Workplace Privacy Counsel

Littler Mendelson's Privacy and Data Protection Practice Group Chair Philip Gordon Interviewed About Maryland Facebook Password Law

Privacy and Data Protection Practice Group — Wed, 02 May 2012 08:22:07 -0800

Philip Gordon, Chair of Littler Mendelson's Privacy and Data Protection Practice Group Chair and a frequent contributor to this blog, was recently interviewed by The Lexblog Network about Maryland's recently-enacted Facebook password law and what it accomplishes.

Video courtesy of The Lexblog Network

Enforcement Guidance on the Use of Criminal Records in Employment Approved by EEOC

Privacy and Data Protection Practice Group — Thu, 26 Apr 2012 09:49:11 -0800

On Wednesday the Equal Employment Opportunity Commission (EEOC) approved in a 4-1 vote updated enforcement guidance governing the legality of considering a job applicant’s or employee’s criminal history when making hiring or other employment decisions. Commissioner Victoria Lipnic (R) joined the Democrat Commissioners in support of the guidance, while Constance Barker (R) was the lone member to vote against the new guidance. Although the use of credit history for employment screening had been a topic of discussion during an earlier Commission meeting, the Commission has not issued guidance on this topic. Given Commissioner Stuart Ishimaru’s (D) impending resignation, it is likely that any new guidance on credit history would need to be a bipartisan effort with only four Commissioners if such guidance is issued at all anytime soon. To learn more about the revised guidance and its implications for employers, please continue reading at Littler's D.C. Employment Law Update.

Maryland "Facebook Law" Raises New Obstacles For Employers Vetting Applicants And Investigating Employees, But With Important Exceptions

Privacy and Data Protection Practice Group — Wed, 11 Apr 2012 07:16:45 -0800

By Philip L. Gordon

The momentum in the media made it almost inevitable: the first state law to expressly restrict employers from asking applicants and employees for social media account log-in credentials has been passed. Not surprisingly, Maryland, where the issue first burst onto the scene in April 2011, wins the “honor.” However, Maryland likely has opened the floodgates. Bills currently are pending in California, Illinois, Minnesota, New Jersey, and Washington. Employers seeking to understand the implications of the Maryland law must look beyond the blaring headlines to the details of the statute.

To begin with, the law’s general prohibition is both broad and narrow. Effective October 1, 2012 (assuming the Governor signs the law), employers are prohibited from requiring, or even asking, that applicants or employees disclose “any means for accessing,” such as a user name or password, for “any personal account or service” accessed through “computers, telephones, personal digital assistants, and other similar devices.” In other words, the prohibition extends far beyond Facebook and other social media sites to include personal e-mail accounts, personal online banking accounts, and any other online communications or service account.

The Maryland law prohibits an employer from taking or threatening any form of adverse action based on an employee’s or applicant’s refusal to provide a user name or password to a personal account accessed through a communications device. An employer cannot discharge, discipline or otherwise penalize an employee. An employer cannot reject an applicant for engaging in the protected conduct.

Notably, the Maryland law contains no enforcement provision. The law does not authorize applicants or employees to sue. The law does not even delegate authority to the Maryland Department of Labor, Licensing and Regulation, or any other government agency, to enforce it. It is possible that an employee terminated in violation of the law might have a claim for wrongful discharge in violation of public policy. However, because that claim typically applies only to discharge, it is unclear whether an employee who is disciplined short of discharge would have a claim. It also is uncertain whether an applicant who is denied employment in violation of the law would be able to assert a claim.

While the law seems overly broad at first blush, it is critical for employers to understand the types of conduct that the law does not prohibit. Some of these exceptions are expressed in the statute itself; others are implicit.

Access To Employer’s Internal Systems: The law expressly permits employers to require that employees disclose log-in credentials “for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.” In other words, employees cannot rely on the law to prevent employers from gaining access to information stored on the employer’s own information systems.
Violations Of Securities Or Financial Laws, Or Regulatory Requirements: If an employer receives information that an employee is using a personal online account for business purposes, the law “does not prevent” an employer from conducting an investigation to ensure that the employee is complying with “securities or financial law, or regulatory requirements.” This exception appears intended to apply in a situation where an employee of a financial services company uses a personal online account to trade securities or engage in other financial transactions on the employer’s behalf.
Protection Of Trade Secrets: If an employer receives information that an employee has downloaded the employer’s proprietary information, without authorization, to a personal online account, the law “does not prevent” an employer from conducting an investigation into such suspected misconduct.
Passwords To Devices: While the Maryland law bars employers from requesting log-in credentials for “accessing a personal account or service,” the law does not prohibit employers from requesting or requiring log-in credentials to access an employee’s personal device, such as a smartphone or tablet. This distinction is critical as employers increasingly are implementing “Bring-Your-Own-Device” policies.
Nonpersonal Accounts: The law protects log-in credentials only for “personal” accounts. Maryland employers should clearly define which accounts are personal and which are nonpersonal. For example, if an employee uses a corporate e-mail address to establish a LinkedIn profile or Twitter account, the employer should ensure that employees know from the outset that such an account is “nonpersonal” for purposes of the Maryland law.

Because the Act’s restrictions on its face arguably apply only to the disclosure of log-in credentials, it remains to be seen through judicial interpretation whether the Act’s restrictions bar an employer from, for example, asking an employee or applicant to log into a personal account without disclosing the log-in credentials to the employer so the employer can observe the content of the personal account or asking an employee or applicant to print the content of a personal account. Before an employer chooses this route, they should speak with their employment counsel to educate themselves about the legal risks of doing so. While Maryland is the first jurisdiction to enact this legislation, it is not likely to be the last. Indeed, bills proposing similar restrictions currently are pending in various states, including but not limited to California, Illinois, Minnesota, New York, and Washington. In addition, U.S. Senator Richard Blumenthal (D–CT) has stated his plan to introduce similar legislation "in the very near future."

Requiring Social Media Information Is a Bad Idea

Privacy and Data Protection Practice Group — Wed, 28 Mar 2012 09:00:00 -0800

Employers continue to wrestle with the issue of whether to require employees and prospective employees to divulge their social media passwords. A recent spike in interest by the media, by advocacy groups, legislators and the general public has refocused attention on the issue. Although it may not be unlawful to seek the information to conduct background checks, deter and investigate harassment of coworkers, and discourage employees from posting online content that disparages the employer's products or services, in most situations, it is inadvisable. To learn more about the pitfalls of social media information requests, proposed federal and state bills prohibiting such requests and their potential implications for employers, please continue reading Littler's ASAP, Though Not Yet Banned, Requiring Social Media Information Is a Bad Idea by Chris Leh.

Finding the Messages to Employers in $1.5M HIPAA Settlement

Privacy and Data Protection Practice Group — Wed, 14 Mar 2012 12:11:09 -0800

By Philip L. Gordon

Yesterday’s $1.5M “Resolution Agreement” between Blue Cross Blue Shield of Tennessee (“BCBST”) and the U.S. Department of Health and Human Services (“HHS”), the agency responsible for enforcing HIPAA, is the fourth major settlement announced by HHS in the past 15 months and the third to exceed seven figures. This settlement has several important messages for employers.

