Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

A U.S. District Court in Indiana has ruled that a company's use of keylogger software to access an employee's personal e-mail account may have violated the Stored Communications Act (“SCA”).  

Keylogging or keystroke logging is the tracking of the keys struck on a keyboard, typically in a covert manner.  

In Rene v. G.F. Fishers, Inc.,the company utilized keylogger software and was sued by one of its employees for violations of the SCA, the Indiana Wiretap Act (“IWA”), and the Federal Wiretap Act.  The company generally prohibited personal use of its computers, however, it permitted the employee to access her personal checking account and personal e-mail account from the company computer.  The employee was later notified that the company had installed keylogger software on the computer.  Utilizing the keylogger software, the company accessed the employee’s personal e-mail account and personal checking account (acquiring the passwords utilizing the keylogger software), and reviewed and discussed the messages and contents. 

The employee was fired for “poor performance” after complaining about the access. She sued her former employer, alleging the company violated the SCA, IWA, and the Federal Wiretap Act.  While the court did not address certain factual issues under the SCA (e.g., whether the company accessed the employee’s e-mail messages before the employee opened them), it held that by alleging that the employer accessed her e-mail messages the employee had satisfied the burden of asserting a violation of the SCA.  The court also denied the company’s motion to dismiss the former employee’s IWA claim, but it did dismiss the Federal Wiretap Act claim. 

As we have previously discussed, jurisdictions are at odds over the use of keylogger software in the employment context.  Employers should carefully consider their use of keylogger or monitoring technology and consult counsel as to best practices for the jurisdiction in which you are located.   

• Email This
• Print
• Comments (1)
• Trackbacks

Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General's Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities. 

This additional grant of authority to the Indiana Attorney General, is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA. 

The Indiana statute, as with the authority granted to Attorney Generals under HITECH, highlight the need for companies to develop and implement comprehensive data security polices to secure their records. 

• Email This
• Print
• Comments
• Trackbacks

All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).

Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.

The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”

The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury.  It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”

The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”

This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature. 

• Email This
• Print
• Comments
• Trackbacks