Articles Posted in Privacy In the Workplace

At our Annual Employment Law Seminar last week, I spoke about the “Facebook Privacy” bill that was then pending in Delaware’s House of Representatives.  The bill passed the House later that day and is now headed to the Senate.  For those of you who weren’t in attendance last week, here’s a brief recap of the proposed law.

The stated purpose of HB 109 is to protect individuals’ privacy in their personal social media accounts.  Generally speaking, HB 109 would prohibit employers from requiring or requesting that an employee or applicant give the employer access to their personal social-media accounts, either by giving up their passwords or by logging in and letting the employer take a look (also known as “shoulder surfing”).

As we all know, though, with any law, the devil is in the details.  And there are, not surprisingly, a few devilish details.  For example. . .

HB 109 prohibits an employer from asking an employee (or applicant) to disclose “a username . . . for the purpose of enabling the employer to access personal social media.”  As written, that would mean that an employer could not ask a candidate what his or her Twitter handle is.  Twitter is, generally speaking, a publicly available site.

So an applicant could have a public Twitter account, where he tweets racist or sexist speech or talks about how he likes to steal money from his current employer, but the employer wouldn’t be able to ask about it?  Huh?  I suppose we’d just have to wait till discovery in a lawsuit before we could ask for that (public information)?  Not my favorite part of this law.

There are other confusing parts of HB 109 that I think likely are unintended consequences of the legislation.  But, with 38 votes in favor and none against, it appears that the unintended consequences are well on their way to becoming law.  We’ll see what the Senate has to say about it and will be sure to keep you updated.  In the meantime, you can track HB 109 here.

Employers, do you know what apps your employees are using?  That’s the question posed by a recent article in the WSJ.  (See Companies Don’t Know What Apps Their Employees Are Using).  My guess is that the answer to this important question is, “No.”  Here are my top tips for how not to be the employer discussed in the WSJ article.

First, have a policy about employees’ use of cloud-based apps to save work-related documents.  Consider prohibiting employees from saving work documents to cloud-based storage accounts such as Dropbox, SkyDrive, and  Also consider prohibiting employees from backing up the contents of their work laptops to cloud-based back-up accounts, such as Mozy and Carbonite.

Second, communicate your policy to all affected employees.  If employees don’t know about the prohibitions, your policy is unlikely to have the desired deterrent factor.  This means that your policy needs to be written in plain English and that it should be publicized to employees in a way that will actually be heard.

Third, enforce the policy.  Don’t make exceptions.  If an employee violates the policy, the employee should be disciplined accordingly.  Even if the employee is your favorite employee.  And even if the employee complains a lot about the policy and claims that he or she needs the online storage and/or back-up accounts.  The answer is “no.”  And that answer must be consistent, regardless of how loudly an employee complains.

As a bonus point, I’ll note that employers should consider having all employees execute a confidentiality agreement.  The agreement can be very brief; a paragraph long does the trick, most of the time.  But the key is to have all employees execute the document.  And, ideally, have the employees reaffirm their adherence to the confidentiality agreement on a yearly basis.

A lot of additional work?  Yes.  But, if you have an employee who defects to a competitor and takes with him several gigabytes worth of your confidential data, the extra “work” will be worthwhile.  You’ll be glad you have taken these steps, and don’t hesitate to thank me for the great suggestions.

Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer, particularly when the new employer is a competitor.  When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue.

Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network.  But what if the employee turns over his personal emails or text messages without realizing it?  The answer is, as always, “it depends.”  A recent case from a federal court in California addresses the issue in a limited context.

After the employee resigned, the employer sued him for misappropriating trade secrets.  He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws.  The employee alleged that the employer had reviewed his personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.

All of the employee’s counter-claims were dismissed by the court.  The court found that the Wiretap Act claim failed because there was no allegation that the employer had intentionally intercepted any messages.  The SCA claims failed because there was no allegation that the employer had accessed any messages.  And, perhaps most obviously, the privacy claims failed because the employee could not have had a reasonable expectation of privacy.

The court specifically found that the employee had “failed to comport himself in a manner consistent with objectively reasonable expectation of privacy” by failing to unlink his old phone from his Apple account, which is what caused the transmission of his text messages to his former employer.

Sunbelt Rentals, Inc. v. Victor, No. C 13-4240-SBA (N.D. Cal. Aug. 28, 2014).

