Seattle Limits Inquiries Into and Use of Criminal Records for Employment Purposes

Effective November 1, 2013, Seattle, Washington will join various other jurisdictions (most recently Minnesota, Indiana, North Carolina and Buffalo, New York) that limit inquiries into and the use of criminal records for employment purposes. On June 10, 2013, the Seattle City Council adopted Council Bill 117796 (the Ordinance), which Mayor Mike McGinn is expected to sign. The Ordinance provides for administrative enforcement but affords no private right of action.  Nonetheless, employers with operations or employees in Seattle should review the prohibitions in the Ordinance and should also continue to monitor related developments across the U.S. 

Using criminal record information for employment purposes is currently a hot-button issue.  In addition to the passage of ordinances such as this, earlier this week the Equal Employment Opportunity Commission (EEOC) filed two new disparate impact discrimination lawsuits asserting that the employers used criminal records for employment purposes in a manner that violates Title VII of the Civil Rights Act of 1964. There has also been a considerable spike in class action lawsuits filed against employers for using background checks in violation of the federal Fair Credit Reporting Act (FCRA).

To learn more, please see Littler's ASAP, Seattle Adopts Ordinance Limiting Inquiries Into and Use of Criminal Records for Employment Purposes, by Rod Fliegel, Pam Salgado, Dan Thieme, and Jennifer Mora.

Social Media Password Protection and Privacy -- The Patchwork of State Laws and How It Affects Employers

Shortly after the Littler Report, Workplace Policy Institute: Social Media Password Protection and Privacy -- The Patchwork of State Laws and How It Affects Employers, by Phillip Gordon, Amber Spataro, and William Simmons was published last month, the legislatures of Arkansas, Colorado, Oregon, and Washington passed social media password protection bills. In addition, New Jersey's Governor conditionally vetoed the bill passed by that state's legislature. The revised Littler Report addresses these new developments. We also have revised our proposed model legislation in light of these developments.

To read the updated Littler Report, click here.

New Employee Privacy Law in Virginia Goes Into Effect July 2013

By Thomas Flaherty and Rebecca Roche

Virginia has enacted a new law that is intended to enhance employee protections, particularly during union organizing drives in the Commonwealth.  Effective July 1, 2013, the law limits those situations in which an employer may be required to disclose certain information to third parties about current and former employees.  Delegate Barbara Comstock, who spearheaded this law, calls it “...a victory for the rights of workers and for protecting employees in the workplace.”

The bill, entitled “Keeping Employees’ Emails and Phones (KEEP) Secure Act,” carries the title and tracks the language of a bill introduced in the U.S. Congress in February 2012 by Rep. Sandy Adams (R-FL), which would have prevented the National Labor Relations Board (the NLRB or Board) from implementing a rule requiring employers to provide to a union or the Board employee telephone numbers or email addresses. The federal bill did not pass. The Virginia law provides that employers cannot be “required to release, communicate, or distribute” to third parties personal identifying information (defined as home and mobile telephone numbers, email addresses, shift times and work schedules) about current or former employees, unless required by federal or state law, ordered by a court of competent jurisdiction, required pursuant to a warrant, or required by a subpoena or discovery in a civil case.  These exceptions may largely swallow the rule, particularly if the NLRB changes the election procedures under the National Labor Relations Act (the NLRA) to include, among other things, a requirement that employers disclose employees’ phone numbers and email addresses to labor organizations once an election has been ordered.

Anticipated Legal Challenges

KEEP is an apparent response to an NLRB representation election rule that was proposed in June 2011, initially requiring employers to provide a final Excelsior list that includes employees’ names, addresses, telephone numbers, and email addresses to the union within two days after the representative election is scheduled.  Although the NLRB historically has held that unions engaged in organizing campaigns are entitled to employee lists, they have only required that employers provide names and addresses of all eligible bargaining unit employees after an election is scheduled.  The proposed rule would have significantly expanded the amount of personal information that employers are required to provide.  The final rule, which was issued in December 2011 and was subsequently enjoined, does not contain these enhanced provisions regarding Excelsior lists; however, NLRB Chairman Mark Pearce has stated his intention to continue seeking these additional rule changes.  An update on this issue, which was recently addressed at a Senate HELP Committee Hearing, can be found here.

While KEEP’s strict definition of “personal identifying information” does not conflict with the existing Excelsior rule, if the NLRB changes this rule as proposed, KEEP could become the subject of a preemption battle, focusing on whether such disclosures are “required” by federal law and therefore within the exemption.

Recommendations for Virginia Employers

Pending the outcome of any court challenges, employers in Virginia should consult with counsel to ensure that their practices and policies comply with the new law.  Employers also should monitor developments at the NLRB and in the courts, and revise their policies concerning the confidentiality of personal data and work schedules, and access to personnel files, and similar policies commonly contained in employee handbooks and manuals to ensure information is not released in violation of KEEP.  Employers also should provide training to human resources professionals who are charged with overseeing employee files to ensure that they understand these new obligations.

Additionally, employers should be mindful that KEEP does not prohibit the disclosure of private employee data if an exception does not apply; it merely states employers cannot be “required” to release such information.  Therefore, employers have the discretion to decide their internal policies regarding voluntary disclosure of employee data in circumstances not covered by the Act.  That said, KEEP articulates a public policy of the Commonwealth of Virginia, which means it may be cited by plaintiffs’ attorneys in negligence cases and public policy wrongful discharge cases, among others.  It will be important to ensure that human resources managers are aware of the terms of the statute.

Patchwork of Social Media Password Protections Laws Impacts Employers

Social media websites such as Facebook, Twitter, LinkedIn and others have become a part of daily life in the United States and abroad. The unavoidable reach of social media into our personal lives has extended into our professional lives. Facebook claims to have more than 1 billion users. As of December 31, 2012, LinkedIn boasted more than 200 million registered users in over 200 countries and territories and that LinkedIn members performed "over 5.7 billion professionally-oriented searches on the platform in 2012." It is reasonable to infer that those 5.7 billion searches were not limited to individuals seeking jobs, professional connections or merely long lost friends, but also included employer representatives searching for qualified candidates.

In the last decade, most employers, at some point, have reviewed an employee's or applicant's emails, blogs or online social media postings, either in the capacity of "employer" or perhaps as a "friend." Social media monitoring service Reppler recently surveyed over 300 hiring professionals to determine when and how job recruiters are screening job candidates on different social networks. The study found that more than 90 percent of recruiters and hiring managers have visited a potential candidate's profile on a social network as part of the screening process. Moreover, 69 percent of recruiters have rejected a candidate based on content found on his or her social networking profiles—an almost equal proportion of recruiters (68%), though, have hired a candidate based on his or her presence on those networks.

Employers' access to applicants' and employees' social media activity raises two separate but related questions. First, what social media sites can employers lawfully access to obtain information about applicants and employees? Second, to what extent can employers lawfully rely on information obtained through social media to make employment decisions? The second question raises the types of anti-discrimination concerns that employers have been confronting in the off-line world for decades. However, the first question exposes employers to a completely new legal landscape, one which just began to evolve in April 2012, when Maryland enacted the Nation's first "social media password protection law" and has expanded in the past year to include six additional states—California, Illinois, Michigan, New Jersey, New Mexico, and Utah. With password-protection legislation pending in over twenty state legislatures, this legal landscape undoubtedly will become more complex, especially for multi-state employers, over the next one to two years.

To learn more about the history and background of social media password protection legislation, the differences between the state laws, and how those differences create challenges for employer compliance, please see Littler's Report, Workplace Policy Institute: Social Media Password Protection and Privacy — The Patchwork of State Laws and How It Affects Employers, by Phillip Gordon, Amber Spataro, and William Simmons.

New Jersey Poised to Enact the Most Aggressive Social Media Password Protection Law to Date, Adding to a Patchwork of Conflicting Laws Across the U.S.

