Keyloggers Beware--Companies Risk Being Sued By Employees

Posted on September 27, 2011 by Jason C. Gavejian

A U.S. District Court in Indiana has ruled that a company's use of keylogger software to access an employee's personal e-mail account may have violated the Stored Communications Act (“SCA”).  

Keylogging or keystroke logging is the tracking of the keys struck on a keyboard, typically in a covert manner.  

In Rene v. G.F. Fishers, Inc.,the company utilized keylogger software and was sued by one of its employees for violations of the SCA, the Indiana Wiretap Act (“IWA”), and the Federal Wiretap Act.  The company generally prohibited personal use of its computers, however, it permitted the employee to access her personal checking account and personal e-mail account from the company computer.  The employee was later notified that the company had installed keylogger software on the computer.  Utilizing the keylogger software, the company accessed the employee’s personal e-mail account and personal checking account (acquiring the passwords utilizing the keylogger software), and reviewed and discussed the messages and contents. 

The employee was fired for “poor performance” after complaining about the access. She sued her former employer, alleging the company violated the SCA, IWA, and the Federal Wiretap Act.  While the court did not address certain factual issues under the SCA (e.g., whether the company accessed the employee’s e-mail messages before the employee opened them), it held that by alleging that the employer accessed her e-mail messages the employee had satisfied the burden of asserting a violation of the SCA.  The court also denied the company’s motion to dismiss the former employee’s IWA claim, but it did dismiss the Federal Wiretap Act claim. 

As we have previously discussed, jurisdictions are at odds over the use of keylogger software in the employment context.  Employers should carefully consider their use of keylogger or monitoring technology and consult counsel as to best practices for the jurisdiction in which you are located.   

Tags: , , , , , , , , , , , , , , , , , , , , , , ,

No Discovery of Patient Records In Federal Employment Case

Posted on July 26, 2011 by Jason C. Gavejian

The U.S. District Court for the Southern District of Ohio found the confidentiality rights of patients outweighed a plaintiff’s need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc.  Plaintiff, a former nurse, brought suit in the federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws.  Specifically, plaintiff alleged defendant had alternative motives for plaintiff’s termination, including plaintiff’s age, perceived disability, and plaintiff’s request for FMLA leave.  To establish her case, plaintiff sought to ascertain through the discovery process, whether other similarly situated nurses, were treated in a like manner.  To do so, plaintiff filed a motion to compel seeking access to non-party patient records in an attempt to discern if other nurses participated in essentially the same conduct for which defendant terminated plaintiff, but were not themselves terminated.  The Magistrate Judge denied plaintiff’s motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records.  The plaintiff objected to the Magistrate Judge’s Order, and those objections were heard by the District Court Judge.  The District Court Judge held that “[a]lthough state privilege law does not control…there are abundant and adequate federal principals that protect patient confidentiality.”  The Court went on to state,

the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records. 

The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.

The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiff’s bar in an effort to prove the merits of their client’s claims.  Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiff’s unfounded discovery requests and to protect their patients privacy.  

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Alleged HIPAA Violation Supports State Common Law Negligence Claim

Posted on July 5, 2011 by Jason C. Gavejian

A Missouri federal district court has ruled, in I.S. v. Washington University, that a HIPAA-covered entity's disclosure of protected information can form the basis for a state-law negligence claim.  The Court reached this holding despite the well-accepted principle there is no private cause of action under HIPAA. 

The plaintiff, I.S., was undergoing medical treatment for colon cancer at Washington University.  I.S. gave Washington University a limited authorization to disclose only the dates of her treatments in order to satisfy her employer’s medical leave requirements.  Notwithstanding this limited authorization, plaintiff asserts that Washington University also sent her employer additional medical records and information that far exceeded her authorization. These included I.S.’s HIV status, mental health issues, and insomnia treatments.  Based on that disclosure, I.S. sued Washington University for negligence per se based on a violation of HIPAA. 