See also

Too Creepy to Win: Employer Access to Employee Emails

Traveling for Work and Late-Night Emails

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Delaware’s Governor has signed legislation related to the safe destruction of documents containing personal identifying information. The bill is effective January 1, 2015, and requires that commercial entities take all reasonable steps to destroy a consumer’s personal identifying information within the business’s custody and control, when the information is no longer to be retained. Destruction includes shredding, erasing, or otherwise destroying or modifying the personal identifying information to make it entirely unreadable or indecipherable through any means.

Personal identifying information includes, but is not limited to, a consumer’s first name or first initial and last name in combination with any one of the following: a signature; date of birth; social security number; passport number; driver’s license number; insurance policy number; or financial information (such as a credit card number).

There are exceptions for federally regulated financial institutions, healthcare organizations subject to HIPAA, consumer reporting agencies subject to the FCRA, and governmental bodies.

Violation of the statute carries stiff penalties, including treble damages.

The legislation is not a model of clarity, and leaves a lot of questions as to how it will be applied to Delaware businesses. Until the courts provide additional guidance, Delaware businesses are well advised to carefully review their document security.

During the 2007-2008 school year, Ms. Kimble was employed as a cook and cheerleading coach at a high school.  In December 2007, she took the cheerleaders on an overnight Christmas party held in a cabin located outside the county.  The trip was not approved as was required by district policy.  When administration learned about the trip, Ms. Kimble was instructed that all future out-of-county trips must have prior approval.

The following year, Ms. Kimble worked as a cook at an elementary school and as the cheerleading coach at the same high school at which she had coached the prior year.  In December 2008, Ms. Kimble took the cheerleaders to the same cabin for another overnight Christmas party.  Ms. Kimble and a parent went as “chaperones” but Ms. Kimble did not seek or obtain approval for the trip.

During the party, Ms. Kimble was photographed in the hot tub, surrounded by several female cheerleaders.  Although Ms. Kimble was clothed, most of the girls were topless.  All of the girls were minors. 

Ms. Kimble posted several photos of the party on her MySpace page, although the girls were fully clothed in all of the pictures that she posted.  To one of the photos, in which the girls were wearing Santa Claus hats, Ms. Kimble added the caption:

my girls acting like their self[sic] . . . hoes.

The photos were discovered and reported to the school and Ms. Kimble was suspended without pay.  After a hearing, she was terminated from both her position as cook and as coach based on the determination that she had committed insubordination, immoral conduct, and sexual harassment. 

Ms. Kimble challenged the termination.  An administrative law judge overturned the board’s decision to terminate her from her position as cook.  The board appealed and the circuit court affirmed the finding of the ALJ.  The board appealed to the state’s highest court, which reversed, siding with the board and finding the termination lawful. 

As the grounds for its opinion, the state’s Supreme Court held that Ms. Kimble had been insubordinate by ignoring the directive and policy to first obtain permission from the school prior to taking students on any out-of-county trip.  That was the easy part.

The more difficult part (at least for the ALJ and the lower court), was the finding that Ms. Kimble had, indeed, engaged in immoral conduct by:

sitting in a hot tub surrounded, literally, by several topless female students.

The court also found that calling your minor students “hoes” is relevant to the immorality question.

Finally, the court rejected Ms. Kimble’s argument that she could not be disciplined for conduct that occurred off duty.  This argument is a favorite among plaintiff-employees everywhere but always a loser.  The conduct was within the scope of Ms. Kimble’s employment–she, as cheerleading coach, took cheerleaders on an authorized trip outside the county, was photographed with several of them topless, and then called them “hoes” on her MySpace page. 

The fact that she was not on duty at the time of these acts does not serve as a defense.  This case serves as yet another example of how off-duty conduct can (and should) serve as a basis for discipline and/or termination.  When an employee engages in conduct off-duty that undermines or interferes with his or her ability to effectively carry out his or her job duties, discipline is appropriate . . . and lawful.  The same rule applies when the conduct is carried out in cyberspace, particularly on social-media sites.

On the most basic level, it’s difficult to imagine that the parents of the female students would appreciate their daughters being called “hoes” by anyone but especially not by their cheerleading coach. 

Kanawha County Bd. of Ed. v. Kimble, No. 13-0810, 2014 W. Va. LEXIS 584 (W. Va. May 30, 2014).

The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers.  This is just one story in a string of recent headlines involving the vulnerability of Internet sites.  But consumers aren’t the only ones affected.  The companies whose websites have been attacked are employers, after

Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability.  So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.

One option being considered by some employers is blocking employees’ access to their personal, web-based email accounts from the company’s servers.  Companies can install powerful (albeit not impenetrable) spam-filtering software that can catch and prevent many Internet-based security threats.  But that software works only on emails that come through the company’s email servers.  Email that is opened through a web-based account, such as Gmail or Hotmail, is not subject to the company’s protective measures.