By Philip Gordon

New Jersey is expected to shortly join California, Illinois, Maryland, Michigan, and Utah in prohibiting employers from seeking employee or applicant passwords to social media accounts or services. New Jersey’s General Assembly passed its bill on March 21, 2013, and that bill now awaits signature by Governor Christie. Although there is no indication from the governor whether he intends to sign the bill, ignore it, or veto it, any action other than signature would simply be symbolic and almost certainly overruled (the General Assembly passed the bill 75-2). New Jersey’s law is more pro-employee/applicant than any such law enacted to date, providing the broadest protections, the narrowest exceptions, and the most generous remedies.

Specifically, the New Jersey bill would prohibit an employer from requesting or requiring, as a condition of employment, that a current or prospective employee “provide or disclose any user name or password, or in any way provide the employer access to,” any personal social networking account, service or profile. The phrase “in any way provide the employer access to” appears to prohibit New Jersey employers not only from “shoulder surfing,” i.e., reviewing social media content by observing the individual’s access without requesting login credentials, but also goes one step further. The bill apparently would prohibit an employer from asking an employee who complains about the social media activity of a coworker, such as online sexual harassment, for access to the complaining employee’s personal social media account to observe what the alleged harasser posted. Moreover, unlike similar laws in California, Michigan, and Utah, the New Jersey bill contains no exception for workplace investigation into suspected unlawful conduct or violations of employer policies. Notably, the New Jersey bill does not contain even a narrower exception, such as the one in Maryland’s law, which includes a carve-out for investigations into suspected violations of securities laws or regulations or into suspected misappropriation of trade secrets.

The New Jersey bill adds a new prohibition not seen in any prior law that actually could be detrimental to job applicants and employees. Specifically, employers cannot “[i]n any way require or request that a current or prospective employee disclose whether the employee has a personal account.” Consequently, were an employer to search publicly available social media content for information about an employee or applicant and discover negative information that might relate to the applicant or employee, such as racist comments or a predilection for sex with minors, the employer could not ask whether the account where the content is posted is, in fact, the applicant’s or employee’s personal account. Moreover, if the employer does inquire and the applicant or employee refuses to confirm or deny whether he or she posted the offensive social media content, New Jersey’s law would make it a violation for the employer to then take adverse action based on the individual’s refusal to respond. In other words, the employer would be worse off if it tried to “do the right thing” and attempted to verify the authenticity of information that, if true, would lead to an adverse employment action.

The New Jersey bill also has the most generous remedial scheme. “Facebook” laws in Maryland and California do not expressly provide a private right of action. By contrast, the New Jersey bill confers a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. While the laws in Utah and Michigan also confer a private right of action, damages are capped at $500 and $1,000 per violation, respectively. Illinois’ law does not cap damages; however, it requires that applicants or employees first attempt to resolve their complaint through the state labor department. No such administrative exhaustion requirement applies under the New Jersey bill.

To be sure, once the bill is enacted, as appears likely, it will not entirely handcuff New Jersey employers from performing investigations and background checks necessary to run a safe and efficient operation without running afoul of the law. However, before investigating information present on an employee's or applicant's "personal account," human resources professionals are encouraged to seek guidance from inside or outside counsel to ensure compliance with this proposed law. If approved, the law will go into effect on the first day of the fourth month following its enactment.


Colorado's Marijuana "Legalization" Amendment Task Force OKs Recommendation to Permit Employers to Terminate Employees for Off-Duty Marijuana Use

By Chris Leh

On February 5, 2013, a task force convened by Colorado’s governor to address issues arising out of Amendment 64, a state constitutional amendment that purports to legalize the recreational use of marijuana by adults in Colorado, recommended that “employers may maintain, create new, or modify existing policies in response to the passage” of the law. The recommendation is a preliminary signal that even as the state liberalizes its marijuana laws concerning medical and recreational use, employers still may regulate all marijuana use, even off-duty and off-premises use, by their employees.

In 2000, Colorado voters approved Amendment 20, which created a legal framework regarding medical marijuana. The law did not purport to legalize the drug. But those who suffered from “debilitating medical conditions” and whose physicians stated that they “might benefit from the medical use of marijuana” could obtain state registry cards that permit them to possess, grow, and use small amounts of the drug for medicinal purposes. Amendment 20 immunized users and their caregivers from prosecution for minor state law marijuana crimes. It contained a single brief reference to employment issues: “Nothing in this section shall require any employer to accommodate the medical use of marijuana in any work place.” During the 12 years since Amendment 20’s passage, Colorado employers have continued to create and enforce zero-tolerance policies and discipline employees for testing positive for marijuana, whether they were medical marijuana patients or not. With the exception of a case in which the drug test of a medical marijuana patient failed to pass statutory muster to support disqualification for unemployment benefits, the Colorado Court of Appeals has supported this approach.

On November 6, 2012 (as we have discussed here and here), voters in Colorado and Washington approved ballot measures purporting to legalize the distribution, possession, and use of small amounts of marijuana for recreational purposes. Colorado’s Amendment 64 expressly reiterated that it does not “require an employer to permit or accommodate the use, consumption, possession, transfer, display, transportation, sale or growing of marijuana in the workplace." But it provides additional protections for employers. For example, Amendment 64 acknowledges the right of employers and others who occupy, own, or control a property to prohibit the use, possession, and transfer of marijuana there. Amendment 64 affirms prohibitions on driving while impaired by, or under the influence of, marijuana. Most importantly, however, the measure disclaims any intent to "affect the ability of employers to have policies restricting the use of marijuana by employees."

One crucial issue for Colorado employers is the effect of Amendment 64 on their ability to continue to enforce their policies prohibiting marijuana use by employees. With some exceptions, Colorado’s so-called “Lifestyle Discrimination Statute” prohibits employers from discharging employees for engaging in lawful, off-premises activities during non-working hours. The prevailing view among Colorado employers is that because the possession and use of marijuana for any purpose is illegal under federal law, an employee’s possession or use of marijuana off-site and off-duty does not fall within the scope of the law. Consequently, termination for a positive drug test is legal.

Although there is no controlling case law on the issue, Colorado courts have provided some indirect guidance. In 2011, for example, in Beinor v. Industrial Claims Appeals Board, the Colorado Court of Appeals, in a 2-1 decision, held that an employee terminated for testing positive for marijuana in violation of a zero-tolerance policy may be denied unemployment compensation even if the worker’s use of marijuana is considered “medical use” under state law, and even in the absence of the worker’s impairment. Notably, the court reserved the question of whether Amendment 20 prohibited an employer from discharging an employee for using medical marijuana. A vigorous dissent argued that Amendment 20 did not “encompass the presence of marijuana in one’s blood after the lawful use of medical marijuana at home.”

On December 10, 2012, Colorado Governor John Hickenlooper signed an executive order creating the Task Force on the Implementation of Amendment 64. The task force’s mission is “to identify the legal, policy and procedural issues that need to be resolved, and to offer suggestions and proposals for legislative, regulatory and executive actions that need to be taken, for the effective and efficient implementation” of the Amendment. Comprised of 24 state legislators, executive agency officials, and other stakeholders, the task force is addressing various issues, including the “impact of Amendment 64 on employers and employees and the Colorado economy.” The task force soon will report its recommendations to the governor, the state legislature, and the state attorney general.

On February 5, 2013, the task force considered a recommendation concerning Amendment 64’s impact on employers and employees:

The plain language of Amendment 64 Section 6(a) makes it clear that the intent of the voters was to maintain the status quo for employers and employees, and that employers may maintain, create new, or modify existing policies in response to the passage of the measure. The Amendment 64 Implementation Task Force recommends that employers should be encouraged to review current drug free workplace policies, including but not limited to hiring, sanctioning, termination and drug testing, in response to passage of the measure.

As expected, employee advocates argued that Amendment 64 changed the status quo to give off-the-job pot use the same kind of protection as alcohol use. They also contended that, although employers could restrict marijuana use by employees, they could not prohibit it. On a majority vote, however, the task force accepted the recommendation.

