Articles Posted in Privacy Rights of Employees

At our Annual Employment Law Seminar last week, I spoke about the “Facebook Privacy” bill that was then pending in Delaware’s House of Representatives.  The bill passed the House later that day and is now headed to the Senate.  For those of you who weren’t in attendance last week, here’s a brief recap of the proposed law.

The stated purpose of HB 109 is to protect individuals’ privacy in their personal social media accounts.  Generally speaking, HB 109 would prohibit employers from requiring or requesting that an employee or applicant give the employer access to their personal social-media accounts, either by giving up their passwords or by logging in and letting the employer take a look (also known as “shoulder surfing”).

As we all know, though, with any law, the devil is in the details.  And there are, not surprisingly, a few devilish details.  For example. . .

HB 109 prohibits an employer from asking an employee (or applicant) to disclose “a username . . . for the purpose of enabling the employer to access personal social media.”  As written, that would mean that an employer could not ask a candidate what his or her Twitter handle is.  Twitter is, generally speaking, a publicly available site.

So an applicant could have a public Twitter account, where he tweets racist or sexist speech or talks about how he likes to steal money from his current employer, but the employer wouldn’t be able to ask about it?  Huh?  I suppose we’d just have to wait till discovery in a lawsuit before we could ask for that (public information)?  Not my favorite part of this law.

There are other confusing parts of HB 109 that I think likely are unintended consequences of the legislation.  But, with 38 votes in favor and none against, it appears that the unintended consequences are well on their way to becoming law.  We’ll see what the Senate has to say about it and will be sure to keep you updated.  In the meantime, you can track HB 109 here.

Employers, do you know what apps your employees are using?  That’s the question posed by a recent article in the WSJ.  (See Companies Don’t Know What Apps Their Employees Are Using).  My guess is that the answer to this important question is, “No.”  Here are my top tips for how not to be the employer discussed in the WSJ article.

First, have a policy about employees’ use of cloud-based apps to save work-related documents.  Consider prohibiting employees from saving work documents to cloud-based storage accounts such as Dropbox, SkyDrive, and  Also consider prohibiting employees from backing up the contents of their work laptops to cloud-based back-up accounts, such as Mozy and Carbonite.

Second, communicate your policy to all affected employees.  If employees don’t know about the prohibitions, your policy is unlikely to have the desired deterrent factor.  This means that your policy needs to be written in plain English and that it should be publicized to employees in a way that will actually be heard.

Third, enforce the policy.  Don’t make exceptions.  If an employee violates the policy, the employee should be disciplined accordingly.  Even if the employee is your favorite employee.  And even if the employee complains a lot about the policy, and claims that he or she needs the online storage and/or back-up accounts.  The answer is “no.”  And that answer must be consistent, regardless of how loudly an employee complains.

As a bonus point, I’ll note that employers should consider having all employees execute a confidentiality agreement.  The agreement can be very brief; a paragraph long does the trick, most of the time.  But the key is to have all employees execute the document.  And, ideally, have the employees reaffirm their adherence to the confidentiality agreement on a yearly basis.

A lot of additional work?  Yes.  But, if you have an employee who defects to a competitor and takes with him several gigabytes worth of your confidential data, the extra “work” will be worthwhile.  You’ll be glad you have taken these steps, and don’t hesitate to thank me for the great suggestions.

Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer, particularly when the new employer is a competitor.  When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue.

Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network.  But what if the employee turns over his personal emails or text messages without realizing it?  The answer is, as always, “it depends.”  A recent case from a federal court in California addresses the issue in a limited context.

After the employee resigned, the employer sued him for misappropriating trade secrets.  He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws.  The employee alleged that the employer had reviewed his personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.

All of the employee’s counter-claims were dismissed by the court.  The court found that the Wiretap Act claim failed because there was no allegation that the employer had intentionally intercepted any messages.  The SCA claims failed because there was no allegation that the employer had accessed any messages.  And, perhaps most obviously, the privacy claims failed because the employee could not have had a reasonable expectation of privacy.

The court specifically found that the employee had “failed to comport himself in a manner consistent with objectively reasonable expectation of privacy” by failing to unlink his old phone from his Apple account, which is what caused the transmission of his text messages to his former employer.

Sunbelt Rentals, Inc. v. Victor, No. C 13-4240-SBA (N.D. Cal. Aug. 28, 2014).

