EEOC Loss on ADA Confidentiality Provides Useful Win for Employers

By Philip Gordon

In the decade since the HIPAA Privacy Rule went into effect, human resources professionals and employment counsel have increasingly grappled with medical confidentiality issues. While HIPAA certainly has heightened awareness of the need to handle employees’ health information with care, HIPAA (perhaps ironically) protects only a very narrow subset of such information, i.e., individually identifiable health information created or received by, or on behalf of, a HIPAA-covered health plan. By contrast, the EEOC has taken the position for years that the Americans with Disabilities Act’s (“ADA”) medical confidentiality provision protects all employee health information received by an employer other than the narrow subset of health benefits information subject to HIPAA. In a ruling handed down just two days before Thanksgiving, the Seventh Circuit rejected the EEOC’s interpretation of the ADA as overbroad, giving employers something to be thankful for.

The Seventh Circuit’s decision addressed the question whether Thrivent Financial for Lutherans (Thrivent) violated the ADA’s confidentiality provision by allegedly disclosing medical information about a former employee, Garry Messier, to Messier’s prospective employers. The case had its genesis on November 1, 2006, when Messier failed to report to work. Thrivent’s agent sent an e-mail to Messier asking him to “give John [his supervisor at Thrivent] a call” because John “need[ed] to know what [was] going on.” Rather than calling John, Messier sent him a lengthy e-mail which revealed that Messier had a “severe migraine,” had taken “Innitrex” to ameliorate the symptoms, is “bedridden” when he suffers migraines of this severity, and that the “migraines are an end result of the head trauma” suffered in a “major car accident in 1984.” Apparently recognizing that he might have crossed the line into TMI (“too much information”), Messier concluded, “Probably a lot more than either of you wanted to know, but I want to be totally honest with both of you.”

Approximately one month after sending this e-mail, Messier quit his position with Thrivent, apparently not on good terms, and he began looking for another job. When three consecutive prospective employers rejected Messier after contacting Thrivent for a reference check, Messier hired a reference checking company to call Thrivent, posing as a prospective employer, and inquire about Messier. In response to this inquiry, Messier’s former supervisor at Thrivent stated that Messier “has medical conditions where he gets migraines. I had no issue with that. But he would not call us. It was the letting us know.” Representing Messier, the EEOC took the position that Thrivent’s response violated the ADA’s confidentiality requirement because the ADA protects medical information learned by an employer through any job-related inquiry.

The Seventh Circuit rejected the EEOC’s position based on the ADA’s plain language. More specifically, the ADA’s confidentiality provision, by its plain terms, applies only to medical inquiries. By contrast, when Messier wrote the November 1, 2006 e-mail to his supervisor at Thrivent, Messier was responding to a generalized inquiry about “what was going on,” not to a medical inquiry. Consequently, Messier voluntarily disclosed that he had suffered a severe migraine, and the ADA did not prohibit Thrivent from re-disclosing that information.

The Seventh Circuit’s ruling is significant because employers can receive information about the medical condition of employees from a variety of sources, particularly with the explosion of self-disclosure in social media. By contrast, the ADA permits employers to make medical inquiries of current employees, or to require employees to undergo a medical examination, only: (a) when an employer has objective evidence to question whether an employee can perform essential job functions; (b) when necessary to evaluate an employee’s request for an accommodation; or (c) when necessary to determine whether an employee poses a direct threat of harm to himself or others.

In other words, like HIPAA, the ADA protects only a subset of employee health information that an employer might receive during the course of the employment relationship. As to this subset, the ADA’s confidentiality provision imposes on the employer a legal obligation to keep the information confidential, maintain it separately from the general personnel file, and limit access to those with a need to know. The Seventh Circuit’s ruling makes it easier for employers to establish policies and procedures to satisfy these legal compliance obligations because the decision narrows and specifically identifies the scope of employee health information that is subject to the ADA’s confidentiality requirement.

The Seventh Circuit’s rejection of the EEOC’s broad reading of ADA confidentiality, of course, does not mean that an employer should be careless with employees’ health information not protected by the ADA or HIPAA. State law, such as California’s Confidentiality of Medical Information Act, may still apply. But even when state law provides no protection, disclosing employees’ health information to those without a need to know exposes the employer to the risk that the information will be used improperly and has the potential to create tension and undercut employee morale. To reduce these risks, employers should remind managers who may receive voluntary disclosures of employee health information to limit their disclosure of that information to those with a need to know.