Although the task force’s recommendation lacks the force of law, its implications for employers are important:

  • Under Amendment 64, the rights of a person to use and possess small amounts of marijuana for recreational purposes do not trump the rights the amendment reserves to employers to restrict possession and use by their employees, whether that use is on-duty or off-duty, and whether it is for medical or recreational purposes.
  • Employers should review and update their drug policies to ensure that employees understand that they apply to the use of all drugs that are illegal under state or federal law, including marijuana.
  • Employee advocates in Colorado are likely to mount legal challenges on behalf of employees terminated for testing positive for marijuana they used while outside the workplace and during non-working hours. 
  • Employers in other states seeking to enact liberalized marijuana laws should work vigilantly to ensure that those measures include strong, clear protections so they will be able to maintain, change, and enforce their drug-free workplace, zero-tolerance, random drug testing, and related policies.

The recommendation augurs well for employers as the debate over the liberalization of marijuana laws continues.

Michigan's New "Social Media Password Protection" Law Multiplies the Challenges for Employers Seeking to Investigate Employees' Social Media Misconduct

By Philip Gordon

Joining California, Illinois, and Maryland, Michigan has enacted its own social media password protection law, which went into effect with the governor’s signing of the bill on December 28, 2012. Michigan’s law, like the others, generally prohibits employers from gaining access to applicants’ or employees’ personal social media accounts. At the same time, Michigan’s law initiates the proverbial “patchwork” of state laws in this area as it introduces important distinctions from the three state laws that preceded it. The headaches, however, are not reserved for multi-state employers trying to implement a uniform strategy for investigating reports of employees’ social media misconduct. Michigan-only employers also will need to grapple with a range of interpretive challenges.

Michigan’s new law, dubbed the “Internet Privacy Protection Act” (IPPA or the “Act”), lays down three straightforward prohibitions. First, employers cannot ask applicants or employees for the user name and password or other log-in credentials to gain access to any of the individual’s personal, Internet-based accounts, i.e., an account for which the user restricts access to content by way of log-in credentials. Second, the Act bars employers from asking applicants or employees to “allow observation of” their account, a practice commonly called “shoulder surfing.” Third, the Act prohibits employers from asking applicants or employees to “grant access to” their personal accounts, thereby barring employers from reviewing content without asking for log-in credentials and without shoulder surfing. Employers can take no adverse action against an applicant or employee who refuses a request in violation of the Act. These prohibitions apply not just to social media accounts but to all Internet-based accounts, including e-mail and cloud storage accounts. All employers, regardless of size, are subject to the Act’s restrictions.

While airtight at first blush, the IPPA’s wall around applicants’ and employees’ personal accounts is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s or in an applicant’s personal account. The Act prohibits access only to the personal content of the applicant or employee who is the subject of the request. Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct or compromising Internet postings by a job applicant.

The Act’s express exceptions also create important gaps in the facially broad prohibition. Like California’s law, the IPPA permits an employer to ask an employee for access, by any means, to the employee’s personal account as part of an investigation into workplace misconduct but only “[i]f there is specific information about activity on the employee’s personal internet account.” This exception would, for example, permit an employer to ask an employee for log-in credentials where a coworker reports a social media post that threatens workplace violence or contains racially derogatory comments about the coworker. Like the Maryland law, the Act also permits employers to request access to employees’ personal accounts if the employer has specific information that the employee is using the personal account to misappropriate the employer’s confidential business information. Finally, the Act’s prohibitions do not apply when an employer has a duty under federal law, or to comply with a self-regulatory scheme established under the Securities and Exchange Act, to screen applicants or monitor or retain certain employee communications.

Like the password protection laws that preceded it, the IPPA carefully carves out the employer’s own systems and equipment from the Act’s purview. The Act does not bar Michigan employers from requesting, in any way, access to any device or account provided, or paid for, by the employer, or from monitoring or accessing communications or information stored on employer-provided devices, communications networks, or information systems.

Importantly, Michigan’s law contains unique provisions that should serve as a model for future legislation in the area. The Act expressly “does not create a duty” for employers to search or monitor employees’ personal Internet activity and discharges employers from liability for failing to request an applicant’s or employee’s log-in credentials. In other words, the victims of workplace violence presaged by the perpetrator-employee’s ranting social media content could not assert a negligence claim against the employer based on the employer’s failure to ask the perpetrator for access to his personal social media account. While the exact contours of these provisions are unclear, they provide important protections for employers.

The IPPA’s remedial provisions, though relatively weak, do have the potential to deter violations. Most importantly from a deterrence perspective, the Act exposes individual employees to criminal prosecution for a misdemeanor offense, but the punishment is limited to a fine of not more than $1,000. Similarly, the Act’s civil remedy provisions cap damages at $1,000 plus an award of attorneys’ fees and costs. Potential plaintiffs must serve a written demand on the employer at least 60 days before asserting the claim. This provision gives employers the opportunity to forestall a claim by offering $1,000 in response to a demand.

In sum, Michigan employers should be able to obtain information about employees’ Internet conduct in many circumstances where they need it. However, before investigating an employee’s or applicant’s personal Internet activity, they should carefully scrutinize the precise contours of the IPPA’s prohibitions to avoid exposing human resources professionals to a potential misdemeanor prosecution.

For additional discussion about the law, please see Littler's ASAP, Michigan's New "Internet Privacy Protection Act" Sets Limitations for Employers and Employees, by William Balke and Philip Gordon.


Littler Mendelson's Workplace Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About What Obama's Second Term Means for Privacy Law

Privacy law stands as one of the most discussed areas of law during President Barack Obama’s first term in office. Though a lot of action was seen, not all of it is attributable to the president, and the same may hold true during his second term. In an interview with the LexBlog Network, Philip Gordon, Chair of Littler’s Workplace Privacy and Data Protection Practice Group, offers his thoughts on what the realm of privacy law will look like over the coming years—at both the federal and state level.

Illinois Supreme Court Recognizes Privacy Tort & Holds Employer Liable Under Agency Law

On October 18, 2012, the Illinois Supreme Court delivered a very important decision for Illinois employers in Lawlor v. North American Corporation of Illinois, Case No. 112530 (Oct. 18, 2012). The court not only confirmed that the tort of intrusion upon seclusion is recognized in Illinois, it also applied principles of agency law to find an employer liable for the torts of a non-employee private investigator because the investigator was acting as the employer's agent. To learn more about the decision, please see Littler's ASAP, Illinois Supreme Court Recognizes Privacy Tort and Holds Employer Liable Under Agency Law, by David Haase, Kathryn Siegel, and Ethan Zelizer.

California's New Social Media "Password Protection" Law Takes a More Balanced Approach by Accounting for Employers' Legitimate Business Interests

Under a new California law, employers cannot request or require that applicants or employees:

  • Disclose social media log-in credentials;
  • Access personal social media in the employer’s presence; or
  • Divulge any personal social media content.

However, an exception permits employers to ask an employee to divulge personal social media content that the employer “reasonably believe[s] to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, California’s New Social Media “Password Protection” Law Takes a More Balanced Approach by Accounting for Employers’ Legitimate Business Interests, by Philip Gordon and Lauren Woon.

California (Surprisingly) Becomes First State to Take a More Balanced Approach to Social Media "Password Protection" Laws

By Philip L. Gordon

Following the lead of Maryland and Illinois, California’s legislature, last week, sent to the governor for signature the nation’s third “password protection” law. Unlike the Maryland and Illinois laws, California’s pending statute takes into account employers’ legitimate business interests.

The Illinois law broadly prohibits employers from requesting or requiring that applicants or employees disclose their personal social media log-in credentials. Maryland’s law has two narrow exceptions for investigations into suspected securities violations or misappropriation of trade secrets, without any legislative findings explaining why these two categories of workplace misconduct should be exempted from the statute’s purview while other forms of workplace misconduct, such as a threat posted on social media to kill co-workers, is not. Earlier versions of the California bill, like the Illinois law and more than one dozen bills currently pending in other states, imposed a blanket prohibition on all employer requests for personal social media log-in credentials, without consideration of employers’ legitimate need to make such requests. In a July article entitled, “Rethinking and Rejecting Social Media Password Protection Laws,” we challenged the myopic view implicit in these laws and bills, i.e., that employers rarely or never have a good reason to investigate the content of an applicant’s or employee’s restricted-access social media site.

