Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Written by Michelle Hackim

In United States v. Jones, the Supreme Court unanimously decided that FBI agents violated the Fourth Amendment when they attached a Global-Positioning-System (GPS) tracking device to a suspected drug dealer’s Jeep Cherokee and monitored the vehicle’s movements on public streets for 28 days without obtaining a warrant to do so. Justice Scalia wrote the Court’s opinion, with four justices joining the opinion – Chief Justice Roberts and Justices Anthony Kennedy, Sonia Sotomayor, and Clarence Thomas.

Sotomayor's concurring opinion is worth noting for its detailed analysis of the chilling effect on associational and expressive freedoms that government monitoring via technology, like GPS surveillance, will have if left unchecked. She wrote:

“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious and sexual associations…The Government can store such records and efficiently mine them for information for years into the future…And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: ‘limited police resources and community hostility.’ “

Justice Alito, who also concurred in the majority opinion, argued for warrants based on the “reasonable expectation of privacy” standard, instead of the common law trespass test applied by Scalia. Alito, clearly troubled by the Court’s reliance on the law of trespass, points out that technology today allows for easy electronic monitoring, without any need to come into physical contact with the subject being tracked. He expresses concern over the “increased convenience” of new technology at the “expense of privacy,” and suggests that these “new intrusions on privacy” may motivate Congress to enact legislation addressing these “new intrusions” as it did with wiretapping. Sotomayor clearly agrees, but whether Congress will act obviously remains to be seen.

So, what does U.S. v. Jones mean for employers?

Private employers generally are not subject to the Fourth Amendment’s prohibition against unreasonable search and seizure. However, it is certainly foreseeable that employees of private employers could cite to this case in support of claims that GPS monitoring, or any sort of electronic monitoring for that matter, during non-working hours violated their “reasonable expectation of privacy.” The question of whether this decision might influence courts as technology becomes more powerful, remains to be seen.

As such, it is imperative for employers, especially those who provide smart phones and company vehicles containing GPS monitoring devices to their employees, to adopt policies notifying their employees of the company’s right to monitor their actions while using Company owned property. These policies should also contain language notifying employees about the GPS monitoring capabilities of the Company-issued property and that they should not have an expectation of privacy while using the same.

In light of the contours of a “reasonable expectation of privacy” analysis and concerns over common law claims of intrusion upon one's seclusion, employers should also avoid monitoring during non-work hours. In addition, where the data received from location tracking reveals details of an employee’s personal life, employers should not review it or be prepared to show that they have a legitimate business justification for looking at this type of information.

Finally, private employers in states like California may have more to be concerned about where constitutional privacy protections apply to the private sector. A number of states also have laws prohibiting the installation of a tracking device without the consent of the vehicle’s owner or lessor.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites and that number is sure to grow significantly. One of the reasons for this growth will likely be due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

• Understand the medium - what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
• Determine desired uses - promotion of services/sales, recruiting, reputation management, community involvement, education, and so on. 
• Assess risks - privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
• Develop policies and procedures - control company message and regulate employee activity.
• Implement and train and reevaluate - limit the number of employees who can speak for the organization, train employees on legal risks (such as with HR looking up applicant/employee background information on line), determine whether social media plan is producing desired results

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.   

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Employers need to exercise care when accessing employees’ e-mails, particularly e-mails on personal e-mail accounts. In Pure Power Boot Camp Inc. v. Warrior Fitness Boot Camp LLC, a non-compete case that turned into a case about the privacy of stored e-mails and violations of the federal Stored Communications Act (SCA), the court held:

1. SCA statutory damages can be recovered by plaintiffs, even if they suffered no actual damages, and
2. the calculation of statutory damages ($1,000 per violation), generally is based on the number of times the “electronic communications facility” (or personal e-mail account, e.g., Hotmail) is accessed, not the number of emails accessed.

The dispute arose when two employees of a fitness facility, Pure Power Boot Camp Inc., left to start their own fitness facility, Warrior Fitness Boot Camp LLC. A non-compete action followed because Pure Power learned through 546 mails it had accessed over a nine-day period that its former employees had taken customer lists, training and instruction materials, and solicited Pure Power customers. The e-mails were from four personal accounts belonging to the former employees’  – Hotmail, Gmail, Warrior Fitness, and an unrelated corporate account. Pure Power was able to access these accounts because the former employees stored their usernames and passwords on its computers; when Pure Power accessed the particular site, the username and password automatically populated.

