Workplace Privacy Counsel

Seattle Limits Inquiries Into and Use of Criminal Records for Employment Purposes

Privacy and Data Protection Practice Group — Mon, 17 Jun 2013 16:15:13 -0800

Effective November 1, 2013, Seattle, Washington will join various other jurisdictions (most recently Minnesota, Indiana, North Carolina and Buffalo, New York) that limit inquiries into and the use of criminal records for employment purposes. On June 10, 2013, the Seattle City Council adopted Council Bill 117796 (the Ordinance), which Mayor Mike McGinn is expected to sign. The Ordinance provides for administrative enforcement but affords no private right of action. Nonetheless, employers with operations or employees in Seattle should review the prohibitions in the Ordinance and should also continue to monitor related developments across the U.S.

Using criminal record information for employment purposes is currently a hot-button issue. In addition to the passage of ordinances such as this, earlier this week the Equal Employment Opportunity Commission (EEOC) filed two new disparate impact discrimination lawsuits asserting that the employers used criminal records for employment purposes in a manner that violates Title VII of the Civil Rights Act of 1964. There has also been a considerable spike in class action lawsuits filed against employers for using background checks in violation of the federal Fair Credit Reporting Act (FCRA).

To learn more, please see Littler's ASAP, Seattle Adopts Ordinance Limiting Inquiries Into and Use of Criminal Records for Employment Purposes, by Rod Fliegel, Pam Salgado, Dan Thieme, and Jennifer Mora.

Flurry of New Employment Laws Regulating the Use of Criminal Records Continues with Expanded Restrictions in Indiana, North Carolina, Texas, and Buffalo, New York

Privacy and Data Protection Practice Group — Mon, 17 Jun 2013 15:58:26 -0800

The public policy interests supporting employment-related protections for ex-offenders, including encouraging ex-offenders to reenter the workforce, are detailed in the updated EEOC Enforcement Guidance, titled “Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964,” released in April 2012. And, while states like California, Massachusetts, New York and Wisconsin already extend such protections to ex-offenders, employers need to be mindful of additional new state and local laws that seek to promote these same public policy interests by restricting inquiries into and the use of criminal records for employment purposes. For example, late last year the City of Newark, New Jersey, enacted a so-called “Ban the Box” ordinance that, with very limited exceptions, prohibits employers from inquiring about an applicant’s criminal history on an employment application, and Minnesota followed suit just last month by enacting the state’s own version of a “Ban the Box” law. The trend continues across the country, and thus now, perhaps more than ever before, employers must stay abreast of these ex-offender protection laws and should closely monitor pending legislation at both the federal, state and local level.

On the reverse side of this issue, recognizing that employers have potential tort exposure for hiring ex-offenders, some state legislatures have taken steps to protect employers from tort claims like negligent hiring and/or retention. One example is a new law pending in Texas. This legislation is intended to further the same public policy interests, but takes a different and more sensible approach: curbing lawsuits against employers rather than denying employers access to potentially salient information about a candidate’s criminal past.

To learn more, please see Littler's ASAP, The Flurry of New Employment Laws Regulating the Use of Criminal Records Continues with Expanded Restrictions in Indiana, North Carolina, Texas, and Buffalo, New York, by Jennifer Mora, Rod Fliegel, and Sherry Travers.

Social Media Password Protection and Privacy -- The Patchwork of State Laws and How It Affects Employers

Privacy and Data Protection Practice Group — Wed, 05 Jun 2013 17:09:01 -0800

Shortly after the Littler Report, Workplace Policy Institute: Social Media Password Protection and Privacy -- The Patchwork of State Laws and How It Affects Employers, by Phillip Gordon, Amber Spataro, and William Simmons was published last month, the legislatures of Arkansas, Colorado, Oregon, and Washington passed social media password protection bills. In addition, New Jersey's Governor conditionally vetoed the bill passed by that state's legislature. The revised Littler Report addresses these new developments. We also have revised our proposed model legislation in light of these developments.

To read the updated Littler Report, click here.

Oregon Passes Social Media in the Workplace Law

Privacy and Data Protection Practice Group — Tue, 04 Jun 2013 11:30:29 -0800

On May 22, 2013, Oregon Governor John Kitzhaber signed into law House Bill 2654, making Oregon the tenth state to enact a law prohibiting employers from accessing employees' private social media sites. The new law, which becomes effective January 1, 2014, makes it an unlawful employment practice for employers to compel employees or applicants for employment to provide access to their personal protected social media accounts.

Continue reading about this development in Littler's ASAP: Oregon Passes Social Media in the Workplace Law by Howard Rubin and Don Stait.

Photo credit: Warchi

Nevada Latest State to Restrict Use of Credit Reports for Employment Purposes

Privacy and Data Protection Practice Group — Thu, 30 May 2013 16:24:28 -0800

On May 25, 2013, Nevada Governor Brian Sandoval signed a new law making Nevada the third state in the last 12 months to enact legislation restricting use by employers of credit reports and other credit history information for hiring and other employment-related purposes. Nevada's new law, which goes into effect October 1, 2013, follows closely on the heels of similar legislation enacted by Colorado in April 2013, and adds Nevada to the handful of other states that have similar laws: California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont, and Washington.

