Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

The Colorado bill contains the same two exceptions as Maryland’s User Name and Password Privacy Protection Act, H.B. 13-1046.  Specifically, the bill appears to allow an employer to request an employee’s log-in information to investigate suspected violations of securities laws or regulations, or suspected misappropriation of trade secrets when the employer suspects the misconduct involves the employee’s personal social media account.  H.B. 13-1046 does not contain a more generalized exception for an investigation into suspected unlawful conduct or violations of employer policies. 

The Colorado bill has one of the weaker remedial schemes as compared to other recent laws.  H.B. 13-1046 does not confer a private right of action on applicants or employees to recover unlimited compensatory and consequential damages.  Instead, the bill allows an employee or applicant to file a complaint with Colorado's Department of Labor (DOL).  The DOL must investigate the complaint, hold a hearing, and issue findings.  The DOL may promulgate rules authorizing a fine of up to $1,000 for the first offense and up to $5,000 for each subsequent offense.

Approximately one month after sending this e-mail, Messier quit his position with Thrivent, apparently not on good terms, and he began looking for another job. When three consecutive prospective employers rejected Messier after contacting Thrivent for a reference check, Messier hired a reference checking company to call Thrivent, posing as a prospective employer, and inquire about Messier. In response to this inquiry, Messier’s former supervisor at Thrivent stated that Messier “has medical conditions where he gets migraines. I had no issue with that. But he would not call us. It was the letting us know.” Representing Messier, the EEOC took the position that Thrivent’s response violated the ADA’s confidentiality requirement because the ADA protects medical information learned by an employer through any job-related inquiry.

The Seventh Circuit rejected the EEOC’s position based on the ADA’s plain language. More specifically, the ADA’s confidentiality provision, by its plain terms, applies only to medical inquiries. By contrast, when Messier wrote the November 1, 2006 e-mail to his supervisor at Thrivent, Messier was responding to a generalized inquiry about “what was going on,” not to a medical inquiry. Consequently, Messier voluntarily disclosed that he had suffered a severe migraine, and the ADA did not prohibit Thrivent from re-disclosing that information.

The Seventh Circuit’s ruling is significant because employers can receive information about the medical condition of employees from a variety of sources, particularly with the explosion of self-disclosure in social media. By contrast, the ADA permits employers to make medical inquiries of current employees, or to require employees to undergo a medical examination, only: (a) when an employer has objective evidence to question whether an employee can perform essential job functions; (b) when necessary to evaluate an employee’s request for an accommodation; or (c) when necessary to determine whether an employee poses a direct threat of harm to himself or others.

In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. As to this subset, the ADA’s confidentiality provision imposes on the employer a legal obligation to keep the information confidential, maintain it separately from the general personnel file, and limit access to those with a need to know. The Seventh Circuit’s ruling makes it easier for employers to establish policies and procedures to satisfy these legal compliance obligations because the decision narrows and specifically identifies the scope of employee health information that is subject to the ADA’s confidentiality requirement.

The Seventh Circuit’s rejection of the EEOC’s broad reading of ADA confidentiality, of course, does not mean that an employer should be careless with employees’ health information not protected by the ADA or HIPAA. State law, such as California’s Confidentiality of Medical Information Act, may still apply. But even when state law provides no protection, disclosing employees’ health information to those without a need to know exposes the employer to the risk that the information will be used improperly and has the potential to create tension and undercut employee morale. To reduce these risks, employers should remind managers who may receive voluntary disclosures of employee health information to limit their disclosure of that information to those with a need to know.

Photo credit: hoch2wo photo & design

Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

• Raise employee awareness and educate employees in the handling of sensitive data
• Safeguard company equipment and wireless devices and minimize damage in the event of breach 
• Protect corporate networks from the use of multiple portable devices while preserving employee rights
• Establish policies and procedures to strengthen and maintain data security

For more information and to register, please click here (pdf).

Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social
Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.

Photo credit: CrackerClips

Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.

The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.

The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.

The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
 

The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.

(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.

The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.

The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.

The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:

[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.

Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.

HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.

This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.

Photo credit: hoch2wo photo & design

Although, the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS compliance as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.