Before turning to those messages, here are the key facts as set forth in the Resolution Agreement. BCBST stored, in a network data closet, computer equipment which included servers and 57 hard drives. The hard drives were part of a system that recorded customer service calls and contained the protected health information (PHI) of more than one million participants, including member names, member ID numbers, diagnosis codes, dates of birth, and Social Security numbers. The network data closet “was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock.” The property management company for the leased spaced where the network data closet was located provided security services.

After BCBST vacated most of its office space, but while it still leased the space containing the network data closet, thieves stole the 57 hard drives from the closet. The hard drives were not encrypted. BCBST notified HHS of a security breach in accordance with the HITECH Act’s requirements.

To resolve HHS’s investigation, BCBST agreed not only to pay $1.5 million but also to enter into a corrective action plan (CAP). The CAP requires BCBST to do the following: (a) conduct a risk assessment and engage in a risk management process with respect to electronic PHI (ePHI) in BCBST’s possession; (b) develop facility access controls and a facility security plan to safeguard information systems and equipment containing ePHI; (c) develop physical safeguards for electronic storage media containing ePHI; (d) train all workforce members with access to ePHI in the policies and procedures embodying items (a) through (c); (e) monitor compliance with the policies and procedures; and (f) report to HHS concerning compliance with the CAP.

Employers can draw several lessons from this incident and its resolution:

First, to date, HHS’s monetary settlements with covered entities have focused on health care providers, such as hospitals and pharmacies. This is the first monetary settlement of which we are aware involving a covered health plan. Insurers and self-insured employers offering HIPAA-covered benefits should take note.

Second, this is the first monetary settlement triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH Act. It is critical for employers with HIPAA-covered plans, as well as other covered entities, to recognize that notifying HHS of a security breach in accordance with the HITECH Act could trigger an investigation into the circumstances underlying the breach and could ultimately result in an enforcement action.

Third, the underlying incident involved the theft of unencrypted hard drives. Had those hard drives been encrypted, BCBST would not have had an obligation to notify HHS of the theft. In other words, the Resolution Agreement highlights the importance of considering the feasibility of encrypting any movable storage media which contain ePHI.

Finally, HHS seems to have set a fairly high standard for adequate physical safeguards. The Resolution Agreement suggests that BCBST had in place fairly robust physical security for the stored hard drives, including “biometric and keycard scan security with a magnetic lock and an additional door with a key card lock” in addition to building security. HHS, nonetheless, appears to have taken the position that this security was inadequate. Consequently, the Resolution Agreement emphasizes the need for covered entities to pay as close attention to physical safeguards for ePHI as they do to administrative and technical safeguards.

Photo credit: MBPHOTO, Inc.

New Obligations for Massachusetts Employers Conducting Criminal Background Checks

Privacy and Data Protection Practice Group — Thu, 08 Mar 2012 15:28:43 -0800

Effective May 4, 2012, the Massachusetts Criminal Offender Record Information ("CORI") Reform Act (the Act), which was enacted in August 2010 with the controversial "ban the box" legislation, will significantly change the way employers access, use and maintain information obtained through the Commonwealth's CORI system. The Act will allow all employers access to a new online records system, but also imposes obligations on employers that acquire criminal history information from private sources, such as consumer reporting agencies (background report vendors). Employers should review their hiring and background check policies now to determine whether any updates are necessary. To learn about the Act and its potential implications for employers, please continue reading Littler's ASAP, Massachusetts Employers Face New Obligations When Conducting Background Checks Involving Criminal History Records, by Christopher Kaczmarek, Carie Torrence, and Joseph Lazazzero.

NLRB Report Challenges Validity of Many Commonly Used Social Media Policies

Privacy and Data Protection Practice Group — Fri, 27 Jan 2012 15:29:31 -0800

By Philip Gordon

In its most recent effort to draw lines on the self-described “hot topic” of the “lawfulness of employers’ social media policies and rules,” the National Labor Relations Board’s (NLRB) Office of General Counsel has taken the position that many policy provisions commonly seen in employers’ social media policies violate the National Labor Relations Act (NLRA). This most recent shot across the bow came on January 24, 2012, in the form of a report, issued to senior regional staff, on 14 cases which, according to the General Counsel, “present emerging issues in the context of social media.” This report follows a previous General Counsel report, dated August 18, 2011, which discussed 14 prior NLRB cases involving social media issues.

The cases treated in the report also contain the General Counsel’s opinion on whether the employer in each case violated the NLRA by imposing discipline based on social media conduct. We will cover this aspect of the report in a separate and forthcoming blog post. Here, we will focus on the thicket that the NLRB has created for employers who are trying to gain some reasonable control over what employees publish in social media, often to the world, about co-workers, supervisors, the workplace, and the employer’s products and services.

Each of the headings below reviews the General Counsel’s current position on a particular type of commonly used policy provision. Employers should carefully review their existing policies and any new policy in light of the General Counsel’s most recent report. With careful drafting and the use of examples and limiting language, employers should still be able to achieve their objectives of gaining limited control over the Wild West of social media content while staying within the parameters of the NLRA.

No Defamation/Non-Disparagement: No employer likes seeing its employees or organization trashed in social media, but, according to the General Counsel, a broad non-disparagement policy violates the NLRA on a per se basis because it could inhibit employees from making negative comments about the terms and conditions of their employment. For example, the General Counsel opined in the report that the following policy prohibition is illegal: “[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media.” The General Counsel reached the same conclusion on a policy which prohibits “discriminatory, defamatory, or harassing web entries about specific employees, work environment, or work-related issues on social media sites.”

While the General Counsel’s opinion sounds frustrating, employers should not despair. The General Counsel explains that by including non-disparagement policy language within a list of other forms of unprotected conduct, an employer’s non-disparagement policy will comply with the NLRA. To illustrate the point, the General Counsel pointed to the NLRB’s holding that a policy prohibiting “statements which are slanderous or detrimental to the company” was lawful when it “appeared on a list of prohibited conduct including ‘sexual or racial harassment’ and ‘sabotage.’” Following this authority, the General Counsel gave its stamp of approval in the report to a policy which “prohibited the use of social media to post or display comments about coworkers or supervisors or the Employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the Employer’s workplace policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status, or characteristic.”

Confidentiality: Protecting confidential information and trade secrets from competitors is critical to every organization. According to the General Counsel, however, a confidentiality policy is illegal if it would impinge on employees’ ability to discuss their wages and working conditions with others inside or outside the organization. Consistent with that reasoning, the General Counsel’s report rejected a provision in an employer’s social media policy that prohibited employees from “disclosing or communicating . . . confidential, sensitive, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department.” By contrast, the General Counsel approved a policy provision that “prohibited employees from using or disclosing confidential and/or proprietary information, including personal health information about customers or patients” as well as “‘embargoed information,’ such as launch and release dates and pending reorganizations.” The General Counsel approved of this policy language based on the following reasoning: “Considering that the Employer sells pharmaceuticals and that the rule contains several references to customers, patients, and health information, employees would reasonably understand that this rule was intended to protect the privacy interests of the Employer's customers and not to restrict Section 7 protected communications.”

The General Counsel’s distinction between the two confidentiality provisions suggests a potential litmus test for confidentiality language in a social media policy: if the policy reasonably could be read to prevent employees from disclosing the amount of their compensation to family members, the General Counsel likely would find the policy to be overbroad.” Employers should note that this same issue could apply to confidentiality agreements signed by hourly workers, and not just to confidentiality requirements in a social media policy.

