Recently in Privacy In the Workplace Category

A Perk of BYOD Policies at Work

Posted by Molly DiBiancaOn October 20, 2014In: Non-Compete Agreements, Policies, Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Email This Post | Print this Post

Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer—particularly when the new employer is a competitor.   When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue.  privacy policy with green folder

Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network.  But what if the employee turns over his personal emails or text messages without realizing it?  The answer is, as always, “it depends.”  A recent case from a federal court in California addresses the issue in a limited context.

After the employee resigned, the employer sued him for misappropriating trade secrets.  He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws.  The employee alleged that the employer had reviewed his text personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.

All of the employee’s counter-claims were dismissed by the court.  The court found that the Wiretap Act claim failed because there was no allegation that the employer had intentionally intercepted any messages.  The SCA claims failed because there was no allegation that the employer had accessed any messages.  And, perhaps most obviously, the privacy claims failed because the employee could not have had a reasonable expectation of privacy.

The court specifically found that the employee had “failed to comport himself in a manner consistent with objectively reasonable expectation of privacy” by failing to unlink his old phone from his Apple account, which is what caused the transmission of his text messages to his former employer.

Sunbelt Rentals, Inc. v. Victor, No. C 13-4240-SBA (N.D. Cal. Aug. 28, 2014).

See also

Too Creepy to Win: Employer Access to Employee Emails

Traveling for Work and Late-Night Emails

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Is It Time to Reconsider Your Personal Email Policy?

Posted by Molly DiBiancaOn April 14, 2014In: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Email This Post | Print this Post

The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers.  This is just one story in a string of recent headlines involving the vulnerability of the Internet sites.  But consumers aren’t the only ones affected.  The companies whose websites have been attacked are employers, after all. computer help button

Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability.  So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.

One option being considered by some employers is blocking employees from their personal, web-based email accounts from the company’s servers.  Companies can install powerful (albeit not impenetrable) spamware that can catch and prevent many Internet-based security threats.  But that spamware works only on emails that come through the Company’s email servers.  Email that is opened through a web-based account, such as GMail or Hotmail is not subject to the company’s protective measures.

Which is precisely why many IT professionals see web-based email accounts as a major security threat.  But what’s an employer to do?  Employers have long been trying to prevent the productivity loss associated with employees’ personal use of the Internet during working time.  But now this effort has become a top priority.

Will employees stop checking their personal email at work if they’re asked nicely?  If they understand the risks?  Maybe.  Maybe not.  But it certainly wouldn’t be a bad place to start.  Perhaps your company should consider explaining to its employees exactly why you don’t want them to check their personal email during working time.  Hey, it’s worth a try.

By the way . . .

Data Security is the topic of one of the sessions at this year’s Annual Employment Law Seminar, which is coming up on May 8.  If you haven’t registered, there’s still time.  Just click here to get to the Seminar Registration page.

What Your Employees Steal May Be Used Against You In a Court of Law

Posted by Molly DiBiancaOn December 3, 2013In: Privacy In the Workplace

Email This Post | Print this Post

Can employee theft be a protected activity? Unfortunately, yes.  As I’ve written previously, employee theft of data and documents is so common it’s frightening—or should be—to any employer.  See Your Employees Are Stealing Your Data; Your Employees Are (Still) Stealing Your Data.

When an employer discovers that a recently separated employee has taken with him or her the employer’s data in electronic and/or paper format, there are a few possible outcomes.  Frequently, legal counsel is able to get the documents returned and an affidavit signed by the employee certifying that he no longer has any of the employer’s property in his possession, custody, or control, and that, should he later discover that he does still have such property, that he will contact the employer immediately and cooperate fully in returning it.  In these cases, it is up to the employer whether or not to “go after” the documents (and/or the employee who stole them).   data thief employee

But this is not always the case.  Employees have stolen the employer’s documents only to then attempt to use those documents in litigation against the employer.  Yes, this is as horrible as it sounds.

Here’s the nightmarish scenario.  Employee sues employer, alleging that employee was subject to unlawful discrimination based on age.  While still employed, employee steals a copy of her personnel file and the personnel file of the younger co-worker who employee claims was promoted instead of employee.   During discovery in the litigation, employee produces copies of these stolen documents and claims that they support her age-discrimination claim.

You now know that the employee wrongfully accessed the co-worker’s (confidential) personnel file, made a copy of it, and retained that copy (presumably giving a copy to her lawyer, who then produced it to you during discovery).  The rational employer would likely respond to this information by terminating (or at least wanting to terminate) the employee for breaching all sorts of policies.  And, if the file contained certain personal data, the employer would likely have a legal duty to notify the affected co-worker, as well.

