-
Managing Employees’ Use of Personal SmartPhones and Tablets for Work
Posted on April 26th, 2011
A recent article in the Wall Street Journal aptly identified several challenges that employers face when they allow employees to use their personal smartphones and tablets for work. The article, entitled “So You Want To Use Your iPhone For Work? Uh-Oh. How The Smartest Companies Are Letting Employees Use Their Personal Gadgets To Do Their Jobs,” notes several steps employers are taking to reduce privacy and information security risks. These steps include the following: (a) requiring that employees enable passwords, (b) sending a “kill command” to wipe business information from a lost or stolen device, and (c) walling off sensitive data into an “encrypted container.” While these steps are all useful, they comprise only a partial list of the critical issues employers should consider before permitting employees to use a personal device for work.

Below are seven key steps that employers should consider taking before allowing employees to use a personal device for work:
1. Demand the Installation of Adequate Malware Protection: Personal devices may be used for activities — such as peer-to-peer file sharing, viewing pornography, or downloading games — that increase the risk of infection by malicious software. Yet personal devices typically will not have protections against malicious software that are nearly as effective as those loaded on a company-issued device. As a result, the risk that the corporate network will be infected with malware can increase materially if inadequately protected personal devices are connected to the corporate network. One solution is to require that employees install an approved malware protection package on any personal device that will be connected to the corporate network, and to verify that it is present and current before the device is allowed to connect.
2. Get Consent Before Sending a Kill Command: The Journal article noted that it is illegal in South Korea and in China to send a kill command to an employee’s personal device. Although no U.S. court has yet addressed this specific issue, sending a kill command to an employee’s personal device without the employee’s prior consent runs the risk of violating the federal Computer Fraud and Abuse Act and state computer trespass laws. These laws generally prohibit unauthorized destruction of information stored on someone else’s computer. To avoid potential criminal and civil liability under these statutes, employers should obtain written consent to send a kill command to any personal device that is reported lost or stolen.
3. Get a Release Before Sending a Kill Command: Kill commands typically will wipe not only sensitive corporate information but also the employee’s personal collection of music, videos, photographs, books, and more. That collection often is backed up. If it is not, however, the employer could be facing a significant bill to replace the employee’s electronic library. To avoid such claims, employers should obtain a release from employees for any damage to personal files deleted by a kill command.
4. Prepare Ahead of Time for a Potential Security Incident: A lost or stolen personal device containing personal information, such as employees’ or customers’ Social Security numbers or credit card numbers, could trigger security breach notification obligations. Sending a kill command will not necessarily permit employers to avoid statutory notification obligations, because a sophisticated thief might be able to access personal information on the device before the kill command is activated, or might simply keep the device off the network so that the command never reaches it. Requiring that employees enable encryption on a personal device, when available, should eliminate the need for security breach notification because of the “encryption safe harbor” found in most security breach notification laws; that safe harbor generally applies only if the encryption key was not also compromised, which is one more reason to insist on a device passcode. If encrypting the employee’s personal device is not feasible, the employer should at least require immediate reporting to its security incident response team of any loss or theft of a personal device used for work. In addition, all employees using a personal device for work should be provided with the contact information needed to immediately notify appropriate personnel of the loss or theft.
5. Get Consent to Access the Personal Device for Legitimate Business Purposes: Employers who permit widespread use of personal devices for work almost inevitably will need to access employees’ personal devices during the course of employment. Access may be necessary for a workplace investigation or to implement a litigation hold. Unlike with company-issued devices, the employer has no inherent right to access an employee’s personal device, even for a legitimate business purpose. Employers therefore should obtain written consent to such access when the device is first approved for work use, and should notify employees up front that their refusal to comply with a reasonable and legitimate request for access to information stored on a personal device could result in discipline up to and including termination of employment.
6. Amend Your Organization’s Electronic Resources Policy to Address Monitoring of Personal Devices: Corporate electronic resources policies commonly speak only in terms of the corporate computer network and company-issued equipment. As a result, a court likely would find that warnings in an electronic resources policy that employees should have no expectation of privacy have no impact on employees’ privacy expectations with respect to information stored on their personal devices. Yet when an employee connects a personal device to the corporate network, that device likely will be subject to the same invasive monitoring practices as company-owned devices, exposing the employer to privacy-based claims. To reduce this risk, the corporate electronic resources policy should be modified to warn employees that the policy applies with equal force to personal devices that are connected to the corporate network.
7. Think About How Your Organization Will Retrieve Business Information When Employment Ends: Having a cache of confidential business information on a personal device provides one of the easiest vehicles for misappropriating trade secrets. Upon termination of employment, the employee can misappropriate simply by keeping his or her personal device. To reduce this risk, employers should consider incorporating a review of the information stored on an employee’s personal device used for work into the standard exit interview process. For hostile partings, sending a kill command may be the only feasible way to prevent misappropriation of trade secrets. However, without the consent and release noted above, that action could strengthen the hand of a hostile former employee in pending or threatened litigation with the employer.
-
Is it Really Illegal to Require an Applicant or Employee to Disclose her Password to a "Friends-Only" Facebook Page?
Posted on March 8th, 2011
By Philip Gordon.
Recently, the American Civil Liberties Union of Maryland tried to publicly embarrass the Maryland Department of Public Safety and Correctional Services (the “Maryland Corrections Department”) into suspending its practice of asking job applicants to disclose their Facebook password so that the Department could check whether the applicant’s wall or stored e-mail revealed any connection to criminal activity. According to a letter dated January 25, 2011 (pdf), sent by the ACLU to the Maryland Corrections Department, this practice “is illegal under the federal Stored Communications Act (SCA), 18 U.S.C. §§2701-11 and its state analog, Md. Courts & Jud. Proc. Art., §10-4A-01, et seq.” The ACLU’s contention is inaccurate.

Both of the cited statutes prohibit unauthorized access to electronic communications stored at an electronic communications service provider. Even assuming that these statutes apply to content stored on Facebook’s servers (and that point is far from settled), the Maryland Corrections Department did not gain “unauthorized” access to applicants’ Facebook pages. Rather, the Department would access information on Facebook only after the applicant authorized such access by providing the Department with the applicant’s password.
The true core of the ACLU's position is the following assertion contained in its January 25, 2011 letter: “[T]here can be little question but that forced ‘authorization,’ such as that demanded of [the applicant by the Maryland Corrections Department], is not proper authorization under the SCA, given the disparate bargaining power of the employer and employee or applicant.” While rhetorically appealing at first blush, this argument assumes too much, especially with respect to applicants.
Applicants are not “forced” to provide authorization. The Maryland Corrections Department emphasized that applicants could refuse to provide their password and may still be eligible for a position. But, even if the Department’s practice were to require disclosure of the password, an applicant who does not want a prospective employer to view his “friends-only” Facebook page would have the choice to refuse the request and hope to get the position or seek employment elsewhere. Indeed, if the ACLU’s contention were correct, then the millions of authorizations for pre-employment background checks and drug screens that have been executed by applicants since those forms of pre-employment investigations became routine also would be invalid.
Notably, the only case cited by the ACLU in support of its position — Pietrylo v. Hillstone Restaurant Group, 29 IER Cases 1438, 2009 WL 312420 (D.N.J. 2009) — involved an employee, not a job applicant. Thus, a court likely would not hold that an employer who gave an applicant a choice between being disqualified from consideration for a position or disclosing her Facebook password violated the federal Stored Communications Act by using the self-disclosed password to access the applicant’s restricted Facebook page.
Of course, there are other reasons why employers should carefully evaluate the practice, not least of which is avoiding the media spotlight that the ACLU often can attract to an issue, as it did in the case of the Maryland Corrections Department. Accessing an applicant’s restricted Facebook page increases the likelihood that an employer will obtain information, such as family medical history (i.e. “genetic information”) or an undisclosed disability, upon which an employer could not lawfully rely in making an employment decision. Employers also need to consider whether and to what extent information obtained from a medium the very purpose of which is to socialize (rather than to build one’s resume) bears any relevance to the hiring decision. Finally, the employer could gain a bad reputation among potential applicants who — however wrongly — believe the employer is acting unlawfully.
The ACLU’s reference to the Pietrylo case and the purportedly “disparate bargaining power between employers and employees” does raise the important question whether an employer who receives a Facebook password from an employee in response to a request gains “forced authorization” to a restricted Facebook page. In Pietrylo, which we have covered in an earlier blog post, an employee admitted at trial that she gave her password to a restricted MySpace page to the management-level employees who accessed the page and were accused by two other employees of violating the federal Stored Communications Act. The employee also testified that she subjectively feared “something bad might happen to her” if she did not disclose her password. The court found this testimony was sufficient to support the jury’s finding that the employee’s authorization was invalid, even though there was no evidence that the managers had threatened the employee in any way whatsoever. Notably, the court did not cite a single case, any language in the SCA itself, any legislative history, nor any other authority in support of its holding. Needless to say, the question remains wide open whether the purportedly “disparate bargaining power of the employer and employee” does, in fact, convert any employee’s apparently voluntary disclosure of a Facebook password into “forced authorization.”
Until the question has been definitively answered, employers have a simple—if “low tech”—work around: ask the employee who otherwise would be asked for a password to print screen shots of material posted on the restricted Facebook page. It is remarkable how many “friends” who are offended by a co-worker’s posts on a restricted Facebook page will voluntarily print that information and turn it over to HR or a manager. Because the federal Stored Communications Act makes it unlawful only to gain unauthorized access to an electronic communication stored at an electronic communications service provider, reading a printed version of a restricted wall post does not implicate the Act.
Employers also should note that the jury in the Pietrylo case rejected the plaintiffs’ invasion of privacy claim, a fact that the ACLU does not mention in its January 25, 2011 letter. The jury apparently found that the plaintiffs could not reasonably expect their posts on the friends only MySpace page to remain private when anyone on the friends list could disclose the contents of the page without restriction. This finding is consistent with the common sense proposition that an employee or applicant cannot reasonably expect privacy when sharing information with dozens, or even hundreds, of friends, none of whom are under an obligation of confidentiality.
-
HHS’ One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers
Posted on March 8th, 2011
Two days after announcing its first-ever HIPAA penalty, a whopping $4.3 million imposed against Cignet Health of Prince George’s County, Maryland, HHS announced that a large Massachusetts hospital had agreed to pay $1 million to avoid a penalty proceeding. Although the hospital did not admit liability and did not pay a penalty, the settlement demonstrates how the significant increase in available HIPAA penalties as a result of the HITECH Act’s enactment has provided HHS with substantial leverage when negotiating a resolution of alleged HIPAA violations. HHS’ settlement with the hospital also is important because it suggests that HHS may not be very forgiving in one area of particularly high risk: the physical removal of protected health information (PHI) from a covered entity’s premises.

The incident that ultimately led to the hospital’s $1 million settlement payment was innocent enough. According to the settlement agreement, which is public, and HHS’ press release announcing the settlement, an employee of the hospital’s outpatient practice took home, for work purposes, paper records containing the PHI of 192 patients, including patients with HIV/AIDS. The settlement agreement states that the “documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients.” On her way into work on the subway, the employee placed the documents, bound by a rubber band, on the seat next to her and forgot them there when she exited the train. The records never were recovered.
While HHS does not reveal the negotiations leading to the $1 million settlement amount, the enhanced HITECH penalties likely figured prominently in the discussion. The HITECH Act gives HHS substantial discretion in deciding what constitutes a single violation. In this situation, HHS likely took the position that there were at least 192 violations, one for each patient whose PHI was lost. In addition, HITECH permits HHS to impose a penalty of up to $50,000 per violation capped at $1.5 million annually for the same violation. Thus, the negotiations over the penalty likely centered around where the settlement should fall in the range between $100 per violation (the minimum penalty) and approximately $7,800 per violation (i.e., $1.5 million divided by 192). The negotiations resulted in a settlement amount of approximately $5,200 per violation. The lesson to be drawn is that the HITECH penalty scheme provides HHS with the leverage to negotiate a substantial settlement payment even for incidents involving a relatively small number of individuals. The fact that the lost records revealed an HIV/AIDS diagnosis, highly sensitive information, for at least some of the 192 affected patients also likely had an impact on HHS’ settlement position.
The settlement between HHS and the hospital also reveals, at least implicitly, HHS’ position that it is unacceptable for employees to remove paper or electronic records containing PHI from a covered entity’s physical premises without taking precautions to safeguard those records. More specifically, the settlement agreement requires that the hospital implement policies and procedures aimed at safeguarding any PHI that leaves the hospital’s premises, including the encryption of any laptop or USB drive containing PHI that is taken off-site. In addition, the hospital must: (a) distribute these policies to all members of its workforce; (b) review and, as necessary, update the policies annually; (c) train all employees with access to PHI in the policies; and (d) review the training annually or as necessary.
Employers and providers can take away several lessons from this incident. First, even innocent mistakes that compromise PHI could result in substantial penalties or settlements. Second, covered entities should implement and enforce policies and procedures that restrict the removal of PHI from their premises and that require strict safeguards for PHI, such as encryption, when it is taken off-site. Third, HHS likely will inquire into the training that has been provided to workforce members whenever an incident involves the loss or theft of PHI that was taken off-site. As a result, that training should be thorough, well documented, and updated as necessary to remain consistent with existing policies, new legal requirements, and evolving best practices.
-
The U.S. Supreme Court Holds that Corporations Do Not Qualify for Personal Privacy Exception Under the Freedom of Information Act
Posted on March 8th, 2011
For those who suspect the Roberts Court always sides with business, the March 1 opinion in Federal Communications Commission v. AT&T (pdf) might give them pause.

In this 8-0 opinion, the Court held that the term “personal privacy,” as used in a statutory exception to the Freedom of Information Act (FOIA; 5 U.S.C. § 552), does not apply to corporations. The exception covers law enforcement records, the disclosure of which “could reasonably be expected to constitute an unwarranted invasion of personal privacy.”
The genesis of the case arose seven years ago. In 2004, AT&T was investigated by the FCC for self-reported possible overcharging of the federal government. The company settled the FCC’s investigation at the end of 2004 without admitting liability.

Following the investigation, a private industry group submitted a FOIA request to the FCC, seeking materials produced by AT&T to the Commission in the course of the Commission’s investigation. AT&T opposed the group’s request for information.
The FCC disagreed with AT&T’s position, concluding that the information sought by the industry group (which included AT&T’s cost and pricing data, billing-related information, and identifying information about staff, contractors, and customer representatives) did not constitute materials protected under the exception on the basis of AT&T’s “personal privacy.”
AT&T appealed this administrative decision to the Third Circuit Court of Appeals, which found in AT&T’s favor on the disputed issue. The appellate court noted that the legislative definition of “person” included corporations as well as individuals (5 U.S.C. § 551(2)). Hence, it reasoned, the “personal privacy” referenced in the exception could apply to a corporation as well as an individual, and so a corporation could be entitled to “personal privacy” protection under the language of the statute.
The Supreme Court, in a decision penned by Chief Justice John Roberts, rejected the Third Circuit’s decision and AT&T’s position. Roberts observed that the FOIA, elsewhere in its statutory terms, makes reference to “personal privacy.” The context of those other uses of the phrase makes clear that the right to privacy belongs to a person, not a corporation. The Chief Justice gave examples of other adjectives whose sense did not necessarily jibe with the concept of the noun contained within the adjective: “corny” does not always refer to concepts related to the plant corn. Likewise, “cranky” doesn’t always refer to the mechanical device. Accordingly, contrary to AT&T’s argument, “personal” doesn’t necessarily refer only to the legal definition of a person – which can include a corporation. The opinion continued by observing that courts normally give a phrase under analysis “its ordinary meaning.”
Roberts’ opinion noted that the Court was not considering the scope of a corporation’s “privacy” interests as a matter of constitutional or common law. The only issue in this case was whether the term “personal privacy,” as used in the FOIA, applied to corporations – and the Court concluded emphatically that it did not.
-
Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty
Posted on February 24th, 2011
For the nearly eight years since the HIPAA Privacy Rule went into effect in April 2003, the U.S. Department of Health and Human Services (HHS) did not impose a single civil monetary penalty for HIPAA violations. The story behind HHS’s first penalty — a whopping $4.3 million imposed on February 22, 2011, against Cignet Health of Prince George’s County, Maryland (“Cignet”) — is a playbook on how employers and health care providers should not address HIPAA compliance and should not respond to HIPAA complaints. The tale also provides significant insight into how HHS interprets its power under the HITECH Act to determine the amount of a penalty.
According to HHS’ Notice of Proposed Determination (the “NPD”), to which Cignet did not respond, Cignet’s first mistake was its failure to respond to patients’ requests for access to their medical records. The HIPAA Privacy Rule establishes detailed procedures for handling access requests. The NPD does not identify the total number of patients whose requests went unanswered nor does it reveal why Cignet did not respond. The NPD does disclose that 41 patients filed complaints with HHS. The large number of complaints almost surely was a red flag for HHS.
Furthermore, the large number of complaints resulted in a substantial multiplier effect when HHS calculated the penalty of $1.3 million attributable to this aspect of Cignet’s non-compliance. More specifically, HHS found that each day of failing to respond to a request for access after the required time period had expired was a separate violation for each of the 41 complainants.
What are the take-aways here? First, although to date HHS’s enforcement efforts in the area of information security have received virtually all of the press attention, HHS takes seriously the obligation of covered entities to ensure that plan participants and patients are able to exercise their rights under HIPAA (consisting of the right to receive a notice of privacy practices, the right to access protected health information (PHI), the right to amend PHI, the right to an accounting of disclosures of PHI, the right to request restrictions on the use and disclosure of PHI, and the right to communicate by alternative means or in an alternative location). Second, employers and providers should have written policies and procedures in place so that employees responsible for implementing HIPAA know how to respond properly and in a timely manner to requests to exercise HIPAA rights. Finally, it is never too late to respond to a request. If, for some reason, a covered entity does not timely respond to a request to exercise HIPAA rights, the covered entity can “stop the running of the penalty meter” by responding to the request as promptly as possible.
As the NPD reveals, the lion's share of the penalty imposed on Cignet — $3 million to be precise — resulted from Cignet’s failure to cooperate in HHS’s investigation. HHS’s press release announcing the penalty emphasizes that Cignet did not respond to a letter demand for the complainants’ patient records, did not respond to a subpoena issued by HHS until after a court ordered Cignet to do so, and “made no effort to resolve the complaints through informal means.”
When calculating this portion of the penalty, HHS counted as a separate violation each day from the deadline in the letter demand for producing the complainants’ medical records until the day that Cignet produced the records in response to the court’s order. HHS then multiplied that penalty by 41 for each complainant.
In choosing to impose the maximum penalty of $50,000 per violation for conduct constituting “willful neglect,” HHS noted in the NPD that Cignet’s failure to produce the records sooner had interfered with some complainants’ ability to obtain health care and had forced HHS to seek a court order to obtain patient records that, under the HIPAA Privacy Rule, Cignet was required to produce within 30 days of the request. HHS also noted that Cignet had produced in response to the subpoena medical records of 4,500 patients whose information the agency had not even requested. But for the $1.5 million annual cap in the HITECH Act on penalties resulting from willful neglect, the penalty imposed on Cignet would have exceeded $150 million.
More lessons learned: HHS had not imposed any civil monetary penalties to date, in large part, because the agency has been willing to work with covered entities to resolve complaints informally. When responding to an inquiry from HHS, covered entities should carefully evaluate whether the complaint can be resolved informally. When informal resolution is not possible, covered entities need to carefully toe the line between respectful disagreement coupled with good faith participation in HHS’s formal dispute resolution process and “willful neglect,” i.e., a failure to respond to HHS’s lawful and reasonable demands. An incidental lesson learned from Cignet’s apparent production of every patient record in its possession in response to the subpoena for 41 patient files is the need to scrupulously safeguard the PHI of plan participants and patients whose information is not implicated by the investigation, even when producing PHI to HHS.
The penalty imposed on Cignet is a window into the “worst-case scenario” for covered entities responding to a HIPAA complaint. While the reasons for Cignet’s non-responsiveness remain unknown, the implications could not be more resounding.
-
Settlement in NLRB’s AMR/Facebook Case Contains Message for Employers About Social Media Policies
Posted on February 9th, 2011
The NLRB’s unfair labor practices charge against ambulance service provider AMR was a shot across the bow for employers. The complaint was the Board’s response to AMR’s discharge of an employee who called her supervisor a mental patient in a “friends-only” Facebook post in violation of AMR’s social media policy. However, the Region that brought the complaint also contended that any social networking policy that prohibited disparagement was per se unlawful unless it carved out rights under the National Labor Relations Act (NLRA). That element of the case raised broad concerns for employers throughout the U.S.

The Board’s General Counsel took the unusual step of announcing the complaint’s filing in a press release, setting off a buzz in employment, labor, and privacy law circles about the permissible scope of social media policies. The issue has become a hot one as employers seek to reduce the risk that employees’ off-duty social media activity will damage their organization’s reputation or expose the organization to liability. At the same time, the Obama Board appears to be seeking to expand employees’ leeway to use social media for protected labor activity and to require that employers not use broad policies to undercut concerted activity (in a union or non-union environment) protected by the NLRA.
By issuing a press release (pdf) to announce the settlement of its complaint against AMR, the Board is likely to create the same type of buzz as it created by the press release announcing the complaint. In the press release announcing the settlement, the NLRB highlights those terms of the settlement likely to have the most significant impact on employers drafting or revising their social media policy. More specifically, the NLRB’s press release states the following:
“Under the terms of the settlement, . . . the company agreed to revise its overly-broad rules to ensure that they do not improperly restrict employees from discussing their wages, hours and working conditions with co-workers and others while not at work, and that they would not discipline or discharge employees for engaging in such discussions.”
Importantly, there was no express finding by any administrative law judge or other court that AMR’s policy was “overly-broad,” nor does the NLRB’s press release identify the specific policy language that the Board considered to fit this characterization. However, the press release may be referring to the social media policy language cited in the original NLRB complaint: “Employees are prohibited from making disparaging, discriminatory or defamatory comments when discussing the Company or the employee's superiors, co-workers and/or competitors.”
In light of the NLRB’s pronouncement, employers whose social media policy contains similar language should analyze carefully whether to carve out NLRA rights under that policy through the use of a disclaimer. Before taking disciplinary action based on the policy, employers should also consider whether an employee’s specific social media activity constitutes protected, concerted activity under the NLRA. At the same time, employers should keep in mind that a range of conduct in violation of this type of policy should not be protected by the Act. In addition, the AMR settlement has no precedential value. However, the AMR case appears to signal the current NLRB’s intention to bring claims seeking to protect employees’ social networking activity even if such activity pushes the boundaries of respect and non-disparagement in the workplace.
-
Why Corporate Counsel Should Lose Sleep Over the Federal Wiretap Act
Posted on January 27th, 2011
This article was written by Philip Gordon, and originally appeared in Corporate Counsel Online. Reprinted with permission from ALM Media Properties, LLC.
Once seen only in the shadows of the war against organized crime, the Federal Wiretap Act should now be moving steadily and rapidly toward the top of the corporate compliance checklist. Robust civil remedies, recent court decisions and technological developments have transformed the act's risk profile from a nonevent to a statute worthy of significant attention.

Although principally a criminal statute, the Federal Wiretap Act is unique among privacy laws in that it provides for substantial monetary damages without proof of actual harm.
Under the act, an aggrieved party can recover the greater of actual damages or statutory damages, with statutory damages set at the greater of $100 per day of violation or $10,000, plus punitive damages, attorneys' fees and costs. Comparing recent class action litigation involving security breaches with potential class actions involving the Federal Wiretap Act demonstrates the significantly pro-plaintiff aspect of this remedial scheme.
To date, the vast majority of security breach class actions have been dismissed, or resolved in the defendant's favor on summary judgment, because the plaintiff failed to plead or prove that the security breach at issue proximately caused any cognizable damage to class members.
By contrast, under the Federal Wiretap Act, proof that the violation proximately caused cognizable harm is unnecessary, and each individual plaintiff can recover a minimum of $10,000 even in the absence of actual damages.
The act's robust damages scheme triggers a significant risk profile because businesses can now violate the Federal Wiretap Act much more easily and much more frequently than in the past. The act makes it unlawful intentionally to intercept an oral, wire or electronic communication using an electronic, mechanical or other device.
Courts have consistently rejected claims by employees seeking to apply this statutory language to an employer's review of stored e-mail, holding that an "interception" under the act requires the acquisition of the content of an e-mail contemporaneously with transmission, not in storage. Because e-mail, by its very nature, cannot easily be acquired in transmission, this line of authority seemed to insulate employers from the act's rich remedial scheme.
A recent decision by the U.S. Court of Appeals for the Seventh Circuit, however, has raised the specter of substantial civil liability for unlawful interceptions despite extant precedent in the area. In U.S. v. Szymuszkiewicz, the court affirmed the criminal conviction for Federal Wiretap Act violations of an IRS agent who, unbeknownst to his supervisor, activated the supervisor's Microsoft Outlook "autoforwarding" feature.
As a result, duplicates of the supervisor's e-mail were automatically forwarded to the IRS agent without the supervisor's knowledge or consent. The IRS agent received a sentence of 18 months' probation.
The Seventh Circuit's decision turned principally on whether autoforwarding e-mail constitutes an "interception" as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the autoforwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor's e-mail inbox.
The Seventh Circuit's decision is significant for employers because corporate IT departments commonly use Outlook's autoforwarding feature. IT departments, for example, routinely activate this feature after an employee has left an organization, or when an employee is on an extended leave of absence, so that a supervisor or co-worker can promptly respond to e-mail intended for the employee.
It also is not uncommon for corporate IT departments to rely on "e-mail journaling" to create a duplicate set of outgoing and incoming e-mail for archival purposes. Journaling essentially functions the same as autoforwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party's e-mail inbox.
E-mail journaling is a basic tool of electronic discovery as it permits the automated preservation of e-mail. E-mail journaling is particularly useful for preserving the e-mail of an employee who is unaware that he is the target of an investigation because e-mail journaling eliminates the need for the target of the investigation to be involved in preservation efforts.
Additionally, businesses that rely on a third party to archive e-mail often will rely on autoforwarding to transfer e-mail from the corporate e-mail server to the third party's archive server.
Activating Microsoft's autoforwarding feature is just one way that employers can effectuate an interception of e-mail under the Federal Wiretap Act. Increasingly sophisticated e-mail monitoring programs are capable of capturing e-mail content in real-time.
At least two domestic relations cases, for example, have held that one spouse unlawfully intercepted another spouse's e-mail or Internet chat by installing SpectorSoft software, a commercially available real-time monitoring program, on the other spouse's personal computer. Although statistics are not publicly available, a significant number of corporate IT departments likely have installed SpectorSoft or similar real-time, e-mail monitoring products.
Because consent to an interception by one party to a communication is a defense to liability under the Federal Wiretap Act, employers can reduce the risk of liability by providing employees with notice of the IT processes that constitute an interception and obtaining their express or implied consent.
A recent decision by a Texas federal district court, however, demonstrates that relying on an electronic resource's policy that was drafted without the specific purpose of creating a defense to a Federal Wiretap Act claim could be shortsighted.
In that case, Garza v. Bexar Metropolitan Water District, the employee handbook warned employees that the employer "reserved the right to monitor and access any phone or email messages stored on its voicemail and email systems."
The court rejected the contention that this policy language established the plaintiff-employee's consent to the alleged real-time interception of his telephone calls, reasoning that "[d]efendants did not simply listen to [the employee's] stored voice mail messages; instead, they intercepted and listened to entire telephone conversations."
Following this reasoning, an electronic resources policy that informs employees that they have no reasonable expectation of privacy in their e-mail or that the employer reserves the right to monitor or review their e-mail messages (as most such policies typically do) would not provide a basis for establishing consent to the employer's use of Outlook's autoforwarding feature or the interception of e-mail by a real-time monitoring program, such as SpectorSoft.
Consequently, to provide a more robust defense, an employer should consider revising any such policy to specifically explain how and when the employer will intercept e-mail.
Notably, federal courts will not lightly imply consent to an interception that otherwise would violate the Federal Wiretap Act.
As a result, there remains an open question whether a court would find, for example, that an employee who acknowledged receipt of an electronic resources policy on his first day of employment thereby consented to the interception of his e-mail five or ten years later in the course of the employer's investigation of allegations of sexual harassment. To strengthen its position in this regard, the employer can include notification of e-mail interception in a splash screen each time employees log into the employer's computer system.
Revising the employee handbook and using a splash screen or similar warning may not, however, be enough.
Corporate counsel should encourage IT leaders to communicate routinely how and when the corporate IT department is intercepting employees' e-mail. Corporate counsel can then analyze whether the existing policy provides sufficient notice to establish consent to the interception and, if not, can revise the existing notice or provide individualized notice to targeted employees.
One final caveat: The wiretap laws of 13 states — California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington — provide that consent is a defense to an interception only if all parties to the communication consent.
Employers can satisfy this all-party consent requirement in the context of telephone monitoring by distributing a telephone monitoring policy to their own workforce and notifying incoming callers by automated means that their call will be monitored. In the context of e-mail, however, notifying the sender that his e-mail will be intercepted may not be technically feasible.
To be sure, our research has not uncovered any published decision in any of the all-party consent states upholding a criminal conviction or imposing civil liability for e-mail interception. Nonetheless, the risk remains and should be considered before an organization activates autoforwarding, e-mail journaling or real-time e-mail monitoring software.
-
Supreme Court Permits Background Checks of NASA Government Contractors
Posted on January 21st, 2011 No comments
By Philip Gordon and Katherine Dix
Earlier this week, the United States Supreme Court in NASA v. Nelson (pdf) upheld the National Aeronautics and Space Administration’s (NASA) right to conduct reasonable background checks on the employees of government contractors. While the case focused on the scope of background checks conducted by the federal government, the Court’s ruling provides some useful guidance for private employers as well.
The case arises from NASA’s decision to unilaterally amend its contract with the California Institute of Technology (“Caltech”) — which operates the Jet Propulsion Laboratory (JPL) for NASA — to require that all JPL employees working at JPL undergo broad background checks. In addition to requesting relatively basic background information, the background check asks whether the employee has “used, possessed, supplied, or manufactured illegal drugs” in the last year. If the answer is “yes,” the employee must provide information about “any treatment or counseling received,” which, according to NASA, would be used only as a mitigating factor.
As part of the background check, the government also sends form questionnaires to the employee’s former employers, schools, landlords, and references. The form questionnaire asks whether the reference has “any reason to question” the employee’s “honesty or trustworthiness.” It further seeks “adverse information” about the employee’s “violations of the law,” “financial integrity,” “abuse of alcohol and/or drugs,” “mental or emotional stability,” and “general behavior or conduct.” The questionnaire then provides the reference the ability to provide “additional information” — derogatory or favorable — that may bear on “suitability for government employment or security clearance.”
The Supreme Court reversed the Ninth Circuit’s ruling that these questions violated JPL employees’ constitutional right to privacy. The Court assumed, without deciding, that the Constitution recognizes a “privacy ‘interest in avoiding disclosure of personal matters.’” The Court, nonetheless, found no privacy violation. The Court reasoned that inquiries into drug treatment or counseling were a reasonable follow-up to questions about illegal drug use and noted that these same questions were part of a standard background check used by millions of private employers: “Like any employer, the government is entitled to have its projects staffed by reliable, law-abiding persons who will ‘efficiently and effectively’ discharge their duties. . . . Questions about illegal drug use are a useful way of figuring out which persons have these characteristics.” Similarly, open-ended inquiries about job suitability are, the Court found, a reasonable and effective tool for identifying strong candidates, a tool which is commonly used in the private sector: “The reasonableness of such open-ended questions is illustrated by their pervasiveness in the public and private sectors. In addition, the use of open-ended questions in employment checks appears to be equally commonplace in the private sector.”
The case is noteworthy for private employers because it recognizes the strong interest of all employers in conducting “[r]easonable investigations of applicants and employees” to meet their interests in “the security of [their] facilities and in employing a competent, reliable workforce.” More broadly, the Court's analysis in Nelson, like its analysis in last term's decision in the Quon text-messaging case, assumed that the employees in question had a reasonable expectation of privacy but nonetheless found no privacy violation because the government employer had a legitimate justification for its search and conducted the search in a reasonable manner. This analysis highlights the fact that private employers similarly can avoid liability on privacy-based claims, even when they intrude upon an employee's privacy interests, if the intrusion is for a legitimate purpose and done in a reasonable manner.
For further reading about this development, please see U.S. Supreme Court Holds that Constitutional Privacy Rights Do Not Restrict the Government's Discretion to Background Check Federal Contractors by Rod Fliegel and William Simmons.
-
Upcoming Events on Workplace Privacy Issues
Posted on January 21st, 2011 No comments
Philip Gordon will be speaking at the following events in January and February:
Date: January 25, 2011; 4:00 p.m. – 5:15 p.m. (EST)
Live Event: ACI’s 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information
Location: Hilton Washington Embassy Row, Washington D.C.
Presentation: A Focus on Workplace Privacy: To What Extent May Employers Monitor E-Mail, Social Media Accounts & Texts and Conduct Background Checks of Employees?
More information can be found on the American Conference Institute website.
Date: January 26, 2011; 10:00 a.m. – 11:30 a.m. (EST)
Live Event: ACI’s 16th Annual Conference on Employment Practices Liability Insurance
Location: The Helmsley Park Lane Hotel, New York City
Presentation: Addressing EPL Concerns Arising from Employee and Employer Use of Social Networking/Social Media
More information can be found on the American Conference Institute website.
Date: February 10, 2011; 1:00 p.m. – 2:30 p.m. (EST)
Event: BNA Webinar
Presentation: Criminal and Credit History Checks on Applicants and Employees: New Laws and Tough Everyday Issues
More information can be found on the BNA website.
Image credit: JuSun
-
Eleventh Circuit Ruling Strengthens Employers’ Hand Against Employees who Abuse Access to Information Systems
Posted on January 18th, 2011 No comments
Roberto Rodriguez tried to impress female acquaintances with an almost creepy knowledge of their personal information. He sent flowers on Valentine’s Day to one acquaintance who had never revealed her home address to him and called to wish her a happy half-birthday even though she never had revealed that fact to him either. He sent mail to another female acquaintance at her home address even though she directed all of her mail to a post office box, and he jotted her middle initial on the envelope even though she had not used her middle initial since grade school. He gave a female employee at a restaurant that he frequented a pair of earrings on her birthday even though she had not shared her birthday with him.
What was the source of Rodriguez’ apparent omniscience? Databases at the Social Security Administration (SSA), to which Rodriguez had access as a TeleService representative. In 2008 and 2009, Rodriguez accessed those databases for nonbusiness reasons on hundreds of occasions to view sensitive personal information of more than one dozen women. Rodriguez was a serial violator of an SSA policy that prohibited employees from obtaining information from SSA’s databases without a business reason. Mandatory training on the policy, notices posted in SSA’s office, and daily banners that appeared on Rodriguez’ computer did not stop him. Ultimately, Rodriguez was indicted and convicted for obtaining information from the federal government through unauthorized access to a computer in violation of the Computer Fraud and Abuse Act (CFAA).
Rodriguez tried to escape his conviction on appeal by arguing that he had accessed only databases that he was authorized to access as a TeleService representative. Rejecting this argument, the Eleventh Circuit explained (pdf) that the CFAA outlaws not only unauthorized access to a computer system but also access in excess of authorization. The court reasoned that SSA’s policy established the scope of Rodriguez’ authorized access. By accessing SSA’s databases for purely personal reasons, Rodriguez violated that policy and thus had exceeded his authorized access.
The case is significant because it is the first federal appellate court decision to hold that an employer can use a policy to establish the scope of authorized access for purposes of the CFAA. Private employers have increasingly invoked the CFAA’s civil remedies to support claims against disloyal employees who steal or delete information stored on their employer’s computer system. However, the Ninth Circuit recently created some doubt as to the viability of these claims in LVRC Holdings, LLC v. Brekka. In Brekka, the Ninth Circuit held that an employee did not violate the CFAA by e-mailing to his personal account confidential business information that he was authorized to access even though he did so with the intent of using the information to advance his personal interests. In the Rodriguez case, the Eleventh Circuit distinguished Brekka on the ground that the employer in that case had no policy expressly informing employees that they could not access confidential business information for nonbusiness purposes.
The upshot for employers seems straightforward. Stating in a policy the permissible scope of an employee’s authorization to access information stored on the employer’s computer system should support a CFAA claim in the Eleventh Circuit and possibly would give the employer a leg to stand on in the Ninth Circuit. How the employer would fare in other federal circuit courts is yet to be seen. However, it cannot be gainsaid that having a policy that specifies the permissible scope of access — as well as training employees on that policy and reminding them of it through different forms of notice — would put the employer in a stronger position than having no policy at all.
This entry was written by Philip Gordon and William Simmons.
Photo credit: contour99
-
What Does the "Year of the Tablet" (or of the iPad) Mean for Employers?
Posted on January 13th, 2011 No comments
On the first business day of 2011, the New York Times reported that Apple’s rivals had proclaimed 2011 to be their year to recapture a slice of the computer tablet market, currently dominated by the iPad. Since the iPad’s launch in late 2010, Apple has sold more than 4 million of its tablets; some commentators predict that Apple will sell tens of millions more iPads in 2011. Adding to the flood of tablets into the marketplace — and into the workplace — corporate IT departments are getting into the act. According to a recent report by ChangeWave, only 1% of corporate IT buyers reported in August 2010 that their organization provided employees with a tablet, but that number jumped to 7% in November 2010, and 14% of respondents stated that their organization plans to buy tablets in Q1 of 2011. Even the public sector is turning to the iPad. The Virginia legislature recently purchased 45 iPads for selected legislators and staffers in an effort to reduce the use of paper.
These trends pose serious challenges for corporate HR, Legal, and IT departments that should be addressed — or at least considered — before the “tablet tsunami” hits with full force. To begin with, employees in many organizations — often senior executives who scored an iPad as a holiday present — are clamoring to connect their iPad to the corporate network or are using the iPad for work even if the IT department refuses a connection. In fact, the iPad may represent a turning point in the battle between businesses and their workforce over the use of personal devices to conduct business. According to a November 2010 study by Ovum, approximately 50% of employees already are permitted to connect their personal devices to the corporate network. Because the iPad is so enjoyable and easy to use, that percentage is likely to surge in the next year or two as organizations bow to employee demands to use their personal iPad (or other tablet) for work.
The fundamental problem with the trend toward employee use of personal devices is the organization’s potential loss of control over its information and its information security. Employees, for example, might not take steps, such as activating a log-in screen, to secure their personal devices against unauthorized access. Employees can refuse to permit access to their personal device when the organization needs it to conduct a workplace investigation or to satisfy its e-discovery obligations. As a third example, an employee who loses a personal device may be loath to send a “kill command” (assuming the employee has enabled the ability to do so) out of concern for losing personal files, e-books, music, photos, and video, even if the lost device puts corporate information at risk.
Organizations can try to regain a modicum of control by issuing corporate iPads or other tablets, but that will not solve all of the problems. Anyone who has used an iPad knows that a no-personal use policy would be like telling Adam not to take a bite of the biblical apple. Indeed, according to the Ovum study referenced above, 70% of employee-respondents stated that their organization (apparently bowing to the inevitable) permits them to use company-issued devices for personal purposes. Thus, company-owned tablets likely will have an agglomeration of personal and business documents, complicating searches, electronic discovery, and access to business information when an employee is unavailable.
What issues should HR, Legal, and IT be considering? They include the following:
- How can the organization help its workforce enable the security features of their personal devices to make them more secure?
- Should the organization require employees to load anti-malware software (to the extent available) onto their personal devices to reduce the risk of infecting corporate networks?
- To what extent is information stored on employees’ personal devices encrypted so that the organization can benefit from the “encryption safe harbor” in security breach notification laws if a device is lost or stolen?
- If the personal device is not, or cannot be, encrypted, how will the organization determine the full scope of business information stored on the device to satisfy its breach notification obligations?
- How can the organization arrange to send a “kill command” to an employee’s personal device without violating state and federal computer trespass laws as well as potential liability for destruction of the employee’s digital belongings stored on the device?
- What type of monitoring, if any, will the organization conduct when an employee connects a personal device to the corporate network?
- How will the organization ensure that the monitoring of a personal device, which likely includes substantial information that the employee considers to be private, does not violate applicable privacy laws?
- How will the organization gain access to relevant information stored on the personal device when needed for a workplace investigation, especially where the employee-owner of the personal device is the target of an unannounced investigation?
- Will the organization be responsible for preserving business information stored on the personal device when the organization is sued or threatened with a lawsuit?
- How will the organization collect discoverable information from a personal device while avoiding allegations of invasion of privacy by the employee-owner?
Grappling with these issues in advance — before a personal device loaded with sensitive employee, customer or business information is lost or stolen and before a complaint that a manager propositioned his subordinate through his “mixed-use” personal device is made — will go a long way towards protecting the organization’s interests.
This entry was written by Philip Gordon.
Photo credit: kupicoo
-
Massachusetts Attorney General Reviews 2010 Data Breach and Data Security Regulations Compliance
Posted on January 5th, 2011 No comments
With the first anniversary of the Massachusetts Data Security Regulations, 201 CMR 17 (pdf) (“Regulations”), coming in March, the International Association of Privacy Professionals (IAPP) recently hosted a panel discussion providing direct access to the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation to discuss their investigations to date and their current approach to enforcement. Panelists included Scott Schafer, Chief of the Consumer Protection Division, Massachusetts Attorney General's Office; Shannon Choy-Seymour, Assistant Attorney General, Consumer Protection Division, Massachusetts Attorney General's Office; Jason Egan, Deputy General Counsel, Massachusetts Office of Consumer Affairs and Business Regulation; and Lam Nguyen, Director (Digital Forensics), Stroz Friedberg LLP.
Scott Schafer opened with an overview of the enforcement actions to date and the daily reviews his office conducts. Schafer noted at the outset that the Attorney General’s (AG) current enforcement approach is not audit-based, due to insufficient resources. However, the AG is receiving a daily average of three to four data breach notifications pursuant to Massachusetts General Laws Ch. 93H (the “Notice Law”), and each breach report is closely reviewed. According to Schafer, the AG’s Office is looking for warning signals that may indicate noncompliance with the Regulations and would trigger a detailed investigation. Some of the circumstances likely to trigger a detailed investigation include:
- The reporting entity knew of the breach, but failed to notify affected individuals as required by the Notice Law.
- A Written Information Security Plan (WISP) cannot be produced.
- The WISP is inadequate, or had significant gaps because of a lack of due diligence in the risk assessment process.
- The compromised data was stored or maintained in circumstances not compliant with the “reasonable” security required by the Regulations.
- Unfairness or deception around the purpose for which the data was originally collected.
- Collected data that was subsequently used for purposes not disclosed to consumers, or where the collection itself is not disclosed leading to unfairness or deception to Massachusetts residents.
Shannon Choy-Seymour stated that she typically will ask to review a business’ WISP if the notification of security breach submitted to the AG revealed non-compliance with the Regulations. According to Choy-Seymour, she takes into account the size and scope of the business in question and the sensitivity of the data compromised when deciding whether to ask the business to submit its WISP. The AG recognizes that achieving full compliance may be a longer process for small businesses. In particular, Choy-Seymour stated the WISP must identify who is in charge of the business’s information security program, demonstrate the required risk assessment to create a reasonable plan, and include employee training. Further, “reasonable” steps toward compliance with the relevant policies should be evident, and when in place can reduce the risk of enforcement actions even if full compliance has not yet been achieved.
Businesses should carefully review the data handling and protection practices of vendors. If a business notifies the AG of a security breach caused by a vendor, the AG likely will not subject the business to a full investigation where the business can produce (a) evidence of due diligence conducted by the business before selecting the vendor, or (b) a contract that addresses the vendor’s obligations to protect the security of personal information received from the business.
Scott Schafer advised businesses to notify his office in virtually all cases of a suspected breach. He stated that “[E]veryone should know that not notifying us is the first mistake.”
He pointed out that although encryption can be regarded as a “safe harbor” from the statutory breach notification obligation, that is not the case where the breach also compromised the encryption key, which (according to Schafer) occurs with relative frequency. Schafer pointedly advised that all back-up media tapes should be encrypted and handled with appropriate safeguards while in transit to a vendor for disposal. Further, Schafer opined that encryption algorithms that are unbreakable today are likely to be broken in the near future as computing power continues to increase. If a business relies upon inadequate encryption to justify a decision not to comply with the Notice Law, the AG will view the failure to notify as a violation subject to fine. The AG will assist businesses by reviewing and suggesting revisions to proposed breach notices that must be sent to Massachusetts residents to report a data breach under the Notice Law.
The implementation of the Regulations is still evolving, but the Massachusetts Attorney General's Office and the Office of Consumer Affairs and Business Regulation are taking a collaborative approach to enforcement. They are working with businesses to improve administrative, physical and technical safeguards for personal information of Massachusetts residents and to create and maintain the policies and practices that ensure the protections remain current. Schafer noted in closing that he is in frequent contact with his counterparts in other states and territories with data breach notification laws. He often compares notes on which businesses have given notice of recent incidents. Schafer noted that data breach notifications are public record and are accessible under the Freedom of Information Act.
The AG’s office continues to meet with local Chambers of Commerce and small businesses in Massachusetts to close the gap between education and compliance. Businesses that have the resources and are of medium and large scope and size should not expect the same leniency. Such businesses must have the required administrative, physical and technical safeguards in place and conduct the appropriate risk assessment with respect to their employee and customer information. They also must provide privacy training to their telecommuting workforce subject to the Regulations. Businesses should ensure that they have the necessary policies and risk assessments in place to protect valuable employee and customer information and offer training for employees in the policies that are implemented to safeguard that information.
This entry was written by Ellen M. Giblin.
Photo credit: callum bennetts
-
After Starbucks Laptop Is Stolen, Alleged Victims of Identity Theft Win Pyrrhic Victory
Posted on January 4th, 2011 No comments
In a recent published decision, the Ninth Circuit Court of Appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.
In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and social security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:
- One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of-pocket for credit monitoring services once the free service expires.
- The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
- The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.
In its decision, the Ninth Circuit addressed the issue of whether the plaintiffs had standing to sue Starbucks. All parties agreed that standing requires a plaintiff to show that: (1) he or she has suffered an injury that is concrete and particularized, as well as actual or imminent rather than conjectural or hypothetical (injury in fact); (2) the injury in fact is fairly traceable to the challenged action of the defendant (causation); and (3) it is likely that the injury will be redressed by a favorable decision (redressability).
Starbucks conceded both causation and redressability, so the Ninth Circuit addressed only injury in fact. It noted that the alleged victim of identity theft would have an injury in fact when he or she faces a credible threat of harm. It then held that each of the plaintiffs below had alleged a credible threat of real and immediate harm stemming from the theft of the Starbucks laptop. In so doing, the Ninth Circuit reached a result similar to that of the Seventh Circuit, but contrary to the application of what appears to be a stricter standard in the Sixth Circuit.
In a second, unpublished memorandum opinion issued the same day, the Ninth Circuit held that even if the plaintiffs' allegations were true, they would not support a claim under state tort or contract law. Under Washington law, said the court, “[t]he mere danger of future harm, unaccompanied by present damage,” was insufficient to support a negligence claim. The court then rejected the plaintiffs’ argument that there was an implied contract between the plaintiffs and Starbucks and dismissed both claims.
Although Starbucks ultimately prevailed, this case underscores three practical lessons. First, employers continue to incur attorneys’ fees, litigation and credit monitoring costs, and the imputed costs associated with staff resources that must be devoted to defending against such class action lawsuits. Second, the prospect of having to incur such costs creates a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. Third, the putative plaintiff class included former employees, highlighting the need to extend safeguards to the personal information not only of current employees but also of job applicants and former employees.
This entry was written by Christopher M. Leh and Philip L. Gordon.
-
Third Circuit Clarifies that Bankruptcy Code Does Not Prohibit Employers from Considering Previous Bankruptcies in Hiring Decisions
Posted on December 27th, 2010 No comments
In Rea v. Federated Investors, No. 10-1440 (3d Cir. Dec. 15, 2010), the U.S. Court of Appeals for the Third Circuit weighed in on a timely issue for private sector employers: whether Section 525 of the Bankruptcy Code prohibits a private employer from rejecting job applicants based on a bankruptcy filing. The Third Circuit held that the statute's reach does not extend to the hiring process, and it affirmed the district court's order dismissing the case on the pleadings. The court's decision is plainly favorable to private sector employers with operations in the Third Circuit, but employers still should be mindful of several related legal considerations. To learn more about the decision and its implications for employers, please continue reading Littler's ASAP, Third Circuit Clarifies that Bankruptcy Code Does Not Prohibit Employers from Considering Previous Bankruptcies in Hiring Decisions by Rod Fliegel and William Simmons.
-
FTC Releases Privacy Report Advocating Modified Regulatory Approach
Posted on December 21st, 2010 No comments
Earlier this month, the Federal Trade Commission (FTC) released a preliminary staff report entitled “Protecting Consumer Privacy in an Era of Rapid Change.” The report advocates a regulatory framework that, if adopted, would modify the FTC’s previous approach toward the privacy issues over which it has jurisdiction. If the FTC were to adopt the new privacy framework, employers would need to focus new and greater attention on training their workforce about privacy and instilling attention to privacy into the business process that their workforce is required to execute.
The FTC is empowered to take action against deceptive or unfair acts or practices. It also has authority to regulate privacy issues through enforcement of statutes regarding specific business sectors, including certain financial institutions, children’s online activities, e-mail marketing, and telemarketing. The Commission’s primary role in workplace privacy arises from the Fair Credit Reporting Act (FCRA), which protects consumers’ sensitive credit, insurance and employment information and, for example, requires an employer to obtain written authorizations from job applicants and employees before obtaining background information about them through third parties and to provide notice to applicants if they decline to hire because of that information.
To address privacy issues, the FTC has focused on two regulatory models:
- The notice-and-choice model “encourages companies to develop privacy notices describing their information collection and use practices to consumers, so that consumers can make informed choices.” (Report at iii.)
- The harm-based model “focuses on protecting consumers from specific harms – physical security, economic injury, and unwanted intrusions into their daily lives.” (Id.)
Rather than advocating abandonment of these approaches, the report notes the drawbacks of each one: the notice-and-choice model has led to lengthy privacy policies that are neither read nor understood by consumers; the harm-based model has failed to adequately protect privacy interests that cannot be easily measured in monetary terms, such as reputational harm and the fear of being subjected to unwanted tracking in cyberspace. (Id.) Further, technological advancements have challenged both models:
- Companies can collect, store, manipulate and share consumer data at minimal cost.
- Companies can collect and use consumers’ information in ways that often are invisible to consumers.
- The distinctions between personally identifiable information and non-personally identifiable information have become blurred. Customers are very interested in strong privacy protections. At the same time, however, the free flow of information is critical to providing the goods and services.
The report proposes an alternative, three-part framework for future privacy regulation by the FTC:
- Privacy by Design, an approach in which companies would promote consumer privacy throughout their organizations and at every stage of the development of their products and services. They would build into their everyday practices privacy protections, such as reasonable security for consumer data, collection of only the data needed for a specific business purpose, retention of data only as long as necessary to fulfill that purpose, safe disposal of data no longer being used, and implementation of reasonable procedures to promote data accuracy. (Report at v.) This approach also would include the assignment of privacy officers, privacy training, and internal privacy reviews when new products and services are developed.
- Simplified Consumer Choices. Companies would not need to provide choices to consumers before collecting and using their data for commonly accepted practices such as purchase order fulfillment. But for practices that would result in a material change from a customer’s expected use of personal data, companies would offer the choice at a time and in a context in which the consumer made a decision about providing and authorizing the use of his or her data.
- Greater Transparency in Data Practices. Companies would clarify, shorten and standardize privacy notices, provide reasonable access to the personal data they maintain about a person based on the sensitivity of the kind of data and the nature of its use; provide prominent disclosures; and obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
Whether the FTC will adopt the framework outlined in the preliminary staff report after the public comment period ends on January 31, 2011, is unclear. But if the report is adopted, it likely will be over objection. Two of the five Commissioners issued concurring written statements to the report in which they questioned whether a new or modified model is necessary or desirable.
If the report is adopted, employers would need to consider the following implications:
- Increased Need for Privacy Training for All Employees. “Privacy by design” entails efforts at every level of a business to protect the private information of consumers during the entire data life cycle, from collection to use to transfer to storage to destruction. The population of employees who should receive privacy training likely will expand materially.
- Institution of Privacy Reviews During Product and Service Development. Another implication of “privacy by design” is the need to scrutinize privacy issues during the service- or product-development process. That would necessarily require a broader group of employees with expertise in the area of privacy than most organizations currently have.
- Increased Need for Employee Sensitivity to Private Customer Information at Key Points in Business Transactions. The FTC’s new framework would require a business to give customers “just in time” choices about whether and how to use sensitive data. Automated notices and prompts would help solve some of these issues in online transactions. But with respect to phone or face-to-face transactions, employees would have to be vigilant to both identify those key decision points in business transactions and then respond appropriately.
This entry was written by Christopher M. Leh.
-
Credit Check Lawsuit Signals Potential New Wave of Class Actions
Posted on December 9th, 2010 No comments
Close on the heels of the EEOC’s October 20, 2010, public meeting on the use of credit checks by employers, Loudy Appolon filed a putative class action against the University of Miami and the Leonard M. Miller School of Medicine alleging that the schools utilized credit checks in a manner that discriminates against African American and Latino applicants.The complaint alleges that in 2009, Appolon, an African American, applied for a senior medical collector position with the University of Miami, Miller School of Medicine. She received a conditional offer of employment, contingent on a background check. Prior to beginning her employment — but after she quit her employment with North Shore Medical Center — the University withdrew its offer of employment as a result of her credit report. The credit report on which the University relied contained errors. Appolon corrected the errors with the credit reporting agencies. She also attempted to notify the University of the errors to no avail. According to Appolon, the corrected report showed she had no active credit problems or other problems relevant to the senior medical collector position.
Appolon bases her putative class action on the premise that the University’s use of credit reports in hiring disparately impacts African American and Latino applicants. She postulates that African Americans and Latinos suffer more economic hardships that adversely impact credit ratings, such as job losses and health-related bankruptcies, and that these economic hardships result in significantly lower credit ratings. Hence, Appolon contends that the use of credit reports discriminates against African Americans and Latinos.
Yet, as detailed in our blog post on the EEOC’s public meeting in October, there is a dearth of reliable studies bearing on whether use of credit history in employment decisions has an adverse impact on African Americans or Latinos. Participants at the EEOC’s public meeting noted that African Americans and Latinos do tend to have lower credit scores than Caucasians. However, employers do not receive credit scores as part of a credit history check. Consequently, studies that focus on disparities in credit scores have little to no utility when evaluating whether employers’ use of credit history has a disparate impact on these protected classes.
Appolon further postulates that credit backgrounds do not accurately predict job performance or workplace crime. She alleges that reliance on such information, therefore, is discriminatory because it is not job-related. However, participants at the EEOC meeting also addressed the lack of evidence on this point. Indeed, the meeting participants could not point to a single study that proved or disproved a link between poor credit history and poor job performance and/or workplace crime.
Even in light of the uncertainty over whether the use of credit history reports actually disproportionately impacts any protected class(es), employers should expect that Appolon’s lawsuit will be the first of many. The EEOC has strongly suggested that it will scrutinize the use of credit history reports by employers. Plaintiffs’ class action lawyers likely will be following Appolon’s counsel in response to this not-so-subtle cue. Accordingly, employers should re-evaluate their use of credit history in employment decisions to ensure that they are in the best possible position to defend against this next anticipated wave of employment litigation.
This entry was written by Katherine Dix.
-
10 Tips For Avoiding GINA Violations
Posted on November 29th, 2010 No comments
The Equal Employment Opportunity Commission, on Nov. 9, 2010, published its long-awaited regulations implementing those portions of the Genetic Information Non-Discrimination Act of 2008 (GINA) applicable to employers. GINA prohibits employers from discriminating on the basis of genetic information and generally prohibits employers from acquiring or disclosing genetic information. GINA applies to all employers subject to Title VII of the Civil Rights Act of 1964 and adopts Title VII’s enforcement schemes except that disparate impact claims are not permitted.
Simple as GINA’s general rules might sound, their application to specific factual circumstances can be baffling and counterintuitive. The fundamental challenge for employers lies in the definition of “genetic information,” which is far broader than what common sense would advise, i.e., that genetic information is limited to the results of tests that reveal an employee’s genetic composition or a heightened risk of an inherited disease.
The 10 tips below address those aspects of GINA and the EEOC’s implementing regulations that employers likely will find most challenging and encounter on a recurring basis, and provide practical recommendations on how to handle those challenges.
1) Understand the Definition of “Genetic Information”
As noted above, “genetic information” encompasses far more than the results of a genetic test. Genetic information includes family medical history, and that term is very broadly defined.
Family members include: a spouse; children (natural and adopted); siblings and half-siblings; aunts, uncles, nieces and nephews; grandparents and grandchildren; great- and great-great-grandparents and grandchildren; and first cousins and first cousins once removed. Medical history includes information concerning any disease or disorder that any of these individuals has suffered — whether or not hereditary — as long as the disease or disorder has been diagnosed or the symptoms have sufficiently manifested themselves that the disease or disorder could reasonably be diagnosed.
The fact that an employee’s adopted child has the chicken pox, father was deaf, grandmother died of breast cancer or great-great-grandfather died of gangrene after being shot in the Spanish-American War constitutes “genetic information” under GINA and the EEOC’s implementing regulations.
2) Warn Health Care Providers Not to Share Family Medical History
Doctors are trained to collect family medical history. Employers routinely request from doctors health information about employees, for example, for purposes of evaluating a request for a reasonable accommodation or for leave, or in connection with a workers’ compensation claim. An employer who asks a physician to provide health information about an employee runs the risk of violating GINA’s prohibition against requesting genetic information — even if the employer does not expressly ask for genetic information.
According to the EEOC, employers generally should anticipate that health care providers may disclose genetic information in response to a general request for health information related to an employee. The regulations, however, provide employers with a “safe harbor” if they include in their request to the provider the following instruction found in the EEOC’s implementing regulations (or similar language):
"The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. 'Genetic information' as defined by GINA, includes an individual's family medical history, the results of an individual's or family member's genetic tests, the fact that an individual or an individual's family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual's family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services."
3) Instruct Health Care Providers Not to Take Family Medical History When Conducting a Fitness-For-Duty Exam
The regulations take it one step further when a health care provider is performing a medical examination to determine an applicant’s or employee’s ability to perform a job. These situations would include a pre-hire physical examination of an applicant who has received a conditional job offer, a fitness-for-duty exam of a current employee or an examination to determine whether a current employee poses a direct threat to himself or others. In these circumstances, the regulations require that employers instruct the health care provider not even to collect family medical history or other genetic information.
4) Be Polite But Not Overly Inquisitive
GINA contains an exception to its prohibition against acquiring genetic information for the “inadvertent acquisition of genetic information.” The EEOC’s strained efforts in its regulations to highlight the distinction between unlawful and permissible acquisition demonstrate that most employers will need to provide “genetic etiquette” lessons to their managers.
According to the EEOC’s regulations, managers need not be heartless. They can ask a subordinate recently diagnosed with cancer, “How are you?”, and “Did they catch it early?”, or if the subordinate’s child is the subject of the diagnosis, “Will your daughter be OK?” However, managers who do not cut the conversation short run the risk of crossing the line by asking, for example, “Do you have cancer in your family?”, or “Are you worried that your other children might have cancer?”
In other words, managers will need to distinguish between generalized questions and what the EEOC characterizes as “probing” questions to avoid GINA’s prohibition against acquiring genetic information.
5) Overhear But Don’t Actively Listen
Identifying yet another social pirouette for managers, the EEOC regulations explain that managers who happen to overhear a conversation between employees about genetic information, such as a discussion about their respective families’ history of cancer, do not violate GINA.
However, a manager who “actively listens” to such a conversation does violate GINA. In other words, the regulations implicitly direct managers either to remove themselves from the area where the employees are engaging in the hypothetical discussion or to ask the employees to stop discussing genetic information where the manager can “actively listen” to the discussion.
6) Beware of Social Media
GINA excepts from its prohibition against the acquisition of genetic information the acquisition of genetic information that is publicly and commercially available. Under the EEOC’s regulations, this exception does not apply to the acquisition of genetic information from “social networking sites and online media sources which require permission to access from a specific individual.”
In other words, such sites are not publicly available. As applied to real life, this regulation means that a manager who reads about an employee’s family medical history on the employee’s Facebook page will not be able to invoke the “commercially and publicly available” exception if the employee has set the privacy settings for his or her Facebook page to “friends only,” so that the manager was able to access the page only because the employee previously had accepted a “friend request” from the manager.
Fortunately, the EEOC regulations also state that this manager still could benefit from the “inadvertent acquisition” exception described above. For example, if the employee previously “friended” a manager who happens to view family history on the employee’s Facebook page, that acquisition of genetic information would be considered inadvertent and, therefore, not in violation of GINA.
The same manager might be at risk of violating GINA, however, if the employee’s Facebook wall suggests an ongoing discussion about family medical history among coworkers who are the employee’s Facebook friends. The employees might argue that because the manager could anticipate future posts about genetic information, his or her acquisition was not inadvertent. In short, managers who have social media relationships with subordinates must be wary of collecting too much information (TMI).
7) Tightly Control Access to Genetic Information
Genetic information, when acquired in paper or electronic form, must be placed in a confidential medical file that is separate from the personnel file but could be the same file where other employee medical information is retained. Genetic information received by an employer before GINA went into effect on Nov. 21, 2009, does not have to be removed from the general personnel file if filed there, but it still must be treated as a confidential medical record with access limited to those with a need to know. Managers who acquire genetic information by hearing or reading it are not required to document what they have heard or read, but they are prohibited from using or disclosing the information in a manner that violates GINA.
8) Do Not Disclose Genetic Information in Response to a Subpoena or Civil Discovery Request
Employers routinely receive subpoenas and discovery requests that call for the production of employees’ medical information. GINA and the EEOC’s implementing regulations prohibit disclosure of genetic information in litigation except in response to a court order that specifically calls for its disclosure.
Given the broad and counterintuitive definition of “genetic information,” compliance with this requirement may be easier said than done. For example, an employee’s Family and Medical Leave Act (FMLA) certification for leave to care for the serious health condition of a family member would contain genetic information about the employee if the certification reveals the family member’s manifested disease or disorder.
Given the above, employers should consider a) permitting only designated employees to disclose information in response to a subpoena or discovery request calling for the production of an employee’s medical information, and b) training those employees on how to distinguish genetic information from other types of medical information.
9) Reevaluate Your Wellness Program
The “health risk assessment” (HRA) has become a standard weapon in employers’ battle to reduce the cost of health benefits. To motivate employees to complete an HRA, employers frequently offer financial inducements, such as a cash prize or a reduction in the employee’s monthly premium contribution.
The EEOC’s implementing regulations allow the inclusion in an HRA of questions seeking family medical history (or other genetic information) but prohibit employers from offering any financial inducement to employees to encourage them to disclose genetic information.
Thus, the regulations state that an employer may offer a financial inducement to complete the portion of the HRA that does not request family medical history as long as the HRA explicitly informs employees that they are eligible for the inducement even if they do not respond to the questions that request genetic information.
10) Be Cautious During Corporate Transactions
Neither GINA nor the EEOC’s implementing regulations address corporate transactions, yet both sets of rules pose risks to each side of the transaction. For example, neither GINA nor its implementing regulations contain an exception to the general prohibition against disclosing genetic information that would permit disclosure to a party conducting due diligence in a corporate transaction. Similarly, neither GINA nor its implementing regulations permit an acquiring company in an asset purchase transaction who will offer jobs to the target company’s employees to obtain those employees’ genetic information from the target company.
In fact, the EEOC’s regulations implicitly suggest that the acquiring company in this example should specifically tell the target company not to disclose the genetic information of its employees even if the acquiring company will become their employer. Arguably, the target company could avoid potential liability for disclosing genetic information to the acquiring company by requesting and obtaining each employee’s consent to the disclosure.
Significantly, neither GINA nor the EEOC’s implementing regulations expressly permit disclosure of genetic information with the employee’s consent. Given GINA’s very tight restrictions on disclosure of genetic information, the EEOC may take the position that a disclosure of genetic information even with the employee’s consent violates the act.
Conclusion
Complying with GINA and the EEOC’s implementing regulations will require some significant changes to “business as usual.” Given the difficult distinctions that these rules require employers to draw, employers should consider providing training to all affected employees before the EEOC’s regulations go into effect on Jan. 9, 2011.
This article was written by Philip L. Gordon for Law 360. Reprinted with express permission from the publisher.
Copyright © Portfolio Media, Inc. Content may not be shared or redistributed in any fashion without the express permission of Portfolio Media. For inquiries regarding rights and reprints, please contact reprints@law360.com.
-
Case To Watch: NLRB Challenges Employer’s Termination of Employee Based on Violation of Social Media Policy
Posted on November 4th, 2010 No comments
Labor law attorneys at Littler Mendelson have been predicting for months that the National Labor Relations Board, now dominated by Obama appointees, would take aim at employer policies that could be applied to restrict employees’ use of social media for purposes protected by the National Labor Relations Act. In what appears to be the first shot in an approaching battle, the NLRB’s Office of General Counsel issued a press release on November 2, 2010, announcing that the Board’s Hartford Regional Office had filed a complaint alleging that American Medical Response of Connecticut, Inc. (AMR) violated the NLRA by terminating an employee for posting negative comments about her supervisor on her Facebook page. Continue reading on Littler's Labor Relations Counsel blog.
-
EEOC Meeting Keeps Spotlight on Employers’ Use of Credit History
Posted on November 1st, 2010 No comments
The EEOC’s decision to dedicate its first public meeting in more than a year, held on October 20, 2010, to employers’ use of credit history as an employment screening tool magnified the recent focus of legislators and regulators on that topic. As discussed in several recent posts, four states — Hawaii, Illinois, Oregon, and Washington — have recently imposed significant restrictions on employers’ use of credit history for employment purposes. Similar legislation is pending in more than fifteen states, and federal legislation, which would impose restrictions even broader than existing state laws, is pending in Congress. In light of these legislative developments, the EEOC meeting was particularly significant for two reasons.
First, none of the participants, comprising representatives of consumer and business interests as well as two academics, were able to cite a single study that proved or disproved the existence of a specific link between any particular credit profile and poor job performance or a propensity to engage in dishonest or criminal conduct. In fact, the two academics’ prepared statements emphasized the dearth of empirical data in this area.
For employers, the absence of reliable studies highlights the need to tread cautiously when using credit history to make employment decisions. Jumping to conclusions not supported by empirical data could, for example, result in the rejection of an applicant whose financial difficulties might actually have motivated the applicant to exceed expectations. In addition, the employer could open itself to allegations that its purported reliance on credit history was a subterfuge for discrimination against the rejected applicant.
For legislators, the danger is that they will write into law restrictions on the use of credit history that are far too broad. The recently enacted state laws generally prohibit the use of credit history for employment decisions based on the premise that credit generally is not a relevant factor in employment decision-making subject to certain narrow exceptions, such as jobs involving substantial financial responsibilities. If future studies demonstrate that credit history is a reliable predictor, these exceptions could, in retrospect, be far too narrow. Alternatively, the undeveloped state of the evidence arguably supports an approach, like Washington’s, which prohibits the use of credit history unless “substantially job related” without attempting to define that phrase’s meaning. This approach creates some uncertainty but also leaves room for interpretation by the courts as reliable, empirical data is developed.
The second reason employers should take note of the EEOC meeting is the expressed concern of the EEOC and consumer representatives that employers’ use of credit history has a “disparate impact” on African Americans, Hispanics, and the disabled. The term “disparate impact” connotes a facially neutral policy, such as disqualification of all applicants who have filed for bankruptcy or had wages garnished in the preceding twelve months, that disproportionately excludes from a benefit, such as employment, one or more classes of individuals protected by anti-discrimination laws.
Here again, the EEOC meeting highlighted the absence of reliable studies proving the point one way or the other. Participants in the meeting, for example, cited to studies by the Federal Reserve Board and Fannie Mae showing that African Americans and Hispanics tend to have lower credit scores than Caucasians. However, as representatives of business interests pointed out, the credit bureaus do not disclose credit scores to employers as part of a background check report that includes credit history. Consequently, studies that focus on disparities in credit scores based on race or ethnicity have little or no utility when addressing the question whether employers’ use of credit history has a disparate impact on any protected class.
At bottom, the EEOC meeting appears to be the start of the agency’s effort to scrutinize employers’ use of credit history for employment decisions. That effort likely will have momentum for as long as millions of Americans with damaged credit struggle to find work and provides yet another reason for employers to use credit history cautiously.
This entry was written by Philip L. Gordon.
-
New Littler Blogs: Labor Relations Counsel and Digital Workplace Blog
Posted on October 20th, 2010 No comments
We are pleased to announce two new additions to the Littler blogroll:
Labor Relations Counsel
Brought to you by Littler's Labor Management Relations Practice Group, the Labor Relations Counsel blog targets meaningful legal developments, including appellate court decisions, NLRB and NMB decisions, and administrative rules and regulations. During this time of enormous governmental change and shifts in strategy and style of powerful labor unions, Littler's history and depth of experience in labor relations gives its attorneys a distinctly broad perspective with which to provide insight and useful analysis of the latest developments.
Digital Workplace Blog
The Digital Workplace Blog is a unique collaboration between Littler Mendelson and Stuart N. Brotman Communications, bringing together legal and business minds to address issues arising in the digital workplace. This approach is designed to provide readers with a comprehensive understanding of the issues, with Stuart N. Brotman Communications covering developments from a management perspective, and Littler examining the legal implications of technology in the workplace.
To receive email alerts of new postings, please enter your email address in the Subscribe box on each blog’s homepage.
Photo credit: ideabug
-
New California Law Illustrates Challenges of Background Check Compliance for Employers
Posted on October 19th, 2010 No comments
Background checks seem to be a hot topic in state legislatures these days. In the past six months, for example, several states — including Illinois, Massachusetts, Oregon, and most recently California — have enacted laws bearing upon the process of checking the backgrounds of job applicants and employees. Under the new California law (pdf), effective January 1, 2012, background check authorizations must include the “Internet Web site address . . . where the consumer may find information about the investigative reporting agency’s privacy practices.” This seemingly trivial change is emblematic of the challenges that employers confront in the area of background check compliance.
No case of which we are aware addresses the question whether an employer’s background check procedures must comply with only the law of the state(s) in which the employer is located, only the law of the state where the applicant or employee resides, or both. The question is far from academic. Even employers located in a single state routinely advertise positions on a company-sponsored web site, or through third-party web sites, accessible to applicants in all fifty states. Further, given the high unemployment rate and the general mobility of the U.S. workforce, job applicants for virtually any position could reside in any state.
In light of these factors, the most conservative employer — even if located in a single state — would conduct background screening in a manner that complies with the laws of all fifty states. However, as noted above, state legislatures are enacting new restrictions on, or requirements for, pre-employment background checks at an accelerated rate. In addition to the challenge of remaining up to date with this surge of legislation, employers face the difficulty of generating compliance forms that are not encyclopedic and that applicants of all educational levels can easily comprehend.
Some employers have responded to this compliance challenge simply by relying upon the forms received from their background check company. These employers should keep in mind that background check laws impose compliance requirements on employers themselves, independent of the requirements applicable to background check companies. Consequently, the employer, not the background check company, could be liable if the forms received from the background check company do not comply with applicable law. In addition, background check companies routinely warn their employer-clients that the background check company cannot provide legal advice, so employers should rely on their own legal counsel to vet all forms received from the background check company.
An alternative approach for smaller employers that do not have in-house legal resources and may have limited budget for outside counsel would be to identify the states from which the employer receives the lion’s share of job applications. The employer can then focus on tracking legal developments in those states as well as in the states where it is located. Although this approach would not be foolproof, it should substantially reduce the risk of liability from non-compliant forms, practices, or procedures without sapping resources out of proportion to risk.
Large, multi-state employers who conduct hundreds, if not thousands, of background checks annually may have no realistic alternative, given the potential for class action litigation, to regularly monitoring state legislative activity in this area on a national basis and routinely updating background check forms, practices and procedures to address material changes in the law.
This entry was written by Philip L. Gordon.
-
UPDATE: U.S. Supreme Court’s Decision in NASA Case Could Have Significant Implications for Private Employers
Posted on October 6th, 2010 No comments
NOTE: This entry updates our previous post on October 4, 2010.
Yesterday, the U.S. Supreme Court heard oral argument in a case challenging NASA’s background checks of “low risk” private contractors working at the agency’s Jet Propulsion Laboratory (JPL). At first blush, the case does not appear to be particularly relevant to private employers given that NASA is a public employer and, as the oral argument revealed, the appeal will turn principally on the Supreme Court’s interpretation of the federal constitutional right to information privacy applicable only to public employers. Deeper consideration suggests, however, that the Court’s decision could have significant implications for private sector employers.
The case arises from NASA’s decision to unilaterally amend its contract with the California Institute of Technology (“Caltech”) — which operates JPL for NASA — to require that all Caltech employees who work at JPL (the “JPL employees”) undergo broad background checks. After NASA rejected Caltech’s objections to the background check policy, Caltech adopted a policy — not required by NASA — that all JPL employees who did not successfully complete the background check process and receive a federal identification badge would be deemed to have voluntarily resigned their Caltech employment. The JPL employees sought to enjoin implementation of NASA’s background check policy.
The U.S. Court of Appeals for the Ninth Circuit held (pdf) that NASA’s policy should be enjoined, pending further proceedings, because the JPL employees have a reasonable likelihood of demonstrating that the policy violates their federal constitutional right to information privacy. The appeals court found particularly objectionable questions in NASA’s background check forms that asked (a) JPL employees to disclose “any treatment or counseling received for their [illegal] drug problems,” (b) third parties to disclose “any adverse information” concerning “‘financial integrity,’ ‘abuse of alcohol and/or drugs,’ ‘mental or emotional stability,’ ‘general behavior or conduct,’ and ‘other matters,’” and (c) JPL employees to explain any adverse information disclosed by the third party. The court reasoned that these questions were not narrowly tailored to meet NASA’s legitimate objectives given that the JPL employees did not have access to classified information and, therefore, were classified as “low risk.”
Caltech sought to extricate itself from the litigation by arguing that it could not be held responsible for the apparently unconstitutional background checks because NASA had unilaterally imposed them on Caltech. While the Ninth Circuit expressed sympathy for Caltech’s position in light of its initial objections to NASA’s background check policy, the court ruled that Caltech also could be held responsible for NASA’s apparent constitutional violations because Caltech “established, on its own initiative, a policy that JPL employees who failed to obtain federal identification badges would not simply be denied access to JPL, they would be terminated entirely from Caltech's employment.”
While the oral argument swirled largely around whether a constitutional right to information privacy exists and, if so, what are its contours, several Justices, on more than one occasion, drew a comparison between employment screening by private employers and the questions that the Ninth Circuit had ruled as likely to be unconstitutional. Ironically, these remarks mistakenly suggested that private employers could ask those questions. For example, employers who inquire into an employee’s treatment for substance abuse run the risk of violating the Americans with Disabilities Act’s prohibition against disability-related inquiries where the question is phrased (like NASA’s) so as to require an employee to disclose that he is a recovering or recovered drug addict who does not currently use illegal drugs. In addition, a private employer who requires that an applicant or employee explain “adverse information” concerning that person’s “financial integrity,” “abuse of alcohol and/or drugs,” or “mental or emotional stability” could violate a range of federal and state laws, including the ADA; state laws restricting inquiries into criminal history, such as California’s law prohibiting inquiries into certain minor marijuana-related offenses; and laws recently enacted in Hawaii, Illinois, Oregon, and Washington restricting certain inquiries into an applicant’s credit history. After further analysis, the Court may address these restrictions on private employers in its published decision.
How else might the Supreme Court’s ruling impact private employers?
All Employers: Requests similar to NASA’s request for information about the JPL employees have become increasingly common in the private sector. Organizations seeking to protect their facilities, employees and information assets routinely ask a wide range of vendors to provide background information on the vendor’s employees before permitting them access to premises or sensitive information. Some organizations are conducting their own background checks of vendors just as NASA seeks to do with respect to the JPL employees. Further, like Caltech, vendors often must now confront the question whether to terminate an employee who is denied access to a customer’s site or to reassign that employee to another customer. The Court’s decision — albeit in the context of federal constitutional law — might provide guidance on how vendors should handle this difficult situation in a manner that reduces risk.
California Employers: California has a constitutional right to information privacy that private employees can enforce against private employers. While the federal and California constitutional rights to information privacy do not precisely mirror each other, they are sufficiently similar that, depending upon the outcome in the Supreme Court, California courts might look to the Supreme Court’s decision for guidance on claims where employers themselves have conducted overly intrusive background checks or have assisted their customers in doing so.
Federal Government Contractors: Other agencies of the federal government likely use the same background check forms as those used by NASA to regulate access to agency facilities by “low risk” employees. Federal contractors who, like Caltech, condition employment of “low risk” employees on the issuance of a federal identification badge could be put at risk of liability for violating their employees’ federal constitutional right to information privacy in the same way that Caltech is at risk of liability were the Supreme Court to affirm the Ninth Circuit’s decision.
This entry was written by Philip L. Gordon.
Photo credit: fotosipsak
-
U.S. Supreme Court’s Decision in NASA Case Could Have Significant Implications for Private Employers
Posted on October 4th, 2010 No comments
Later this week, the U.S. Supreme Court will hear oral argument in a case challenging NASA’s background checks of “low risk” private contractors working at the agency’s Jet Propulsion Laboratory (JPL). At first blush, the case does not appear to be particularly relevant to private employers given that NASA is a public employer and the appeal will turn principally on the Supreme Court’s interpretation of the federal constitutional right to information privacy applicable only to public employers. Deeper consideration suggests, however, that the Court’s decision could have significant implications for private sector employers.
The case arises from NASA’s decision to unilaterally amend its contract with the California Institute of Technology (“Caltech”) — which operates JPL for NASA — to require that all Caltech employees who work at JPL (hereinafter "JPL employees") undergo broad background checks. After NASA rejected Caltech’s objections to the background check policy, Caltech adopted a policy — not required by NASA — that all JPL employees who did not successfully complete the background check process and receive a federal identification badge would be deemed to have voluntarily resigned their Caltech employment. The JPL employees sought to enjoin implementation of NASA’s background check policy.
The U.S. Court of Appeals for the Ninth Circuit held (pdf) that NASA’s policy should be enjoined, pending further proceedings, because the JPL employees have a reasonable likelihood of demonstrating that the policy violates their federal constitutional right to information privacy. The appeals court found particularly objectionable questions in NASA’s background check forms that asked (a) JPL employees to disclose “any treatment or counseling received for their drug problems,” and (b) third parties to disclose “any adverse information” concerning “‘financial integrity,’ ‘abuse of alcohol and/or drugs,’ ‘mental or emotional stability,’ ‘general behavior or conduct,’ and ‘other matters.’” The court reasoned that these questions were not narrowly tailored to meet NASA’s legitimate objectives given that the JPL employees did not have access to classified information and, therefore, were classified as “low risk.”
Caltech sought to extricate itself from the litigation by arguing that it could not be held responsible for the apparently unconstitutional background checks because NASA had unilaterally imposed them on Caltech. While the Ninth Circuit expressed sympathy for Caltech’s position in light of its initial objections to NASA’s background check policy, the court ruled that Caltech also could be held responsible for NASA’s apparent constitutional violations because Caltech “established, on its own initiative, a policy that JPL employees who failed to obtain federal identification badges would not simply be denied access to JPL, they would be terminated entirely from Caltech's employment.”
How might the Supreme Court’s ruling impact private employers?
- All Employers: Requests similar to NASA’s request for information about the JPL employees have become increasingly common in the private sector. Organizations seeking to protect their facilities, employees and information assets routinely ask a wide range of vendors to provide background information on the vendor’s employees before permitting them access to premises or sensitive information. Some organizations are conducting their own background checks of vendors just as NASA seeks to do with respect to the JPL employees. Further, like Caltech, vendors often must now confront the question whether to terminate an employee who is denied access to a customer’s site or to reassign that employee to another customer. The Court’s decision — albeit in the context of federal constitutional law — might provide guidance on how vendors should handle this difficult situation in a manner that reduces risk.
- California Employers: California has a constitutional right to information privacy that private employees can enforce against private employers. While the federal and California constitutional rights to information privacy do not precisely mirror each other, they are sufficiently similar that, depending upon the outcome in the Supreme Court, California courts might look to the Supreme Court’s decision for guidance on claims where employers themselves have conducted overly intrusive background checks or have assisted their customers in doing so.
- Federal Government Contractors: Other agencies of the federal government likely use the same background check forms as those used by NASA to regulate access to agency facilities by “low risk” employees. Federal contractors who, like Caltech, condition employment of “low risk” employees on the issuance of a federal identification badge could be put at risk of liability for violating their employees’ federal constitutional right to information privacy in the same way that Caltech is at risk of liability were the Supreme Court to affirm the Ninth Circuit’s decision.
This entry was written by Philip L. Gordon.
Photo credit: fotosipsak
-
What’s Left of Employee Consent as Grounds for Data Processing After Recent European Court of Justice Decision on Attorney-Client Privilege?
Posted on October 4th, 2010 No comments
U.S. corporations routinely rely on domestic employees’ consent to searches and disclosure of their personal information to avoid liability for privacy-based claims. In the European Union, by contrast, national data protection authorities and the Article 29 Working Party, which issues guidance on the implementation of the European Union Data Protection Directive, have repeatedly warned employers against relying on employees’ consent to provide a legitimate basis for processing personal data. In the European view, the balance of power in the employer-employee relationship so disproportionately favors the employer that an employee’s consent to an employer’s processing of personal data typically cannot be truly voluntary.
The recent decision by the European Court of Justice (ECJ) in Akzo Nobel Chemicals Ltd. v. EU (pdf), albeit addressing attorney-client privilege (known as the “legal professional privilege” in the E.U.), demonstrates just how risky it can be for employers to rely on the consent of E.U. employees as a legitimate ground for data processing. In Akzo, the ECJ rejected the assertion of the legal professional privilege to protect from disclosure communications between in-house counsel and their internal business clients in an anti-trust investigation. The following quotation reflects the logical fulcrum of the court’s decision:
“[A]n in-house lawyer cannot, whatever guarantees he has in the exercise of his profession, be treated in the same way as an external lawyer, because he occupies the position of an employee which, by its very nature, does not allow him to ignore the commercial strategies pursued by his employer, and thereby affects his ability to exercise professional independence.”
In other words, according to the ECJ, the employer’s commercial interests so cloud the judgment of in-house attorneys that they are incapable of providing unbiased legal advice to their employer.
The implications of this line of reasoning for E.U. data protection law are potentially profound. Attorneys often will be among the most highly educated members of an employer’s workforce. They have been trained to exercise independent judgment and, of course, have an ethical obligation to their client to do so. If Europe’s highest court has concluded that the employer–employee relationship fundamentally compromises an attorney’s ability to engage in independent decision-making — notwithstanding the attorney’s education and professional responsibilities — employers can expect to face a heavy burden in persuading E.U. data protection authorities that factory workers, customer sales representatives, or even low- or mid-level managers voluntarily consented to the processing of their personal data.
For further analysis of this development, see Littler ASAP The European Court of Justice Reaffirms that Communications with In-House Counsel May Not Be Privileged in Europe by Nick Linn.
This entry was written by Philip L. Gordon.
Photo credit: FotografiaBasica
-
Commonplace IT Functions Raise the Risk of Federal Wiretap Act Liability Under Recent Seventh Circuit Decision
Posted on September 20th, 2010 No comments
Even if your organization already has revised its electronic resources policy — as prior blog posts suggest — to address personal e-mail accounts in light of the New Jersey Supreme Court’s decision in Stengart v. Loving Care Agency and to address text messages in light of the U.S. Supreme Court’s decision in Quon v. City of Ontario, you still should consider revisiting that policy yet again in light of the U.S. Court of Appeals for the Seventh Circuit’s decision on September 9, 2010, in United States v. Szymuszkiewicz (pdf). The court’s decision affirmed the criminal conviction, for Federal Wiretap Act violations, of an IRS agent who, unbeknownst to his supervisor, activated the autoforwarding feature in the supervisor’s Microsoft Outlook. As a result, duplicates of the supervisor’s e-mail were automatically forwarded to the IRS agent without the supervisor’s knowledge or consent. The IRS agent received a sentence of eighteen months’ probation.
The Seventh Circuit’s decision turned principally on whether “auto forwarding” e-mail constitutes an “interception” as defined by the Federal Wiretap Act. The court answered that question in the affirmative because the auto forwarding permitted the IRS agent to obtain the content of e-mail stored in his supervisor’s e-mail inbox.
For employers, the court’s decision highlights the risk of Federal Wiretap Act liability arising from commonplace IT functions. Corporate IT departments routinely activate “auto forwarding” after an employee has left an organization so that a supervisor or co-worker can promptly respond to e-mail intended for the former employee. It also is not uncommon for corporate IT departments to rely on “e-mail journaling” to create a duplicate set of out-going and incoming e-mail for archival purposes. Journaling essentially functions the same as auto forwarding except that the duplicate e-mail content is stored on a server for possible future retrieval rather than being transmitted directly to a third party’s e-mail inbox.
Even if the IT department activates these features (which are standard-issue for Microsoft Outlook) for legitimate business purposes, the employer remains at risk of civil liability under the Federal Wiretap Act. The Act’s damages provision is plaintiff-friendly, permitting recovery of $10,000 in statutory damages without proof of actual harm, $100 per day of violation, or actual damages, whichever is greatest, plus attorneys fees and costs. If auto forwarding or e-mail journaling is activated on an enterprisewide basis, the potential exposure could be substantial.
Because consent to an interception by one party to a communication is a defense to liability under the Federal Wiretap Act, employers can reduce the risk of liability by providing employees with notice of the IT processes that constitute an interception and obtaining their express or implied consent. The notice could take the form of language in the employer’s electronic resources policy. If so, the policy should unambiguously explain the nature and scope of the interception, and the policy should be distributed in a way that permits the employer to prove receipt. In addition, it is critical that representatives of the IT department, human resources professionals, and in-house counsel communicate whenever autoforwarding or e-mail journaling is implemented so that employees’ consent can be obtained.
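Counsel and HR can only disclose the interceptions they know about, and the mechanism at issue in Szymuszkiewicz (a forwarding rule on someone else’s mailbox) is exactly the kind that nobody tells them about. The script below is an added example and is not part of the original post or of the court’s record. It pulls one inventory of every mailbox-level forward, every inbox rule that forwards or redirects mail, and every journal rule, using the standard Get-Mailbox, Get-InboxRule and Get-JournalRule cmdlets. It assumes an Exchange Management Shell (Exchange 2010 or later) or Exchange Online PowerShell session that is already connected with at least View-Only Organization Management rights; the output file name is an assumption.

```powershell
# Added example, not from the original post. Assumes an Exchange Management Shell
# or Exchange Online PowerShell session that is already connected with at least
# View-Only Organization Management rights. The CSV path is an assumption.

$report = @()

# 1. Server-side forwarding configured on the mailbox object (usually set by IT,
#    e.g. after an employee leaves). DeliverToMailboxAndForward tells you whether
#    the original recipient still receives a copy.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    ForEach-Object {
        $report += [pscustomobject]@{
            Mailbox  = $_.PrimarySmtpAddress
            Kind     = 'MailboxForward'
            Target   = "$($_.ForwardingAddress) $($_.ForwardingSmtpAddress)".Trim()
            KeepCopy = $_.DeliverToMailboxAndForward
            Name     = ''
        }
    }

# 2. Inbox rules: created from Outlook but stored on the server and executed
#    there as each message arrives. This is the Szymuszkiewicz scenario, so the
#    list includes rules nobody in IT, HR or legal set up.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_.PrimarySmtpAddress
    Get-InboxRule -Mailbox $mbx |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $report += [pscustomobject]@{
                Mailbox  = $mbx
                Kind     = 'InboxRule'
                Target   = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';'
                KeepCopy = -not $_.RedirectTo      # redirect moves the message; forward copies it
                Name     = "$($_.Name) enabled=$($_.Enabled)"
            }
        }
}

# 3. Journal rules: the archival duplicate the post compares to auto-forwarding.
#    A $null Recipient means the rule applies to every sender/recipient in scope.
Get-JournalRule | ForEach-Object {
    $report += [pscustomobject]@{
        Mailbox  = $_.Recipient
        Kind     = 'JournalRule'
        Target   = $_.JournalEmailAddress
        KeepCopy = $true
        Name     = "$($_.Name) [$($_.Scope)] enabled=$($_.Enabled)"
    }
}

$report | Sort-Object Kind, Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path .\mail-interception-inventory.csv -NoTypeInformation
```

Run it on a schedule and diff successive CSVs: a new InboxRule row whose Target is an address the mailbox owner did not authorize is the pattern from the case and warrants an incident response, while new MailboxForward or JournalRule rows should each map to a notice already given to the affected employees. Enumerating Get-InboxRule for every mailbox is slow in large tenants, so scope the second step to a business unit if needed.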
Significantly, in the course of reaching its decision, the Seventh Circuit rejected decisions of the Third, Fifth, Ninth and Eleventh Circuits holding that an actionable “interception” occurs only when the content of an electronic communication is acquired contemporaneously with transmission. This seemingly academic distinction has potentially significant implications for employers. To illustrate its interpretation of the Act in this regard, the appellate court explained that listening to voicemail without the consent of the sender or recipient would constitute an unlawful interception even if the third-party listener (e.g., a member of the HR department) did not hear the recorded message simultaneously with its being left for the intended recipient. While this aspect of the opinion appears to be non-binding dicta, organizations with employees in states within the Seventh Circuit — Indiana, Illinois, and Wisconsin — should, nonetheless, consider obtaining consent to review employees’ voicemail through their electronic resources policy as described above.
This entry was written by Philip L. Gordon.
Photo credit: Pgiam
-
As Germany Considers Restrictions on Use of Social Media for Recruiting, Multi-National Employers Need to Start Thinking About Social Media Policy 2.0
Posted on September 10th, 2010 No comments
A bill approved on August 25, 2010, by Germany’s cabinet for introduction to the German Parliament would restrict employers’ use of social media in the recruitment process. Many multi-national employers are still struggling to implement a policy governing the use of social media in their U.S. workplace. Before multi-national employers even complete that task, or catch their breath from doing so, they need to confront the question, as the German proposal suggests, whether the version 1.0 social media policy addressing only U.S. employees can be lawfully applied to non-U.S. employees.
The issue is far from academic. Facebook, which surpassed 500 million users earlier this summer, has hundreds of millions of non-U.S. users. In fact, according to a survey by NielsenWire, monthly time per user spent on Facebook in Australia (7 hours 45 minutes) and Italy (7 hours) exceeds the U.S. average of 6 hours and 43 minutes, with the United Kingdom not far behind at 6 hours 19 minutes. Latin America was Twitter’s fastest-growing market between June 2009 and June 2010, with users increasing by 300%, followed by Asia Pacific with a 240% growth rate, and the Middle East and Africa, where users more than doubled.
At the same time, the social media juggernaut has been so rapid that no one body of law in any country yet governs an employer’s ability to access and use social media content for hiring and disciplinary purposes. In the U.S., for example, private employers need to consider the federal Stored Communications Act and state computer trespass laws, the Fair Credit Reporting Act, the National Labor Relations Act, federal anti-discrimination laws, state laws protecting employees against adverse action based on lawful, off-duty conduct, and potential common law claims for invasion of privacy and unreasonable disclosure of private facts.
The German bill appears to be one of the first pieces of national legislation aimed specifically at regulating employers’ use of social media content for employment purposes. Under the current version of the bill, employers would be permitted to access only social media content that the applicant makes publicly available; social media content limited to “friends only” would be off limits. Ironically, a case last summer that resulted in a verdict against Houston’s Restaurants for unauthorized access to an employee’s friends-only site effectively drew the same distinction, albeit based on the federal Stored Communications Act, which was enacted in 1986, long before the Internet as we know it had evolved.
While the German law still needs to work its way through the legislative process, U.S. employers should expect that data protection authorities and privacy advocates in other countries and in the United States are watching. It likely is just a matter of time before many countries have enacted a body of “social media law” that will make drafting a global social media policy as challenging as drafting a global privacy policy. In the meantime, multi-national employers should consider surveying foreign laws in the areas of access to electronic communications, privacy and data protection, and labor rights before applying a U.S.-based social media policy to applicants or employees located in other parts of the world.
This entry was written by Philip L. Gordon.
Photo credit: anati
-
Enforcement Action by Federal Trade Commission Highlights Importance of Social Media Guidelines for Employees
Posted on September 1st, 2010 No comments
Employees who post reviews of their employer’s products and services on social media sites, without disclosing their corporate affiliation, can land their employer in an FTC enforcement action.
The FTC’s second enforcement action for violation of the agency’s endorsement guidelines, announced on August 26, makes this point.
According to the FTC, Reverb Communications, an on-line public relations firm, sought to boost sales of its clients’ gaming applications by having its employees post positive reviews on iTunes. Over the course of nine months, Reverb employees, posing as disinterested users, gave clients’ games a rating of 4 or 5 and posted comments, such as “Amazing new game,” “ONE of the BEST,” and “Really Cool Game.” According to the FTC, these reviews were misleading because they did not, as suggested, come from independent, ordinary consumers, but from Reverb employees who had a financial incentive to provide a positive endorsement.
In the agreement resolving the FTC’s complaint, Reverb agreed, among other things, (a) not to permit its employees to endorse any product without conspicuously disclosing the employee’s connection to Reverb and/or the manufacturer or advertiser of the product; (b) to take reasonable steps to remove the endorsements that were posted without full disclosure; (c) to maintain for five years all documents related to the company’s compliance with the agreement; and (d) to obtain for five years all current and future employees’ acknowledgement of receipt of the company’s agreement with the FTC.
With social media sites offering endless opportunities to recommend and review products and services, and employers increasingly pushing into Web 2.0 to promote their own products and services, well intentioned but misleading endorsements can easily mushroom throughout the Web. Employers can reduce this risk by explaining in a social media policy how the FTC defines an endorsement and by requiring any employee who provides an endorsement to disclose conspicuously his or her corporate affiliation. In addition, employers, as part of their social media training, should explain that even a numerical score or a brief comment about the employer’s products or services on a site not sponsored by the company could constitute an “endorsement” under the FTC’s guidance. The training also can provide the employee with different ways to disclose their affiliation with the employer, such as by stating, “I work in Employer’s product development department, and I think our product is the best in its class,” or by including the employer’s name and the employee’s job title when posting a comment.
This entry was written by Philip L. Gordon.
Photo credit: parasoley
-
Multi-State Employers Must Revise Job Applications to Address New Massachusetts Background Check Law
Posted on August 27th, 2010 No comments
Recently enacted legislation in Massachusetts will significantly affect employers’ use of criminal history information for employment purposes. While most provisions of the new law (pdf) do not go into effect until February 2012, one provision, effective on November 4, 2010, requires the immediate attention of multi-state employers. This provision generally prohibits employers from inquiring in an “initial written application form” about an applicant’s criminal history. Two narrow exceptions permit questions about criminal history if a federal or state regulation (1) disqualifies the applicant from employment in the open position based on a criminal conviction; or (2) bars the employer from hiring for one or more positions an individual with a criminal conviction. The second exception, as written in the statute, is ambiguous. It is unclear whether an employer who is barred from hiring a convicted criminal for certain positions may inquire into an applicant’s criminal history on an initial employment application used for a variety of positions, including those that can be filled by a convicted criminal. This issue is particularly important for multi-state employers who use a standard job application form for all jurisdictions.
Before the new law’s November effective date, all multi-state employers should carefully review any job application form that is completed by Massachusetts applicants. If the employer has no position for which federal or state law prohibits the hiring of a convicted criminal, the employer should add an instruction, immediately below any question seeking information about criminal history, directing Massachusetts applicants not to respond. If the employer has one or more positions for which federal or state law prohibits the hiring of a convicted criminal, the employer should consider an instruction directing Massachusetts applicants not to answer the question unless they are applying for one of a list of specified positions. The list would include those positions for which state or federal law prohibits the hiring of a convicted criminal.
Notably, the new law imposes no restriction on an employer’s ability to inquire into an applicant’s criminal history at any point in the hiring process after the initial written employment application has been submitted. Multi-state employers should note, however, that Massachusetts law prohibits employers from asking applicants about certain criminal records at any stage of the hiring process. To comply with these restrictions, employers must refrain from asking about any of the categories of criminal history listed below, or if asking a broad question that might otherwise call for disclosure, instruct the applicant not to disclose any of the below-listed categories:
• arrests not resulting in a conviction;
• sealed records;
• crimes committed while a juvenile unless charged as an adult;
• convictions for misdemeanors where the date of conviction precedes the question by more than five years; and
• first convictions for misdemeanors involving drunkenness, simple assault, speeding, minor traffic violations, affray, or disturbance of the peace.
In light of these restrictions, employers should exercise caution when making any oral inquiry related to criminal history. A better approach would be to move the written question about criminal history from the initial application to a later stage of the hiring process. For example, employers who require applicants to complete a background check authorization after screening the initial written application could add to the background check paperwork provided to Massachusetts applicants a written inquiry into the applicant’s criminal history. That inquiry would include a listing of the categories of criminal history that the applicant should not disclose. This approach allows employers to require a written answer to an inquiry into criminal history before making the final employment decision while complying with the new Massachusetts restriction.
To learn more about this legislation and its implications for employers, please see Littler ASAP, “Massachusetts Becomes the Second State to ‘Ban the Box’ on All Employment Applications” by Carie Torrence.
This entry was written by Philip L. Gordon and Carie Torrence.
Photo credit: petebax
-
Illinois Continues State Law Trend Towards Restrictions on the Use of Credit History in Employment Decisions
Posted on August 19th, 2010 No comments
An article that I recently published in BNA’s Privacy & Security Law Report examined the incipient trend towards state law restrictions on the use of credit history in employment decisions. Illinois has now become the fourth state — following Hawaii, Oregon, and Washington — to impose such restrictions, and similar bills are pending in nearly one dozen other states. The Illinois law, enacted on August 10 and effective on January 1, 2011, generally prohibits employers from making any employment decision based upon an individual’s credit report or credit history. While the term “credit report” is limited to credit information provided by a consumer reporting agency (e.g., a background check vendor), the statute broadly defines “credit history” to include “an individual’s past borrowing and repaying behavior, including paying bills on time and managing debt and other financial obligations.” The new law also generally prohibits employers from obtaining a credit report on an applicant or employee and from asking an applicant or employee about his or her credit history.
The law’s numerous and broad exceptions will limit its impact. Significantly for the financial services sector, the law expressly excludes banks, insurers and surety companies from its coverage by excepting them from its definition of “employer.” The following categories of positions also are excluded from the law’s coverage:
- Positions involving access to sensitive information;
- Positions involving unsupervised access to cash or marketable assets valued at more than $2,500;
- Positions with signatory power over business assets of $100 or more per transaction;
- Managers who set the direction of or control a business;
- Positions for which the employer is required by law to obtain a bond;
- Positions for which state or federal law or regulation establishes credit history as a bona fide occupational qualification; and
- Positions for which the employer is required by law to obtain credit history.
The first exception is particularly broad given the many different types of information to which it applies. More specifically, Illinois employers can obtain credit reports and credit history from applicants or employees whose position involves access to any of the following categories of information: (a) sensitive information that a customer gives the employer explicit authorization to process; (b) sensitive information that an employer entrusts only to managers and a select few employees; (c) sensitive information that is secured so as to make it inaccessible to the public and low-level employees; (d) non-public information about the employer’s overall financial direction, including company tax and profit and loss reports; (e) sensitive information regarding an employer’s overall strategy or business plans; and (f) information that would jeopardize national or state security if publicly available. The statute does not define the term “sensitive information” and, therefore, appears to leave the determination of sensitivity to the employer’s reasonable discretion.
When taken together, these exceptions appear to permit credit checks on large swaths of an organization’s workforce. At a minimum, all senior executives, in-house attorneys, human resources professionals, and finance department employees, as well as virtually all information technology employees and all managers with money-handling responsibilities, appear to fall within the scope of the law’s exceptions. By contrast, most lower-level employees — except perhaps those in customer service positions involving access to sensitive customer information — likely would be covered. Each employer will need to conduct its own analysis to identify the categories of Illinois employees from whom credit information can lawfully be obtained and considered in employment decisions.
For further analysis of this development, see Littler ASAP "New Illinois Law Puts Credit Reports and Credit History Off Limits for Most Employers and Most Positions" by Philip L. Gordon and Jeffrey C. Kauffman.
This entry was written by Philip L. Gordon.
Photo credit: contour 99
-
D.C. Circuit Decision Ratchets Up the Risk for Employers Who Use Location Tracking
Posted on August 19th, 2010 No comments
Employers are increasingly tracking their employees’ whereabouts as smartphones, laptops, and vehicles equipped with location-tracking technology become ever more prevalent. Statutes restricting the use of location-tracking devices typically do not impinge upon such tracking, either because the law’s definition of a tracking device does not encompass phones or laptops enabled with Global Positioning System (GPS) technology or because the law permits the vehicle’s owner to install a tracking device. The question remains, however, whether tracking employees’ location constitutes a common law invasion of privacy. A recent decision by the federal court of appeals in the District of Columbia suggests that, in certain circumstances, employers who track their employees’ location could face liability for invasion of privacy. In U.S. v. Maynard (pdf), the court held that the FBI had infringed upon the criminal defendant’s reasonable expectation of privacy by “tracking his movements 24 hours a day for four weeks with a GPS device they had installed on his Jeep without a valid warrant.” Key to the court’s decision was the intimate knowledge of the suspect’s life that could be gleaned from pervasive location tracking, as opposed to observing the suspect’s public movements for a short period of time:
Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one's not visiting any of these places over the course of a month. The sequence of a person's movements can reveal still more; a single trip to a gynecologist's office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story. A person who knows all of another's travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.
Based on this distinction between pervasive and non-pervasive tracking, the court concluded that a “reasonable person does not expect anyone to monitor and retain a record of every time he drives his car, including his origin, route, destination, and each place he stops and how long he stays there; rather, he expects each of those movements to remain ‘disconnected and anonymous.’”
While the court’s decision construes only Fourth Amendment protections against government intrusions, the court’s observations clearly could be used to support a common law claim for invasion of privacy against an employer that uses GPS-enabled vehicles, laptops or smartphones to engage in surreptitious, 24/7 location tracking of its employees. That being said, the D.C. Circuit’s decision splits from the rulings of three other circuits — the Seventh, Eighth, and Ninth — making it likely that the D.C. Circuit’s decision will be subject to U.S. Supreme Court review. These other courts held that the warrantless use of a location-tracking device does not violate the Fourth Amendment because a criminal suspect cannot reasonably expect privacy in his public movements. These cases, therefore, can be used to defeat an invasion-of-privacy claim based on an employer’s use of pervasive location tracking.
Nonetheless, the D.C. Circuit’s decision highlights several steps employers can take to conduct location tracking in a manner that makes an invasion-of-privacy claim far less likely:
- Avoid surreptitious location tracking
- Provide employees with detailed, written notice of any location tracking
- When practical, have employees acknowledge receipt of the notice
- Limit location-tracking, when technically feasible, to working hours
- Restrict access to location-tracking information to those with a need to know
This entry was written by Philip L. Gordon.
Photo credit: Paul Downey