Recently in Privacy Rights of Employees Category

Is It Time to Reconsider Your Personal Email Policy?

Posted by Molly DiBianca on April 14, 2014 in: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers.  This is just one story in a string of recent headlines involving the vulnerability of Internet sites.  But consumers aren’t the only ones affected.  The companies whose websites have been attacked are employers, after all.

Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability.  So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.

One option being considered by some employers is blocking employees from accessing their personal, web-based email accounts through the company’s servers.  Companies can install powerful (albeit not impenetrable) spam-filtering software that can catch and prevent many Internet-based security threats.  But that software works only on emails that come through the company’s email servers.  Email that is opened through a web-based account, such as Gmail or Hotmail, is not subject to the company’s protective measures.

Which is precisely why many IT professionals see web-based email accounts as a major security threat.  But what’s an employer to do?  Employers have long been trying to prevent the productivity loss associated with employees’ personal use of the Internet during working time.  But now this effort has become a top priority.

Will employees stop checking their personal email at work if they’re asked nicely?  If they understand the risks?  Maybe.  Maybe not.  But it certainly wouldn’t be a bad place to start.  Perhaps your company should consider explaining to its employees exactly why you don’t want them to check their personal email during working time.  Hey, it’s worth a try.

By the way . . .

Data Security is the topic of one of the sessions at this year’s Annual Employment Law Seminar, which is coming up on May 8.  If you haven’t registered, there’s still time.  Just click here to get to the Seminar Registration page.

Boss Hacks Personal Email Account of Employee. Emotional Distress Follows.

Posted by Molly DiBianca on October 8, 2013 in: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Another case involving employer access to an employee’s personal email account.  And the bad things that follow.

The plaintiff was an administrative assistant to the Athletic Director of a public school district in Tulsa, Oklahoma.  In her complaint, she alleged that she had reported that the Director and two Assistant Directors had “endangered the health and safety of students” and had “misappropriated funds.”  In other words, she was a whistleblower.

Shortly after she made these reports, the Director suspended her and recommended that she be terminated.  She grieved the recommendation. 

Apparently during the grievance process, the plaintiff was contacted by the cyber-crimes division of the Tulsa Police Department, who informed her that her private email account had been hacked. 

She filed suit, alleging that the Director and two Assistant Directors intentionally obtained access to her private emails and used the information that they unlawfully obtained in order to pursue the recommendation to terminate her employment.  She brought several claims, including constitutional claims under the 1st and 4th Amendments, statutory claims under the federal and state wiretapping laws, and state tort claims.  The defendants moved to dismiss.

The opinion addresses several arguments on each claim but there are certain holdings that bear mention here. 

First, the plaintiff’s Fourth Amendment claim survived dismissal.  The court found that she had adequately pleaded that she had a reasonable expectation of privacy in her personal email account and that the hacking constituted an unlawful search and seizure of her account and/or emails in the account.

Second,  her privacy claim survived for the same reasons.  Basically, the court found that having your private email hacked and then the contents used against you in proceedings to have you terminated from your employment would be a “highly offensive” intrusion to a reasonable person.  This was further supported by the fact that the Tulsa Police Department considered her to be a victim of cyber-crime.

Third, the claim for intentional infliction of emotional distress survived, again, largely for the same reason.  The court concluded that the conduct could be plausibly deemed outrageous in nature.

I think many of us would agree that this motion to dismiss did not stand much of a chance.  (Although, the opinion is not very detailed in its description of the alleged events and did leave me with some unanswered questions about the actual allegations contained in the complaint.)  If an individual’s personal email account is intentionally targeted for hacking by anyone, it’s going to be a serious source of distress.  If the hacking is done by your direct supervisors for the purpose of making sure you lose your job because you (allegedly) blew the whistle about what you believed to be improper conduct, you are likely to be very close to “extreme” distress.  Wouldn’t you think?  The Northern District of Oklahoma did.

Murphy v. Spring, No. 13-cv-96-TCK-PJC (N.D. Okla. Sept. 12, 2013).

Delaware Chancery Ct. Finds No Privilege for Email Sent from Work Account

Posted by Molly DiBianca on September 10, 2013 in: Cases of Note, Delaware Specific, Privacy Rights of Employees

Does an employee who communicates with his lawyer from a company email account waive the attorney-client privilege with respect to those communications?  The answer is not terribly well settled—not in Delaware and not in most jurisdictions.  But a recent decision by the Delaware Court of Chancery gives Delaware employers and litigants a pretty good idea of the analysis to be applied.

The case, In re Information Management Services, is an unusual type of derivative litigation in that it involves two families, each suing the other for breaches of fiduciary duty.  Two of the company’s senior executives, who were alleged to have mismanaged the company in violation of their fiduciary duties, sent emails to their personal lawyers from their company-issued email accounts.  During discovery, the executives refused to produce the emails, claiming them to be protected by the attorney-client privilege.  The plaintiffs sought to compel production of the emails.