What does this mean to my company?

The Judgment by Consent has far reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems, are all covered by these laws and regulations.

What should my company do?

Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords, user access should be limited on a need-to-know basis and removed promptly after an employee is terminated, employees need to be trained on your organization’s information security policies and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.

What are the consequences of not complying?

The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action. 

Photo credit: dra_schwartz 

To address privacy issues, the FTC has focused on two regulatory models:

• The notice-and-choice mode “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices.” (Report at iii.)
• The harm-based model “focuses on protecting consumers from specific harms – physical security, economic injury, and unwanted intrusions into their daily lives.” (Id.)

Rather than advocating abandonment of these approaches, the report notes the drawbacks of each one: the notice-and-choice model has led to lengthy privacy policies that are neither read nor understood by consumers; the harm-based model has failed to adequately protect privacy interests that cannot be easily measured in monetary terms, such as reputational harm and the fear of being subjected to unwanted tracking in cyberspace. (Id.) Further, technological advancements have challenged both models:

• Companies can collect, store, manipulate and share consumer data at minimal cost.
• Companies can collect and use consumers’ information in ways that often are invisible to consumers.
• The distinctions between personally identifiable information and non-personally identifiable information has become blurred. Customers are very interested in strong privacy protections. At the same time, however, the free flow of information is critical to providing the goods and services.
   

The report proposes an alternative, three-part framework for future privacy regulation by the FTC:

1. Privacy by Design, an approach in which companies would promote consumer privacy throughout their organizations and at every stage of the development of their products and services. They would build into their everyday practices privacy protections, such as reasonable security for consumer data, collection of only the data needed for a specific business purpose, retention of data only as long as necessary to fulfill that purpose, safe disposal of data no longer being used, and implementation of reasonable procedures to promote data accuracy. (Report at v.) This approach also would include the assignment of privacy officers, privacy training, and internal privacy reviews when new products and services are developed.
2. Simplified Consumer Choices. Companies would not need to provide choices to consumers before collecting and using their data for commonly accepted practices such as purchase order fulfillment. But for practices that would result in a material change from a customer’s expected use of personal data, companies would offer the choice at a time and in a context in which the consumer made a decision about providing and authorizing the use of his or her data.
3. Greater Transparency in Data Practices. Companies would clarify, shorten and standardize privacy notices, provide reasonable access to the personal data they maintain about a person based on the sensitivity of the kind of data and the nature of its use; provide prominent disclosures; and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
    

Whether the FTC will adopt the framework outlined in the preliminary staff report after the public comment period ends on January 31, 2011, is unclear. But if the report is adopted, it likely will be over objection. Two of the five Commissioners issued concurring written statements to the report in which they questioned whether a new or modified model is necessary or desirable.

If the report is adopted, employers would need to consider the following implications:

• Increased Need for Privacy Training for All Employees. “Privacy by design” entails efforts at every level of a business to protect the private information of consumers during the entire data life cycle, from collection to use to transfer to storage to destruction. The population of employees who should receive privacy training likely will expand materially.
• Institution of Privacy Reviews During Product and Service Development. Another implication of “privacy by design” is the need to scrutinize privacy issues during the service- or product-development process. That would necessarily require a broader group of employees with expertise in the area of privacy than most organizations currently have.
• Increased Need for Employee Sensitivity to Private Customer Information at Key Points in Business Transactions. The FTC’s new framework would require a business to give customers “just in time” choices about whether and how to use sensitive data. Automated notices and prompts would help solve some of these issues in online transactions. But with respect to phone or face-to-face transactions, employees would have to be vigilant to both identify those key decision points in business transactions and then respond appropriately.

This entry was written by Christopher M. Leh.

The law’s numerous and broad exceptions will limit its impact. Significantly for the financial services sector, the law expressly excludes banks, insurers and surety companies from its coverage by excepting them from its definition of “employer.” The following categories of positions also are excluded from the law’s coverage:

• Positions involving access to sensitive information;
• Positions involving unsupervised access to cash or marketable assets valued at more than $2,500;
• Positions with signatory power over business assets of $100 or more per transaction;
• Managers who set the direction of or control a business;
• Positions for which the employer is required by law to obtain a bond;
• Positions for which state or federal law or regulation establishes credit history as a bona fide occupational qualification; and
• Positions for which the employer is required by law to obtain credit history.

