In connection with its coverage of national signing day, ESPN.com recently highlighted that social media is increasingly being utilized by coaches to contact, recruit and gather information about players. For players, it’s a way to get recruited, control the message and interact with fans and other recruits at unprecedented levels.  And, like in the workplace, misuse of the media can have unfortunate consequences. A New Jersey high school prospect recently found this out when he was expelled from Don Bosco Preparatory after questionable posts were viewed on his Twitter account.  We have noticed similar trends and similar missteps in the employment context, where social media is often being utilized by companies and employees without first being well thought out. 

While the NCAA does provide some social media regulations, online interaction is far less regulated than more “old fashioned” forms of communication. According to Gregg Clifton, Co-chair of the Jackson Lewis’ Collegiate and Professional Sports Industry Group, “The days of face-to-face interaction between coach and recruit have been forever transformed. While the NCAA limits direct phone contact and texting by coaches to recruits, current NCAA regulatory freedom still permits coaches to use social media to contact, recruit, and gather information about players they are considering for their programs.” Similarly, both state and federal employment law struggle to keep up with the ever expanding social media realm.  This was most recently highlighted by the NLRB General Counsel’s report on social media. Consequently, even for employers that do have social media policies, they often do not address key issues such as the company’s presence on-line, regulatory requirements that apply in their industry, and how managers and supervisors should and should not be using the medium. In fact, as shown by many of the NLRB’s rulings discussed in the recent report, many policies contain overbroad proscriptions that violate a variety of laws.  

To keep up with social media, some schools are hiring individuals to monitor the social media of prospective student-athletes and to make sure that improper interaction is not occurring, as well as to ensure confidential information, such as under FERPA, is not being disclosed.  Employers too are seeking to hire individuals to not only assist in utilizing social media for marketing, but also individuals who can monitor how social media is and should be utilized in employment decisions.  This is particularly true for statutes and regulations which one may not necessary link with social media.  For example, employers often don’t realize that they may improperly acquire genetic information in violation of the GINA by “friending” or “following” employees or applicants. 

Of course, schools also are employers…so, while universities and colleges need to institute effective policies and procedures to address their use of social media in recruiting, they also must address social media usage in the employment context.  

In recognition of Data Privacy Day (January 28, 2012) and to facilitate a more interactive experience for our readers and subscribers, we want to extend to you the opportunity to tell us what is on your mind in the world of data privacy, social media and information management.

For the last two years, we have brought you developments on a wide range of issues concerning these topics. We realize many of you might like us to report on or provide information concerning certain issues/topics that we have not covered before. If so, please tell us!

To submit a topic, you can email us at informationrisk@jacksonlewis.com, or reach out to us through our Workplace Privacy Report on Facebook and Twitter. Feel free to “Like” our Facebook page and “Follow” us on Twitter by clicking on the corresponding buttons on the right below. If we select your topic, we will reach out to you privately to see if you would like us to identify you in the responsive post.

Of course, what would any communication from a lawyer be without a DISCLAIMER?

We look forward to hearing from you!

Today, the NLRB‘s Acting General Counsel posted a second report concerning social media issues and the National Labor Relations Act. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. Look for follow up analysis from us and our Labor partners.

Check out our prior reporting on related developments.

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites and that number is sure to grow significantly. One of the reasons for this growth will likely be due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

  • Understand the medium – what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
  • Determine desired uses – promotion of services/sales, recruiting, reputation management, community involvement, education, and so on. 
  • Assess risks – privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
  • Develop policies and procedures – control company message and regulate employee activity.
  • Implement and train and reevaluate – limit the number of employees who can speak for the organization, train employees on legal risks (such as with HR looking up applicant/employee background information on line), determine whether social media plan is producing desired results

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.   

An invasion-of-privacy claim against an insurance agent brought by his former employee should proceed even where a surveillance camera placed by the agent in the workplace’s unisex bathroom was faulty, the Iowa Supreme Court has ruled. Koeppel v. Speirs, No. 08-1927.

The district court dismissed the invasion-of-privacy claim on summary judgment because there was no proof that the equipment was operational or that the employer had actually viewed any recordings of the employees. The Court of Appeals reversed the dismissal, and on December 23, 2011, the Iowa Supreme Court affirmed the reversal and remanded the employee’s common law privacy claim to the district court.

The issue before the Iowa Supreme Court was whether an actual "viewing" was a necessary element of an invasion-of-privacy claim involving hidden monitoring equipment. Courts in other states have split on the issue. After analyzing decisions from other states and law review articles on privacy law as well as the origin of the term, "peeping Tom," the Iowa Supreme Court held that an actual viewing was not required. Following the reasoning of a 1964 New Hampshire Supreme Court decision, it concluded an intrusion occurs when the defendant performs an act that has the "potential to impair a person’s state of mind and comfort associated with the expectation of privacy."

The Iowa Supreme Court said, "[W]e think it is important to keep in mind that the tort [of invasion of privacy] protects against acts that interfere with a person’s mental well-being by intentionally exposing the person in an area cloaked with privacy." It determined that “[a]n electronic invasion occurs under the intrusion on solitude or seclusion component of the tort of invasion of privacy when the plaintiff establishes by a preponderance of evidence that the electronic device or equipment used by a defendant could have invaded privacy in some way.” Thus, under Koeppel, a victim’s mental state can be more important to an invasion of privacy claim than what the defendant actually viewed, accessed, or shared. (The employee here also sued for sexual harassment, but that claim was dismissed because an employer with fewer than four employees is not liable for sexual harassment under Iowa law.)