Logos/Trademarks: Organizations understandably want to control use of their logo and trademarks. Nonetheless, a social media policy which prohibits “use of the company’s name or service marks outside the course of business without prior approval of the law department” is, according to the General Counsel, unlawful. The General Counsel takes the position that employees have the right under the NLRA to use the company’s name and logo “while engaging in protected concerted activity, such as in electronic or paper leaflets, cartoons, or picket signs in connection with a protest involving the terms and conditions of employment.” The General Counsel reasoned that such protected use of a company’s name and logo does not “remotely implicate[]” the company’s interests protected by trademark law, “such as the trademark holder’s interests in protecting the good reputation associated with the mark from the possibility of being tarnished by inferior merchandise sold by another entity using the trademark and in being able to enter a related commercial field and use its well-established trademark.”

This reasoning is wrong. An employee easily could damage brand reputation and engender customer confusion by, for example, creating a Facebook page with the corporate name and logo. At a minimum, an employer should be able to prohibit employees from using the company name or logo when engaging or depicting in social media any conduct which violates the Company’s policies or is unlawful; such a policy would not encompass activity protected by Section 7 of the NLRA. Employers also should consider consulting intellectual property counsel about logo and trademark issues and not necessarily develop a marketing strategy based solely on NLRA issues. However, the General Counsel’s analysis (which is not law, but rather the Office’s view of the law) should not be fully ignored either.

Employee Disclaimers: Social media policies commonly mandate that employees must include a disclaimer in any social media content that relates to the employer. For example, in one of the cases discussed in the General Counsel’s report, the employer’s social media policy required that employees “expressly state that their comments are their personal opinions and do not necessarily reflect the Employer’s opinions.” The General Counsel opined that this policy requirement violates the NLRA because it “would significantly burden the exercise of employees’ Section 7 rights to discuss working conditions and criticize the Employer’s labor policies.” Fortunately, employers can achieve a similar result with a policy that prohibits employees from representing in any way that they are speaking on the Company’s behalf without prior written authorization to do so.

It is worth noting that the General Counsel did approve an employee disclaimer requirement in the section of a social media policy addressing product promotions. The General Counsel explained that in context, this provision could not be read to interfere with Section 7 rights because the policy focused on product promotions and endorsements and was intended to avoid potential liability for unfair and deceptive trade practices under guidance issued by the Federal Trade Commission.

Discussions of Work-Related Concerns: The aphorism, “Don’t hang out your dirty laundry,” may seem antiquated but many employers still say just that in their social media policy. By way of illustration, one policy discussed in the General Counsel’s report “required employees to first discuss with their supervisor or manager any work-related concerns, and it provided that failure to comply could result in corrective action, up to and including termination.” The General Counsel concluded that this policy violated the NLRA because of the threat of discipline. Employers can avoid this potential pitfall by urging, but not mandating, that employees use internal channels, rather than social media, to resolve workplace concerns. In that regard, the General Counsel’s opinion is nothing new, but rather is in line with traditional NLRA law on protected, concerted activity in general.

Communications with the Media: Social media policies often tell employees not to discuss with the media their social media content related to the company. The General Counsel’s report finds such prohibitions illegal. (“An employer’s rule that prohibits employee communications to the media or requires prior authorization for such communications is therefore unlawfully overbroad.”) However, a similar report issued by the General Counsel on August 18, 2011, recognized that “a media policy that simply seeks to ensure a consistent, controlled company message and limits employee contact with the media only to the extent necessary to effect that result cannot be reasonably interpreted to restrict Section 7 communications.” In light of that principle, the General Counsel blessed the media policy in question because the “policy repeatedly stated that the purpose of the policy was to ensure that only one person spoke for the company” and even though “employees were instructed to answer all media/reporter questions in a particular way.” In other words, it appears that employers can still carefully craft a provision on media relations in a social media policy which complies with the NLRA.

“Unprofessional” Content: In several of the reported cases, the General Counsel took issue with policy terms that were undefined, vague, or subjective. These terms included prohibitions on “insubordination or other disrespectful conduct,” “inappropriate conversation,” “unprofessional communication that could negatively impact the Employer’s reputation or interfere with the Employer’s mission,” and “nonprofessional/inappropriate communication regarding members of the Employer’s community” as well as the requirement that social media activity occur in an “honest, professional, and appropriate manner.” Employers can achieve the intended objectives of this disfavored language by using terms that are defined in the social media policy or other policies or by providing examples of prohibited conduct with examples that do not include conduct protected by the NLRA.

Employee’s Self-Identification: Some employers have tried to protect their organization by telling employees not to identify their affiliation with the organization when engaging in social media activity unless there is a legitimate business reason for doing so. In its report, the General Counsel took the position that this type of policy violates the NLRA “because personal profile pages serve an important function in enabling employees to use online social networks to find and communicate with their fellow employees at their own or other locations.” Employers should not view the General Counsel’s position here as a particular setback. Telling employees not to mention their employer by name in a personal profile is akin to telling them not to do the same at a cocktail party; the rule would be honored in the breach.

Securities Blackouts: Publicly traded companies are rightfully concerned that employees may let slip on social media highly sensitive information about a corporate transaction, new product launch, or non-public financial information. Among the few policy provisions with which the General Counsel did not take issue was one which stated that the employer might “request employees to confine their social networking to matters unrelated to the company if necessary to ensure compliance with securities regulations and other laws.” The General Counsel reasoned that “employees reasonably would interpret the rule to address only those communications that could implicate security regulations,” as opposed to the terms and conditions of their employment.

Employer Disclaimers: In the wake of the NLRB’s aggressive position since the AMR case in late 2010 on social media policies and employee discipline based on social media conduct, many employment and labor law practitioners have recommended the inclusion of a disclaimer in social media policies. The disclaimer explains that the employer’s policies are not intended to interfere with employees’ rights under the NLRA. In its first public review of a disclaimer in a social media policy, the Board somewhat surprisingly took the position that such a disclaimer was ineffective. In that case, the disclaimer stated as follows:

[T]he policy [will] not be interpreted or applied so as to interfere with employee rights to self-organize, form, join, or assist labor organizations, to bargain collectively through representatives of their choosing, or to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from engaging in such activities.

According to the General Counsel, this disclaimer could not “save” a policy provision prohibiting employees from posting “inappropriate” content because “an employee could not reasonably be expected to know that this language encompasses discussions the Employer deems ‘inappropriate.’” Given the detailed nature of the disclaimer in question, this conclusion suggests the General Counsel, and possibly the Board itself, will view skeptically any effort by an employer to rely upon a disclaimer to protect an otherwise overbroad social media policy. That is an unfortunate result for employers, as a disclaimer seemed to be the answer to keeping a policy simple and uncluttered, without violating the NLRA. Now employers should consider instead replacing such a disclaimer with a list of specific limitations or examples, such as those discussed above which can transform an otherwise overbroad (at least in the eyes of the General Counsel) non-disparagement provision into one that complies fully with the NLRA.

What Does The Supreme Court's "GPS Decision" Mean For Private Employers?