Which is precisely why many IT professionals see web-based email accounts as a major security threat.  But what’s an employer to do?  Employers have long been trying to prevent the productivity loss associated with employees’ personal use of the Internet during working time.  But now this effort has become a top priority.

Will employees stop checking their personal email at work if they’re asked nicely?  If they understand the risks?  Maybe.  Maybe not.  But it certainly wouldn’t be a bad place to start.  Perhaps your company should consider explaining to its employees exactly why you don’t want them to check their personal email during working time.  Hey, it’s worth a try.

By the way . . .

Data Security is the topic of one of the sessions at this year’s Annual Employment Law Seminar, which is coming up on May 8.  If you haven’t registered, there’s still time.  Just click here to get to the Seminar Registration page.

Delaware Chief Medical Examiner Richard T. Callery has made news headlines for his off-duty conduct.  According to The News Journal, Callery is the subject of a criminal investigation relating to his testimony as an expert witness in cases outside of Delaware. 

In short, the claim is that Callery spent a lot of time serving as a paid witness in cases in other States, while neglecting his own duties.  And, to add insult to injury, Callery apparently testified on behalf of the defense in several cases, which, some argue, diminishes his credibility when called to testify in Delaware on behalf of the State.

The lesson to be learned for employers is an important one.  Many employers put limitations on moonlighting by employees.  Such limits may be included in an employment contract or in a personnel handbook. 

The policies vary.  For example, some employers prohibit employees from working in a second job altogether.  Others prohibit only secondary employment in the same field or with the same duties that the employee performs in his or her full-time employment.  And others only prohibit secondary employment that conflicts with the employee’s job duties. 

The State of Delaware, like many employers, does not have such a policy.  But, if it had, it would likely have prohibited Callery from working as an expert witness, even in his off-duty time.  Do you have such a policy?   Should you?

See ME’s side work under criminal investigation, by Jonathan Starkey and Sean O’Sullivan.

Can employee theft be a protected activity? Unfortunately, yes.  As I’ve written previously, employee theft of data and documents is so common it’s frightening (or should be) to any employer.  See Your Employees Are Stealing Your Data; Your Employees Are (Still) Stealing Your Data.

When an employer discovers that a recently separated employee has taken with him or her the employer’s data in electronic and/or paper format, there are a few possible outcomes.  Frequently, legal counsel is able to get the documents returned and an affidavit signed by the employee certifying that he no longer has any of the employer’s property in his possession, custody, or control, and that, should he later discover that he does still have such property, he will contact the employer immediately and cooperate fully in returning it.  In these cases, it is up to the employer whether or not to “go after” the documents (and/or the employee who stole them).

But this is not always the case.  Employees have stolen the employer’s documents only to then attempt to use those documents in litigation against the employer.  Yes, this is as horrible as it sounds.

Here’s the nightmarish scenario.  Employee sues employer, alleging that employee was subject to unlawful discrimination based on age.  While still employed, employee steals a copy of her personnel file and the personnel file of the younger co-worker who employee claims was promoted instead of employee.   During discovery in the litigation, employee produces copies of these stolen documents and claims that they support her age-discrimination claim.

You now know that the employee wrongfully accessed the co-worker’s (confidential) personnel file, made a copy of it, and retained that copy (presumably giving a copy to her lawyer, who then produced it to you during discovery).  The rational employer would likely respond to this information by terminating (or at least wanting to terminate) the employee for breaching all sorts of policies.  And, if the file contained certain personal data, the employer would likely have a legal duty to notify the affected co-worker, as well.

But, alas, the law is never as obvious as one may hope.  There is a small body of cases that held that problems can arise if the employer does what most rational employers would want to do, i.e., fire the thief-employee.  For example, in a 2010 decision, the New Jersey Supreme Court held that it was, in fact, unlawful to terminate the employee for precisely the conduct described above.  The court found that the employee gave the documents only to her lawyers, that the documents were directly relevant to the employee’s claim of discrimination, that the disclosure of the documents did not threaten the company’s operations, and the employee had a reasonable basis to believe that the documents would not have been produced during discovery.  Quinlan v. Curtiss-Wright Corp., 204 N.J. 239 (2010).

Ugh.  I should hope that it goes without saying but, wow, that is disturbing.