Subsequently, the California legislature, often hostile to employer interests, amended its then-pending bill to adopt a more balanced and reasonable approach. The approved bill does generally prohibit employers from requesting or requiring that employees or applicants (a) disclose their user name or password to gain access to personal social media content; (b) access their personal social media in the employer’s presence, i.e., permit “shoulder surfing;” or (c) divulge any personal social media, which apparently would bar an employer from asking an employee to provide the personal social media content of a co-worker who is a Facebook friend. At the same time, however, the pending law permits employers to request that “an employee divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

While this exception is a vast improvement over the Illinois and Maryland laws, California employers should beware that the exception does not open the door all the way. To begin with, the exception does not apply to job applicants. Thus, even if a current employee were to report seeing racist or threatening content on a job applicant’s restricted-access social media site, a California employer still could not gain access to the troublesome social media content unless the reporting employee voluntarily provided it. In addition, employers remain barred from asking current employees to disclose their social media log-in credentials or to permit the employer to “shoulder surf.” Nevertheless, the exception does permit California employers to ask a co-worker to provide content from the personal social media site of an employee suspected of misconduct.

California employers also should note that the California law, like the Illinois and Maryland laws, appears to have an unintended and unsupportable consequence in the context of litigation. These statutes impose no restriction on an employer’s ability to request in civil discovery that a former employee produce personal social media log-in credentials; however, all three statutes bar such requests in litigation with a current employee. Obtaining log-in credentials can be important in employment litigation so that employers’ counsel can confirm that the current or former employee has produced all discoverable information posted on his or her restricted-access social media page.

California’s pending password protection law has another unusual twist. The bill expressly relieves California’s Labor Commissioner from having to investigate complaints that the law has been violated, whereas the Labor Commissioner is required to investigate certain other violations of the Labor Code. The pending law itself also does not create a private right of action. Consequently, it remains unclear what remedies an employee could pursue were the Labor Commissioner to decline to investigate.

Employers should expect other states to enact this form of popular legislation. If the password protection laws that are on the horizon are to follow California’s more balanced approach rather than the draconian Illinois law, employers and employer groups will need to highlight the critical distinctions between the two laws through participation in the legislative process.

Photo credit: Asilvero

Newly Enacted New York Law May Open Trap for Unsuspecting Employers

By Philip Gordon and Sarah Moss

[NOTE: This blog post replaces an earlier entry and provides a more detailed discussion of the new New York law.]

On August 14, 2012, New York Governor Andrew Cuomo signed into law a bill intended to reduce the risk of identity theft by generally prohibiting private entities from requesting or requiring an individual to provide his or her Social Security number (SSN) in connection with almost any activity. The law, General Business Law section 399-ddd, contains several exceptions to this general prohibition, including exceptions where the request is “for purposes of employment” or “a lawful request for a consumer report or investigative consumer report.” However, these exceptions do not appear to encompass the entire hiring process.

By its plain terms, the “employment purposes” exception includes requests during “the course of administration of a claim, benefit, or procedure related to the individual’s employment by the [employer], including the individual’s termination from employment, retirement from employment, injury suffered during the course of employment, or to check on an unemployment claim of the individual.” All of the activities listed in the exception presuppose an existing or pre-existing employment relationship between the employer and the person who is being asked to disclose his or her SSN. In other words, this exception does not appear to address the hiring process at all.

The exception for consumer and investigative consumer reports covers the various types of pre-employment background checks — such as criminal history, motor vehicle records, and educational and prior employment checks — that most employers now conduct through a pre-employment screening firm. Significantly, the terms “consumer report” and “investigative consumer report” apply only to background checks conducted by a third-party consumer reporting agency. Consequently, the new law appears to prohibit employers from requesting an applicant’s SSN so that the employer can conduct its own background check. This exception’s narrow scope means that an employer cannot rely on it to justify a request for an applicant’s SSN on any form besides a background check authorization form or at any other point in the hiring process.

It is possible that additional legislative materials to be published several weeks after the new law takes effect on December 12, 2012, will clarify this issue. (Note: There are two different sections numbered 399-ddd that take effect this year. Section 399-ddd – Confidentiality of Social Security Numbers – is a distinct statute on the confidentiality of Social Security numbers; amendments to this statute take effect on November 12, 2012. These amendments are directed at restricting access by inmates to SSNs and are not relevant to employers. The statute discussed here is section 399-ddd – Disclosure of Social Security Numbers – which takes effect on December 12, 2012.)

However, if the apparent meaning of the statute reflects the legislature’s actual intention, many New York employers likely would be required to materially revise their hiring process. For example, the box or field seeking an applicant’s SSN would have to be removed from the job application. Moreover, any request for an applicant’s SSN on any form besides the authorization form for the employer to procure a background check from a background check vendor would need to be eliminated. Oral requests for applicants’ SSNs would be prohibited. While these changes already have been adopted by many employers seeking to avoid unnecessary collection of the SSN, these practices are not universal.

Unsuspecting employers face potentially substantial penalties for violating this law. Although there is no private right of action, the New York Attorney General can recover a civil penalty of up to $500 for each infraction. Given that a job application which requests the SSN could, for a large employer, result in thousands of violations, the potential exposure is significant.

New York employers will need to scrutinize their organization’s collection of the SSN in the hiring process. Employers who request the SSN in the job application process, or who conduct background checks other than by requesting a consumer or investigative consumer report, before making a conditional offer of employment will need to carefully consider whether to revamp those procedures to avoid the risk of potentially large penalties that could be imposed under new section 399-ddd.

Photo credit: Kameleon007

Recently Enacted New Jersey Law Shines Spotlight on Critical Social Media Issue for Healthcare Employers

By Philip Gordon and Inna Shelley

When the photographs and videos flooding social media include images of patients or the victims of an accident or crime, it gives human resources professionals, compliance officers and in-house employment counsel at health care facilities heartburn and forces them to spring into action. In the past several years, dozens of snap-happy health care workers have been fired for using smartphones to photograph patients and then upload the images to their social media page. One startling illustration of this phenomenon occurred when emergency room workers and staff at a medical center in California photographed an urgent care patient’s gruesome stab wounds and posted the photos on the web. In another example, an Oregon nursing assistant received an eight-day prison sentence after posting graphic photographs of nursing home residents on her social media site. Given these types of stories, it is not surprising that, according to a PricewaterhouseCoopers study published in April 2012, 63% of health care consumers expressed concern about personal health information being shared in public.

Many health care workers mistakenly believe that posting a patient’s image on a social media site does not violate HIPAA’s privacy requirements if the post excludes the patient’s name and other identifying information. To the contrary, an image that includes a patient’s face is not de-identified under HIPAA; full-face photographs are among the identifiers that HIPAA’s safe-harbor de-identification standard expressly requires to be removed. Even when the face is obscured, the image still could be entitled to protection under HIPAA if the patient reasonably could be identified, for example, where the image reveals a distinguishing tattoo or scar.

Beyond the privacy issues, snap-happy health care workers undermine patient perceptions of a provider’s quality of care. Patients are left to ask themselves why health care workers are taking pictures when they should be providing care. These unauthorized photo shoots also show a fundamental disrespect for the patient, creating the impression that patients are being used for the health care workers’ entertainment.

On August 8, 2012, New Jersey took a step towards addressing this problem by criminalizing unauthorized photo shoots at emergency and accident scenes. Under the new law, first responders are prohibited from taking pictures or video of victims and from disclosing such images without the victim’s consent. First responders covered by the new law include: law enforcement officers; paid or volunteer firefighters; paid or volunteer members of a duly incorporated first aid, emergency, ambulance, or rescue squad association; or any other individual who, in the course of their employment, is dispatched to the scene of an accident or emergency to provide medical care or other assistance. The new law’s broad definition of “disclose” covers, among other actions, the posting of an image on the Internet. Underscoring the importance of establishing workplace policies on the issue, the new law allows first responders to take images at emergency scenes in accordance with their employers’ rules, regulations, or operating procedures.