See also

Too Creepy to Win: Employer Access to Employee Emails

Traveling for Work and Late-Night Emails

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Delaware’s Governor has signed legislation related to the safe destruction of documents containing personal identifying information. The bill is effective January 1, 2015, and requires that commercial entities take all reasonable steps to destroy a consumer’s personal identifying information within the business’s custody and control, when the information is no longer to be retained. Destruction includes shredding, erasing, or otherwise destroying or modifying the personal identifying information to make it entirely unreadable or indecipherable through any means.

Personal identifying information includes, but is not limited to, a consumer’s first name or first initial and last name in combination with any one of the following: a signature; date of birth; social security number; passport number; driver’s license number; insurance policy number; or financial information (such as a credit card number).

There are exceptions for federally regulated financial institutions, healthcare organizations subject to HIPAA, consumer reporting agencies subject to the FCRA, and governmental bodies.

Violation of the statute carries stiff penalties, including treble damages.

The legislation is not a model of clarity, and leaves a lot of questions as to how it will be applied to Delaware businesses. Until the courts provide additional guidance, Delaware businesses are well advised to carefully review their document security.

The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers.  This is just one story in a string of recent headlines involving the vulnerability of Internet sites.  But consumers aren’t the only ones affected.  The companies whose websites have been attacked are employers, after

Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability.  So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.

One option being considered by some employers is blocking employees from accessing their personal, web-based email accounts from the company’s servers.  Companies can install powerful (albeit not impenetrable) spam-filtering software that can catch and prevent many Internet-based security threats.  But that software works only on emails that come through the company’s email servers.  Email that is opened through a web-based account, such as Gmail or Hotmail, is not subject to the company’s protective measures.

Which is precisely why many IT professionals see web-based email accounts as a major security threat.  But what’s an employer to do?  Employers have long been trying to prevent the productivity loss associated with employees’ personal use of the Internet during working time.  But now this effort has become a top priority.

Will employees stop checking their personal email at work if they’re asked nicely?  If they understand the risks?  Maybe.  Maybe not.  But it certainly wouldn’t be a bad place to start.  Perhaps your company should consider explaining to its employees exactly why you don’t want them to check their personal email during working time.  Hey, it’s worth a try.

By the way . . .

Data Security is the topic of one of the sessions at this year’s Annual Employment Law Seminar, which is coming up on May 8.  If you haven’t registered, there’s still time.  Just click here to get to the Seminar Registration page.

Another case involving employer access to an employee’s personal email account.  And the bad things that follow.

The plaintiff was an administrative assistant to the Athletic Director of a public school district in Tulsa, Oklahoma.  In her complaint, she alleged that she had reported that the Director and two Assistant Directors had “endangered the health and safety of students” and had “misappropriated funds.”  In other words, she was a whistleblower.

Shortly after she made these reports, the Director suspended her and recommended that she be terminated.  She grieved the recommendation.

Apparently during the grievance process, the plaintiff was contacted by the cyber-crimes division of the Tulsa Police Department, who informed her that her private email account had been hacked.

She filed suit, alleging that the Director and two Assistant Directors intentionally obtained access to her private emails and used the information that they unlawfully obtained in order to pursue the recommendation to terminate her employment.  She brought several claims, including constitutional claims under the 1st and 4th Amendments, statutory claims under the federal and state wiretapping laws, and state tort claims.  The defendants moved to dismiss.

The opinion addresses several arguments on each claim but there are certain holdings that bear mention here.

First, the plaintiff’s Fourth Amendment claim survived dismissal.  The court found that she had adequately pleaded that she had a reasonable expectation of privacy in her personal email account and that the hacking constituted an unlawful search and seizure of her account and/or emails in the account.

Second,  her privacy claim survived for the same reasons.  Basically, the court found that having your private email hacked and then the contents used against you in proceedings to have you terminated from your employment would be a “highly offensive” intrusion to a reasonable person.  This was further supported by the fact that the Tulsa Police Department considered her to be a victim of cyber-crime.

Third, the claim for intentional infliction of emotional distress survived, again, largely for the same reason.  The court concluded that the conduct could be plausibly deemed outrageous in nature.

