropriate the employer’s confidential business information. Finally, the Act’s prohibitions do not apply when an employer has a duty under federal law, or to comply with a self-regulatory scheme established under the Securities and Exchange Act, to screen applicants or monitor or retain certain employee communications.

Like the password protection laws that preceded it, the IPPA carefully carves out the employer’s own systems and equipment from the Act’s purview. The Act does not bar Michigan employers from requesting, in any way, access to any device or account provided, or paid for, by the employer, or from monitoring or accessing communications or information stored on employer-provided devices, communications networks, or information systems.

Importantly, Michigan’s law contains unique provisions that should serve as a model for future legislation in the area. The Act expressly “does not create a duty” for employers to search or monitor employees’ personal Internet activity and discharges employers from liability for failing to request an applicant’s or employee’s log-in credentials. In other words, the victims of workplace violence presaged by the perpetrator-employee’s ranting social media content could not assert a negligence claim against the employer based on the employer’s failure to ask the perpetrator for access to his personal social media account. While the exact contours of these provisions are unclear, they provide important protections for employers.

The IPPA’s remedial provisions, though relatively weak, do have the potential to deter violations. Most importantly from a deterrence perspective, the Act exposes individual employees to criminal prosecution for a misdemeanor offense, but the punishment is limited to a fine of not more than $1,000. Similarly, the Act’s civil remedy provisions caps damages at $1,000 and an award of attorneys’ fees and costs. Potential plaintiffs must serve a written demand on the employer at least 60 days before asserting the claim. This provision gives employers the opportunity to forestall a claim by offering $1,000 in response to a demand.

In sum, Michigan employers should be able to obtain information about employees’ Internet conduct in many circumstances where they need it. However, before investigating an employee’s or applicant’s personal Internet activity, they should carefully scrutinize the precise contours of the IPAA’s prohibitions to avoid exposing human resources professionals to a potential misdemeanor prosecution.

For additional discussion about the law, please see Littler's ASAP, Michigan's New "Internet Privacy Protection Act" Sets Limitations for Employers and Employees, by William Balke and Philip Gordon. 

Photo credit: robas

Subsequently, the California legislature, often hostile to employer interests, amended its then-pending bill to adopt a more balanced and reasonable approach. The approved bill does generally prohibit employers from requesting or requiring that employees or applicants (a) disclose their user name or password to gain access to personal social media content; (b) access their personal social media in the employer’s presence, i.e., permit “shoulder surfing;” or (c) divulge any personal social media, which apparently would bar an employer from asking an employee to provide the personal social media content of a co-worker who is a Facebook friend. At the same time, however, the pending law permits employers to request that “an employee divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

While this exception is a vast improvement over the Illinois and Maryland laws, California employers should beware that the exception does not open the door all the way. To begin with, the exception does not apply to job applicants. Thus, even if a current employee were to report seeing racist or threatening content on a job applicant’s restricted access social media site, a California employer still could not gain access to the troublesome social media content unless the reporting employee voluntary provided it. In addition, employers remain barred from asking current employees to disclose their social media log-in credentials or to permit the employer to “shoulder surf.” Nevertheless, the exception does permit California employers to ask a co-worker to provide content from the personal social media site of an employee suspected of misconduct.

California employers also should note that the California law, like the Illinois and Maryland laws, appears to have an unintended and unsupportable consequence in the context of litigation. These statutes impose no restriction on an employer’s ability to request in civil discovery that a former employee produce personal social media, log-in credentials; however, all three statutes bar such requests in litigation with a current employee. Obtaining log-in credentials can be important in employment litigation so that employers’ counsel can confirm that the current or former employee has produced all discoverable information posted on his or her restricted-access social media page.

California’s pending password protection law has another unusual twist. The bill expressly relieves California’s Labor Commissioner from having to investigate complaints that the law has been violated, whereas the Labor Commissioner is required to investigate certain other violations of the Labor Code. The pending law itself also does not create a private right of action. Consequently, it remains unclear what remedies an employee could pursue were the Labor Commissioner to decline to investigate.