The court adopted the four-factor test first enumerated in In re Asia Global Crossing, Ltd. (Bankr. S.D.N.Y. 2005), and applied it to determine whether the executives had a reasonable expectation of privacy in the contents of the emails that they sought to protect.  The court determined that the executives did not have a reasonable expectation of privacy in the contents of the emails because the company’s policy expressly warned that employee emails were “open to access” by the company’s staff.  The policy permitted personal use of the company’s computers “after hours” but warned that, if an employee wanted to keep files private, the files should be saved offline.  Thus, the policy was key in ensuring the company can now access emails between the executives and their counsel.

There are a few particularly notable points in the decision that are worth mention. 

First, Delaware law generally provides great deference to the attorney-client privilege.  Usually, the privilege is considered very difficult to waive.  By contrast, this case suggests that a company policy is sufficient to overcome that otherwise difficult hurdle.  The court goes so far as to say that a policy that prohibits all personal use would likely be sufficient to waive the privilege without any further analysis.

Second, the court seemed to place a high burden on the executives. Vice Chancellor Laster recognized that the executives wrote in the subject lines of the emails, “Subject to Attorney Client Privilege” but concluded that the failure to use webmail (such as G-Mail or Yahoo!) or encryption rendered the communications not confidential.  The court wrote that there could be no reasonable expectation of privacy because:

a third party to the communication had the right to access [the] emails when [the executives] communicated using their work accounts.

The “third party” in this case was the company and its IT staff. But the holding raises questions of whether use of a service such as Dropbox, which, by its terms of service, expressly notifies users of its right to access the contents of any account, would also waive the privilege.  In that case, a third party has the right to access contents so, in accordance with the court’s decision, there could be no reasonable expectation of privacy and, therefore, no privilege.

The decision is very well researched and contains a stockpile of case citations and references for those who may be interested in the subject matter.  And even for those who may not be interested in the macro view of this area of the law, there is one key lesson to take away—Delaware employers should carefully review their policies to ensure that the language clearly warns employees that the company reserves the right to monitor, access, and/or review all emails sent or received from a company email account.  Now, the question of whether a personal, web-based email account, accessed via the company’s servers, would be subject to the same analysis is an even trickier one and one that we’ll save for a later date. 

In re Info. Mgmt. Servs., Inc., No. 8168-VCL (Del. Ch. Sept. 5, 2013).

Too Creepy to Win: Employer Access to Employee Email

Posted by Molly DiBianca on September 4, 2013 in: Privacy In the Workplace, Privacy Rights of Employees

Employee accesses her personal, web-based email account, such as G-Mail, from her employer’s computer. As a result, employer has access to the account. Employee resigns and sues the employer alleging unlawful discrimination, harassment, or other employment-related claim. May the employer lawfully access the emails sent by the employee that are now available via the employer’s computer?

It depends, of course. (You didn’t really think I was going to give you a straight yes or no, did you?)

There are a number of factors that go into answering this question. And, although it’s tempting, I’m not going to discuss all of them here. Instead, I am going to discuss a case from a federal court in Ohio that involves some similar—and some different—facts with an important lesson for a holding.

The case is Lazette v. Kulmatycki. The employee-plaintiff, Lazette, alleged that she was issued a Blackberry by her employer, a Verizon affiliate. Lazette claimed that she was permitted to use the phone to access both her work and personal email accounts. She alleged that, at the end of her employment, she turned the phone in to her supervisor, defendant Kulmatycki. At that time, she believed she had disconnected access to her personal G-Mail account.

As it turns out, claims Lazette, she hadn’t. And, for the next 18 months, her former supervisor read “48,000 emails” sent to Lazette’s G-Mail account.

Yikes.

Lazette, not surprisingly, sued the supervisor and her former employer for a variety of privacy-related claims. Somewhat surprisingly, at least to me, the employer moved to dismiss the claims. A motion to dismiss, at least ‘round these parts, is a tough motion to win. The standard is very much in the plaintiff’s favor and, unless there’s really nothing in the complaint that resembles a valid claim, the court is likely to deny a motion seeking dismissal prior to discovery.

But that’s what the employer did. As a result, we get the benefit of the court’s analysis of a question not often addressed in written decisions.

The most interesting part of the analysis to me is the part discussing the plaintiff’s Stored Communications Act (SCA) claim. The plaintiff asserted that the supervisor and employer violated the SCA when the supervisor accessed the plaintiff’s personal email without authorization.

Although the SCA is a tremendously complicated statute that has been interpreted in more ways than I can count, it seems to easily apply to the facts alleged here. In the simplest terms, the SCA is violated when an individual accesses without authorization an electronic communication in storage.

