The District Court of New Jersey recently denied an employer’s motion to dismiss a former employee’s causes of action for invasion of privacy following a supervisor’s alleged unauthorized access to the employee’s Facebook account. 

In Ehling v. Monmouth-Ocean Hospital Service Corp., the plaintiff, a registered nurse and paramedic, alleged that the defendants engaged in a pattern of retaliatory conduct as soon as she became President of the local union. Specifically, the plaintiff alleged that defendants gained access to her “private” Facebook account by having a supervisor summon another employee, who was “friends” with the plaintiff, into an office and coercing or threatening that employee into accessing their Facebook account so that the supervisor could view those posts which the plaintiff had restricted to only her “friends.” Plaintiff went on to allege that the supervisor then viewed and copied plaintiff’s Facebook postings. One such post was in regard to a shooting that took place at the Holocaust Museum in Washington, DC and stated:

An 88 yr old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard (leaving children). Other guards opened fire. The 88 yr old was shot. He survived. I blame the DC paramedics. I wasn’t to say 2 things to the DC medics. 1. WHAT WERE YOU THINKING? and 2. This was your opportunity to really make a different! WTF!!!! And to the other guards…go to target practice.

Ultimately, in June 2009 the Hospital sent letters regarding the above posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services, as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Plaintiff alleged the letters were malicious and meant to damage her professionally.

The Court dismissed plaintiff’s New Jersey Wiretapping and Electronic Surveillance Control Act (“NJ Wiretap Act”) claim, holding that the NJ Wiretap Act only protects those electronic communications which are in the course of transmission or are backups of that transmission. Because plaintiff’s allegations involved a “live” posting, the claim did not fall under the purview of the NJ Wiretap Act.

However, the Court went on to hold that plaintiff’s common law invasion of privacy claim involving defendants’ unauthorized “accessing of her private Facebook postings” could proceed. Relying on another New Jersey district court case, which involved a supervisor’s asking an employee to gain access to a private social media account, the Court held that privacy determinations are made on a case-by-case basis, in light of all the facts presented. The Court went on to hold that the plaintiff had a plausible claim for invasion of privacy, as she may have had a reasonable expectation that her Facebook posting would remain private, considering that she actively took steps to protect her Facebook page from public viewing.

As we have mentioned before, legal guidance involving the utilization of social media in employment decisions is ever evolving and employers must remain vigilant as courts continue to develop these cases.  

In what could be a portent of broader actions to follow, the Federal Trade Commission (“FTC”) last week settled a $2.6 million claim against an employment background screening company for perceived violations of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a) (the “FCRA”). U.S. v. HireRight Solutions, Inc. This is the second-largest civil penalty obtained by the FTC against a private company for violations of the FCRA.

As employers increasingly rely on data brokers and credit reporting agencies to conduct background checks, they must review their background check providers’, as well as their own, policies and practices for legal compliance. Employer use of background reports is increasingly under review by state and federal authorities. Employers that have failed to comply with the FCRA’s procedures in obtaining background reports regarding employees have also been sued and faced liability in several lawsuits in the past several years.

As we have previously written, under recently-issued EEOC enforcement guidance, any employer seeking a criminal background check of a potential employee must engage in an individualized assessment of that individual to determine whether a background check is required. Employers also may want to look more closely at the methodologies their screening companies employ, and related representations made in service agreements, to ensure their vendors meet and continue to meet the increasing scrutiny on the screening process. 

The Fourth Circuit recently held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibitions against unauthorized access or access in excess of authorization were not violated by an employee when the employee used his valid access to his employer’s computer network to download confidential business information that he later used while working for a competitor.

Prior to his departure from his former employer, the defendant downloaded proprietary information from the plaintiff’s network which he allegedly used to win a contract for business. The plaintiff filed a civil lawsuit against defendant, alleging, among other things, that he violated the CFAA when he downloaded its proprietary information. Specifically, the plaintiff alleged that its policy prohibited employees from downloading confidential and proprietary information to a personal computer. 

In dismissing the CFAA claim, the trial court held, and the Fourth Circuit affirmed, that this policy only regulated the use of company information, not access to that information. Accordingly, a violation of the policy would not support liability under the CFAA’s authorized access provisions. The court ruled that the CFAA prohibits unauthorized acts of obtaining and altering information from a protected computer, not the unauthorized use of information that was lawfully accessed. Because the employee in this case was permitted to have access to the information at the time he downloaded it, his later use of that information for a subsequent employer did not violate the CFAA.

