Former New York Yankee Lou Gehrig died 71 years ago from amyotrophic lateral sclerosis or ALS, now known as Lou Gehrig's disease. Now some legislators in Minnesota want to make his medical records, maintained at the Mayo Clinic, public. A story in the Star Tribune raises the question of how long a patient's personal health information is private after the patient's death. According to the Mayo Clinic, "only the spouse, parents, or Gehrig's appointed representative have access to his medical records." Phyllis Khan, a Minnesota state Representative, has proposed a state law which would not prohibit the release of medical records of someone who has been dead at least 50 years, does not have a will that blocks the records release, and does not have any direct descendants objecting. A similar proposed federal regulation is also under discussion. Advocates stress that access to medical records after a period of time has elapsed could assist scientific research. The slugger who described himself as the luckiest man on the face of the earth may have more to contribute to privacy regulation, and perhaps medical science. Stay tuned.
Two New Jersey defense lawyers face attorney ethics charges in connection with the way they allegedly accessed Facebook. Regardless of how these charges are resolved, the facts in the case should serve as a reminder to attorneys to become more familiar with social media, and perhaps be more specific in the direction they give to their staff.
The New Jersey Office of Attorney Ethics (OAE) alleges that John Robertelli and Gabriel Adamo caused a paralegal to "friend" the plaintiff in a personal injury case so they could access information on the plaintiff’s Facebook page that was not publicly available. The OAE alleges that the conduct violated Rules of Professional Conduct governing communications with represented parties, along with other rules. Both attorneys deny the charges and claim that they only directed the paralegal to do general internet research, and that they did not tell her to add the plaintiff as a “friend” to gain access to otherwise private information.
The Facebook access came to light during deposition questioning when the plaintiff was asked very specific questions about his travel, dancing, wrestling, or activities which would tend to disprove his claims as to the seriousness of the injuries he allegedly suffered after being struck by a police cruiser while doing push-ups in a driveway.
The attorneys are charged with violating RPC 4.2, concerning communications with represented parties; 5.3(a), (b) and (c), failure to supervise a nonlawyer assistant; 8.4(c), conduct involving dishonesty and violation of ethics rules through someone else's actions or inducing those violations; and 8.4(d), conduct prejudicial to the administration of justice. Mr. Robertelli, the supervising partner, is also charged with breaching RPC 5.1(b) and (c), which impose ethical obligations on lawyers for the actions of attorneys they supervise.
While no New Jersey ethics opinion to date addresses “friending” individuals in connection with litigation, the bars of New York, New York City, Philadelphia, and San Diego have deemed it unethical.
These OAE charges, along with other New Jersey legal precedent, highlight the concerns and issues surrounding improper access to otherwise private social media content.
The District Court of New Jersey recently denied an employer’s motion to dismiss a former employee’s causes of action for invasion of privacy following a supervisor’s alleged unauthorized access to the employee’s Facebook account.
In Ehling v. Monmouth-Ocean Hospital Service Corp., the plaintiff, a registered nurse and paramedic, alleged that the defendants engaged in a pattern of retaliatory conduct as soon as she became President of the local union. Specifically, the plaintiff alleged that defendants gained access to her “private” Facebook account by having a supervisor summon another employee, who was “friends” with the plaintiff, into an office and coercing or threatening that employee into accessing their Facebook account so that the supervisor could view those posts which the plaintiff had restricted to only her “friends.” Plaintiff went on to allege that the supervisor then viewed and copied plaintiff’s Facebook postings. One such post was in regard to a shooting that took place at the Holocaust Museum in Washington, DC and stated:
An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I wasn’t to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a different! WTF!!!! And to the other guards…go to target practice.
Ultimately, in June 2009 the Hospital sent letters regarding the above posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Plaintiff alleged the letters were malicious and meant to damage her professionally.
The Court dismissed plaintiff’s New Jersey Wiretapping and Electronic Surveillance Control Act (“NJ Wiretap Act”) claim, holding that the NJ Wiretap Act only protects those electronic communications which are in the course of transmission or are backup to that course of transmission. As plaintiff’s allegations involved a “live” posting, they did not fall under the purview of the NJ Wiretap Act.