The former employees learned of Pure Power’s accessing their personal e-mail accounts and filed counterclaims, including allegations of violations of the Stored Communications Act.

The court ruled in the non-compete action that accessing the former employees’ four accounts violated the SCA. Two of the issues before Judge Theodore H. Katz were whether statutory damages could be recovered in the absence of actual damages and, if so, how to calculate those damages. The SCA provides that “in no case shall a person entitled to recover receive less than the sum of $1,000,” but there is little guidance as to whether this minimum should be awarded for each violation, or what constitutes distinct and independent violations as opposed to a single continuous violation.

SCA Statutory Damages Without Actual Damages. Judge Katz disagreed with a ruling by the Fourth Circuit of the U.S. Court of Appeal, Van Alstyne v. Elec. Scriptorium, Ltd. 560 F.3d 199 (4th Cir. 2009), which held that statutory damages under the SCA can be recovered only where the plaintiff also has suffered actual damages.

Van Alstyne based its holding (i) on a decision by the U.S. Supreme Court in Doe v. Chao, 540 U.S. 614 (2004), which reached a similar conclusion for statutory damages under the Privacy Act of 1974, and (2) on the fact that the language concerning damages in these two statutes (SCA and Privacy Act) were nearly identical.

However, Judge Katz cited a number of other federal court decisions holding that while the language in the two statutes are similar, they are different statutes with different purposes and penalize different behaviors. Rejecting the Doe analysis, he concluded statutory damages were recoverable for SCA violations in the absence of actual damages.

Calculating Statutory Damages. Judge Katz said the SCA punishes anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage.” 18 U.S.C. Section 2701(a). Based on this language, he rejected the two former employees’ argument that the number of violations should be measured by the number of e-mails accessed, 546, adopting Pure Power’s argument, instead. Accordingly, when an account is accessed multiple times over a short period of time, it should constitute only a single violation of the SCA. Noting the SCA targets the unauthorized access of an electronic communication facility (not the e-mails themselves), and because there was nothing to indicate the number of times each of the four accounts were accessed over the short nine-day period, the court found four violations.
 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In the name of vehicle safety, California Assembly Bill 1942 will permit among other things “driver cams” to be mounted on vehicle windshields beginning on January 1, 2011. Formally known as “video event recorders,” these devices can continuously record audio, video, and G-force levels in a digital loop in order to help identify bad driver habits or other factors that lead to vehicle accidents. Well intended, the new law certainly will create a range of privacy issues for employers, particularly those in the transportation and delivery business.

Specifically, the law will permit the monitoring of driver performance through video event recorders so long as the following are satisfied:

• Size limitation – The recorder must be mounted either (i) in a seven-inch square in the lower corner of the windshield farthest removed from the driver, (ii) in a five-inch square in the lower corner of the windshield nearest to the driver and outside of an airbag deployment zone, or (iii) in a five-inch square mounted to the center uppermost portion of the interior of the windshield.
• Notice requirement – A notice must be posted in a visible location informing passengers that their conversations may be recorded.
• Length of recording – No more than 30 seconds may be recorded before or after a triggering event, e.g., a collision.
• Driver for hire rights – Employers that install a video event recorder in vehicles of their employees driving for hire must provide those employees with unedited copies of the recordings upon the request of the employee or the employee’s representative. These copies must be provided free of charge to the employee and within five (5) days of the request.

There are a number of obvious issues that face employers interested in utilizing video event recorders, such as not knowing what information will be captured by these devices and how to discipline employees who violate policy as shown in the recording. There are other less obvious issues which employers should consider when deciding to implement this technology.

For example, the law does not provide a period after which employees can no longer request a copy of the recording. This raises the question of how long recordings must be maintained. Another concern is whether information captured in a recording could be used against the employer, such as in a wage and hour class actions or violations of common carrier or vehicle safety requirements. Because the law is designed to address vehicle safety, a question exists as to whether the law implies a training requirement on employers aware of bad driving habits of employees from the recordings.

For these and other reasons, employers ought to think carefully before implementing this technology.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

• As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
• Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
• Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
• One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
• Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Keystroke logging (or “keylogging”) is the noting (or logging) of the keys struck on a computer keyboard. Typically, this is done secretly, so  the keyboard user is unaware his activities are being monitored.