Employers should expect other states to enact this form of popular legislation. If the password protection laws that are on the horizon are to follow California’s more balanced approach rather than the draconian Illinois law, employers and employer groups will need to highlight the critical distinctions between the two laws through participation in the legislative process.

Photo credit: Asilvero

The decision also is important for private employers because five justices — Justice Alito (joined in his concurrence by Justices Ginsberg, Breyer, and Kagan) as well as Justice Sotomayor — rejected the majority position in the state and federal judiciary on the privacy of location data. Under that view, location tracking does not infringe any privacy interest because the location of a vehicle or a person in a public place is fundamentally not private. This majority view effectively leaves private employees without any remedy for an employer’s use of location tracking because a common law invasion of privacy claim can be asserted only for the breach of a recognized privacy interest, and a statutory remedy for unauthorized location tracking is rarely available.

In rejecting the majority view, the five justices found a protected privacy interest in the patterns of private activity that can be derived from continuous location tracking notwithstanding the public nature of any particular data point. In the words of Justice Sotomayor, “GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” This view likely will have a significant influence on the thinking of trial and appellate court judges when confronted with an invasion of privacy claim based on an employer’s unauthorized tracking of an employee during non-working hours. An employer might be tempted to engage in such tracking, for example, to check for abuse of paid or unpaid leave or to investigate suspected moonlighting or a potentially fraudulent workers’ compensation claim.

Consequently, the most important lesson for private employers to draw from the Court’s decision is the importance of limiting location tracking to working hours when the pattern of location data should not reveal details of an employee’s private life, and if it does, the employer has a legitimate business reason for knowing what the employee is doing other than earning his or her compensation. The New York appellate decision that we covered in last week’s blog post illustrates the point. In that case, the majority did not take issue with the New York State Department of Labor’s 24/7 tracking of a high-level employee’s personal vehicle because the employer had a reasonable suspicion that the employee was not working when he said that he was. Under that reasoning, tracking an employee during working hours clearly would be permissible. On the other hand, the dissenting judges in the New York case found that tracking the employee during non-working hours was excessively intrusive, particularly because the GPS device reported the employee’s location during a week-long family vacation.

Employers should note that many GPS devices are either on at all times or off. In these circumstances, employers should develop controls that will limit access to location tracking information to employees’ scheduled working hours.

Finally, private employers should note Justice Scalia’s reliance on the notion of trespass in finding that the government’s warrantless installation of the GPS device on Jones’s wife’s Jeep violated the Fourth Amendment. Similarly, an employer’s unauthorized placement of a GPS device on an employee’s personal vehicle might support a claim based on a common law trespass theory. As a result, employers should be particularly cautious when using any form of location tracking not associated with company-owned equipment.
 

Second, SB 24 adds a requirement to notify the state’s attorney general about a breach. More specifically, the notice law now requires any agency, person, or business that sends a security breach notice to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the attorney general, excluding any personally identifiable information. This change adds California to the list of states that require some type of notice to the state’s primary regulator of security breaches.

Third, this bill deems any HIPAA-covered entity to have complied with California’s new notification requirements if the covered entity complied with the similar breach notification requirements in Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). However, the covered entity is not exempt from any other provision of California’s notice law.

Finally, SB 24 also amends Section 1798.82(j) of California’s security breach notification law regarding substitute notice. Reporting entities which seek to notify individuals of a security breach through the state’s media, rather than directly, must now also notify the Office of Privacy Protection within the State and Consumer Services Agency.

In light of these changes, employers will need to update their incident management plans and add these new requirements into their notification policies to ensure compliance with the many state data breach notification requirements.

California SB 24 takes effect January 1, 2012, providing enhanced notification requirements similar to those required under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Hard copy breaches are still not covered under the California law.

Photo credit: dra_schwartz

Washington voters adopted the MUMA in 1998. It provides an affirmative defense to a physician authorizing the use of medical marijuana and to qualified patients and caregivers engaging in the medical use of marijuana who are accused of marijuana-related crimes in Washington. The law expressly provides that employers are not required to accommodate “any medical marijuana use in any place of employment….” In 2007, MUMA was amended to clarify that employers are not required to accommodate any “on-site” use of medical marijuana in the workplace.