But, alas, the law is never as obvious as one may hope.  There is a small body of cases that held that problems can arise if the employer does what most rational employers would want to do—i.e., fire the thief-employee.  For example, in a 2010 decision, the New Jersey Supreme Court held that it was, in fact, unlawful to terminate the employee for precisely the conduct described above.  The court found that the employee gave the documents only to her lawyers, that the documents were directly relevant to the employee’s claim of discrimination, that the disclosure of the documents did not threaten the company’s operations, and the employee had a reasonable basis to believe that the documents would not have been produced during discovery.   Quinlan v. Curtiss-Wright Corp., 204 N.J. 239 (2010).

Ugh.  I should hope that it goes without saying but, wow, that is disturbing.

Thankfully, there are cases and courts that disagree with that approach.  For example, in an opinion from the normally employee-friendly Ninth Circuit, the court held that the plaintiff-employee could not support his age-discrimination claim with documents taken from his supervisor’s office.  Instead, the court explained,

[W]e are loathe to provide employees an incentive to rifle through confidential files looking for evidence that might come in handy in later litigation. The opposition clause protects reasonable attempts to contest an employer’s discriminatory practices; it is not an insurance policy, a license to flaunt company rules or an invitation to dishonest behavior.

O’Day v. McDonnell Douglas Helicopter Co., 79 F.3d 756 (9th Cir. 1996).   The Ninth Circuit is not alone in rejecting the idea that an employee’s theft should be endorsed by the courts.   The Sixth Circuit reached a similar result in Niswander v. Cincinnati Ins. Co., 529 F.3d 714, 718 (6th Cir. 2008).

Nevertheless, if you thought that your employees could not use stolen information against you, you may want to think again.  And then think about whether you have solid confidentiality and privacy policies in place.  More and more employers require employees to sign a confidentiality agreement every year.  And, with cases like Quinlan, this idea seems to be a prudent one.

Your Employees Are (Still) Stealing Your Data

Posted by Molly DiBiancaOn October 29, 2013In: Electronic Monitoring, Policies, Privacy In the Workplace

Email This Post | Print this Post

The Wall Street Journal recently reported some eye-opening results of a survey regarding information theft by employees.  Here are some of the most disturbing (though not surprising) findings from the survey:

  • 50 percent of employees kept confidential information post-separation;
  • 40 percent plan to use confidential information in their future employment; and
  • 60 percent say a co-worker has offered documents from a former employer

So what do these statistics say? In short, they say that your employees are stealing your intellectual propertyEmployee IP Theft

And here are two more interesting findings:

  • 52 percent of employees don’t believe that it’s a crime to use a competitor’s confidential business information; and
  • 68 percent of employees say their organization doesn’t take preventative measures to ensure employees don’t use competitive information.

So what do these statistics say? Well, they say that neither your former employees nor their new employers think there’s anything wrong with stealing and using your intellectual property.

These statistics don’t surprise me at all. Theft of confidential information by departing employees is an epidemic. In my experience, it is one of the biggest challenges faced by employers today. Perhaps the single biggest.

And making matters worse is the fact that most employers don’t know that it’s happening. But it doesn’t have to be this way. Here are some things every employer can do to limit the impact of this epidemic:

Have a policy. Employers should have a confidentiality policy that all employees are required to sign—separate from the employee manual is preferable.

Educate employees. Once is not enough. Employees should be required to re-sign the policy each year. Yes, really. This is a very serious problem and there is no such thing as being too proactive to prevent it.

Use technology. Employees walk away with your data in any number of ways but almost always in a way that involves technology, so put technology to work for you. For example, consider utilizing software that alerts IT any time an employee sends a large number of attachments via email. Limit access to Dropbox and similar cloud-storage sites from work devices.

Ask the tough questions. Even if you’ve done nothing to limit electronic theft beforehand, there’s no time like the present. Ask every departing employee to confirm in writing that he is not in possession of any company property (including in electronic form) and promise that, should he later discover that he does have your property, that he will return it immediately.

See also  Your Employees Are Stealing Your Data

UD Employees’ Confidential Info Hacked

What to Do If Your Employees’ Confidential Data Is Stolen

Computer Fraud and Abuse Act: Government to the Rescue of Employers?