Why Corporate Counsel Should Lose Sleep Over the Federal Wiretap Act

This article was written by Philip Gordon, and originally appeared in Corporate Counsel Online. Reprinted with permission from ALM Media Properties, LLC.

Once seen only in the shadows of the war against organized crime, the Federal Wiretap Act should now be moving steadily and rapidly toward the top of the corporate compliance checklist. Robust civil remedies, recent court decisions and technological developments have transformed the act's risk profile from a nonevent to a statute worthy of significant attention.

Although principally a criminal statute, the Federal Wiretap Act is unique among privacy laws in that it provides for substantial monetary damages without proof of actual harm.

Under the act, an aggrieved party can recover either actual damages or a statutory minimum award of $10,000 or $100 per day of violation, whichever is greater, plus punitive damages, attorneys' fees and costs. Comparing recent class action litigation involving security breaches with potential class actions involving the Federal Wiretap Act demonstrates the significantly pro-plaintiff aspect of this remedial scheme.

To date, the vast majority of security breach class actions have been dismissed, or resolved in the defendant's favor on summary judgment, because the plaintiff failed to plead or prove that the security breach at issue proximately caused any cognizable damage to class members.

By contrast, under the Federal Wiretap Act, proof that the violation proximately caused cognizable harm is unnecessary, and each individual plaintiff can recover a minimum of $10,000 even in the absence of actual damages.

The act's robust damages scheme triggers a significant risk profile because businesses can now violate the Federal Wiretap Act much more easily and much more frequently than in the past. The act makes it unlawful intentionally to intercept an oral, wire or electronic communication using an electronic, mechanical or other device.

Courts have consistently rejected claims by employees seeking to apply this statutory language to an employer's review of stored e-mail, holding that an "interception" under the act requires the acquisition of the content of an e-mail contemporaneously with transmission, not in storage. Because e-mail, by its very nature, cannot easily be acquired in transmission, this line of authority seemed to insulate employers from the act's rich remedial scheme.

A recent decision by the U.S. Court of Appeals for the Seventh Circuit, however, has raised the specter of substantial civil liability for unlawful interceptions despite extant precedent in the area. In U.S. v. Szymuszkiewicz, the court affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor's Microsoft Outlook "autoforwarding" feature.

As a result, duplicates of the supervisor's e-mail were automatically forwarded to the IRS agent without the supervisor's knowledge or consent. The IRS agent received a sentence of 18 months' probation. The Seventh Circuit's decision turned principally on whether autoforwarding e-mail constitutes an "interception" as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the autoforwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor's e-mail inbox.

The Seventh Circuit's decision is significant for employers because corporate IT departments commonly use Outlook's autoforwarding feature. IT departments, for example, routinely activate this feature after an employee has left an organization, or when an employee is on an extended leave of absence, so that a supervisor or co-worker can promptly respond to e-mail intended for the employee.

It also is not uncommon for corporate IT departments to rely on "e-mail journaling" to create a duplicate set of outgoing and incoming e-mail for archival purposes. Journaling essentially functions the same as autoforwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party's e-mail inbox.

E-mail journaling is a basic tool of electronic discovery as it permits the automated preservation of e-mail. E-mail journaling is particularly useful for preserving the e-mail of an employee who is unaware that he is the target of an investigation because e-mail journaling eliminates the need for the target of the investigation to be involved in preservation efforts.

Additionally, businesses that rely on a third party to archive e-mail often will rely on autoforwarding to transfer e-mail from the corporate e-mail server to the third party's archive server.

Activating Microsoft's autoforwarding feature is just one way that employers can effectuate an interception of e-mail under the Federal Wiretap Act. Increasingly sophisticated e-mail monitoring programs are capable of capturing e-mail content in real-time.

At least two domestic relations cases, for example, have held that one spouse unlawfully intercepted another spouse's e-mail or Internet chat by installing SpectorSoft software, a commercially available real-time monitoring program, on the other spouse's personal computer. Although statistics are not publicly available, a significant number of corporate IT departments likely have installed SpectorSoft or similar real-time, e-mail monitoring products.

Because consent to an interception by one party to a communication is a defense to liability under the Federal Wiretap Act, employers can reduce the risk of liability by providing employees with notice of the IT processes that constitute an interception and obtaining their express or implied consent.

A recent decision by a Texas federal district court, however, demonstrates that relying on an electronic resource's policy that was drafted without the specific purpose of creating a defense to a Federal Wiretap Act claim could be shortsighted.