Roe, who used a pseudonym in the case because use of medical marijuana remains illegal under federal law, had debilitating migraine headaches. Conventional treatments did not alleviate the pain, but marijuana did. In June 2006, a physician issued her a written authorization under MUMA to use marijuana for medical purposes, which she did. In October 2006, TeleTech, a business outsourcing company, hired Roe as a customer service representative. Roe’s job offer was contingent on a negative drug test. She informed TeleTech of her use of medical marijuana outside the workplace and subsequently failed the drug test, and the company fired her.

Roe filed suit against TeleTech, asserting that the company terminated her employment in violation of MUMA and wrongfully discharged her in violation of public policy. The trial court granted summary judgment in TeleTech’s favor, and the Washington Court of Appeals upheld the decision.

The Washington Supreme Court affirmed. Roe first argued that TeleTech violated the MUMA itself. But the court held that the Act unambiguously provided only an affirmative defense to a criminal marijuana charge, not a civil claim against an employer. The court explained that if the employer was not required to accommodate on-site medical marijuana use, it was not required to accommodate medical marijuana use off site, as Roe was asking it to do. Finally, the court noted that the fact that Roe used marijuana at home without being impaired in the workplace was irrelevant because regardless of Roe’s ability to do her job, the statute did not confer on her a right to sue her employer.

Roe then argued that even if TeleTech had not violated MUMA, the court should recognize a civil tort claim for wrongful termination in violation of public policy based on her discharge. Quoting MUMA, she urged that the public policy proclaimed by the law was that that “the medical use of marijuana by patients with terminal or debilitating illnesses is a personal, individual decision.” But the court held that the language of the MUMA “do[es] not recognize a broad policy that would remove any impediment to medical marijuana use or impose an obligation that employers accommodate such use, and that Washington patients have no legal right to use marijuana under federal law.”

Along with Ragingwire and Steel Fabricators, the TeleTech decision is the third in a string of appellate victories for employers in cases involving the termination of employment of employees for use of medical marijuana, whether or not on site and whether or not the employee is impaired during work. But any sigh of relief by employers may be premature:

• In the future, Washington medical marijuana users may seek to bring claims based on a recent change in MUMA that was not argued in Roe. Less than two months ago, Washington amended MUMA to provide expressly that the law does not require any accommodation of an employee’s medical marijuana use if the employer has a drug-free workplace policy. In the future, employees terminated for medical marijuana use by an employer lacking such a policy may render their discharges illegal under the revised statute. Employers that do not have drug-free workplace policies should consider implementing them to avoid falling prey to such a claim in the future.
• The highest courts in only 4 of the 15 jurisdictions (14 states and the District of Columbia) that have medical marijuana laws have ruled on any of the questions at issue in TeleTech. Courts in other states may reach contrary conclusions under their own laws. Some states, like Colorado, enshrine their medical marijuana law in the state constitution, a source of law that employees are likely to assert is deserving of greater deference than a statute.
• Stay tuned because any federal law developments may change the legal landscape in state courts. Medical and other use, possession and distribution of marijuana continues to violate federal law. New legislation recently introduced in Congress, if it ultimately becomes law, is likely to change this. If that happens, many states are likely to follow suit, creating new challenges for employers in addressing employment issues raised by the use of medical marijuana by prospective or current employees.
• There are other issues employers may confront even if state medical marijuana law does not create any employer liability for discharge for use of medical marijuana, for example:
  • Disabilities, serious health conditions, and genetic information of which the employer becomes aware because an employee discloses them in describing use of medical marijuana;
  • Government contracts requiring employers to observe drug-free workplace requirements; and
  • Occupational safety and health issues involving workers who use medical marijuana.
• Even wary employers may find their drug-free workplace policies jeopardized by managers who sympathize with colleagues who use medical marijuana. Such managers may create liability if they are insufficiently or inconsistently committed to enforcing their employer’s drug-free policies.
   

The long-term legal effects of medical marijuana in the workplace continue to be hashed out in elections, legislatures and courts. But at least for now, the Washington Supreme Court’s decision in Roe helps clear the air for employers in that state to exercise substantial discretion in enforcing their drug-free workplace rules.

