School District's Woes from Using Webcams to Track School-Issued Laptops Should Be an Eye-Opener for Employers

According to a report issued by Gartner Dataquest, telecommuters constitute more than one-quarter of the U.S. workforce. That number likely will increase substantially as new, mobile technologies make it easier for employees to work anywhere at any time; a new generation of tech-savvy employees enters the workforce; and employers embrace alternative work arrangements. With employees absent from corporate offices, how can an employer ensure that its mobile workforce is, in fact, working? The public relations debacle recently confronted by the Lower Merion School District in Philadelphia’s Main Line suburbs highlights what employers should and should not do.

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

  • The School District did not have written policies and procedures regulating the use of Theft Tracker.
  • Parents and students were not provided with an explanation of the program and were not required to consent to its use.
  • Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
  • There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker.

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy, especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.

Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”), which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce, to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

The duty of disclosure applies even when the employee’s endorsement appears on a site that is not maintained by the employer or employee (such as a popular “bulletin board”) and the statement itself is not misleading. See 16 C.F.R. Part 255.5 (entitled “Disclosure of material connections”), Example 8. Failure to make such disclosure may expose the employer to liability under the Act.

If employees make misleading statements about the employer’s products and services that result in injury to consumers, the FTC may bring an enforcement action against the employer. The FTC reports that it has brought enforcement actions against employers “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury, but the FTC suggested in comments on the guidelines that it would be unlikely to take action against an employer for the conduct of a single “rogue” employee whose conduct violated an adequate company policy.

Additionally, because postings on blogs and Facebook pages can reach wide audiences, employers may be vulnerable to large-scale liability like class-action lawsuits by consumers and/or legal action by state attorneys general.

In view of this latest possible exposure to employers from employees’ use of blogs and social websites, employers should consider reviewing their electronic communications or social media policies to ensure: (1) that they have policies addressing the use of the company’s name, trademarks, and other proprietary information in blogs and other social media; and (2) that these policies include either prohibitions or appropriate guidance regarding references to company products or services. Such prohibitions and/or guidance should no longer be limited to criticisms of the employer and its products and/or services. Endorsements, if permitted at all, should be limited to truthful and verifiable statements, or should be subject to prior approval by management. And in either event, such statements must be accompanied by an employee’s written disclosure of the employment relationship so that consumers can fairly weigh the testimonial.

This entry was written by Lisa Brauner.

Federal Courts' Disagreement Over E-Mail Privacy Highlights Employers' Need to Revisit E-Mail Policies

As the Supreme Court prepares to address the question whether public employees can expect privacy in text messages sent by government-issued phones through a service provider under contract with the government, federal district courts continue to reach conflicting results when addressing whether private employees waive the attorney-client privilege by communicating with a personal attorney using their employer’s electronic resources. With yet another federal court recently finding no waiver, employers should revisit and revise their electronic resources policies to increase their chances of winning the waiver battle.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor, suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battle by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

  • Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
  • Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
  • Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.

Defeating Liability For Employees' Off-Duty Internet Activity

Sometimes cases with disgusting facts provide good law for employers. A case recently decided by the Wisconsin Court of Appeals proved that point in reversing a $1.4 million judgment on claims for negligent training and supervision against a security company based on the off-duty Internet activities of one of its employees.

As security manager at a Polaris Industries facility, Troy Schmidt, an employee of Polaris’ security provider, was responsible for creating identification badges of Polaris employees using photographs stored on a Polaris database. Schmidt copied the photographs of approximately thirty female Polaris employees to a flash drive, printed them at home, ejaculated on them, and posted the adulterated photographs on an adult website that he created through Yahoo!.