Procedurally, Washington University removed the state court action to federal court and sought dismissal of the negligence per se claim, arguing that HIPAA does not create a private cause of action. 

The district court, disagreeing with Washington University, held the plaintiff’s claim could stand despite its exclusive reliance on HIPAA.   The court held that a federal statute that does not provide for a private right of action nevertheless may be a legitimate element of a state law negligence per se claim. 

Under Missouri law, among other things, the plaintiff must show:

·         a violation of a statute or ordinance occurred,

·         the plaintiff was a member of the class of people intended to be protected,

·         the injury complained of was of the type intended to protect against, and

·         the violation was the proximate cause of the plaintiff's injury.  

The Court found that I.S. had met all of the required elements of her claim and remanded the case back to state court. It held that I.S.'s claim, although premised on HIPAA, did not raise a federal question as it did not raise any compelling federal interests or present a substantial federal question.  

This case illustrates the need for HIPAA covered entities to provide training and institute policies and procedures regarding HIPAA compliance.  Here, a process for responding to requests for information would have highlighted the importance of carefully adhering to the limits of the authorization and prevented this alleged unauthorized disclosure, thus precluding I.S.’s claims.  Additionally, employers, and their counsel, must be aware that common law claims may support litigation based on HIPAA, despite the fact HIPAA itself does not provide for a private cause of action. 

Tags: , , , , , , , , , , , , , , , , , , ,

Addressing Social Media Use--Recent Ruling on Students' Social Networking Reaffirms Need for Policies and Training

Posted on June 16, 2011 by Jason C. Gavejian

Co-Author:  Joseph J. Lazzarotti

The pervasiveness of social media in professional and everyday communication is a hot button issue (discussed at length here), particularly for private and public employers and organizations.  In fact, many organizations have adopted, or are considering adopting, social media policies for employees and providing training for how employees should interact in cyberspace.  But what should those policies say and what should the training focus on?

To answer those questions, organizations should, among other things, develop and shape their policies, training and discipline concerning social media with an eye toward their particular businesses, regulatory environments, and whether they are in the public or private sectors. A number of recent developments show why this is critical:

·         Two recent Third Circuit opinions handed down on June 13, 2011-- J.S. v. Blue Mountain School District and Layshock v. Hermitage School District (discussed below)-- illustrate the importance of educating employees (teachers and administrators) about student’s First Amendment rights concerning social media and when discipline is appropriate,

·         FTC’s guidelines for endorsement of products or services are important for businesses whose employees are likely to be commenting online about the company’s products and services,

·         The NLRB’s recent actions regarding social media use and the National Labor Relations Act are important for all employers, particularly those in traditionally union-dominated industries,

·         The use of social media in the health care setting is presenting a range of challenges under HIPAA and patient privacy generally.

In addressing the extent to which school officials can regulate student speech, the Third Circuit Court of Appeals has held that school officials violated students’ First Amendment free speech rights by disciplining students for creating, outside of school, “fake” social networking profiles ridiculing their school principals. 

In Blue Mountain School District, 8th grader J.S., using her home computer, created a MySpace profile in the name of her principal.  The profile was presented as a self-portrayal of a bisexual Alabama middle-school principal named “M-Hoe,” and contained crude and vulgar content. Upon learning of the content, the School District suspended J.S. for 10 days.  The Court held that because J.S. was suspended for speech that caused no substantial disruption in school and that could not reasonably have led school officials to forecast substantial disruption in school, the School District’s actions violated J.S.’s First Amendment free speech rights.  

In Layshock, Justin Layshock, a high school senior, using his grandmother’s computer, also created a MySpace profile in the name of his principal.  The profile included “degrading” content regarding the principal.  Upon learning of the profile, the School District suspended Justin for 10 days.  In analyzing whether a school district may punish a student for expressive conduct that originated outside of the schoolhouse, did not disturb the school environment, and was not related to any school-sponsored event, the Court found the School District was prohibited from reaching beyond the school yard.  