Putting the Computer Fraud and Abuse Act to Work for Employers

Court Finds Duty to Preserve Personal Emails of Employees

Posted by Molly DiBiancaOn October 15, 2013In: Policies, Privacy In the Workplace, Purely Legal, Social Media in the Workplace

Email This Post | Print this Post

The modern workplace presents a cornucopia of problems thanks to technology.  As much as employers may want to restrict employees from surfing the Internet or checking Facebook during working time, it’s nearly impossible.  After all, employees can just use their personal cellphones to get online.  Add to that reality the fact the growing popularity of BYOD policies. 

So what, you might ask?  Well, one big problem is when an employee uses his personal device or account for company business.  The issue of whether the employer is deemed to have custody or control over an employee’s work-related emails sent to and from the employee’s personal email account. BYOD

In a recent case in Kansas, the court found that the employer did not have possession, custody, or control of employees’ personal emails and therefore did not have to produce the emails in discovery.

But a new case from Puerto Rico takes a different approach.  In P.R. Telephone Co., Inc., v. San Juan Cable LLC, the court found that the company did have a duty to preserve relevant email from the personal email accounts of three of the company’s former officers.  The only facts given by the court as the basis for its decision is that the company “presumably knew” that its officers had used their personal email accounts to manage the company for seven years.

Although the court did not order sanctions, it did find that there was a failure to preserve relevant evidence.  The court denied the motion for sanctions without prejudice, leaving open the possibility that the motion could be renewed if discovery revealed additional evidence of spoliation.

P.R. Telephone Co., Inc., v. San Juan Cable LLC, No. 11-2135 (GAG/BJM), 2013 U.S. Dist. LEXIS 146081 (D.P.R. Oct. 7, 2013).

[H/T Bow Tie Law Blog]

Boss Hacks Personal Email Account of Employee. Emotional Distress Follows.

Posted by Molly DiBiancaOn October 8, 2013In: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Email This Post | Print this Post

Another case involving employer access to an employee’s personal email account.  And the bad things that follow.

The plaintiff was an administrative assistant to the Athletic Director of a public school district in Tulsa, Oklahoma.  In her complaint, she alleged that she had reported that the Director and two Assistant Directors had “endangered the health and safety of students” and had “misappropriated funds.”  In other words, she was a whistleblower.  email hacked

Shortly after she made these reports, the Director suspended her and recommended that she be terminated.  She grieved the recommendation. 

Apparently during the grievance process, the plaintiff was contacted by the cyber-crimes division of the Tulsa Police Department, who informed her that her private email account had been hacked. 

She filed suit, alleging that the Director and two Assistant Directors intentionally obtained access to her private emails and used the information that they unlawfully obtained in order to pursue the recommendation to terminate her employment.  She brought several claims, including constitutional claims under the 1st and 4th Amendments, statutory claims under the federal and state wiretapping laws, and state tort claims.  The defendants moved to dismiss.

The opinion addresses several arguments on each claim but there are certain holdings that bear mention here. 

First, the plaintiff’s Fourth Amendment claim survived dismissal.  The court found that she had adequately pleaded that she had a reasonable expectation of privacy in her personal email account and that the hacking constituted an unlawful search and seizure of her account and/or emails in the account.

Second,  her privacy claim survived for the same reasons.  Basically, the court found that having your private email hacked and then the contents used against you in proceedings to have you terminated from your employment would be a “highly offensive” intrusion to a reasonable person.  This was further supported by the fact that the Tulsa Police Department considered her to be a victim of cyber-crime.

Third, the claim for intentional infliction of emotional distress survived, again, largely for the same reason.  The court concluded that the conduct could be plausibly deemed outrageous in nature.

I think many of us would agree that this motion to dismiss did not stand much of a chance.  (Although, the opinion is not very detailed in its description of the alleged events and did leave me with some unanswered questions about the actual allegations contained in the complaint.)  If an individual’s personal email account is intentionally targeted for hacking by anyone, it’s going to be a serious source of distress.  If the hacking is done by your direct supervisors for the purpose of making sure you lose your job because you (allegedly) blew the whistle about what you believed to be improper conduct, you are likely to be very close to “extreme” distress.  Wouldn’t you think?  The Northern District of Oklahoma did.

Murphy v. Spring, No. 13-cv-96-TCK-PJC (N.D. Okla. Sept. 12, 2013).

