It’s None of Your Business: Privacy Issues · 7 FISHER & PHILLIPS LLP 440-838-8800 Searching Your Employee’s Workplace Computer –One View Stengartv. Loving Care Agency • On

1

www.laborlawyers.comFISHER & PHILLIPS LLP 440-838-8800

October 23, 2015Atlanta • Baltimore • Boston • Charlotte • Chicago • Cleveland • Columbia • Columbus • Dallas • Denver • Fort Lauderdale • Gulfport • Houston

Irvine • Kansas City • Las Vegas • Los Angeles • Louisville • Memphis • New Jersey • New Orleans • Orlando • PhiladelphiaPhoenix • Portland • San Antonio • San Diego • San Francisco • Seattle • Tampa • Washington, DC

It’s None of Your Business: Workplace Privacy Issues

Presented by:

Melanie L. Webber, [email protected]

440/838‐8800

Copyright © 2015 Fisher & Phillips LLP

Not to be reproduced in any manner without prior consent.


Overview

Traditional: Employee Possessions in Employer’s Workplace

Contemporary: Employee Electronic Data in Employer’s Computers and Networks

• Bring Your Own Device

• Social Media

Future:

Employee Right of Privacy

2


Surveillance and Searches

Invasion of Privacy (Unreasonable Intrusion)

• Was there an intrusion?

• If so, was the intrusion intentional?

• Did the employee have an objectively reasonable expectation of privacy into the matter intruded upon?

• Was the intrusion highly offensive to a reasonable person?


Boundaries

Constitution for public employers

National Labor

Relations Act

State statutes

e.g. Statutes limiting access or use of

background checks or

credit histories

e.g. Statutes regarding firearms, tobacco, marijuana

Privacy laws

Other federal laws

3


Traditional Employment Invasion of Privacy Case

Peitsmeyer v. Jackson Twp. Bd. Of Trustees

• Employee alleged invasion of privacy based on:

– The Employer entering the Employee’s locked office,

– Unlocking desk drawers, and

– Searching a storage locker and discarding some personal belongings, including personal and sensitive items related to the Employee’s son’s legal troubles and personal mementos from the employee’s tour of duty in Vietnam.

• Court found: Employee had no reasonable expectation of privacy with respect to his office furniture because he knew the Employer had master keys to the office and the Employee himself often left his office door unlocked.

(Franklin App. 2003‐Ohio 4302)



What about the physical person?

18‐year old McDonald’s employee who was strip‐

searched by assistant manager investigating theft was awarded

$6.1 million. (Ogborn v. McDonald’s Corp., No. 04‐CI‐00769 (Ky. Cir. Ct. Bullitt County Octo. 5, 2007)).

But not if they voluntarily disrobe …

4



Another example: Turner v. Shahed Enterprises

• After $50 went missing, an employee reported seeing another employee take the money and put it in her pants.

• At employee’s suggestion, assistant manager accompanied her to restroom where she undressed to show she did not have the money. $50 found in a food prep area where accused employee and others worked. Accused employee was terminated next day.

• Court held “nobody asked her to undress. Rather…[she] was instructed that she did not have to undress, and she insisted in an attempt to exonerate herself. The expectation of privacy… [she] now seeks to protect was lost when she undressed on her own volition.”

Ohio Ct. App., No. 10AP‐892 (Sept. 15, 2011)


COMPUTERS COMPLICATE INVASION OF PRIVACY CASES

5


Contemporary Employment Invasion of Privacy Cases

Computers created a unique legal question:

If the Employee performs work on an Employer’s computer, is the data created, accessed, or obtained on that computer part of the Employer’s “Physical Workplace” or the Employee’s “Personal Property”?

In other words: When is there a “Reasonable Expectation of Privacy” for personal computer data accessed on an Employer’s Computer?


Employee Expectations of Privacy in Electronic Communications

• 75% of employees accept employer computer monitoring

• 16% of employees are “glad” employers monitor computer activities

• 9% of employees were “mad” about being monitored

Survey Conducted by Spectrosoft, May 23, 2013

6


Employee Expectations of Privacy in Electronic Communications

• 49% of employees said employers monitored their computer activities

• 69% of employers have Internet policies that allow monitoring

• 15% of employers do not have Internet monitoring policiesSurvey Conducted by Spectrosoft, May 23, 2013


Searching Your Employee’s Workplace Computer

Alamar Ranch, LLC v. County of Boise

“It is unreasonable for any employee in this technological age … to believe her communications via work‐issued equipment and email addresses would be confidential and not subject to monitoring.”

This does not represent a majority rule or consensus, but it is part of the evolving law of workplace privacy and monitoring.