Surely the employee’s emails constitute electronic communication. Surely they were in storage—the complaint did not allege that the defendants intercepted the emails while they were being transmitted. The complaint alleges that the supervisor read the emails once they’d reached the plaintiff’s G-Mail account. So the question, then, is whether the supervisor was an “authorized user” under the statute.

Folks, let me offer a humble thesis here. If it sounds “bad,” meaning that it is likely to give most people the creeps, the courts will apply the law to remedy that bad act. In other words, a defense of “but the law does not prohibit me from being a slimy character” should be a defense of last resort.

Now, don’t get me wrong—that was not the defense asserted in this case. But it was close. In their motion to dismiss, the defendants argued that the supervisor was “authorized” to access Lazette’s email account because, for example, she failed to properly delete the account from her phone before turning it in. They also argued that she failed to tell them not to access her personal emails during the 18 months following the end of her employment.

Both of these constitute what I like to call a “blame-the-victim” defense. This, too, should be considered a defense of last resort.

At the end of the day, the court was faced with allegations (which the court, at this stage, must take as true) that an employee’s former supervisor was essentially spying on the former employee by reading her personal email without her knowledge or consent. And he did so for a year and a half.

It’s creepy. It may not be true. But, as pleaded, it sounds creepy. With allegations like this, it’s hard to imagine that a motion to dismiss would be successful. And it wasn’t.

Now, that doesn’t mean that the employer is lost at sea. The employee still must prove damages, for example. Oh, wait, no it doesn’t. Even if the plaintiff cannot prove actual damages and, therefore, is not entitled to recover statutory damages, she may still be entitled to an award of punitive damages. At least that’s what the Fourth Circuit held in 2009 in Van Alstyne v. Electronic Scriptorium, Ltd., when it upheld an award of punitive damages to an employee whose former employer accessed the employee’s AOL account in search of evidence in defense of the employee’s harassment lawsuit.

I’m all for silver linings but they may be difficult to find in this case.  Just remember, if the alleged conduct gives you the creeps, it’s probably a good idea to consider whether settlement discussions aren’t in order.

Lazette v. Kulmatycki, No. 12-2416 (N.D. Ohio June 5, 2013).

See also

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

UD Employees Confidential Info Hacked

Posted by Molly DiBianca on July 31, 2013 in: Delaware Specific, Privacy In the Workplace, Privacy Rights of Employees

The University of Delaware announced that confidential employee data was compromised, reports the News Journal. And the breach is a sizeable one—the University estimates that the names, addresses, and social security numbers for more than 72,000 current and former employees may have been stolen. As reported by the News Journal, the university “is working to notify everyone who had their information compromised” and the school will pay for credit-monitoring services.

An employee in the IT Department apparently discovered a possible breach on July 22. At that time, though, the university was not sure about whether a breach had occurred and, if so, the scope of the problem. But a forensic investigation confirmed that the data had been compromised.

Like many other states, Delaware has a computer-breach law that governs how an entity must respond when it suspects that a breach of personal information has occurred. “Personal information” includes, among other things, social security numbers, so the breach at UD triggers the law’s requirements. The university seems to have complied with these requirements by promptly conducting an investigation and then, when the investigation indicated that a breach had occurred, notifying the victims of the breach.

Delaware employers must be aware of their duties when they discover that employee data may have been breached. Importantly, a breach need not occur in the form of a computer hack like what appears to have happened at the University of Delaware. It also can come in the form of an employee who sends herself a copy of payroll data just before she resigns. If the payroll data contains bank-account numbers and/or social-security numbers, and it’s in the possession of a former employee, you have a duty to take immediate action under Delaware law.

See also

What to Do If Your Employees’ Confidential Data Is Stolen

Your Employees Are Stealing Your Data

Delaware Retirees’ Personal Data Accidentally Posted Online

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Posted by Molly DiBianca on July 15, 2013 in: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Employers’ access to employees’ and applicants’ Facebook accounts is legally limited in 12 states.  The restrictions, though, vary widely.  Most of these laws were, at least according to their proponents, intended to prohibit employers from requesting or requiring an employee’s or applicant’s password or account information for the purpose of gaining access to the account as a sort of back-door background check.  Unfortunately, many of the laws go (or potentially go) far beyond that simple limitation. 

I’ve been opposed to these bills since they first hit the legislative radar and continue to think they are unnecessary.  For one, they attempt to fix a problem that does not exist—employers are not asking for applicants’ Facebook passwords.  The handful of reported incidents across the country should not prompt a flurry of legislative initiatives.

And, second, the law already prohibits such conduct.  As I’ve previously written, I believe that, at least arguably, the Stored Communications Act (SCA), which is a part of the federal wiretap statute, would prohibit employers from gaining access to an account in this way. 