However, the Court went on to hold that plaintiff’s common law invasion of privacy claim involving defendants’ unauthorized “accessing of her private Facebook postings” could proceed. In relying on another New Jersey district court case which involved a supervisor’s asking an employee to gain access to a private social media account, the Court held that privacy determinations are made on a case-by-case basis, in light of all the facts presented. The Court went on to hold that the plaintiff had a plausible claim for invasion of privacy as she may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing.
As we have mentioned before, legal guidance involving the utilization of social media in employment decisions is ever evolving and employers must remain vigilant as courts continue to develop these cases.
A Virginia district court recently held that an employee’s clicking of the Facebook “like” button is not comparable to speech. Accordingly, the court affirmed the dismissal of First Amendment retaliation claims brought by employees of a Virginia sheriff’s office finding that the employees’ action was insufficient to merit constitutional protection.
Sheriff B.J. Roberts of the Hampton, Virginia Sheriff’s Office was up for re-election in 2009. Employees within the sheriff’s office alleged that Sheriff Roberts learned that the employees were supporting his opponent when the employees “liked” the opponent's Facebook page. After he was re-elected, Sheriff Roberts terminated the employees allegedly due to staff reductions and performance issues.
The employees sued Sheriff Roberts alleging that he violated their First Amendment rights to freedom of speech and freedom of association when he unlawfully fired them for actively supporting his political opponent.
The U.S. District Court for the Eastern District of Virginia rejected the employees' claims because the employees failed to allege that they had engaged in protected expressive speech when they “liked” the opponent's Facebook page. The court explained that without existing speech warranting First Amendment protection, the employees could not prove a violation of the right to freedom of speech occurred. The court held that “merely ‘liking' a Facebook page is insufficient speech to merit constitutional protection. In cases where courts have found that constitutional speech protections extended to Facebook posts, actual statements existed within the record.”
While this case may be helpful in the context of public employees, private employers must still be conscious of several issues including: how they obtain social media information about their employees; potential NLRB issues if an employee’s “likes” could be considered protected concerted activity; and potential state constitutional protections of an employee's right to privacy.
A U.S. District Court in Indiana has ruled that a company's use of keylogger software to access an employee's personal e-mail account may have violated the Stored Communications Act (“SCA”).
Keylogging or keystroke logging is the tracking of the keys struck on a keyboard, typically in a covert manner.
In Rene v. G.F. Fishers, Inc., the company utilized keylogger software and was sued by one of its employees for violations of the SCA, the Indiana Wiretap Act (“IWA”), and the Federal Wiretap Act. The company generally prohibited personal use of its computers; however, it permitted the employee to access her personal checking account and personal e-mail account from the company computer. The employee was later notified that the company had installed keylogger software on the computer. Utilizing the keylogger software, the company accessed the employee’s personal e-mail account and personal checking account (acquiring the passwords utilizing the keylogger software), and reviewed and discussed the messages and contents.
The employee was fired for “poor performance” after complaining about the access. She sued her former employer, alleging the company violated the SCA, IWA, and the Federal Wiretap Act. While the court did not address certain factual issues under the SCA (e.g., whether the company accessed the employee’s e-mail messages before the employee opened them), it held that by alleging that the employer accessed her e-mail messages the employee had satisfied the burden of asserting a violation of the SCA. The court also denied the company’s motion to dismiss the former employee’s IWA claim, but it did dismiss the Federal Wiretap Act claim.
As we have previously discussed, jurisdictions are at odds over the use of keylogger software in the employment context. Employers should carefully consider their use of keylogger or monitoring technology and consult counsel as to best practices for the jurisdiction in which they are located.
The U.S. District Court for the Southern District of Ohio found the confidentiality rights of patients outweighed a plaintiff’s need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc. Plaintiff, a former nurse, brought suit in the federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws. Specifically, plaintiff alleged defendant had alternative motives for plaintiff’s termination, including plaintiff’s age, perceived disability, and plaintiff’s request for FMLA leave. To establish her case, plaintiff sought to ascertain through the discovery process whether other similarly situated nurses were treated in a like manner. To do so, plaintiff filed a motion to compel seeking access to non-party patient records in an attempt to discern if other nurses participated in essentially the same conduct for which defendant terminated plaintiff, but were not themselves terminated. The Magistrate Judge denied plaintiff’s motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records. The plaintiff objected to the Magistrate Judge’s Order, and those objections were heard by the District Court Judge. The District Court Judge held that “[a]lthough state privilege law does not control…there are abundant and adequate federal principles that protect patient confidentiality.” The Court went on to state,
the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records.
