Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

The District Court of New Jersey recently denied an employer’s motion to dismiss a former employee’s causes of action for invasion of privacy following a supervisor’s alleged unauthorized access to the employee’s Facebook account. 

In Ehling v. Monmouth-Ocean Hospital Service Corp., the plaintiff, a registered nurse and paramedic, alleged that the defendants engaged in a pattern of retaliatory conduct as soon as she became President of the local union. Specifically, the plaintiff alleged that defendants gained access to her “private” Facebook account by having a supervisor summon another employee, who was “friends” with the plaintiff, into an office and coercing or threatening that employee into accessing their Facebook account so that the supervisor could view those posts which the plaintiff had restricted to only her “friends.”   Plaintiff went on to allege that the supervisor then viewed and copied plaintiff’s Facebook postings. One such post was in regard to a shooting that took place at the Holocaust Museum in Washington, DC and stated:

An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I wasn’t to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a different! WTF!!!! And to the other guards…go to target practice.

Ultimately, in June 2009 the Hospital sent letters regarding the above posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Plaintiff alleged the letters were malicious and meant to damage her professionally.

The Court dismissed plaintiff’s New Jersey Wiretapping and Electronic Surveillance Control Act (“NJ Wiretap Act”) claim holding that the NJ Wiretap Act only protects those electronic communications which are in the course of transmission or are backup to that course of transmission. As plaintiff’s allegations involve a “live” posting, it did not fall under the purview of the NJ Wiretap Act. 

However, the Court went on to hold that plaintiff’s common law invasion of privacy claim involving defendants’ unauthorized “accessing of her private Facebook postings” could proceed. In relying on another New Jersey district court case which involved a supervisor’s asking an employee to gain access to a private social media account, the Court held that privacy determinations are made on a case-by-case basis, in light of all the facts presented. The Court went on to hold that the plaintiff had a plausible claim for invasion of privacy as she may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing.   

As we have mentioned before, legal guidance involving the utilization of social media in employment decisions is ever evolving and employers must remain vigilant as courts continue to develop these cases.  

• Email This
• Print
• Comments
• Trackbacks

The Fourth Circuit recently held that the Consumer Fraud and Abuse Act’s (“CFAA”) prohibitions against unauthorized access or access in excess of authorization were not violated by an employee when the employee used his valid access to employer's computer network to download confidential business information that he later used while working for a competitor.

Prior to his departure from his former employer, the defendant downloaded proprietary information from the plaintiff's network which he allegedly used to win a contract for business. The plaintiff filed a civil lawsuit against defendant, alleging, among other things, that he violated the CFAA when he downloaded its proprietary information. Specifically, the plaintiff alleged that its policy prohibited employees from downloading confidential and proprietary information to a personal computer. 

In dismissing the CFAA claim, the trial court held, and the Fourth Circuit affirmed, that this policy only regulated the use of company information, not accessing that information.  Accordingly, a violation of the policy would not support liability under the CFAA's authorized access provisions. The court ruled that the CFAA prohibits unauthorized acts of obtaining and altering information from a protected computer, not using without authority lawfully accessed information. Because the employee in this case was permitted to have access to the information at the time he downloaded it, his later use of that information for a subsequent employer did not violate the CFAA.

By its holding, the court agreed with the Ninth Circuit.  However, the court rejected the Seventh Circuit’s reading of the CFAA that an employee loses lawful authority to access an employer's computer network if the access violates the employee's fiduciary duty of loyalty to the employer. The Fifth and Eleventh Circuit have similarly held that employees will exceed authorized access under the CFAA whenever they go beyond their authorized access. 

While this decision may have limited Fourth Circuit employers’ ability to seek legal action against departing employees under the CFAA, employers in other jurisdictions, as highlighted above, must still consider what remedies may be available under the CFAA.  

