Articles Posted in Privacy In the Workplace

At our Annual Employment Law Seminar last week, I spoke about the “Facebook Privacy” bill that was then pending in Delaware’s House of Representatives.  The bill passed the House on later that day and is now headed to the Senate.  For those of you who weren’t in attendance last week, here’s a brief recap of the proposed law. 

The stated purpose of HB 109 is to protect individuals’ privacy in their personal social media accounts.  Generally speaking, HB 109 would prohibit employers from requiring or requesting that an employee or applicant give the employer access to their personal social-media accounts-either by giving up their passwords or by logging in and letting the employer take a look (also known as “shoulder surfing”). 

As we all know, though, with any law, the devil is in the details.  And there are, not surprisingly, a few devilish details.  For example. . .

Employers, do you know what apps your employees are using?  That’s the question posed by a recent article in the WSJ.  (See Companies Don’t Know What Apps Their Employees Are Using).  My guess is that the answer to this important question is, “No.”  Here are my top tips for how not to be the employer discussed in the WSJ article. cloud storage file cabinet drawer and folders_3

First, have a policy about employees’ use of cloud-based apps to save work-related documents.  Consider prohibiting employees from saving work documents to cloud-based storage accounts such as Dropbox, SkyDrive, and Box.net.  Also consider prohibiting employees from backing up the contents of their work laptops to cloud-based back-up accounts, such as Mozy and Carbonite.

Second, communicate your policy to all affected employees.  If employees don’t know about the prohibitions, your policy is unlikely to have the desired deterrent factor.  This means that your policy needs to be written in plain English and that it should be publicized to employees in a way that will actually be heard.

Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer-particularly when the new employer is a competitor.   When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue. privacy policy with green folder_thumb

Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network.  But what if the employee turns over his personal emails or text messages without realizing it?  The answer is, as always, “it depends.”  A recent case from a federal court in California addresses the issue in a limited context.

After the employee resigned, the employer sued him for misappropriating trade secrets.  He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws.  The employee alleged that the employer had reviewed his text personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.

Delaware’s Governor has signed legislation related to the safe destruction of documents containing personal identifying information. The bill is effective January 1, 2015, and requires that commercial entities take all reasonable steps to destroy a consumer’s personal identifying information within the business’s custody and control, when the information is no longer to be retained. Destruction includes shredding, erasing, or otherwise destroying or modifying the personal identifying information to make it entirely unreadable or indecipherable through any means.crumbled paper trash_3

Personal identifying information includes, but is not limited to, a consumer’s first name or first initial and last name in combination with any one of the following: a signature; date of birth; social security number; passport number; driver’s license number, insurance policy number; or financial information (such as a credit card number).

There are exceptions for federally regulated financial institutions, healthcare organizations subject to HIPAA, consumer reporting agencies subject to the FCRA, and governmental bodies.

During the 2007-2008 school year, Ms. Kimble was employed as a cook and cheerleading coach at a high school.  In December 2007, she took the cheerleaders on an overnight Christmas party held in a cabin located outside the county.  The trip was not approved as was required by district policy.  When administration learned about the trip, Ms. Kimble was instructed that all future out-of-county trips must have prior approval.

The following year, Ms. Kimble worked as a cook at an elementary school and as the cheerleading coach at the same high school at which she had coached the prior year.  In December 2008, Ms. Kimble took the cheerleaders to the same cabin for another overnight Christmas party.  Ms. Kimble and a parent went as “chaperones” but Ms. Kimble did not seek or obtain approval for the trip.

During the party, Ms. Kimble was photographed in the hot tub, surrounded by several female cheerleaders.  Although Ms. Kimble was clothed, most of the girls were topless.  All of the girls were minors. 

The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers.  This is just one story in a string of recent headlines involving the vulnerability of the Internet sites.  But consumers aren’t the only ones affected.  The companies whose websites have been attacked are employers, after all.computer help button_3

Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability.  So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.

One option being considered by some employers is blocking employees from their personal, web-based email accounts from the company’s servers.  Companies can install powerful (albeit not impenetrable) spamware that can catch and prevent many Internet-based security threats.  But that spamware works only on emails that come through the Company’s email servers.  Email that is opened through a web-based account, such as GMail or Hotmail is not subject to the company’s protective measures.

Delaware Chief Medical Examiner Richard T. Callery has made news headlines for his off-duty conduct.  According to The News Journal, Callery is the subject of a criminal investigation relating to his testimony as an expert witness in cases outside of Delaware. 

In short, the claim is that Callery spent a lot of time serving as a paid witness in cases in other States, while neglecting his own duties.  And, to add insult to injury, Callery apparently testified on behalf of the defense in several cases, which, some argue, diminishes his credibility when called to testify in Delaware on behalf of the State.

The lesson to be learned for employers is an important one.  Many employers put limitations on moonlighting by employees.  Such limits may be included in an employment contract or in a personnel handbook. 

Can employee theft be a protected activity? Unfortunately, yes.  As I’ve written previously, employee theft of data and documents is so common it’s frightening-or should be-to any employer.  See Your Employees Are Stealing Your Data; Your Employees Are (Still) Stealing Your Data.

When an employer discovers that a recently separated employee has taken with him or her the employer’s data in electronic and/or paper format, there are a few possible outcomes.  Frequently, legal counsel is able to get the documents returned and an affidavit signed by the employee certifying that he no longer has any of the employer’s property in his possession, custody, or control, and that, should he later discover that he does still have such property, that he will contact the employer immediately and cooperate fully in returning it.  In these cases, it is up to the employer whether or not to “go after” the documents (and/or the employee who stole them).  data thief robber_3

But this is not always the case.  Employees have stolen the employer’s documents only to then attempt to use those documents in litigation against the employer.  Yes, this is as horrible as it sounds.

The Wall Street Journal recently reported some eye-opening results of a survey regarding information theft by employees.  Here are some of the most disturbing (though not surprising) findings from the survey:

  • 50 percent of employees kept confidential information post-separation;
  • 40 percent plan to use confidential information in their future employment; and

The modern workplace presents a cornucopia of problems thanks to technology.  As much as employers may want to restrict employees from surfing the Internet or checking Facebook during working time, it’s nearly impossible.  After all, employees can just use their personal cellphones to get online.  Add to that reality the fact the growing popularity of BYOD policies.

So what, you might ask?  Well, one big problem is when an employee uses his personal device or account for company business.  The issue of whether the employer is deemed to have custody or control over an employee’s work-related emails sent to and from the employee’s personal email account.byod security_thumb

In a recent case in Kansas, the court found that the employer did not have possession, custody, or control of employees’ personal emails and therefore did not have to produce the emails in discovery.

Contact Information