Now there is a case that takes that idea one step further. In Rodriguez v. Widener University, the Eastern District of Pennsylvania declined to dismiss a claim brought under the SCA based on allegedly unlawful access to the plaintiff’s Facebook account.

Specifically, the student-employee alleged that his employer obtained access to his Facebook account and suspended him because he was perceived to be a threat to the community due to posts displaying images of weapons.  The employer moved to dismiss the Complaint and was successful on all but one count—the count brought under the SCA alleging unlawful access to his Facebook posts.  The employer argued that the posts “were accessible to the general public and/or forwarded to [the defendants] by concerned students who had equal and permitted access to Plaintiff’s Facebook postings.”

Unfortunately for the employer, on a motion to dismiss, facts not alleged in the Complaint (i.e., the Facebook posts were public and, therefore, not accessed unlawfully), cannot be considered by the court.  Instead, only the allegations in the Complaint itself can be considered.  And, here, the plaintiff’s complaint did not allege that they were publicly available.  Hence, because there was no factual basis in the complaint to support the public or non-public nature of the plaintiff’s Facebook page, the court declined to dismiss that count.

So, what does this mean?  Most important, and most unfortunately for employers, it means that there are likely more suits like this to come.  When an employer receives a complaint from another employee about a potential threat or similar concern about potential workplace violence by another employee, the employer must investigate it.  The same rule applies for complaints about inappropriate conduct that could be or give rise to unlawful harassment or discrimination.  The employer has a legal duty to investigate.

And if the complaint is brought to the attention of an employer via a forwarded or printed copy of a Facebook post, the employer cannot (nor should it) ignore it.  So long as the employer does not access the post or page without authorization, the employer has not violated the law.  If a third party, such as a coworker, brings the Facebook post to the attention of the employer, there’s been no unlawful conduct by the employer.  Unfortunately, that does not mean the employer won’t get sued, which appears to be what happened in this case.

So what’s an employer to do?  It’s a very difficult line to walk. The safest thing, at this stage in the still-developing legal landscape, seems to be one of two things. First, to not show the employee the copy of the posts at all.  Instead, simply state that you’ve received credible information regarding XYZ conduct and that you are investigating that complaint.  Second, you could show the employee the posts during the course of your investigation and make clear that the posts were provided to you by a credible source but that you did not access the Facebook page. 

Either way, the employer is between a rock and a hard place.  On one hand, the employer has a duty to investigate. On the other, the employee is not obligated to allege in his complaint whether or not the posts were publicly available, thereby avoiding dismissal at the early stage of the case.

Rodriguez v. Widener Univ., No. 13-1336 (E.D. Pa. June 17, 2013).

Michigan Enacts Social-Media Privacy Law

Posted by Molly DiBianca on December 30, 2012 in: Electronic Monitoring, Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

Michigan is the latest State to pass a "Facebook-privacy" law. The law, called the Internet Privacy Protection Act, was signed by Gov. Rick Snyder last Friday. The law prohibits employers and educational institutions from asking applicants, employees, and students for information about the individual's social-media accounts, reports The Detroit News.

The Michigan law contains four important exceptions. Specifically, the law does not apply when:

1. An employee "transfers" (i.e., steals) the employer's "proprietary or confidential information or financial data" to the employee's personal Internet account;

2. The employer is conducting a workplace investigation, provided that the employer has "specific information about activity on the employee's personal internet account;"

3. The employer pays for the device (i.e., computer, smartphone, or tablet), in whole or in part; or

4. The employer is "monitoring, reviewing, or accessing electronic data" traveling through its network.

The enactment of Michigan's Social Network Account Privacy Act makes Michigan the fifth State this year to enact legislation that prohibits employers from requiring or requesting an employee or applicant to disclose a username or password to a personal social-media account. Maryland, Illinois, California, and New Jersey were the first four. California and Delaware passed similar legislation applicable to educational institutions. Notably, new legislation was introduced in California on December 3, which would extend that State's law to public employers.

I continue to believe that these laws are unnecessary and do nothing more than expose employers to legal risk with no real benefit to the citizenry. However, of all of the states to have passed such "internet-password-protection" laws, Michigan's is the first to contain these critically important exceptions. Without them, the laws have the potential to paralyze employers from conducting internal investigations that are necessary to protect both the organization as a whole and individual employees.

Problems With Delaware's Proposed Social-Media Law

Lawfulness of Employers' Demands for Facebook Passwords

Should Employer Cyberscreening Be Legislated?

Employers Who Demand Facebook Passwords from Employees. Oy Vey.