• Email This
• Print
• Comments
• Trackbacks

A Virginia district court recently held that an employee’s clicking of the Facebook “like” button is not comparable to speech. Accordingly, the court affirmed the dismissal of First Amendment retaliation claims brought by employees of a Virginia sheriff’s office finding that the employees’ action was insufficient to merit constitutional protection.

Sheriff B.J. Roberts of the Hampton, Virginia Sheriff’s Office was up for re-election in 2009. Employees within the sheriff’s office alleged that Sheriff Roberts learned that the employees were supporting his opponent when the employees “liked” the opponent's Facebook page. After he was re-elected, Sheriff Roberts terminated the employees allegedly due to staff reductions and performance issues.

The employees sued Sheriff Roberts alleging that he violated their First Amendment rights to freedom of speech and freedom of association when he unlawfully fired them for actively supporting his political opponent.

The U.S. District Court for the Eastern District of Virginia rejected the employees' claims because the employees failed to allege that they had engaged in protected expressive speech when they “liked” the opponent's Facebook page. The court explained that without existing speech warranting First Amendment protection, the employees could not prove a violation of the right to freedom of speech occurred. The court held that “merely ‘liking' a Facebook page is insufficient speech to merit constitutional protection. In cases where courts have found that constitutional speech protections extended to Facebook posts, actual statements existed within the record.”

While this case may be helpful in the context of public employees, private employers must still be conscious of several issues including: how they obtain social media information about their employees; potential NLRB issues if an employee’s “likes” could be considered protected concerted activity; and potential state constitutional protections of an employee's right to privacy.

• Email This
• Print
• Comments
• Trackbacks

A U.S. District Court in Indiana has ruled that a company's use of keylogger software to access an employee's personal e-mail account may have violated the Stored Communications Act (“SCA”).  

Keylogging or keystroke logging is the tracking of the keys struck on a keyboard, typically in a covert manner.  

In Rene v. G.F. Fishers, Inc.,the company utilized keylogger software and was sued by one of its employees for violations of the SCA, the Indiana Wiretap Act (“IWA”), and the Federal Wiretap Act.  The company generally prohibited personal use of its computers, however, it permitted the employee to access her personal checking account and personal e-mail account from the company computer.  The employee was later notified that the company had installed keylogger software on the computer.  Utilizing the keylogger software, the company accessed the employee’s personal e-mail account and personal checking account (acquiring the passwords utilizing the keylogger software), and reviewed and discussed the messages and contents. 

The employee was fired for “poor performance” after complaining about the access. She sued her former employer, alleging the company violated the SCA, IWA, and the Federal Wiretap Act.  While the court did not address certain factual issues under the SCA (e.g., whether the company accessed the employee’s e-mail messages before the employee opened them), it held that by alleging that the employer accessed her e-mail messages the employee had satisfied the burden of asserting a violation of the SCA.  The court also denied the company’s motion to dismiss the former employee’s IWA claim, but it did dismiss the Federal Wiretap Act claim. 

As we have previously discussed, jurisdictions are at odds over the use of keylogger software in the employment context.  Employers should carefully consider their use of keylogger or monitoring technology and consult counsel as to best practices for the jurisdiction in which you are located.   

• Email This
• Print
• Comments (1)
• Trackbacks

The U.S. District Court for the Southern District of Ohio found the confidentiality rights of patients outweighed a plaintiff’s need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc.  Plaintiff, a former nurse, brought suit in the federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws.  Specifically, plaintiff alleged defendant had alternative motives for plaintiff’s termination, including plaintiff’s age, perceived disability, and plaintiff’s request for FMLA leave.  To establish her case, plaintiff sought to ascertain through the discovery process, whether other similarly situated nurses, were treated in a like manner.  To do so, plaintiff filed a motion to compel seeking access to non-party patient records in an attempt to discern if other nurses participated in essentially the same conduct for which defendant terminated plaintiff, but were not themselves terminated.  The Magistrate Judge denied plaintiff’s motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records.  The plaintiff objected to the Magistrate Judge’s Order, and those objections were heard by the District Court Judge.  The District Court Judge held that “[a]lthough state privilege law does not control…there are abundant and adequate federal principals that protect patient confidentiality.”  The Court went on to state,

the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records. 