Violation of the New Jersey law is classified as a disorderly conduct offense. In addition, a person whose image is unlawfully taken or disclosed can recover from the first responder minimum liquidated damages of $1,000 per violation or actual damages, whichever is greater, as well as punitive damages and reasonable attorneys’ fees. These remedies are in addition to any other right of action or recovery that may be available under New Jersey law.

While the New Jersey law does not apply to most health care workers, it highlights the public indignation over a practice that reflects poorly on all health care providers. Even health care employers outside of New Jersey and without employees who fall within the new law’s definition of “first responder” should confirm that their policies adequately restrict employees from posting images of patients on the Internet. One such policy provision could be to prohibit employees from using a personal cell phone, smartphone, tablet or camera to take any photographs or video recordings of patients, or to post such images to the Internet.

Image credit: Pablo del Rio

Re-Thinking and Rejecting Social Media "Password Protection" Legislation

Reproduced with permission from the HR Library. Copyright © 2012 The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By Philip Gordon and Lauren Woon

The story went viral, and legislators around the country caught the virus. On March 21, 2012, the Associated Press reported a few incidents where employers had requested or required log-in credentials from applicants or employees to access their personal social media account. Over the next three weeks, more stories were published; some regurgitating the incidents originally reported by the A.P., and others reporting on additional, alleged inquiries. The media frenzy stoked public outrage. Legislators around the country and in Congress sought to ride the wave of public sentiment by introducing legislation to slam the door on the perceived abuse. The result has been one state law as well as bills pending in eleven states and in Congress that are unnecessary, radically rewrite the law of privacy, and unfairly expose private employers to potential liability.

Social Media “Password Protection” Laws Are Unnecessary

Neither the A.P. article nor any other article from a major U.S. news outlet comprising the media frenzy of spring 2012 cites a single study proving that private employers routinely ask applicants or employees for log-in credentials to their personal social media accounts. In fact, a careful review of the anecdotal “evidence” contained in these news stories demonstrates that the exact opposite is true. All of the media coverage combined reported one instance in which a private employer requested log-in credentials. All but this one reported incident involved public employers, such as corrections departments and police forces. The overwhelming buzz drowned out this distinction.

The only empirical data of which we are aware is fully consistent with this anecdotal evidence demonstrating that private employers do not ask for log-in credentials. Littler Mendelson’s Executive Employer Survey Report, published in June 2012, asked nearly 1,000 C-suite executives, corporate counsel, and human resources professionals from corporations throughout the United States and ranging in market capitalization from less than $1 billion to more than $4 billion the following question: “Has your organization requested social media logins as part of the hiring or onboarding process?”1 The response: 99% of respondents answered the question in the negative.

In sum, at least as far as private employers are concerned, there is no proven need for password protection laws. Both the available anecdotal and empirical evidence, albeit limited, compels the conclusion that private employers are not asking applicants or employees for personal social media log-in credentials.

Social Media “Password Protection” Legislation Radically Rewrites the Common Law of Privacy

The one password protection bill that has been enacted, in Maryland, as well as the password protection legislation pending in eleven states — California, Delaware, Illinois, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington — and in Congress, generally prohibit employers from requesting or requiring that employees or applicants provide the log-in credentials for a personal social media account. The underlying premise of these bills is that an employer invades an applicant’s or employee’s privacy by viewing content on a restricted access social media account without the voluntary consent of the account holder. Digging one step deeper, these bills, at their core, are saying that the content of a restricted access social media account is private no matter how many people the user invites to view that content and regardless of the relationship between the user and the viewer. Put more plainly, these bills declare, for example, that a Facebook user who has more than 500 “friends,” including current and former supervisors and other executives at his current employer, can establish the “privacy” of his content by using Facebook’s privacy settings to restrict access to “Friends Only.”

No court has ever construed the tort of invasion of privacy by intrusion upon seclusion so broadly. That tort requires, in the first instance, a “private fact” which can be the subject of an intrusion. The vast majority of courts have held that, if the fact that is the subject of the claim has been disclosed to even a small number of people not under a legal or contractual obligation of confidentiality, the fact is not private and the intrusion upon seclusion claim fails.2 To be sure, a small number of cases have permitted an intrusion upon seclusion claim to proceed even though the plaintiff had shared the private fact with others. However, in virtually all of these cases, the private fact was shared within a group that had a very specific relationship with the plaintiff, such as co-workers or participants in an in vitro fertilization program.3 We are not aware of any case holding that facts disclosed to dozens or hundreds of people who do not form a cohesive group are private from a private employer, especially when that group includes management-level employees of the employer who is the defendant on the privacy claim. In sum, the password protection laws create a “ring of privacy” with a circumference that is far larger than any court has recognized to date.

Notably, the one reported case where a jury considered whether an employer committed an intrusion upon seclusion by accessing two employees’ restricted-access social media site resulted in a verdict on that claim for the employer. In that case, Pietrylo v. Hillstone Restaurant Group, a group of employees at a Houston’s restaurant (the chain owned by the Hillstone Restaurant Group) established an invitation-only, password-protected MySpace page.4 In the words of the site’s founder, the page would permit group members to “vent about any BS we deal with [at] work without any outside eyes spying in on us.” The founder emphasized in his first post that “[t]his group is entirely private.” Houston’s accessed the site after a group member shared her log-in credentials with management. After viewing the venting about the company, management, and customers, the restaurant fired the site’s founder and another group member. Both responded by suing Hillstone for, among other claims, violating the federal Stored Communications Act (the “SCA”) and common law invasion of privacy.

While the jury’s verdict for the fired employees on their SCA claim has received substantial press and academic attention, the jury’s verdict for Hillstone on the invasion of privacy claim seems to have been lost in the shuffle. The jury’s verdict form reveals the jury rejected that claim based on its finding that the fired employees did not have a reasonable expectation of privacy in the content they posted on their site. The jury reached this conclusion despite the password protection, despite the invitation-only rule, and despite the founder’s pronouncement that the site was “entirely private.” A fair inference is that the jurors believed the fired employees could not reasonably expect privacy in content that was available to numerous group members and that could be further disclosed by any group member to anyone, including journalists, without restriction.

Legislators, of course, are free to create a public policy that overturns decades of common law jurisprudence, particularly when necessary to address new technology not yet considered by common law courts. However, the validity of a new public policy should be closely scrutinized when there is no apparent need for it, it is so broad that it leads to absurd results, and, as explained below, it potentially exposes all private employers to substantial liability.

Social Media Password Protection Legislation Exposes Private Employers to Liability

Legislators appear to have been so swept up by the media frenzy over the perceived, but unproven, injustice of private employers asking for personal social media log-in credentials that they drafted legislation with little consideration of employers’ legitimate interests. To illustrate the point, virtually all of the pending password protection bills applicable to private employers prohibit requests for personal, social media log-in credentials without exception. In other words, these bills effectively find that private employers never have a legitimate business reason to require, or even request, such log-in credentials.

Notably, the one state which has actually enacted a password protection law recognized that a blanket prohibition is unjustified. Under Maryland’s password protection law, an employer can ask for personal social media log-in credentials when needed to investigate securities law violations or a misappropriation of trade secrets. Delaware’s pending bill, alone among the pending bills, carves out an exception for securities-related investigations.

These exceptions, however, are unjustifiably narrow. There is no reasoned basis for distinguishing between investigations into securities fraud or misappropriation of trade secrets and those into other forms of unlawful or even criminal conduct. To illustrate the point, in all states, including Maryland, an employer could not fully investigate potential workplace violence. The password protection legislation would prevent an employer from going to the source if an employee were to report that a co-worker had posted on his restricted-access social media account the following: “I’m so angry I want to kill my boss” or “I hate work. I’m gonna blow the place up.” Thus, the employer would lose the benefit of critical information, such as the context of the post and other indicia of the seriousness of the threat revealed by the actual content.