NJ Passes Password-Protection Law for Employees and Students

Posted by Molly DiBianca on October 30, 2012 in: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace

New Jersey is the latest State to prohibit employers from requesting the passwords of employees and applicants. The N.J. Senate passed A2878 on October 25, 2012. The bill also prohibits employers from any kind of inquiry into whether the employee has an account on a social-networking site and from requiring that the employee or applicant grant the employer access to his or her social-networking account.

Although the Bill passed the Senate unopposed, the added exemption of law-enforcement agencies requires that the Bill be returned to the Assembly for approval before being sent to the Governor for approval, reports CBS New York.

Following Maryland, Illinois, and California, New Jersey is the fourth State in the country to pass a "Facebook-privacy" law applicable to employers.

New Jersey also passed a piece of sister legislation extending the prohibition to colleges and universities. That law passed the N.J. Senate unanimously and will prohibit educational institutions from requiring a student to disclose any user name, password or other means for accessing a personal social-networking site. Delaware and California are the only other states in the country with similar prohibitions.

It's no secret that I am hardly a fan of these laws, which attempt to vigorously legislate a problem that does not exist. When I think of my friends and loved ones who have just experienced the loss and devastation resulting from Hurricane Sandy, I can't help but wonder whether the New Jersey legislature couldn't have found something better to make laws about.

A Really Bad Boss and a Really Awful Invasion of Privacy

Posted by Molly DiBianca on October 21, 2012 in: Jerks at Work, Privacy In the Workplace, Privacy Rights of Employees

This lawsuit, which we'll file in the category of "Ultimate Jerks at Work," was reported by Kashmir Hill on Forbes.com. Here's the story, as alleged in the lawsuit.

Jonathan Bruns was working for a staffing agency when he was placed with a company in Houston, Texas. According to the complaint, Bruns asked if he could charge his cellphone in a wall outlet. His supervisor, Pete Offenhauser, obliged.

Apparently, after Offenhauser approved the request, he unplugged the phone from the wall and plugged it into his laptop. Once the phone was connected, Offenhauser had access to the pictures Bruns had stored on his phone. Among them were photos of Bruns' fiancee.

In the photos, Bruns' fiancee was, er, uh, nude.

What did Offenhauser do next? Oh, come on, I think we all know. He called everyone in the office over to his laptop. Once the whole group was gathered 'round, he showed them Bruns' photos. Bruns walked in and saw the goings on. When he asked what all the excitement was about, he was greeted with "laughs and inappropriate comments," many of which were made by his boss.

Bruns and his fiancee filed suit against the company, alleging invasion of privacy. This is not exactly a surprise, I'd say. But why not sue the supervisor, Offenhauser, individually? Well, presumably, because he was acting in his capacity as a supervisor at the time of the alleged conduct. But the alleged acts were, after all, tortious in nature, so there would likely be a claim against him, as well as against the company. The company, however, is more likely to have the money to pay.

And that, dear readers, is how the pixels crumble.

You Can Leave the Light On . . . But Be Sure to Log Out

Posted by Molly DiBianca on July 25, 2012 in: Electronic Monitoring, Privacy In the Workplace, Privacy Rights of Employees

You can, according to Joe Cocker, leave a light on. But, if you want a second opinion, I'd suggest that you be sure you log out before you leave the computer room. The case under discussion in today's post, Marcus v. Rogers, was brought by a group of New Jersey public-school teachers. The District made computers with Internet access available for teachers to use during breaks. One of the teachers was in the "computer lab" (my phrase) to check his email when he bumped the mouse connected to the computer next to the one he was using, turning off the screensaver. On the screen, the teacher saw the Yahoo! inbox of a colleague, who had, apparently, failed to log out of her email account before she left.

The teacher recognized his own name in the subject lines of several of the emails. Too curious to resist the temptation, he opened, read, and printed the emails that made reference to him, planning to use them at an upcoming staff meeting.

When his colleague learned that her emails had been discovered, she filed suit. The case was tried before a jury, who found in favor of the nosy teacher-defendant. The colleague-plaintiff appealed the decision. On appeal, the question before the court was whether the defendant was acting "without authorization" or whether his access of the emails had "exceeded [his] authorization."

On the first question, the court held that the defendant was not "without authorization" when he accessed the emails because the emails in the inbox were available for anyone to see, since the colleague had failed to log out of her account.

The court upheld the jury's decision on the second question, as well. Specifically, the court found that the defendant had not exceeded his authorization because his colleague had "tacitly" authorized the access when she failed to log out.

This is an interesting case that provides some good news for employers. Some good news--but not much. The question of whether an employer can access an employee's personal email account that the employee accessed through the employer's equipment is far from settled. The answer is very fact specific. For example, the answer may be different where, like here, the employee fails to log out when she leaves the computer, versus where the employer uses software to discover the employee's password and then uses the password to access the account.