I think many of us would agree that this motion to dismiss did not stand much of a chance.  (Although, the opinion is not very detailed in its description of the alleged events and did leave me with some unanswered questions about the actual allegations contained in the complaint.)  If an individual’s personal email account is intentionally targeted for hacking by anyone, it’s going to be a serious source of distress.  If the hacking is done by your direct supervisors for the purpose of making sure you lose your job because you (allegedly) blew the whistle about what you believed to be improper conduct, you are likely to be very close to “extreme” distress.  Wouldn’t you think?  The Northern District of Oklahoma did.

Murphy v. Spring, No. 13-cv-96-TCK-PJC (N.D. Okla. Sept. 12, 2013).

Does an employee who communicates with his lawyer from a company email account waive the attorney-client privilege with respect to those communications?  The answer is not terribly well settled, not in Delaware and not in most jurisdictions.  But a recent decision by the Delaware Court of Chancery gives Delaware employers and litigants a pretty good idea of the analysis to be applied.

The case, In re Information Management Services, is an unusual type of derivative litigation in that it involves two families, each suing the other for breaches of fiduciary duty.  Two of the company’s senior executives, who were alleged to have mismanaged the company in violation of their fiduciary duties, sent emails to their personal lawyers from their company-issued email accounts.  During discovery, the executives refused to produce the emails, claiming them to be protected by the attorney-client privilege.  The plaintiffs sought to compel production of the emails.

The court adopted the four-factor test first enumerated in In re Asia Global Crossing, Ltd. (Bankr. S.D.N.Y. 2005), and applied it to determine whether the executives had a reasonable expectation of privacy in the contents of the emails that they sought to protect.  The court determined that the executives did not have a reasonable expectation of privacy in the contents of the emails because the company’s policy expressly warned that employee emails were “open to access” by the company’s staff.  The policy permitted personal use of the company’s computers “after hours” but warned that, if an employee wanted to keep files private, the files should be saved offline.  Thus, the policy was key in ensuring the company can now access emails between the executives and their counsel.

There are a few particularly notable points in the decision that are worth mention. 

First, Delaware law generally provides great deference to the attorney-client privilege.  Usually, the privilege is considered very difficult to waive.  By contrast, this case suggests that a company policy is sufficient to overcome that otherwise difficult hurdle.  The court goes so far as to say that a policy that prohibits all personal use would likely be sufficient to waive the privilege without any further analysis.

Second, the court seemed to place a high burden on the executives. Vice Chancellor Laster recognized that the executives wrote in the subject lines of the emails, “Subject to Attorney Client Privilege” but concluded that the failure to use webmail (such as G-Mail or Yahoo!) or encryption rendered the communications not confidential.  The court wrote that there could be no reasonable expectation of privacy because:

a third party to the communication had the right to access [the] emails when [the executives] communicated using their work accounts.

The “third party” in this case was the company and its IT staff. But the holding raises questions of whether use of a service such as Dropbox, which, by its terms of service, expressly notifies users of its right to access the contents of any account, would also waive the privilege.  In that case, a third party has the right to access contents so, in accordance with the court’s decision, there could be no reasonable expectation of privacy and, therefore, no privilege.

The decision is very well researched and contains a stockpile of case citations and references for those who may be interested in the subject matter.  And even for those who may not be interested in the macro view of this area of the law, there is one key lesson to take away: Delaware employers should carefully review their policies to ensure that the language clearly warns employees that the company reserves the right to monitor, access, and/or review all emails sent or received from a company email account.  Now, the question of whether a personal, web-based email account, accessed via the company’s servers, would be subject to the same analysis is an even trickier one and one that we’ll save for a later date.

In re Info. Mgmt. Servs., Inc., No. 8168-VCL (Del. Ch. Sept. 5, 2013).

Employee accesses her personal, web-based email account, such as G-Mail, from her employer’s computer. As a result, employer has access to the account. Employee resigns and sues the employer alleging unlawful discrimination, harassment, or other employment-related claim. May the employer lawfully access the emails sent by the employee that are now available via the employer’s computer?

It depends, of course. (You didn’t really think I was going to give you a straight yes or no, did you?)

There are a number of factors that go into answering this question. And, although it’s tempting, I’m not going to discuss all of them here. Instead, I am going to discuss a case from a federal court in Ohio that involves some similar (and some different) facts with an important lesson for a holding.