It is unclear whether the survivors of murdered employees could hold the employer legally responsible in this scenario for failing to investigate the incident adequately, but no one wants to see a test case. Critically, these examples are not hypothetical hyperbole. According to James Turner, Ph.D., president of International Assessment Services and one of the foremost experts in the field of workplace violence, it is not uncommon for those planning to commit murder to provide clues to their homicidal intent in Internet postings before they pull the trigger. For example, a gunman wrote a series of posts to an online bulletin board, the last of which stated “It’s time,” before murdering seven people in a Tokyo shopping mall.5 Another gunman posted “I wonder if I’d make the six o’clock news if I just starting popping people off” before killing three guards and wounding a fourth on the University of Alberta campus.6

The password protection bills, as currently drafted, as well as the Maryland law, also thwart investigations into workplace harassment. It would be naïve to believe that the bullying which used to happen on the shop floor or in the break room has not moved to social media. Indeed, the California Court of Appeal recently affirmed a jury’s verdict holding an employer responsible for its employees’ bullying of a co-worker with a disfigured hand. The court relied heavily on co-workers’ scathing blog posts that referred to the employee as “The Claw” and ruthlessly ridiculed him because of his disability.7 In the California case, the employee was able to discover and report the bullying to his employer because the blog posts were public. Password protection laws, however, would throw a cloak of secrecy around this type of illegal conduct when conducted through a restricted-access social media account.

As with the workplace violence scenario, it is unclear whether an employer could be held responsible for work-related harassment that is inaccessible to the employer. The plaintiffs’ bar can be expected to try. Putting aside legal liability, workplace harassment and threats of workplace violence that are visible to co-workers, but invisible to the employer, will have intangible costs for the workplace, such as undercutting employee morale, causing tension among co-workers, and distracting employees from their work. Given the absence of any proof that private employers are asking for social media log-in credentials, there is no justification for legislatures to impose on employers those costs or the potential liability arising from an inadequate investigation of employees’ unlawful work-related social media conduct.

While the risks arguably are not as serious, the application process still can present situations where an employer justifiably seeks access to content posted on a restricted-access social media account. For example, if a current employee were to inform her human resources manager that she has seen content on an applicant’s “friends-only” Facebook page that raises serious questions about the applicant’s suitability for employment with the employer, the employer should be able to gain access to that information whether by asking the applicant or the employee for log-in credentials, for permission to “shoulder surf,” or for a hard copy or screen shot of the content in question. While the phrasing of the Maryland law and the pending password protection bills is somewhat ambiguous, they all appear to put the applicant’s social media content completely off-limits, regardless of which of these methods the employer wishes to use. Given the substantial disruption and cost to private employers of a “bad hire,” they should not be completely foreclosed from this source of information, particularly given that a host of laws — such as Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Age Discrimination in Employment Act, and the Genetic Information Non-Discrimination Act of 2008 — already substantially restrict an employer’s ability to use social media content for employment decisions.

Conclusion

State and federal legislators should recognize that they may have “jumped the gun” by relying on hype rather than facts in their hurried attempt to get ahead of a public outcry. At this point, there is no empirical data suggesting that private employers are routinely or even occasionally requesting or requiring personal social media log-in credentials. Consequently, it is not necessary to enact legislation that would radically expand the definition of “privacy” and substantially impede employers’ ability to investigate potentially unlawful and even criminal conduct.

1 Littler Mendelson Executive Employer Survey Report (June 2012), available at http://www.littler.com/content/littler-mendelson-executive-employer-survey-report-2012.

2 See, e.g., Duran v. Detroit News, Inc., 200 Mich. App. 622 (1993) (intrusion claims failed because the information defendants obtained was either available via public record or had been disclosed by plaintiffs such that it was “open to the public eye”); Fletcher v. Price Chopper Foods of Trumann, Inc., 220 F.3d 871, 877-78 (8th Cir. 2000) (intrusion claim failed where plaintiff asserted a privacy interest in the medical fact that she had a staph virus at the time of her employment termination because plaintiff revealed this information to her co-workers); cf. Nader v. Gen. Motors Corp., 25 N.Y.2d 560, 568-69 (1970) (intrusion claim was unsupported by allegations that defendants interviewed people who knew plaintiff and thereby obtained information of a private nature because plaintiff assumed the risk that those he confided in may breach that confidence; plaintiff’s claim was supported on other grounds such as unauthorized wiretapping).

3 See, e.g., Sanders v. Amer. Broadcasting Cos., 20 Cal. 4th 907 (1999) (even though the plaintiff’s conversation could be seen and overheard by co-workers, plaintiff’s intrusion claim could proceed where media reporter covertly taped plaintiff’s conversation). Cf. Y.G. v. Jewish Hosp. of St. Louis, 795 S.W.2d 488, 502 (Mo. Ct. App. 1990) (plaintiffs use of in vitro fertilization was a private matter even though they attended a social function for participants in the hospital’s in vitro fertilization program).

4 Pietrylo v. Hillstone Rest. Group, No. 2:06-cv-05754-FSH-PS (D.N.J. 2008).

5 Norimitsu Onishi, Man who killed 7 in Tokyo left online warnings, N.Y. TIMES (June 9, 2008), http://www.nytimes.com/2008/06/09/world/asia/09iht-09tokyo.13575210.html.

6 Michelle McQuigge, Chilling Facebook comment preceding armed guard murders stokes employee online privacy debate, THE CANADIAN PRESS (June 23, 2012), http://news.nationalpost.com/2012/06/23/chilling-facebook-comment-preceding-armed-guard-murders-stokes-employee-online-privacy-debate/.

7 Espinoza v. County of Orange, No. G043067 (consol. with G043345) (Cal. Ct. App. 2012).

Social Media Password Law Remains Idle in Illinois

It has been over one month since we discussed Illinois’s proposed social media password law. On May 22, 2012, both state legislative houses passed HB 3782, a bill that would amend the state’s Right to Privacy in the Workplace Act to prohibit employers from requesting applicant and employee social media login credentials. At that point it looked like Illinois would become the second state to enact such a law – on May 2, 2012, Maryland became the first state to prohibit such conduct. However, the bill was not sent to the governor until June 20, 2012. Moreover, the waiting game may continue because the governor has 60 days to sign, veto, or take no action on the bill. If no action is taken during the 60-day period, the bill becomes law. From a compliance readiness standpoint, because of the bill’s slow movement, if the governor signs the bill (or takes no action), employers will have more time to review and revise relevant policies because the law will not become effective until June 1, 2013; compared to January 1, 2013, had the law been signed before June 1, 2012.

Vermont Becomes the Eighth State to Restrict the Use of Credit Reports for Employment Purposes

On May 17, 2012, Vermont Governor Peter Shumlin signed Vermont Act No. 154 (S. 95), which prohibits employers, subject to certain exceptions, from using or inquiring into an applicant or employee's credit report or "credit history" for employment purposes. Relying on a variety of statistics regarding the purported reason that families "go into debt" and the alleged increased use of credit reports for employment purposes, the legislature stated that the new law was necessary because "information contained in a credit report has no correlation to job performance" and "credit reports do not provide meaningful insight into a candidate's character, responsibility, or prospective job performance." To learn about the new law and its potential implications for employers, please continue reading Littler's ASAP, Vermont Becomes the Eighth State to Restrict the Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.

Potential HIPAA Violation Leads to $750,000 Settlement

The Attorney General for the Commonwealth of Massachusetts reached an agreement with South Shore Hospital over claims the hospital failed to protect confidential health information for hundreds of thousands of consumers. The Attorney General filed the lawsuit under both state information security laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The problem arose when the hospital shipped three boxes containing more than 400 unencrypted back-up tapes to an off-site vendor. The hospital had contracted with the vendor to erase the tapes and resell them. The tapes contained significant amounts of confidential information such as patients’ names, Social Security numbers, bank account numbers and medical diagnoses. Only one of the three boxes arrived at its intended destination.