For additional analysis on this development, see Littler ASAP "Washington Supreme Court Blunt in Ruling: No Claim for Wrongful Discharge Under State's Medical Use of Marijuana Act” by Dale L. Deitchler and Daniel L. Thieme.

Photo credit: Sebastien Roche-Lochen Photography

The U.S. Court of Appeals for the Ninth Circuit held (pdf) that NASA’s policy should be enjoined, pending further proceedings, because the JPL employees have a reasonable likelihood of demonstrating that the policy violates their federal constitutional right to information privacy. The appeals court found particularly objectionable questions in NASA’s background check forms that asked (a) JPL employees to disclose "any treatment or counseling received for their [illegal] drug problems,” (b) third parties to disclose "any adverse information" concerning "’financial integrity,’ ‘abuse of alcohol and/or drugs,’ ‘mental or emotional stability,’ ‘general behavior or conduct,’ and ‘other matters,’” and (c) asked the JPL employees to explain any adverse information disclosed by the third party. The court reasoned that these questions were not narrowly tailored to meet NASA’s legitimate objectives given that the JPL employees did not have access to classified information and, therefore, were classified as “low risk”.

Caltech sought to extricate itself from the litigation by arguing that it could not be held responsible for the apparently unconstitutional background checks because NASA had unilaterally imposed them on Caltech. While the Ninth Circuit expressed sympathy for Caltech’s position in light of its initial objections to NASA’s background check policy, the court ruled that Caltech also could be held responsible for NASA’s apparent constitutional violations because Caltech “established, on its own initiative, a policy that JPL employees who failed to obtain federal identification badges would not simply be denied access to JPL, they would be terminated entirely from Caltech's employment.”

While the oral argument swirled largely around whether a constitutional right to information privacy exists and, if so, what are its contours, several Justices, on more than one occasion, drew a comparison between employment screening by private employers and the questions that the Ninth Circuit had ruled as likely to be unconstitutional. Ironically, these remarks mistakenly suggested that private employers could ask those questions. For example, employers who inquire into an employee’s treatment for substance abuse run the risk of violating the Americans with Disabilities Act’s prohibition against disability-related inquiries where the question is phrased (like NASA’s) so as to require an employee to disclose that he is a recovering or recovered drug addict who does not currently use illegal drugs. In addition, a private employer who requires that an applicant or employee explain “adverse information” concerning that person’s “financial integrity,” “abuse of alcohol and/or drugs,” or “mental or emotional stability” could violate a range of federal and state laws, including the ADA; state laws restricting inquiries into criminal history, such as California’s law prohibiting inquiries into certain minor marijuana-related offenses; and laws recently enacted in Hawaii, Illinois, Oregon, and Washington restricting certain inquiries into an applicant’s credit history. After further analysis, the Court may address these restrictions on private employers in its published decision.

How else might the Supreme Court’s ruling impact private employers?

All Employers: Requests similar to NASA’s request for information about the JPL employees have become increasingly common in the private sector. Organizations seeking to protect their facilities, employees and information assets routinely ask a wide range of vendors to provide background information on the vendor’s employees before permitting them access to premises or sensitive information. Some organizations are conducting their own background checks of vendors just as NASA seeks to do with respect to the JPL employees. Further, like Caltech, vendors often must now confront the question whether to terminate an employee who is denied access to a customer’s site or to reassign that employee to another customer. The Court’s decision — albeit in the context of federal constitutional law — might provide guidance on how vendors should handle this difficult situation in a manner that reduces risk.

California Employers: California has a constitutional right to information privacy that private employees can enforce against private employers. While the federal and California constitutional rights to information privacy do not precisely mirror each other, they are sufficiently similar that, depending upon the outcome in the Supreme Court, California courts might look to the Supreme Court’s decision for guidance on claims where employers themselves have conducted overly intrusive background checks or have assisted their customers in doing so.

Federal Government Contractors: Other agencies of the federal government likely use the same background check forms as those used by NASA to regulate access to agency facilities by “low risk” employees. Federal contractors who, like Caltech, condition employment of “low risk” employees on the issuance of a federal identification badge could be put at risk of liability for violating their employees’ federal constitutional right to information privacy in the same way that Caltech is at risk of liability were the Supreme Court to affirm the Ninth Circuit’s decision.