The case is Lazette v. Kulmatycki. The employee-plaintiff, Lazette, alleged that she was issued a Blackberry by her employer, a Verizon affiliate. Lazette claimed that she was permitted to use the phone to access both her work and personal email accounts. She alleged that, at the end of her employment, she turned the phone in to her supervisor, defendant Kulmatycki. At that time, she believed she had disconnected access to her personal G-Mail account.

As it turns out, claims Lazette, she hadn’t. And, for the next 18 months, her former supervisor read “48,000 emails” sent to Lazette’s G-Mail account.


Lazette, not surprisingly, sued the supervisor and her former employer for a variety of privacy-related claims. Somewhat surprisingly, at least to me, the employer moved to dismiss the claims. A motion to dismiss, at least ’round these parts, is a tough motion to win. The standard is very much in the plaintiff’s favor and, unless there’s really nothing in the complaint that resembles a valid claim, the court is likely to deny a motion seeking dismissal prior to discovery.

But that’s what the employer did. As a result, we get the benefit of the court’s analysis of a question not often addressed in written decisions.

The most interesting part of the analysis to me is the part discussing the plaintiff’s Stored Communications Act (SCA) claim. The plaintiff asserted that the supervisor and employer violated the SCA when the supervisor accessed the plaintiff’s personal email without authorization.

Although the SCA is a tremendously complicated statute that has been interpreted in more ways than I can count, it seems to easily apply to the facts alleged here. In the simplest terms, the SCA is violated when an individual accesses without authorization an electronic communication in storage.

Surely the employee’s emails constitute electronic communication. Surely they were in storage: the complaint did not allege that the defendants intercepted the emails while they were being transmitted. The complaint alleges that the supervisor read the emails once they’d reached the plaintiff’s G-Mail account. So the question, then, is whether the supervisor was an “authorized user” under the statute.

Folks, let me offer a humble thesis here. If it sounds “bad,” meaning that it is likely to give most people the creeps, the courts will apply the law to remedy that bad act. In other words, a defense of “but the law does not prohibit me from being a slimy character” should be a defense of last resort.

Now, don’t get me wrong, that was not the defense asserted in this case. But it was close. In their motion to dismiss, the defendants argued that the supervisor was “authorized” to access Lazette’s email account because, for example, she failed to properly delete the account from her phone before turning it in. They also argued that she failed to tell them not to access her personal emails during the 18 months following the end of her employment.

Both of these constitute what I like to call a “blame-the-victim” defense. This, too, should be considered a defense of last resort.

At the end of the day, the court was faced with allegations (which the court, at this stage, must take as true) that an employee’s former supervisor was essentially spying on the former employee by reading her personal email without her knowledge or consent. And he did so for a year and a half.

It’s creepy. It may not be true. But, as pleaded, it sounds creepy. With allegations like this, it’s hard to imagine that a motion to dismiss would be successful. And it wasn’t.

Now, that doesn’t mean that the employer is lost at sea. The employee still must prove damages, for example. Oh, wait, no it doesn’t. Even if the plaintiff cannot prove actual damages and, therefore, is not entitled to recover statutory damages, she may still be entitled to an award of punitive damages. At least that’s what the Fourth Circuit held in 2009 in Van Alstyne v. Electronic Scriptorium, Ltd., when it upheld an award of punitive damages to an employee whose former employer accessed the employee’s AOL account in search of evidence in defense of the employee’s harassment lawsuit.

I’m all for silver linings but they may be difficult to find in this case.  Just remember, if the alleged conduct gives you the creeps, it’s probably a good idea to consider whether settlement discussions aren’t in order.

Lazette v. Kulmatycki, No. 12-2416 (N.D. Ohio June 5, 2013).

See also

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

The University of Delaware announced that confidential employee data was compromised, reports the News Journal. And the breach is a sizeable one: the University estimates that the names, addresses, and social security numbers for more than 72,000 current and former employees may have been stolen. As reported by the News Journal, the university “is working to notify everyone who had their information compromised” and the school will pay for credit-monitoring services.

An employee in the IT Department apparently discovered a possible breach on July 22. At that time, though, the university was not sure about whether a breach had occurred and, if so, the scope of the problem. But a forensic investigation confirmed that the data had been compromised.