The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.

The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiff’s bar in an effort to prove the merits of their client’s claims.  Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiff’s unfounded discovery requests and to protect their patients’ privacy.  

• Email This
• Print
• Comments
• Trackbacks

A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity's disclosure of protected information can form the basis for a state-law negligence claim.  The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA. 

The plaintiff, I.S., was undergoing medical treatment for colon cancer at Washington University.  I.S. gave Washington University a limited authorization to disclose only the dates of her treatments in order to satisfy her employer’s medical leave requirements.  Notwithstanding this limited authorization, plaintiff asserts that Washington University also sent her employer additional medical records and information that far exceeded her authorization. These included I.S.’s HIV status, mental health issues, and insomnia treatments.  Based on that disclosure, I.S. sued Washington University for negligence per se based on a violation of HIPAA. 

Procedurally, Washington University removed the state court action to federal court and sought dismissal of the negligence per se claim, arguing that HIPAA does not create a private cause of action. 

The district court, disagreeing with Washington University, held the plaintiff’s claim could stand despite its exclusive reliance on HIPAA.   The court held that a federal statute that does not provide for a private right of action nevertheless may be a legitimate element of a state law negligence per se claim. 

Under Missouri law, among other things, the plaintiff must show:

·         a violation of a statute or ordinance occurred,

·         the plaintiff was a member of the class of people intended to be protected,

·         the injury complained of was of the type intended to protect against, and

·         the violation was the proximate cause of the plaintiff's injury.  

The Court found that I.S. had met all of the required elements of her claim and remanded the case back to state court. It held that I.S.'s claim, although premised on HIPAA, did not raise a federal question as it did not raise any compelling federal interests or present a substantial federal question.  

This case illustrates the need for HIPAA covered entities to provide training and institute policies and procedures regarding HIPAA compliance.  Here, a process for responding to requests for information would have highlighted the importance of carefully adhering to the limits of the authorization and prevented this alleged unauthorized disclosure, thus precluding I.S.’s claims.  Additionally, employers, and their counsel, must be aware that common law claims may support litigation based on HIPAA, despite the fact HIPAA itself does not provide for a private cause of action. 

• Email This
• Print
• Comments
• Trackbacks

Co-Author:  Joseph J. Lazzarotti

The pervasiveness of social media in professional and everyday communication is a hot button issue (discussed at length here), particularly for private and public employers and organizations.  In fact, many organizations have adopted, or are considering adopting, social media policies for employees and providing training for how employees should interact in cyberspace.  But what should those policies say and what should the training focus on?

To answer those questions, organizations should, among other things, develop and shape their policies, training and discipline concerning social media with an eye toward their particular businesses, regulatory environments, and whether they are in the public or private sectors. A number of recent developments show why this is critical:

·         Two recent Third Circuit opinions handed down on June 13, 2011-- J.S. v. Blue Mountain School District and Layshock v. Hermitage School District (discussed below)-- illustrate the importance of educating employees (teachers and administrators) about student’s First Amendment rights concerning social media and when discipline is appropriate,

·         FTC’s guidelines for endorsement of products or services are important for businesses whose employees are likely to be commenting online about the company’s products and services,

·         The NLRB’s recent actions regarding social media use and the National Labor Relations Act are important for all employers, particularly those in traditionally union-dominated industries,

·         The use of social media in the health care setting is presenting a range of challenges under HIPAA and patient privacy generally.

In addressing the extent to which school officials can regulate student speech, the Third Circuit Court of Appeals has held that school officials violated students’ First Amendment free speech rights by disciplining students for creating, outside of school, “fake” social networking profiles ridiculing their school principals. 