The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.
The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiff’s bar in an effort to prove the merits of their client’s claims. Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiff’s unfounded discovery requests and to protect their patients’ privacy.
A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity's disclosure of protected information can form the basis for a state-law negligence claim. The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA.
The plaintiff, I.S., was undergoing medical treatment for colon cancer at Washington University. I.S. gave Washington University a limited authorization to disclose only the dates of her treatments in order to satisfy her employer’s medical leave requirements. Notwithstanding this limited authorization, plaintiff asserts that Washington University also sent her employer additional medical records and information that far exceeded her authorization. These included I.S.’s HIV status, mental health issues, and insomnia treatments. Based on that disclosure, I.S. sued Washington University for negligence per se based on a violation of HIPAA.
Procedurally, Washington University removed the state court action to federal court and sought dismissal of the negligence per se claim, arguing that HIPAA does not create a private cause of action.
The district court, disagreeing with Washington University, held the plaintiff’s claim could stand despite its exclusive reliance on HIPAA. The court held that a federal statute that does not provide for a private right of action nevertheless may be a legitimate element of a state law negligence per se claim.
Under Missouri law, among other things, the plaintiff must show:
- a violation of a statute or ordinance occurred,
- the plaintiff was a member of the class of people intended to be protected,
- the injury complained of was of the type the statute or ordinance was intended to protect against, and
- the violation was the proximate cause of the plaintiff's injury.
The Court found that I.S. had met all of the required elements of her claim and remanded the case back to state court. It held that I.S.'s claim, although premised on HIPAA, did not raise a federal question as it did not raise any compelling federal interests or present a substantial federal question.
This case illustrates the need for HIPAA covered entities to provide training and institute policies and procedures regarding HIPAA compliance. Here, a process for responding to requests for information would have highlighted the importance of carefully adhering to the limits of the authorization and prevented this alleged unauthorized disclosure, thus precluding I.S.’s claims. Additionally, employers, and their counsel, must be aware that common law claims may support litigation based on HIPAA, despite the fact HIPAA itself does not provide for a private cause of action.
The Maryland Senate recently referred Senate Bill 971, which prohibits Maryland employers from demanding that workers and job applicants turn over their passwords to specific websites or web-based accounts.
Under the bill, employers would be prohibited from refusing to hire applicants and disciplining, terminating, or taking other adverse employment action against employees who refuse to provide their passwords. The bill also bans employers’ threats of such action.
The bill was introduced in response to employers’ asking applicants and employees for their passwords as part of background checks to see the content posted by the individuals on social networking sites (e.g., Facebook). S.B. 971 would, however, permit employers to require workers to disclose their passwords only to the employers’ internal computer systems.
This proposed Maryland law, and case law from New Jersey, should alert employers that utilizing social media in their hiring, discipline, or termination decisions is under scrutiny.
Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government's computers and networks. While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed. It is important to note that while this proposal sets forth some guidelines, the specific details of how each provision would be instituted are not yet clear.
Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusion, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority.
- To protect the American people, the proposed legislation calls for a national data breach reporting law which would simplify and standardize the existing patchwork of 47 state laws that contain these requirements. Additionally, the proposal calls for penalties for computer criminals and clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure.
- To protect our nation’s critical infrastructure, the proposal calls for legislative changes to fully protect this infrastructure. Specifically, the proposal will enable the Department of Homeland Security (DHS) to quickly help a private-sector company, state, or local government when that organization asks for its help. It also clarifies the type of assistance that DHS can provide to the requesting organization.
Additionally, the proposal permits businesses, states, and local governments to share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it also provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.
Further, the proposal emphasizes transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.