Privacy and Data Protection Practice Group — Tue, 24 Jan 2012 11:48:27 -0800

By Philip L. Gordon

The Supreme Court ruled unanimously yesterday that law enforcement must obtain a search warrant before placing a Global Positioning System (GPS) device on a suspect’s vehicle for purposes of tracking the vehicle’s location. The decision effectively overturned Antoine Jones’s life sentence for drug trafficking which was obtained, in part, through the use of location tracking information generated by a GPS device secretly placed by the FBI, without a search warrant, on Jones’s wife’s Jeep Grand Cherokee. Although the Court’s analysis focuses exclusively on the Fourth Amendment to the U.S. Constitution, which applies only to government actors, the decision has potentially important implications for private employers who are turning increasingly to location-tracking capabilities in vehicles, smartphones, and even laptops to track employees for management and investigative purposes.

To begin with, the Court’s decision highlights the dearth of legislation in the area. None of the Court’s three opinions — the lead opinion by Justice Scalia, a concurrence in that opinion by Justice Sotomayor, and an opinion by Justice Alito concurring in the result but not with Justice Scalia’s reasoning — cited a single federal or state law which regulates location tracking. California’s statute prohibiting the installation of a tracking device on a vehicle without the consent of the vehicle’s owner or lessor appears to be only one of two laws (the other is Texas) on the subject with a significant impact on private employers. In the wake of the Supreme Court’s decision, employers should expect legislative activity in the area.

The decision also is important for private employers because five justices — Justice Alito (joined in his concurrence by Justices Ginsberg, Breyer, and Kagan) as well as Justice Sotomayor — rejected the majority position in the state and federal judiciary on the privacy of location data. Under that view, location tracking does not infringe any privacy interest because the location of a vehicle or a person in a public place is fundamentally not private. This majority view effectively leaves private employees without any remedy for an employer’s use of location tracking because a common law invasion of privacy claim can be asserted only for the breach of a recognized privacy interest, and a statutory remedy for unauthorized location tracking is rarely available.

In rejecting the majority view, the five justices found a protected privacy interest in the patterns of private activity that can be derived from continuous location tracking notwithstanding the public nature of any particular data point. In the words of Justice Sotomayor, “GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” This view likely will have a significant influence on the thinking of trial and appellate court judges when confronted with an invasion of privacy claim based on an employer’s unauthorized tracking of an employee during non-working hours. An employer might be tempted to engage in such tracking, for example, to check for abuse of paid or unpaid leave or to investigate suspected moonlighting or a potentially fraudulent workers’ compensation claim.

Consequently, the most important lesson for private employers to draw from the Court’s decision is the importance of limiting location tracking to working hours when the pattern of location data should not reveal details of an employee’s private life, and if it does, the employer has a legitimate business reason for knowing what the employee is doing other than earning his or her compensation. The New York appellate decision that we covered in last week’s blog post illustrates the point. In that case, the majority did not take issue with the New York State Department of Labor’s 24/7 tracking of a high-level employee’s personal vehicle because the employer had a reasonable suspicion that the employee was not working when he said that he was. Under that reasoning, tracking an employee during working hours clearly would be permissible. On the other hand, the dissenting judges in the New York case found that tracking the employee during non-working hours was excessively intrusive, particularly because the GPS device reported the employee’s location during a week-long family vacation.

Employers should note that many GPS devices are either on at all times or off. In these circumstances, employers should develop controls that will limit access to location tracking information to employees’ scheduled working hours.

Finally, private employers should note Justice Scalia’s reliance on the notion of trespass in finding that the government’s warrantless installation of the GPS device on Jones’s wife’s Jeep violated the Fourth Amendment. Similarly, an employer’s unauthorized placement of a GPS device on an employee’s personal vehicle might support a claim based on a common law trespass theory. As a result, employers should be particularly cautious when using any form of location tracking not associated with company-owned equipment.

Is It Legal for an Employer to Secretly Track an Employee's Personal Vehicle 24/7 for One Month? Perhaps!

Privacy and Data Protection Practice Group — Fri, 20 Jan 2012 14:05:01 -0800

By Philip L. Gordon

A recent decision by a New York appellate court is one of the first cases to address the surreptitious use of location tracking for employment purposes. The 3-2 split decision highlights the on-going disagreement among judges over the lawful use of Global Positioning Systems (GPS). The New York case is particularly noteworthy because the U.S. Supreme Court in U.S. v. Jones (argued November 7, 2011) (Note: the lower court case is U.S. v. Maynard, on cert to the U.S. Supreme Court the case is U.S. v. Jones, referring to respondent Antoine Jones) is currently considering virtually the same issue addressed by the New York court, but in the criminal context. Given the increasing use of GPS in the workplace, employers need to understand the legal risks associated with this highly effective management and investigative tool.

The subject of the New York case was a 30-year employee of New York’s Department of Labor, serving most of that time as the Department’s Director of Staff and Organizational Development. Despite his high-level position, he had been a “problem employee” for nearly a decade, having been disciplined on several occasions. The dispute that ultimately led to the appellate court decision had its inception in the Labor Department’s investigation of the employee for falsifying time records. The Department initially tried to track him the “old-fashioned way,” i.e., by tailing him, but the employee spotted and evaded the tail. The state’s Inspector General, to whom the Labor Department referred the investigation, then secretly planted a GPS device on the employee’s personal vehicle and collected location data 24/7 for a one-month period. Based, in part, on the location data collected, a Labor Department hearing officer recommended the employee’s termination for, among other things, falsifying time records.

Although the employee was a public employee, his case has relevance for private employers for the following reason. On appeal, the employee contended that the Labor Department could not lawfully rely on the location-tracking data to discipline him, invoking the exclusionary rule in New York’s civil service law. Under that rule, the hearing officer and the appellate court had to determine whether the Inspector General’s use of surreptitious location tracking was reasonable at inception and in its scope. That standard is similar to (albeit somewhat lower than) the standard that a court would apply to determine whether a private employer’s use of GPS to track an employee constituted a common law invasion of privacy. Given that no state other than California has enacted a law that prohibits a private employer from tracking an employee’s personal vehicle, a private employee terminated based on location information most likely would rely on a common law invasion of privacy claim to obtain a remedy.

The appellate court’s split decision on the reasonableness of the Inspector General’s use of location tracking highlights the difficult balancing that private employers must conduct when considering whether to use GPS as an investigative tool. All five judges agreed that use of the GPS was reasonable at inception because the Labor Department had a reasonable suspicion of the employee’s wrongdoing. The three-judge majority further concluded that 24/7 location tracking for one month was reasonable because the employee had intentionally undermined less intrusive investigative methods and because “the GPS devices were not constantly monitored;” instead, the Inspector General extracted only location information revealing the employee’s whereabouts during working hours. Rejecting this reason, the two dissenters emphasized that the Labor Department’s “valid interest in [the employee’s] whereabouts extended only to the hours of his workday and yet the tracking had continued for one month.” The dissenters found it particularly troubling that the Inspector General had tracked the employee’s location during a week-long family vacation.

The reasoning on both sides of the decision provides useful guidance for private employers seeking to use location tracking as an investigative tool. At least until the courts provide more guidance, it would be prudent for employers to use surreptitious location tracking only when other, less intrusive methods would be unsuccessful. In addition, where technically feasible, location tracking should be limited to working hours. When not technically feasible, employers should access only location data recorded during working hours.

