Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

In connection with its coverage of national signing day, ESPN.com recently highlighted that social media is increasingly being utilized by coaches to contact, recruit and gather information about players. For players, it's a way to get recruited, control the message and interact with fans and other recruits at unprecedented levels.  And, like in the workplace, misuse of the media can have unfortunate consequences. A New Jersey high school prospect recently found this out when he was expelled from Don Bosco Preparatory after questionable posts were viewed on his Twitter account.  We have noticed similar trends and similar missteps in the employment context, where social media is often being utilized by companies and employees without first being well thought out. 

While the NCAA does provide some social media regulations, online interaction is far less regulated than more “old fashioned” forms of communication. According to Gregg Clifton, Co-chair of the Jackson Lewis’ Collegiate and Professional Sports Industry Group, “The days of face-to-face interaction between coach and recruit have been forever transformed. While the NCAA limits direct phone contact and texting by coaches to recruits, current NCAA regulatory freedom still permits coaches to use social media to contact, recruit, and gather information about players they are considering for their programs.” Similarly, both state and federal employment law struggle to keep up with the ever expanding social media realm.  This was most recently highlighted by the NLRB General Counsel’s report on social media. Consequently, even for employers that do have social media policies, they often do not address key issues such as the company’s presence on-line, regulatory requirements that apply in their industry, and how managers and supervisors should and should not be using the medium. In fact, as shown by many of the NLRB’s rulings discussed in the recent report, many policies contain overbroad proscriptions that violate a variety of laws.  

To keep up with social media, some schools are hiring individuals to monitor the social media of prospective student-athletes and to make sure that improper interaction is not occurring, as well as to ensure confidential information, such as under FERPA, is not being disclosed.  Employers too are seeking to hire individuals to not only assist in utilizing social media for marketing, but also individuals who can monitor how social media is and should be utilized in employment decisions.  This is particularly true for statutes and regulations which one may not necessary link with social media.  For example, employers often don’t realize that they may improperly acquire genetic information in violation of the GINA by “friending” or “following” employees or applicants. 

Of course, schools also are employers…so, while universities and colleges need to institute effective policies and procedures to address their use of social media in recruiting, they also must address social media usage in the employment context.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link

A registered nurse terminated from employment for posting on Facebook while dispensing medication to a patient could not collect unemployment benefits in Pennsylvania. Chapman v. Unemployment Comp. Bd. of Review. This case is another example why it is critical to have clear, written electronic communication and social media policies in place that are reasonable and enforced consistently. Without the policy in place, this employer surely would have had a more difficult time defending the unemployment claim.

In this case:

• the employer's policies provided that (i) it may immediately discharge an employee who engages in conduct that could cause a life threatening situation and (ii) cell phone usage is prohibited while on duty;
• the employee was aware of these policies and had previoulsy been warned about them;
• while on duty and dispensing medicine to patients, the employee used her personal cell phone to post comments on her Facebook page about an unpleasant and embarrasing incident experienced by a coworker;
• the nursing director heard other nurses speaking about the Facebook posts in the hall and asked one of the nurses to show them to her; and
• the employer terminated the nurse who made the posts on grounds that her conduct could cause a life threatening situation to patients.  

Reversing an earlier decision that would have allowed the employee to receive unemployment because her actions did not constitute "willful misconduct," Pennsylvania's Unemployment Compensation Board of Review noted that the nurse "was aware of the employer's policy prohibiting the use of cell phones while on duty, yet she violated that policy despite having been previously warned for doing so.” The Pennsylvania Commonwealth Court agreed.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The Supreme Court today issued its decision in City of Ontario, California v. Quon.  In a unanimous decision, the Court held that the search of Quon's text messages, sent or received on his department issued pager, was reasonable and did not violate Quon's Fourth Amendment rights. 

As set forth in the opinion, the Court did not resolve the parties disagreement over Quon's privacy expectations, and instead disposed the case on the narrower grounds of the reasonableness of the search.  While the Court chose not to utilize the facts of this case to establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices, the Court did note that 

Employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.