Finally, the proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would then take steps to address cyber threats, develop risk mitigation plans, and permit DHS to modify the processes which are implemented if they are insufficient.
- To protect federal government computers and networks, the legislative proposal includes: an update to the Federal Information Security Management Act (FISMA), as well as formalizing DHS’s current role in managing cybersecurity for the Federal Government’s civilian computers and networks, in order to provide departments and agencies with a shared source of expertise; giving DHS more flexibility in hiring highly-qualified cybersecurity professionals; making permanent DHS’s authority to oversee intrusion prevention systems for all Federal Executive Branch civilian computers while codifying strong privacy and civil liberties protections, congressional reporting requirements, and an annual certification process; and preventing states from requiring companies to build their data centers in that state, as opposed to in the cloud, except where expressly authorized by federal law.
The Administration’s proposal also attempts to ensure the protection of individuals’ privacy and civil liberties through a framework designed expressly to address the challenges of cybersecurity. Some of these provisions include: requiring federal agencies (and likely federal contractors) to follow privacy and civil liberties procedures; limitations on monitoring, collecting, using, retaining, and sharing of information; requiring efforts to remove identifying information unrelated to cybersecurity threats; as well as immunity provisions for those businesses that comply with the proposal’s requirements.
As the proposal concludes:
Our Nation is at risk… [t]he Administration has responded to Congress’ call for input on the cybersecurity legislation that our Nation needs, and we look forward to engaging with Congress as they move forward on this issue.
Two Senators, who clearly did not let the potential government work stoppage affect them, formally introduced the Commercial Privacy Bill of Rights Act of 2011 on April 12. In a bipartisan effort, Senators John Kerry (D-Mass.) and John McCain (R-Arizona) introduced the legislation, which sets forth privacy rules governing businesses that collect, use, or share personal data.
Under the bill, the Federal Trade Commission is given rulemaking and enforcement power. Additionally, the bill would require covered entities to implement comprehensive privacy by design programs and provide clear disclosures of their data-collection practices. Further, the FTC would be given authority to approve nongovernmental organizations to oversee safe harbor programs for firms that complied with approved self-regulatory schemes.
While passage of national privacy legislation has proven difficult in the past, companies must remain aware of these legislative updates, especially when they are of a bi-partisan nature.
Trying to keep up with the fast-moving world of social media, the Kentucky Court of Appeals has ruled that “tagged” or captioned photographs posted on Facebook may be admitted as evidence. The ruling in the case has implications for employers. In LaLonde v. LaLonde, the appellant-wife objected to the trial court’s admitting into evidence photographs taken from Facebook that identified her by “tagging.” The photographs appeared to show her consuming alcohol in contradiction to the advice of her mental health providers—a key issue in the custody dispute.
The wife argued the photographs should not be admitted because Facebook allows anyone to post pictures and then “tag” or identify people in the pictures and she never gave permission for the photographs to be published in this manner on. Rejecting this argument, the appellate court held, “There is nothing in the law that requires permission when someone takes a picture and posts it on a Facebook page. There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.” The Court acknowledged that modern digital photography techniques may allow for alteration of the photograph, but pointed out that the wife never suggested such techniques were used, instead acknowledging the pictures were accurate.
The potential implications of this holding are numerous. As we have previously discussed, employers may be able to use social media (which arguably includes tagged pictures) to fight emotional distress damages. Similarly, as we described here, Facebook content has been utilized by employers in disciplinary decisions. Our Social Media White Paper provides a helpful discussion of this and other issues employers should think about when it comes to social media.
In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data. This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine. The Massachusetts hospital settlement resulted from a hospital employee who took home documents containing sensitive personal information on patients. The employee then lost those documents while commuting to work.
While the settlement did not include an admission of liability, in addition to the monetary settlement, and submitting to HHS oversight, the hospital must also adopt more stringent privacy practices and retain an independent security and privacy monitor. The investigation of the incident found the hospital failed to implement reasonable and appropriate standards to protect the privacy of patient information removed from the facility. Under the settlement, the hospital must present new privacy and data security administrative, physical, and technical safeguards policies and procedures for HHS approval. Specifically, these policies and procedures must address the physical removal and transportation of protected health information and encryption of portable storage devices. Despite a general prohibition on employees physically removing protected health information from the hospital, HHS permitted an exception when the information is removed by an employee to perform his or her job duties. Additionally, the hospital must implement training for all employees.