No Privacy Claim for Use of Student Facebook Picture

Posted by Molly DiBiancaOn October 6, 2013In: Privacy In the Workplace, Public Sector, Social Media in the Workplace

Email This Post | Print this Post

At a seminar about Internet safety, the District’s IT Director gave a presentation designed to illustrate the permanent nature of social-media posts and how your posts could be embarrassing if published by third parties.  One of the slides in the Director’s presentation, titled, “Once It’s There—It’s There to Stay",” showed a photo of a student in a bikini and standing next to a life-size cut-out of the rapper Snoop Dog. camera lens

The Director found the picture by browsing students’ Facebook pages for pictures to use in his presentation.  Paper copies of the presentation, including the slide featuring the student’s picture, which also identified her by name, were distributed to attendees. 

As you may imagine, the student, Chelsea Chaney, was not happy about her cameo.  She filed suit against the district and against the IT Director, alleging violations of her constitutional rights protected by the 4th and 14th Amendments, as well as state-law tort claims.  The District moved to dismiss.

First, the plaintiff contended that the public display of her picture constituted an unlawful search and seizure in violation of the 4th Amendment.  In order for the 4th Amendment to apply, there must be a reasonable expectation of privacy.  Here, the court held that no reasonable expectation of privacy could exist in the picture because the plaintiff had voluntarily made it available to her friends and, because of her Facebook settings, to her friends’ friends, as well.  By doing so, Chaney surrendered any reasonable expectation of privacy in the picture.  Thus, the 4th Amendment claim was dismissed.

The court reached the same conclusion with respect to the 14th Amendment claim. The 14th Amendment protects an individual’s interest in avoiding the disclosure of personal matters and in making certain decisions.  But the constitution does not create a blanket right of privacy.  Nor does it create a right to be free from public embarrassment or damage to reputation. 

So, what are the lessons to be learned from this case?  Well, if nothing else, it serves as yet another reminder about the permanent and public nature of social-media content.  Once you post it, it is out of your hands and you have no legal recourse if it is republished to others.

From an employment-law perspective, there is another twist.  The District had various social-media and Internet acceptable-use policies, each of which would seem to have been violated by the IT Director.  For example, District employees were required to notify a student’s parents prior to “use of and interaction with a student’s social-media page.”  Here, the Director searched students’ pages for content he could use in his presentation. 

Call me crazy but this seems like a major lapse of judgment on the part of the IT Director.  It’s one thing to give real-life examples but altogether a different thing to use as one of those examples an actual student who will be present in the audience.  Seriously?  As if high school is not hard enough, man.

Chaney v. Fayette County Pub. Sch. Dist., No. 3:13-cv-89-TCB (N.D. Ga. Sept. 30, 2013).

See also Is There a Reasonable Expectation of Privacy In Your Tweets?

Too Creepy to Win: Employer Access to Employee Email

Posted by Molly DiBiancaOn September 4, 2013In: Privacy In the Workplace, Privacy Rights of Employees

Email This Post | Print this Post

Employee accesses her personal, web-based email account, such as G-Mail, from her employer’s computer. As a result, employer has access to the account. Employee resigns and sues the employer alleging unlawful discrimination, harassment, or other employment-related claim. May the employer lawfully access the emails sent by the employee that are now available via the employer’s computer?

It depends, of course. (You didn’t really think I was going to give you a straight yes or no, did you?)Employee Personal Email

There are a number of factors that go into answering this question. And, although it’s tempting, I’m not going to discuss all of them here. Instead, I am going to discuss a case from a federal court in Ohio that involves some similar—and some different—facts with an important lesson for a holding.

The case is Lazette v. Kulmatycki. The employee-plaintiff, Lazette, alleged that she was issued a Blackberry by her employer, a Verizon affiliate. Lazette claimed that she was permitted to use the phone to access both her work and personal email accounts. She alleged that, at the end of her employment, she turned the phone in to her supervisor, defendant Kulmatycki. At that time, she believed she had disconnected access to her personal G-Mail account.

As it turns out, claims Lazette, she hadn’t. And, for the next 18 months, her former supervisor read “48,000 emails” sent to Lazette’s G-Mail account.

Yikes.

Lazette, not surprisingly, sued the supervisor and her former employer for a variety of privacy-related claims. Somewhat surprisingly, at least to me, the employer moved to dismiss the claims. A motion to dismiss, at least ‘round these parts, is a tough motion to win. The standard is very much in the plaintiff’s favor and, unless there’s really nothing in the complaint that resembles a valid claim, the court is likely to deny a motion seeking dismissal prior to discovery.

But that’s what the employer did. As a result, we get the benefit of the court’s analysis of a question not often addressed in written decisions.