Click here for a more in depth analysis of the decision. See our previous posts on Quon, here and here. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Co-author: Joseph J. Lazzarotti

The New Jersey’s highest Court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communication with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010 upholding the June 2009 decision of the state Appellate Division. 

This case makes two important points for employers: 

1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of emails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system will not overcome an employee’s expectation of privacy and the privilege would remain. 

2) The Court's opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined. 

Loving Care's employee handbook’s “Electronic Communication” policy governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”

The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.

The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.

This decision, and others highlighted previously in this blog, present numerous issues for employers.  While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:

• Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
• Definitions of the specific technologies and devices to which the policies apply;
• Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
• No ambiguities about personal use. 

See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers' systems which may later be deemed “private” or subject to a privilege.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 According to the newly revised Federal Trade Commission (“FTC”) Guides, employers may face liability for employees’ commenting on their employer’s services or products on “new media,” such as blogs or social networking sites, if the employment relationship is not disclosed. Potential liability may exist even if the comments were not sponsored or authorized by the employer. 

The revised Guides took effect December 1, 2009. They address the application of Section 5 of the FTC Act (15 U.S.C 45) to the use of endorsements and testimonials in advertising and provide examples of the application of Section 5, including examples that could lead to potential employer liability. One such example specifies liability for an employee’s blog posting concerning his employers’ product, where the employment relationship is not previously disclosed:

An online message board designated for discussions of new music download technology is frequented by MP3 player enthusiasts. They exchange information about new products, utilities, and the functionality of numerous playback devices. Unbeknownst to the message board community, an employee of a leading playback device manufacturer has been posting messages on the discussion board promoting the manufacturer’s product. Knowledge of this poster’s employment likely would affect the weight or credibility of her endorsement. Therefore, the poster should clearly and conspicuously disclose her relationship to the manufacturer to members and readers of the message board.”

In comments to the proposed revisions, the Commission agreed that the establishment of appropriate procedures governing “new media” would be a factor in its determination as to whether law enforcement action is appropriate. Tellingly, the Commission stated that it has brought enforcement actions against companies “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury. However, the Commission refused to spell out the procedures companies should put in place to monitor compliance with the principles set forth in the Guides, leaving companies to determine for themselves the process that would best fulfill their responsibilities. 

In light of the FTC’s clear recognition of “new media” and enforcement goal, employers should adopt social media and blogging policies as soon as possible. Employers should consider policies and procedures which address employee use of blog or social networking sites. Those policies, like this sample policy, should articulate the types of disclosure employees must include when they discuss their employers or their employers’ products or services. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The New Jersey Appellate Division (Doe v. XYC Corporation) and the Court of Appeals of Wisconsin (Maypark v. Securitas Serv. USA Inc. & Sigler v. Kobinsky) have both examined an employer’s duty to monitor employees conduct while at work, and have reached drastically different results. Additionally, at least seven states—Arkansas, Illinois, Missouri, North Carolina, Oklahoma, South Carolina, and South Dakota—have enacted laws requiring computer technicians or Internet service providers to report child pornography if they encounter it in the scope of their work. 

New Jersey. In Doe v. XYC, the company’s IT department noticed an employee was accessing pornographic web pages while at work. Despite numerous complaints and suspicious usage by the employee, management took no formal action except to instruct the employee to stop visiting inappropriate web pages. Following the employee’s marriage to the Plaintiff, the employee took nude and semi-nude pictures of Plaintiff’s 10-year-old daughter and uploaded the photos to child porn web pages using his work computer. The employee was arrested and charged, and the Plaintiff sued the company, alleging that it knew or should have known of the employee’s conduct and had a duty to report it. The state Appellate Division reversed the trial court’s decision that no duty existed. It held that XYC Corporation knew or should have known the employee was accessing child pornography at work, and further had a duty to investigate and report it. Thus, in New Jersey, where an employer has the right and ability to monitor Internet usage and the employee has no expectation of privacy, employers have a duty to investigate and report the access of child pornography if they know or should have known an employee was doing so. For a detailed analysis of Doe, click here. 