In Blue Mountain School District, 8^th grader J.S., using her home computer, created a MySpace profile in the name of her principal.  The profile was presented as a self-portrayal of a bisexual Alabama middle-school principal named “M-Hoe,” and contained crude and vulgar content. Upon learning of the content, the School District suspended J.S. for 10 days.  The Court held that because J.S. was suspended for speech that caused no substantial disruption in school and that could not reasonably have led school officials to forecast substantial disruption in school, the School District’s actions violated J.S.’s First Amendment free speech rights.  

In Layshock, Justin Layshock, a high school senior, using his grandmother’s computer, also created a MySpace profile in the name of his principal.  The profile included “degrading” content regarding the principal.  Upon learning of the profile, the School District suspended Justin for 10 days.  In analyzing whether a school district may punish a student for expressive conduct that originated outside of the schoolhouse, did not disturb the school environment, and was not related to any school-sponsored event, the Court found the School District was prohibited from reaching beyond the school yard.  

These decisions were based on the Supreme Court’s landmark case on the First Amendment’s application to public schools is Tinker v. Des Moines Indep. Cmty. Sch. Dist., 393 U.S. 503 (1969).  In Tinker, a group of high school students decided to wear black armbands to school to protest the war in Vietnam.  When school officials learned of the plan, they preemptively prohibited students from wearing armbands.  Several students who ignored the prohibition and wore armbands to school were suspended.  Eventually, the students brought suit alleging their First Amendment rights had been violated.  The Supreme Court overruled the district and circuit courts, holding that student expression may not be suppressed unless school officials reasonably conclude that such expression will “materially and substantially" disrupt the work and discipline of the school. 

These cases demonstrate the court's struggle in addressing social media content, especially where there are additional constitutional concerns when a party is a public entity.  For many organizations, First Amendment issues will not be at issue, but there likely will be other considerations.  As each and every industry is impacted by social media, attempting to address it in a one-size-fits-all manner without taking appropriate considerations into account is not only impractical, but in some cases unlawful.  As these developments have shown, efforts to address social media must include an effective industry specific social media policy coupled with training programs to educate employees on the use of social media in all facets of employment and conducting the entity's business. 

• Email This
• Print
• Comments
• Trackbacks

Trying to keep up with the fast-moving world of social media, the Kentucky Court of Appeals has ruled that “tagged” or captioned photographs posted on Facebook may be admitted as evidence. The ruling in the case has implications for employers.  In LaLonde v. LaLonde, the appellant-wife objected to the trial court’s admitting into evidence photographs taken from Facebook that identified her by “tagging.”  The photographs appeared to show her consuming alcohol in contradiction to the advice of her mental health providers—a key issue in the custody dispute.     

The wife argued the photographs should not be admitted because Facebook allows anyone to post pictures and then “tag” or identify people in the pictures and she never gave permission for the photographs to be published in this manner on.  Rejecting this argument, the appellate court held, “There is nothing in the law that requires permission when someone takes a picture and posts it on a Facebook page.  There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.”  The Court acknowledged that modern digital photography techniques may allow for alteration of the photograph, but pointed out that the wife never suggested such techniques were used, instead acknowledging the pictures were accurate.

The potential implications of this holding are numerous.  As we have previously discussed, employers may be able to use social media (which arguably includes tagged pictures) to fight emotional distress damages.  Similarly, as we described here, Facebook content has been utilized by employers in disciplinary decisions.   Our Social Media White Paper provides a helpful discussion of this and other issues employers should think about when it comes to social media.

• Email This
• Print
• Comments
• Trackbacks

In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury. 

The Maine Supreme Court addressed the following:

In the absence of physical harm or economic loss or identity

theft, do time and effort alone, spent in a reasonable effort to

avoid or remediate reasonably foreseeable harm, constitute a

cognizable injury for which damages may be recovered under

Maine law of negligence and/or implied contract?