To learn more about the settlement, please continue reading at Littler's Healthcare Employment Counsel.

Littler Mendelson's Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Illinois Social Network Password Law

The Illinois Senate and House passed a bill that will soon make their state the second in the country to have a law prohibiting employers from asking employees for their credentials to social networking sites. While this surely makes employees happy, the law and ones like it have the potential to inhibit legitimate business activities. In an interview with The Lexblog Network, Philip Gordon—Chair of the Privacy and Data Protection Practice Group at Littler—explains the basics of the Illinois law, how it could potentially inhibit businesses and where we might find some kind of happy medium.

Illinois' New Social Media Password Law Raises Substantial and Unjustified Obstacles to Employers' Legitimate Business Activities

By Philip L. Gordon

With last week’s approval by Illinois’ Senate of a House bill entitled, “The Right to Privacy in the Workplace Act,” Illinois (assuming the Governor signs the bill) will soon become the second state, joining Maryland, to forbid employers from requesting or requiring log-in credentials for an applicant’s or employee’s social networking site. This bill, like Maryland’s law, raises significant interpretative challenges for employers while imposing unjustified and overbroad restrictions on their ability to run their own business.

Remarkably, the Illinois bill (like the Maryland law) contains no legislative findings supporting the need for the law. To be sure, in March and April of this year, there was a media frenzy aimed at creating the impression that private employers routinely request access to applicants’ and employees’ social networking accounts. This stir, however, was substantially overblown. It was based on a small number of news stories, virtually all of which involved job applicants, not employees, and public, not private, employers. To date, we have seen no empirical evidence suggesting that private employers are engaging in the practice which is the subject of legislation not only in Illinois and Maryland, but also of pending bills in ten other states (California, Delaware, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina and Washington) and in both houses of Congress.

Despite the absence of a proven need, the Illinois bill imposes apparently broad restrictions on employers. The bill prohibits an employer from “request[ing] or require[ing] any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.” The bill also forbids employers from “demand[ing] access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”

While the first prohibition is clear enough, the scope of the second is ambiguous. The second prohibition appears to be aimed at “shoulder surfing,” i.e., an employer’s asking an applicant or employee to log into a social networking site without revealing log-in credentials so that the employer can review the site. Similarly, this prohibition appears to reach an employer’s asking an employee or applicant to print a hard copy of his or her own social networking site or to e-mail screen shots of that site to the employer. Assuming this prohibition is intended to reach such conduct, it remains unclear whether the prohibition applies only to content posted on the applicant’s or employee’s own social networking site or extends to the restricted social networking sites of co-workers who are not the subject of the request.

To put the ambiguity into sharper focus, consider the following scenario. An employee reports to his human resources manager that a co-worker, who is a Facebook friend, has commented on his own wall, which is restricted to “Friends Only,” that he is so angry at the company he could “blow the place up.” The Illinois law appears to prohibit the HR manager from asking the reporting employee to permit the HR manager to view the posting co-worker’s post on the reporting employee’s own newsfeed and from asking the reporting employee to print a hard copy of the post or to e-mail a screen shot of the post to the HR manager. The Illinois law also appears to prohibit the HR manager from asking the posting co-worker for access to his social networking site so the HR manager can investigate the reporting employee’s allegation. However, it is unclear whether the Illinois law would prohibit the HR manager from asking the reporting employee, without disclosing his own log-in credentials or any information on his own news feed, to access the posting co-worker’s “Friends Only” Facebook wall so the HR manager could corroborate and further investigate the allegation.

While this point, at first blush, may appear to be hair splitting, it is critical for employers because the Illinois law contains no exception for legitimate workplace investigations. In fact, the Illinois law contains no exceptions at all to its general prohibitions. Instead, the law merely emphasizes that it is not intended to restrict an employer’s right to promulgate policies regulating use of the employer’s own electronic resources or to monitor usage of the employer’s own electronic resources, including e-mail. The bill also expressly states that it does not apply to “information that is in the public domain,” i.e., social networking sites for which the account holder has not used privacy settings to restrict access. However, this limitation provides little aid to employers as applicants and employees increasingly activate privacy settings to restrict access to their social media accounts. In sum, the Illinois law shuts off most, if not all, access by employers to a potentially important source of information when conducting legitimate investigations into misconduct related to work, such as workplace violence, unlawful harassment, and misappropriation of trade secrets.

The absence of any exceptions to the general prohibition in the Illinois bill highlights another challenge for employers raised by this new genre of workplace regulation. The Maryland law contains exceptions for investigations of suspected securities fraud violations and suspected misappropriation of trade secrets. While these exceptions themselves are overly narrow, their absence from the Illinois bill suggests that the states are beginning to weave yet another inconsistent patchwork of laws that will further complicate for employers the already daunting challenge of regulating new technology in the workplace.

Upcoming Privacy Events

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

  • Raise employee awareness and educate employees in the handling of sensitive data
  • Safeguard company equipment and wireless devices and minimize damage in the event of breach 
  • Protect corporate networks from the use of multiple portable devices while preserving employee rights
  • Establish policies and procedures to strengthen and maintain data security

For more information and to register, please click here (pdf).

Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.

California Restricts Employer Use of Credit Reports

On October 10, 2011, the Office of California Governor Jerry Brown announced that Governor Brown had signed AB 22, legislation that adds a new provision to the California Labor Code and amends the state's Consumer Credit Reporting Agencies Act to restrict the discretion that private and public sector employers have to use "consumer credit reports" for hiring and personnel decisions. Together, the new laws, which take effect on January 1, 2012, limit when employers lawfully can use consumer credit reports and impose notice and disclosure obligations on employers who intend to do so. To learn more about the laws and their implications for employers, please continue reading Littler's ASAP, California Joins States Restricting Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.

California Amends its Security Breach Notification Law

By Ellen M. Giblin

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas the notice law previously did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.

Second, SB 24 adds a requirement to notify the state’s attorney general about a breach. More specifically, the notice law now requires any agency, person, or business that sends a security breach notice to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the attorney general, excluding any personally identifiable information. This change adds California to the list of states that require some type of notice to the state’s primary regulator of security breaches.

Third, this bill deems any HIPAA-covered entity to have complied with California’s new notification requirements if the covered entity complied with the similar breach notification requirements in Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). However, the covered entity is not exempt from any other provision of California’s notice law.

Finally, SB 24 also amends Section 1798.82(j) of California’s security breach notification law regarding substitute notice. Reporting entities which seek to notify individuals of a security breach through the state’s media, rather than directly, must now also notify the Office of Privacy Protection within the State and Consumer Services Agency.

In light of these changes, employers will need to update their incident management plans and add these new requirements into their notification policies to ensure compliance with the many state data breach notification requirements.

California SB 24 takes effect January 1, 2012, providing enhanced notification requirements similar to those required under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Hard copy breaches are still not covered under the California law.

Massachusetts Extends Reach of Data Protection Regulations

By Ellen Giblin

The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.

In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

Although the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.

What does this mean to my company?

The Judgment by Consent has far reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems, are all covered by these laws and regulations.

What should my company do?

Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords, user access should be limited on a need-to-know basis and removed promptly after an employee is terminated, employees need to be trained on your organization’s information security policies and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.

What are the consequences of not complying?

The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action. 