Like many other states, Delaware has a computer-breach law that governs how an entity must respond when it suspects that a breach of personal information has occurred. “Personal information” includes, among other things, social security numbers, so the breach at UD triggers the law’s requirements. The university seems to have complied with these requirements by promptly conducting an investigation and then, when the investigation indicated that a breach had occurred, notifying the victims of the breach.

Delaware employers must be aware of their duties when they discover that employee data may have been breached. Importantly, a breach need not occur in the form of a computer hack like what appears to have happened at the University of Delaware. It also can come in the form of an employee who sends herself a copy of payroll data just before she resigns. If the payroll data contains bank-account numbers and/or social-security numbers, and it’s in the possession of a former employee, you have a duty to take immediate action under Delaware law.

See also

What to Do If Your Employees’ Confidential Data Is Stolen

Your Employees Are Stealing Your Data

Delaware Retirees’ Personal Data Accidentally Posted Online

Employers’ access to employees’ and applicants’ Facebook accounts is legally limited in 12 states.  The restrictions, though, vary widely.  Most of these laws were, at least according to their proponents, intended to prohibit employers from requesting or requiring an employee’s or applicant’s password or account information for the purpose of gaining access to the account as a sort of back-door background check.  Unfortunately, many of the laws go (or potentially go) far beyond that simple limitation. 

I’ve been opposed to these bills since they first hit the legislative radar and continue to think they are unnecessary.  For one, they attempt to fix a problem that does not exist: employers are not asking for applicants’ Facebook passwords.  The handful of reported incidents across the country should not prompt a flurry of legislative initiatives.

And, second, the law already prohibits such conduct.  As I’ve previously written, I believe that, at least arguably, the Stored Communications Act (SCA), which is a part of the federal wiretap statute, would prohibit employers from gaining access to an account in this way. 

Now there is a case that takes that idea one step further. In Rodriguez v. Widener University, the Eastern District of Pennsylvania declined to dismiss a claim brought under the SCA based on allegedly unlawful access to the plaintiff’s Facebook account.

Specifically, the student-employee alleged that his employer obtained access to his Facebook account and suspended him because he was perceived to be a threat to the community due to posts displaying images of weapons.  The employer moved to dismiss the Complaint and was successful on all but one count: the count brought under the SCA alleging unlawful access to his Facebook posts.  The employer argued that the posts “were accessible to the general public and/or forwarded to [the defendants] by concerned students who had equal and permitted access to Plaintiff’s Facebook postings.”

Unfortunately for the employer, on a motion to dismiss, facts not alleged in the Complaint (i.e., the Facebook posts were public and, therefore, not accessed unlawfully), cannot be considered by the court.  Instead, only the allegations in the Complaint itself can be considered.  And, here, the plaintiff’s complaint did not allege that they were publicly available.  Hence, because there was no factual basis in the complaint to support the public or non-public nature of the plaintiff’s Facebook page, the court declined to dismiss that count.

So, what does this mean?  Most important, and most unfortunately for employers, it means that there are likely more suits like this to come.  When an employer receives a complaint from another employee about a potential threat or similar concern about potential workplace violence by another employee, the employer must investigate it.  The same rule applies for complaints about inappropriate conduct that could be or give rise to unlawful harassment or discrimination.  The employer has a legal duty to investigate.

And if the complaint is brought to the attention of an employer via a forwarded or printed copy of a Facebook post, the employer cannot (nor should it) ignore it.  So long as the employer does not access the post or page without authorization, the employer has not violated the law.  If a third party, such as a coworker, brings the Facebook post to the attention of the employer, there’s been no unlawful conduct by the employer.  Unfortunately, that does not mean the employer won’t get sued, which appears to be what happened in this case.

So what’s an employer to do?  It’s a very difficult line to walk. The safest thing, at this stage in the still-developing legal landscape, seems to be one of two things. First, to not show the employee the copy of the posts at all.  Instead, simply state that you’ve received credible information regarding XYZ conduct and that you are investigating that complaint.  Second, you could show the employee the posts during the course of your investigation and make clear that the posts were provided to you by a credible source but that you did not access the Facebook page. 

Either way, the employer is between a rock and a hard place.  On one hand, the employer has a duty to investigate. On the other, the employee is not obligated to allege in his complaint whether or not the posts were publicly available, thereby avoiding dismissal at the early stage of the case.

Rodriguez v. Widener Univ., No. 13-1336 (E.D. Pa. June 17, 2013).