In that case, Garza v. Bexar Metropolitan Water District, the employee handbook warned employees that the employer "reserved the right to monitor and access any phone or email messages stored on its voicemail and email systems."

The court rejected the contention that this policy language established the plaintiff-employee's consent to the alleged real-time interception of his telephone calls, reasoning that "[d]efendants did not simply listen to [the employee's] stored voice mail messages; instead, they intercepted and listened to entire telephone conversations."

Following this reasoning, an electronic resources policy that informs employees that they have no reasonable expectation of privacy in their e-mail or that the employer reserves the right to monitor or review their e-mail messages (as most such policies typically do) would not provide a basis for establishing consent to the employer's use of Outlook's autoforwarding feature or the interception of e-mail by a real-time monitoring program, such as SpectorSoft.

Consequently, to provide a more robust defense, an employer should consider revising any such policy to specifically explain how and when the employer will intercept e-mail.

Notably, federal courts will not lightly imply consent to an interception that otherwise would violate the Federal Wiretap Act.

As a result, there remains an open question whether a court would find, for example, that an employee who acknowledged receipt of an electronic resources policy on his first day of employment thereby consented to the interception of his e-mail five or ten years later in the course of the employer's investigation of allegations of sexual harassment. To strengthen its position in this regard, the employer can include notification of e-mail interception in a splash screen each time employees log into the employer's computer system.

Revising the employee handbook and using a splash screen or similar warning may not, however, be enough.

Corporate counsel should encourage IT leaders routinely to communicate how and when the corporate IT department is intercepting employees' e-mail. Corporate counsel can then analyze whether the existing policy provides sufficient notice to establish consent to the interception and, if not, can revise the existing notice or provide individualized notice to targeted employees.

One final caveat: The wiretap laws of 13 states — California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington — provide that consent is a defense to an interception only if all parties to the communication consent.

Employers can satisfy this all-party consent requirement in the context of telephone monitoring by distributing a telephone monitoring policy to their own workforce and notifying incoming callers by automated means that their call will be monitored. In the context of e-mail, however, notifying the sender that his e-mail will be intercepted may not be technically feasible.

To be sure, our research has not uncovered any published decision in any of the all-party consent states upholding a criminal conviction or imposing civil liability for e-mail interception. Nonetheless, the risk remains and should be considered before an organization activates autoforwarding, e-mail journaling or real-time e-mail monitoring software.

After Starbucks Laptop Is Stolen, Alleged Victims of Identity Theft Win Pyrrhic Victory

In a recent published decision, the Ninth Circuit court of appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks’ employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.

In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and social security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:

  • One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of-pocket for credit monitoring services once the free service expires.
  • The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
  • The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.

In its decision, the Ninth Circuit addressed the issue of whether the plaintiffs had standing to sue Starbucks. All parties agreed that standing requires a plaintiff to show that: (1) he or she has suffered an injury that is concrete and particularized, as well as actual or imminent rather than conjectural or hypothetical (injury in fact); (2) the injury in fact is fairly traceable to the challenged action of the defendant (causation); and (3) it is likely that the injury will be redressed by a favorable decision (redressability).

Starbucks conceded both causation and redressability, so the Ninth Circuit addressed only injury in fact. It noted that the alleged victim of identity theft would have an injury in fact when he or she faces a credible threat of harm. It then held that each of the plaintiffs below had alleged a credible threat of real and immediate harm stemming from the theft of the Starbucks laptop. In so doing, the Ninth Circuit reached a result similar to that of the Seventh Circuit, but contrary to the application of what appears to be a stricter standard in the Sixth Circuit.

In a second, unpublished memorandum opinion issued the same day, the Ninth Circuit held that even if the plaintiffs' allegations were true, they would not support a claim under state tort or contract law. Under Washington law, said the court, “[t]he mere danger of future harm, unaccompanied by present damage,” was insufficient to support a negligence claim. The court then rejected the plaintiffs’ argument that there was an implied contract between the plaintiffs and Starbucks and dismissed both claims.

Although Starbucks ultimately prevailed, this case underscores three practical lessons. First, employers continue to incur attorneys’ fees, litigation and credit monitoring costs, and the imputed costs associated with staff resources that must be devoted to defending against such class action lawsuits. Second, the prospect of having to incur such costs creates a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. Third, the putative plaintiff class included former employees, highlighting the need to extend safeguards to the personal information not only of current employees but also of job applicants and former employees.

This entry was written by Christopher M. Leh and Philip L. Gordon.