The most interesting part of the analysis to me is the part discussing the plaintiff’s Stored Communications Act (SCA) claim. The plaintiff asserted that the supervisor and employer violated the SCA when the supervisor accessed the plaintiff’s personal email without authorization.

Although the SCA is a tremendously complicated statute that has been interpreted in more ways than I can count, it seems to easily apply to the facts alleged here. In the simplest terms, the SCA is violated when an individual accesses without authorization an electronic communication in storage.

Surely the employee’s emails constitute electronic communication. Surely they were in storage—the complaint did not allege that the defendants intercepted the emails while they were being transmitted. The complaint alleges that the supervisor read the emails once they’d reached the plaintiff’s G-Mail account. So the question, then, is whether the supervisor was an “authorized user” under the statute.

Folks, let me offer a humble thesis here. If it sounds “bad,” meaning that it is likely to give most people the creeps, the courts will apply the law to remedy that bad act. In other words, a defense of “but the law does not prohibit me from being a slimy character” should be a defense of last resort.

Now, don’t get me wrong—that was not the defense asserted in this case. But it was close. In their motion to dismiss, the defendants argued that the supervisor was “authorized” to access Lazette’s email account because, for example, she failed to properly delete the account from her phone before turning it in. They also argued that she failed to tell them not to access her personal emails during the 18 months following the end of her employment.

Both of these constitute what I like to call a “blame-the-victim” defense. This, too, should be considered a defense of last resort.

At the end of the day, the court was faced with allegations (which the court, at this stage, must take as true), that an employee’s former supervisor essentially spying on the former employee by reading her personal email without her knowledge or consent. And he did so for a year and a half.

It’s creepy. It may not be true. But, as pleaded, it sounds creepy. With allegations like this, it’s hard to imagine that a motion to dismiss would be successful. And it wasn’t.

Now, that doesn’t mean that the employer is lost at sea. The employee still must prove damages, for example. Oh, wait, no it doesn’t. Even if the plaintiff cannot prove actual damages and, therefore, is not entitled to recover statutory damages, she may still be entitled to an award of punitive damages. At least that’s what the Fourth Circuit held in 2009 in Van Alstyne v. Electronic Scriptorium, Ltd., when it upheld an award of punitive damages to an employee whose former employer accessed the employee’s AOL account in search of evidence in defense of the employee’s harassment lawsuit.

I’m all for silver linings but they may be difficult to find in this case.  Just remember, if the alleged conduct gives you the creeps, it’s probably a good idea to consider whether settlement discussions aren’t in order.

Lazette v. Kulmatycki, No. 12-2416 (N.D. Ohio June 5, 2013).

See also

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Kansas Court Mitigates the Risks of a BYOD Workforce

Posted by Molly DiBiancaOn August 12, 2013In: Policies, Privacy In the Workplace, Purely Legal, Social Media in the Workplace

Email This Post | Print this Post

BYOD at work is all the rage. What is BYOD, exactly? Well, it stands for “Bring Your Own Device” and, put simply, it means that an employee uses his own smartphone, tablet, or laptop for work as well as for his personal purposes.  BYOD policies raise several concerns, including increased security risks and wage-and-hour issues for work performed at home.  Another issue is one of particular interest to litigators like me—the question of how BYOD policies will affect e-discovery.  In other words, will an employer be on the hook for the preservation of its employees’ personal devices if those devices are used for work and for personal purposes? Discovery of text messages

The answer to this question can have wide-reaching impacts. For example, if the answer is, “yes,” the employer would be responsible for ensuring that each such device is preserved immediately upon the threat of litigation. But telling your employees to submit their personal smartphones to the company’s lawyers is probably not going to go over so well. 

A recent case from a federal court in Kansas gives hope to employers who want to permit employees to use their own devices without risking liability for failing to preserve those devices should litigation arise.  In Cotton v. Costco Wholesale Corp., the District of Kansas denied the employee-plaintiff’s motion to compel text messages sent or received by employees on their personal cell phones. The court’s decision was based on the fact that the employee had not shown that the employer had any legal right to obtain the text messages.  In other words, that the phones and the data they contained were not in the “possession, custody, or control” of the employer.

The court also based its decision on the absence of any evidence that the employees had used their phones for work-related business. Although it wasn’t the controlling factor in the outcome of the case, the fact that it was mentioned by the court is likely enough to give future litigants grounds to argue that where BYOD is the standard policy—officially or unofficially—there is a basis to compel production. But, for now, this decision is definitely a positive sign for risk-adverse employers.