By its holding, the court agreed with the Ninth Circuit. However, the court rejected the Seventh Circuit’s reading of the CFAA that an employee loses lawful authority to access an employer’s computer network if the access violates the employee’s fiduciary duty of loyalty to the employer. The Fifth and Eleventh Circuits have similarly held that employees exceed authorized access under the CFAA whenever they go beyond the scope of the access their employer authorized.

While this decision may have limited Fourth Circuit employers’ ability to seek legal action against departing employees under the CFAA, employers in other jurisdictions, as highlighted above, must still consider what remedies may be available under the CFAA.

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive containing protected health and other personal information on over 14,000 patients and OHSU employees was stolen from the employee’s house, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review OHSU’s policies and procedures with 20/20 hindsight. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking not only about whether their safeguards are reasonable and "compliant," but about whether they will stand up to the applicable regulatory agency’s scrutiny following a data breach.

Before addressing the privacy of employee social media activity as Maryland and Illinois have, Delaware has become the first state to prohibit public or nonpublic academic institutions from requesting or requiring current students or applicants to "disclose any password or other related account information in order to gain access to the student’s or applicant’s social networking site profile or account by way of an electronic communication device." The law, called the "Higher Education Privacy Act," was signed into law on July 20 by Gov. Jack Markell and becomes effective upon enactment.

The Washington Post reported on Governor Pat Quinn’s signing of HB 3782 on August 1, 2012, at the Illinois Institute of Technology, making Illinois the second state following Maryland to prohibit employers from asking employees or applicants for their Facebook and other social media passwords. The law becomes effective January 1, 2013.

As we reported, HB 3782 amends the State’s Right to Privacy in the Workplace Act to make it illegal for employers to ask potential and current employees for their social media passwords:

It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.

However, the law would not limit an employer’s right to:

  • have policies to regulate employees’ use of the employer’s electronic equipment, Internet use, social networking site use, and electronic mail use; or
  • monitor the employee’s use of the employer’s electronic equipment and the employer’s electronic mail.

The law also would not prohibit employers from reviewing information about employees or applicants that is in the public domain, so long as the employer complies with other applicable law. Of course, even information in the public domain can have traps for the unwary employer, such as learning about an applicant’s family medical history on his or her Facebook site which would raise issues under the Genetic Information Nondiscrimination Act.

Recruiters are increasingly turning to social media to screen and recruit candidates. Jobvite’s 2012 Social Recruiting Survey found that 92% of respondents plan to use social media for recruiting.  Often, recruiters are viewing and considering information that should not be utilized in the hiring process.  LinkedIn is replete with information that should not be considered when searching for or selecting candidates.  Yet, the same survey found that LinkedIn is the most popular social networking site for recruiters. 

LinkedIn profiles likely contain photos of candidates and other information identifying a candidate’s race, ethnicity, age, disability, pregnancy, or religion.  Federal and state anti-discrimination laws prohibit companies from using such non-work-related information when hiring.  Additionally, the Equal Employment Opportunity Commission (EEOC) has issued regulations for the employment provisions of the Genetic Information Nondiscrimination Act (GINA) that prohibit acquisition of “genetic information” through social media.  

The EEOC also has made clear that it is focusing its litigation efforts on eliminating systemic discrimination, such as discriminatory barriers in recruitment and hiring. The EEOC’s Compliance Manual states that bias is not always conscious, and that actions infected by stereotyped thinking or other forms of less conscious bias are discriminatory.  It further states that it is discriminatory to use a screening procedure that has a significantly disparate impact.

Employers can separate recruiters who screen applicants through social media from individuals who are making the hiring decision. This would require a recruiter to search applicants online, scrub prohibited information, and deliver scrubbed profiles to a decision maker. This may be difficult for employers to act on without careful attention to detail and legal guidance to avoid significant risks. The process relies heavily upon a recruiter’s knowledge of employment laws to scrub prohibited information. Avoiding the issue because it is burdensome is quickly ceasing to be an option for employers.

Companies also can utilize third parties to screen applicants through social media as long as they are aware of the pitfalls.  First, many employers make little or no effort to determine whether the third party recruiters have developed appropriate safeguards.  Second, the Federal Trade Commission (FTC) has stated that employers who rely upon third parties for social media information about candidates must comply with the Fair Credit Reporting Act (FCRA).  

FCRA requires that an employer notify an applicant when it takes adverse actions based upon a consumer report. Employers also must provide the rejected applicant with notice of his or her right to view the data relied upon as well as give the individual the opportunity to dispute any inaccurate or incorrect information. Employers failing to comply with FCRA can be subject to tremendous liability. For example, Spokeo, Inc., a website that collects and sells detailed consumer information by compiling online data, recently agreed to pay $800,000 to settle FTC charges alleging that it violated FCRA in the employment screening context.

The EEOC, OFCCP (Office of Federal Contract Compliance Programs), and FTC are beginning to scrutinize employers that use social media to screen applicants.  Unfortunately, LinkedIn and other social media sites do not yet maintain a “safe” site for recruiters.  Employers need to anticipate government inquiry and not await the knock on the door.  Recruiters should be restricted from considering prohibited information about applicants, whether they are working on company time or researching an applicant on their own time.  They need appropriate social media guidelines and policies that are compliant with a host of laws.  Further, they need to be properly trained. 

Ignoring this problem or simply outsourcing recruitment to a third party without careful consideration of these issues and a recruiter’s qualifications is a recipe for lawsuits.

An employee’s claim that he did not realize his employer could view posts he made to a co-worker’s Facebook wall did not support his claim that the employer intruded upon the employee’s seclusion, a Texas Court of Appeals held last week. Sumien v. Careflite (Tex. App. 2012).

In this case, the plaintiff and some of his emergency medical technician co-workers were commenting on Facebook about wanting to "slap" or otherwise constrain patients who are difficult to control while they are being transported. The company terminated Sumien and another technician following the company’s Compliance Officer learning of these posts and receiving complaints about the comments.

In addition to wrongful termination and other claims, the plaintiff alleged that the employer’s viewing these comments amounted to an impermissible "intrusion upon seclusion." To prove an intrusion upon seclusion claim, the former employee needed to show "(i) an intentional intrusion, physical or otherwise, upon another’s solitude, seclusion, or private affairs or concerns that (ii) would be highly offensive to a reasonable person." The court found that not knowing his employer could view his comments did nothing to support the employee’s claims that the employer intentionally intruded upon his seclusion, and denied the appeal.

In addition to providing some authority to defend intrusion upon seclusion claims in similar circumstances, this case also shows that employers need to think through whether and to what extent they need to be more involved in controlling and shaping employee activity on social media. This case involved complaints from other employees about the posts, but also could have involved patient complaints relating to disclosures of protected health information under HIPAA. The posts also could have been viewed by the company’s business partners or potential business partners in a negative light, adversely affecting the company’s reputation. A well-drafted policy, training and consistent enforcement generally are good steps to minimizing these risks.

When an electronic storage device potentially containing ePHI was stolen from the vehicle of an Alaska Department of Health and Social Services (DHSS) employee on October 12, 2009, DHSS reported the breach to the Office of Civil Rights (OCR) pursuant to the HIPAA breach notification rule. The breach reportedly affected 501 individuals. However, according to a resolution agreement, OCR’s subsequent investigation found significant violations of some of the most basic HIPAA rules. Without admitting liability, DHSS agreed to pay $1,700,000 and to comply with a three-year corrective action plan.

After four rounds of written responses from DHSS, and a two-day on-site visit, OCR found that DHSS had not:

  1. completed a risk analysis;
  2. implemented sufficient risk management measures;
  3. completed security training for DHSS workforce members;
  4. implemented device and media controls; or
  5. addressed device and media encryption.

Data breaches continue to occur on a fairly regular basis, and the ubiquity of electronic storage devices, particularly those that are not encrypted, makes these incidents even more likely. This and other cases should help covered entities realize that enforcement agencies are acting on the notices they receive under the applicable breach notification statutes or regulations to find compliance violations.

This kind of enforcement activity, as in this case, could turn out to be quite a lucrative practice for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.

As we previously discussed, the Office of Civil Rights (“OCR”) continues to push forward with the HIPAA audits required by the HITECH Act. To this end, OCR recently posted on its website the protocol used to conduct the HIPAA audits.

The HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement this mandate, OCR piloted a program to perform audits of covered entities to assess privacy and security compliance. This HIPAA audit program analyzes the processes, controls, and policies of selected covered entities (e.g., health plans, health care clearinghouses, and certain health care providers) as well as the requirements to be assessed through these performance audits. The audit protocol is organized around “modules,” as follows:

  • The first audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for Protected Health Information (“PHI”), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • The second protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The third protocol covers requirements for the Breach Notification Rule.

Notably, the combination of these multiple requirements may vary based on the type of covered entity selected for review. Healthcare providers, health plans, and business associates, all of whom could be affected by the HIPAA audits, need to be aware not only of OCR’s audit activities but also of HHS’s efforts to increase enforcement of HIPAA.