Polaris promptly took control of the efforts to reverse the harmful effects of Schmidt’s bizarre conduct. Polaris took the following steps:

  • Investigated and determined that Schmidt was the likely perpetrator;
  • Contacted Yahoo! to request the removal of the photographs;
  • Met with Schmidt and obtained his admission to the conduct;
  • Obtained Schmidt’s agreement to de-activate the website;
  • Obtained confirmation from Yahoo! that Schmidt had de-activated the website;
  • Met with police personnel (who declined to prosecute).

After learning of the matter from Polaris, Schmidt’s employer, the security company, offered to provide assistance, participated in the interview of Schmidt, and fired him shortly after hearing his admission. Notably, the ten plaintiffs sued only the security company and not Polaris.

In reversing the large judgment against the security company, the Wisconsin Court of Appeals pronounced a rule that should provide a measure of relief for all employers: “[E]mployers have no duty to supervise employees' private conduct or to persistently scan the world wide web to ferret out potential employee misconduct.”

Beyond that pronouncement, the court emphasized several other factors. Schmidt’s conduct was “bizarre and unexpected,” indeed “unimaginable.” The security company had trained Schmidt in sexual harassment, employee theft, and his duty to comply with Polaris’ computer usage policy. The security company had no reason to know that Schmidt might engage in Internet abuse. The security company cooperated in Polaris’ response to the incident to the extent permitted by Polaris.

The court’s rejection of a duty to monitor employees’ off-duty Internet activities appears to provide employers with an unbeatable defense in cases like this one. Still, the result might have been different had Schmidt’s employer not provided training, or if Polaris and the security company had not acted promptly once the offending conduct became known. Consequently, when there is a tight nexus between an employee’s job duties and an employee’s off-duty Internet abuse, employers should consider taking some of the proactive measures that Polaris and the security company took. Such measures might not only help to defeat liability but prevent the filing of a lawsuit in the first place.

This entry was written by Philip L. Gordon.

Photo Credit: Matthew Bowden

GINA Becomes Effective November 21, 2009: Are You Ready?

The Genetic Information Nondiscrimination Act (GINA) takes effect on November 21, 2009. How does GINA impact employers? GINA does the following: (a) prohibits employers from discriminating against an employee based upon genetic information, (b) places broad restrictions on an employer’s deliberate acquisition of genetic information, (c) mandates confidentiality for genetic information that employers lawfully collect; (d) strictly limits disclosure of such information, and (e) prohibits retaliation against employees who complain about genetic discrimination.

Some of the more obvious violations of this new law occur when an employer requires a worker to take a genetic test or fires the worker based on information about such a test. However, employers can run afoul of GINA in a number of other ways they may not anticipate because the Act broadly defines “genetic information” to include not only genetic test results but also any information about the manifestation of a disease or disorder in a family member, such as family medical history. For example, employers should tell health care providers who conduct post-offer, pre-employment medical examinations not to disclose to the employer the results of any family medical history or other genetic information. This example highlights the attention employers must now pay to GINA, violations of which subject employers to the same remedies as violations of Title VII of the Civil Rights Act of 1964.

The EEOC had a deadline of May 21, 2009, to issue final regulations interpreting GINA’s employment-related provisions. With the Act’s effective date less than one week away, the EEOC still had not published final regulations. Further guidance on GINA’s requirements will be provided when the EEOC issues its final regulations. In the meantime, employers will find below a number of suggestions for complying with GINA.

Have You Taken These Steps to Comply with GINA Yet?

• Train human resources personnel, managers and recruiters about compliance with GINA, especially the provisions generally prohibiting deliberate acquisition of genetic information.

• Post a new EEO nondiscrimination poster prohibiting discrimination based on genetic information.

• Revise EEO policies to include prohibitions against discrimination based on genetic information and associated retaliation.

• Discontinue requests to applicants and employees for family medical history except in the limited circumstances permitted in connection with a wellness or disease management program. (See Littler’s recent ASAP, which explains this exception.)

• Whenever requesting an employee to have medical professionals provide documentation, such as in connection with a fitness-for-duty exam or a request for a reasonable accommodation or leave, add a statement that family medical history or other genetic information should not be provided.