Photo credit: rrocio

Upcoming Privacy Events

Privacy and Data Protection Practice Group — Tue, 20 Dec 2011 10:10:24 -0800

Philip Gordon will be speaking on a range of privacy and data protection issues at the following upcoming events:

Date: January 11, 2012
Conference: BNA
Location: Webinar
Topic: Phil Gordon and Michael McGuire, Shareholder and Chief Information Security Officer at Littler, will co-present “The Challenges of Bring Your Own Device (BYOD) to Work Policies”
Description: With employees demanding the ability to use their personal smart phones and tablets for business purposes and employers looking for new ways to reduce cost and increase productivity, the trend towards “dual-use devices” in the workplace will undoubtedly continue to pick up stream. This webinar will provide practical recommendations for both areas so that your organization understands the risks of saying “yes” to requests from C-level executives or department chiefs to connect their smartphones or tablets to the corporate network.
For more information and to register, please visit: www.bna.com/own-device-19107/.

Date: February 1, 2012
Conference: ACI Privacy & Security of Consumer and Employee Information (pdf)
Location: The Westin Washington, DC City Center, Washington D.C.
Topic: “Mobile Devices, Applications, and Workforces: Minimizing the Threats Posed Through Proven Security Measures”
Description: Phil Gordon will moderate a panel of experts discussing, among other things, how to:

Raise employee awareness and educate employees in the handling of sensitive data
Safeguard company equipment and wireless devices and minimize damage in the event of breach
Protect corporate networks from the use of multiple portable devices while preserving employee rights
Establish policies and procedures to strengthen and maintain data security

For more information and to register, please click here (pdf).

Date: February 9-10, 2012
Conference: Littler Global Employer – Latin America Conference
Location: Miami, Florida
Topic: “The Legal and Operational Challenges of Complying with New Latin American Data Protection Laws”
Description: In the past two years, Colombia, Costa Rica, Mexico, Peru, and Uruguay have enacted broad data protection laws which generally follow the E.U. Model but also have a distinct Latin flavor. These laws require employers to fundamentally rethink the way that they handle employees’ personal data in these countries and impose significant restrictions on the transfer of employees’ personal data within the corporate group. This presentation will provide a detailed explanation of the key requirements of Mexico’s new privacy law and pending regulations, identify key similarities and differences among the new privacy laws in these five countries, and make practical recommendations for harmonizing multi-national compliance efforts from a legal and operational perspective. Joining in the discussion are speakers Michael McGuire, Shareholder and Chief Information Officer at Littler, Javiera Medina, Shareholder in Littler’s Mexico office and Dr. Rainer Lorenzo, Senior Director, Legal & Business Affairs, HBO Latin America.
For more information and to register, please visit: www.littler.com/events/global-employer-latin-america.

Date: March 9, 2012
Conference: IAPP Global Privacy Summit
Location: Washington Marriott Wardman Park, Washington D.C.
Topic: “Who Are Your Applicants and Employees Anyway? Conducting Lawful Social
Media, Criminal History and Credit Checks”
Description: This session will examine background checks against the backdrop of vendor limitations, social media, new state laws, and FTC regulation. The presentation will cover recent legal developments affecting the permissible scope of background checks and provide practical steps an organization can take to conduct lawful background checks.
For more information and to register, please visit: www.privacyassociation.org/events_and_programs/global_privacy_summit/.

Photo credit: CrackerClips

New Littler Blog: Employee Benefits Counsel

Privacy and Data Protection Practice Group — Wed, 30 Nov 2011 17:04:13 -0800

We are pleased to announce a new addition to Littler's blogroll:

Employee Benefits Counsel

Brought to you by Littler's Employee Benefits, ERISA and Benefit Plan Litigation, and Executive Compensation practice groups, this blog covers:

Legislative and regulatory developments in the employee benefits arena, including the topics of health care reform; plan design and administration; employee benefits litigation; and
Executive compensation, providing insight and analysis on legal developments that warrant discussion.

During this time of significant governmental change and shifts in the strategy and style of benefits litigation, Littler's depth of experience in employee benefits, litigation, and executive compensation matters gives our attorneys a distinctly broad perspective with which to provide insight and useful analysis of the latest developments. To subscribe to receive email alerts of new blog posts, please enter your email address in the Subscribe box on the right side of the Employee Benefits Counsel blog homepage.

Photo credit: IdeaBug Media

EEOC Advisory Opinion on Employer Use of Arrest & Conviction Records During Hiring Process

Privacy and Data Protection Practice Group — Tue, 25 Oct 2011 15:37:50 -0800

The Equal Employment Opportunity Commission's Office of Legal Counsel released an advisory opinion on employer use of arrest and conviction records during the hiring process. The non-binding letter provides some insight into the Commission's current enforcement position and suggests the Commission: (1) will continue to differentiate between arrest and conviction records; (2) may not be prepared to adopt a presumption of disparate impact in this context; and (3) will in the event of a finding of disparate impact, closely scrutinize the employer's policy with regard to both how long convictions are disqualifying and whether the underlying criminal conduct is related to the job duties for the position in question. To learn more about the EEOC's advisory opinion and its potential impact on employers, please continue reading Littler's Insight, EEOC Advisory Guidance Offers Insight on the Use of Arrest and Conviction Records, by Rod Fliegel and Jennifer Mora.

California Restricts Employer Use of Credit Reports

Privacy and Data Protection Practice Group — Mon, 10 Oct 2011 09:53:22 -0800

On October 10, 2011, the Office of California Governor Jerry Brown announced that Governor Brown had signed AB 22, legislation that adds a new provision to the California Labor Code and amends the state's Consumer Credit Reporting Agencies Act to restrict the discretion that private and public sector employers have to use "consumer credit reports" for hiring and personnel decisions. Together, the new laws, which take effect on January 1, 2012, limit when employers lawfully can use consumer credit reports and impose notice and disclosure obligations on employers who intend to do so. To learn more about the laws and their implications for employers, please continue reading Littler's ASAP, California Joins States Restricting Use of Credit Reports for Employment Purposes, by Rod Fliegel and Jennifer Mora.

NLRB Opens Useful Escape Hatch for Employers Responding to Obnoxious Social Media Conduct

Privacy and Data Protection Practice Group — Mon, 03 Oct 2011 12:40:22 -0800

By Philip L. Gordon

Selling luxury cars in a down economy can be tough enough without employees mocking a company-sponsored sales event on their Facebook page. An administrative law judge (ALJ) with the National Labor Relations Board (NLRB) issued an opinion last week holding that the National Labor Relations Act (NLRA) protected an employee’s sarcastic post, but nonetheless upheld the dealership’s termination decision because it was based on other, unprotected Facebook content. The decision is an important reminder for employers that when protected and unprotected content appear on the same Facebook wall, the protected content does not shield the employee from discipline based on the unprotected content.