No. CV‐09‐004‐S‐BLW, 2009 U.S. Dist. LEXIS 101866 (D. Idaho, Nov. 2, 2009)

7


Searching Your Employee’s Workplace Computer – One View

Stengart v. Loving Care Agency

• On the Employer’s computer, the Employer found .html files of Yahoo! account emails exchanged between former Employee and her attorney regarding former Employee’s lawsuit against Employer.

• Employee sent emails using Employer’s computers and Internet access but through Employee’s personal, password‐protected email account.

• Employer’s Policy: All data residing on the workplace computers is the property of the Employer.

• Emphasizing importance of privacy concerns inherent in attorney‐client communications, the New Jersey Supreme Court held that such communications were privileged – even though on Employer’s computer.

201 N.J. 300, 990 A.2d 650 (2010)


Searching Your Employee’s Workplace Computer – Another View

Holmes v. Petrovich Dev’t. Co., LLC

• Employer found emails exchanged between Employee and her attorney regarding suit against Employer.

• Employee sent emails using the Employer’s email and computer systems.

• California appellate court held that such communications were not protected by the attorney‐client privilege.

191 Cal. App. 4th 1047, 119 Cal Rptr. 3d 878 (Cal. App. 2011)

8


Searching Your Employee’s Workplace Computer

Stored Communications Act

Federal statute prohibiting intentional, unauthorized access to private electronic communications (i.e., Facebook or Hotmail).

Creates privacy expectation in private electronic communications.

Computer Fraud and Abuse Act

Criminal statute that provides a civil cause of action for anyone whose computer system or network has been damaged or accessed without authorization, provided certain requirements are met.

Traditionally thought of as a form of relief for those who fall victim to "hackers," the Act has seen increased use in the employer‐employee context.


Searching YourEmployee’s Workplace Computer

Pietrylo, et al. v. Hillstone Rest. Group

• Password‐protected chat forum and blog for employees

• Management requested access to the blog

• Employees terminated based on content found on blog

• Jury found in favor of employees and a violation of the Stored Communications Act

No. 06‐5754, 2009 U.S. Dist. LEXIS 88702 (D. N.J., Sept. 25, 2009)

9


Searching YourEmployee’s Workplace Computer

Pure Power Bootcamp, Inc., et. al. v. Warrior Fitness Boot Camp, LLC

• Employer logged into employee’s Hotmail account Employee had used during work hours and on work computer

• Employee left username and password on the workplace computer

• Court found violation of the Stored Communications Act

759 F. Supp. 2d417 (S.D.N.Y. 2010)


Asking for Employee and Applicant Passwords

• Best Advice: Do Not Do It!

– Arguably illegal under federal law.

– At least 22 states have passed laws prohibiting it.

• Example: Virginia law passed in 2015. Virginia Employers:

– Cannot require current or prospective employee to share login credentials or add a supervisor as a contact on their personal account.

– Cannot retaliate against employees or refuse to hire applicants for exercising their social media privacy rights.

– Law contains exceptions permitting employers to comply with federal, state or local laws, rules and regulations.

10


Best Practices for Computer Usage Policies

Make clear employees have no expectation of privacy when it comes to using employer equipment.

State reason for policy so employees do not feel their right to privacy is being needlessly infringed.

Describe what constitutes improper use of employer‐owned equipment

• Harassment

• Accessing explicit conduct

• Removing employer’s software programs and data


Best Practices for Computer Usage Policies

Include description of proper employee computer use.

• Business purposes during working time

Prohibit unauthorized encryption of company

information such as email.

Make it possible to enforce your policy by stating that violating the policy can

lead to disciplinary action. Be specific.

11


BYOD: LOL!


Future Employment Invasion of Privacy Cases

• Bring‐Your‐Own Device:

– “BYOD” – term of art used to describe the practice of allowing employees to use personal handheld devices to access employer networks and create business information

– According to 2014 Cisco survey, up to 78% of white‐collar employees use a personal, non‐employer provided mobile device for work purposes

12



Turnover rate in hospitality is estimated anywhere between 60‐300%

HR policy makers: consider policies that serve best interests of organization while engaging employees

Next generation of hospitality workers has grown up with technology (in school and at home) and expect to be connected



• 52% said Anti‐BYOD policies are outdated

• 57.3% said they would have more positive impression of employer if allowed access to mobile devices

• 92.1% agreed that ignoring a guest due to a mobile device would be inappropriate

In a study of undergraduate hospitality college students:

The Impact of Anti‐BYOD Policies on Generation Z Hospitality Employee’s Engagement,

Danny Crinson, University of Nevada, Las Vegas, 2013

13



• Cost Savings

• Employee demand – employees do not want to carry two devices

• Ability to instantly communicate with employees anywhere on the property

• Real‐time notice of customer complaints

• Cost Savings

• Employee demand – employees do not want to carry two devices

• Ability to instantly communicate with employees anywhere on the property

• Real‐time notice of customer complaints

Why Allow BYOD:

But You Need to Understand and Mitigate the Risks


Future EmploymentInvasion of Privacy Cases

• A typical handheld device (smartphone, tablet, phablet) has multiple mechanisms for communication (text, instant message, e‐mail, phone, social media).