This settlement, when considered with the 4.3 million dollar fine, likely signals how HHS will approach future enforcement actions. In light of this, covered entities must seriously examine their privacy and security obligations, including implementing appropriate policies and procedures regarding the safeguarding of information.
In another favorable decision for companies, the Maine Supreme Court ruled on September 21, 2010 that consumers affected by a data breach could not claim damages from the company unless they suffered uncompensated financial losses or some other tangible injury.
The Maine Supreme Court addressed the following:
In the absence of physical harm or economic loss or identity
theft, do time and effort alone, spent in a reasonable effort to
avoid or remediate reasonably foreseeable harm, constitute a
cognizable injury for which damages may be recovered under
Maine law of negligence and/or implied contract?
The Court ruled they do not. Additionally, the Court went on to state that "[t]he tort of negligence does not compensate individuals for the typical annoyances or inconveniences that are a part of everyday life….An individual's time alone, is not legally protected from the negligence of others."
The underlying suits were filed following a breach, and fraudulent use, which resulted when card holder data of nearly 4.2 million people was stolen. The lawsuits alleged the company was negligent in protecting card holder data and failed to notify of the breach in a timely fashion. The above holding was issued when the District Court Judge who heard the underlying case agreed to let the state Supreme Court decide whether the plaintiffs could sue the company for the time and effort put into avoiding or mitigating harm from fraudulent charges on their cards.
Two other cases are similarly instructive. In 2003 the Minnesota Supreme Court found that an invasion of privacy cause of action requires that the dissemination resulted in “publicity” of private facts. Because the disclosure was internal to other employees, and not to the public at large, the Court held the dissemination was insufficient publicity to support an invasion of privacy claim against the employer. Further, in Guin v. Brazos Higher Educ. Serv. Corp. Inc., 2006 U.S. Dist. LEXIS 4846 (D. Minn. Feb. 2, 2006), the District Court dismissed plaintiff’s negligence claim, holding that the threat of future harm not yet realized will not support a claim for negligence, which requires a showing of an injury.
Companies and employers must be on notice of these decisions when faced with individual lawsuits following data breaches.
Indiana recently enacted a new law which grants authority to the Indiana Office of the Attorney General's Identity Theft Unit to obtain and secure abandoned records with personally identifying information, including health records, and either destroy them or return them to their owners. Additionally, the new law sets fines and other legal ramifications for violations of the law by health care providers or licensed professionals who leave such records unsecured in violation of state law. In fact, the Attorney General has already utilized this authority to obtain personal records from four entities.
This grant of authority to the Indiana Attorney General is in addition to the authority previously granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce the privacy and security protections of HIPAA for protected health information. As we have previously discussed, the Connecticut Attorney General has filed a civil action against Health Net, as well as instituted an investigation against Griffin Hospital for violations of HIPAA.
The Indiana statute, as with the authority granted to Attorneys General under HITECH, highlights the need for companies to develop and implement comprehensive data security policies to secure their records.
Employees Claiming Emotional Distress Must Produce Social Network (Facebook and MySpace) Information In Discovery
All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).
Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.
The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”
The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury. It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”
The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”
The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”
This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature.
Keystroke logging (or “keylogging”) is the noting (or logging) of the keys struck on a computer keyboard. Typically, this is done secretly, so the keyboard user is unaware his activities are being monitored.
Several cases throughout the country have examined an employer’s use of keylogging. Recently, the Criminal Court of the City of New York held in New York v. Klapper that an employer who installed keylogging software on office computers and subsequently monitored an employee's e-mail activity did not, absent some showing of contrary e-mail protections or acceptable use policies, access a computer “without authorization” in violation of New York law.
In some of the strongest language against the premise of e-mail privacy to date, the Court stated in its April 28, 2010 opinion:
[t]he concept of internet privacy is a fallacy upon which no one should rely. It is today’s reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke.