The Knauz BMW dealership in Lake Bluff, Illinois, planned the “Ultimate Driving Event” to introduce the redesigned BMW 5 Series to its customers. At the event, the dealership not only offered BMW representatives, rather than the dealership’s sales staff, to take customers for a test drive, but also served hot dogs from a hot dog car as well as chocolate chip cookies, small bags of Doritos, and water. Upon learning of the dealership’s plans for the event, salesman Bobby Becker, and at least one other salesperson questioned the culinary selection. After the event, Becker tweaked the dealership on his Facebook page: “The small 8 oz. bags of chips, and the $2.00 cookie plate from Sam’s Club, and the semi fresh apples and oranges were such a nice touch . . . but to top it all off . . . the Hot Dog Cart. Where our clients could attain a over cooked weiner and a stale bunn . . . ”

Becker’s rag on the Ultimate Driving Event did not stand alone. On the same day, he also posted about a potentially serious mishap at the nearby Land Rover dealership also owned by Knauz BMW. Becker described the drama on his Facebook page, alongside a photograph with the following comment: “This [photograph shows] what happens when a sales Person sitting in the front passenger seat (Former Sales Person, actually) allows a 13 year old boy to get behind the wheel of a 6000 lb. truck built and designed to pretty much drive over anything. The kid drives over his father’s foot and into the pond in all about 4 seconds and destroys a $50,000 truck. OOOPS!”

In deciding whether Knauz BMW violated the NLRA by discharging Becker, the ALJ agreed with the NLRB’s General Counsel that Becker’s Facebook comments about the food at the Ultimate Drive Event were protected concerted activity, a position previously expressed by the General Counsel in its August 2011 report on the NLRB’s social media cases which we discussed in an earlier blog post. The ALJ reasoned that Becker’s comments were protected because it was possible, albeit not likely, that the food selection could have had an impact on Becker’s commission-based compensation. In the words of the ALJ, “some customers [possibly] were turned off by the food offerings at the sales event and [perhaps] did not purchase a car because of it.” The ALJ also found that Becker’s Facebook posting was concerted activity — even though no co-worker participated in, or commented on, the post — because the post was the “logical outgrowth of” the criticisms by Becker and at least one other co-worker of the food selection during the sales force’s meeting with management before the event. This result demonstrates just how broadly the NLRB interprets the concept of “protected concerted activity” which cannot properly be the subject of employee discipline.

Notably, the ALJ rejected Knauz BMW’s argument that Becker’s Facebook post should lose its protection under the NLRA because the post disparaged the dealership. Without much analysis, the ALJ noted that the NLRB had previously rejected the same argument in cases where employees’ protected speech was mocking, sarcastic, satirical, ironic, demeaning or even degrading. It appears that an employee’s protected speech will need to reach a high level of injuriousness before the Board will strip that speech of the NLRA’s protections.

Although Becker had engaged in protected concerted activity, the ALJ still determined that Knauz BMW’s decision to axe Becker was lawful. The ALJ found persuasive the testimony of management employees that Becker’s facetious comments about the serious and potentially deadly Land Rover mishap triggered the termination decision. The ALJ then determined that this post did not constitute protected concerted activity because “it was posted solely by Becker,” “without any discussion with any other employee,” and “had no connection to any other employees’ terms and conditions of employment.”

The lesson for employers? Employees who post some protected social media content do not protect themselves with impunity from adverse employment action. Employers can rely on unrelated, unprotected social media posts to justify termination;they just need to be prepared to prove that the unprotected speech was the driving force behind the disciplinary decision.

California Amends its Security Breach Notification Law

Privacy and Data Protection Practice Group — Fri, 09 Sep 2011 12:55:55 -0800

By Ellen M. Giblin

On August 31, 2011, Governor Jerry Brown signed Senate Bill 24, amending California’s security breach notification law. That law was the nation’s first to require data owners to disclose a data breach to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Senate Bill 24 applies to breaches occurring on or after January 1, 2012, and makes several important changes to the landmark law.

First, SB 24 enhances the security breach notifications sent to affected individuals. Whereas before the notice law did not impose any requirements for the content of the notice, the amended law requires that the notice contain specific information regarding the breach, including the following: (a) the name and contact information of the reporting person or business; (b) the types of personal information subject to the breach; (c) the date or date range of the breach; (d) whether notification was delayed due to law enforcement investigation; (e) a general description of the breach; and (f) the toll-free telephone numbers and addresses of the three major credit bureaus, if the breach exposed a social security number, driver’s license or California identification card number.

Second, SB 24 adds a requirement to notify the state’s attorney general about a breach. More specifically, the notice law now requires any agency, person, or business that sends a security breach notice to more than 500 California residents to electronically submit a single sample copy of that security breach notification to the attorney general, excluding any personally identifiable information. This change adds California to the list of states that require some type of notice to the state’s primary regulator of security breaches.

Third, this bill deems any HIPAA-covered entity to have complied with California’s new notification requirements if the covered entity complied with the similar breach notification requirements in Section 13402(f) of the federal Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). However, the covered entity is not exempt from any other provision of California’s notice law.

Finally, SB 24 also amends Section 1798.82(j) of California’s security breach notification law regarding substitute notice. Reporting entities which seek to notify individuals of a security breach through the state’s media, rather than directly, must now also notify the Office of Privacy Protection within the State and Consumer Services Agency.

In light of these changes, employers will need to update their incident management plans and add these new requirements into their notification policies to ensure compliance with the many state data breach notification requirements.

California SB 24 takes effect January 1, 2012, providing enhanced notification requirements similar to those required under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Hard copy breaches are still not covered under the California law.

Photo credit: dra_schwartz

More Guidance from the NLRB on Social Media: When Must Employers Not Fire an Employee for an Offensive Facebook Post?

Privacy and Data Protection Practice Group — Mon, 22 Aug 2011 15:05:08 -0800

By Philip Gordon

In a recent blog post, we addressed three Advice Memos issued by the National Labor Relations Board’s (NLRB or the “Board”) Division of Advice, which provided useful guidance on the types of social media conduct that do not enjoy protection under the National Labor Relations Act (NLRA). On August 18, 2011, not long after the publication of those Advice Memos, the NLRB’s General Counsel issued a lengthy memorandum to all Regional Directors that summarizes the Board’s resolution of more than one dozen “social media cases,” including the three cases discussed in our prior blog post. As a contrast to that post, this post will focus on the cases in the August 18, 2011, Memorandum where the General Counsel found that an employer’s discharge of an employee violated the NLRA. The August 18, 2011, Memorandum also provides useful guidance on social media policies, which are addressed below as well.

When Not to Fire an Employee Based on a Social Media Post

The August 18, 2011, Memorandum summarizes four cases that concluded that the employer’s discipline violated the NLRA. In a nutshell, these cases involved the termination of one or more employees based on the following social media conduct:

While preparing for a meeting with management, an employee asked coworkers on her Facebook page for their reaction to another employee’s complaints about work quality and staffing levels at the employer;
An employee complained on her Facebook page about her supervisor’s refusal to permit a union representative to assist her in responding to a customer complaint about the employee;
A salesmen at a car dealership criticized on his Facebook page the dealership’s handling of a sales event intended to promote a new car model and posted mildly mocking photographs that included his coworkers;
Employees posted on Facebook about the employer’s failure to withhold state income taxes, resulting in the employees’ receiving payment demands from state tax authorities.

In all of these cases, employees posted on their own Facebook page, on their own time, and using their own equipment.