• Unlike standard office computer and email account, it is uncommon for an employer to routinely (if ever) retain its employees’ non‐email handheld communications.

• The handheld device, although linked to an employer’s network or Intranet, it is often the private property of the employees.

Handheld devices are unique from standard office computer and email account.

14



As of 2014, recent study shows 120 emails are received/sent per “white‐collar” employee per day.Same study projects there will be 1.2 billion email addresses with wireless access by end of 2015. (The Radicati Group, Email Statistics Report, 2011‐2015)

2011 Pew Research Center report found persons aged 18‐24 send/receive approx. 3,000 texts per month; 25‐34 years send/receive approx. 2,240 texts per month; 35‐44 years send/receive approx. 1,557 text per month; 45‐54 years send/receive approx. 998 texts per month; and 55+ send/receive approx. 491 texts per month.

Deloitte estimated that by end of 2014 approx. 50 billion daily instant messages via mobile applications.

Emails

TextMessages

InstantMessaging

Today’s professional (and personal) communications revolve around technology



Traditional and contemporary IOP cases concern the

inclusion of private employee information within the confines of employer’s

workplace – whether physical or electronic.

Traditional and contemporary IOP cases concern the

inclusion of private employee information within the confines of employer’s

workplace – whether physical or electronic.

BYOD concerns the inclusion of private employer information within the confines of an

employee’s personal electronic device.

BYOD concerns the inclusion of private employer information within the confines of an

employee’s personal electronic device.

15



• By authorizing employees to use their own devices for work, and subjecting such devices to monitoring and investigation, employers risk violating employee privacy rights related to such devices

• Hidden Costs to Employers:

– Violation of privacy claims by employees

– Stengart v. Loving Care communications on devices

– Federal Stored Communications Act claims

– Federal Computer Fraud and Abuse Act claims


BYOD Additional Considerations

→Wage and hour claims (non‐exempt use outside work hours)

→ Confidential information/trade secrets loss

→ Third‐party data breach

→ Electronic discovery / litigation hold burdens

→ Employee distractions, which could be an issue for guest‐facing employees

→ Safety issues, particularly for employees who are working in kitchens or operating vehicles

16


BYOD Policy

• BYOD Policy should be a separate document to account for difference in privacy expectations between employer‐owned equipment and employee‐owned equipment

• Include specific monitoring and no expectation of privacy provisions in your BYOD policy

• Address remote wiping of personal devices


BYOD Policy

• Include provisions in your BYOD policy that notify employees of litigation hold/preservation duties in personal devices

• Require compliance with employer security software

• Address personal device usage during non‐working time

• Require reporting of lost devices

• Require written acknowledgement and consent to BYOD Policy

17


DAWN OF A NEW AGE…


Careful With That Facebook Account

The Ehling Case:

• An Employee‐nurse sued for wrongful termination

• The Employee’s Facebook page was set for “Friends” only, which included some co‐workers but no managers

• One “Friend” captured screen shots of the plaintiff’s wall and emailed them to managers

• The managers never asked for the screen shots

18


Careful With That Facebook Account

The Ehling Case:

• The Employee’s argument: the Stored Communications Act applies to non‐public Facebook settings and there was an improper access here because of the “Friends” only setting

• The Court held that the Facebook wall posts were covered by the Stored Communications Act BUT the SCA’sauthorized‐user exception applied because a “Friend” voluntarily emailed the screen shot to a manager without any request or coercion

• Motion for summary judgment was granted

Ehling v. Monmouth‐Ocean Hospital Service Corp.,

No. 2:11 CV 03305 (D.N.J. Aug. 20, 2013)


Social Media & The National Labor Relations Act (NLRA)

Employees’ statutory rights have not changed since 1935

• §7‐ “Employees shall have the right … to engage in other concerted activities for the purpose of collective bargaining or for mutual aid or protection.”

• §8(a)(1) – “It shall be an unfair labor practice for an employer to interfere with, refrain, or coerce employees in the exercise of rights guaranteed in §7 of this Act.”