Nevada Senate Bill 127 amends Chapter 613 ("Employment Practices") of the Nevada Revised Statutes to restrict the ability of employers to use an employee or prospective employee's "consumer credit report" or any "consumer credit information" for employment purposes.

To learn more about the law, please see Littler's ASAP, Nevada is the Latest State to Restrict the Use of Credit Reports for Employment Purposes, by Rod Fliegel, Bruce Young, and Jennifer Mora.

New Employee Privacy Law in Virginia Goes Into Effect July 2013

Privacy and Data Protection Practice Group — Mon, 20 May 2013 12:51:41 -0800

By Thomas Flaherty and Rebecca Roche

Virginia has enacted a new law that is intended to enhance employee protections, particularly during union organizing drives in the Commonwealth. Effective July 1, 2013, the law limits those situations in which an employer may be required to disclose certain information to third parties about current and former employees. Delegate Barbara Comstock, who spearheaded this law, calls it “...a victory for the rights of workers and for protecting employees in the workplace.”

The bill, entitled “Keeping Employees’ Emails and Phones (KEEP) Secure Act,” carries the title and tracks the language of a bill introduced in the U.S. Congress in February 2012 by Rep. Sandy Adams (R-FL), which would have prevented the National Labor Relations Board (the NLRB or Board) from implementing a rule requiring employers to provide to a union or the Board employee telephone numbers or email addresses. The federal bill did not pass. The Virginia law provides that employers cannot be “required to release, communicate, or distribute” to third parties personal identifying information (defined as home and mobile telephone numbers, email addresses, shift times and work schedules) about current or former employees, unless required by federal or state law, ordered by a court of competent jurisdiction, required pursuant to a warrant, or required by a subpoena or discovery in a civil case. These exceptions may largely swallow the rule, particularly if the NLRB changes the election procedures under the National Labor Relations Act (the NLRA) to include, among other things, a requirement that employers disclose employees’ phone numbers and email addresses to labor organizations once an election has been ordered.

Anticipated Legal Challenges

KEEP is an apparent response to an NLRB representation election rule that was proposed in June 2011, initially requiring employers to provide a final Excelsior list that includes employees’ names, addresses, telephone numbers, and email addresses to the union within two days after the representative election is scheduled. Although the NLRB historically has held that unions engaged in organizing campaigns are entitled to employee lists, they have only required that employers provide names and addresses of all eligible bargaining unit employees after an election is scheduled. The proposed rule would have significantly expanded the amount of personal information that employers are required to provide. The final rule, which was issued in December 2011 and was subsequently enjoined, does not contain these enhanced provisions regarding Excelsior lists; however, NLRB Chairman Mark Pearce has stated his intention to continue seeking these additional rule changes. An update on this issue, which was recently addressed at a Senate HELP Committee Hearing, can be found here.

While KEEP’s strict definition of “personal identifying information” does not conflict with the existing Excelsior rule, if the NLRB changes this rule as proposed, KEEP could become the subject of a preemption battle, focusing on whether such disclosures are “required” by federal law and therefore within the exemption.

Recommendations for Virginia Employers

Pending the outcome of any court challenges, employers in Virginia should consult with counsel to ensure that their practices and policies comply with the new law. Employers also should monitor developments at the NLRB and in the courts, and revise their policies concerning the confidentiality of personal data and work schedules, and access to personnel files, and similar policies commonly contained in employee handbooks and manuals to ensure information is not released in violation of KEEP. Employers also should provide training to human resources professionals who are charged with overseeing employee files to ensure that they understand these new obligations.

Additionally, employers should be mindful that KEEP does not prohibit the disclosure of private employee data if an exception does not apply; it merely states employers cannot be “required” to release such information. Therefore, employers have the discretion to decide their internal policies regarding voluntary disclosure of employee data in circumstances not covered by the Act. That said, KEEP articulates a public policy of the Commonwealth of Virginia, which means it may be cited by plaintiffs’ attorneys in negligence cases and public policy wrongful discharge cases, among others. It will be important to ensure that human resources managers are aware of the terms of the statute.

Minnesota Enacts "Ban the Box Law"

Privacy and Data Protection Practice Group — Mon, 20 May 2013 10:01:15 -0800

Effective January 1, 2014, recent amendments to Minnesota law will restrict the timing of pre-employment inquiries by most private employers into a candidate’s criminal past. Employers who are not exempted from the law may not (1) inquire into or consider or require disclosure of criminal record information until the applicant has been selected for an interview or, if there is not an interview, until a conditional job offer of employment has been extended to the applicant, and (2) use any form of employment application that seeks such criminal record information.