The Court ruled they do not. Additionally, the Court went on to state that "[t]he tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life….An individual's time alone, is not legally protected from the negligence of others."

The underlying suits were filed following a breach, and fraudulent use, which resulted when card holder data of nearly 4.2 million people was stolen. The lawsuits alleged the company was negligent in protecting card holder data and failed to notify of the breach in a timely fashion.  The above holding was issued when the District Court Judge who heard the underlying case, agreed to let the state Supreme Court decide whether the plaintiffs could sue the company for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.

Two other cases are similarly instructive. In 2003 the Minnesota Supreme Court found that an invasion of privacy cause of action requires that the dissemination resulted in “publicity” of private facts. Because the disclosure was internal to other employees, and not to the public at large, the Court held the dissemination was insufficient publicity to support an invasion of privacy claim against the employer. Further, in Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 U.S.Dist. LEXIS 4846(D. Minn. Feb. 2, 2006), the District Court dismissed plaintiff’s negligence claim holding that the threat of future harm not yet realized will not support a claim for negligence which requires a showing of an injury.

Companies and employers must be on notice of these decisions when faced with individual lawsuits following data breaches. 

• Email This
• Print
• Comments
• Trackbacks

All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).

Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.

The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”

The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury.  It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”

The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”

This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature. 

• Email This
• Print
• Comments
• Trackbacks

As highlighted by many news sources, including CNN.com and MSNBC.com, the United States Supreme Court listened to oral argument (pdf) today in the case of City of Ontario v. Quon today. This is the case involving a police officer who claimed his employer violated his privacy when it read the personal text messages (which happened to be sexually explicit in nature) which he sent and received using his department issued pager.  For further information concerning this case, see our prior analysis, as well as the discussion at Inc.com. Stay tuned for an update following the Supreme Court's decision. 

• Email This
• Print
• Comments
• Trackbacks

Co-author: Joseph J. Lazzarotti

The New Jersey’s highest Court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communication with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010 upholding the June 2009 decision of the state Appellate Division. 

This case makes two important points for employers: 

1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system will not overcome an employee’s expectation of privacy and the privilege would remain. 

2) The Court's opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined. 

Loving Care's employee handbook’s “Electronic Communication” policy governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”

The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.

The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.

This decision, and others highlighted previously in this blog, present numerous issues for employers.  While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:

• Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
• Definitions of the specific technologies and devices to which the policies apply;
• Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
• No ambiguities about personal use. 

See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers' systems which may later be deemed “private” or subject to a privilege.

• Email This
• Print
• Comments
• Trackbacks

The U.S. Supreme Court’s recent grant of certiorari in City of Ontario, Ontario Police Department, and Lloyd Scharf v. Jeff Quon, et al. highlights the effects new technologies continue to have on workplace privacy issues. One issue the Court will consider is whether a California police department violated the privacy of one of its officers when it read the personal text messages on his department issued pager. The U.S. Court of Appeals for the Ninth Court sided with the police officer when it ruled that users of text messaging services “have a reasonable expectation of privacy” regarding messages stored on the service provider’s network.

The underlying suit was filed by police Sgt. Jeff Quon, his wife, his girlfriend, and another police sergeant after one of Quon’s superiors audited his messages and found that many of them were sexually explicit and personal in nature.   Among the defendants were the City of Ontario, the Ontario Police Department, and Arch Wireless Operating. Co. Inc. Plaintiffs sought damages for alleged violation of their privacy rights.

While this case involves a public sector entity, its outcome is likely to affect electronic communications policies and practices across the country, whether by public or privacy employers.  

• Email This
• Print
• Comments
• Trackbacks

The New Jersey Appellate Division (Doe v. XYC Corporation) and the Court of Appeals of Wisconsin (Maypark v. Securitas Serv. USA Inc. & Sigler v. Kobinsky) have both examined an employer’s duty to monitor employees conduct while at work, and have reached drastically different results. Additionally, at least seven states—Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina, and South Dakota—have enacted laws requiring computer technicians or Internet service providers to report child pornography if they encounter it in the scope of their work. 