These decisions were based on the Supreme Court’s landmark case on the First Amendment’s application to public schools is Tinker v. Des Moines Indep. Cmty. Sch. Dist., 393 U.S. 503 (1969).  In Tinker, a group of high school students decided to wear black armbands to school to protest the war in Vietnam.  When school officials learned of the plan, they preemptively prohibited students from wearing armbands.  Several students who ignored the prohibition and wore armbands to school were suspended.  Eventually, the students brought suit alleging their First Amendment rights had been violated.  The Supreme Court overruled the district and circuit courts, holding that student expression may not be suppressed unless school officials reasonably conclude that such expression will “materially and substantially" disrupt the work and discipline of the school. 

These cases demonstrate the court's struggle in addressing social media content, especially where there are additional constitutional concerns when a party is a public entity.  For many organizations, First Amendment issues will not be at issue, but there likely will be other considerations.  As each and every industry is impacted by social media, attempting to address it in a one-size-fits-all manner without taking appropriate considerations into account is not only impractical, but in some cases unlawful.  As these developments have shown, efforts to address social media must include an effective industry specific social media policy coupled with training programs to educate employees on the use of social media in all facets of employment and conducting the entity's business. 

Tags: , , , , , , , , , , , , , , , , , , , , ,

"Tagged" Facebook Photos Admissible as Evidence

Posted on March 29, 2011 by Jason C. Gavejian

Trying to keep up with the fast-moving world of social media, the Kentucky Court of Appeals has ruled that “tagged” or captioned photographs posted on Facebook may be admitted as evidence. The ruling in the case has implications for employers.  In LaLonde v. LaLonde, the appellant-wife objected to the trial court’s admitting into evidence photographs taken from Facebook that identified her by “tagging.”  The photographs appeared to show her consuming alcohol in contradiction to the advice of her mental health providers—a key issue in the custody dispute.     

The wife argued the photographs should not be admitted because Facebook allows anyone to post pictures and then “tag” or identify people in the pictures and she never gave permission for the photographs to be published in this manner on.  Rejecting this argument, the appellate court held, “There is nothing in the law that requires permission when someone takes a picture and posts it on a Facebook page.  There is nothing that requires her permission when she was ‘tagged’ or identified as a person in those pictures.”  The Court acknowledged that modern digital photography techniques may allow for alteration of the photograph, but pointed out that the wife never suggested such techniques were used, instead acknowledging the pictures were accurate.

The potential implications of this holding are numerous.  As we have previously discussed, employers may be able to use social media (which arguably includes tagged pictures) to fight emotional distress damages.  Similarly, as we described here, Facebook content has been utilized by employers in disciplinary decisions.   Our Social Media White Paper provides a helpful discussion of this and other issues employers should think about when it comes to social media.

Tags: , , , , , , , , , , , , , ,

Supreme Court Issues Decision in City of Ontario v. Quon - Search of Text Messages Held Reasonable, Ninth Circuit Reversed

Posted on June 17, 2010 by Jason C. Gavejian

The Supreme Court today issued its decision in City of Ontario, California v. Quon.  In a unanimous decision, the Court held that the search of Quon's text messages, sent or received on his department issued pager, was reasonable and did not violate Quon's Fourth Amendment rights. 

As set forth in the opinion, the Court did not resolve the parties disagreement over Quon's privacy expectations, and instead disposed the case on the narrower grounds of the reasonableness of the search.  While the Court chose not to utilize the facts of this case to establish far-reaching premises that define the existence, and extent, of privacy expectations of employees using employer-provided communication devices, the Court did note that 

Employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.

Click here for a more in depth analysis of the decision. See our previous posts on Quon, here and here

Tags: , , , , , , , ,

Employees Claiming Emotional Distress Must Produce Social Network (Facebook and MySpace) Information In Discovery

Posted on June 15, 2010 by Jason C. Gavejian

All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).

Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.

The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”

The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury.  It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”

The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”

This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature. 

Tags: , , , , , , , , , , ,