The answer also can change depending on the jurisdiction. New Jersey has been an outlier in several of the employee-email cases and employers in other states should be cautious about relying on this decision for much more than its interesting set of facts.

[H/T Evan Brown, Internet Cases, which I first heard him discuss on a recent edition of This Week In Law]

Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012).

E-Law Mid-Week Recap

Posted by Molly DiBianca on May 16, 2012 in: Delaware Specific, Legislative Update, Privacy Rights of Employees, Social Media in the Workplace

It’s only Wednesday but this has been a busy week already. If time allowed, I could write posts on several important employment-law-related topics. But, alas, my day job is keeping me busy, so this short-form recap of some of the more notable items will have to suffice.

Delaware’s Pending Password-Privacy Legislation

As I’ve written recently, there is a bill pending in Delaware’s House of Representatives that is intended to prohibit employers from requesting or requiring that an employee or applicant turn over his or her password. If you’ve read my posts on this topic, you know that I have significant concerns about the scope of the bill and its potential consequences for both employers and employees. This afternoon, the bill will be presented for vote to the Telecommunications, Internet, and Technology Committee.  I will keep you posted about the results of that hearing as soon as possible. Until then, you should consider reaching out to your State Representative and voicing any concern you may have with the bill.

Pretexting Via Social Media

I wrote earlier this week about a high-school principal in Missouri, who is alleged to have created a fake Facebook account for the purpose of spying on students in her school. As I stated in that post, using deceit about your identity for the purpose of obtaining information about someone, known as pretexting, is a wholly unacceptable practice.

On her Ride the Lightning blog, Sharon Nelson writes of a story with similarly disturbing facts.  In the case that she discusses, an insurer in a dog-bite case permitted its private investigator to lie about his identity on Facebook so he could spy on the plaintiff—a 12-year-old girl.  Folks, if it’s not obvious already, this type of dishonesty is despicable and those who engage in it should not be surprised at the negative repercussions that result. 

Show Me the Numbers

The EEOC has released a new set of statistics relating to Charges of Discrimination filed in FY 2011.  What is notable about this data is that it marks the first time the EEOC has published private-sector statistics for each of the states and territories.  The statistics provide the total number of charges filed in each state and a breakdown of charge by type of discrimination.  This is the first time that state-specific information has been released and it offers helpful insight on a more granular level.

Lots of blawgers have reviewed this data as it relates to their particular states. For example, Dan Schwartz wrote about the Connecticut numbers and McAfee & Taft’s EmployerLINC blog posted about the Oklahoma stats.  And Chris DeGroff and Matthew Gagnon, of Seyfarth Shaw’s Workplace Class Action blog wrote about the significance of this data.

Another One Bites the Dust

Because I just never seem to grow weary of stories involving smart people who fail to exercise good judgment when using social media, I’ll toss this one to my loyal readers for good measure.  In this social-media saga, it’s a CFO who was terminated for improperly communicating company information through his Twitter feed and public Facebook profile. Jon Hyman and Phil Miles recap the story in more detail.

Facebook-Privacy Laws: Update

Posted by Molly DiBianca On May 11, 2012 In: Privacy In the Workplace, Privacy Rights of Employees, Social Media in the Workplace


Legislation, both state and federal, prohibiting employers from requesting an employee's or applicant's password continues to make progress. In particular, the pending bills in California and New Jersey passed to the next level of their respective legislatures yesterday. The first two federal bills of this type failed but, fear not, a new version has been introduced. Gone is SNOPA; the Password Protection Act of 2012 was introduced earlier this week. In an effort to keep up, I've put together the list below, which includes a reference to each of the states with pending legislation of which I'm aware:


California
Bill: Social Media Privacy Act
Date: May 10
Status: Unanimously passed the State Assembly
Applies to: Employers; Post-secondary educational institutions
Other: Prohibition against "otherwise asking for access" to an account


Delaware
Bill: HB 308
Date: Apr. 26
Status: Referred to Committee
Applies to: Employers
Other: Multiple other provisions


Federal
Bill: Password Protection Act of 2012
Date: May 9
Status: Introduced
Applies to: Employers
Other: Prohibits requests for "access"


Illinois
Bill: HB 3782
Date: Mar. 29
Status: Passed House; pending in Senate
Applies to: Employers
Other: "or other account information for the purpose of gaining access"


Maryland
Bill: SB 433
Date: Apr. 9
Status: Approved by Gov.; Enacted
Applies to: Employers
Other: Prohibits: (a) any request for access to an account; (b) request for user name.