The first exception is particularly broad given the many different types of information to which it applies. More specifically, Illinois employers can obtain credit reports and credit history from applicants or employees whose position involves access to any of the following categories of information: (a) sensitive information that a customer gives the employer explicit authorization to process; (b) sensitive information that an employer entrusts only to managers and a select few employees; (c) sensitive information that is secured so as to make it inaccessible to the public and low-level employees; (d) non-public information about the employer’s overall financial direction, including company tax and profit and loss reports; (e) sensitive information regarding an employer’s overall strategy or business plans; and (f) information that would jeopardize national or state security if publicly available. The statute does not define the term “sensitive information” and, therefore, appears to leave the determination of sensitivity to the employer’s reasonable discretion.

When taken together these exceptions appear to permit credit checks on large swaths of an organization’s workforce. At a minimum, all senior executives, in-house attorneys, human resources professionals, and finance department employees, virtually all information technology employees and managers with money-handling responsibilities appear to fall within the scope of the law’s exceptions. By contrast, most lower-level employees — except perhaps customer service positions involving access to sensitive customer information — likely would be covered. Each employer will need to conduct its own analysis to identify the categories of Illinois employees from whom credit information can lawfully be obtained and considered in employment decisions.

For further analysis of this development, see Littler ASAP "New Illinois Law Puts Credit Reports and Credit History Off Limits for Most Employers and Most Positions" by Philip L. Gordon and Jeffrey C. Kauffman.

This entry was written by Philip L. Gordon.

Photo credit: contour 99

In its press release, HHS cryptically explains that the agency withdrew the regulations “to allow for further consideration, given the Department’s experience to date in administering the regulations.” The agency established no deadline for issuing new regulations, stating only that it “intend[s] to publish a final rule in the Federal Register in the coming months.” The agency also provided no guidance concerning its enforcement of the HITECH Act’s security breach notification requirements — which remain in effect despite the absence of regulations — while covered entities await the final rule’s publication.

The impetus behind the HHS’s withdrawal may have been opposition from Congress and from privacy and patient advocacy groups to the “harm standard” contained in the now-withdrawn regulations. Under that standard, a covered entity that discovered unauthorized access to, or acquisition, use or disclosure of, PHI was not required to provide notice of security breach unless the unauthorized conduct “pose[d] a significant risk of financial, reputational or other harm” to the subject of the information. Opponents of the “harm standard” contended that it added an unwarranted gloss to the HITECH Act’s plain language and was not sufficiently protective of patients’ and plan participants’ rights.

If HHS were to eliminate the “harm standard” in its to-be-issued final regulations, the upshot for employers and health care providers would be significant as just one example demonstrates. It is not uncommon for an employee in the health care sector who is involved in a dispute with her employer over performance to take patient records for possible future use in a lawsuit alleging that the employer’s discipline or termination was unfounded and resulted from discrimination. The employee’s acquisition of patient records potentially to advance her own claims of discrimination is an unauthorized acquisition of PHI. Were HHS to issue final regulations that omit a harm standard, health care employers in this situation likely would be required to provide notice of security breach even if the employer never used or disclosed the copied documents and ultimately returned or properly destroyed them. In short, elimination of the “harm standard” could dramatically increase not only the number of notices that employers and health care providers will be required to provide but also the attendant out-of-pocket expense and potential damage to business reputation.

The problem now for employers and health care providers during “the coming months” before HHS publishes a final rule is whether to analyze a security incident with or without a harm standard, a decision which often will be dispositive of the question whether notice will be necessary. On the one hand, HHS itself found — at least at one time — that the HITECH Act’s security breach notification requirement properly could be construed to include a harm standard, and the agency’s cryptic press release does not expressly or implicitly point to the “harm standard” as the reason for withdrawing the interim final regulations. On the other hand, the HITECH Act does not expressly include a harm standard, and given the opposition to the “harm standard,” one fairly can surmise that the final rule to be issued by HHS will not include a harm standard. At least until HHS issues additional clarification of its withdrawal or publishes the final rule, each employer and health care provider confronted by a security incident involving PHI will need to make its own judgment call on whether to ignore the harm standard and potentially “over-notify,” or to apply the standard to justify a decision not to provide notice but run the risk of an enforcement action.