Massachusetts Agency Revises Information Security Regulations -- Yet Again

In what appears to be an on-going effort to find the right balance between information security and burdens on businesses, Massachusetts’ Office of Consumer Affairs and Business Regulation (OCABR) has materially revised—for a second time—regulations that were initially promulgated in October 2008, and has extended the compliance deadline for a third time. We have discussed the regulations in detail in prior blog posts. Consequently, we will only focus on the most recent revisions, which are described below:

  • New Compliance Deadline: The compliance deadline has been extended from January 1, 2010, until March 1, 2010.
  • Third-Party Service Providers: While the regulations still require that employers expressly address information security in their contracts with vendors who create or receive personal information on the employer’s behalf, employers now have until March 1, 2012, to negotiate amendments to vendor agreements entered into before the March 1, 2010 compliance deadline. Vendor agreements entered into after that date must require that vendors implement and maintain “appropriate security measures to protect [Massachusetts] personal information” in a manner that is consistent with the regulations and applicable federal law.
  • Break For Small Businesses: The prior regulations applied equally to businesses of all sizes. The revised regulations are scalable. In other words, the “appropriate” administrative, technical and physical safeguards may vary depending on (a) “the size, type and scope of business” involved; (b) the business’ available resources; (c) “the amount of stored data”; and (d) “the need for security and confidentiality of both consumer and employee information.”
  • Elimination Of Several Onerous Requirements: OCABR has completely deleted requirements that data owners (a) collect only the minimum necessary personal information, (b) retain such information for only as long as is necessary to achieve the purpose for which the information was collected, (c) restrict access to personal information to those with a need to know, and (d) identify all locations and devices where personal information is stored. These requirements were among the most burdensome in the regulations as previously drafted.
  • Less Prescription: The revised regulations eliminate several provisions which specified how certain safeguards should be accomplished. First, the requirement to provide physical safeguards previously mandated “a written procedure that sets forth the manner in which access to . . . records [containing personal information] is restricted.” The revised regulations merely require “[r]easonable restrictions upon physical access to records containing personal information.” Second, the previous regulations required that data owners restrict terminated employees’ access to personal information “by immediately terminating their physical access and electronic access to such records, including deactivating their passwords and user names,” whereas the revised regulations eliminate the quoted language. Third, rather than requiring a “comprehensive, written information security program,” the revised regulations now require a comprehensive information security program “that is written in one or more readily accessible parts.” Finally, the definition of “encryption” no longer requires “the use of an algorithmic process” so long as the process results in “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”

What Does The Crazy Quilt of Security Breach Laws Mean for Employers as Massachusetts Becomes the 39th State to Enact One?

On August 3, 2007, Governor Deval Patrick enrolled Massachusetts as the 39th member in the soon-to-be nationwide club of states with laws requiring notice of a security breach.  While these laws vary — sometimes materially — from one another, they share a common thread: at a minimum, they require employers to notify employees (and customers) when an unauthorized person acquires unencrypted, computerized “personal information,” creating a risk of identity theft.  In all 39 states that have adopted this law, “personal information” includes (again at a minimum) the affected individual’s first name or initial and last name plus social security number, driver’s license number, or credit card, debit card, or financial account number in combination with any required security code. 

Here are five key points for employers to consider as they confront these statutes.

  • Be Prepared.  Responding to a security incident can create a pressure cooker, especially when the personal information of senior corporate executives is among the compromised data.  Identify the members of your incident response team — typically from HR, IT, Legal, and Public Relations — and do a dry run of how your organization would respond if, for example, a payroll database had been stored on a stolen laptop.
  • Train HR Professionals.  In the employment context, a security breach can take many forms — a misdirected e-mail, a CD lost by a courier service, a stolen BlackBerry, or a successful hack are just a few examples.  HR employees and others who work with personal information should be trained that these types of occurrences, which in the past might not have been taken seriously, now pose compliance risks.  The training should help employees identify a possible security breach, list the type of information which should be reported, and explain to whom the report should be made.
  • Determine Your Notice Obligations.  When a breach does occur, consult knowledgeable counsel (whether in-house or outside) to determine the organization’s obligations under all potentially applicable notice laws.  To do so, counsel will need to know all the facts related to the incident, the states of residence of affected employees, and the number of affected employees in each state.  In some circumstances, a security breach may not trigger a legal obligation to notify — for example, the theft of a hard copy (as opposed to computerized) payroll spreadsheet — but the employer still may decide to provide notice as an employee relations matter.
  • Help Your Employees.  Employees may view themselves as innocent victims when their employer suffers a security breach and expect their employer to protect them and foot the bill.  Providing free access to a credit monitoring service is the most commonly offered form of assistance.  Employers may want to consider a new service offered by MyIDentityIQ, Inc. and National ID Recovery: 1-877-252-9891.  This service not only alerts employees to possible misuse of their personal information (like credit monitoring), it also provides fully managed identity theft recovery services for employees after their personal information has been misused.
  • Learn From Your Mistakes.  After the storm subsides, figure out what went wrong, what you did right, and how you can adjust your security incident response plan (or put one in place) to improve your response the next time around.

More Businesses Demanding Background Checks And Drug Tests Of Vendor Employees, Creating New Privacy And Data Protection Challenges

More and more businesses — especially those in highly regulated industries such as banking, telecommunications, and health care — are engaging in “vendor management” as they implement increasingly rigorous information security programs.  Confirming the trustworthiness of vendors’ employees who are permitted on premises or who are authorized access to sensitive information is a cornerstone of such programs.  Consequently, these businesses are starting to make a variety of demands in contract negotiations and requests for proposals (RFPs) for background checks and drug-testing of vendor employees.

The demands vary based upon the industry and the company.  At a minimum, these businesses require their vendors to certify that employees who will be working on the customer’s account have successfully completed a background check and a drug screen.  At the other end of the spectrum, businesses specify the contents of background and drug screens and demand the right to audit the results or even conduct their own background checks and drug tests of the vendor’s employees.

These demands put vendors “between a rock and a hard place.”  On the one hand, vendors want to maintain strong relationships with valued customers and win contracts with new customers.  On the other hand, turning over background checks and drug test results to a customer can raise red flags with the vendor’s workforce regarding their privacy.  And, if not properly handled, the issue can mushroom into an employee relations nightmare and expose the vendor to privacy-based claims.  The problem is particularly acute for vendors who have not previously required current employees, or even job applicants, to submit to background checks or drug tests.

Here are three of the steps vendors might consider to avoid this catch-22:

  • Consider making reasonable counterproposals to customers. Expressing a concern for the confidentiality and security of the sensitive, personal information of your employees demonstrates awareness of the importance of information security. It also provides you with the opportunity to reinforce your commitment to protecting your customers’ privacy.
  • Do not automatically agree to demands without first determining whether they would require your organization to violate often-stringent drug-testing and background check laws. Businesses engaged in vendor management sometimes make broad demands without considering the nuances of state and federal privacy laws.
  • Consider implementing a drug testing policy and a background check policy. Distribution of these policies provides an opportunity to communicate the important business interests at stake and the efforts being made to protect employees. At the same time, the policies can be used in contract proposals to demonstrate the company’s commitment to providing only trustworthy employees to work on customer accounts. And, in some states, distribution of a written drug testing policy is required by law.

Our HR Manager's Laptop Was Stolen; Should We Offer Credit Monitoring Service?

As of 2006, 1 in 9 Americans had received a notice of security breach. That ratio is bound to rise with the continued onslaught of hacking and the theft of laptop computers now the crime du jour.  The decision whether to provide notice of security breach, now governed by law in 36 states and the District of Columbia, is relatively easy when compared to the decision whether to provide free credit monitoring service.

No law requires a business to offer credit monitoring after a security breach, so why do so many businesses seem to opt for it? Preventing loss of good will seems to be the answer.  According to a 2006 study by the Ponemon Institute, businesses suffer damages in lost customer opportunity cost equaling almost $100/lost record.  That loss far exceeds the cost of one year’s worth of credit monitoring which, depending upon the size of the breach and the type of service, can range from $15 to $50 per individual.

While employees are not customers, employee disgruntlement can result in loss of productivity and increased turnover with an associated increase in recruiting costs. Employers confronting the question whether to offer free credit monitoring should try to quantify these costs as compared to the cost of providing credit monitoring service. In making this calculation, employers should keep in mind that the percentage of notice recipients who actually exercise the right to credit monitoring can be low, ranging, according to one report, from as little as 5% or less to as high as 30%.