-
NLRB Report Challenges Validity of Many Commonly Used Social Media Policies
Posted on January 27th, 2012
In its most recent effort to draw lines on the self-described “hot topic” of the “lawfulness of employers’ social media policies and rules,” the National Labor Relations Board’s (NLRB) Office of General Counsel has taken the position that many policy provisions commonly seen in employers’ social media policies violate the National Labor Relations Act (NLRA). This most recent shot across the bow came on January 24, 2012, in the form of a report, issued to senior regional staff, on 14 cases which, according to the General Counsel, “present emerging issues in the context of social media.” This report follows a previous General Counsel report, dated August 18, 2011, which discussed 14 prior NLRB cases involving social media issues.
The cases treated in the report also contain the General Counsel’s opinion on whether the employer in each case violated the NLRA by imposing discipline based on social media conduct. We will cover this aspect of the report in a separate and forthcoming blog post. Here, we will focus on the thicket that the NLRB has created for employers who are trying to gain some reasonable control over what employees publish in social media, often to the world, about co-workers, supervisors, the workplace, and the employer’s products and services.
Each of the headings below reviews the General Counsel’s current position on a particular type of commonly used policy provision. Employers should carefully review their existing policies and any new policy in light of the General Counsel’s most recent report. With careful drafting and the use of examples and limiting language, employers should still be able to achieve their objectives of gaining limited control over the Wild West of social media content while staying within the parameters of the NLRA.
No Defamation/Non-Disparagement: No employer likes seeing its employees or organization trashed in social media, but, according to the General Counsel, a broad non-disparagement policy violates the NLRA on a per se basis because it could inhibit employees from making negative comments about the terms and conditions of their employment. For example, the General Counsel opined in the report that the following policy prohibition is illegal: “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The General Counsel reached the same conclusion on a policy which prohibits “discriminatory, defamatory, or harassing web entries about specific employees, work environment, or work-related issues on social media sites.”
While the General Counsel’s opinion sounds frustrating, employers should not despair. The General Counsel explains that by including non-disparagement policy language within a list of other forms of unprotected conduct, an employer’s non-disparagement policy will comply with the NLRA. To illustrate the point, the General Counsel pointed to the NLRB’s holding that a policy prohibiting “statements which are slanderous or detrimental to the company” was lawful when it “appeared on a list of prohibited conduct including ‘sexual or racial harassment’ and ‘sabotage.’” Following this authority, the General Counsel gave its stamp of approval in the report to a policy which “prohibited the use of social media to post or display comments about coworkers or supervisors or the Employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.”
Confidentiality: Protecting confidential information and trade secrets from competitors is critical to every organization. According to the General Counsel, however, a confidentiality policy is illegal if it would impinge on employees’ ability to discuss their wages and working conditions with others inside or outside the organization. Consistent with that reasoning, the General Counsel’s report rejected a provision in an employer’s social media policy that prohibited employees from “disclosing or communicating . . . confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department.” By contrast, the General Counsel approved a policy provision that “prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients” as well as “‘embargoed information,’ such as launch and release dates and pending reorganizations.” The General Counsel approved of this policy language based on the following reasoning: “Considering that the Employer sells pharmaceuticals and that the rule contains several references to customers, patients, and health information, employees would reasonably understand that this rule was intended to protect the privacy interests of the Employer's customers and not to restrict Section 7 protected communications.”
The General Counsel’s distinction between the two confidentiality provisions suggests a potential litmus test for confidentiality language in a social media policy: if the policy reasonably could be read to prevent employees from disclosing the amount of their compensation to family members, the General Counsel likely would find the policy to be overbroad. Employers should note that this same issue could apply to confidentiality agreements signed by hourly workers, and not just to confidentiality requirements in a social media policy.
Logos/Trademarks: Organizations understandably want to control use of their logo and trademarks. Nonetheless, a social media policy which prohibits “use of the company’s name or service marks outside the course of business without prior approval of the law department” is, according to the General Counsel, unlawful. The General Counsel takes the position that employees have the right under the NLRA to use the company’s name and logo “while engaging in protected concerted activity, such as in electronic or paper leaflets, cartoons, or picket signs in connection with a protest involving the terms and conditions of employment.” The General Counsel reasoned that such protected use of a company’s name and logo does not “remotely implicate[]” the company’s interests protected by trademark law, “such as the trademark holder’s interests in protecting the good reputation associated with the mark from the possibility of being tarnished by inferior merchandise sold by another entity using the trademark and in being able to enter a related commercial field and use its well-established trademark.”
This reasoning is wrong. An employee easily could damage brand reputation and engender customer confusion by, for example, creating a Facebook page with the corporate name and logo. At a minimum, an employer should be able to prohibit employees from using the company name or logo when engaging in, or depicting in social media, any conduct which violates the Company’s policies or is unlawful; such a policy would not encompass activity protected by Section 7 of the NLRA. Employers also should consider consulting intellectual property counsel about logo and trademark issues and not necessarily develop a marketing strategy based solely on NLRA issues. However, the General Counsel’s analysis (which is not law, but rather the Office’s view of the law) should not be fully ignored either.
Employee Disclaimers: Social media policies commonly mandate that employees must include a disclaimer in any social media content that relates to the employer. For example, in one of the cases discussed in the General Counsel’s report, the employer’s social media policy required that employees “expressly state that their comments are their personal opinions and do not necessarily reflect the Employer’s opinions.” The General Counsel opined that this policy requirement violates the NLRA because it “would significantly burden the exercise of employees’ Section 7 rights to discuss working conditions and criticize the Employer’s labor policies.” Fortunately, employers can achieve a similar result with a policy that prohibits employees from representing in any way that they are speaking on the Company’s behalf without prior written authorization to do so.
It is worth noting that the General Counsel did approve an employee disclaimer requirement in the section of a social media policy addressing product promotions. The General Counsel explained that in context, this provision could not be read to interfere with Section 7 rights because the policy focused on product promotions and endorsements and was intended to avoid potential liability for unfair and deceptive trade practices under guidance issued by the Federal Trade Commission.
Discussions of Work-Related Concerns: The aphorism, “Don’t hang out your dirty laundry,” may seem antiquated but many employers still say just that in their social media policy. By way of illustration, one policy discussed in the General Counsel’s report “required employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination.” The General Counsel concluded that this policy violated the NLRA because of the threat of discipline. Employers can avoid this potential pitfall by urging, but not mandating, that employees use internal channels, rather than social media, to resolve workplace concerns. In that regard, the General Counsel’s opinion is nothing new, but rather is in line with traditional NLRA law on protected, concerted activity in general.
Communications with the Media: Social media policies often tell employees not to discuss with the media their social media content related to the company. The General Counsel’s report finds such prohibitions illegal. (“An employer’s rule that prohibits employee communications to the media or requires prior authorization for such communications is therefore unlawfully overbroad.”) However, a similar report issued by the General Counsel on August 18, 2011, recognized that “a media policy that simply seeks to ensure a consistent, controlled company message and limits employee contact with the media only to the extent necessary to effect that result cannot be reasonably interpreted to restrict Section 7 communications.” In light of that principle, the General Counsel blessed the media policy in question because the “policy repeatedly stated that the purpose of the policy was to ensure that only one person spoke for the company” and even though “employees were instructed to answer all media/reporter questions in a particular way.” In other words, it appears that employers can still carefully craft a provision on media relations in a social media policy which complies with the NLRA.
“Unprofessional” Content: In several of the reported cases, the General Counsel took issue with policy terms that were undefined, vague, or subjective. These terms included prohibitions on “insubordination or other disrespectful conduct,” “inappropriate conversation,” “unprofessional communication that could negatively impact the Employer’s reputation or interfere with the Employer’s mission,” and “nonprofessional/inappropriate communication regarding members of the Employer’s community” as well as the requirement that social media activity occur in an “honest, professional, and appropriate manner.” Employers can achieve the intended objectives of this disfavored language by using terms that are defined in the social media policy or other policies or by providing examples of prohibited conduct with examples that do not include conduct protected by the NLRA.
Employee’s Self-Identification: Some employers have tried to protect their organization by telling employees not to identify their affiliation with the organization when engaging in social media activity unless there is a legitimate business reason for doing so. In its report, the General Counsel took the position that this type of policy violates the NLRA “because personal profile pages serve an important function in enabling employees to use online social networks to find and communicate with their fellow employees at their own or other locations.” Employers should not view the General Counsel’s position here as a particular setback. Telling employees not to mention their employer by name in a personal profile is akin to telling them not to do the same at a cocktail party; the rule would be honored in the breach.
Securities Blackouts: Publicly traded companies are rightfully concerned that employees may let slip on social media highly sensitive information about a corporate transaction, new product launch, or non-public financial information. Among the few policy provisions with which the General Counsel did not take issue was one which stated that the employer might “request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws.” The General Counsel reasoned that “employees reasonably would interpret the rule to address only those communications that could implicate security regulations,” as opposed to the terms and conditions of their employment.
Employer Disclaimers: In the wake of the NLRB’s aggressive position since the AMR case in late 2010 on social media policies and employee discipline based on social media conduct, many employment and labor law practitioners have recommended the inclusion of a disclaimer in social media policies. The disclaimer explains that the employer’s policies are not intended to interfere with employees’ rights under the NLRA. In its first public review of a disclaimer in a social media policy, the Board somewhat surprisingly took the position that such a disclaimer was ineffective. In that case, the disclaimer stated as follows:
[T]he policy [will] not be interpreted or applied so as to interfere with employee rights to self-organize, form, join, or assist labor organizations, to bargain collectively through representatives of their choosing, or to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from engaging in such activities.
According to the General Counsel, this disclaimer could not “save” a policy provision prohibiting employees from posting “inappropriate” content because “an employee could not reasonably be expected to know that this language encompasses discussions the Employer deems ‘inappropriate.’” Given the detailed nature of the disclaimer in question, this conclusion suggests the General Counsel, and possibly the Board itself, will view skeptically any effort by an employer to rely upon a disclaimer to protect an otherwise overbroad social media policy. That is an unfortunate result for employers, as a disclaimer seemed to be the answer to keeping a policy simple and uncluttered, without violating the NLRA. Now employers should consider instead replacing such a disclaimer with a list of specific limitations or examples, such as those discussed above which can transform an otherwise overbroad (at least in the eyes of the General Counsel) non-disparagement provision into one that complies fully with the NLRA.
-
What Does The Supreme Court’s "GPS Decision" Mean For Private Employers?
Posted on January 24th, 2012
The Supreme Court ruled unanimously yesterday that law enforcement must obtain a search warrant before placing a Global Positioning System (GPS) device on a suspect’s vehicle for purposes of tracking the vehicle’s location. The decision effectively overturned Antoine Jones’s life sentence for drug trafficking which was obtained, in part, through the use of location tracking information generated by a GPS device secretly placed by the FBI, without a search warrant, on Jones’s wife’s Jeep Grand Cherokee. Although the Court’s analysis focuses exclusively on the Fourth Amendment to the U.S. Constitution, which applies only to government actors, the decision has potentially important implications for private employers who are turning increasingly to location-tracking capabilities in vehicles, smartphones, and even laptops to track employees for management and investigative purposes.
To begin with, the Court’s decision highlights the dearth of legislation in the area. None of the Court’s three opinions (the lead opinion by Justice Scalia, a concurrence in that opinion by Justice Sotomayor, and an opinion by Justice Alito concurring in the result but not with Justice Scalia’s reasoning) cited a single federal or state law which regulates location tracking. California’s statute prohibiting the installation of a tracking device on a vehicle without the consent of the vehicle’s owner or lessor appears to be one of only two laws (the other is in Texas) on the subject with a significant impact on private employers. In the wake of the Supreme Court’s decision, employers should expect legislative activity in the area.
The decision also is important for private employers because five justices, Justice Alito (joined in his concurrence by Justices Ginsburg, Breyer, and Kagan) as well as Justice Sotomayor, rejected the majority position in the state and federal judiciary on the privacy of location data. Under that view, location tracking does not infringe any privacy interest because the location of a vehicle or a person in a public place is fundamentally not private. This majority view effectively leaves private employees without any remedy for an employer’s use of location tracking because a common law invasion of privacy claim can be asserted only for the breach of a recognized privacy interest, and a statutory remedy for unauthorized location tracking is rarely available.
In rejecting the majority view, the five justices found a protected privacy interest in the patterns of private activity that can be derived from continuous location tracking notwithstanding the public nature of any particular data point. In the words of Justice Sotomayor, “GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” This view likely will have a significant influence on the thinking of trial and appellate court judges when confronted with an invasion of privacy claim based on an employer’s unauthorized tracking of an employee during non-working hours. An employer might be tempted to engage in such tracking, for example, to check for abuse of paid or unpaid leave or to investigate suspected moonlighting or a potentially fraudulent workers’ compensation claim.
Consequently, the most important lesson for private employers to draw from the Court’s decision is the importance of limiting location tracking to working hours when the pattern of location data should not reveal details of an employee’s private life, and if it does, the employer has a legitimate business reason for knowing what the employee is doing other than earning his or her compensation. The New York appellate decision that we covered in last week’s blog post illustrates the point. In that case, the majority did not take issue with the New York State Department of Labor’s 24/7 tracking of a high-level employee’s personal vehicle because the employer had a reasonable suspicion that the employee was not working when he said that he was. Under that reasoning, tracking an employee during working hours clearly would be permissible. On the other hand, the dissenting judges in the New York case found that tracking the employee during non-working hours was excessively intrusive, particularly because the GPS device reported the employee’s location during a week-long family vacation.
Employers should note that many GPS devices are either on at all times or off. In these circumstances, employers should develop controls that will limit access to location tracking information to employees’ scheduled working hours.
Finally, private employers should note Justice Scalia’s reliance on the notion of trespass in finding that the government’s warrantless installation of the GPS device on Jones’s wife’s Jeep violated the Fourth Amendment. Similarly, an employer’s unauthorized placement of a GPS device on an employee’s personal vehicle might support a claim based on a common law trespass theory. As a result, employers should be particularly cautious when using any form of location tracking not associated with company-owned equipment.
-
Is It Legal for an Employer to Secretly Track an Employee’s Personal Vehicle 24/7 for One Month? Perhaps!
Posted on January 20th, 2012
A recent decision by a New York appellate court is one of the first cases to address the surreptitious use of location tracking for employment purposes. The 3-2 split decision highlights the ongoing disagreement among judges over the lawful use of Global Positioning Systems (GPS). The New York case is particularly noteworthy because the U.S. Supreme Court in U.S. v. Jones (argued November 7, 2011) is currently considering virtually the same issue addressed by the New York court, but in the criminal context. (Note: the lower court case is U.S. v. Maynard; on certiorari to the U.S. Supreme Court, the case is U.S. v. Jones, referring to respondent Antoine Jones.) Given the increasing use of GPS in the workplace, employers need to understand the legal risks associated with this highly effective management and investigative tool.
The subject of the New York case was a 30-year employee of New York’s Department of Labor, serving most of that time as the Department’s Director of Staff and Organizational Development. Despite his high-level position, he had been a “problem employee” for nearly a decade, having been disciplined on several occasions. The dispute that ultimately led to the appellate court decision had its inception in the Labor Department’s investigation of the employee for falsifying time records. The Department initially tried to track him the “old-fashioned way,” i.e., by tailing him, but the employee spotted and evaded the tail. The state’s Inspector General, to whom the Labor Department referred the investigation, then secretly planted a GPS device on the employee’s personal vehicle and collected location data 24/7 for a one-month period. Based, in part, on the location data collected, a Labor Department hearing officer recommended the employee’s termination for, among other things, falsifying time records.
Although the employee was a public employee, his case has relevance for private employers for the following reason. On appeal, the employee contended that the Labor Department could not lawfully rely on the location-tracking data to discipline him, invoking the exclusionary rule in New York’s civil service law. Under that rule, the hearing officer and the appellate court had to determine whether the Inspector General’s use of surreptitious location tracking was reasonable at inception and in its scope. That standard is similar to (albeit somewhat lower than) the standard that a court would apply to determine whether a private employer’s use of GPS to track an employee constituted a common law invasion of privacy. Given that no state other than California has enacted a law that prohibits a private employer from tracking an employee’s personal vehicle, a private employee terminated based on location information most likely would rely on a common law invasion of privacy claim to obtain a remedy.
The appellate court’s split decision on the reasonableness of the Inspector General’s use of location tracking highlights the difficult balancing that private employers must conduct when considering whether to use GPS as an investigative tool. All five judges agreed that use of the GPS was reasonable at inception because the Labor Department had a reasonable suspicion of the employee’s wrongdoing. The three-judge majority further concluded that 24/7 location tracking for one month was reasonable because the employee had intentionally undermined less intrusive investigative methods and because “the GPS devices were not constantly monitored;” instead, the Inspector General extracted only location information revealing the employee’s whereabouts during working hours. Rejecting this reason, the two dissenters emphasized that the Labor Department’s “valid interest in [the employee’s] whereabouts extended only to the hours of his workday and yet the tracking had continued for one month.” The dissenters found it particularly troubling that the Inspector General had tracked the employee’s location during a week-long family vacation.
The reasoning on both sides of the decision provides useful guidance for private employers seeking to use location tracking as an investigative tool. At least until the courts provide more guidance, it would be prudent for employers to use surreptitious location tracking only when other, less intrusive methods would be unsuccessful. In addition, where technically feasible, location tracking should be limited to working hours. When not technically feasible, employers should access only location data recorded during working hours.
-
Upcoming Privacy Events
Posted on December 20th, 2011
Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:
Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.
Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:
- Raise employee awareness and educate employees in the handling of sensitive data
- Safeguard company equipment and wireless devices and minimize damage in the event of breach
- Protect corporate networks from the use of multiple portable devices while preserving employee rights
- Establish policies and procedures to strengthen and maintain data security
For more information and to register, please click here (pdf).
Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.
Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.
-
New Littler Blog: Employee Benefits Counsel
Posted on December 1st, 2011
We are pleased to announce a new addition to Littler's blogroll:
Brought to you by Littler's Employee Benefits, ERISA and Benefit Plan Litigation, and Executive Compensation practice groups, this blog covers:
- Legislative and regulatory developments in the employee benefits arena, including the topics of health care reform; plan design and administration; employee benefits litigation; and
- Executive compensation, providing insight and analysis on legal developments that warrant discussion.
During this time of significant governmental change and shifts in the strategy and style of benefits litigation, Littler's depth of experience in employee benefits, litigation, and executive compensation matters gives our attorneys a distinctly broad perspective with which to provide insight and useful analysis of the latest developments. To subscribe to receive email alerts of new blog posts, please enter your email address in the Subscribe box on the right side of the Employee Benefits Counsel blog homepage.
-
EEOC Advisory Opinion on Employer Use of Arrest & Conviction Records During Hiring Process
Posted on October 25th, 2011
The Equal Employment Opportunity Commission's Office of Legal Counsel released an advisory opinion on employer use of arrest and conviction records during the hiring process. The non-binding letter provides some insight into the Commission's current enforcement position and suggests the Commission: (1) will continue to differentiate between arrest and conviction records; (2) may not be prepared to adopt a presumption of disparate impact in this context; and (3) will, in the event of a finding of disparate impact, closely scrutinize the employer's policy with regard to both how long convictions are disqualifying and whether the underlying criminal conduct is related to the job duties for the position in question. To learn more about the EEOC's advisory opinion and its potential impact on employers, please continue reading Littler's Insight, EEOC Advisory Guidance Offers Insight on the Use of Arrest and Conviction Records, by Rod Fliegel and Jennifer Mora.
-
California Restricts Employer Use of Credit Reports
Posted on October 10th, 2011 No comments
On October 10, 2011, the Office of California Governor Jerry Brown announced that Governor Brown had signed AB 22, legislation that adds a new provision to the California Labor Code and amends the state's Consumer Credit Reporting Agencies Act to restrict the discretion that private and public sector employers have to use "consumer credit reports" for hiring and personnel decisions. Together, the new laws, which take effect on January 1, 2012, limit when employers lawfully can use consumer credit reports and impose notice and disclosure obligations on employers who intend to do so. To learn more about the laws and their implications for employers, please continue reading Littler's ASAP, California Joins States Restricting Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.
-
NLRB Opens Useful Escape Hatch for Employers Responding to Obnoxious Social Media Conduct
Posted on October 3rd, 2011 No comments
Selling luxury cars in a down economy can be tough enough without employees mocking a company-sponsored sales event on their Facebook page. An administrative law judge (ALJ) with the National Labor Relations Board (NLRB) issued an opinion last week holding that the National Labor Relations Act (NLRA) protected an employee’s sarcastic post, but nonetheless upheld the dealership’s termination decision because it was based on other, unprotected Facebook content. The decision is an important reminder for employers that when protected and unprotected content appear on the same Facebook wall, the protected content does not shield the employee from discipline based on the unprotected content.
The Knauz BMW dealership in Lake Bluff, Illinois, planned the “Ultimate Driving Event” to introduce the redesigned BMW 5 Series to its customers. At the event, the dealership not only offered BMW representatives, rather than the dealership’s sales staff, to take customers for a test drive, but also served hot dogs from a hot dog car as well as chocolate chip cookies, small bags of Doritos, and water. Upon learning of the dealership’s plans for the event, salesman Bobby Becker and at least one other salesperson questioned the culinary selection. After the event, Becker tweaked the dealership on his Facebook page: “The small 8 oz. bags of chips, and the $2.00 cookie plate from Sam’s Club, and the semi fresh apples and oranges were such a nice touch . . . but to top it all off . . . the Hot Dog Cart. Where our clients could attain a over cooked weiner and a stale bunn . . . ”
Becker’s rag on the Ultimate Driving Event did not stand alone. On the same day, he also posted about a potentially serious mishap at the nearby Land Rover dealership also owned by Knauz BMW. Becker described the drama on his Facebook page, alongside a photograph with the following comment: “This [photograph shows] what happens when a sales Person sitting in the front passenger seat (Former Sales Person, actually) allows a 13 year old boy to get behind the wheel of a 6000 lb. truck built and designed to pretty much drive over anything. The kid drives over his father’s foot and into the pond in all about 4 seconds and destroys a $50,000 truck. OOOPS!”
In deciding whether Knauz BMW violated the NLRA by discharging Becker, the ALJ agreed with the NLRB’s General Counsel that Becker’s Facebook comments about the food at the Ultimate Driving Event were protected concerted activity, a position previously expressed by the General Counsel in its August 2011 report on the NLRB’s social media cases, which we discussed in an earlier blog post. The ALJ reasoned that Becker’s comments were protected because it was possible, albeit not likely, that the food selection could have had an impact on Becker’s commission-based compensation. In the words of the ALJ, “some customers [possibly] were turned off by the food offerings at the sales event and [perhaps] did not purchase a car because of it.” The ALJ also found that Becker’s Facebook posting was concerted activity — even though no co-worker participated in, or commented on, the post — because the post was the “logical outgrowth of” the criticisms by Becker and at least one other co-worker of the food selection during the sales force’s meeting with management before the event. This result demonstrates just how broadly the NLRB interprets the concept of “protected concerted activity,” which cannot properly be the subject of employee discipline.
Notably, the ALJ rejected Knauz BMW’s argument that Becker’s Facebook post should lose its protection under the NLRA because the post disparaged the dealership. Without much analysis, the ALJ noted that the NLRB had previously rejected the same argument in cases where employees’ protected speech was mocking, sarcastic, satirical, ironic, demeaning or even degrading. It appears that an employee’s protected speech will need to reach a high level of injuriousness before the Board will strip that speech of the NLRA’s protections.
Although Becker had engaged in protected concerted activity, the ALJ still determined that Knauz BMW’s decision to axe Becker was lawful. The ALJ found persuasive the testimony of management employees that Becker’s facetious comments about the serious and potentially deadly Land Rover mishap triggered the termination decision. The ALJ then determined that this post did not constitute protected concerted activity because “it was posted solely by Becker,” “without any discussion with any other employee,” and “had no connection to any other employees’ terms and conditions of employment.”
The lesson for employers? Employees who post some protected social media content do not protect themselves with impunity from adverse employment action. Employers can rely on unrelated, unprotected social media posts to justify termination; they just need to be prepared to prove that the unprotected speech was the driving force behind the disciplinary decision.
-
California Amends its Security Breach Notification Law
Posted on September 9th, 2011 No comments
On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.
First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.
Second, SB 24 adds a requirement to notify the state’s attorney general about a breach. More specifically, the notice law now requires any agency, person, or business that sends a security breach notice to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the attorney general, excluding any personally identifiable information. This change adds California to the list of states that require some type of notice to the state’s primary regulator of security breaches.
Third, this bill deems any HIPAA-covered entity to have complied with California’s new notification requirements if the covered entity complied with the similar breach notification requirements in Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). However, the covered entity is not exempt from any other provision of California’s notice law.
Finally, SB 24 also amends Section 1798.82(j) of California’s security breach notification law regarding substitute notice. Reporting entities which seek to notify individuals of a security breach through the state’s media, rather than directly, must now also notify the Office of Privacy Protection within the State and Consumer Services Agency.
In light of these changes, employers will need to update their incident management plans and add these new requirements into their notification policies to ensure compliance with the many state data breach notification requirements.
California SB 24 takes effect January 1, 2012, providing enhanced notification requirements similar to those required under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Hard copy breaches are still not covered under the California law.
Photo credit: dra_schwartz
-
More Guidance from the NLRB on Social Media: When Must Employers Not Fire an Employee for an Offensive Facebook Post?
Posted on August 22nd, 2011 No comments
In a recent blog post, we addressed three Advice Memos issued by the National Labor Relations Board’s (NLRB or the “Board”) Division of Advice, which provided useful guidance on the types of social media conduct that do not enjoy protection under the National Labor Relations Act (NLRA). On August 18, 2011, not long after the publication of those Advice Memos, the NLRB’s General Counsel issued a lengthy memorandum to all Regional Directors that summarizes the Board’s resolution of more than one dozen “social media cases,” including the three cases discussed in our prior blog post. As a contrast to that post, this post will focus on the cases in the August 18, 2011, Memorandum where the General Counsel found that an employer’s discharge of an employee violated the NLRA. The August 18, 2011, Memorandum also provides useful guidance on social media policies, which are addressed below as well.
When Not to Fire an Employee Based on a Social Media Post
The August 18, 2011, Memorandum summarizes four cases that concluded that the employer’s discipline violated the NLRA. In a nutshell, these cases involved the termination of one or more employees based on the following social media conduct:
- While preparing for a meeting with management, an employee asked coworkers on her Facebook page for their reaction to another employee’s complaints about work quality and staffing levels at the employer;
- An employee complained on her Facebook page about her supervisor’s refusal to permit a union representative to assist her in responding to a customer complaint about the employee;
- A salesman at a car dealership criticized on his Facebook page the dealership’s handling of a sales event intended to promote a new car model and posted mildly mocking photographs that included his coworkers;
- Employees posted on Facebook about the employer’s failure to withhold state income taxes, resulting in the employees’ receiving payment demands from state tax authorities.
In all of these cases, employees posted on their own Facebook page, on their own time, and using their own equipment.
When viewed as a group, these cases have a common thread that provides substantial insight into how the Board analyzes social media cases. Most importantly, the subject matter of each of these posts related to the terms and conditions of employment, the exercise of rights conferred by the NLRA, or other matters traditionally considered “protected activity” under the Board’s precedent. The topics included: (a) preparation for a discussion with management about employees’ job performance and the employer’s staffing levels; (b) the right in a unionized workplace to union representation during an investigatory interview by the employer; (c) conduct by the employer (a sales event) that could have an impact on employees’ compensation (their sales commissions); and (d) the employer’s administration of income tax withholdings.
Of equal significance, in each of these situations, the General Counsel concluded that employees were collaborating, otherwise known as “concerted activity.” In the first case, the employee was seeking assistance from coworkers in preparation for a discussion with management. In the second case, the employee was discussing supervisory actions with coworkers who were her Facebook friends. In the third case, the employee was expressing the sentiment of his coworkers about the sales event. In the fourth case, employees were sharing concerns about the employer’s failure to withhold state income taxes. None of these cases could be said to involve individual gripes.
While the fulcrum of these cases is the General Counsel’s determination that the disciplined employees were discussing protected subject matters and doing so in concert with their coworkers, there is one other common thread that can help employers weigh risks when deciding whether an employee’s social media post justifies discipline. In each of the cases, the offending Facebook post was either the culmination of an on-going dispute with the employer or the continuation of a pre-existing conversation among employees. In contrast to these fact patterns, the Facebook posts discussed in our previous blog entry and upon which the Division of Advice relied to justify discipline were relatively spontaneous and had no real history behind them.
Profanity Generally Will Not Justify Discipline for Protected Concerted Activity
According to the General Counsel, the offending Facebook posts in these cases included “swearing and/or sarcasm,” use of a “short-hand expletive,” and references to management personnel as an “asshole” and a “scumbag.” Nonetheless, in each case, the General Counsel concluded that the employer’s termination violated the NLRA.
The General Counsel’s analysis in these cases seems to give employees a license to curse. In finding that an employee did not lose the NLRA’s protections after calling her supervisor a “scumbag,” the General Counsel relied on the following facts: (a) “the Facebook posts did not interrupt the work of any employee because they occurred outside the workplace and during nonworking time;” (b) “the comments were made during an online employee discussion on supervisory action;” (c) “the name-calling was not accompanied by verbal or physical threats;” (d) “the Board has found more egregious name-calling protected;” and (e) “the employee’s Facebook postings were provoked by the supervisor’s unlawful” conduct.
In social media cases, the first three or four factors listed above typically will be present. Thus, the Board effectively is telling employers that they must have a thicker skin when it comes to employees’ raunchy social media posts.
Disclaimers and Carefully Crafted Policies Are Critical
Throughout the August 18, 2011, Memorandum, the General Counsel identified social media policy provisions that the General Counsel deemed overbroad and in violation of the NLRA. At first blush, these determinations are portentous for employers because employers routinely include the challenged provisions in their social media policy. However, the August 18, 2011, Memorandum suggests — at least implicitly — how employers can retain these commonly used policy provisions without running afoul of the NLRA.
The list of policy provisions found to be overbroad is lengthy but worthy of repetition. The list includes the following:
- Inappropriate Discussions: Prohibition against “inappropriate discussions about the company, management, and/or coworkers;”
- Defamation: Prohibition on any social media post that “constitutes embarrassment, harassment or defamation of the [company] or of any [company] employee, officer, board member, representative, or staff member;”
- Disparagement: Prohibition against “employees making disparaging comments when discussing the company or the employee’s superiors, coworkers and/or competitors;”
- Privacy: Prohibition on “revealing, including through the use of photographs, personal information regarding coworkers, company clients, partners, or customers without their consent;”
- Confidentiality: Prohibition on “disclosing inappropriate or sensitive information about the Employer;”
- Contact Information: Prohibition on “using the company name, address, or [related] information on [employees’] personal profiles;”
- Logo: Prohibition on using “the Employer’s logos and photographs of the Employer’s store, brand, or product, without written authorization;”
- Photographs: Prohibition against “employees posting pictures of themselves in any media . . . which depict the Company in any way, including company uniform [or] corporate logo.”
Removing all of the prohibitions described above would eviscerate most social media policies. Fortunately, such drastic action does not appear to be necessary.
In finding these rules unlawful, the General Counsel emphasized not only their overbreadth (i.e., “the [rules] utilized broad terms that would commonly apply to protected criticism of . . . terms and conditions of employment”), but also that “the rule[s] contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.” This italicized language suggests that the rules quoted above will not violate the NLRA as long as the policy contains a disclaimer which explicitly informs employees that the policy will not be construed or applied in a manner that improperly interferes with employees’ rights under Section 7 of the NLRA.
The General Counsel also provided some guidance for policy drafting by rejecting challenges to several other policy provisions. One upheld policy, for example, provided that “no employee could ever be pressured to ‘friend’ or otherwise connect with a coworker via social media.” The General Counsel reasoned that this policy was “sufficiently specific,” “clearly applied only to harassing conduct,” and could not be read to prohibit employees from friending for purposes of engaging in activity protected under the NLRA.
In a second example, the General Counsel approved of a policy that required employees to “maintain confidentiality about sensitive information” and to direct all media inquiries to the company’s public affairs office after stating that the employee was not authorized to comment. The General Counsel determined that this policy did not violate the NLRA because it was intended only “to ensure a consistent, controlled company message,” was not a blanket prohibition on all contact between employees and the media, and “did not convey the impression that employees could not speak out on the terms and conditions of their employment.”
These examples suggest that an employer can increase the likelihood that its social media policy will survive the NLRB’s scrutiny if the policy emphasizes the legitimate purposes that it seeks to achieve, such as protecting the employer’s good will and brand reputation. In addition, restrictions in the policy on employees’ social media conduct should, where practicable, be narrowly tailored to meet those legitimate objectives.
Photo credit: TommL
-
Telework – The Crisp New Term for "Working from Home"
Posted on August 22nd, 2011 No comments
The Guide to Telework in the Federal Government informs and provides guidance on the Telework Enhancement Act of 2010, which was signed into law on December 9, 2010. The Act establishes baseline expectations for the federal telework program and is a key factor in the federal government’s ability to achieve greater flexibility in managing its workforce. The Telework Guide is an understandable roadmap for other employers to the future of a remote and plugged-in workforce, while complying with the myriad of laws that govern the traditional workplace.
The Telework Enhancement Act of 2010 defines "telework" as a work flexibility arrangement under which an employee performs his or her duties and responsibilities from an approved worksite other than the location from which the employee would otherwise work. The fundamental principle of the telework program is clear: telework is not an employee right. Federal law requires agencies to establish telework programs, but does not give individual employees a legal right to telework. Importantly, the Telework Guide states that telework may not be used as a substitute for dependent care [the Guide specifically states that it may be used as a reasonable accommodation], and that employee participation in telework is voluntary.
Telework is primarily an arrangement established to facilitate the accomplishment of work. Private employers, like federal agencies, retain the discretion and obligation to determine employee eligibility for telework subject to business-related needs. For private employers this guide is a gem; it provides guidance on the policies and procedures that the federal government considers necessary to address the risks and rewards of a remote workforce.
With respect to privacy and information security, the Telework Guide provides guidance on the proper handling of confidential information and training on appropriate safeguards for customer and employee information. The Telework Guide states, under the section entitled “Safeguarding Information and Data,” that “[e]mployees must take responsibility for the security of the data and other information they handle while teleworking.”
Interestingly, the basis of the work relationship is a “Telework Agreement.” Each eligible employee authorized to telework enters into a written agreement with his/her supervisor which includes an interactive telework training program provided to eligible employees and their managers. The program must be successfully completed by employees before entering into the written telework agreement.
Private employers will benefit from the guidance provided in The Telework Guide. Although the Guide applies only to federal employers, there are strong parallels between telework in the private and public sectors, particularly when it comes to safeguarding sensitive customer and employee information.
-
When Can Employers Lawfully Fire an Employee for an Offensive Facebook Post? Ask the NLRB
Posted on August 1st, 2011 No comments
Ever since the National Labor Relations Board (NLRB) filed a complaint, last November, against ambulance service provider AMR for firing an employee who had called her supervisor a “mental patient” on her Facebook wall, employers have been forced to ask themselves the following question: Do I really need to worry that the NLRB will knock on my door every time I discipline an employee for an obnoxious or offensive Facebook post related to work? Until two weeks ago, there was no easy answer to that question. The AMR case and virtually all of the other “Facebook cases” initiated by the NLRB had either settled or had not yet resulted in a published decision. Then, last month, the NLRB’s Office of General Counsel issued three Advice Memoranda in rapid succession that provide at least some guidance for employers trying to navigate the intersection of social media and labor law.
Two of the Advice Memoranda draw the same bright line rule: an employee who communicates about work through Facebook but only with family or friends cannot invoke the protections of the National Labor Relations Act (NLRA) to avoid dismissal. In one of these two cases, an employee of a residential home for homeless individuals with significant mental illness posted facetious comments about residents on her Facebook wall. Only a personal friend responded to the Facebook posts, and none of the employee’s coworkers were her Facebook friends. The General Counsel concluded that the employee’s Facebook posts were not protected because the employee was merely communicating with personal friends about work. In addition: (a) her posts did not relate to the terms or conditions of employment; (b) the employee did not discuss her posts with coworkers, and no coworkers responded to them; and (c) the employee was not seeking to induce collective action and her posts were not an outgrowth of collective concerns.
The second case was a slightly tougher one. There, a bartender complained through Facebook to his step-sister about his employer’s policy barring him from sharing in tips given to servers even though the bartenders helped to serve food. The General Counsel concluded that the bartender could not rely on the NLRA to reverse his firing, even though the post related to the terms of employment, for the same reasons that the employee of the residential home could not do so – the employee did not discuss his post with coworkers and the employee was not seeking to induce collective actions.
The third case provides the most useful guidance, drawing the line between individual gripes (unprotected) and collective activity (protected). In that case, the employee made the following comments about her store’s Assistant Manager:
I swear if this tyranny doesn’t end in this store, they are about to get a wakeup call because lots are about to quit.
* * * *
[Assistant Manager] is being a super mega puta! Its retarded I get chewed out cuz we got people putting stuff in the wrong spot and then the customer wanting it for that price . . . . I’m talking to [Store Manager] about this shit because if it don’t change [Company] can kiss my royal white ass.
The General Counsel concluded that the employer could lawfully fire the employee because the posts expressed only an individual gripe, i.e., the employee’s own “frustration regarding his individual dispute with the Assistant Manager over mispriced or misplaced sale items.” The General Counsel also concluded that the responses to the posts by the employee’s coworkers did not convert these individual gripes into collective action because those comments reflected the coworkers’ understanding that the employee was speaking only on behalf of himself. One coworker laughed (“bahaha like!”); one coworker asked why the employee was so “wound up;” and a third expressed only emotional support (i.e., “hang in there”).
In each of the three Advice Memoranda, the General Counsel referred to the same or similar legal standards. These standards also provide useful guidance and include the following:
- Protected: When the employee “acting with or the authority of” coworkers (a) “seeks to initiate, induce or prepare for group action,” or (b) “brings truly group complaints to the attention of management.”
- Protected: The employee’s activities are “the logical outgrowth of concerns expressed by the employees collectively.”
- Unprotected: The employee is engaging in activity “solely by and on behalf of the employee himself.”
- Unprotected: The employee’s comments are “mere griping” as opposed to “group action.”
While these guidelines and the Advice Memoranda obviously do not address the full range of Facebook conduct that intersects with the workplace, they do at least provide some guideposts for employers when deciding whether to discipline or fire an employee based on his or her obnoxious or offensive Facebook post.
-
EEOC Holds Meeting on Use of Arrest and Conviction Records During Hiring Process
Posted on July 27th, 2011 No comments
On Tuesday, July 26, 2011, the Equal Employment Opportunity Commission (EEOC) held its latest meeting on the topic of protections for job applicants with arrest and conviction records under Title VII of the Civil Rights Act of 1964. The full Commission heard remarks from the panelists related to three areas: "Best Practices From Employers," "An Overview of Local, State and Federal Programs and Policies" and "Legal Standards Governing Employers' Consideration of Criminal Arrest and Conviction Records."
Although for the past few years the EEOC has renewed its focus on the hiring process, including Title VII protections for ex-offenders, the current Commissioners (Jaqueline Berrien, Stuart Ishimaru, Constance Barker, Chai Feldblum and Victoria Lipnic) have not indicated whether the EEOC will update its 1987 Policy Statement on the Issue of Conviction Records under Title VII, and did not do so at the July 26 meeting. As a result, it remains important for employers who may be the target of disparate impact claims or charges challenging their conviction-based screening policies to: (1) understand the current state of the case law; and (2) continue to closely monitor developments at the federal, state and local levels in this dynamic area of the law.
To learn more about the EEOC's meeting on employers' use of criminal arrest and conviction records during the hiring process, and the potential implications for employers, please continue reading Littler's ASAP, The EEOC's Priorities Still Include Regulating the Use of Criminal Records by Employers, by Rod Fliegel and Barry Hartstein.
-
Connecticut Law Restricts Employer Use of Credit Reports
Posted on July 25th, 2011 No comments
Effective October 1, 2011, employers in Connecticut will face new restrictions on the use of credit reports regarding current or prospective employees as a result of the recent enactment this month of Connecticut Public Act 11-223. In enacting the new law, Connecticut becomes the sixth state limiting employers' use of credit reports, following Hawaii, Washington, Oregon, Illinois, and Maryland. Similar laws are pending in several other states and at the federal level. The Equal Employment Opportunity Commission (EEOC) is also conducting related investigations and pursuing at least one disparate impact claim based on the use of credit reports. Thus, employers who use credit history information to inform hiring or personnel decisions in states that have enacted credit check laws should review their policies for compliance, and employers everywhere should continue to monitor developments in this evolving area of the law. To learn more about the Connecticut law and its implications for employers, please continue reading Littler's ASAP, Use of Credit Reports by Employers Will Soon Be Restricted in Connecticut, by Rod Fliegel and William Simmons.
Photo credit: Pawel Gaul
-
Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy
Posted on July 22nd, 2011 No comments
Ever since the HIPAA Privacy Rule first went into effect for larger health plans in April 2003, HR professionals and in-house employment counsel often warn of the proverbial “HIPAA violation” when discussing employee medical information. However, one recent federal decision demonstrates that the greater risk for many employers is a violation of the ADA’s confidentiality requirement, which can protect even false information disclosed by an employee to an in-house physician. The second recent decision highlights a critical limitation on the ADA’s broad confidentiality requirement.
The first case arose out of General Dynamics’ decision to terminate the employment of Guillermo Blanco (Blanco) for failing to disclose his Attention Deficit Hyperactivity Disorder (ADHD) when he responded to the company’s post-offer, pre-hire Medical Surveillance History Questionnaire. According to Blanco’s complaint, the in-house physician with whom Blanco discussed his post-employment request for a reasonable accommodation accused Blanco of failing to disclose his ADHD on the medical questionnaire. Blanco further alleged that the in-house physician discussed Blanco’s allegedly false responses to the questionnaire with management in General Dynamics’ Labor Relations Department. Blanco claimed that General Dynamics terminated his employment as a result of the disclosure.
Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.
The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.
The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.
The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.
(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.
The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier, who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.
The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.
The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:
[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.
Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.
HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.
This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.
-
"Social Checks" Come of Age: What Does It Mean for Employers?
Posted on July 11th, 2011
Last month, the Federal Trade Commission (FTC) published a letter closing its investigation into whether an “Internet and social media background screening service used by employers in pre-employment background screening” complied with the Fair Credit Reporting Act (FCRA). At first blush, the letter appears to be a non-event. The FTC did not impose a penalty but also admonished that its “action is not to be construed as a determination that a violation may not have occurred.” While not much can be drawn from this equivocal result, the FTC’s letter does contain the following important conclusion: the “social check” service in question, known as Social Intelligence, “is a consumer reporting agency because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.” Put into plain English, employers that rely on a social check service, like Social Intelligence, to search social media for information about job candidates must comply with the FCRA.
This conclusion likely will have an impact on a substantial number of employers. According to a recent study by the Society of Human Resources Management (SHRM), more than 50% of employers are relying on social media for recruitment purposes, up from 34% in 2008, and another 20% plan to use social media for recruiting in the future. The SHRM study does not address the percentage of employers that conduct these searches exclusively in-house, in which case the FCRA would not apply, as compared to those that rely on a third-party service, in which case the FCRA likely would apply. However, the fact that the social check space is beginning to fill with new enterprises, like Social Intelligence, suggests that the number of employers that are relying on third parties to conduct social checks has grown significantly.
When the FCRA does apply, employers will need to take the following steps vis-à-vis any applicant who is the subject of a social check. First, review the notice and authorization currently provided to applicants before more traditional background checks are conducted to ensure that those documents encompass social media searches. Second, ensure that applicants who may be eliminated from consideration based in whole or in part on the results of a social check receive a pre-adverse action notice which provides the applicant with the report received by the employer, the FTC’s “A Summary Of Your Rights Under the FCRA,” and an opportunity to dispute the apparently adverse information with the service provider which ran the social check. Third, upon rejecting the applicant, send a final adverse action notice to the applicant containing the language required by the FCRA.
These legal compliance requirements are straightforward enough, but they, and in particular, the pre-adverse action notice requirement, highlight vexing practical issues: What social media information should be reported in the first place? Is the information relevant to the hiring decision? Is the information reliable? There can be no question that social media posts may contain information that employers may not lawfully consider when vetting an applicant, such as disability, protected and lawful off-duty conduct, or genetic information. There also can be no question that social media posts often contain information that warrants rejection of a candidate. According to a recent study by the Society of Corporate Compliance and Ethics, more than 40% of respondents had disciplined an employee based on his or her social media conduct. However, these two groups of information set only the polar extremes; employers still must determine what, if anything, will be reported concerning the vast range of social media content falling in the middle and how they will fairly evaluate that information. Social Intelligence, for example, notes on its Web site that its customer set-up tools leave to the employer responsibility for “defining screening filters (for evaluating individuals) and redaction criteria (for censoring information).”
Reliability is another critical issue for employers using social media to evaluate job candidates. In the case of more traditional pre-employment screening, the nature of the information itself engenders a higher probability, albeit not certainty, that information is accurate. Court systems, educational institutions, and employers, for example, have an inherent interest in maintaining accurate records for their own legitimate business purposes. By contrast, social media are replete with false, doctored, and biased information about others. Social Intelligence suggests a solution to this issue by noting on its Web site that it reports “only information the applicant has created himself.” However, completely eliminating social media information posted by third persons arguably reduces the effectiveness of a social check to some extent. Perhaps more importantly, social media posts apparently created by the author can be forged. I have recently counseled clients on two separate occasions where employees denied having posted on their Facebook wall negative information about the employer or co-workers, credibly claiming that others had stolen their log-in credentials or hacked into their account.
The absence of any inherent reliability in most social media information emphasizes the importance of providing applicants with a pre-adverse notice even when there is no legal obligation to do so. Employers easily could lose potentially outstanding employees by relying on social media content that is false, misleading or inaccurate. Even if apparently adverse information turns out to be accurate and true, the applicant’s explanation of that information could demonstrate maturity and honesty as opposed to evasiveness and bad character.
With use of social media for hiring becoming increasingly common, human resources professionals and in-house employment counsel need to scrutinize their organization’s use, or potential use, of this new tool and answer several challenging questions. Most importantly, how should social checks supplement more traditional means of vetting applicants’ credentials and pre-employment screening for adverse information? What types of information does the organization need and how will that information be weighted? Next, will the information be gathered through in-house resources or an external service provider, such as Social Intelligence? If the latter, how will FCRA compliance be worked into the social check process? Finally, particularly given the newness of social checks, employers should evaluate them at least annually with one key question in mind: Have the social checks improved the effectiveness of the organization’s hiring process and the quality of new hires?
-
Location, Location, Location: Recent Developments in "GeoPrivacy" and the Impact on the Use of GPS in the U.S. Workplace
Posted on July 5th, 2011
Ever since revelations in May that smartphones track the location of their users, location privacy has been a red hot issue in virtually every forum — except the U.S. workplace. Just last week, for example, the U.S. Supreme Court agreed to review a federal circuit court decision (covered by our blog when decided last August), holding that the federal government’s warrantless use of 24/7 location tracking for more than a month violated the Fourth Amendment rights of a criminal suspect. The Wall Street Journal dubbed June 15, 2011, “location privacy day on Capitol Hill” after two bills were introduced to limit the use of location data by industry and by law enforcement. And, in the European Union, the Article 29 Working Party, which is responsible for providing guidance on the application of the European Union Data Protection Directive, recently published its “Opinion 13/2011 on Geolocation Services on smart mobile devices.” While none of these developments directly implicate the U.S. workplace, U.S. employers should closely monitor the location privacy debate, particularly given their increasingly common reliance on GPS-enabled smartphones and vehicles to track employees.
The European guidance is especially noteworthy for multi-national employers. Although this guidance, as its title suggests, deals almost exclusively with tracking consumers, the guidance contains a short section—which received scant public attention—that squarely addresses tracking employees. The guidance explains that it is unlawful for employers in the E.U. to track their employees unless “it is demonstrably necessary to supervise the exact locations of employees for a legitimate [business] purpose.” Even then, continuous monitoring generally is impermissible, and employees must be able to turn off location tracking during non-work hours. The guidance also discourages employers from using vehicle tracking devices to monitor the behavior of employees by, for example, recording the vehicle’s speed.
Given this guidance, multinational employers should closely scrutinize the nature and scope of any location-tracking program before implementing it in the European Union.
The U.S. Supreme Court’s decision next term in U.S. v. Maynard also could have an impact on U.S. employers. As we explained in our blog post on the D.C. Circuit’s decision that is subject to Supreme Court review, a ruling that law enforcement’s 24/7 use of surreptitious location tracking violates the Fourth Amendment arguably could be used to support a claim against employers that engage in 24/7 location tracking without notice to employees. The rationale for such a decision likely would be that continuous tracking establishes a pattern of activity over a period of time which reveals private information about the target of the tracking, such as whether the person is a recovering alcoholic as reflected by regular visits to Alcoholics Anonymous meetings, is considering pregnancy as suggested by weekly trips to a fertility clinic, or is having an extra-marital affair. Despite the distinctions between Fourth Amendment standards and the elements of the common law tort of invasion of privacy, this rationale likely would apply with equal force in the common law context.
Finally, while the Congressional activity to date has focused on consumer privacy, it would not require a substantial leap in legislative drafting to extend the coverage of these bills to location tracking of employees. Alternatively, state legislators, taking the cue from Congress, might implement state-specific requirements, which could result in an unwanted patchwork of requirements for multi-state employers.
While U.S. employers currently are subject to virtually no regulation when tracking employees, the keen focus on the issue in Europe, in the criminal context, and in the consumer sphere very well may spill over to the U.S. workplace. Employers that use, or that are considering using, location tracking in their workplaces should continue to monitor these developments closely.
-
Some Smoke Clears in Washington: State Supreme Court Holds Employee Has No Claim After Being Terminated for Medical Marijuana Use
Posted on June 15th, 2011
On June 9, in Roe v. TeleTech Customer Care Mgmt (Colo.), LLC, the Washington State Supreme Court held that the state’s Medical Use of Marijuana Act (MUMA): (1) does not prohibit an employer from discharging an employee for medical marijuana use or provide a civil remedy for such a discharge; and (2) does not “proclaim a sufficient public policy to give rise to a tort action for wrongful termination for authorized use of medical marijuana.” Like the decisions in Ragingwire (pdf) in California, Emerald Steel Fabricators in Oregon, and Columbia Falls Aluminum Company (pdf) in Montana, which we discussed here, here and, most recently, here, TeleTech gives wide berth to employers that discharge employees who use drugs.
Washington voters adopted the MUMA in 1998. It provides an affirmative defense to a physician authorizing the use of medical marijuana and to qualified patients and caregivers engaging in the medical use of marijuana who are accused of marijuana-related crimes in Washington. The law expressly provides that employers are not required to accommodate “any medical marijuana use in any place of employment….” In 2007, MUMA was amended to clarify that employers are not required to accommodate any “on-site” use of medical marijuana in the workplace.
Roe, who used a pseudonym in the case because use of medical marijuana remains illegal under federal law, had debilitating migraine headaches. Conventional treatments did not alleviate the pain, but marijuana did. In June 2006, a physician issued her a written authorization under MUMA to use marijuana for medical purposes, which she did. In October 2006, TeleTech, a business outsourcing company, hired Roe as a customer service representative. Roe’s job offer was contingent on a negative drug test. She informed TeleTech of her use of medical marijuana outside the workplace and subsequently failed the drug test, and the company fired her.
Roe filed suit against TeleTech, asserting that the company terminated her employment in violation of MUMA and wrongfully discharged her in violation of public policy. The trial court granted summary judgment in TeleTech’s favor, and the Washington Court of Appeals upheld the decision.
The Washington Supreme Court affirmed. Roe first argued that TeleTech violated the MUMA itself. But the court held that the Act unambiguously provided only an affirmative defense to a criminal marijuana charge, not a civil claim against an employer. The court explained that if the employer was not required to accommodate on-site medical marijuana use, it was not required to accommodate medical marijuana use off site, as Roe was asking it to do. Finally, the court noted that the fact that Roe used marijuana at home without being impaired in the workplace was irrelevant because regardless of Roe’s ability to do her job, the statute did not confer on her a right to sue her employer.
Roe then argued that even if TeleTech had not violated MUMA, the court should recognize a civil tort claim for wrongful termination in violation of public policy based on her discharge. Quoting MUMA, she urged that the public policy proclaimed by the law was that “the medical use of marijuana by patients with terminal or debilitating illnesses is a personal, individual decision.” But the court held that the language of the MUMA “do[es] not recognize a broad policy that would remove any impediment to medical marijuana use or impose an obligation that employers accommodate such use, and that Washington patients have no legal right to use marijuana under federal law.”
Along with Ragingwire and Steel Fabricators, the TeleTech decision is the third in a string of appellate victories for employers in cases involving the termination of employment of employees for use of medical marijuana, whether or not on site and whether or not the employee is impaired during work. But any sigh of relief by employers may be premature:
- In the future, Washington medical marijuana users may seek to bring claims based on a recent change in MUMA that was not argued in Roe. Less than two months ago, Washington amended MUMA to provide expressly that the law does not require any accommodation of an employee’s medical marijuana use if the employer has a drug-free workplace policy. Where an employer lacks such a policy, the discharge of an employee for medical marijuana use may be rendered illegal under the revised statute. Employers that do not have drug-free workplace policies should consider implementing them to avoid falling prey to such a claim in the future.
- The highest courts in only 4 of the 15 jurisdictions (14 states and the District of Columbia) that have medical marijuana laws have ruled on any of the questions at issue in TeleTech. Courts in other states may reach contrary conclusions under their own laws. Some states, like Colorado, enshrine their medical marijuana law in the state constitution, a source of law that employees are likely to assert is deserving of greater deference than a statute.
- Stay tuned because any federal law developments may change the legal landscape in state courts. Medical and other use, possession and distribution of marijuana continues to violate federal law. New legislation recently introduced in Congress, if it ultimately becomes law, is likely to change this. If that happens, many states are likely to follow suit, creating new challenges for employers in addressing employment issues raised by the use of medical marijuana by prospective or current employees.
- There are other issues employers may confront even if state medical marijuana law does not create any employer liability for discharge for use of medical marijuana, for example:
  - Disabilities, serious health conditions, and genetic information of which the employer becomes aware because an employee discloses them in describing use of medical marijuana;
  - Government contracts requiring employers to observe drug-free workplace requirements; and
  - Occupational safety and health issues involving workers who use medical marijuana.
- Even wary employers may find their drug-free workplace policies jeopardized by managers who sympathize with colleagues who use medical marijuana. Such managers may create liability if they are insufficiently or inconsistently committed to enforcing their employer’s drug-free policies.
The long-term legal effects of medical marijuana in the workplace continue to be hashed out in elections, legislatures and courts. But at least for now, the Washington Supreme Court’s decision in Roe helps clear the air for employers in that state to exercise substantial discretion in enforcing their drug-free workplace rules.
For additional analysis on this development, see Littler ASAP "Washington Supreme Court Blunt in Ruling: No Claim for Wrongful Discharge Under State's Medical Use of Marijuana Act” by Dale L. Deitchler and Daniel L. Thieme.
-
Employer Challenges to Developing and Enforcing Social Media/Web 2.0 Policies
Posted on June 10th, 2011
I was recently interviewed by Nymity on the dozen top challenges for employers when developing and enforcing social media/Web 2.0 policies. Part I of the interview [pdf] addresses the following questions:
- Online Background Checks: What are the risks? What are practices that should be curtailed? How can a company gain the benefits of the tools, and minimize those risks?
- Customer-Facing Company Sites: Such sites and other customer-facing tools and techniques can build a brand overnight. How does a company avoid the issues and gain the brand-lifting benefits?
- Individual Employee Sites for Business Purposes: Who “owns” these sites, such as LinkedIn contacts and Facebook fan pages? Must an employee establish a new account for their work with a company? What are the best practices in these situations?
- Internal Company-Sponsored Sites: What is special about these that require policy statements or recommendations? Can these sites really be a problem?
- Employees’ Off-Duty Social Media Activity: We’ve discussed social media activity for work purposes; what about employees’ off-duty social media conduct? What are the risks there and how should employers address them?
- Disciplining Employees Based On Off-Duty Social Media Activity: There seems to be much confusion over when employers can discipline employees for their off-duty social media activity. What are the key risks to avoid? What are the best practices that can be adopted to avoid what types of risks?
I will post Part II when it becomes available.
-
Massachusetts Extends Reach of Data Protection Regulations
Posted on May 18th, 2011
By Ellen Giblin
The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare. Then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.
In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).
Although the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.
What does this mean to my company?
The Judgment by Consent has far-reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems are all covered by these laws and regulations.
What should my company do?
Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords, user access should be limited on a need-to-know basis and removed promptly after an employee is terminated, employees need to be trained on your organization’s information security policies and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.
What are the consequences of not complying?
The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action.
-
New Maryland Statute Further Complicates Patchwork of "Credit Privacy" Laws
Posted on May 12th, 2011
When Maryland enacted its law (pdf) restricting the use of credit history for employment purposes on April 12, 2011, it became the fifth state – joining Hawaii, Illinois, Oregon, and Washington – to enact a credit privacy law. Maryland’s law transforms what was a mildly complicated compliance challenge for multi-state employers into an expanding morass. With credit privacy bills currently pending in more than twenty states, multi-state employers should expect that it will become increasingly difficult to establish company-wide policies on the use of credit history for employment purposes.
The core issue for employers who use credit checks for employment purposes (other than financial institutions which are carved out from each of the laws) is the scope of the exception to the general prohibition against using credit checks for employment purposes. At first blush, there appears to be uniformity because all five states permit employers to use credit checks for employment purposes when the check is “substantially related” to the applicant’s or employee’s job responsibilities.
The crux of the problem is the near total discordance over how “substantially related” should be defined. To begin with, the laws in Washington and Oregon provide no definition at all of “substantially related.” Oregon’s Bureau of Labor and Industry (BOLI), by regulation, defines “substantially related” to mean that an essential function of the job requires access to financial information, but the regulations do not define the term “financial information.” Illinois’ law also permits credit checks for positions that “involve access to . . . financial information.” However, it is not clear whether the access must be an essential job function (as is the case in Oregon). Furthermore, Illinois narrowly defines “financial information” to mean “non-public information on the overall financial direction of an organization, including, but not limited to, company taxes or profit and loss reports.” At least as of now, employers have no way of knowing whether Oregon’s BOLI intended to define “financial information” more broadly than Illinois’ legislature.
Three states — Hawaii, Illinois, and Maryland — consider credit checks on managers or supervisors to be “substantially related” to employment, but the commonality ends there. Illinois’ law applies only to managers whose job involves “setting the direction or control of the business.” Maryland’s law appears to sweep more broadly, applying not only to those with authority over the business but also to those with authority over “a department, division, unit, or agency of a business.” Hawaii’s similar exception is even more expansive, encompassing not only the direction setters included in the Illinois and Maryland laws, but also those who have authority to “hire, transfer, suspend, lay off, recall, discharge, assign, reward, or discipline other employees” as well as those who “adjust grievances.”
As a third example, only Maryland and Illinois define “substantially related” to include positions that involve access to certain categories of sensitive information, but those categories differ between the two states. Maryland’s law includes the “personal information ... of a customer, employee, or employer,” whereas Illinois’ law includes “sensitive information of a customer or client of the employing organization,” but not of an employee. In addition, Maryland defines “personal information” to mean Social Security number, driver’s license number, financial account number, or Taxpayer Identification Number. By contrast, Illinois defines “sensitive information” to mean information that “the employer entrusts only to managers and a select few employees; or that is stored in some repositories not accessible by the public or low-level employees.” Similarly, both laws define “substantially related” to encompass positions involving access to trade secrets and other confidential business information, but the two laws define “trade secrets” and “confidential business information” differently.
Not surprisingly, there also is no consistency among these laws in terms of their remedial schemes. Maryland’s law appears to permit only the filing of an administrative complaint and the imposition of a $500 penalty for the first violation and a $2,500 penalty for repeat violations. The remaining four states permit individuals to file an action in court. However, in Hawaii and Oregon, monetary damages are limited to no more than two years’ back pay, whereas Illinois and Washington permit an award of all actual damages caused by the violation.
Starting to pull your hair out? Just wait until a few of the pending bills are enacted into law. Although no one can predict exactly what those laws will provide, they ineluctably will broaden and deepen the credit check quagmire that Hawaii, Illinois, Maryland, Oregon, and Washington already have managed to create. Perhaps intentionally, the states are effectively forcing multi-state, and especially national, employers to address the fundamental question: Do the benefits of credit checks for employment purposes warrant the compliance burden? Given the difficulty of effectively using credit checks for employment purposes – as explained in our article entitled, “Incipient Legislative Trend Toward ‘Credit Privacy’ Compels Restraint in the Use of Credit Checks for Employment Purposes,” (pdf) BNA's Privacy & Security Law Report, Vol. 9, No. 27, (July 5, 2010) – for many employers the answer likely will be “no.”
-
The Latest from the NLRB on Social Media
Posted on May 2nd, 2011
The National Labor Relations Board created a stir in late 2010 by filing an unfair labor practice charge against ambulance company, AMR, for firing an employee who, among other things, called her supervisor a “mental patient” in a Facebook post read by many co-workers. As it turns out, the “Facebook case” was just the beginning of what appears to be a trend by the Board, subsequently joined by unions, to restrict employers’ ability to promulgate and enforce social media policies that, in the Board’s view, impinge on employees’ rights under the National Labor Relations Act. Several recent developments provide a window into the Board’s intentions.
Last week, the NLRB’s Hartford Regional Director, who was responsible for filing the Facebook case, provided useful information about the Board’s intentions, both in comments and in handout materials, while speaking on a panel for the Connecticut Bar Association. Below are some of the highlights:
- Protected Concerted Activity: In a discipline case, the Board will take a very broad view when deciding whether the employee’s social media activities constituted “protected concerted activity” under the NLRA. The Regional Director’s handout states, “It doesn’t take much to establish the concerted nature of the discussion, so long as it involved or touched upon a term or condition of employment,” and “anything short of physically threatening activity will likely be protected.”
- Recent Cases: The NLRB continues to be active in the area. The handout provides four examples of recently filed complaints, or threatened complaints, involving social media in addition to the case against AMR. These cases show just how broadly the Board construes “protected concerted activity.” They involved, according to the handout, negative comments about a supervisor posted on Facebook, a posted cartoon video about a dispute between two departments, a Facebook discussion about the employer’s withholding of taxes, and a Facebook discussion about the employer’s decision to fill an open position with an outside, rather than an inside, applicant.
- Disclaimers: The Hartford Region will consider a disclaimer when evaluating whether an employer’s social media policy violates the NLRA. According to the Regional Director, the disclaimer should become more specific as the policy becomes broader and more general. For policies that are narrow and easily understood, a disclaimer that the policy is not intended to violate the NLRA may suffice. For broader policies that employees might reasonably believe apply to protected concerted activity, the Region will require a disclaimer which states either that the rule does not apply to “discussions or activities involving your terms and conditions of employment” or that the policy does not apply to “discussions and activities involving your wages, hours and working conditions.” Notably, the Regional Director stopped short of taking the position that to be effective a disclaimer must specifically mention union activity, as another NLRB region recently insisted.
- Litigation Strategy: In the AMR case, the Region subpoenaed online posts of AMR supervisors in an effort to obtain evidence that they made comments about their subordinates similar to the comment that the fired employee had made about her supervisor. In addition, the Region repeatedly told the fired employee to stop posting on Facebook while the litigation was pending (but she ignored the request).
In a development that could resonate beyond social media, the Regional Director also revealed that the Regions, at the direction of the Board’s Acting General Counsel, are filing complaints to set the stage to reverse the Board’s December 2007 decision in Register Guard. In that case, a Republican-dominated Board held that an employer can lawfully impose a broad ban on employees’ use of the corporate e-mail system for solicitations and other non-business reasons as long as the policy on its face does not discriminate against union activity and is enforced in a non-discriminatory manner. A reversal of Register Guard could severely crimp employers’ ability to regulate employees’ social media activity while using corporate electronic resources.
In another recent development, the NLRB’s Acting General Counsel added social media to the list of subjects in which he is taking particular interest. While there was virtually no commentary or explanation accompanying this development, it likely reflects that the Board is pursuing a uniform, nationwide strategy on social media.
In a third development in April, the Board threatened to file a complaint against Thomson Reuters for allegedly disciplining an employee based on a Twitter post. The employer had invited employees to post on a corporate-sponsored Twitter feed their thoughts on how the company could be made the best place to work. An employee who also is the Newspaper Guild’s representative tweeted, "One way to make this the best place to work is to deal honestly with Guild members." The Board appears to take issue with the fact that, in response to the post, the employee’s supervisor called to remind her about the company’s policy prohibiting employees from posting content that would damage the company’s reputation. According to a report in the New York Times, an NLRB source stated that the Board viewed this call as potentially having a chilling effect on the employee’s exercise of her rights under the NLRA. On May 2, 2011, it was announced that Thomson Reuters and the Newspaper Guild reached a tentative settlement of their disagreements, heading off an NLRB complaint. If a complaint had been filed, it would have been the first NLRB action based on a Twitter post.
What should employers do?
There can be no question that the Board appears to want to take the law in a direction that will open social media to virtually unfettered use by employees to communicate about work conditions, defined very broadly. However, employers should also recognize that social media buzz (including blogs like this one), press releases, and unproven allegations may be prematurely persuading employers to loosen social media policies that were drafted before the AMR case. As far as we are aware, there has not been a single fact-finding hearing to date in a case where an employee was disciplined for social media conduct, let alone a published decision by even an administrative law judge. The actual limits on an employer’s ability to regulate the use of social media by its employees are still to be developed and refined by the NLRB and by the federal appeals courts that will review its decisions.
Given this uncertainty, employers should continue to watch developments in the area closely, consult counsel before imposing discipline based on social media activity, and review their social media policies. If the policy contains any provision that could be read to limit employees’ ability to communicate about the terms or conditions of employment while using the employee’s own resources during non-working hours, strongly consider adding a disclaimer to the policy. The content of the disclaimer should vary depending upon the nature of the policy. A starting point would be a disclaimer to the effect that the policy will not be applied in a manner that improperly interferes with employees’ rights under the National Labor Relations Act. A more robust disclaimer might be advisable depending upon the breadth of the policy, whether the employer already is unionized, and the degree to which the employer, or the employer’s industry, has been the focus of organizing activity.
-
Managing Employees’ Use of Personal SmartPhones and Tablets for Work
Posted on April 26th, 2011
A recent article in the Wall Street Journal aptly identified several challenges that employers face when they allow employees to use their personal smartphones and tablets for work. The article, entitled “So You Want To Use Your iPhone For Work? Uh-Oh. How The Smartest Companies Are Letting Employees Use Their Personal Gadgets To Do Their Jobs,” notes several steps employers are taking to reduce privacy and information security risks. These steps include the following: (a) requiring that employees enable passwords, (b) sending a “kill command” to wipe business information from a lost or stolen device, and (c) walling off sensitive data into an “encrypted container.” While these steps are all useful, they comprise only a partial list of critical issues employers should consider before permitting employees to use a personal device for work.
Below are seven key steps that employers should consider taking before allowing employees to use a personal device for work:
1. Demand the Installation of Adequate Malware Protection: Personal devices may be used for activities — such as peer-to-peer file sharing, viewing pornography, or downloading games — that increase the risk of infection by malicious software. Yet, personal devices typically will not have protections against malicious software that are nearly as effective as those loaded on a company-issued device. As a result, the risk that the corporate network will be infected with malware can increase materially if inadequately protected personal devices are connected to the corporate network. One solution is to require that employees load an approved package of malware protection to any personal device that will be connected to the corporate network.
2. Get Consent Before Sending a Kill Command: The Journal article noted that it is illegal in South Korea and in China to send a kill command to an employee’s personal device. Although no U.S. court has yet addressed this specific issue, sending a kill command to an employee’s personal device without the employee’s prior consent runs the risk of violating the federal Computer Fraud and Abuse Act and state computer trespass laws. These laws generally prohibit unauthorized destruction of information stored on someone else’s computer. To avoid potential criminal and civil liability under these statutes, employers should obtain written consent to send a kill command to any personal device that is reported lost or stolen.
3. Get a Release Before Sending a Kill Command: Kill commands typically will wipe not only sensitive corporate information but also the employee’s personal collection of music, videos, photographs, books, and more. That collection often is backed up. If it is not, however, the employer could be facing a significant bill to replace the employee’s electronic library. To avoid such claims, employers should obtain a release from employees for any damage to personal files deleted by a kill command.
4. Prepare Ahead of Time for a Potential Security Incident: A lost or stolen personal device containing personal information, such as employees’ or customers’ Social Security numbers or credit card numbers, could trigger security breach notification obligations. Sending a kill command will not necessarily permit employers to avoid statutory notification obligations because a sophisticated thief might be able to access personal information on the device before the kill command is activated. Requiring that employees activate encryption on a personal device, when available, should eliminate the need for security breach notification because of the “encryption safe harbor” in all security breach notification laws. If encrypting the employee’s personal device is not feasible, the employer should at least require immediate reporting to its security incident response team of any loss or theft of a personal device used for work. In addition, all employees using a personal device for work should be provided with the contact information needed to immediately notify appropriate personnel of the loss or theft.
5. Get Consent to Access the Personal Device for Legitimate Business Purposes: Employers who permit widespread use of personal devices for work almost inevitably will need to access employees’ personal devices during the course of employment. Access may be necessary for a workplace investigation or to implement a litigation hold. Unlike company-issued devices, the employer has no right to access an employee’s personal device, even for a legitimate business purpose. Employers should notify employees up front that their refusal to comply with a reasonable and legitimate request for access to information stored on a personal device could result in discipline up to and including termination of employment.
6. Amend Your Organization’s Electronic Resources Policy to Address Monitoring of Personal Devices: Corporate electronic resources policies commonly speak only in terms of the corporate computer network and company-issued equipment. As a result, a court likely would find that warnings in an electronic resources policy that employees should have no expectation of privacy have no impact on employees’ privacy expectations with respect to information stored on their personal devices. Yet, when an employee connects a personal device to the corporate network, that device likely will be subject to the same invasive monitoring practices as company-owned devices, exposing the employer to privacy-based claims. To reduce this risk, it is suggested that the corporate electronic resources policy be modified to warn employees that the policy applies with equal force to personal devices that are connected to the corporate network.
7. Think About How Your Organization Will Retrieve Business Information When Employment Ends: Having a cache of confidential business information on a personal device provides one of the easiest vehicles for misappropriating trade secrets. Upon termination of employment, the employee can misappropriate simply by keeping his or her personal device. To reduce this risk, employers should consider incorporating the review of information stored on an employee’s personal device used for work into the standard exit interview process. For hostile partings, sending a kill command may be the only feasible way to prevent misappropriation of trade secrets. However, without the consent and release noted above, those actions could strengthen the hand of a hostile former employee in pending or threatened litigation with the employer.
-
Is it Really Illegal to Require an Applicant or Employee to Disclose her Password to a "Friends-Only" Facebook Page?
Posted on March 8th, 2011
By Philip Gordon.
Recently, the American Civil Liberties Union of Maryland tried to publicly embarrass the Maryland Department of Public Safety and Correctional Services (the “Maryland Corrections Department”) into suspending its practice of asking job applicants to disclose their Facebook password so that the Department could check whether the applicant’s wall or stored e-mail revealed any connection to criminal activity. According to a letter dated January 25, 2011 (pdf), sent by the ACLU to the Maryland Corrections Department, this practice “is illegal under the federal Stored Communications Act (SCA), 18 U.S.C. §§2701-11 and its state analog, Md. Courts & Jud. Proc. Art., §10-4A-01, et seq.” The ACLU’s contention is inaccurate.
Both of the cited statutes prohibit unauthorized access to electronic communications stored at an electronic communications service provider. Even assuming that these statutes apply to content stored on Facebook’s servers (and that point is far from settled), the Maryland Corrections Department did not gain “unauthorized” access to applicants’ Facebook page. Rather, the Department would access information on Facebook only after the applicant authorized such access by providing the Department with the applicant’s password.
The true core of the ACLU's position is the following assertion contained in its January 25, 2011 letter: “[T]here can be little question but that forced ‘authorization,’ such as that demanded of [the applicant by the Maryland Corrections Department], is not proper authorization under the SCA, given the disparate bargaining power of the employer and employee or applicant.” While rhetorically appealing at first blush, this argument assumes too much, especially with respect to applicants.
Applicants are not “forced” to provide authorization. The Maryland Corrections Department emphasized that applicants could refuse to provide their password and may still be eligible for a position. But, even if the Department’s practice were to require disclosure of the password, an applicant who does not want a prospective employer to view his “friends-only” Facebook page would have the choice to refuse the request and hope to get the position or seek employment elsewhere. Indeed, if the ACLU’s contention were correct, then the millions of authorizations for pre-employment background checks and drug screens that have been executed by applicants since those forms of pre-employment investigations became routine also would be invalid.
Notably, the only case cited by the ACLU in support of its position — Pietrylo v. Hillstone Restaurant Group, 29 IER Cases 1438, 2009 WL 312420 (D.N.J. 2009) — involved an employee, not a job applicant. Thus, a court likely would not hold that an employer who gave an applicant a choice between being disqualified from consideration for a position or disclosing her Facebook password violated the federal Stored Communications Act by using the self-disclosed password to access the applicant’s restricted Facebook page.
Of course, there are other reasons why employers should carefully evaluate the practice, not least of which is avoiding the media spotlight that the ACLU often can attract to an issue, as it did in the case of the Maryland Corrections Department. Accessing an applicant’s restricted Facebook page increases the likelihood that an employer will obtain information, such as family medical history (i.e. “genetic information”) or an undisclosed disability, upon which an employer could not lawfully rely in making an employment decision. Employers also need to consider whether and to what extent information obtained from a medium the very purpose of which is to socialize (rather than to build one’s resume) bears any relevance to the hiring decision. Finally, the employer could gain a bad reputation among potential applicants who — however wrongly — believe the employer is acting unlawfully.
The ACLU’s reference to the Pietrylo case and the purportedly “disparate bargaining power between employers and employees” does raise the important question whether an employer who receives a Facebook password from an employee in response to a request gains “forced authorization” to a restricted Facebook page. In Pietrylo, which we have covered in an earlier blog post, an employee admitted at trial that she gave her password to a restricted MySpace page to the management-level employees who accessed the page and were accused by two other employees of violating the federal Stored Communications Act. The employee also testified that she subjectively feared “something bad might happen to her” if she did not disclose her password. The court found this testimony was sufficient to support the jury’s finding that the employee’s authorization was invalid, even though there was no evidence that the managers had threatened the employee in any way whatsoever. Notably, the court did not cite a single case, any language in the SCA itself, any legislative history, nor any other authority in support of its holding. Needless to say, the question remains wide open whether the purportedly “disparate bargaining power of the employer and employee” does, in fact, convert any employee’s apparently voluntary disclosure of a Facebook password into “forced authorization.”
Until the question has been definitively answered, employers have a simple—if “low tech”—work around: ask the employee who otherwise would be asked for a password to print screen shots of material posted on the restricted Facebook page. It is remarkable how many “friends” who are offended by a co-worker’s posts on a restricted Facebook page will voluntarily print that information and turn it over to HR or a manager. Because the federal Stored Communications Act makes it unlawful only to gain unauthorized access to an electronic communication stored at an electronic communications service provider, reading a printed version of a restricted wall post does not implicate the Act.
Employers also should note that the jury in the Pietrylo case rejected the plaintiffs’ invasion of privacy claim, a fact that the ACLU does not mention in its January 25, 2011 letter. The jury apparently found that the plaintiffs could not reasonably expect their posts on the friends only MySpace page to remain private when anyone on the friends list could disclose the contents of the page without restriction. This finding is consistent with the common sense proposition that an employee or applicant cannot reasonably expect privacy when sharing information with dozens, or even hundreds, of friends, none of whom are under an obligation of confidentiality.
-
HHS’ One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers
Posted on March 8th, 2011
Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.
The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.
While HHS does not reveal the negotiations leading to the $1 million settlement amount, the enhanced HITECH penalties likely figured prominently in the discussion. The HITECH Act gives HHS substantial discretion in deciding what constitutes a single violation. In this situation, HHS likely took the position that there were at least 192 violations, one for each patient whose PHI was lost. In addition, HITECH permits HHS to impose a penalty of up to $50,000 per violation capped at $1.5 million annually for the same violation. Thus, the negotiations over the penalty likely centered around where the settlement should fall in the range between $100 per violation (the minimum penalty) and approximately $7,800 per violation (i.e., $1.5 million divided by 192). The negotiations resulted in a settlement amount of approximately $5,200 per violation. The lesson to be drawn is that the HITECH penalty scheme provides HHS with the leverage to negotiate a substantial settlement payment even for incidents involving a relatively small number of individuals. The fact that the lost records revealed an HIV/AIDS diagnosis, highly sensitive information, for at least some of the 192 affected patients also likely had an impact on HHS’ settlement position.
The settlement between HHS and the hospital also reveals, at least implicitly, HHS’ position that it is unacceptable for employees to remove paper or electronic records containing PHI from a covered entity’s physical premises without taking precautions to safeguard those records. More specifically, the settlement agreement requires that the hospital implement policies and procedures aimed at safeguarding any PHI that leaves the hospital’s premises, including the encryption of any laptop or USB drive containing PHI that is taken off-site. In addition, the hospital must: (a) distribute these policies to all members of its workforce; (b) review and, as necessary, update the policies annually; (c) train all employees with access to PHI in the policies; and (d) review the training annually or as necessary.
Employers and providers can take away several lessons from this incident. First, even innocent mistakes that compromise PHI could result in substantial penalties or settlements. Second, covered entities should implement and enforce policies and procedures that restrict the removal of PHI from their premises and that require strict safeguards for PHI, such as encryption, when it is taken off-site. Third, HHS likely will inquire into the training that has been provided to workforce members whenever an incident involves the loss or theft of PHI that was taken off-site. As a result, that training should be thorough, well documented, and updated as necessary to remain consistent with existing policies, new legal requirements, and evolving best practices.
-
The U.S. Supreme Court Holds that Corporations Do Not Qualify for Personal Privacy Exception Under the Freedom of Information Act
Posted on March 8th, 2011
For those who suspect the Roberts Court always sides with business, the March 1 opinion in Federal Communications Commission v. AT&T (pdf) might give them pause.
In this 8-0 opinion, the Court held that the term “personal privacy,” as used in a statutory exception to the Freedom of Information Act (FOIA; 5 U.S.C. § 552), does not apply to corporations. The exception covers law enforcement records, the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.”
The genesis of the case arose seven years ago. In 2004, AT&T was investigated by the FCC for self-reported possible overcharging of the federal government. The company settled the FCC’s investigation at the end of 2004 without admitting liability.
Following the investigation, a private industry group submitted a FOIA request to the FCC, seeking materials produced by AT&T to the Commission in the course of the Commission’s investigation. AT&T opposed the group’s request for information.
The FCC disagreed with AT&T’s position, concluding that the information sought by the industry group (which included AT&T’s cost and pricing data, billing-related information, and identifying information about staff, contractors, and customer representatives) did not constitute materials protected under the exception on the basis of AT&T’s “personal privacy.”
AT&T appealed this administrative decision to the Third Circuit Court of Appeals, which found in AT&T’s favor on the disputed issue. The appellate court noted that the legislative definition of “person” included corporations as well as individuals (5 U.S.C. § 551(2)). Hence, it reasoned, the “personal privacy” referenced in the exception could apply to a corporation as well as an individual, and so a corporation could be entitled to “personal privacy” protection under the language of the statute.
The Supreme Court, in a decision penned by Chief Justice John Roberts, rejected the Third Circuit’s decision and AT&T’s position. Roberts observed that the FOIA, elsewhere in its statutory terms, makes reference to “personal privacy.” The context of those other uses of the phrase makes clear that the right to privacy belongs to a person, not a corporation. The Chief Justice gave examples of other adjectives whose sense did not necessarily jibe with the concept of the noun contained within the adjective: “corny” does not always refer to concepts related to the plant corn. Likewise, “cranky” doesn’t always refer to the mechanical device. Accordingly, contrary to AT&T’s argument, “personal” doesn’t necessarily refer only to the legal definition of a person – which can include a corporation. The opinion continued by observing that courts normally give a phrase under analysis “its ordinary meaning.”
Roberts’ opinion noted that the Court was not considering the scope of a corporation’s “privacy” interests as a matter of constitutional or common law. The only issue in this case was whether the term “personal privacy,” as used in the FOIA, applied to corporations – and the Court concluded emphatically that it did not.
-
Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty
Posted on February 24th, 2011
For the nearly eight years since the HIPAA Privacy Rule went into effect in April 2003, the U.S. Department of Health and Human Services (HHS) did not impose a single civil monetary penalty for HIPAA violations. The story behind HHS’s first penalty — a whopping $4.3 million imposed on February 22, 2011, against Cignet Health of Prince George’s County, Maryland (“Cignet”) — is a playbook on how employers and health care providers should not address HIPAA compliance and should not respond to HIPAA complaints. The tale also provides significant insight into how HHS interprets its power under the HITECH Act to determine the amount of a penalty.
According to HHS’ Notice of Proposed Determination (the “NPD”), to which Cignet did not respond, Cignet’s first mistake was its failure to respond to patients’ requests for access to their medical records. The HIPAA Privacy Rule establishes detailed procedures for handling access requests. The NPD does not identify the total number of patients whose requests went unanswered nor does it reveal why Cignet did not respond. The NPD does disclose that 41 patients filed complaints with HHS. The large number of complaints almost surely was a red flag for HHS.
Furthermore, the large number of complaints resulted in a substantial multiplier effect when HHS calculated the penalty of $1.3 million attributable to this aspect of Cignet’s non-compliance. More specifically, HHS found that each day of failing to respond to a request for access after the required time period had expired was a separate violation for each of the 41 complainants.
What are the take-aways here? First, although to date HHS’s enforcement efforts in the area of information security have received virtually all of the press attention, HHS takes seriously the obligation of covered entities to ensure that plan participants and patients are able to exercise their rights under HIPAA (consisting of the right to receive a notice of privacy practices, the right to access protected health information (PHI), the right to amend PHI, the right to an accounting of disclosures of PHI, the right to request restrictions on the use and disclosure of PHI, and the right to communicate by alternative means or in an alternative location). Second, employers and providers should have written policies and procedures in place so that employees responsible for implementing HIPAA know how to respond properly and in a timely manner to requests to exercise HIPAA rights. Finally, it is never too late to respond to a request. If, for some reason, a covered entity does not timely respond to a request to exercise HIPAA rights, the covered entity can “stop the running of the penalty meter” by responding to the request as promptly as possible.
As the NPD reveals, the lion's share of the penalty imposed on Cignet — $3 million to be precise — resulted from Cignet’s failure to cooperate in HHS’s investigation. HHS’s press release announcing the penalty emphasizes that Cignet did not respond to a letter demand for the complainants’ patient records, did not respond to a subpoena issued by HHS until after a court ordered Cignet to do so, and “made no effort to resolve the complaints through informal means.”
When calculating this portion of the penalty, HHS counted as a separate violation each day from the deadline in the letter demand for producing the complainants’ medical records until the day that Cignet produced the records in response to the court’s order. HHS then multiplied that penalty by 41 for each complainant.
In choosing to impose the maximum penalty of $50,000 per violation for conduct constituting “willful neglect,” HHS noted in the NPD that Cignet’s failure to produce the records sooner had interfered with some complainants’ ability to obtain health care and had forced HHS to seek a court order to obtain patient records that, under the HIPAA Privacy Rule, Cignet was required to produce within 30 days of the request. HHS also noted that Cignet had produced in response to the subpoena medical records of 4,500 patients whose information the agency had not even requested. But for the $1.5 million annual cap in the HITECH Act on penalties resulting from willful neglect, the penalty imposed on Cignet would have exceeded $150 million.
More lessons learned: HHS had not imposed any civil monetary penalties to date, in large part, because the agency has been willing to work with covered entities to resolve complaints informally. When responding to an inquiry from HHS, covered entities should carefully evaluate whether the complaint can be resolved informally. When informal resolution is not possible, covered entities need to carefully toe the line between respectful disagreement coupled with good faith participation in HHS’s formal dispute resolution process and “willful neglect,” i.e., a failure to respond to HHS’s lawful and reasonable demands. An incidental lesson learned from Cignet’s apparent production of every patient record in its possession in response to the subpoena for 41 patient files is the need to scrupulously safeguard the PHI of plan participants and patients whose information is not implicated by the investigation, even when producing PHI to HHS.
The penalty imposed on Cignet is a window into the “worst-case scenario” for covered entities responding to a HIPAA complaint. While the reasons for Cignet’s non-responsiveness remain unknown, the implications could not be more resounding.
-
Settlement in NLRB’s AMR/Facebook Case Contains Message for Employers About Social Media Policies
Posted on February 9th, 2011
The NLRB’s unfair labor practices charge against ambulance service provider AMR was a shot across the bow for employers. The complaint was the Board’s response to AMR’s discharge of an employee who called her supervisor a mental patient in a “friends-only” Facebook post in violation of AMR’s social media policy. However, the Region that brought the complaint also contended that any social networking policy that prohibited disparagement was per se unlawful unless it carved out rights under the National Labor Relations Act (NLRA). That element of the case raised broad concerns for employers throughout the U.S.
The Board’s General Counsel took the unusual step of announcing the complaint’s filing in a press release, setting off a buzz in employment, labor, and privacy law circles about the permissible scope of social media policies. The issue has become a hot one as employers seek to reduce the risk that employees’ off-duty social media activity will damage their organization’s reputation or expose the organization to liability. At the same time, the Obama Board appears to be seeking to expand employees’ leeway to use social media for protected labor activity and to require that employers not use broad policies to undercut concerted activity (in a union or non-union environment) protected by the NLRA.
By issuing a press release (pdf) to announce the settlement of its complaint against AMR, the Board is likely to create the same type of buzz as it created by the press release announcing the complaint. In the press release announcing the settlement, the NLRB highlights those terms of the settlement likely to have the most significant impact on employers drafting or revising their social media policy. More specifically, the NLRB’s press release states the following:
“Under the terms of the settlement, . . . the company agreed to revise its overly-broad rules to ensure that they do not improperly restrict employees from discussing their wages, hours and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.”
Importantly, there was no express finding by any administrative law judge or other court that AMR’s policy was “overly-broad,” nor does the NLRB’s press release identify the specific policy language that the Board considered to fit this characterization. However, the press release may be referring to the social media policy language cited in the original NLRB complaint: “Employees are prohibited from making disparaging, discriminatory or defamatory comments when discussing the Company or the employee's superiors, co-workers and/or competitors.”
In light of the NLRB’s pronouncement, employers whose social media policy contains similar language should analyze carefully whether to carve out NLRA rights under that policy through the use of a disclaimer. Before taking disciplinary action based on the policy, employers should also consider whether an employee’s specific social media activity constitutes protected, concerted activity under the NLRA. At the same time, employers should keep in mind that a range of conduct in violation of this type of policy should not be protected by the Act. In addition, the AMR settlement has no precedential value. However, the AMR case appears to signal the current NLRB’s intention to bring claims seeking to protect employees’ social networking activity even if such activity pushes the boundaries of respect and non-disparagement in the workplace.
-
Why Corporate Counsel Should Lose Sleep Over the Federal Wiretap Act
Posted on January 27th, 2011
This article was written by Philip Gordon, and originally appeared in Corporate Counsel Online. Reprinted with permission from ALM Media Properties, LLC.
Once seen only in the shadows of the war against organized crime, the Federal Wiretap Act should now be moving steadily and rapidly toward the top of the corporate compliance checklist. Robust civil remedies, recent court decisions and technological developments have transformed the act's risk profile from a nonevent to a statute worthy of significant attention.
Although principally a criminal statute, the Federal Wiretap Act is unique among privacy laws in that it provides for substantial monetary damages without proof of actual harm.
Under the act, an aggrieved party can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys' fees and costs. Comparing recent class action litigation involving security breaches with potential class actions involving the Federal Wiretap Act demonstrates the significantly pro-plaintiff aspect of this remedial scheme.
To date, the vast majority of security breach class actions have been dismissed, or resolved in the defendant's favor on summary judgment, because the plaintiff failed to plead or prove that the security breach at issue proximately caused any cognizable damage to class members.
By contrast, under the Federal Wiretap Act, proof that the violation proximately caused cognizable harm is unnecessary, and each individual plaintiff can recover a minimum of $10,000 even in the absence of actual damages.
The act's robust damages scheme triggers a significant risk profile because businesses can now violate the Federal Wiretap Act much more easily and much more frequently than in the past. The act makes it unlawful intentionally to intercept an oral, wire or electronic communication using an electronic, mechanical or other device.
Courts have consistently rejected claims by employees seeking to apply this statutory language to an employer's review of stored e-mail, holding that an "interception" under the act requires the acquisition of the content of an e-mail contemporaneously with transmission, not in storage. Because e-mail, by its very nature, cannot easily be acquired in transmission, this line of authority seemed to insulate employers from the act's rich remedial scheme.
A recent decision by the U.S. Court of Appeals for the Seventh Circuit, however, has raised the specter of substantial civil liability for unlawful interceptions despite extant precedent in the area. In U.S. v. Szymuszkiewicz, the court affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor's Microsoft Outlook "autoforwarding" feature.
As a result, duplicates of the supervisor's e-mail were automatically forwarded to the IRS agent without the supervisor's knowledge or consent. The IRS agent received a sentence of 18 months' probation.
The Seventh Circuit's decision turned principally on whether autoforwarding e-mail constitutes an "interception" as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the autoforwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor's e-mail inbox.
The Seventh Circuit's decision is significant for employers because corporate IT departments commonly use Outlook's autoforwarding feature. IT departments, for example, routinely activate this feature after an employee has left an organization, or when an employee is on an extended leave of absence, so that a supervisor or co-worker can promptly respond to e-mail intended for the employee.
It also is not uncommon for corporate IT departments to rely on "e-mail journaling" to create a duplicate set of outgoing and incoming e-mail for archival purposes. Journaling essentially functions the same as autoforwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party's e-mail inbox.
E-mail journaling is a basic tool of electronic discovery as it permits the automated preservation of e-mail. E-mail journaling is particularly useful for preserving the e-mail of an employee who is unaware that he is the target of an investigation because e-mail journaling eliminates the need for the target of the investigation to be involved in preservation efforts.
Additionally, businesses that rely on a third party to archive e-mail often will rely on autoforwarding to transfer e-mail from the corporate e-mail server to the third party's archive server.
Activating Microsoft's autoforwarding feature is just one way that employers can effectuate an interception of e-mail under the Federal Wiretap Act. Increasingly sophisticated e-mail monitoring programs are capable of capturing e-mail content in real-time.
At least two domestic relations cases, for example, have held that one spouse unlawfully intercepted another spouse's e-mail or Internet chat by installing SpectorSoft software, a commercially available real-time monitoring program, on the other spouse's personal computer. Although statistics are not publicly available, a significant number of corporate IT departments likely have installed SpectorSoft or similar real-time, e-mail monitoring products.
Because consent to an interception by one party to a communication is a defense to liability under the Federal Wiretap Act, employers can reduce the risk of liability by providing employees with notice of the IT processes that constitute an interception and obtaining their express or implied consent.
A recent decision by a Texas federal district court, however, demonstrates that relying on an electronic resource's policy that was drafted without the specific purpose of creating a defense to a Federal Wiretap Act claim could be shortsighted.
In that case, Garza v. Bexar Metropolitan Water District, the employee handbook warned employees that the employer "reserved the right to monitor and access any phone or email messages stored on its voicemail and email systems."
The court rejected the contention that this policy language established the plaintiff-employee's consent to the alleged real-time interception of his telephone calls, reasoning that "[d]efendants did not simply listen to [the employee's] stored voice mail messages; instead, they intercepted and listened to entire telephone conversations."
Following this reasoning, an electronic resources policy that informs employees that they have no reasonable expectation of privacy in their e-mail or that the employer reserves the right to monitor or review their e-mail messages (as most such policies typically do) would not provide a basis for establishing consent to the employer's use of Outlook's autoforwarding feature or the interception of e-mail by a real-time monitoring program, such as SpectorSoft.
Consequently, to provide a more robust defense, an employer should consider revising any such policy to specifically explain how and when the employer will intercept e-mail.
Notably, federal courts will not lightly imply consent to an interception that otherwise would violate the Federal Wiretap Act.
As a result, there remains an open question whether a court would find, for example, that an employee who acknowledged receipt of an electronic resources policy on his first day of employment thereby consented to the interception of his e-mail five or ten years later in the course of the employer's investigation of allegations of sexual harassment. To strengthen its position in this regard, the employer can include notification of e-mail interception in a splash screen each time employees log into the employer's computer system.
Revising the employee handbook and using a splash screen or similar warning may not, however, be enough.
Corporate counsel should encourage IT leaders routinely to communicate how and when the corporate IT department is intercepting employees' e-mail. Corporate counsel can then analyze whether the existing policy provides sufficient notice to establish consent to the interception and, if not, can revise the existing notice or provide individualized notice to targeted employees.
One final caveat: The wiretap laws of 13 states — California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington — provide that consent is a defense to an interception only if all parties to the communication consent.
Employers can satisfy this all-party consent requirement in the context of telephone monitoring by distributing a telephone monitoring policy to their own workforce and notifying incoming callers by automated means that their call will be monitored. In the context of e-mail, however, notifying the sender that his e-mail will be intercepted may not be technically feasible.
To be sure, our research has not uncovered any published decision in any of the all-party consent states upholding a criminal conviction or imposing civil liability for e-mail interception. Nonetheless, the risk remains and should be considered before an organization activates autoforwarding, e-mail journaling or real-time e-mail monitoring software.



By