This entry was written by Philip L. Gordon.

According to a report issued last week by the School District’s attorney and recent news reports, the School District installed a program called Theft Tracker on more than 2,000 laptops issued to students. When activated, the program records the laptop’s Internet address, captures an image of anything on the computer’s screen, and takes a Webcam photo every fifteen minutes until the program is deactivated. Theft Tracker downloaded all captured information and images to the School District’s server and erased them from the laptop’s memory. The program reportedly was responsible for taking 56,000 photographs. Approximately two-thirds were related to six laptops that actually had been stolen. The local police relied on at least some of those photos to recover the stolen laptops. Many of the remaining pictures, however, were taken because School District employees forgot to deactivate Theft Tracker after students reported that they found laptops that had been reported stolen.

Since the story broke, the School District has found itself at the center of a maelstrom. At least one student has sued the School District, alleging invasion of privacy. The FBI is investigating for potential criminal conduct. Congress held hearings on surreptitious surveillance, and Senator Arlen Specter proposed the "Surreptitious Video Surveillance Act," to extend the Federal Wiretap Act to video surveillance without prior notice. Editorialists and the media have hammered the School District. What went wrong?

According to one news report and the School District’s attorney, the School District made several mistakes:

• The School District did not have written policies and procedures regulating the use of Theft Tracker.
• Parents and students were not provided with an explanation of the program and not required to consent to its use.
• Students were asked to sign a policy that related only to use of the School District’s own network and did not mention school-issued laptops.
• There was no written policy concerning disclosure to law enforcement authorities of information obtained through Theft Tracker

In addition, the School District apparently conducted no legal analysis before implementing Theft Tracker to identify and assess the potential legal risks.

Employers who consider implementing a program like Theft Tracker or otherwise want to activate Webcams on company-issued laptops should learn the lessons of Lower Merion School District’s disastrous foray into webcam use. The employer must first have a detailed understanding of the technology’s capabilities and subject the technology to a rigorous legal review. If, for example, the technology is capable of recording audio, its use could constitute unlawful wiretapping, especially in states where consent is not a defense unless all parties to the communication have consented. Running afoul of the two-party consent laws is easy especially when family members, house guests, and others who have not consented to the use of the technology could be recorded. Similarly, non-employees could easily be photographed without their knowledge or consent, potentially giving rise to a claim for invasion of privacy.

If an employer determines that the benefits of the technology outweigh the risks, it still should implement detailed, written policies and procedures concerning the technology’s use to mitigate those risks. The guidelines should address at least the following: (1) identification of the employees authorized to activate the program; (2) identification of the management-level employees that must approve activation of the program; (3) circumstances in which the program may be activated; (4) the duration of the monitoring; (5) security for the fruits of the monitoring; (6) identification of the employees permitted to access the fruits of the monitoring; (7) how the fruits of the monitoring may be used; (8) when the fruits of the monitoring may be disclosed to law enforcement; and (9) how long the fruits of the monitoring will be retained.

The employer also should provide employees with full and fair notice of how the technology will be used and obtain the employee’s affirmative consent to its use. The notice should include, at a minimum, an explanation of the technology, the circumstances in which it will be activated, how the fruits of the monitoring may be used, and to whom they may be disclosed. Employers should beware that even after taking all of these precautions, use of webcams might be illegal in certain non-U.S. countries, such as the member states of the European Union.
 

This entry was written by Philip L. Gordon.