Thankfully, there are cases and courts that disagree with that approach.  For example, in an opinion from the normally employee-friendly Ninth Circuit, the court held that the plaintiff-employee could not support his age-discrimination claim with documents taken from his supervisor’s office.  Instead, the court explained,

[W]e are loathe to provide employees an incentive to rifle through confidential files looking for evidence that might come in handy in later litigation. The opposition clause protects reasonable attempts to contest an employer’s discriminatory practices; it is not an insurance policy, a license to flaunt company rules or an invitation to dishonest behavior.

O’Day v. McDonnell Douglas Helicopter Co., 79 F.3d 756 (9th Cir. 1996).   The Ninth Circuit is not alone in rejecting the idea that an employee’s theft should be endorsed by the courts.   The Sixth Circuit reached a similar result in Niswander v. Cincinnati Ins. Co., 529 F.3d 714, 718 (6th Cir. 2008).

Nevertheless, if you thought that your employees could not use stolen information against you, you may want to think again.  And then think about whether you have solid confidentiality and privacy policies in place.  More and more employers require employees to sign a confidentiality agreement every year.  And, with cases like Quinlan, this idea seems to be a prudent one.

The Wall Street Journal recently reported some eye-opening results of a survey regarding information theft by employees.  Here are some of the most disturbing (though not surprising) findings from the survey:

  • 50 percent of employees kept confidential information post-separation;
  • 40 percent plan to use confidential information in their future employment; and
  • 60 percent say a co-worker has offered documents from a former employer

So what do these statistics say? In short, they say that your employees are stealing your intellectual property.

And here are two more interesting findings:

  • 52 percent of employees don’t believe that it’s a crime to use a competitor’s confidential business information; and
  • 68 percent of employees say their organization doesn’t take preventative measures to ensure employees don’t use competitive information.

So what do these statistics say? Well, they say that neither your former employees nor their new employers think there’s anything wrong with stealing and using your intellectual property.

These statistics don’t surprise me at all. Theft of confidential information by departing employees is an epidemic. In my experience, it is one of the biggest challenges faced by employers today. Perhaps the single biggest.

And making matters worse is the fact that most employers don’t know that it’s happening. But it doesn’t have to be this way. Here are some things every employer can do to limit the impact of this epidemic:

Have a policy. Employers should have a confidentiality policy that all employees are required to sign; separate from the employee manual is preferable.

Educate employees. Once is not enough. Employees should be required to re-sign the policy each year. Yes, really. This is a very serious problem and there is no such thing as being too proactive to prevent it.

Use technology. Employees walk away with your data in any number of ways but almost always in a way that involves technology, so put technology to work for you. For example, consider utilizing software that alerts IT any time an employee sends a large number of attachments via email. Limit access to Dropbox and similar cloud-storage sites from work devices.

Ask the tough questions. Even if you’ve done nothing to limit electronic theft beforehand, there’s no time like the present. Ask every departing employee to confirm in writing that he is not in possession of any company property (including in electronic form) and promise that, should he later discover that he does have your property, he will return it immediately.

See also  Your Employees Are Stealing Your Data

UD Employees’ Confidential Info Hacked

What to Do If Your Employees’ Confidential Data Is Stolen

Computer Fraud and Abuse Act: Government to the Rescue of Employers?

Putting the Computer Fraud and Abuse Act to Work for Employers

The modern workplace presents a cornucopia of problems thanks to technology.  As much as employers may want to restrict employees from surfing the Internet or checking Facebook during working time, it’s nearly impossible.  After all, employees can just use their personal cellphones to get online.  Add to that reality the growing popularity of BYOD policies.

So what, you might ask?  Well, one big problem is when an employee uses his personal device or account for company business.  The issue is whether the employer is deemed to have custody or control over an employee’s work-related emails sent to and from the employee’s personal email account.

In a recent case in Kansas, the court found that the employer did not have possession, custody, or control of employees’ personal emails and therefore did not have to produce the emails in discovery.

But a new case from Puerto Rico takes a different approach.  In P.R. Telephone Co., Inc., v. San Juan Cable LLC, the court found that the company did have a duty to preserve relevant email from the personal email accounts of three of the company’s former officers.  The only fact given by the court as the basis for its decision is that the company “presumably knew” that its officers had used their personal email accounts to manage the company for seven years.

Although the court did not order sanctions, it did find that there was a failure to preserve relevant evidence.  The court denied the motion for sanctions without prejudice, leaving open the possibility that the motion could be renewed if discovery revealed additional evidence of spoliation.

P.R. Telephone Co., Inc., v. San Juan Cable LLC, No. 11-2135 (GAG/BJM), 2013 U.S. Dist. LEXIS 146081 (D.P.R. Oct. 7, 2013).

[H/T Bow Tie Law Blog]