An invasion-of-privacy claim in Iowa, therefore, need not include a showing that the monitoring device was functioning at the time it was discovered or that it was ever used. It is sufficient that the device was capable of functioning.

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft. 

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

A Wall Street Journal article on December 2 discusses the National Labor Relations Board’s emergence into social media and non-union workplaces. For employers that have not looked at their policies and practices concerning employee activity in social media, this article serves as a good reminder. 

Click here for more information.   

Many employers often question what recourse is available when faced with the destruction or alteration of company data by former employees.  This question is made more complicated when employees use their own personal computer for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern division held that an employee’s use of her personal computer to delete e-mails on her employer’s computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).  

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers.  Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder.  This “hard delete” made the files hard to retrieve.  

Defendants sought to dismiss the CFAA claims.  Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it.  Although defendants cited to no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfieldhave concluded that using one’s personal computer will not support a CFAA unauthorized access claim.  Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them. 

Companies must be aware of jurisdictional nuances as they strive to protect themselves.  Stay tuned as we address similar issues in an upcoming series of posts! 

 As the holidays approach, I am reminded of an employment law attorney I used to know who wrote a column about this time of year about holiday parties. He would warn Human Resources (“HR”) professionals to beware of sexual harassment issues as the punch flows and inhibitions dissipate at the annual office get-together.  How things have changed. In this era of Facebook and I-phones, every day is a holiday party in terms of potential liability. It used to be the only photographic evidence of employee carousal was a black and white photocopy of someone’s derriere. Now, smart phones capture everything in full color pixilation and the evidence is posted instantly. We may never know what Herman Cain and his associates were up to in the 1990s, but if it had happened now, you can bet there would be a text, tweet, or digital photo to add fuel to the Yule log fire.

As 2011 draws to a close, most employers have realized they cannot ignore social media. Social media exponentially increases a company’s opportunity for marketing. But HR folks also know that social media exponentially increases the opportunities for employees to do silly things and get in trouble. More than one fast food franchise has had to respond to digital photos posted on line of teen-aged employees bathing in a restaurant sink. Even folks who ought to know better, including an NFL quarterback and a United States Congressman, allegedly sent digital photos of their sugarplums to women who either did not want them, or did not mind sharing them on the Internet.

Based on my conversations with members of corporate HR departments, in the 2012 New Year they will be facing Social Media 2.0 – Rise of the Smart Phones.  Anyone who does not already have a smart phone will probably get one for Hanukkah or Christmas. All employers should already have a social media policy addressing expectations of privacy, anti-harassment, overtime, trade secret protection, Federal Trade Commission (FTC) restrictions, and exceptions for concerted activity and protected speech under the National Labor Relations Act.  Next year, employers will need to consider whether certain categories of employees should be required to keep smart phones locked away during business hours and will also need to respond to the growing demands by employees that they be allowed to conduct confidential company business on their personal I-phone.

Many employment law attorneys and HR managers may be asking Santa for a respite from the technology onslaught, and may need a drink at the holiday party as much as the next employee.

 

 

The Minnesota Supreme Court issued a decision on November 16, 2011 holding that the state’s Genetic Privacy Act, Minn. Stat. Section 13.386 (2010) restricts the collection and use of blood samples taken from newborns pursuant to the state’s Newborn Screening Statutes, Minn. Stat. Section 144.125-128.  The litigation, captioned Bearder et al v. State of Minnesota, was initiated by a group of families with children born between 1998 and 2008 who challenged the newborn screening program run by the Minnesota Department of Health ("DOH"). The DOH’s program requires the collection of blood samples from newborn children within the fifth day of birth. The DOH analyzes the sample for the presence of substances that indicate the presence of a metabolic disorder. Only one of the many tests, a second level test for cystic fibrosis, analyzes DNA or RNA.  If a portion of any blood sample remained after screening tests were completed, the DOH either stored the sample indefinitely or allowed the Mayo Clinic to use the samples for unrelated studies, provided the samples had been either de-identified or Mayo had received written consent from the child’s legal guardian.

Plaintiff’s claimed that the Minnesota Genetic Privacy Act required the DOH to obtain informed consent before it could collect, use, store, or disseminate the samples that remained after the newborn health screening was complete. The trial court and Minnesota Court of Appeals rejected plaintiffs’ argument, but the Minnesota Supreme Court reversed, holding that the Genetic Privacy Act placed limits on the DOH’s practices. A central question in the case was whether a blood sample was properly considered "genetic information" as the term is defined in the state law. The Court held that it was, with one justice dissenting on that question.

Minnesota’s Genetic Privacy Act was passed in 2006 as part of the Data Practices Act which governs the use and disclosure of information by state and local government.  Although it is unclear whether the Minnesota Legislature intended to limit section 13.386 to public entities, the plan language of the statute suggests it may govern the collection of genetic information by private companies and employers as well. It certainly serves as a reminder that there is a growing body of federal and state regulation in the area of medical privacy. The lawsuit also highlights the public’s growing concern about the use of genetic information and may portend more litigation under federal laws such as GINA – the Genetic Information Nondiscrimination Act.