While public discussion of the case has revolved principally around the first element of Quon’s claim, i.e., whether Quon reasonably could expect privacy in his text messages, the Supreme Court seemed to focus more heavily on the second element, i.e., whether the City’s review of Quon’s text messages was excessive or unreasonable. During the trial in the case, the jury found that the City’s purpose in searching Quon’s text messages was to determine whether those messages were sent for business or personal reasons. Under persistent questioning from Justices Breyer and Sottomayor, Quon’s counsel struggled to identify a less intrusive means for the City to achieve this indisputably, legitimate purpose than the City’s reading all of Quon’s text messages. The Supreme Court could resolve the case on this initial element of Quon’s claim and not even address whether Quon’s privacy expectation was reasonable.

The Court also appeared skeptical of the Ninth Circuit’s conclusion that Quon reasonably could have expected privacy in his text messages. To reach that conclusion, the Ninth Circuit had relied upon a statement by Lieutenant Duke, the police official responsible for the text messaging program. Duke told Quon that he would not read Quon’s text messages to determine whether they were business-related or personal so long as Quon paid the service provider’s overage charges when Quon exceeded the contractual limit on the number of characters per month. Justices Alito’s and Ginsburg’s questions suggested that they viewed Duke’s statement to be limited to his own actions as opposed to a guarantee of Quon’s privacy against any search by the City. Justices Stevens’ and Kennedy’s questions honed in on the nature of Quon’s SWAT duties, suggesting that Quon could not reasonably expect privacy given that he was on call 24/7 and knew, or should have known, that his text messages might be evidence in criminal proceedings.

Interestingly, Chief Justice Roberts’ questioning suggested that he was somewhat sympathetic to Quon’s contention that he reasonably could expect privacy in his text messages. The Chief Justice noted in his questions that Quon paid the City for his personal text messages, sent at least some of the texts while off-duty, and was told by Duke that he (Duke) would not audit them. The Chief Justice also noted that the Internal Affairs investigators who reviewed the transcripts of Quon’s text messages had redacted the personal ones, suggesting that these investigators considered the personal messages to be private.

In another noteworthy twist, the United States Government, arguing alongside the City, asked the Court to adopt a bright-line rule that employers can defeat the reasonableness of any employee’s expectation of privacy by issuing a policy informing employees that they have no privacy in their communications over employer-provided equipment. The Court did not seem receptive to this position. Justice Sottomayor noted the Court’s well established precedent — O’Connor v. Ortega — holding that “operational realities” of an office are a factor in determining whether an employee had a reasonable expectation of privacy in the workplace and that the employer’s policy is just one factor to consider.

Perhaps most telling of the Court’s likely hesitance to adopt a bright-line rule in either direction were comments by Justice Alito and the Chief Justice. Justice Alito emphasized the newness of the communications technology in the following statement:

[E]lectronic communications are stored all over the place in – and there isn't a history — these are — these are relatively new. There isn't a well-established understanding about what is private and what isn't private. It's a little different from putting garbage out in front of your house, which has happened for along time.

The Chief Justice emphasized the evolving nature of communications technology in response to the federal government’s advocacy of a bright-line rule, stating, “We are dealing with [the Fourth] [A]mendment that looks to whether something is reasonable. And I think it might be the better course to say that the Constitution applies, but we are going to be more flexible in determining what is reasonable because we are dealing with evolving technology.” (emphasis supplied).

A ruling will be issued by the end of the Court's term in June 2010.

This entry was written by Philip L. Gordon.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.

In Convertino v. United States DOJ, 2009 U.S. Dist. LEXIS 115050 (D.C. Dec. 10, 2009), a case decided last week, a former federal prosecutor suing the Justice Department for an allegedly improper leak concerning an investigation into charges that he engaged in prosecutorial misconduct, sought to compel production of e-mails exchanged through the Justice Department’s e-mail system between Jonathan Tukel, a federal prosecutor involved in the investigation, and Tukel’s personal attorney. The federal District Court for the District of Columbia held that Tukel had not waived the privilege. The court determined that Tukel reasonably could expect privacy in the communications with his attorney because the Justice Department’s e-mail policy permitted personal use of its e-mail system, and Tukel stated in an affidavit that he was unaware that the Department regularly monitored his e-mail.