When viewed as a group, these cases have a common thread that provides substantial insight into how the Board analyzes social media cases. Most importantly, the subject matter of each of these posts related to the terms and conditions of employment, the exercise of rights conferred by the NLRA, or other matters traditionally considered “protected activity” under the Boards’ precedent. The topics included: (a) preparation for a discussion with management about employees’ job performance and the employer’s staffing levels; (b) the right in a unionized workplace to union representation during an investigatory interview by the employer; (c) conduct by the employer (a sales event) that could have an impact on employees’ compensation (their sales commissions); and (d) the employer’s administration of income tax withholdings.

Of equal significance, in each of these situations, the General Counsel concluded that employees were collaborating, otherwise known as “concerted activity.” In the first case, the employee was seeking assistance from coworkers in preparation for a discussion with management. In the second case, the employee was discussing supervisory actions with coworkers who were her Facebook friends. In the third case, the employee was expressing the sentiment of his coworkers about the sales event. In the fourth case, employees were sharing concerns about the employer’s failure to withhold state income taxes. None of these cases could be said to involve individual gripes.

While the fulcrum of these cases is the General Counsel’s determination that the disciplined employees were discussing protected subject matters and doing so in concert with their coworkers, there is one other common thread that can help employers weigh risks when deciding whether an employee’s social media post justifies discipline. In each of the cases, the offending Facebook post was either the culmination of an on-going dispute with the employer or the continuation of a pre-existing conversation among employees. In contrast to these fact patterns, the Facebook posts discussed in our previous blog entry and upon which the Division of Advice relied to justify discipline were relatively spontaneous and had no real history behind them.

Profanity Generally Will Not Justify Discipline for Protected Concerted Activity

According to the General Counsel, the offending Facebook posts in these cases included “swearing and/or sarcasm,” use of a “short-hand expletive,” and references to management personnel as an “asshole” and a “scumbag.” Nonetheless, in each case, the General Counsel concluded that the employer’s termination violated the NLRA.

The General Counsel’s analysis in these cases seems to give employees a license to curse. In finding that an employee did not lose the NLRA’s protections after calling her supervisor a “scumbag,” the General Counsel relied on the following facts: (a) “the Facebook posts did not interrupt the work of any employee because they occurred outside the workplace and during nonworking time;” (b) “the comments were made during an online employee discussion on supervisory action;” (c) “the name-calling was not accompanied by verbal or physical threats;” (d) “the Board has found more egregious name-calling protected;” and (e) “the employee’s Facebook postings were provoked by the supervisor’s unlawful” conduct.

In social media cases, the first three or four factors listed above typically will be present. Thus, the Board effectively is telling employers that they must have a thicker skin when it comes to employees’ raunchy social media posts.

Disclaimers and Carefully Crafted Policies Are Critical

Throughout the August 18, 2011, Memorandum, the General Counsel identified social media policy provisions that the General Counsel deemed overbroad and in violation of the NLRA. At first blush, these determinations are portentous for employers because employers routinely include the challenged provisions in their social media policy. However, the August 18, 2011, Memorandum suggests — at least implicitly — how employers can retain these commonly used policy provisions without running afoul of the NLRA.

The list of policy provisions found to be overbroad is lengthy but worthy of repetition. The list includes the following:

Inappropriate Discussions: Prohibition against “inappropriate discussions about the company, management, and/or coworkers;”
Defamation: Prohibition on any social media post that “constitutes embarrassment, harassment or defamation of the [company] or of any [company] employee, officer, board member, representative, or staff member;”
Disparagement: Prohibition against “employees making disparaging comments when discussing the company or the employee’s superiors, coworkers and/or competitors;”
Privacy: Prohibition on “revealing, including through the use of photographs, personal information regarding coworkers, company clients, partners, or customers without their consent;”
Confidentiality: Prohibition on “disclosing inappropriate or sensitive information about the Employer;”
Contact Information: Prohibition on “using the company name, address, or [related] information on [employees’] personal profiles;”
Logo: Prohibition on using “the Employer’s logos and photographs of the Employer’s store, brand, or product, without written authorization;”
Photographs: Prohibition against “employees posting pictures of themselves in any media . . . which depict the Company in any way, including company uniform [or] corporate logo.”

Removing all of the prohibitions described above would eviscerate most social media policies. Fortunately, such drastic action does not appear to be necessary.

In finding these rules unlawful, the General Counsel emphasized not only their overbreadth (i.e., “the [rules] utilized broad terms that would commonly apply to protected criticism of . . . terms and conditions of employment”), but also that “the rule[s] contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.” This italicized language suggests that the rules quoted above will not violate the NLRA as long as the policy contains a disclaimer which explicitly informs employees that the policy will not be construed or applied in a manner that improperly interferes with employees’ rights under Section 7 of the NLRA.

The General Counsel also provided some guidance for policy drafting by rejecting challenges to several other policy provisions. One upheld policy, for example, provided that “no employee could ever be pressured to ‘friend’ or otherwise connect with a coworker via social media.” The General Counsel reasoned that this policy was “sufficiently specific,” “clearly applied only to harassing conduct,” and could not be read to prohibit employees from friending for purposes of engaging in activity protected under the NLRA.

In a second example, the General Counsel approved of a policy that required employees to “maintain confidentiality about sensitive information” and to direct all media inquiries to the company’s public affairs office after stating that the employee was not authorized to comment. The General Counsel determined that this policy did not violate the NLRA because it was intended only “to ensure a consistent, controlled company message,” was not a blanket prohibition on all contact between employees and the media, and “did not convey the impression that employees could not speak out on the terms and conditions of their employment.”

These examples suggest that an employer can increase the likelihood that its social media policy will survive the NLRB’s scrutiny if the policy emphasizes the legitimate purposes that it seeks to achieve, such as protecting the employer’s good will and brand reputation. In addition, restrictions in the policy on employees’ social media conduct should, where practicable, be narrowly tailored to meet those legitimate objectives.

Photo credit: TommL

Telework - The Crisp New Term for "Working from Home"

Privacy and Data Protection Practice Group — Mon, 22 Aug 2011 13:04:18 -0800

By Ellen M. Giblin

The Guide to Telework in the Federal Government informs and provides guidance on the Telework Enhancement Act of 2010, which was signed into law on December 9, 2010. The Act establishes baseline expectations for the federal telework program and is a key factor in the federal government’s ability to achieve greater flexibility in managing its workforce. The Telework Guide is an understandable roadmap for other employers to the future of a remote and plugged-in workforce, while complying with the myriad of laws that govern the traditional workplace.

The Telework Enhancement Act of 2010 defines "telework" as a work flexibility arrangement under which an employee performs his or her duties and responsibilities from an approved worksite other than the location from which the employee would otherwise work. The fundamental principle of the telework program is clear: telework is not an employee right. Federal law requires agencies to establish telework programs, but does not give individual employees a legal right to telework. Importantly, the Telework Guide states that telework may not be used as a substitute for dependent care [the Guide specifically states that it may be used as a reasonable accommodation], and that employee participation in telework is voluntary.

Telework is primarily an arrangement established to facilitate the accomplishment of work. Private employers, like federal agencies, retain the discretion and obligation to determine employee eligibility for telework subject to business-related needs. For private employers this guide is a gem; it provides guidance on the policies and procedures that the federal government considers necessary to address the risks and rewards of a remote workforce.