19


Social Media & The NLRA

• Policy Provision No. 1: Employees are prohibited from disclosing or communicating information of a confidential or sensitive nature, or non‐public information concerning the company, on or through company property to anyone outside of the company without the prior approval of senior management or the law department.

Lawful or unlawful under the NLRA?

Unlawful



• Policy Provision No. 2: Employees are prohibited from using the company’s name or service mark outside the course of business without prior approval of the law department.


Unlawful

20



• Policy Provision No. 3: Employees are prohibited from publishing any representation about the company without prior approval by senior management and the law department. This prohibition includes statements to the media, media advertisements, electronic bulletin boards, weblogs, and voicemail.


Unlawful



• Policy Provision No. 4: Social networking communications must be made in an honest, professional, and appropriate manner, without defamatory or inflammatory comments regarding the employer, its subsidiaries, their shareholders, officers, employees, customers, contractors, and patients.

Lawful or unlawful under NLRA?

Unlawful

21



• Policy Provision No. 5: Employees should not make comments or otherwise communicate about customers, coworkers, supervisors, the company, or the company’s vendors or suppliers in a manner that is vulgar, obscene, threatening, intimidating, harassing, libelous, or discriminatory on the basis of age, race, religion, sex, sexual orientation, gender identity or expression, genetic information, disability, national origin, ethnicity, citizenship, marital status, or any other legally recognized protected basis under federal, state or law laws, regulations, or ordinances. Those communications are disrespectful and unprofessional and will not be tolerated by the company.


Unlawful


Elements of a NLRA Compliant Social Media Policy

Not overly broad so that policy could be interpreted as restricting protected activity;

Includes limiting language clarifying that policy does not restrict protected activity; and,

Clarifies and restricts policy’s scope by including examples of improper conduct.

22


Today’s Use of Technology – An Example

• Two days before union election:

– Perez is working as a server at a fundraising event

– Assistant Director of Banquets approaches Perez and two other servers and addresses their “chitchatting”

– Perez complains to Gonzalez, who is head of the employees’ union organizing effort

– Gonzalez encourages Perez to take a break


Today’s Use of Technology – An Example (Con’t)

• Perez took a break proceeding to the bathroom and then outside of the Employer’s facility.

• Using his iPhone, Perez posted a message on his personal Facebook page, stating: “Bob is such a NASTY MOTHER F*** don’t know how to talk to people!!!!!! F*** his mother and his entire f*ing family!!! What a LOSER!!!! Vote YES for the UNION!!!!!!!”

• Perez was discharged because his Facebook comments allegedly violated Employer’s policy. However, the managers declined to provide the policy of explain the basis for the termination.

23


Today’s Use of Technology – An Example (Con’t)

• NLRB: Discharge constituted an unfair labor practice.

– Perez engaged in protected, concerted activity.

– Comments were not “so egregious” that they exceeded the protection of the NLRA.

• NLRB considered activity in light of the totality of the circumstances.

• NLRB noted that the Employer tolerated widespread profanity in the workplace.

Pier Sixty, LLC, 362 NLRB 59 (2015)


Practical Guidance – Whether Online Activity is Concerted Activity

• What is the subject matter of the employee’s online post – does the post address terms and conditions of employment, such as wages or working conditions;

• Who made the post (employee or supervisor);

• Whether the online post suggests collective action by employees;

• Whether the online post references earlier discussions among employees;

• Did other employee respond to posting; and,

• What was the content of the responses from other employees – did the responses indicate agreement or were they expressions of sympathy.

24


Virtual Workplace Policies Checklist

• Acceptable Use Guidelines for information, equipment and network

• No Privacy Expectations

• Information Security and Privacy Protection Policy

• Compliant Social Media Policy

• Bring Your Own Device Policy

• Use of Electronic Devices at Work and While Driving Policy

• Record Retention Policy

• Exit Policy


Exit Interview Checklist

• Employee reaffirm in writing ongoing contractual and legal obligations (i.e., confidentiality)

• Conduct audit of Employer information on Employee devices

• Return Employer‐provided equipment

• Employee acknowledge that all Employer information has been returned or destroyed in accordance with Employer instructions and Employee has not retained any copies.

• Review litigation holds to determine whether information and/or devices need to be preserved

• Notify information services to terminate Employee access

25


Thank you…

Presented by:

Melanie L. Webber

Documents

It’s None of Your Business: Privacy Issues · 7 FISHER & PHILLIPS LLP 440-838-8800 Searching Your Employee’s Workplace Computer –One View Stengartv. Loving Care Agency • On