Massachusetts
Bill: HD 4323
Date: Mar. 23
Status: Filed
Applies to: Employers
Other: Prohibits any request for access to an account


Michigan
Bill: HB 5523
Date: Mar. 29
Status: Introduced; referred to Committee
Applies to: Employers; Educational Institutions
Other: Prohibition against requesting user to "disclose access information"


Minnesota
Bill: HF 2963; HF 2982; SF 2565
Date: Mar. 26; Mar. 29; Mar. 27
Status: Referred to Committee
Applies to: Employers
Other: None


New Jersey
Bill: Bill A-2878
Date: May 10
Status: Approved by Committee
Applies to: Employers and Educational Institutions
Other: Prohibits asking if user has an account; law-enforcement exemption


New York
Bill: Sen. 6983
Date: Apr. 13
Status: Referred to Committee
Applies to: Employers
Other: (a) Prohibits asking for (i) log-in name, or (ii) "other means for accessing"; (b) Exempts accounts owned by employer


South Carolina
Bill: HB 5105
Date: Mar. 29
Status: Referred to Committee
Applies to: Employers
Other: Prohibition against asking for "other related information" to access an account


Washington
Bill: SB 6637
Date: Apr. 11
Status: Reintroduced
Applies to: Employers
Other: Prohibition against asking for "other related information" to access an account


Delaware employers should be most interested (and concerned) with the legislation introduced by Rep. Darryl Scott (Dover). As I've written previously, I believe the proposed law goes far beyond what is necessary and would have significant negative implications for Delaware employers.

Delaware Proposes Facebook-Privacy Law

Posted by Molly DiBianca On May 3, 2012 In: Delaware Specific, Privacy Rights of Employees, Social Media in the Workplace


Delaware has joined several other States in proposing a Facebook privacy law, which would prohibit Delaware employers from requesting access to a candidate's Facebook or other social-networking site.

The proposed law, the "Workplace Privacy Act" (H.B. 308) is sponsored by Reps. Darryl M. Scott and William J. Carson and was introduced on Tuesday, May 1.

In some ways, the bill is similar to the Maryland law, which was the first of its kind to be passed into law, and the federal version currently pending in Congress (SNOPA). For example, the Delaware bill would prohibit employers from "requiring or requesting" that any "employee or applicant" disclose his or her social-networking-site password.

The bill goes further, though. Here are some of the more troublesome provisions of the proposed law:

1. The law prohibits employers from requiring or requesting that the user disclose "any other related account information."

This would seem to prohibit an employer from even asking whether the candidate has a Facebook account. There does not seem to be a legitimate reason for such a broad-sweeping prohibition. Moreover, employers may have good reason to want to know whether an applicant has a Facebook or LinkedIn account. Additionally, isn't this information public in any event, even if access to the account's contents may be restricted?

2. The law also prohibits employers from requiring or requesting that a user log into a social-networking account in the employer's presence "so as to provide the employer access" to the user's account or profile.
This, in my opinion, goes too far. Although I am not an advocate of this approach, it is not and should not be unlawful. There are certain industries and professions (i.e., the financial sector and law enforcement), that, in some cases, have a legitimate interest in a candidate's online activities. The employer should have the right to gain limited and temporary access to the candidate's profile, provided the employer does so in a legitimate and responsible manner.

3. The law also prohibits employers from "accessing" a user's social-networking profile or account "indirectly" through the user's online friend or connection.
Again, this goes too far. And, in my opinion, has deeply troubling (and, likely, unintended), potential consequences. The worst-case scenario would go as follows: Employee reports to Employer that Coworker posted on Coworker's Facebook profile that Coworker intends to cause harm to his supervisor. The employer has not just a right but a legal duty to prevent workplace violence and would be legally obligated to take steps to prevent Coworker from carrying out this threat.

But the employer cannot simply fire Coworker based only on Employee's unverified report. It would need to first investigate the Coworker's claim. Most commonly, an employer will do this by asking the reporting Employee to pull up his own Facebook account for the purpose of showing Employer the allegedly threatening post of Coworker. But this provision of the proposed law would prohibit the employer from doing this.

Alternatively, Employer could call in Coworker and ask him whether he posted the threat as reported by Employee. But if Coworker denies making the post, Employer has no recourse and is forced to take him at his word because Employer would be prohibited from "requiring or requesting" that Employee log into the account to clear up the allegation. This, also, is an unsatisfactory result.

The scenarios go on and on. Consider, for example, a report of employee theft. Or an employee who is posting HIPAA-protected personal health information. Or an employee who is posting the employer's trade secrets. The employer would be without recourse in each scenario.

4. Anti-Retaliation
And, making it worse yet, the law would prohibit employers from "discharging, disciplining, or otherwise penalizing, or threatening to discharging, disciplining, or otherwise penalizing" an employee for his or her refusal to provide access.

Although I am not opposed to laws that prohibit employers and educational institutions from demanding an individual's password or log-on information, this bill, as currently drafted, goes far, far beyond what its sponsors likely intended.

I'll be sure to keep readers posted as developments occur.