With respect to privacy and information security, the Telework Guide provides guidance on the proper handling of confidential information and training on appropriate safeguards for customer and employee information. The Telework Guide states, under the section entitled “Safeguarding Information and Data,” that “[e]mployees must take responsibility for the security of the data and other information they handle while teleworking.”

Interestingly, the basis of the work relationship is a “Telework Agreement.” Each eligible employee authorized to telework enters into a written agreement with his/her supervisor which includes an interactive telework training program provided to eligible employees and their managers. The program must be successfully completed by employees before entering into the written telework agreement.

Private employers will benefit from the guidance provided in The Telework Guide. Although the Guide applies only to federal employers, there are strong parallels between telework in the private and public sectors, particularly when it comes to safeguarding sensitive customer and employee information.

When Can Employers Lawfully Fire an Employee for an Offensive Facebook Post? Ask the NLRB

Privacy and Data Protection Practice Group — Mon, 01 Aug 2011 11:00:24 -0800

By Philip L. Gordon

Ever since the National Labor Relations Board (NLRB) filed a complaint, last November, against ambulance service provider AMR for firing an employee who had called her supervisor a “mental patient” on her Facebook wall, employers have been forced to ask themselves the following question: Do I really need to worry that the NLRB will knock on my door every time I discipline an employee for an obnoxious or offensive Facebook post related to work? Until two weeks ago, there was no easy answer to that question. The AMR case and virtually all of the other “Facebook cases” initiated by the NLRB had either settled or had not yet resulted in a published decision. Then, last month, the NLRB’s Office of General Counsel issued three Advice Memoranda in rapid succession that provide at least some guidance for employers trying to navigate the intersection of social media and labor law.

Two of the Advice Memoranda draw the same bright line rule: an employee who communicates about work through Facebook but only with family or friends cannot invoke the protections of the National Labor Relations Act (NLRA) to avoid dismissal. In one of these two cases, an employee of a residential home for homeless individuals with significant mental illness posted facetious comments about residents on her Facebook wall. Only a personal friend responded to the Facebook posts, and none of the employee’s coworkers were her Facebook friends. The General Counsel concluded that the employee’s Facebook posts were not protected because the employee was merely communicating with personal friends about work. In addition: (a) her posts did not relate to the terms or conditions of employment; (b) the employee did not discuss her posts with coworkers, and no coworkers responded to them; and (c) the employee was not seeking to induce collective action and her posts were not an outgrowth of collective concerns.

The second case was a slightly tougher one. There, a bartender complained through Facebook to his step-sister about this employer’s policy barring him from sharing in tips given to servers even though the bartenders helped to serve food. The General Counsel concluded that the bartender could not rely on the NLRA to reverse his firing, even though the post related to the terms of employment, for the same reasons that the employee of the residential home could not do so – the employee did not discuss his post with coworkers and the employee was not seeking to induce collective actions.

The third case provides the most useful guidance, drawing the line between individual gripes (unprotected) and collective activity (protected). In that case, the employee made the following comments about her store’s Assistant Manager:

I swear if this tyranny doesn’t end in this store, they are about to get a wakeup call because lots are about to quit.
* * * *
[Assistant Manager] is being a super mega puta! Its retarded I get chewed out cuz we got people putting stuff in the wrong spot and then the customer wanting it for that price . . . . I’m talking to [Store Manager] about this shit because if it don’t change [Company] can kiss my royal white ass.

The General Counsel concluded that the employer could lawfully fire the employee because the posts expressed only an individual gripe, i.e., the employee’s own “frustration regarding his individual dispute with the Assistant Manager over mispriced or misplaced sale items.” The General Counsel also concluded that the responses to the posts by the employee’s coworkers did not convert these individual gripes into collective action because those comments reflected the coworkers’ understanding that the employee was speaking only on behalf of himself. One coworker laughed (“bahaha like!”); one coworker asked why the employee was so “wound up;” and a third expressed only emotional support (i.e., “hang in there”).
In each of the three Advice Memoranda, the General Counsel referred to the same or similar legal standards. These standards also provide useful guidance and include the following

Protected: When the employee “acting with or the authority of” coworkers (a) “seeks to initiate, induce or prepare for group action,” or (b) “brings truly group complaints to the attention of management.”
Protected: The employee’s activities are “the logical outgrowth of concerns expressed by the employees collectively.”
Unprotected: The employee is engaging in activity “solely by and on behalf of the employee himself.”
Unprotected: The employee’s comments are “mere griping” as opposed to “group action.”

While these guidelines and the Advice Memoranda obviously do not address the full range of Facebook conduct that intersects with the workplace, they do at least provide some guideposts for employers when deciding whether to discipline or fire an employee based on his or her obnoxious or offensive Facebook post.

EEOC Holds Meeting on Use of Arrest and Conviction Records During Hiring Process

Privacy and Data Protection Practice Group — Wed, 27 Jul 2011 13:34:42 -0800

On Tuesday, July 26, 2011, the Equal Employment Opportunity Commission (EEOC) held its latest meeting on the topic of protections for job applicants with arrest and conviction records under Title VII of the Civil Rights Act of 1964. The full Commission heard remarks from the panelists related to three areas: "Best Practices From Employers," "An Overview of Local, State and Federal Programs and Policies" and "Legal Standards Governing Employers' Consideration of Criminal Arrest and Conviction Records."

Although for the past few years the EEOC has renewed its focus on the hiring process, including Title VII protections for ex-offenders, the current Commissioners (Jaqueline Berrien, Stuart Ishimaru, Constance Barker, Chai Feldblum and Victoria Lipnic) have not indicated whether the EEOC will update its 1987 Policy Statement on the Issue of Conviction Records under Title VII, and did not do so at the July 26 meeting. As a result, it remains important for employers who may be the target of disparate impact claims or charges challenging their conviction-based screening policies to: (1) understand the current state of the case law; and (2) continue to closely monitor developments at the federal, state and local levels in this dynamic area of the law.

To learn more about the EEOC's meeting on employers' use of criminal arrest and conviction records during the hiring process, and the potential implications for employers, please continue reading Littler's ASAP, The EEOC's Priorities Still Include Regulating the Use of Criminal Records by Employers, by Rod Fliegel and Barry Hartstein.

Connecticut Law Restricts Employer Use of Credit Reports

Privacy and Data Protection Practice Group — Mon, 25 Jul 2011 08:14:21 -0800

Effective October 1, 2011, employers in Connecticut will face new restrictions on the use of credit reports regarding current or prospective employees as a result of the recent enactment this month of Connecticut Public Act 11-223. In enacting the new law, Connecticut becomes the sixth state limiting employers' use of credit reports, following Hawaii, Washington, Oregon, Illinois, and Maryland. Similar laws are pending in several other states and at the federal level. The Equal Employment Opportunity Commission (EEOC) is also conducting related investigations and pursuing at least one disparate impact claim based on the use of credit reports. Thus, employers who use credit history information to inform hiring or personnel decisions in states that have enacted credit check laws should review their policies for compliance, and employers everywhere should continue to monitor developments in this evolving area of the law. To learn more about the Connecticut law and its implications for employers, please continue reading Littler's ASAP, Use of Credit Reports by Employers Will Soon Be Restricted in Connecticut, by Rod Fliegel and William Simmons.

Photo credit: Pawel Gaul