Cotton v. Costco Wholesale Corp., No. 12-2731 (D. Kan. July 24, 2013).

H/T Jay Yurkiw at Porter' Wright’s Technology Law Source blog.

UD Employees Confidential Info Hacked

Posted by Molly DiBiancaOn July 31, 2013In: Delaware Specific, Privacy In the Workplace, Privacy Rights of Employees

Email This Post | Print this Post

The University of Delaware announced that confidential employee data was compromised, reports the News Journal. And the breach is a sizeable one—the University estimates that the names, addresses, and social security numbers for more than 72,000 current and former employees may have been stolen. As reported by the News Journal, the university “is working to notify everyone who had their information compromised” and the school will pay for credit-monitoring services. Theft of Employee Data

An employee in the IT Department apparently discovered a possible breach on July 22. At that time, though, the university was not sure about whether a breach had occurred and, if so, the scope of the problem. But a forensic investigation confirmed that the data had been compromised.

Like many other states, Delaware has a computer-breach law that governs how an entity must respond when it suspects that a breach of personal information has occurred. “Personal information” includes, among other things, social security numbers, so the breach at UD triggers the law’s requirements. The university seems to have complied with these requirements by promptly conducting an investigation and then, when the investigation indicated that a breach had occurred, notifying the victims of the breach.

Delaware employers must be aware of their duties when they discover that employee data may have been breached. Importantly, a breach need not occur in the form of a computer hack like what appears to have happened at the University of Delaware. It also can come in the form of an employee who sends herself a copy of payroll data just before she resigns. If the payroll data contains bank-account numbers and/or social-security numbers, and it’s in the possession of a former employee, you have a duty to take immediate action under Delaware law.

See also

What to Do If Your Employees’ Confidential Data Is Stolen

Your Employees Are Stealing Your Data

Delaware Retirees’ Personal Data Accidentally Posted Online

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Posted by Molly DiBiancaOn July 15, 2013In: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Email This Post | Print this Post

Employers’ access to employees’ and applicants’ Facebook accounts is legally limited in 12 states.  The restrictions, though, vary widely.  Most of these laws were, at least according to their proponents, intended to prohibit employers from requesting or requiring an employee’s or applicant’s password or account information for the purpose of gaining access to the account as a sort of back-door background check.  Unfortunately, many of the laws go (or potentially go) far beyond that simple limitation. 

I’ve been opposed to these bills since they first hit the legislative radar and continue to think they are unnecessary.  For one, they attempt to fix a problem that does not exist—employers are not asking for applicants’ Facebook passwords.  The handful of reported incidents across the country should not prompt a flurry of legislative initiatives.

And, second, the law already prohibits such conduct.  As I’ve previously written, I believe that, at least arguably, the Stored Communications Act (SCA), which is a part of the federal wiretap statute, would prohibit employers from gaining access to an account in this way. 

Now there is a case that takes that idea one step further. In Rodriguez v. Widener University, the Eastern District of Pennsylvania declined to dismiss a claim brought under the SCA based on allegedly unlawful access to the plaintiff’s Facebook account.

Specifically, the student-employee alleged that his employer obtained access to his Facebook account and suspended him because he was perceived to be a threat to the community due to posts displaying images of weapons.  The employer moved to dismiss the Complaint and was successful on all but one count—the count brought under the SCA alleging unlawful access to his Facebook posts.  The employer argued that the posts “were accessible to the general public and/or forwarded to [the defendants] by concerned students who had equal and permitted access to Plaintiff’s Facebook postings.”

Unfortunately for the employer, on a motion to dismiss, facts not alleged in the Complaint (i.e., the Facebook posts were public and, therefore, not accessed unlawfully), cannot be considered by the court.  Instead, only the allegations in the Complaint itself can be considered.  And, here, the plaintiff’s complaint did not allege that they were publicly available.  Hence, because there was no factual basis in the complaint to support the public or non-public nature of the plaintiff’s Facebook page, the court declined to dismiss that count.

So, what does this mean?  Most important, and most unfortunately for employers, it means that there are likely more suits like this to come.  When an employer receives a complaint from another employee about a potential threat or similar concern about potential workplace violence by another employee, the employer must investigate it.  The same rule applies for complaints about inappropriate conduct that could be or give rise to unlawful harassment or discrimination.  The employer has a legal duty to investigate.