Wisconsin. In Maypark v. Securitas, the plaintiff sued an employer for allowing a former employee, a security guard, to post photographs of the plaintiff’s employees on an adult website.   An earlier Wisconsin case, Sigler v. Kobinsky, held that a company could not be held liable for alleged negligent supervision leading to an employee's use of a company computer to harass plaintiffs where there is no probability of harm. Specifically, a company had no duty to monitor because it was not reasonably foreseeable that providing employees with unsupervised Internet access would probably result in harm.   Relying on Sigler, the Court in Maypark overturned a $1.4 million negligence verdict against the security company, finding the guard’s action were not foreseeable.

Given the unsettled law on this issue, employers should consider several important factors when it comes to monitoring of employees. The Society for Human Resource Management published an article (*registration required) analyzing this issue. The article provides a number of suggestions, including that of our own Nadine Abrahams, a Jackson Lewis Partner in our Chicago office, who suggests the first step should be setting up a procedure for the immediate reporting of child pornography that has been discovered and the designation of a company representative who should be notified.   Additional steps include:

• Institution of clear, effective and thorough computer usage and monitoring polices, which also address employee expectation of privacy;
• Training of employees conducting any monitoring;
• Prompt investigation of computer usage and allegations of unlawful conduct; and
• Consultation with legal counsel regarding the duty to report to authorities. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

As the holidays approach, more of us will be utilizing work time, and likely work resources, to handle our holiday shopping. Some of us may even post our shopping successes or gift ideas on Facebook or email coupons to friends. Doing so not only results in a loss of employee productivity, but also creates significant risk that personal data will be breached, or employers’ software or hardware compromised. 

A recent survey conducted on behalf of the Information Systems Audit and Control Association (“ISACA”) found that over half of employees surveyed planned to shop online from a work computer this holiday season, spending nearly two full working days (14.4 hours) doing so. With convenience and boredom listed as the biggest motivators, one in 10 planned to spend at least 30 hours shopping online at work. 

The survey also found that those who shop online are more likely to engage in other high-risk behaviors, such as banking online, clicking on links from social networking sites like Facebook, and clicking e-mail links redirecting them to shopping sites. Employees engage in these high-risk behaviors with nearly universal disregard for the safety of the employer’s IT infrastructure. This is highlighted  by the fact that one in 10 Americans who use a mobile work device, such as a Blackberry or iPhone, plan to use it for holiday shopping, notwithstanding the lack of security measures on those devices.

Robert Stroud, international VP of ISACA and VP of IT service management and governance for the service management business unit at CA Inc., in connection with the survey above was quoted as saying,

[I]t’s unrealistic to think that companies can completely stop the use of work computers for online shopping…[W]hat companies can and should do is educate employees about the risks…and remind them of their company’s security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing.

The Wall Street Journal recently published an article highlighting employers’ efforts to monitor employees’ usage of company time and resources for personal e-mail exchanges, and suggesting a trend that courts seem to be more protective of employee privacy rights than in years past. The WSJ article raised a number of concerns for employers, including that of our own Jane McFetridge, a Jackson Lewis partner in our Chicago office - 

Employers are right to expect their employees when they are paid for their time at work are actually working.

What ever a company's policies are concerning managing or monitoring employee communications, now is as good a time as any to revisit those policies and remind employees of their existence. With the use of technology increasing and the position of the courts appearing to shift toward employees, it is becoming more difficult for employers to manage the employee use of their electronic systems. Having and communicating a clear and comprehensive electronic communications policy is critical.

Steps an employer can take include having acceptable-use policies, reviewing those policies with employees to educate them about the risks, and familiarizing themselves with state laws governing the monitoring of employee computer usage.  

• Email This
• Print
• Comments
• Trackbacks
• Share Link