In the meantime, you can read about what is happening around the country with regard to the issue of "Facebook-privacy laws" here:

Maryland Law Makes It Unlawful to Request Facebook Passwords
Employers Who Demand Facebook Passwords from Employees. Oy Vey.
California Law Moves Closer to Prohibiting Employers From Requesting Facebook Passwords From Applicants
More States Consider Facebook-Privacy Laws
Should Cyberscreening by Employers Be Legislated?
Lawfulness of Employers' Demands for Employees' Facebook Passwords
Federal Legislation, SNOPA, Would Prohibit Employers from Facebook Snooping

Work Email and the Attorney-Client Privilege Do Not Mix

Posted by Lauren Moak Russell On January 23, 2011 In: Electronic Monitoring, Privacy In the Workplace, Privacy Rights of Employees


An appeals court in California recently decided that emails sent by an employee from her work email address to her attorney are not protected by the attorney-client privilege. In the case of Holmes v. Petrovich Development Company, LLC, an employee sued her employer for wrongful termination. Prior to filing her lawsuit, she had exchanged emails with her attorney, using her office email account. The employer used the emails in its defense, and the employee objected, claiming that they were protected by attorney-client privilege.

The Court disagreed and found that the emails were not protected by the privilege.  The court relied on the fact that the employer’s handbook expressly stated that an employee’s emails might be monitored. Such a warning, the Court concluded, made the employee’s emails akin to a conversation held in the company’s conference room, with the door open, speaking in a loud voice. The California Court’s decision is in keeping with the Supreme Court’s 2010 decision in City of Ontario v. Quon, in which the Court held that an employee did not have an expectation of privacy in his text messages, sent using an employer-provided pager. This case, however, takes Quon to its logical conclusion, holding that in the absence of a reasonable expectation of privacy, the attorney-client privilege cannot attach.

As Delaware employers should know, they are required by statute to inform employees prior to monitoring an employee’s telephone, email, or internet use. 19 Del. C. § 705. Thus, under the California Court’s logic, any Delaware employee who has received notice of email monitoring under Delaware law has waived the attorney-client privilege as to any emails exchanged with the employee’s attorney, using his or her work email account. It is important to remember that the Delaware courts have not ruled on the issue of attorney-client privilege for work emails. However, this case is a valuable reminder that electronic communications are rarely as private as they appear, and we should all conduct ourselves accordingly.

Delaware Events to Fight Identity Theft

Posted by Molly DiBianca On October 6, 2010 In: Privacy In the Workplace, Privacy Rights of Employees


Delaware readers may be interested in a few upcoming events designed to help prevent identity theft. Delaware’s Identity Theft Working Group is sponsoring these events during the week of October 18-24, which is National Protect Your Identity Week.

Oct. 20:  Senior Identity Theft & Fraud

This educational event will take place from 10:30 a.m. – 12:30 p.m. at the Modern Maturity Center in Dover, located at 1121 Forrest Avenue.  You can RSVP for this event and get more information by calling 302-734-1200.

Oct. 21:  Protecting Small Business from Identity Theft

This event is sponsored by the Better Business Bureau of Delaware and will be held at the Wilmington Double Tree Hotel, located at 700 N. King Street from 7:45 a.m. till 10 a.m.  RSVP for the event by calling 302-230-0112 ext. 19.

Oct. 22:  Working Together to Combat Identity Theft

The Federal Bar Association is co-sponsoring a Law Enforcement and Financial Institution training titled “Working Together to Combat Identity Theft” on October 22, 2010, from 8:00 a.m. to 12:30 p.m. at Theatre N, First Floor, 1007 Orange Street, Wilmington, DE 19801.  The October 22 training will include the following discussion topics:

  • Elements of Proof of Identity Theft Crimes:  A Federal and State Overview
  • An Identity Theft Investigation Case Study:  What Worked and Why
  • Addressing Expectations of Both Financial Institutions and Law Enforcement In Investigating Identity Theft Cases
  • Panel Discussion:   Financial Institution Investigators and Federal and State Investigators

In order to register for this training, which will be of primary interest to prosecutors and those lawyers who work with clients to investigate matters relating to identity theft, submit this registration form by October 18, 2010.  If you RSVP for the training, please indicate that you are an attorney who will wish to seek Delaware CLE credit for the training.  The training is free.

Oct. 23:  Shred Event

Consumers may bring up to 3 file-size boxes of documents for shredding to the Boscov’s at the Dover Mall between 9 a.m. and 1 p.m.  The Delaware Attorney General is the sponsor of this event and more information can be found at www.attorneygeneral.delaware.gov.

You can print the following poster, which includes information about all of these events. 

Identity Theft Event Poster

Employers in any state can celebrate National Protect Your Identity Week by educating employees about how to protect themselves from identity theft.