And if the complaint is brought to the attention of an employer via a forwarded or printed copy of a Facebook post, the employer cannot (nor should it) ignore it.  So long as the employer does not access the post or page without authorization, the employer has not violated the law.  If a third party, such as a coworker, brings the Facebook post to the attention of the employer, there’s been no unlawful conduct by the employer.  Unfortunately, that does not mean the employer won’t get sued, which appears to be what happened in this case.

So what’s an employer to do?  It’s a very difficult line to walk. The safest thing, at this stage in the still-developing legal landscape, seems to be one of two things. First, to not show the employee the copy of the posts at all.  Instead, simply state that you’ve received credible information regarding XYZ conduct and that you are investigating that complaint.  Second, you could show the employee the posts during the course of your investigation and make clear that the posts were provided to you by a credible source but that you did not access the Facebook page. 

Either way, the employer is between a rock and a hard place.  On one hand, the employer has a duty to investigate. On the other, the employee is not obligated to allege in his complaint whether or not the posts were publicly available, thereby avoiding dismissal at the early stage of the case.

Rodriguez v. Widener Univ., No. 13-1336 (E.D. Pa. June 17, 2013).

Your Employees Are Stealing Your Data

Posted by Molly DiBiancaOn March 25, 2013In: Electronic Monitoring, Policies, Privacy In the Workplace

Email This Post | Print this Post

Employee resigns. But before her last day of work, Employee copies thousands of emails and documents from Employer’s computer.  Off goes Employee into the sunset.

How often is this scenario?  I bet most employers think this never happens in their workplace. I’d be willing to bet that it happens in almost every workplace.  It happens with such regularity, yet most employers are absolutely stunned to discover that it’s happened to them. 3d thief cracks safe

If you think it doesn’t happen pretty much all of the time, check out this post at the uber-popular website, Lifehacker.com, titled, How Can I Save All My Work Emails for a Personal Backup?  A reader submitted the following question:

I'm leaving my job and want to take my work emails with me. I've been burned at jobs before, and it became very useful to have an email paper trail behind me. How can I save all the emails so I can access them in the future, just in case I need them?

The author of the piece responds back, providing detailed, step-by-step instructions for how to do exactly that—take with you each and every email you sent and/or received during the course of your employment.

Putting aside how terrible of an idea this is on Lifehacker’s part (can you say, “promoting or endorsing illegal activity?), let’s focus just on the reality—which is, clearly, that your employees are taking your stuff!

What remedies are available to the employer?  Well, most immediately, there’s the demand that the items be returned.  Lawyers have a particular flair when it comes to a well-crafted cease-and-desist letter, so consider having your employment counsel get involved from the outset.

But if the employee refuses to return the documents or ignores your demand, then what? One option is to sue.  A variety of claims may be applicable, depending on the precise nature of the documents and information and on what the employee has done with them since her departure.  For example, the employer may have claims like conversion (civil theft, generally speaking), misappropriation of trade secrets, tortious interference, etc. 

And, depending on where the employee worked, there also may be a claim under the state and/or federal computer-misuse statutes.  In Delaware, for example, we have computer-misuse statutes that provide for recovery of an award of treble damages and attorney’s fees.  And, because Delaware is in the Third Circuit, we have the Computer Fraud and Abuse Act. 

This statute has limited application in other states—including those within in the Fourth and Ninth Circuits, where the Courts of Appeals have rejected the application of the CFAA in the employee-traitor context.  Instead, in those states, the statute is construed as applying only to the true computer hacker. 

The CFAA is a fascinating statute with complex provisions.  The Florida Bar Journal has an excellent analysis of the law—and of the different interpretations of the various Courts of Appeals—for those who may be interested.

For the rest of you, though, now is the time to implement a confidentiality agreement if you don’t already have one in place and to consider just how certain you are about what employees can and cannot take at the end of employment.

See also

Judge's Porn Habit Results In Suspension

Computer Fraud and Abuse Act: Government to the Rescue of Employers?

Putting the Computer Fraud and Abuse Act to Work for Employers

Putting the CFAA to Use, TV Style

Michigan Enacts Social-Media Privacy Law

Posted by Molly DiBiancaOn December 30, 2012In: Electronic Monitoring, Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Email This Post | Print this Post

Michigan is the latest State to pass a "Facebook-privacy" law. The law, called the Internet Privacy Protection Act, was signed by Gov. Rick Snyder last Friday. The law prohibits employers and educational institutions from asking applicants, employees, and students for information about the individual's social-media accounts, reports The Detroit News.