The Court found that e-mails are more akin to a postcard than a letter, as they are less secure and can easily be viewed by a passerby. An employee who sends an e-mail from a work computer sends a communication that will travel through the employer's central computer and will be commonly stored on the employer's server even after it is received and read. Once stored on the server, the employer can easily scan or read all stored e-mails or data. The same holds true once the e-mail reaches its destination, as it travels through the Internet via an Internet service provider. Accordingly, this process diminishes an individual's expectation of privacy in e-mail communications.
In contrast to the strong language from New York, the U.S. District Court for the Northern District of California ruled in Brahmana v. Lembo that a plaintiff could proceed to trial in his case alleging his employer committed an impermissible “interception” under the Electronic Communications Privacy Act (ECPA) by using keylogging to discover the password to his personal e-mail account and then using the logged password to access his personal e-mail. However, another California District Court found in United States v. Ropp that because the keylogger recorded the keystroke information in transit between the keyboard and the CPU, the system transmitting the information did not affect interstate commerce as required by the ECPA. Further complicating the issue, a federal court in Ohio questioned Ropp, suggesting in Porter v. Havlicek that it read the statute too narrowly by requiring the communication to be traveling in interstate commerce as opposed to merely “affecting interstate commerce.”
Because of the numerous issues arising from the use of electronic communications, and the varying court opinions on these questions, employers would do well to reexamine their use of keystroke monitoring or logging technology on a regular basis.
Co-author: Joseph J. Lazzarotti
New Jersey’s highest court has concluded that an employee, Marina Stengart, could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them. The Court went on to say that her employer’s counsel had violated the rules of professional conduct by reading her e-mails. The Supreme Court decided Stengart v. Loving Care on March 30, 2010, upholding the June 2009 decision of the state Appellate Division.
This case makes two important points for employers:
1) The Court stated that even a more clearly written and unambiguous policy regarding employer monitoring of e-mails would not be enforceable. That is, a clear policy stating that the employer could retrieve and read an employee’s attorney-client communication, accessed through a personal, password-protected e-mail account using the company’s computer system, will not overcome an employee’s expectation of privacy, and the privilege would remain.
2) The Court's opinion seems to suggest that employers cannot discipline employees for simply spending some time at work receiving personal, confidential legal advice from a private lawyer, although the Court noted that an employee who “spends long stretches of the workday” doing so may be disciplined.
The “Electronic Communication” policy in Loving Care's employee handbook governed employees’ use of company computers. The policy stated, among other things, “internet use and communication … are considered part of the company’s business” and “such communication are not to be considered private or personal to any individual employee.” However, the policy also provided, “[o]ccasional personal use is permitted.”
The Court found the Policy does not give express notice to employees that messages exchanged on a personal, password-protected, web-based e-mail account are subject to monitoring if company equipment is used. Although the Policy states that the company may review matters on “the company’s media systems and services,” those terms are not defined. The prohibition of certain uses of “the e-mail system” appears to refer to a company e-mail account, not personal accounts. Similarly, the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read. The Court also found the Policy creates ambiguity by declaring that e-mails “are not to be considered private or personal,” while also permitting “occasional personal use” of e-mail.
The Court determined that an employee’s reasonable expectation of privacy in a particular work setting must be addressed on a case-by-case basis, but stated that by using a personal e-mail account and not saving the password, Stengart had a subjectively reasonable expectation of privacy in the e-mails exchanged with her attorney on her personal, password-protected, web-based e-mail account, which was accessed on a company laptop. This subjective expectation of privacy was objectively reasonable in light of the ambiguous language of the Policy and the attorney-client nature of the communication.
This decision, and others highlighted previously in this blog, present numerous issues for employers. While it may not be enforceable in New Jersey, we recommend, in light of the reasoning in this decision, that employers consider modifying their existing electronic communication policies to include:
- Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
- Definitions of the specific technologies and devices to which the policies apply;
- Warnings that web-based, personal e-mail can be stored on the hard drive of a computer and forensically accessed;
- No ambiguities about personal use.
See our sample electronic communication policy outline for more information. However, even with such a policy in place, employers and their lawyers must be aware of the potential liability they face for improperly accessing information on the employers' systems which may later be deemed “private” or subject to a privilege.