In contrast to this result, a federal district court in Idaho, in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held just six weeks earlier that an employee had waived the attorney-client privilege by exchanging e-mail with her attorney using her employer’s e-mail system. The court relied on the employer’s e-mail usage policy, which notified the employee that: (1) all e-mail was the employer’s property; (2) the employer reserved the right to monitor e-mail; and (3) employees should not assume that e-mail would be confidential. The court gave no weight to the employee’s testimony, almost identical to Tukel’s in the D.C. case, that she was unaware of the monitoring. The court found her subjective belief “unreasonable . . . in this technological age.”

Although not mentioned in the D.C. court’s opinion, the Justice Department’s e-mail usage policy most likely contains the same language that the Idaho court relied upon to find a waiver. Thus, the principal difference between the two cases appears to be the Justice Department’s express permission of some non-business use of its e-mail system. That said, employers would be short-sighted to think that prohibiting all non-business use in an e-mail policy would ensure a finding of waiver. Courts are likely to look to the employer’s de facto policy regarding non-business use, which, for virtually all employers, will be tacit permission of non-business e-mail despite an express ban on non-business use in the employer’s e-mail policy.

Given the above, employers can strengthen their position in the waiver battler by expressly stating the following in an e-mail policy with respect to non-business use of the employer’s e-mail system:

• Non-business e-mails are not private and are subject to the employer’s electronic resources policy in its entirety, including the employer’s policy on monitoring;
• Employees are prohibited from using the employer’s electronic resources to communicate with a personal attorney;
• Employees who use the employer’s electronic resources to engage in non-business e-mail communications through a personal web-based e-mail account should be aware that duplicates of such e-mail may be stored on the employer’s electronic resources and will be subject to review by the employer in accordance with its electronic resources policy.

This entry was written by Philip L. Gordon.

Why is this massive review of Facebook privacy settings significant to employers? Facebook’s default privacy setting is, perhaps ironically, “Everyone.” In other words, job applicants and employees who do not change their default privacy settings on Facebook permit the general public, including recruiters, human resources professionals, in-house employment counsel, and employment litigators to view all information posted on their profile. Because the information is readily accessible to the general public, the law imposes no restriction on these viewers, even when their interests may be adverse to those of the applicant or employee.

Facebook’s privacy settings include an option that permits a user to restrict viewing to “Only Friends,” i.e., only those people whom the user has permitted to access her profile. While some users exercise little or no discretion in accepting friend requests and have hundreds of friends, many users restrict their friends to those whom the user can trust to further disclose information posted on the user’s profile page only with permission. Employers face significant legal restrictions on access to a user’s restricted Facebook page. One of our recent blog posts highlighted an adverse jury verdict against Houston’s restaurants where two managers who were not on the friends list of a MySpace group page, nonetheless, gained access to the page and fired two of the group’s members who were Houston’s employees based on their postings.

Even if only one-quarter of the Facebook users who recently changed their privacy settings restricted access to “Only Friends,” that change would translate into approximately 44 million users. Put another way, employers may be seeing the start of a cultural shift in which social networking users become far more careful before posting information about themselves that could be lawfully accessed without their knowledge or consent and used against them in employment-related decisions.

This entry was written by Philip L. Gordon

Image credit: DaytonChildrens

The matter might have ended there but for the hospital’s termination of its contract with the pathology group that worked in the lab. The pathologists allege that the contract termination constituted retaliation for their pushing the hospital to disclose the incident. It appears that after the contract termination, the pathologists reported the incident to government officials.

While we do not question the motives of the New Hampshire pathologists, this incident demonstrates the importance for employers of documenting any decision not to provide security breach notification when a security incident occurs. Under many state security breach notification laws as well as HIPAA’s new security breach notification requirements, notice is required only if a security incident poses a material risk of harm to the individuals whose information has been compromised. Whether a material risk of harm exists often is a judgment call.

An employee who is aware of a security incident and a related decision not to provide notice could easily second guess that decision after being disciplined or terminated. As in the New Hampshire incident, a complaint about a decision not to notify could trigger an investigation by federal or state authorities months or years after the incident occurred. Without contemporaneous and thorough documentation of the decision-making process, an employer could have difficulty responding to an investigator’s demands for an explanation of the decision not to notify affected individuals or, where required, state or federal agencies.

This entry was written by Philip L. Gordon