The Michigan law contains four important exceptions. Specifically, the law does not apply when:

1. An employee "transfers" (i.e., steals) the employer's "proprietary or confidential information or financial data" to the employee's personal Internet account;

2. The employer is conducting a workplace investigation, provided that the employer has "specific information about activity on the employee's personal internet account;"

3. The employer pays for the device (i.e., computer, smartphone, or tablet), in whole or in part; or

4. The employer is "monitoring, reviewing, or accessing electronic data" traveling through its network.

The enactment of Michigan's Social Network Account Privacy Act makes Michigan the fifth State this year to enact legislation that prohibits employers from requiring or requesting an employee or applicant to disclose a username or password to a personal social-media account. Maryland, Illinois, California, and New Jersey were the first four. California and Delaware passed similar legislation applicable to educational institutions. Notably, new legislation was introduced in California on December 3, which would extend that State's law to public employers.

I continue to believe that these laws are unnecessary and do nothing more than expose employers to legal risk with no real benefit to the citizenry. However, of all of the states to have passed such "internet-password-protection" laws, Michigan's is the first to contain these critically important exceptions. Without them, the laws have the potential to paralyze employers from conducting internal investigations that are necessary to protect both the organization as a whole and individual employees.

Problems With Delaware's Proposed Social-Media Law

Lawfulness of Employers' Demands for Facebook Passwords

Should Employer Cyberscreening Be Legislated?

Employers Who Demand Facebook Passwords from Employees. Oy Vey.

NJ Passes Password-Protection Law for Employees and Students

Posted by Molly DiBiancaOn October 30, 2012In: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Email This Post | Print this Post

New Jersey is the latest State to prohibit employers from requesting the passwords of employees and applicants. The N.J. Senate passed A2878 on October 25, 2012. The bill also prohibits employers from any kind of inquiry into whether the employee has an account on a social-networking site and from requiring that the employee or applicant grant the employer access to his or her social-networking account.
Although the Bill passed the Senate unopposed, the added exemption of law-enforcement agencies requires that the Bill be returned to the Assembly for approval before being sent to the Governor for approval, reports CBS New York.

Following Maryland, Illinois, and California, New Jersey is the fourth State in the country to pass a "Facebook-privacy" law applicable to employers.

New Jersey also passed a piece of sister legislation extending the prohibition to colleges and universities. That law passed the N.J. Senate unanimously and will prohibits educational instiuttions from requiring a student to disclose any user name, password or other means for accessing a personal social-networking site. Delaware and California are the only other states in the country with similar prohibiitons.

It's no secret that I am hardly a fan of these laws, which attempt to vigorously legislate a problem that does not exist. When I think of my friends and loved ones who have just experienced the loss and devastation resulting from Hurricane Sandy, I can't help but wonder whether the New Jersey legislature couldn't have found something better to make laws about.

A Really Bad Boss and a Really Awful Invasion of Privacy

Posted by Molly DiBiancaOn October 21, 2012In: Jerks at Work, Privacy In the Workplace, Privacy Rights of Employees

Email This Post | Print this Post

This lawsuit, which we'll file in the category of "Ultimate Jerks at Work," was reported by Kashmir Hill on Forbes.com. Here's the story, as alleged in the lawsuit.

Jonathan Bruns was working for a staffing agency when he was placed with a company in Houston, Texas. According to the complaint, Bruns asked if he could charge his cellphone in a wall outlet. His supervisor, Pete Offenhauser, obliged.

Apparently, after Offenhauser approved the request, he unplugged the phone from the wall and into his laptop. Once the phone was connected, Offenhauser had access to the pictures Bruns had stored on his phone. Among them were photos of Bruns' fiancee.

In the photos, Bruns' fiancee was, er, uh, nude.

What did Offenhauser do next? Oh, come on, I think we all know. He called everyone in the office over to his laptop. Once the whole group was gathered 'round, he showed them Bruns' photos. Bruns walked in and saw the goings on. When he asked what all the excitement was about, he was greeted with "laughs and inappropriate comments," many of which were made by his boss.

Bruns and his fiancee filed suit against the company, alleging invasion of privacy. This is not exactly a surprise, I'd say. But why not sue the supervisor, Offenhauser, individually? Well, presumably, because he was acting in his capacity as a supervisor at the time of the alleged conduct. But the alleged acts were, after all, tortious in nature, so there would likely be a claim against him, as well as against the company. The company, however, is more likely to have the money to pay.

And that, dear readers, is how the pixels crumble.