Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

The law’s numerous and broad exceptions will limit its impact. Significantly for the financial services sector, the law expressly excludes banks, insurers and surety companies from its coverage by excepting them from its definition of “employer.” The following categories of positions also are excluded from the law’s coverage:

• Positions involving access to sensitive information;
• Positions involving unsupervised access to cash or marketable assets valued at more than $2,500;
• Positions with signatory power over business assets of $100 or more per transaction;
• Managers who set the direction of or control a business;
• Positions for which the employer is required by law to obtain a bond;
• Positions for which state or federal law or regulation establishes credit history as a bona fide occupational qualification; and
• Positions for which the employer is required by law to obtain credit history.

The first exception is particularly broad given the many different types of information to which it applies. More specifically, Illinois employers can obtain credit reports and credit history from applicants or employees whose position involves access to any of the following categories of information: (a) sensitive information that a customer gives the employer explicit authorization to process; (b) sensitive information that an employer entrusts only to managers and a select few employees; (c) sensitive information that is secured so as to make it inaccessible to the public and low-level employees; (d) non-public information about the employer’s overall financial direction, including company tax and profit and loss reports; (e) sensitive information regarding an employer’s overall strategy or business plans; and (f) information that would jeopardize national or state security if publicly available. The statute does not define the term “sensitive information” and, therefore, appears to leave the determination of sensitivity to the employer’s reasonable discretion.

When taken together these exceptions appear to permit credit checks on large swaths of an organization’s workforce. At a minimum, all senior executives, in-house attorneys, human resources professionals, and finance department employees, virtually all information technology employees and managers with money-handling responsibilities appear to fall within the scope of the law’s exceptions. By contrast, most lower-level employees — except perhaps customer service positions involving access to sensitive customer information — likely would be covered. Each employer will need to conduct its own analysis to identify the categories of Illinois employees from whom credit information can lawfully be obtained and considered in employment decisions.

For further analysis of this development, see Littler ASAP "New Illinois Law Puts Credit Reports and Credit History Off Limits for Most Employers and Most Positions" by Philip L. Gordon and Jeffrey C. Kauffman.

This entry was written by Philip L. Gordon.

Photo credit: contour 99

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

• The School District did not have written policies and procedures regulating the use of Theft Tracker.
• Parents and students were not provided with an explanation of the program and not required to consent to its use.
• Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
• There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.

While public discussion of the case has revolved principally around the first element of Quon’s claim, i.e., whether Quon reasonably could expect privacy in his text messages, the Supreme Court seemed to focus more heavily on the second element, i.e., whether the City’s review of Quon’s text messages was excessive or unreasonable. During the trial in the case, the jury found that the City’s purpose in searching Quon’s text messages was to determine whether those messages were sent for business or personal reasons. Under persistent questioning from Justices Breyer and Sottomayor, Quon’s counsel struggled to identify a less intrusive means for the City to achieve this indisputably, legitimate purpose than the City’s reading all of Quon’s text messages. The Supreme Court could resolve the case on this initial element of Quon’s claim and not even address whether Quon’s privacy expectation was reasonable.

The Court also appeared skeptical of the Ninth Circuit’s conclusion that Quon reasonably could have expected privacy in his text messages. To reach that conclusion, the Ninth Circuit had relied upon a statement by Lieutenant Duke, the police official responsible for the text messaging program. Duke told Quon that he would not read Quon’s text messages to determine whether they were business-related or personal so long as Quon paid the service provider’s overage charges when Quon exceeded the contractual limit on the number of characters per month. Justices Alito’s and Ginsburg’s questions suggested that they viewed Duke’s statement to be limited to his own actions as opposed to a guarantee of Quon’s privacy against any search by the City. Justices Stevens’ and Kennedy’s questions honed in on the nature of Quon’s SWAT duties, suggesting that Quon could not reasonably expect privacy given that he was on call 24/7 and knew, or should have known, that his text messages might be evidence in criminal proceedings.

Interestingly, Chief Justice Roberts’ questioning suggested that he was somewhat sympathetic to Quon’s contention that he reasonably could expect privacy in his text messages. The Chief Justice noted in his questions that Quon paid the City for his personal text messages, sent at least some of the texts while off-duty, and was told by Duke that he (Duke) would not audit them. The Chief Justice also noted that the Internal Affairs investigators who reviewed the transcripts of Quon’s text messages had redacted the personal ones, suggesting that these investigators considered the personal messages to be private.

In another noteworthy twist, the United States Government, arguing alongside the City, asked the Court to adopt a bright-line rule that employers can defeat the reasonableness of any employee’s expectation of privacy by issuing a policy informing employees that they have no privacy in their communications over employer-provided equipment. The Court did not seem receptive to this position. Justice Sottomayor noted the Court’s well established precedent — O’Connor v. Ortega — holding that “operational realities” of an office are a factor in determining whether an employee had a reasonable expectation of privacy in the workplace and that the employer’s policy is just one factor to consider.

Perhaps most telling of the Court’s likely hesitance to adopt a bright-line rule in either direction were comments by Justice Alito and the Chief Justice. Justice Alito emphasized the newness of the communications technology in the following statement:

[E]lectronic communications are stored all over the place in – and there isn't a history — these are — these are relatively new. There isn't a well-established understanding about what is private and what isn't private. It's a little different from putting garbage out in front of your house, which has happened for along time.

The Chief Justice emphasized the evolving nature of communications technology in response to the federal government’s advocacy of a bright-line rule, stating, “We are dealing with [the Fourth] [A]mendment that looks to whether something is reasonable. And I think it might be the better course to say that the Constitution applies, but we are going to be more flexible in determining what is reasonable because we are dealing with evolving technology.” (emphasis supplied).

A ruling will be issued by the end of the Court's term in June 2010.

This entry was written by Philip L. Gordon.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

• Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
• Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
• Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.

Why is this massive review of Facebook privacy settings significant to employers? Facebook’s default privacy setting is, perhaps ironically, “Everyone.” In other words, job applicants and employees who do not change their default privacy settings on Facebook permit the general public, including recruiters, human resources professionals, in-house employment counsel, and employment litigators to view all information posted on their profile. Because the information is readily accessible to the general public, the law imposes no restriction on these viewers, even when their interests may be adverse to those of the applicant or employee.

Facebook’s privacy settings include an option that permits a user to restrict viewing to “Only Friends,” i.e., only those people whom the user has permitted to access her profile. While some users exercise little or no discretion in accepting friend requests and have hundreds of friends, many users restrict their friends to those whom the user can trust to further disclose information posted on the user’s profile page only with permission. Employers face significant legal restrictions on access to a user’s restricted Facebook page. One of our recent blog posts highlighted an adverse jury verdict against Houston’s restaurants where two managers who were not on the friends list of a MySpace group page, nonetheless, gained access to the page and fired two of the group’s members who were Houston’s employees based on their postings.

Even if only one-quarter of the Facebook users who recently changed their privacy settings restricted access to “Only Friends,” that change would translate into approximately 44 million users. Put another way, employers may be seeing the start of a cultural shift in which social networking users become far more careful before posting information about themselves that could be lawfully accessed without their knowledge or consent and used against them in employment-related decisions.

This entry was written by Philip L. Gordon

Image credit: DaytonChildrens

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon