-
Littler Mendelson’s Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Maryland Facebook Password Law
Posted on May 2nd, 2012
Philip Gordon, Chair of Littler Mendelson's Privacy and Data Protection Practice Group and a frequent contributor to this blog, was recently interviewed by The Lexblog Network about Maryland's recently-enacted Facebook password law and what it accomplishes.
Video courtesy of The Lexblog Network
-
Enforcement Guidance on the Use of Criminal Records in Employment Approved by EEOC
Posted on April 26th, 2012
On Wednesday the Equal Employment Opportunity Commission (EEOC) approved in a 4-1 vote updated enforcement guidance governing the legality of considering a job applicant’s or employee’s criminal history when making hiring or other employment decisions. Commissioner Victoria Lipnic (R) joined the Democrat Commissioners in support of the guidance, while Constance Barker (R) was the lone member to vote against the new guidance. Although the use of credit history for employment screening had been a topic of discussion during an earlier Commission meeting, the Commission has not issued guidance on this topic. Given Commissioner Stuart Ishimaru’s (D) impending resignation, it is likely that any new guidance on credit history would need to be a bipartisan effort with only four Commissioners if such guidance is issued at all anytime soon. To learn more about the revised guidance and its implications for employers, please continue reading at Littler's D.C. Employment Law Update.
-
Maryland "Facebook Law" Raises New Obstacles For Employers Vetting Applicants And Investigating Employees, But With Important Exceptions
Posted on April 11th, 2012
The momentum in the media made it almost inevitable: the first state law to expressly restrict employers from asking applicants and employees for social media account log-in credentials has been passed. Not surprisingly, Maryland, where the issue first burst onto the scene in April 2011, wins the “honor.” However, Maryland likely has opened the floodgates. Bills currently are pending in California, Illinois, Minnesota, New Jersey, and Washington. Employers seeking to understand the implications of the Maryland law must look beyond the blaring headlines to the details of the statute.
To begin with, the law’s general prohibition is both broad and narrow. Effective October 1, 2012 (assuming the Governor signs the law), employers are prohibited from requiring, or even asking, that applicants or employees disclose “any means for accessing,” such as a user name or password, for “any personal account or service” accessed through “computers, telephones, personal digital assistants, and other similar devices.” In other words, the prohibition extends far beyond Facebook and other social media sites to include personal e-mail accounts, personal online banking accounts, and any other online communications or service account.
The Maryland law prohibits an employer from taking or threatening any form of adverse action based on an employee’s or applicant’s refusal to provide a user name or password to a personal account accessed through a communications device. An employer cannot discharge, discipline or otherwise penalize an employee. An employer cannot reject an applicant for engaging in the protected conduct.
Notably, the Maryland law contains no enforcement provision. The law does not authorize applicants or employees to sue. The law does not even delegate authority to the Maryland Department of Labor, Licensing and Regulation, or any other government agency, to enforce it. It is possible that an employee terminated in violation of the law might have a claim for wrongful discharge in violation of public policy. However, because that claim typically applies only to discharge, it is unclear whether an employee who is disciplined short of discharge would have a claim. It also is uncertain whether an applicant who is denied employment in violation of the law would be able to assert a claim.
While the law seems overly broad at first blush, it is critical for employers to understand the types of conduct that the law does not prohibit. Some of these exceptions are expressed in the statute itself; others are implicit.
- Access To Employer’s Internal Systems: The law expressly permits employers to require that employees disclose log-in credentials “for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.” In other words, employees cannot rely on the law to prevent employers from gaining access to information stored on the employer’s own information systems.
- Violations Of Securities Or Financial Laws, Or Regulatory Requirements: If an employer receives information that an employee is using a personal online account for business purposes, the law “does not prevent” an employer from conducting an investigation to ensure that the employee is complying with “securities or financial law, or regulatory requirements.” This exception appears intended to apply in a situation where an employee of a financial services company uses a personal online account to trade securities or engage in other financial transactions on the employer’s behalf.
- Protection Of Trade Secrets: If an employer receives information that an employee has downloaded the employer’s proprietary information, without authorization, to a personal online account, the law “does not prevent” an employer from conducting an investigation into such suspected misconduct.
- Passwords To Devices: While the Maryland law bars employers from requesting log-in credentials for “accessing a personal account or service,” the law does not prohibit employers from requesting or requiring log-in credentials to access an employee’s personal device, such as a smartphone or tablet. This distinction is critical as employers increasingly are implementing “Bring-Your-Own-Device” policies.
- Nonpersonal Accounts: The law protects log-in credentials only for “personal” accounts. Maryland employers should clearly define which accounts are personal and which are nonpersonal. For example, if an employee uses a corporate e-mail address to establish a LinkedIn profile or Twitter account, the employer should ensure that employees know from the outset that such an account is “nonpersonal” for purposes of the Maryland law.
Because the Act’s restrictions on its face arguably apply only to the disclosure of log-in credentials, it remains to be seen through judicial interpretation whether the Act’s restrictions bar an employer from, for example, asking an employee or applicant to log into a personal account without disclosing the log-in credentials to the employer so the employer can observe the content of the personal account or asking an employee or applicant to print the content of a personal account. Before an employer chooses this route, they should speak with their employment counsel to educate themselves about the legal risks of doing so. While Maryland is the first jurisdiction to enact this legislation, it is not likely to be the last. Indeed, bills proposing similar restrictions currently are pending in various states, including but not limited to California, Illinois, Minnesota, New York, and Washington. In addition, U.S. Senator Richard Blumenthal (D–CT) has stated his plan to introduce similar legislation "in the very near future."
-
Requiring Social Media Information Is a Bad Idea
Posted on March 28th, 2012
Employers continue to wrestle with the issue of whether to require employees and prospective employees to divulge their social media passwords. A recent spike in interest by the media, by advocacy groups, legislators and the general public has refocused attention on the issue. Although it may not be unlawful to seek the information to conduct background checks, deter and investigate harassment of coworkers, and discourage employees from posting online content that disparages the employer's products or services, in most situations, it is inadvisable. To learn more about the pitfalls of social media information requests, proposed federal and state bills prohibiting such requests and their potential implications for employers, please continue reading Littler's ASAP, Though Not Yet Banned, Requiring Social Media Information Is a Bad Idea by Chris Leh.
-
Finding the Messages to Employers in $1.5M HIPAA Settlement
Posted on March 14th, 2012
Yesterday’s $1.5M “Resolution Agreement” between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures. This settlement has several important messages for employers.
Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet “was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.” The property management company for the leased space where the network data closet was located provided security services.
After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.
To resolve HHS’s investigation, BCBST agreed not only to pay $1.5 million but also to enter into a corrective action plan (CAP). The CAP requires BCBST to do the following: (a) conduct a risk assessment and engage in a risk management process with respect to electronic PHI (ePHI) in BCBST’s possession; (b) develop facility access controls and a facility security plan to safeguard information systems and equipment containing ePHI; (c) develop physical safeguards for electronic storage media containing ePHI; (d) train all workforce members with access to ePHI in the policies and procedures embodying items (a) through (c); (e) monitor compliance with the policies and procedures; and (f) report to HHS concerning compliance with the CAP.
Employers can draw several lessons from this incident and its resolution:
First, to date, HHS’s monetary settlements with covered entities have focused on health care providers, such as hospitals and pharmacies. This is the first monetary settlement of which we are aware involving a covered health plan. Insurers and self-insured employers offering HIPAA-covered benefits should take note.
Second, this is the first monetary settlement triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH Act. It is critical for employers with HIPAA-covered plans, as well as other covered entities, to recognize that notifying HHS of a security breach in accordance with the HITECH Act could trigger an investigation into the circumstances underlying the breach and could ultimately result in an enforcement action.
Third, the underlying incident involved the theft of unencrypted hard drives. Had those hard drives been encrypted, BCBST would not have had an obligation to notify HHS of the theft. In other words, the Resolution Agreement highlights the importance of considering the feasibility of encrypting any movable storage media which contain ePHI.
Finally, HHS seems to have set a fairly high standard for adequate physical safeguards. The Resolution Agreement suggests that BCBST had in place fairly robust physical security for the stored hard drives, including “biometric and keycard scan security with a magnetic lock and an additional door with a key card lock” in addition to building security. HHS, nonetheless, appears to have taken the position that this security was inadequate. Consequently, the Resolution Agreement emphasizes the need for covered entities to pay as close attention to physical safeguards for ePHI as they do to administrative and technical safeguards.
Photo credit: MBPHOTO, Inc.
-
New Obligations for Massachusetts Employers Conducting Criminal Background Checks
Posted on March 8th, 2012
Effective May 4, 2012, the Massachusetts Criminal Offender Record Information ("CORI") Reform Act (the Act), which was enacted in August 2010 with the controversial "ban the box" legislation, will significantly change the way employers access, use and maintain information obtained through the Commonwealth's CORI system. The Act will allow all employers access to a new online records system, but also imposes obligations on employers that acquire criminal history information from private sources, such as consumer reporting agencies (background report vendors). Employers should review their hiring and background check policies now to determine whether any updates are necessary. To learn about the Act and its potential implications for employers, please continue reading Littler's ASAP, Massachusetts Employers Face New Obligations When Conducting Background Checks Involving Criminal History Records, by Christopher Kaczmarek, Carie Torrence, and Joseph Lazazzero.
-
Data Privacy Heat Map highlights challenges of navigating global privacy legislations
Posted on February 21st, 2012
Guest post from Researcher Chris Sherman.
Data privacy laws are the champions of citizens' rights in the digital age. However, multi-national organizations often find these laws challenging to navigate given the complex framework of global legal requirements. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Leveraging in-depth analyses on the privacy legislation of 54 countries around the world, this product is aimed at helping our clients better strategize their own global privacy and data protection approaches.
Using the tool, one can quickly determine how various countries stack up against each other in terms of their data privacy standards. Each country has been rated across seven key criteria, covering the breadth of law, EU adequacy, data transfer limitations, government surveillance activities, etc. Leveraging this data, our clients will be able to establish their own data privacy "high watermarks", ensuring compliance in all locales in which their organization operates. One such application is in the use of cloud computing. Since the cloud is borderless, jurisdictional-based privacy laws are often a mismatch when applied to clouds. When considering outsourcing to a cloud service, companies should consult Forrester's Privacy Heat Map to determine, for example, whether their data will be at risk of residing in a country with questionable governance surveillance practices.
-
NLRB Report Challenges Validity of Many Commonly Used Social Media Policies
Posted on January 27th, 2012
In its most recent effort to draw lines on the self-described “hot topic” of the “lawfulness of employers’ social media policies and rules,” the National Labor Relations Board’s (NLRB) Office of General Counsel has taken the position that many policy provisions commonly seen in employers’ social media policies violate the National Labor Relations Act (NLRA). This most recent shot across the bow came on January 24, 2012, in the form of a report, issued to senior regional staff, on 14 cases which, according to the General Counsel, “present emerging issues in the context of social media.” This report follows a previous General Counsel report, dated August 18, 2011, which discussed 14 prior NLRB cases involving social media issues.
The cases treated in the report also contain the General Counsel’s opinion on whether the employer in each case violated the NLRA by imposing discipline based on social media conduct. We will cover this aspect of the report in a separate and forthcoming blog post. Here, we will focus on the thicket that the NLRB has created for employers who are trying to gain some reasonable control over what employees publish in social media, often to the world, about co-workers, supervisors, the workplace, and the employer’s products and services.
Each of the headings below reviews the General Counsel’s current position on a particular type of commonly used policy provision. Employers should carefully review their existing policies and any new policy in light of the General Counsel’s most recent report. With careful drafting and the use of examples and limiting language, employers should still be able to achieve their objectives of gaining limited control over the Wild West of social media content while staying within the parameters of the NLRA.
No Defamation/Non-Disparagement: No employer likes seeing its employees or organization trashed in social media, but, according to the General Counsel, a broad non-disparagement policy violates the NLRA on a per se basis because it could inhibit employees from making negative comments about the terms and conditions of their employment. For example, the General Counsel opined in the report that the following policy prohibition is illegal: “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The General Counsel reached the same conclusion on a policy which prohibits “discriminatory, defamatory, or harassing web entries about specific employees, work environment, or work-related issues on social media sites.”
While the General Counsel’s opinion sounds frustrating, employers should not despair. The General Counsel explains that by including non-disparagement policy language within a list of other forms of unprotected conduct, an employer’s non-disparagement policy will comply with the NLRA. To illustrate the point, the General Counsel pointed to the NLRB’s holding that a policy prohibiting “statements which are slanderous or detrimental to the company” was lawful when it “appeared on a list of prohibited conduct including ‘sexual or racial harassment’ and ‘sabotage.’” Following this authority, the General Counsel gave its stamp of approval in the report to a policy which “prohibited the use of social media to post or display comments about coworkers or supervisors or the Employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.”
Confidentiality: Protecting confidential information and trade secrets from competitors is critical to every organization. According to the General Counsel, however, a confidentiality policy is illegal if it would impinge on employees’ ability to discuss their wages and working conditions with others inside or outside the organization. Consistent with that reasoning, the General Counsel’s report rejected a provision in an employer’s social media policy that prohibited employees from “disclosing or communicating . . . confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department.” By contrast, the General Counsel approved a policy provision that “prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients” as well as “‘embargoed information,’ such as launch and release dates and pending reorganizations.” The General Counsel approved of this policy language based on the following reasoning: “Considering that the Employer sells pharmaceuticals and that the rule contains several references to customers, patients, and health information, employees would reasonably understand that this rule was intended to protect the privacy interests of the Employer's customers and not to restrict Section 7 protected communications.”
The General Counsel’s distinction between the two confidentiality provisions suggests a potential litmus test for confidentiality language in a social media policy: if the policy reasonably could be read to prevent employees from disclosing the amount of their compensation to family members, the General Counsel likely would find the policy to be overbroad. Employers should note that this same issue could apply to confidentiality agreements signed by hourly workers, and not just to confidentiality requirements in a social media policy.
Logos/Trademarks: Organizations understandably want to control use of their logo and trademarks. Nonetheless, a social media policy which prohibits “use of the company’s name or service marks outside the course of business without prior approval of the law department” is, according to the General Counsel, unlawful. The General Counsel takes the position that employees have the right under the NLRA to use the company’s name and logo “while engaging in protected concerted activity, such as in electronic or paper leaflets, cartoons, or picket signs in connection with a protest involving the terms and conditions of employment.” The General Counsel reasoned that such protected use of a company’s name and logo does not “remotely implicate[]” the company’s interests protected by trademark law, “such as the trademark holder’s interests in protecting the good reputation associated with the mark from the possibility of being tarnished by inferior merchandise sold by another entity using the trademark and in being able to enter a related commercial field and use its well-established trademark.”
This reasoning is wrong. An employee easily could damage brand reputation and engender customer confusion by, for example, creating a Facebook page with the corporate name and logo. At a minimum, an employer should be able to prohibit employees from using the company name or logo when engaging in, or depicting in social media, any conduct which violates the company’s policies or is unlawful; such a policy would not encompass activity protected by Section 7 of the NLRA. Employers also should consider consulting intellectual property counsel about logo and trademark issues and not necessarily develop a marketing strategy based solely on NLRA issues. However, the General Counsel’s analysis (which is not law, but rather the Office’s view of the law) should not be fully ignored either.
Employee Disclaimers: Social media policies commonly mandate that employees must include a disclaimer in any social media content that relates to the employer. For example, in one of the cases discussed in the General Counsel’s report, the employer’s social media policy required that employees “expressly state that their comments are their personal opinions and do not necessarily reflect the Employer’s opinions.” The General Counsel opined that this policy requirement violates the NLRA because it “would significantly burden the exercise of employees’ Section 7 rights to discuss working conditions and criticize the Employer’s labor policies.” Fortunately, employers can achieve a similar result with a policy that prohibits employees from representing in any way that they are speaking on the Company’s behalf without prior written authorization to do so.
It is worth noting that the General Counsel did approve an employee disclaimer requirement in the section of a social media policy addressing product promotions. The General Counsel explained that in context, this provision could not be read to interfere with Section 7 rights because the policy focused on product promotions and endorsements and was intended to avoid potential liability for unfair and deceptive trade practices under guidance issued by the Federal Trade Commission.
Discussions of Work-Related Concerns: The aphorism, “Don’t hang out your dirty laundry,” may seem antiquated but many employers still say just that in their social media policy. By way of illustration, one policy discussed in the General Counsel’s report “required employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination.” The General Counsel concluded that this policy violated the NLRA because of the threat of discipline. Employers can avoid this potential pitfall by urging, but not mandating, that employees use internal channels, rather than social media, to resolve workplace concerns. In that regard, the General Counsel’s opinion is nothing new, but rather is in line with traditional NLRA law on protected, concerted activity in general.
Communications with the Media: Social media policies often tell employees not to discuss with the media their social media content related to the company. The General Counsel’s report finds such prohibitions illegal. (“An employer’s rule that prohibits employee communications to the media or requires prior authorization for such communications is therefore unlawfully overbroad.”) However, a similar report issued by the General Counsel on August 18, 2011, recognized that “a media policy that simply seeks to ensure a consistent, controlled company message and limits employee contact with the media only to the extent necessary to effect that result cannot be reasonably interpreted to restrict Section 7 communications.” In light of that principle, the General Counsel blessed the media policy in question because the “policy repeatedly stated that the purpose of the policy was to ensure that only one person spoke for the company” and even though “employees were instructed to answer all media/reporter questions in a particular way.” In other words, it appears that employers can still carefully craft a provision on media relations in a social media policy which complies with the NLRA.
“Unprofessional” Content: In several of the reported cases, the General Counsel took issue with policy terms that were undefined, vague, or subjective. These terms included prohibitions on “insubordination or other disrespectful conduct,” “inappropriate conversation,” “unprofessional communication that could negatively impact the Employer’s reputation or interfere with the Employer’s mission,” and “nonprofessional/inappropriate communication regarding members of the Employer’s community” as well as the requirement that social media activity occur in an “honest, professional, and appropriate manner.” Employers can achieve the intended objectives of this disfavored language by using terms that are defined in the social media policy or other policies or by providing examples of prohibited conduct with examples that do not include conduct protected by the NLRA.
Employee’s Self-Identification: Some employers have tried to protect their organization by telling employees not to identify their affiliation with the organization when engaging in social media activity unless there is a legitimate business reason for doing so. In its report, the General Counsel took the position that this type of policy violates the NLRA “because personal profile pages serve an important function in enabling employees to use online social networks to find and communicate with their fellow employees at their own or other locations.” Employers should not view the General Counsel’s position here as a particular setback. Telling employees not to mention their employer by name in a personal profile is akin to telling them not to do the same at a cocktail party; the rule would be honored in the breach.
Securities Blackouts: Publicly traded companies are rightfully concerned that employees may let slip on social media highly sensitive information about a corporate transaction, new product launch, or non-public financial information. Among the few policy provisions with which the General Counsel did not take issue was one which stated that the employer might “request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws.” The General Counsel reasoned that “employees reasonably would interpret the rule to address only those communications that could implicate security regulations,” as opposed to the terms and conditions of their employment.
Employer Disclaimers: In the wake of the NLRB’s aggressive position since the AMR case in late 2010 on social media policies and employee discipline based on social media conduct, many employment and labor law practitioners have recommended the inclusion of a disclaimer in social media policies. The disclaimer explains that the employer’s policies are not intended to interfere with employees’ rights under the NLRA. In its first public review of a disclaimer in a social media policy, the Board somewhat surprisingly took the position that such a disclaimer was ineffective. In that case, the disclaimer stated as follows:
[T]he policy [will] not be interpreted or applied so as to interfere with employee rights to self-organize, form, join, or assist labor organizations, to bargain collectively through representatives of their choosing, or to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from engaging in such activities.
According to the General Counsel, this disclaimer could not “save” a policy provision prohibiting employees from posting “inappropriate” content because “an employee could not reasonably be expected to know that this language encompasses discussions the Employer deems ‘inappropriate.’” Given the detailed nature of the disclaimer in question, this conclusion suggests the General Counsel, and possibly the Board itself, will view skeptically any effort by an employer to rely upon a disclaimer to protect an otherwise overbroad social media policy. That is an unfortunate result for employers, as a disclaimer seemed to be the answer to keeping a policy simple and uncluttered, without violating the NLRA. Now employers should consider instead replacing such a disclaimer with a list of specific limitations or examples, such as those discussed above which can transform an otherwise overbroad (at least in the eyes of the General Counsel) non-disparagement provision into one that complies fully with the NLRA.
-
What Does The Supreme Court’s "GPS Decision" Mean For Private Employers?
Posted on January 24th, 2012
The Supreme Court ruled unanimously yesterday that law enforcement must obtain a search warrant before placing a Global Positioning System (GPS) device on a suspect’s vehicle for purposes of tracking the vehicle’s location. The decision effectively overturned Antoine Jones’s life sentence for drug trafficking which was obtained, in part, through the use of location tracking information generated by a GPS device secretly placed by the FBI, without a search warrant, on Jones’s wife’s Jeep Grand Cherokee. Although the Court’s analysis focuses exclusively on the Fourth Amendment to the U.S. Constitution, which applies only to government actors, the decision has potentially important implications for private employers who are turning increasingly to location-tracking capabilities in vehicles, smartphones, and even laptops to track employees for management and investigative purposes.
To begin with, the Court’s decision highlights the dearth of legislation in the area. None of the Court’s three opinions — the lead opinion by Justice Scalia, a concurrence in that opinion by Justice Sotomayor, and an opinion by Justice Alito concurring in the result but not with Justice Scalia’s reasoning — cited a single federal or state law which regulates location tracking. California’s statute prohibiting the installation of a tracking device on a vehicle without the consent of the vehicle’s owner or lessor appears to be one of only two laws (the other is in Texas) on the subject with a significant impact on private employers. In the wake of the Supreme Court’s decision, employers should expect legislative activity in the area.
The decision also is important for private employers because five justices — Justice Alito (joined in his concurrence by Justices Ginsburg, Breyer, and Kagan) as well as Justice Sotomayor — rejected the majority position in the state and federal judiciary on the privacy of location data. Under that view, location tracking does not infringe any privacy interest because the location of a vehicle or a person in a public place is fundamentally not private. This majority view effectively leaves private employees without any remedy for an employer’s use of location tracking because a common law invasion of privacy claim can be asserted only for the breach of a recognized privacy interest, and a statutory remedy for unauthorized location tracking is rarely available.
In rejecting the majority view, the five justices found a protected privacy interest in the patterns of private activity that can be derived from continuous location tracking notwithstanding the public nature of any particular data point. In the words of Justice Sotomayor, “GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” This view likely will have a significant influence on the thinking of trial and appellate court judges when confronted with an invasion of privacy claim based on an employer’s unauthorized tracking of an employee during non-working hours. An employer might be tempted to engage in such tracking, for example, to check for abuse of paid or unpaid leave or to investigate suspected moonlighting or a potentially fraudulent workers’ compensation claim.
Consequently, the most important lesson for private employers to draw from the Court’s decision is the importance of limiting location tracking to working hours when the pattern of location data should not reveal details of an employee’s private life, and if it does, the employer has a legitimate business reason for knowing what the employee is doing other than earning his or her compensation. The New York appellate decision that we covered in last week’s blog post illustrates the point. In that case, the majority did not take issue with the New York State Department of Labor’s 24/7 tracking of a high-level employee’s personal vehicle because the employer had a reasonable suspicion that the employee was not working when he said that he was. Under that reasoning, tracking an employee during working hours clearly would be permissible. On the other hand, the dissenting judges in the New York case found that tracking the employee during non-working hours was excessively intrusive, particularly because the GPS device reported the employee’s location during a week-long family vacation.
Employers should note that many GPS devices are either on at all times or off. In these circumstances, employers should develop controls that will limit access to location tracking information to employees’ scheduled working hours.
Finally, private employers should note Justice Scalia’s reliance on the notion of trespass in finding that the government’s warrantless installation of the GPS device on Jones’s wife’s Jeep violated the Fourth Amendment. Similarly, an employer’s unauthorized placement of a GPS device on an employee’s personal vehicle might support a claim based on a common law trespass theory. As a result, employers should be particularly cautious when using any form of location tracking not associated with company-owned equipment.
-
Is It Legal for an Employer to Secretly Track an Employee’s Personal Vehicle 24/7 for One Month? Perhaps!
Posted on January 20th, 2012
A recent decision by a New York appellate court is one of the first cases to address the surreptitious use of location tracking for employment purposes. The 3-2 split decision highlights the on-going disagreement among judges over the lawful use of Global Positioning Systems (GPS). The New York case is particularly noteworthy because the U.S. Supreme Court in U.S. v. Jones (argued November 7, 2011) (Note: the lower court case is U.S. v. Maynard; on cert to the U.S. Supreme Court, the case is U.S. v. Jones, referring to respondent Antoine Jones) is currently considering virtually the same issue addressed by the New York court, but in the criminal context. Given the increasing use of GPS in the workplace, employers need to understand the legal risks associated with this highly effective management and investigative tool.
The subject of the New York case was a 30-year employee of New York’s Department of Labor, serving most of that time as the Department’s Director of Staff and Organizational Development. Despite his high-level position, he had been a “problem employee” for nearly a decade, having been disciplined on several occasions. The dispute that ultimately led to the appellate court decision had its inception in the Labor Department’s investigation of the employee for falsifying time records. The Department initially tried to track him the “old-fashioned way,” i.e., by tailing him, but the employee spotted and evaded the tail. The state’s Inspector General, to whom the Labor Department referred the investigation, then secretly planted a GPS device on the employee’s personal vehicle and collected location data 24/7 for a one-month period. Based, in part, on the location data collected, a Labor Department hearing officer recommended the employee’s termination for, among other things, falsifying time records.
Although the employee was a public employee, his case has relevance for private employers for the following reason. On appeal, the employee contended that the Labor Department could not lawfully rely on the location-tracking data to discipline him, invoking the exclusionary rule in New York’s civil service law. Under that rule, the hearing officer and the appellate court had to determine whether the Inspector General’s use of surreptitious location tracking was reasonable at inception and in its scope. That standard is similar to (albeit somewhat lower than) the standard that a court would apply to determine whether a private employer’s use of GPS to track an employee constituted a common law invasion of privacy. Given that no state other than California has enacted a law that prohibits a private employer from tracking an employee’s personal vehicle, a private employee terminated based on location information most likely would rely on a common law invasion of privacy claim to obtain a remedy.
The appellate court’s split decision on the reasonableness of the Inspector General’s use of location tracking highlights the difficult balancing that private employers must conduct when considering whether to use GPS as an investigative tool. All five judges agreed that use of the GPS was reasonable at inception because the Labor Department had a reasonable suspicion of the employee’s wrongdoing. The three-judge majority further concluded that 24/7 location tracking for one month was reasonable because the employee had intentionally undermined less intrusive investigative methods and because “the GPS devices were not constantly monitored;” instead, the Inspector General extracted only location information revealing the employee’s whereabouts during working hours. Rejecting this reason, the two dissenters emphasized that the Labor Department’s “valid interest in [the employee’s] whereabouts extended only to the hours of his workday and yet the tracking had continued for one month.” The dissenters found it particularly troubling that the Inspector General had tracked the employee’s location during a week-long family vacation.
The reasoning on both sides of the decision provides useful guidance for private employers seeking to use location tracking as an investigative tool. At least until the courts provide more guidance, it would be prudent for employers to use surreptitious location tracking only when other, less intrusive methods would be unsuccessful. In addition, where technically feasible, location tracking should be limited to working hours. When not technically feasible, employers should access only location data recorded during working hours.
-
Upcoming Privacy Events
Posted on December 20th, 2011
Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:
Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up steam. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.
Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:
- Raise employee awareness and educate employees in the handling of sensitive data
- Safeguard company equipment and wireless devices and minimize damage in the event of breach
- Protect corporate networks from the use of multiple portable devices while preserving employee rights
- Establish policies and procedures to strengthen and maintain data security
For more information and to register, please click here (pdf).
Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.
Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.
-
New Littler Blog: Employee Benefits Counsel
Posted on December 1st, 2011
We are pleased to announce a new addition to Littler's blogroll:
Brought to you by Littler's Employee Benefits, ERISA and Benefit Plan Litigation, and Executive Compensation practice groups, this blog covers:
- Legislative and regulatory developments in the employee benefits arena, including the topics of health care reform; plan design and administration; employee benefits litigation; and
- Executive compensation, providing insight and analysis on legal developments that warrant discussion.
During this time of significant governmental change and shifts in the strategy and style of benefits litigation, Littler's depth of experience in employee benefits, litigation, and executive compensation matters gives our attorneys a distinctly broad perspective with which to provide insight and useful analysis of the latest developments. To subscribe to receive email alerts of new blog posts, please enter your email address in the Subscribe box on the right side of the Employee Benefits Counsel blog homepage.
-
EEOC Advisory Opinion on Employer Use of Arrest & Conviction Records During Hiring Process
Posted on October 25th, 2011
The Equal Employment Opportunity Commission's Office of Legal Counsel released an advisory opinion on employer use of arrest and conviction records during the hiring process. The non-binding letter provides some insight into the Commission's current enforcement position and suggests the Commission: (1) will continue to differentiate between arrest and conviction records; (2) may not be prepared to adopt a presumption of disparate impact in this context; and (3) will, in the event of a finding of disparate impact, closely scrutinize the employer's policy with regard to both how long convictions are disqualifying and whether the underlying criminal conduct is related to the job duties for the position in question. To learn more about the EEOC's advisory opinion and its potential impact on employers, please continue reading Littler's Insight, EEOC Advisory Guidance Offers Insight on the Use of Arrest and Conviction Records, by Rod Fliegel and Jennifer Mora.
-
California Restricts Employer Use of Credit Reports
Posted on October 10th, 2011
On October 10, 2011, the Office of California Governor Jerry Brown announced that Governor Brown had signed AB 22, legislation that adds a new provision to the California Labor Code and amends the state's Consumer Credit Reporting Agencies Act to restrict the discretion that private and public sector employers have to use "consumer credit reports" for hiring and personnel decisions. Together, the new laws, which take effect on January 1, 2012, limit when employers lawfully can use consumer credit reports and impose notice and disclosure obligations on employers who intend to do so. To learn more about the laws and their implications for employers, please continue reading Littler's ASAP, California Joins States Restricting Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.
-
NLRB Opens Useful Escape Hatch for Employers Responding to Obnoxious Social Media Conduct
Posted on October 3rd, 2011
Selling luxury cars in a down economy can be tough enough without employees mocking a company-sponsored sales event on their Facebook page. An administrative law judge (ALJ) with the National Labor Relations Board (NLRB) issued an opinion last week holding that the National Labor Relations Act (NLRA) protected an employee’s sarcastic post, but nonetheless upheld the dealership’s termination decision because it was based on other, unprotected Facebook content. The decision is an important reminder for employers that when protected and unprotected content appear on the same Facebook wall, the protected content does not shield the employee from discipline based on the unprotected content.
The Knauz BMW dealership in Lake Bluff, Illinois, planned the “Ultimate Driving Event” to introduce the redesigned BMW 5 Series to its customers. At the event, the dealership not only offered BMW representatives, rather than the dealership’s sales staff, to take customers for a test drive, but also served hot dogs from a hot dog car as well as chocolate chip cookies, small bags of Doritos, and water. Upon learning of the dealership’s plans for the event, salesman Bobby Becker and at least one other salesperson questioned the culinary selection. After the event, Becker tweaked the dealership on his Facebook page: “The small 8 oz. bags of chips, and the $2.00 cookie plate from Sam’s Club, and the semi fresh apples and oranges were such a nice touch . . . but to top it all off . . . the Hot Dog Cart. Where our clients could attain a over cooked weiner and a stale bunn . . . ”
Becker’s rag on the Ultimate Driving Event did not stand alone. On the same day, he also posted about a potentially serious mishap at the nearby Land Rover dealership also owned by Knauz BMW. Becker described the drama on his Facebook page, alongside a photograph with the following comment: “This [photograph shows] what happens when a sales Person sitting in the front passenger seat (Former Sales Person, actually) allows a 13 year old boy to get behind the wheel of a 6000 lb. truck built and designed to pretty much drive over anything. The kid drives over his father’s foot and into the pond in all about 4 seconds and destroys a $50,000 truck. OOOPS!”
In deciding whether Knauz BMW violated the NLRA by discharging Becker, the ALJ agreed with the NLRB’s General Counsel that Becker’s Facebook comments about the food at the Ultimate Driving Event were protected concerted activity, a position previously expressed by the General Counsel in its August 2011 report on the NLRB’s social media cases, which we discussed in an earlier blog post. The ALJ reasoned that Becker’s comments were protected because it was possible, albeit not likely, that the food selection could have had an impact on Becker’s commission-based compensation. In the words of the ALJ, “some customers [possibly] were turned off by the food offerings at the sales event and [perhaps] did not purchase a car because of it.” The ALJ also found that Becker’s Facebook posting was concerted activity — even though no co-worker participated in, or commented on, the post — because the post was the “logical outgrowth of” the criticisms by Becker and at least one other co-worker of the food selection during the sales force’s meeting with management before the event. This result demonstrates just how broadly the NLRB interprets the concept of “protected concerted activity,” which cannot properly be the subject of employee discipline.
Notably, the ALJ rejected Knauz BMW’s argument that Becker’s Facebook post should lose its protection under the NLRA because the post disparaged the dealership. Without much analysis, the ALJ noted that the NLRB had previously rejected the same argument in cases where employees’ protected speech was mocking, sarcastic, satirical, ironic, demeaning or even degrading. It appears that an employee’s protected speech will need to reach a high level of injuriousness before the Board will strip that speech of the NLRA’s protections.
Although Becker had engaged in protected concerted activity, the ALJ still determined that Knauz BMW’s decision to axe Becker was lawful. The ALJ found persuasive the testimony of management employees that Becker’s facetious comments about the serious and potentially deadly Land Rover mishap triggered the termination decision. The ALJ then determined that this post did not constitute protected concerted activity because “it was posted solely by Becker,” “without any discussion with any other employee,” and “had no connection to any other employees’ terms and conditions of employment.”
The lesson for employers? Employees who post some protected social media content do not thereby shield themselves from adverse employment action. Employers can rely on unrelated, unprotected social media posts to justify termination; they just need to be prepared to prove that the unprotected speech was the driving force behind the disciplinary decision.
-
California Amends its Security Breach Notification Law
Posted on September 9th, 2011
On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.
First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.
Second, SB 24 adds a requirement to notify the state’s attorney general about a breach. More specifically, the notice law now requires any agency, person, or business that sends a security breach notice to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the attorney general, excluding any personally identifiable information. This change adds California to the list of states that require some type of notice to the state’s primary regulator of security breaches.
Third, this bill deems any HIPAA-covered entity to have complied with California’s new notification requirements if the covered entity complied with the similar breach notification requirements in Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). However, the covered entity is not exempt from any other provision of California’s notice law.
Finally, SB 24 also amends Section 1798.82(j) of California’s security breach notification law regarding substitute notice. Reporting entities which seek to notify individuals of a security breach through the state’s media, rather than directly, must now also notify the Office of Privacy Protection within the State and Consumer Services Agency.
In light of these changes, employers will need to update their incident management plans and add these new requirements into their notification policies to ensure compliance with the many state data breach notification requirements.
California SB 24 takes effect January 1, 2012, providing enhanced notification requirements similar to those required under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Hard copy breaches are still not covered under the California law.
-
More Guidance from the NLRB on Social Media: When Must Employers Not Fire an Employee for an Offensive Facebook Post?
Posted on August 22nd, 2011
In a recent blog post, we addressed three Advice Memos issued by the National Labor Relations Board’s (NLRB or the “Board”) Division of Advice, which provided useful guidance on the types of social media conduct that do not enjoy protection under the National Labor Relations Act (NLRA). On August 18, 2011, not long after the publication of those Advice Memos, the NLRB’s General Counsel issued a lengthy memorandum to all Regional Directors that summarizes the Board’s resolution of more than one dozen “social media cases,” including the three cases discussed in our prior blog post. As a contrast to that post, this post will focus on the cases in the August 18, 2011, Memorandum where the General Counsel found that an employer’s discharge of an employee violated the NLRA. The August 18, 2011, Memorandum also provides useful guidance on social media policies, which are addressed below as well.
When Not to Fire an Employee Based on a Social Media Post
The August 18, 2011, Memorandum summarizes four cases that concluded that the employer’s discipline violated the NLRA. In a nutshell, these cases involved the termination of one or more employees based on the following social media conduct:
- While preparing for a meeting with management, an employee asked coworkers on her Facebook page for their reaction to another employee’s complaints about work quality and staffing levels at the employer;
- An employee complained on her Facebook page about her supervisor’s refusal to permit a union representative to assist her in responding to a customer complaint about the employee;
- A salesman at a car dealership criticized on his Facebook page the dealership’s handling of a sales event intended to promote a new car model and posted mildly mocking photographs that included his coworkers;
- Employees posted on Facebook about the employer’s failure to withhold state income taxes, resulting in the employees’ receiving payment demands from state tax authorities.
In all of these cases, employees posted on their own Facebook page, on their own time, and using their own equipment.
When viewed as a group, these cases have a common thread that provides substantial insight into how the Board analyzes social media cases. Most importantly, the subject matter of each of these posts related to the terms and conditions of employment, the exercise of rights conferred by the NLRA, or other matters traditionally considered “protected activity” under the Board’s precedent. The topics included: (a) preparation for a discussion with management about employees’ job performance and the employer’s staffing levels; (b) the right in a unionized workplace to union representation during an investigatory interview by the employer; (c) conduct by the employer (a sales event) that could have an impact on employees’ compensation (their sales commissions); and (d) the employer’s administration of income tax withholdings.
Of equal significance, in each of these situations, the General Counsel concluded that employees were collaborating, otherwise known as “concerted activity.” In the first case, the employee was seeking assistance from coworkers in preparation for a discussion with management. In the second case, the employee was discussing supervisory actions with coworkers who were her Facebook friends. In the third case, the employee was expressing the sentiment of his coworkers about the sales event. In the fourth case, employees were sharing concerns about the employer’s failure to withhold state income taxes. None of these cases could be said to involve individual gripes.
While the fulcrum of these cases is the General Counsel’s determination that the disciplined employees were discussing protected subject matters and doing so in concert with their coworkers, there is one other common thread that can help employers weigh risks when deciding whether an employee’s social media post justifies discipline. In each of the cases, the offending Facebook post was either the culmination of an on-going dispute with the employer or the continuation of a pre-existing conversation among employees. In contrast to these fact patterns, the Facebook posts discussed in our previous blog entry and upon which the Division of Advice relied to justify discipline were relatively spontaneous and had no real history behind them.
Profanity Generally Will Not Justify Discipline for Protected Concerted Activity
According to the General Counsel, the offending Facebook posts in these cases included “swearing and/or sarcasm,” use of a “short-hand expletive,” and references to management personnel as an “asshole” and a “scumbag.” Nonetheless, in each case, the General Counsel concluded that the employer’s termination violated the NLRA.
The General Counsel’s analysis in these cases seems to give employees a license to curse. In finding that an employee did not lose the NLRA’s protections after calling her supervisor a “scumbag,” the General Counsel relied on the following facts: (a) “the Facebook posts did not interrupt the work of any employee because they occurred outside the workplace and during nonworking time;” (b) “the comments were made during an online employee discussion on supervisory action;” (c) “the name-calling was not accompanied by verbal or physical threats;” (d) “the Board has found more egregious name-calling protected;” and (e) “the employee’s Facebook postings were provoked by the supervisor’s unlawful” conduct.
In social media cases, the first three or four factors listed above typically will be present. Thus, the Board effectively is telling employers that they must have a thicker skin when it comes to employees’ raunchy social media posts.
Disclaimers and Carefully Crafted Policies Are Critical
Throughout the August 18, 2011, Memorandum, the General Counsel identified social media policy provisions that the General Counsel deemed overbroad and in violation of the NLRA. At first blush, these determinations are portentous for employers because employers routinely include the challenged provisions in their social media policy. However, the August 18, 2011, Memorandum suggests — at least implicitly — how employers can retain these commonly used policy provisions without running afoul of the NLRA.
The list of policy provisions found to be overbroad is lengthy but worthy of repetition. The list includes the following:
- Inappropriate Discussions: Prohibition against “inappropriate discussions about the company, management, and/or coworkers;”
- Defamation: Prohibition on any social media post that “constitutes embarrassment, harassment or defamation of the [company] or of any [company] employee, officer, board member, representative, or staff member;”
- Disparagement: Prohibition against “employees making disparaging comments when discussing the company or the employee’s superiors, coworkers and/or competitors;”
- Privacy: Prohibition on “revealing, including through the use of photographs, personal information regarding coworkers, company clients, partners, or customers without their consent;”
- Confidentiality: Prohibition on “disclosing inappropriate or sensitive information about the Employer;”
- Contact Information: Prohibition on “using the company name, address, or [related] information on [employees’] personal profiles;”
- Logo: Prohibition on using “the Employer’s logos and photographs of the Employer’s store, brand, or product, without written authorization;”
- Photographs: Prohibition against “employees posting pictures of themselves in any media . . . which depict the Company in any way, including company uniform [or] corporate logo.”
Removing all of the prohibitions described above would eviscerate most social media policies. Fortunately, such drastic action does not appear to be necessary.
In finding these rules unlawful, the General Counsel emphasized not only their overbreadth (i.e., “the [rules] utilized broad terms that would commonly apply to protected criticism of . . . terms and conditions of employment”), but also that “the rule[s] contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.” This italicized language suggests that the rules quoted above will not violate the NLRA as long as the policy contains a disclaimer which explicitly informs employees that the policy will not be construed or applied in a manner that improperly interferes with employees’ rights under Section 7 of the NLRA.
The General Counsel also provided some guidance for policy drafting by rejecting challenges to several other policy provisions. One upheld policy, for example, provided that “no employee could ever be pressured to ‘friend’ or otherwise connect with a coworker via social media.” The General Counsel reasoned that this policy was “sufficiently specific,” “clearly applied only to harassing conduct,” and could not be read to prohibit employees from friending for purposes of engaging in activity protected under the NLRA.
In a second example, the General Counsel approved of a policy that required employees to “maintain confidentiality about sensitive information” and to direct all media inquiries to the company’s public affairs office after stating that the employee was not authorized to comment. The General Counsel determined that this policy did not violate the NLRA because it was intended only “to ensure a consistent, controlled company message,” was not a blanket prohibition on all contact between employees and the media, and “did not convey the impression that employees could not speak out on the terms and conditions of their employment.”
These examples suggest that an employer can increase the likelihood that its social media policy will survive the NLRB’s scrutiny if the policy emphasizes the legitimate purposes that it seeks to achieve, such as protecting the employer’s good will and brand reputation. In addition, restrictions in the policy on employees’ social media conduct should, where practicable, be narrowly tailored to meet those legitimate objectives.
-
Telework – The Crisp New Term for "Working from Home"
Posted on August 22nd, 2011
The Guide to Telework in the Federal Government informs and provides guidance on the Telework Enhancement Act of 2010, which was signed into law on December 9, 2010. The Act establishes baseline expectations for the federal telework program and is a key factor in the federal government’s ability to achieve greater flexibility in managing its workforce. The Telework Guide is an understandable roadmap for other employers to the future of a remote and plugged-in workforce, while complying with the myriad of laws that govern the traditional workplace.
The Telework Enhancement Act of 2010 defines "telework" as a work flexibility arrangement under which an employee performs his or her duties and responsibilities from an approved worksite other than the location from which the employee would otherwise work. The fundamental principle of the telework program is clear: telework is not an employee right. Federal law requires agencies to establish telework programs, but does not give individual employees a legal right to telework. Importantly, the Telework Guide states that telework may not be used as a substitute for dependent care [the Guide specifically states that it may be used as a reasonable accommodation], and that employee participation in telework is voluntary.
Telework is primarily an arrangement established to facilitate the accomplishment of work. Private employers, like federal agencies, retain the discretion and obligation to determine employee eligibility for telework subject to business-related needs. For private employers this guide is a gem; it provides guidance on the policies and procedures that the federal government considers necessary to address the risks and rewards of a remote workforce.
With respect to privacy and information security, the Telework Guide provides guidance on the proper handling of confidential information and training on appropriate safeguards for customer and employee information. The Telework Guide states, under the section entitled “Safeguarding Information and Data,” that “[e]mployees must take responsibility for the security of the data and other information they handle while teleworking.”
Interestingly, the basis of the work relationship is a “Telework Agreement.” Each eligible employee authorized to telework enters into a written agreement with his/her supervisor which includes an interactive telework training program provided to eligible employees and their managers. The program must be successfully completed by employees before entering into the written telework agreement.
Private employers will benefit from the guidance provided in The Telework Guide. Although the Guide applies only to federal employers, there are strong parallels between telework in the private and public sectors, particularly when it comes to safeguarding sensitive customer and employee information.
-
When Can Employers Lawfully Fire an Employee for an Offensive Facebook Post? Ask the NLRB
Posted on August 1st, 2011
Ever since the National Labor Relations Board (NLRB) filed a complaint, last November, against ambulance service provider AMR for firing an employee who had called her supervisor a “mental patient” on her Facebook wall, employers have been forced to ask themselves the following question: Do I really need to worry that the NLRB will knock on my door every time I discipline an employee for an obnoxious or offensive Facebook post related to work? Until two weeks ago, there was no easy answer to that question. The AMR case and virtually all of the other “Facebook cases” initiated by the NLRB had either settled or had not yet resulted in a published decision. Then, last month, the NLRB’s Office of General Counsel issued three Advice Memoranda in rapid succession that provide at least some guidance for employers trying to navigate the intersection of social media and labor law.
Two of the Advice Memoranda draw the same bright line rule: an employee who communicates about work through Facebook but only with family or friends cannot invoke the protections of the National Labor Relations Act (NLRA) to avoid dismissal. In one of these two cases, an employee of a residential home for homeless individuals with significant mental illness posted facetious comments about residents on her Facebook wall. Only a personal friend responded to the Facebook posts, and none of the employee’s coworkers were her Facebook friends. The General Counsel concluded that the employee’s Facebook posts were not protected because the employee was merely communicating with personal friends about work. In addition: (a) her posts did not relate to the terms or conditions of employment; (b) the employee did not discuss her posts with coworkers, and no coworkers responded to them; and (c) the employee was not seeking to induce collective action and her posts were not an outgrowth of collective concerns.
The second case was a slightly tougher one. There, a bartender complained through Facebook to his step-sister about his employer’s policy barring him from sharing in tips given to servers even though the bartenders helped to serve food. The General Counsel concluded that the bartender could not rely on the NLRA to reverse his firing, even though the post related to the terms of employment, for the same reasons that the employee of the residential home could not do so – the employee did not discuss his post with coworkers and the employee was not seeking to induce collective actions.
The third case provides the most useful guidance, drawing the line between individual gripes (unprotected) and collective activity (protected). In that case, the employee made the following comments about her store’s Assistant Manager:
I swear if this tyranny doesn’t end in this store, they are about to get a wakeup call because lots are about to quit.
* * * *
[Assistant Manager] is being a super mega puta! Its retarded I get chewed out cuz we got people putting stuff in the wrong spot and then the customer wanting it for that price . . . . I’m talking to [Store Manager] about this shit because if it don’t change [Company] can kiss my royal white ass.
The General Counsel concluded that the employer could lawfully fire the employee because the posts expressed only an individual gripe, i.e., the employee’s own “frustration regarding his individual dispute with the Assistant Manager over mispriced or misplaced sale items.” The General Counsel also concluded that the responses to the posts by the employee’s coworkers did not convert these individual gripes into collective action because those comments reflected the coworkers’ understanding that the employee was speaking only on behalf of himself. One coworker laughed (“bahaha like!”); one coworker asked why the employee was so “wound up;” and a third expressed only emotional support (i.e., “hang in there”).
In each of the three Advice Memoranda, the General Counsel referred to the same or similar legal standards. These standards also provide useful guidance and include the following:
- Protected: When the employee “acting with or the authority of” coworkers (a) “seeks to initiate, induce or prepare for group action,” or (b) “brings truly group complaints to the attention of management.”
- Protected: The employee’s activities are “the logical outgrowth of concerns expressed by the employees collectively.”
- Unprotected: The employee is engaging in activity “solely by and on behalf of the employee himself.”
- Unprotected: The employee’s comments are “mere griping” as opposed to “group action.”
While these guidelines and the Advice Memoranda obviously do not address the full range of Facebook conduct that intersects with the workplace, they do at least provide some guideposts for employers when deciding whether to discipline or fire an employee based on his or her obnoxious or offensive Facebook post.
-
EEOC Holds Meeting on Use of Arrest and Conviction Records During Hiring Process
Posted on July 27th, 2011
On Tuesday, July 26, 2011, the Equal Employment Opportunity Commission (EEOC) held its latest meeting on the topic of protections for job applicants with arrest and conviction records under Title VII of the Civil Rights Act of 1964. The full Commission heard remarks from the panelists related to three areas: "Best Practices From Employers," "An Overview of Local, State and Federal Programs and Policies" and "Legal Standards Governing Employers' Consideration of Criminal Arrest and Conviction Records."
Although for the past few years the EEOC has renewed its focus on the hiring process, including Title VII protections for ex-offenders, the current Commissioners (Jacqueline Berrien, Stuart Ishimaru, Constance Barker, Chai Feldblum and Victoria Lipnic) have not indicated whether the EEOC will update its 1987 Policy Statement on the Issue of Conviction Records under Title VII, and did not do so at the July 26 meeting. As a result, it remains important for employers who may be the target of disparate impact claims or charges challenging their conviction-based screening policies to: (1) understand the current state of the case law; and (2) continue to closely monitor developments at the federal, state and local levels in this dynamic area of the law.
To learn more about the EEOC's meeting on employers' use of criminal arrest and conviction records during the hiring process, and the potential implications for employers, please continue reading Littler's ASAP, The EEOC's Priorities Still Include Regulating the Use of Criminal Records by Employers, by Rod Fliegel and Barry Hartstein.
-
Connecticut Law Restricts Employer Use of Credit Reports
Posted on July 25th, 2011
Effective October 1, 2011, employers in Connecticut will face new restrictions on the use of credit reports regarding current or prospective employees as a result of the recent enactment this month of Connecticut Public Act 11-223. In enacting the new law, Connecticut becomes the sixth state limiting employers' use of credit reports, following Hawaii, Washington, Oregon, Illinois, and Maryland. Similar laws are pending in several other states and at the federal level. The Equal Employment Opportunity Commission (EEOC) is also conducting related investigations and pursuing at least one disparate impact claim based on the use of credit reports. Thus, employers who use credit history information to inform hiring or personnel decisions in states that have enacted credit check laws should review their policies for compliance, and employers everywhere should continue to monitor developments in this evolving area of the law. To learn more about the Connecticut law and its implications for employers, please continue reading Littler's ASAP, Use of Credit Reports by Employers Will Soon Be Restricted in Connecticut, by Rod Fliegel and William Simmons.
-
Two Recent Decisions Illuminate for Employers the Broad Contours of ADA Confidentiality vs. the Narrow Boundaries of HIPAA Privacy
Posted on July 22nd, 2011
Ever since the HIPAA Privacy Rule first went into effect for larger health plans in April 2003, HR professionals and in-house employment counsel often warn of the proverbial “HIPAA violation” when discussing employee medical information. However, one recent federal decision demonstrates that the greater risk for many employers is a violation of the ADA’s confidentiality requirement, which can protect even false information disclosed by an employee to an in-house physician. The second recent decision highlights a critical limitation on the ADA’s broad confidentiality requirement.
The first case arose out of General Dynamics’ decision to terminate the employment of Guillermo Blanco (Blanco) for failing to disclose his Attention Deficit Hyperactivity Disorder (ADHD) when he responded to the company’s post-offer, pre-hire Medical Surveillance History Questionnaire. According to Blanco’s complaint, the in-house physician with whom Blanco discussed his post-employment request for a reasonable accommodation accused Blanco of failing to disclose his ADHD on the medical questionnaire. Blanco further alleged that the in-house physician discussed Blanco’s allegedly false responses to the questionnaire with management in General Dynamics’ Labor Relations Department. Blanco claimed that General Dynamics terminated his employment as a result of the disclosure.
Notably, the case did not involve an alleged HIPAA violation at all. Although in-house physicians are health care providers as defined by the HIPAA Privacy Rule, they are not “covered” health care providers required to comply with the Privacy Rule. Only providers who use HIPAA-mandated electronic codes to bill insurance companies and government welfare programs for services are subject to HIPAA. Because virtually all in-house physicians are paid a salary and do not bill for their services, HIPAA does not apply to them, contrary to common misconceptions of HIPAA’s scope.
The ADA’s confidentiality requirement, by contrast, does apply to in-house physicians. The ADA requires that employers separately file employees’ medical information and maintain it as confidential. The ADA carves out only three narrow exceptions to the confidentiality requirement. Employee medical information may be disclosed to managers to the limited extent necessary for them to accommodate an employee with a disability or otherwise be made aware of work restrictions, to first aid and safety personnel who need to know about a disability that might require emergency treatment, and to government officials responsible for enforcing the ADA.
The court in the General Dynamics case read the ADA’s confidentiality requirement to apply not only to disclosures to third parties outside the company (except in the limited circumstances described above), but also to intra-corporate disclosures. More to the point, if the complaint’s allegations turned out to be true, the in-house physician would have violated the ADA because her disclosure of Blanco’s medical information was not necessary for managers in General Dynamics’ Labor Relations Department to accommodate Blanco or to address a work restriction, and the other two exceptions obviously did not apply.
The General Dynamics decision is particularly remarkable because the court held that the ADA protects even false medical information provided by an applicant or employee to an employer. The court explained its reasoning as follows:
The ADA clearly protects the confidentiality of Mr. Blanco’s response [to the medical questionnaire] if truthful, and the ADA still protects its confidentiality if not. In other words, there is no prevarication exception to the ADA’s confidentiality mandate for employment entrance examinations, much less for information the company doctor perceives is inaccurate. It is the information, accurate or not, that the statute protects.
(emphasis supplied). While the court acknowledged that this ruling could be troublesome for employers, such as General Dynamics, whose employees operate heavy machinery or are exposed to workplace hazards made even riskier by a disability, the court concluded that it was bound to apply the ADA’s plain language and leave the policymaking to Congress.
The second recent decision establishes a critical limitation on what might otherwise seem like a boundless protection in light of the General Dynamics case. In the second case, Thrivent Financial for Lutherans (Thrivent) had hired a temporary IT consultant, named Messier, through Omni Resources (Omni). When Messier, a typically reliable employee, was “no-call, no-show” for work, Thrivent asked Omni for an explanation. Messier’s manager at Omni sent Messier an e-mail asking him to call because he “need[ed] to know what’s going on.” Messier responded with a lengthy e-mail to both his Omni and Thrivent managers, explaining that he had missed work because of a severe migraine and providing them with a lengthy explanation of his medical history related to migraines. The Thrivent manager later disclosed this information to a reference check company hired by Messier who suspected the Thrivent manager of re-disclosing his medical information. The EEOC, taking up Messier’s cause, sued Thrivent for violating the ADA’s confidentiality requirement.
The critical dispute between the parties revolved around whether the ADA protected Messier’s medical information in the first instance. The EEOC took the position that the ADA protects any health information provided by an employee in response to an employer-initiated inquiry, such as the inquiry by the Omni manager into the reason for Messier’s absence. Thrivent responded that the ADA protects only information that an employee is required to provide in response to a permissible medical examination or disability-related inquiry, such as a mandatory post-offer, pre-hire medical examination or a request for medical documentation to support a request for an accommodation. Because Messier had volunteered health information in response to the Omni manager’s generalized inquiry into the reasons for Messier’s absence, the ADA did not apply.
The court rejected the EEOC’s broad reading and adopted Thrivent’s narrower construction. The court reasoned as follows:
[A]n employee’s disclosure is voluntary if the disclosure is not preceded by any request or demand for medical information by the employer. Which party initiates the conversation that leads to a disclosure is not relevant; which party initiates or requests the employee’s actual disclosure of medical information is determinative.
Applying this standard to Omni’s inquiry, the court concluded that the ADA’s protections did not attach to Messier’s medical information because Omni had not asked Messier for medical information and Messier could have been absent from work for a “vast number of reasons” unrelated to his health.
HIPAA was not a factor in this case because information received by an employer in its capacity as employer is not subject to HIPAA’s protections. HIPAA applies only to individually identifiable health information created or received by or on behalf of the employer in its capacity as the administrator of a HIPAA-covered plan. Such plans are limited to group health, dental, vision, long-term care, pharmacy benefits, health care reimbursement flexible spending accounts, and employee assistance programs.
This pair of cases provides important guidance for employers on the boundaries of the ADA’s confidentiality requirement. They also reveal, by negative implication, the relatively narrow boundaries of HIPAA’s privacy protection in the employment context. Employers who have not developed policies and procedures for handling employee medical information not protected by HIPAA should consider doing so to ensure that in-house medical staff, HR professionals and managers understand when the ADA protects employee medical information, how that information may be lawfully used, and to whom it may be lawfully disclosed.
-
"Social Checks" Come of Age: What Does It Mean for Employers?
Posted on July 11th, 2011
Last month, the Federal Trade Commission (FTC) published a letter closing its investigation into whether an “Internet and social media background screening service used by employers in pre-employment background screening” complied with the Fair Credit Reporting Act (FCRA). At first blush, the letter appears to be a non-event. The FTC did not impose a penalty but also admonished that its “action is not to be construed as a determination that a violation may not have occurred.” While not much can be drawn from this equivocal result, the FTC’s letter does contain the following important conclusion: the “social check” service in question, known as Social Intelligence, “is a consumer reporting agency because it assembles or evaluates consumer report information that is furnished to third parties that use such information as a factor in establishing a consumer’s eligibility for employment.” Put into plain English, employers that rely on a social check service, like Social Intelligence, to search social media for information about job candidates must comply with the FCRA.
This conclusion likely will have an impact on a substantial number of employers. According to a recent study by the Society of Human Resources Management (SHRM), more than 50% of employers are relying on social media for recruitment purposes, up from 34% in 2008, and another 20% plan to use social media for recruiting in the future. The SHRM study does not address the percentage of employers that conduct these searches exclusively in-house, in which case the FCRA would not apply, as compared to those that rely on a third-party service, in which case the FCRA likely would apply. However, the fact that the social check space is beginning to fill with new enterprises, like Social Intelligence, suggests that the number of employers that are relying on third parties to conduct social checks has grown significantly.
When the FCRA does apply, employers will need to take the following steps vis-à-vis any applicant who is the subject of a social check. First, review the notice and authorization currently provided to applicants before more traditional background checks are conducted to ensure that those documents encompass social media searches. Second, ensure that applicants who may be eliminated from consideration based in whole or in part on the results of a social check receive a pre-adverse action notice which provides the applicant with the report received by the employer, the FTC’s “A Summary Of Your Rights Under the FCRA,” and an opportunity to dispute the apparently adverse information with the service provider which ran the social check. Third, upon rejecting the applicant, send a final adverse action notice to the applicant containing the language required by the FCRA.
These legal compliance requirements are straightforward enough, but they, and in particular, the pre-adverse action notice requirement, highlight vexing practical issues: What social media information should be reported in the first place? Is the information relevant to the hiring decision? Is the information reliable? There can be no question that social media posts may contain information that employers may not lawfully consider when vetting an applicant, such as disability, protected and lawful off-duty conduct, or genetic information. There also can be no question that social media posts often contain information that warrants rejection of a candidate. According to a recent study by the Society of Corporate Compliance and Ethics, more than 40% of respondents had disciplined an employee based on his or her social media conduct. However, these two groups of information set only the polar extremes; employers still must determine what, if anything, will be reported concerning the vast range of social media content falling in the middle and how they will fairly evaluate that information. Social Intelligence, for example, notes on its Web site that its customer set-up tools leave to the employer responsibility for “defining screening filters (for evaluating individuals) and redaction criteria (for censoring information).”
Reliability is another critical issue for employers using social media to evaluate job candidates. In the case of more traditional pre-employment screening, the nature of the information itself engenders a higher probability, albeit not certainty, that information is accurate. Court systems, educational institutions, and employers, for example, have an inherent interest in maintaining accurate records for their own legitimate business purposes. By contrast, social media are replete with false, doctored, and biased information about others. Social Intelligence suggests a solution to this issue by noting on its Web site that it reports “only information the applicant has created himself.” However, completely eliminating social media information posted by third persons arguably reduces the effectiveness of a social check to some extent. Perhaps more importantly, social media posts apparently created by the author can be forged. I have recently counseled clients on two separate occasions where employees denied having posted on their Facebook wall negative information about the employer or co-workers, credibly claiming that others had stolen their log-in credentials or hacked into their account.
The absence of any inherent reliability in most social media information emphasizes the importance of providing applicants with a pre-adverse notice even when there is no legal obligation to do so. Employers easily could lose potentially outstanding employees by relying on social media content that is false, misleading or inaccurate. Even if apparently adverse information turns out to be accurate and true, the applicant’s explanation of that information could demonstrate maturity and honesty as opposed to evasiveness and bad character.
With use of social media for hiring becoming increasingly common, human resources professionals and in-house employment counsel need to scrutinize their organization’s use, or potential use, of this new tool and answer several challenging questions. Most importantly, how should social checks supplement more traditional means of vetting applicants’ credentials and pre-employment screening for adverse information? What types of information does the organization need and how will that information be weighted? Next, will the information be gathered through in-house resources or an external service provider, such as Social Intelligence? If the latter, how will FCRA compliance be worked into the social check process? Finally, particularly given the newness of social checks, employers should evaluate them at least annually with one key question in mind: Have the social checks improved the effectiveness of the organization’s hiring process and the quality of new hires?
-
Location, Location, Location: Recent Developments in "GeoPrivacy" and the Impact on the Use of GPS in the U.S. Workplace
Posted on July 5th, 2011
Ever since revelations in May that smartphones track the location of their users, location privacy has been a red hot issue in virtually every forum — except the U.S. workplace. Just last week, for example, the U.S. Supreme Court agreed to review a federal circuit court decision (covered by our blog when decided last August), holding that the federal government’s warrantless use of 24/7 location tracking for more than a month violated the Fourth Amendment rights of a criminal suspect. The Wall Street Journal dubbed June 15, 2011, “location privacy day on Capitol Hill” after two bills were introduced to limit the use of location data by industry and by law enforcement. And, in the European Union, the Article 29 Working Party, which is responsible for providing guidance on the application of the European Union Data Protection Directive, recently published its “Opinion 13/2011 on Geolocation Services on smart mobile devices.” While none of these developments directly implicate the U.S. workplace, U.S. employers should closely monitor the location privacy debate, particularly given their increasingly common reliance on GPS-enabled smartphones and vehicles to track employees.
The European guidance is especially noteworthy for multi-national employers. Although this guidance, as its title suggests, deals almost exclusively with tracking consumers, the guidance contains a short section—which received scant public attention—that squarely addresses tracking employees. The guidance explains that it is unlawful for employers in the E.U. to track their employees unless “it is demonstrably necessary to supervise the exact locations of employees for a legitimate [business] purpose.” Even then, continuous monitoring generally is impermissible, and employees must be able to turn off location tracking during non-work hours. The guidance also discourages employers from using vehicle tracking devices to monitor the behavior of employees by, for example, recording the vehicle’s speed.
Given this guidance, multinational employers should closely scrutinize the nature and scope of any location-tracking program before implementing it in the European Union.
The U.S. Supreme Court’s decision next term in U.S. v. Maynard also could have an impact on U.S. employers. As we explained in our blog post on the D.C. Circuit’s decision that is subject to Supreme Court review, a ruling that law enforcement’s 24/7 use of surreptitious location tracking violates the Fourth Amendment arguably could be used to support a claim against employers that engage in 24/7 location tracking without notice to employees. The rationale for such a decision likely would be that continuous tracking establishes a pattern of activity over a period of time which reveals private information about the target of the tracking, such as whether the person is a recovering alcoholic as reflected by regular visits to Alcoholics Anonymous meetings, is considering pregnancy as suggested by weekly trips to a fertility clinic, or is having an extra-marital affair. Despite the distinctions between Fourth Amendment standards and the elements of the common law tort of invasion of privacy, this rationale likely would apply with equal force in the common law context.
Finally, while the Congressional activity to date has focused on consumer privacy, it would not require a substantial leap in legislative drafting to extend the coverage of these bills to location tracking of employees. Alternatively, state legislators, taking the cue from Congress, might implement state-specific requirements, which could result in an unwanted patchwork of requirements for multi-state employers.
While U.S. employers currently are subject to virtually no regulation when tracking employees, the keen focus on the issue in Europe, in the criminal context, and in the consumer sphere very well may spill over to the U.S. workplace. Employers that use, or that are considering using, location tracking in their workplaces should continue to monitor these developments closely.
Photo credit: binabina
-
Some Smoke Clears in Washington: State Supreme Court Holds Employee Has No Claim After Being Terminated for Medical Marijuana Use
Posted on June 15th, 2011
On June 9, in Roe v. TeleTech Customer Care Mgmt (Colo.), LLC, the Washington State Supreme Court held that the state’s Medical Use of Marijuana Act (MUMA): (1) does not prohibit an employer from discharging an employee for medical marijuana use or provide a civil remedy for such a discharge; and (2) does not “proclaim a sufficient public policy to give rise to a tort action for wrongful termination for authorized use of medical marijuana.” Like the decisions in Ragingwire (pdf) in California, Emerald Steel Fabricators in Oregon, and Columbia Falls Aluminum Company (pdf) in Montana, which we discussed here, here and, most recently, here, TeleTech gives wide berth to employers that discharge employees who use drugs.
Washington voters adopted the MUMA in 1998. It provides an affirmative defense to a physician authorizing the use of medical marijuana and to qualified patients and caregivers engaging in the medical use of marijuana who are accused of marijuana-related crimes in Washington. The law expressly provides that employers are not required to accommodate “any medical marijuana use in any place of employment….” In 2007, MUMA was amended to clarify that employers are not required to accommodate any “on-site” use of medical marijuana in the workplace.
Roe, who used a pseudonym in the case because use of medical marijuana remains illegal under federal law, had debilitating migraine headaches. Conventional treatments did not alleviate the pain, but marijuana did. In June 2006, a physician issued her a written authorization under MUMA to use marijuana for medical purposes, which she did. In October 2006, TeleTech, a business outsourcing company, hired Roe as a customer service representative. Roe’s job offer was contingent on a negative drug test. She informed TeleTech of her use of medical marijuana outside the workplace and subsequently failed the drug test, and the company fired her.
Roe filed suit against TeleTech, asserting that the company terminated her employment in violation of MUMA and wrongfully discharged her in violation of public policy. The trial court granted summary judgment in TeleTech’s favor, and the Washington Court of Appeals upheld the decision.
The Washington Supreme Court affirmed. Roe first argued that TeleTech violated the MUMA itself. But the court held that the Act unambiguously provided only an affirmative defense to a criminal marijuana charge, not a civil claim against an employer. The court explained that if the employer was not required to accommodate on-site medical marijuana use, it was not required to accommodate medical marijuana use off site, as Roe was asking it to do. Finally, the court noted that the fact that Roe used marijuana at home without being impaired in the workplace was irrelevant because regardless of Roe’s ability to do her job, the statute did not confer on her a right to sue her employer.
Roe then argued that even if TeleTech had not violated MUMA, the court should recognize a civil tort claim for wrongful termination in violation of public policy based on her discharge. Quoting MUMA, she urged that the public policy proclaimed by the law was that “the medical use of marijuana by patients with terminal or debilitating illnesses is a personal, individual decision.” But the court held that the language of the MUMA “do[es] not recognize a broad policy that would remove any impediment to medical marijuana use or impose an obligation that employers accommodate such use, and that Washington patients have no legal right to use marijuana under federal law.”
Along with Ragingwire and Steel Fabricators, the TeleTech decision is the third in a string of appellate victories for employers in cases involving the termination of employment of employees for use of medical marijuana, whether or not on site and whether or not the employee is impaired during work. But any sigh of relief by employers may be premature:
- In the future, Washington medical marijuana users may seek to bring claims based on a recent change in MUMA that was not argued in Roe. Less than two months ago, Washington amended MUMA to provide expressly that the law does not require any accommodation of an employee’s medical marijuana use if the employer has a drug-free workplace policy. In the future, the revised statute may render illegal the discharge of employees terminated for medical marijuana use by an employer lacking such a policy. Employers that do not have drug-free workplace policies should consider implementing them to avoid falling prey to such a claim in the future.
- The highest courts in only 4 of the 15 jurisdictions (14 states and the District of Columbia) that have medical marijuana laws have ruled on any of the questions at issue in TeleTech. Courts in other states may reach contrary conclusions under their own laws. Some states, like Colorado, enshrine their medical marijuana law in the state constitution, a source of law that employees are likely to assert is deserving of greater deference than a statute.
- Stay tuned because any federal law developments may change the legal landscape in state courts. Medical and other use, possession and distribution of marijuana continues to violate federal law. New legislation recently introduced in Congress, if it ultimately becomes law, is likely to change this. If that happens, many states are likely to follow suit, creating new challenges for employers in addressing employment issues raised by the use of medical marijuana by prospective or current employees.
- There are other issues employers may confront even if state medical marijuana law does not create any employer liability for discharge for use of medical marijuana, for example:
  - Disabilities, serious health conditions, and genetic information of which the employer becomes aware because an employee discloses them in describing use of medical marijuana;
  - Government contracts requiring employers to observe drug-free workplace requirements; and
  - Occupational safety and health issues involving workers who use medical marijuana.
- Even wary employers may find their drug-free workplace policies jeopardized by managers who sympathize with colleagues who use medical marijuana. Such managers may create liability if they are insufficiently or inconsistently committed to enforcing their employer’s drug-free policies.
The long-term legal effects of medical marijuana in the workplace continue to be hashed out in elections, legislatures and courts. But at least for now, the Washington Supreme Court’s decision in Roe helps clear the air for employers in that state to exercise substantial discretion in enforcing their drug-free workplace rules.
For additional analysis on this development, see Littler ASAP "Washington Supreme Court Blunt in Ruling: No Claim for Wrongful Discharge Under State's Medical Use of Marijuana Act” by Dale L. Deitchler and Daniel L. Thieme.
Photo credit: Sebastien Roche-Lochen Photography
-
Employer Challenges to Developing and Enforcing Social Media/Web 2.0 Policies
Posted on June 10th, 2011
I was recently interviewed by Nymity on the dozen top challenges for employers when developing and enforcing social media/Web 2.0 policies. Part I of the interview [pdf] addresses the following questions:
- Online Background Checks: What are the risks? What are practices that should be curtailed? How can a company gain the benefits of the tools, and minimize those risks?
- Customer-Facing Company Sites: Such sites and other customer-facing tools and techniques can build a brand overnight. How does a company avoid the issues and gain the brand lifting benefits?
- Individual Employee Sites for Business Purposes: Who “owns” these sites, such as LinkedIn contacts and Facebook fan pages? Must an employee establish a new account for their work with a company? What are the best practices in these situations?
- Internal Company-Sponsored Sites: What is special about these that require policy statements or recommendations? Can these sites really be a problem?
- Employees Off-Duty Social Media Activity: We’ve discussed social media activity for work purposes, what about employees’ off-duty social media conduct. What are the risks there and how should employers address them?
- Disciplining Employees Based On Off-Duty Social Media Activity: There seems to be much confusion over when employers can discipline employees for their off-duty social media activity. What are the key risks to avoid? What are the best practices that can be adopted to avoid what types of risks?
I will post Part II when it becomes available.
Photo credit: CrackerClips
-
Massachusetts Extends Reach of Data Protection Regulations
Posted on May 18th, 2011
By Ellen Giblin
The first anniversary of the effective date of 201 CMR 17.00 went by with little fanfare, then came the Final Judgment by Consent (“Judgment by Consent”) stating that a Boston-based restaurant chain engaged in “unfair or deceptive practices, in violation of Massachusetts General Laws c. 93A, §2” by accepting credit and debit cards from customers at its bars and restaurants after a known breach, yet failing to take reasonable steps to protect the personal information obtained from its patrons as required under 201 CMR 17.00.
In support of its decree, the Judgment by Consent lists basic data security measures that the company failed to implement: (a) failing to change default usernames and passwords on its point-of-sale computer system, (b) allowing multiple employees to share common usernames and passwords, (c) failing to properly secure its remote access utilities and wireless network, (d) continuing to accept credit and debit cards from customers after the company knew that its systems were compromised but had not yet been secured, (e) storing payment card personal information in clear (i.e., unencrypted) text on its servers, and (f) failing to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).
Although the Massachusetts Data Security Regulations, 201 CMR 17, do not mention PCI DSS, the Judgment by Consent listed the company’s failure to comply with PCI DSS as a basic flaw in its data security measures. The Judgment by Consent in this incident serves as a warning that companies that accept Payment Cards from Massachusetts residents should include PCI DSS compliance in their data protection strategy. Beyond that, the Judgment by Consent demonstrates the commitment of the Massachusetts Attorney General to enforcing the Data Security Regulations.
What does this mean to my company?
The Judgment by Consent has far-reaching consequences for businesses that collect personal information about Massachusetts residents. The regulations apply to any organization in retail, banking, health care, general business and every other industry. What’s more, the regulations apply not only to personal information of customers and patients but also to personal information about an organization’s Massachusetts employees. An organization’s Human Resource files, payroll systems, and benefit systems are all covered by these laws and regulations.
What should my company do?
Organizations should take a second look at their data protection strategy to ensure it covers all systems that contain personal information about Massachusetts customers and employees, and confirm through a risk analysis that the strategy is appropriate to the size and scope of the business. If security practices were developed several years ago, evaluate whether the strategy needs to be updated to cover new processes, products or services, or new markets or industries entered since the strategy was initially implemented. Is your organization following through on actually implementing and enforcing its security procedures? For example, employees should not be allowed to share passwords, user access should be limited on a need-to-know basis and removed promptly after an employee is terminated, employees need to be trained on your organization’s information security policies and those policies must be enforced. Policies need to be in writing to meet the data security regulations’ requirements for a Written Information Security Plan, and, more importantly, to ensure your business remains in compliance with PCI DSS and retains the ability to accept credit cards and allow transactions to continue.
What are the consequences of not complying?
The Judgment by Consent is based on a violation of M.G.L. c. 93A, which is Massachusetts’ consumer protection law. That law provides a private right of action against businesses that engage in unfair or deceptive acts or practices and allows consumers to seek treble damages for “willful or knowing violations” and to recover attorneys’ fees. By basing the Judgment by Consent on 93A, the court appears to be signaling that it is open to allowing Massachusetts residents to bring claims under M.G.L. c. 93A as long as they can prove that an unfair and deceptive act or practice (failure to comply with 201 CMR 17 or other data security regulations) caused them harm. This is new risk exposure for businesses that fall under other data protection regulations, such as HIPAA, that do not provide a private right of action.
Photo credit: dra_schwartz
-
New Maryland Statute Further Complicates Patchwork of "Credit Privacy" Laws
Posted on May 12th, 2011
When Maryland enacted its law (pdf) restricting the use of credit history for employment purposes on April 12, 2011, it became the fifth state – joining Hawaii, Illinois, Oregon, and Washington – to enact a credit privacy law. Maryland’s law transforms what was a mildly complicated compliance challenge for multi-state employers into an expanding morass. With credit privacy bills currently pending in more than twenty states, multi-state employers should expect that it will become increasingly difficult to establish company-wide policies on the use of credit history for employment purposes.
The core issue for employers who use credit checks for employment purposes (other than financial institutions which are carved out from each of the laws) is the scope of the exception to the general prohibition against using credit checks for employment purposes. At first blush, there appears to be uniformity because all five states permit employers to use credit checks for employment purposes when the check is “substantially related” to the applicant’s or employee’s job responsibilities.
The crux of the problem is the near total discordance over how “substantially related” should be defined. To begin with, the laws in Washington and Oregon provide no definition at all of “substantially related.” Oregon’s Bureau of Labor and Industry (BOLI), by regulation, defines “substantially related” to mean that an essential function of the job requires access to financial information, but the regulations do not define the term “financial information.” Illinois’ law also permits credit checks for positions that “involve access to . . . financial information.” However, it is not clear whether the access must be an essential job function (as is the case in Oregon). Furthermore, Illinois narrowly defines “financial information” to mean “non-public information on the overall financial direction of an organization, including, but not limited to, company taxes or profit and loss reports.” At least as of now, employers have no way of knowing whether Oregon’s BOLI intended to define “financial information” more broadly than Illinois’ legislature.
Three states — Hawaii, Illinois, and Maryland — consider credit checks on managers or supervisors to be “substantially related” to employment, but the commonality ends there. Illinois’ law applies only to managers whose job involves “setting the direction or control of the business.” Maryland’s law appears to sweep more broadly, applying not only to those with authority over the business but also to those with authority over “a department, division, unit, or agency of a business.” Hawaii’s similar exception is even more expansive, encompassing not only the direction setters included in the Illinois and Maryland laws, but also those who have authority to “hire, transfer, suspend, lay off, recall, discharge, assign, reward, or discipline other employees” as well as those who “adjust grievances.”
As a third example, only Maryland and Illinois define “substantially related” to include positions that involve access to certain categories of sensitive information, but those categories differ between the two states. Maryland’s law includes the “personal information ... of a customer, employee, or employer,” whereas Illinois’ law includes “sensitive information of a customer or client of the employing organization,” but not of an employee. In addition, Maryland defines “personal information” to mean Social Security number, driver’s license number, financial account number, or Taxpayer Identification Number. By contrast, Illinois defines “sensitive information” to mean information that “the employer entrusts only to managers and a select few employees; or that is stored in some repositories not accessible by the public or low-level employees.” Similarly, both laws define “substantially related” to encompass positions involving access to trade secrets and other confidential business information, but the two laws define “trade secrets” and “confidential business information” differently.
Not surprisingly, there also is no consistency among these laws in terms of their remedial schemes. Maryland’s law appears to permit only the filing of an administrative complaint and the imposition of a $500 penalty for the first violation and a $2,500 penalty for repeat violations. The remaining four states permit individuals to file an action in court. However, in Hawaii and Oregon, monetary damages are limited to no more than two years’ back pay, whereas Illinois and Washington permit an award of all actual damages caused by the violation.
Starting to pull your hair out? Just wait until a few of the pending bills are enacted into law. Although no one can predict exactly what those laws will provide, they ineluctably will broaden and deepen the credit check quagmire that Hawaii, Illinois, Maryland, Oregon, and Washington already have managed to create. Perhaps intentionally, the states are effectively forcing multi-state, and especially national, employers to address the fundamental question: Do the benefits of credit checks for employment purposes warrant the compliance burden? Given the difficulty of effectively using credit checks for employment purposes – as explained in our article entitled, “Incipient Legislative Trend Toward ‘Credit Privacy’ Compels Restraint in the Use of Credit Checks for Employment Purposes,” (pdf) BNA's Privacy & Security Law Report, Vol. 9, No. 27, (July 5, 2010) – for many employers the answer likely will be “no.”
-
The Latest from the NLRB on Social Media
Posted on May 2nd, 2011
The National Labor Relations Board created a stir in late 2010 by filing an unfair labor practice charge against ambulance company, AMR, for firing an employee who, among other things, called her supervisor a “mental patient” in a Facebook post read by many co-workers. As it turns out, the “Facebook case” was just the beginning of what appears to be a trend by the Board, subsequently joined by unions, to restrict employers’ ability to promulgate and enforce social media policies that, in the Board’s view, impinge on employees’ rights under the National Labor Relations Act. Several recent developments provide a window into the Board’s intentions.
Last week, the NLRB’s Hartford Regional Director, who was responsible for filing the Facebook case, provided useful information about the Board’s intentions, both in comments and in handout materials, while speaking on a panel for the Connecticut Bar Association. Below are some of the highlights:
- Protected Concerted Activity: In a discipline case, the Board will take a very broad view when deciding whether the employee’s social media activities constituted “protected concerted activity” under the NLRA. The Regional Director’s handout states, “It doesn’t take much to establish the concerted nature of the discussion, so long as it involved or touched upon a term or condition of employment,” and “anything short of physically threatening activity will likely be protected.”
- Recent Cases: The NLRB continues to be active in the area. The handout provides four examples of recently filed complaints, or threatened complaints, involving social media in addition to the case against AMR. These cases show just how broadly the Board construes “protected concerted activity.” They involved, according to the handout, negative comments about a supervisor posted on Facebook, a posted cartoon video about a dispute between two departments, a Facebook discussion about the employer’s withholding of taxes, and a Facebook discussion about the employer’s decision to fill an open position with an outside, rather than an inside, applicant.
- Disclaimers: The Hartford Region will consider a disclaimer when evaluating whether an employer’s social media policy violates the NLRA. According to the Regional Director, the disclaimer should become more specific as the policy becomes broader and more general. For policies that are narrow and easily understood, a disclaimer that the policy is not intended to violate the NLRA may suffice. For broader policies that employees might reasonably believe apply to protected concerted activity, the Region will require a disclaimer which states either that the rule does not apply to “discussions or activities involving your terms and conditions of employment” or that the policy does not apply to “discussions and activities involving your wages, hours and working conditions.” Notably, the Regional Director stopped short of taking the position that to be effective a disclaimer must specifically mention union activity, as another NLRB region recently insisted.
- Litigation Strategy: In the AMR case, the Region subpoenaed online posts of AMR supervisors in an effort to obtain evidence that they made comments about their subordinates similar to the comment that the fired employee had made about her supervisor. In addition, the Region repeatedly told the fired employee to stop posting on Facebook while the litigation was pending (but she ignored the request).
In a development that could resonate beyond social media, the Regional Director also revealed that the Regions, at the direction of the Board’s Acting General Counsel, are filing complaints to set the stage to reverse the Board’s December 2007 decision in Register Guard. In that case, a Republican-dominated Board held that an employer can lawfully impose a broad ban on employees’ use of the corporate e-mail system for solicitations and other non-business reasons as long as the policy on its face does not discriminate against union activity and is enforced in a non-discriminatory manner. A reversal of Register Guard could severely crimp employers’ ability to regulate employees' social media activity while using corporate electronic resources.
In another recent development, the NLRB’s Acting General Counsel added social media to the list of subjects in which he is taking particular interest. While there was virtually no commentary or explanation accompanying this development, it likely reflects that the Board is pursuing a uniform, nationwide strategy on social media.
In a third development in April, the Board threatened to file a complaint against Thomson Reuters for allegedly disciplining an employee based on a Twitter post. The employer had invited employees to post on a corporate-sponsored Twitter feed their thoughts on how the company could be made the best place to work. An employee who also is the Newspaper Guild’s representative tweeted, "One way to make this the best place to work is to deal honestly with Guild members." The Board appears to take issue with the fact that, in response to the post, the employee’s supervisor called to remind her about the company’s policy prohibiting employees from posting content that would damage the company’s reputation. According to a report in the New York Times, an NLRB source stated that the Board viewed this call as potentially having a chilling effect on the employee’s exercise of her rights under the NLRA. On May 2, 2011, it was announced that Thomson Reuters and the Newspaper Guild reached a tentative settlement of their disagreements, heading off an NLRB complaint. If a complaint had been filed, it would have been the first NLRB action based on a Twitter post.
What should employers do?
There can be no question that the Board appears to want to take the law in a direction that will open social media to virtually unfettered use by employees to communicate about work conditions, defined very broadly. However, employers should also recognize that social media buzz (including blogs like this one), press releases, and unproven allegations may be prematurely persuading employers to loosen social media policies that were drafted before the AMR case. As far as we are aware, there has not been a single fact-finding hearing to date in a case where an employee was disciplined for social media conduct, let alone a published decision by even an administrative law judge. The actual limits on an employer’s ability to regulate the use of social media by its employees are still to be developed and refined by the NLRB and by the federal appeals courts that will review its decisions.
Given this uncertainty, employers should continue to watch developments in the area closely, consult counsel before imposing discipline based on social media activity, and review their social media policies. If the policy contains any provision that could be read to limit employees’ ability to communicate about the terms or conditions of employment while using the employee’s own resources during non-working hours, strongly consider adding a disclaimer to the policy. The content of the disclaimer should vary depending upon the nature of the policy. A starting point would be a disclaimer to the effect that the policy will not be applied in a manner that improperly interferes with employees’ rights under the National Labor Relations Act. A more robust disclaimer might be advisable depending upon the breadth of the policy, whether the employer already is unionized, and the degree to which the employer, or the employer’s industry, has been the focus of organizing activity.