This entry was written by Philip L. Gordon.

Photo credit: fotosipsak
 

Notably, despite its finding concerning the private nature of the office, the court held that the employees had no claim because the employer did not act in a manner that would be considered “highly offensive to a reasonable person,” the second essential element of a privacy claim. The court based that conclusion on the following key findings:

• Hillsides had a legitimate business reason for installing the video camera;
• the camera was activated only at night, when the perpetrator might be present;
• the surveillance was directed only at the computer that had been used for unauthorized viewing of pornography;
• the surveillance was disclosed only to four individuals; and
• the video equipment was locked in a storage closet with limited access.

In sum, even when employers do need to intrude upon an employee’s privacy to conduct an investigation, they will not be subject to liability as long as the investigation is legitimate, narrowly tailored and tightly controlled.

For further discussion of this decision, see Littler ASAP California Supreme Court Provides Useful Guidance for Employers Engaging in Video Surveillance and Other Workplace Searches by Philip L. Gordon and Gregory G. Iskander.

Dynadot, a small company not interested in a protracted legal battle, stipulated to a permanent injunction that required it to shut down the website instead of fighting the Bank. Judge Jeffrey White of the federal district court in San Francisco signed the stipulated permanent injunction. The Bank dismissed its lawsuit against Dynadot with prejudice, and Dynadot shut down the website. The Bank appeared to have silenced its disgruntled vice-president, quickly, quietly and at minimal cost.

But the next day, Wikileaks was up and running through multiple mirror sites. Mirror sites use a similar domain name that is registered through a different domain name registrar. Wikileaks, for example, also used the domain name Wikileaks.cx through a domain registrar in the Christmas Islands. Wikileaks posted the Bank’s confidential documents on these mirror sites. 

Within the week, the New York Times, while neglecting to mention the agreement between the Bank and Dynadot, reported that Judge White’s approval of the stipulated permanent injunction “present[ed] a major test of First Amendment rights.” Also failing to mention the agreement between the parties, blogs buzzed about apparent constitutional violations. 

Not long after publication of the Times article, heavy hitters such as the ACLU, Project on Government Oversight, and the Electronic Frontier Foundation, came out with statements against the Bank. In response to their court papers, Judge White abnegated the agreement the Bank had negotiated with Dynadot, dissolved the permanent injunction, denied the Bank's request for a restraining order, noted the injunction may involve impermissible prior restraints, pondered whether an injunction would serve any purpose and questioned whether the Court had subject matter jurisdiction to hear the dispute. In the meantime, the Wikileaks site, complete with the Bank's stolen documents, is still up and running. On March 5, 2008, the Bank voluntarily dismissed its lawsuit, apparently concluding that litigation was no longer worth the cost.

Employers should view the Bank’s experience as a cautionary tale. What started as a quick agreement and apparent resolution literally, as the saying goes, ended up on the front page of the New York Times. The case also shows how quickly journalists will publicize a story that can be portrayed as “an attack on the First Amendment.” Sometimes filing suit is not the best way for an employer to protect its interest.

These guidelines would apply regardless of the type of infection — MRSA, Hepatitis A, TB, HIV, etc.

1.      Investigate:  Learn the facts; do not rely on rumors.

2.      Interview The Possibly Infected  Employee:  If the facts indicate that an employee might be infected with the MRSA Superbug, designate a manager with the appropriate level of responsibility to get more information directly from the employee.

3.      Consult Counsel On How To Handle An Uncooperative Employee: If the employee refuses to disclose information, consult counsel regarding whether the employee can be required to provide health information before taking any adverse action is against the employee.  If the employee already has been sent home, promptly involve counsel to minimize or resolve any possible liability risks.  

4.      Provide Notice Of Disclosure To A Cooperative Employee:  If an employee voluntarily discloses infection with MRSA, explain that (a) the employer may need to disclose limited information about the employee’s health condition to those with a need to know, such as government health officials and health care providers of co-workers to take precautions against the spread of the infection and to facilitate any needed treatment of others, and (b) the employer will limit disclosure to those with a need to know and then will disclose only the minimum information necessary.