New Jersey. In Doe v. XYC, the company’s IT department noticed an employee was accessing pornographic web pages while at work. Despite numerous complaints and suspicious usage by the employee, management took no formal action except to instruct the employee to stop visiting inappropriate web pages. Following the employee’s marriage to the Plaintiff, the employee took nude and semi-nude pictures of Plaintiff’s 10-year-old daughter and uploaded the photos to child porn web pages using his work computer. The employee was arrested and charged, and the Plaintiff sued the company, alleging that it knew or should have known of the employee’s conduct and had a duty to report it. The state Appellate Division reversed the trial court’s decision that no duty existed. It held that XYC Corporation knew or should have known the employee was accessing child pornography at work, and further had a duty to investigate and report it. Thus, in New Jersey, where an employer has the right and ability to monitor Internet usage and the employee has no expectation of privacy, employers have a duty to investigate and report the access of child pornography if they know or should have known an employee was doing so. For a detailed analysis of Doe, click here. 

Wisconsin. In Maypark v. Securitas, the plaintiff sued an employer for allowing a former employee, a security guard, to post photographs of the plaintiff’s employees on an adult website.   An earlier Wisconsin case, Sigler v. Kobinsky, held that a company could not be held liable for alleged negligent supervision leading to an employee's use of a company computer to harass plaintiffs where there is no probability of harm. Specifically, a company had no duty to monitor because it was not reasonably foreseeable that providing employees with unsupervised Internet access would probably result in harm.   Relying on Sigler, the Court in Maypark overturned a $1.4 million negligence verdict against the security company, finding the guard’s action were not foreseeable.

Given the unsettled law on this issue, employers should consider several important factors when it comes to monitoring of employees. The Society for Human Resource Management published an article (*registration required) analyzing this issue. The article provides a number of suggestions, including that of our own Nadine Abrahams, a Jackson Lewis Partner in our Chicago office, who suggests the first step should be setting up a procedure for the immediate reporting of child pornography that has been discovered and the designation of a company representative who should be notified.   Additional steps include:

• Institution of clear, effective and thorough computer usage and monitoring polices, which also address employee expectation of privacy;
• Training of employees conducting any monitoring;
• Prompt investigation of computer usage and allegations of unlawful conduct; and
• Consultation with legal counsel regarding the duty to report to authorities. 

• Email This
• Print
• Comments
• Trackbacks

Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records whether in electronic and paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underlying the consequential nature of proper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.

• Email This
• Print
• Comments
• Trackbacks

A New Jersey restaurant has been hit with a jury verdict in favor of two waiters who were fired after the restaurant’s managers accessed a private social networking site where the waiters were criticizing management.

As the social networking (e.g., MySpace and Facebook) “craze” continues to expand, employers must be more mindful of privacy concerns relating to content made available in these media by applicants and employees. Hiring and other job decisions often seem based on information obtained from employees’ or applicants’ social interactions on the Internet, at least to some degree. Generally, employment decisions are more supportable where there is a social networking policy that has been communicated to employees. 

In Brian Pietrylo, et al. v. Hillstone Restaurant Group d/b/a Houston’s, a federal court in New Jersey rejected the employer’s attempt to throw out the jury verdict that managers at a Houston's restaurant intentionally and without authorization accessed a private, invitation-only chat group on MySpace in violation of the federal Stored Communications Act (SCA). The SCA prohibits unauthorized access of stored communications such as e-mail and Internet accounts. The Court also upheld the jury’s award of compensatory and punitive damages against Hillstone. 

This case reminds employers to consider carefully any decision to monitor employees’ use of social networking sites.  Mistakes may be costly.

• Email This
• Print
• Comments
• Trackbacks