• Inventory personnel records--such as FMLA certifications seeking leave for the serious illness of a family member--that contain genetic information about an employee, store those records in a confidential medical file, and strictly limit access to those with a need to know.

• Implement procedures to prevent the disclosure of genetic information in response to a subpoena or civil discovery and to permit disclosure only when specifically required to comply with a court order. 

This entry was written by Ilyse Schuman and Philip Gordon.

Photo by Jonathan Lenz.

Web-Based E-mail Accounts Accessed At Work: Private Or Not? Look To The Handbook

Employers often put employees on notice, through an electronic resources policy, that communication via company e-mail accounts is not private. Far fewer policies, however, address employees’ use of their personal Internet-based e-mail accounts using company computer resources. What should an electronic resources policy tell employees on that subject?

A recent New Jersey case, Stengart v. Loving Care, sheds some light on the answer. Before Maria Stengart resigned and sued Loving Care, her employer, she e-mailed her lawyer through her personal web-based account from her company-issued computer with Loving Care’s Internet access. With the help of a computer forensic expert, Loving Care was able to recover temporary files stored on the hard drive of the company-issued computer which contained copies of Stengart’s attorney-client communications. (Employers should note that many web-based e-mail applications leave such temporary files on the hard drive of the sender’s computer.)

When Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation, she objected. The trial court was asked to decide whether the e-mail, sent during work hours on a company laptop, was protected by the attorney-client privilege. The court held that it was not.
 

Key to the decision was the following company policy: “[I]nternet use and communication . . . are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” Put another way, Loving Care told its employees that their Internet use is not private. Stengart’s Internet-based e-mail fell squarely within the policy. As a result, she could not claim the e-mail was protected by attorney-client privilege.

There are two important takeaways for employers. First, be specific about online privacy using the company’s electronic resources. In particular, tell employees that they should not use the company’s Internet connection to access personal e-mail accounts for purposes of conducting company business or to send any e-mail that they wish to keep private.

Second, ensure that you can prove each employee knows the rules. Stengart tried to claim that she was not aware of Loving Care’s Internet policy. The trial court rejected that argument because she was a long-time employee with significant management responsibility. Lower-level, shorter-term employees may have a more credible argument. To defeat that argument before it is made, employers should document that each employee has acknowledged receipt of the company’s electronic resources policy.

This entry was co-authored by Philip L. Gordon and Kate H. Bally.

More Businesses Demanding Background Checks And Drug Tests Of Vendor Employees, Creating New Privacy And Data Protection Challenges

More and more businesses — especially those in highly regulated industries such as banking, telecommunications, and health care — are engaging in “vendor management” as they implement increasingly rigorous information security programs.  Confirming the trustworthiness of vendors’ employees who are permitted on premises or who are authorized access to sensitive information is a cornerstone of such programs.  Consequently, these businesses are starting to make a variety of demands in contract negotiations and requests for proposals (RFPs) for background checks and drug-testing of vendor employees.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Here are three of the steps vendors might consider to avoid this catch-22:

  • Consider making reasonable counterproposals to customers. Expressing a concern for the confidentiality and security of the sensitive, personal information of your employees demonstrates awareness of the importance of information security. It also provides you with the opportunity to reinforce your commitment to protecting your customers’ privacy.
  • Do not automatically agree to demands without first determining whether they would require your organization to violate often-stringent drug-testing and background check laws. Businesses engaged in vendor management sometimes make broad demands without considering the nuances of state and federal privacy laws.
  • Consider implementing a drug testing policy and a background check policy. Distribution of these policies provides an opportunity to communicate the important business interests at stake and the efforts being made to protect employees. At the same time, the policies can be used in contract proposals to demonstrate the company’s commitment to providing only trustworthy employees to work on customer accounts. And, in some states, distribution of a written drug testing policy is required by law.