5.      Request Consent To Disclose:  Ask the employee for permission to make the limited disclosures described above.  If the employee refuses to consent, tell the employee that the entity may have no choice but to share information about the infection with others but will do so only to the extent permitted or required by law.

6.      Avoid Identifying The Infected Employee:  When disclosing information about the infected employee, avoid identification by name except when necessary to protect the health of co-workers who might have been infected or as required by law.

7.      Instruct Supervisors On Confidentiality And Retaliation Risks:  Instruct supervisors about the need to maintain the confidentiality of employee health information and provide guidance on how to respond to questions from other employees and supervisors so as to avoid undue panic and concern.  Supervisors should be reminded of the need to avoid any claim of retaliation by the possibly infected employee or his/her family members.  Educate supervisors on the spread of MRSA infections, types of treatment, and the Company’s planned preventative steps.

There is no one-size-fits-all solution to the many complicated privacy issues that a Superbug infection in the workplace can raise.  These guidelines, however, provide a starting point for what most likely will be a tense and fast-moving situation that raises a wide range of benefits issues and employment-related liability risks. 

My colleagues in Littler's Workplace Safety Practice Group, Don Benson and Pete Rice, are OSHA experts who will be presenting a webinar on Wednesday, December 12, 2007, on how to reduce the risks of an MRSA outbreak in your workplace and how to respond when one occurs. 

RagingWire’s attorney argued that employers have an interest in ensuring that employees are not using drugs illegally, and should not have to tolerate off-work drug use by workers simply because state law considers such use lawful.  These arguments were persuasive in the lower courts, and several Justices participating in the oral argument appeared to agree that the federal-state law conflict posed a problem for employers.

Ross’s attorneys pointed out, however, that RagingWire had no obligation to drug test Mr. Ross under federal law, and that there was little risk that the Company could be held liable for accommodating his off-job drug use.  In addition, California public policy strongly supports an individual’s right to employment absent discrimination on the basis of disability, and further contains provisions protecting individuals’ rights to make basic decisions regarding their medical care.  Ross’ attorneys further argued that the California Constitution’s privacy protections also militated in favor of Ross, absent evidence that he was impaired by his marijuana use while at work.

Significantly, Ross’s advocates did not challenge an employer's right to conduct the drug test in the first place, and both agreed that the California Supreme Court's decision in Loder v. City of Glendale remains good law.  The Loder decision established that California employers may conduct workplace drug testing in circumstances that do not unduly intrude upon an individual's right to privacy.  The opinion discusses at length the various ways in which illegal drug use adversely affects employers, and concludes that attempts to detect such use may be tolerable incursions upon an employee's right to autonomy privacy.  The fact that medicinal use of marijuana is now technically not unlawful as a matter of California law begs the question of whether, and to what extent, employers must accommodate that use like any other prescription medication which may have adverse effects on an individual's behavior or job performance.

Ultimately, many of the questions raised by the Justices were not adequately addressed by Ross’s attorneys:  If the test is lawful under California law, and the drug use is arguably lawful under California law, what, if anything, must the employer do to accommodate such use?  Can permitting the off-duty use of marijuana ever be deemed a reasonable accommodation?  As a practical matter, RagingWire had not considered whether to accommodate Ross’s marijuana use, and neither side appeared willing to compromise its position regarding Ross’s right to use marijuana.  Interestingly, the attorneys for Ross agreed that an employee who came to work under the influence of drugs could be disciplined by his employer, but failed to explain the difference between a positive drug test and evidence of impairment.  If that line of reasoning is adopted, it may have the curious result of barring employers from refusing to hire individuals who use marijuana pursuant to the Compassionate Use Act, but permitting employers to discharge such individuals for testing positive after a workplace accident or other incident suggestive of impairment.

Ultimately, court-watchers came away with no clear sense of how the California Supreme Court might rule.  Given both parties’ support for the Loder case, however, it appears unlikely that the privacy analysis applied to workplace drug testing, which balances the needs of the employer against the privacy interests of the employee, will be revised.