Several cases throughout the country have examined an employer’s use of keylogging.  Recently, the Criminal Court of the City of New York held in New York v. Klapper  that an employer who installed keylogging software on office computers and subsequently monitored an employee's e-mail activity did not, absent some showing of contrary e-mail protections or acceptable use policies, access a computer “without authorization” in violation of New York law. 

In some of the strongest language against the premise of e-mail privacy to date, the Court stated in its April 28, 2010 opinion:

[t]he concept of internet privacy is a fallacy upon which no one should rely. It is today’s reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke. 

The Court found that e-mails are more akin to a postcard than a letter, as they are less secure and can easily be viewed by a passerby. An employee who sends an e-mail from a work computer sends a communication that will travel through the employer's central computer and will be commonly stored on the employer's server even after it is received and read. Once stored on the server, the employer can easily scan or read all stored e-mails or data. The same holds true once the e-mail reaches its destination, as it travels through the Internet via an Internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in e-mail communications.

In contrast to the strong language from New York, the U.S. District Court for the Northern District of California ruled in Brahmana v. Lembo that a plaintiff could proceed to trial in his case alleging his employer committed an impermissible “interception” under the Electronic Communications Privacy Act (ECPA) by using keylogging to discover the password to his personal e-mail account, and using the logged password, accessed his personal e-mail.  However, another California District Court found in United States v. Ropp that because the keylogger recorded the keystroke information in transit between the keyboard and the CPU, the system transmitting the information did not affect interstate commerce as the required by the ECPA.  Further complicating the issue, a federal court in Ohio questioned Ropp, suggesting in Porter v. Havlicek that it read the statute too narrowly by requiring the communication to be traveling in interstate commerce as opposed to merely “affecting interstate commerce.”

Because of the numerous issues arising from the use of electronic communications, and the varying court opinions on these questions, employers would do well to reexamine their use of keystroke monitoring or logging technology on a regular basis.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As highlighted by many news sources, including CNN.com and MSNBC.com, the United States Supreme Court listened to oral argument (pdf) today in the case of City of Ontario v. Quon today. This is the case involving a police officer who claimed his employer violated his privacy when it read the personal text messages (which happened to be sexually explicit in nature) which he sent and received using his department issued pager.  For further information concerning this case, see our prior analysis, as well as the discussion at Inc.com. Stay tuned for an update following the Supreme Court's decision. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-author: Joseph J. Lazzarotti

The New Jersey’s highest Court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communication with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010 upholding the June 2009 decision of the state Appellate Division. 

This case makes two important points for employers: 

1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system will not overcome an employee’s expectation of privacy and the privilege would remain. 

2) The Court's opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined. 

Loving Care's employee handbook’s “Electronic Communication” policy governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”

The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.

The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.

This decision, and others highlighted previously in this blog, present numerous issues for employers.  While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:

• Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
• Definitions of the specific technologies and devices to which the policies apply;
• Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
• No ambiguities about personal use. 

See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers' systems which may later be deemed “private” or subject to a privilege.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

New mobile phone technology may allow employers to track very precise movements and activities of employees, such as walking, climbing stairs or even cleaning. As reported by Michael Fitzpatrick of BBC News, the technology developed by KDDI Corporation, a Japanese company, “works by analyzing the movement of accelerometers, found in many handsets.” This enhanced level of monitoring likely will raise serious concerns for courts seeking to balance an employer’s legitimate need to monitor employees with an employee’s expectation of privacy.

To get a sense of how sensitive this technology is, Mr. Fitzpatrick notes that a KDDI mobile phone

strapped to a cleaning worker's waist can tell the difference between actions performed such as scrubbing, sweeping, walking and even emptying a rubbish bin.

Employers should proceed with caution. There certainly are legitimate business reasons for gathering and analyzing this kind of data:

• Improving customer service
• Enhancing employee productivity
• Identifying safety concerns and rectifying them
• Ensuring employees are performing only assigned tasks
• Confirming employees are working when they say that they are

At the same time, significant concerns about the technology and how it is implemented, together with the potential for unintended consequences, should motivate employers to think carefully before using this equipment:

• Does the technology really work as advertised?
• Can employees manipulate the “accelerometers,” creating false positives for employers?
• When should/must employers turn the monitoring off?
• Will effects will data capable of showing the time, date and duration of certain activities have in the areas of wage and hour law, collective bargaining, classification of workers as employees versus independent contractors, workers’ compensation, administration of leaves of absence, and so on?
• Will data collected constitute personal information to be safeguarded and retained?
• Will employers be required to produce information collected through these mobile phones in unrelated litigation, such as where an employee’s spouse seeking to prove claims of adultery in a divorce action seeks “phone” records to show the location and activity of the employee-spouse?
• Some states already have laws dealing with electronic monitoring, but it is unclear how those laws will apply to this new technology. For example, a Connecticut statute prohibits employers from recording or monitoring the activities of employees in areas designed for the health or personal comfort of the employees or for safeguarding of their possessions, such as rest rooms, locker rooms or lounges operating.  When Connecticut employers perform permissible electronic monitoring on their premises, they must provide employees with prior written notice. 

However, if these phones work as intended, the level of intrusiveness likely will spur opposition by privacy advocates and additional legislation. It also is possible that the U.S. Supreme Court’s decision in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al., currently before the Court, will provide guidance for employers and lower courts as they consider the effects new technologies have on workplace privacy issues. In that case, one issue the Court is considering is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager.

There is no doubt technology will continue to advance and bring with it enhanced functionality and capabilities. While the law will try to keep pace, employers will be challenged to apply these technologies in ways that meet the demands of their business, while avoiding the pitfalls of law not yet clearly established.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The U.S. Supreme Court’s recent grant of certiorari in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. highlights the effects new technologies continue to have on workplace privacy issues. One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager. The U.S. Court of Appeals for the Ninth Court sided with the police officer when it ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

The underlying suit was filed by police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant after one of Quon’s superiors audited his messages and found that many of them were sexually explicit and personal in nature.   Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating. Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or privacy employers.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New Jersey Appellate Division (Doe v. XYC Corporation) and the Court of Appeals of Wisconsin (Maypark v. Securitas Serv. USA Inc. & Sigler v. Kobinsky) have both examined an employer’s duty to monitor employees conduct while at work, and have reached drastically different results. Additionally, at least seven states—Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina, and South Dakota—have enacted laws requiring computer technicians or Internet service providers to report child pornography if they encounter it in the scope of their work. 

New Jersey. In Doe v. XYC, the company’s IT department noticed an employee was accessing pornographic web pages while at work. Despite numerous complaints and suspicious usage by the employee, management took no formal action except to instruct the employee to stop visiting inappropriate web pages. Following the employee’s marriage to the Plaintiff, the employee took nude and semi-nude pictures of Plaintiff’s 10-year-old daughter and uploaded the photos to child porn web pages using his work computer. The employee was arrested and charged, and the Plaintiff sued the company, alleging that it knew or should have known of the employee’s conduct and had a duty to report it. The state Appellate Division reversed the trial court’s decision that no duty existed. It held that XYC Corporation knew or should have known the employee was accessing child pornography at work, and further had a duty to investigate and report it. Thus, in New Jersey, where an employer has the right and ability to monitor Internet usage and the employee has no expectation of privacy, employers have a duty to investigate and report the access of child pornography if they know or should have known an employee was doing so. For a detailed analysis of Doe, click here. 

Wisconsin. In Maypark v. Securitas, the plaintiff sued an employer for allowing a former employee, a security guard, to post photographs of the plaintiff’s employees on an adult website.   An earlier Wisconsin case, Sigler v. Kobinsky, held that a company could not be held liable for alleged negligent supervision leading to an employee's use of a company computer to harass plaintiffs where there is no probability of harm. Specifically, a company had no duty to monitor because it was not reasonably foreseeable that providing employees with unsupervised Internet access would probably result in harm.   Relying on Sigler, the Court in Maypark overturned a $1.4 million negligence verdict against the security company, finding the guard’s action were not foreseeable.

Given the unsettled law on this issue, employers should consider several important factors when it comes to monitoring of employees. The Society for Human Resource Management published an article (*registration required) analyzing this issue. The article provides a number of suggestions, including that of our own Nadine Abrahams, a Jackson Lewis Partner in our Chicago office, who suggests the first step should be setting up a procedure for the immediate reporting of child pornography that has been discovered and the designation of a company representative who should be notified.   Additional steps include:

• Institution of clear, effective and thorough computer usage and monitoring polices, which also address employee expectation of privacy;
• Training of employees conducting any monitoring;
• Prompt investigation of computer usage and allegations of unlawful conduct; and
• Consultation with legal counsel regarding the duty to report to authorities. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link