The new law does not outright preclude inquiries into or consideration of an applicant’s criminal past. Representative Tim Mahoney, who sponsored the legislation, has stated that the law “does not prohibit private employers from eventually conducting background checks and fully investigating the criminal past of potential employees,” but, “is designed to get applicants past the initial application stage, so that if they qualify for the job, they get a chance to explain themselves.” Further, the statute expressly states that it does not prohibit an employer from notifying applicants that either law or the employer’s policy will disqualify an individual with a particular criminal history background from employment for particular positions. To learn more about the law, please see Littler's ASAP, Minnesota Enacts “Ban the Box Law" Prohibiting Employment Application Criminal History Checkmark Boxes and Restricting Criminal Record Inquiries Until After Interviews or Conditional Job Offers, by Dale Deitchler, Rod Fliegel, Susan Fitzke and Jennifer Mora.

Colorado Becomes Tenth State to Pass Social Media Password Protection Legislation

Privacy and Data Protection Practice Group — Tue, 14 May 2013 14:39:50 -0800

By Philip L. Gordon, Katherine (Katie) Dix, and Jordan Cornett

The number of states enacting social media password protection laws has risen once again, as such legislation continues to gain traction across the country. On May 1, 2013, Colorado’s General Assembly became the ninth legislature to submit a bill to its governor restricting an employer’s ability to access the personal social media accounts of employees and applicants. The other states are Arkansas, California, Illinois, Maryland, Michigan, New Jersey, New Mexico, Utah and Washington. Compared to several of the more recent social media protection laws, such as New Jersey’s A.B. 2878, Colorado’s bill is relatively weak.

Colorado’s bill, H.B. 13-1046, prohibits an employer from engaging in three activities. First, an employer cannot “suggest, request, or require” an employee or applicant to disclose “any user name, password, or other means for accessing the employee’s or applicant’s personal account or service through the employee’s or applicant’s personal electronic communications device.” Second, H.B. 13-1046 prohibits an employer from compelling an employee or applicant to add anyone, including the employer or its agent, to the employee’s or applicant’s list of contacts associated with a social media account. Third, under the bill, an employer cannot cause an employee or applicant to change the privacy settings associated with a social networking account. An employer, for example, cannot coerce an applicant into making his Facebook page public, which would allow the employer to see his relationship status or posts.

The Colorado bill contains the same two exceptions as Maryland’s User Name and Password Privacy Protection Act, H.B. 13-1046. Specifically, the bill appears to allow an employer to request an employee’s log-in information to investigate suspected violations of securities laws or regulations, or suspected misappropriation of trade secrets when the employer suspects the misconduct involves the employee’s personal social media account. H.B. 13-1046 does not contain a more generalized exception for an investigation into suspected unlawful conduct or violations of employer policies.

The Colorado bill has one of the weaker remedial schemes as compared to other recent laws. H.B. 13-1046 does not confer a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. Instead, the bill allows an employee or applicant to file a complaint with Colorado's Department of Labor (DOL). The DOL must investigate the complaint, hold a hearing, and issue findings. The DOL may promulgate rules authorizing a fine of up to $1,000 for the first offense and up to $5,000 for each subsequent offense.

Washington Adds to Flood of Social Media Password Protection Legislation

Privacy and Data Protection Practice Group — Mon, 13 May 2013 11:54:07 -0800

By Philip L. Gordon and Joanna M. Silverstein

Washington State has joined this spring’s flood of password-protection legislation. Since mid-March of this year, legislatures in Arkansas, Colorado, New Jersey, New Mexico, and Utah also have passed bills restricting employers’ access to applicants’ and employees’ personal social media accounts.

The Washington bill (currently awaiting signature by Governor Inslee)* broadly prohibits employers from accessing employees’ and applicants’ social networking accounts. Employers are prohibited from: (a) requiring disclosure of log-in information; (b) asking for access to the account in the employer’s presence, i.e., shoulder surfing; (c) requiring the acceptance of a “friend” request from the employer; (d) requiring a change in privacy settings to make the account accessible to the employer; and (e) using log-in credentials inadvertently obtained through the employer’s monitoring of corporate electronic resources. Employees or applicants subject to an unlawful demand can recover actual damages in a private lawsuit as well as a $500 penalty, and an award of attorney’s fees and costs.

The Washington bill contains a significant exception for workplace investigations. Employers can require that employees share content from their personal social media accounts in connection with an investigation into workplace misconduct if the investigation is undertaken in response to information received about the employee’s personal social media content and the content is relevant to a factual determination made in the course of the investigation. Even in that scenario, the employer may not ask for the employee’s log-in information. The new law’s prohibitions do not apply to employer-provided accounts or devices.

*The bill was signed into law by Governor Inslee on May 22, 2013.

Status of New Jersey's Social Media Password Protection Law In Flux

Privacy and Data Protection Practice Group — Fri, 10 May 2013 17:29:35 -0800

By Amber Spataro

On March 21, 2013, the New Jersey legislature overwhelmingly passed one of the most pro-employee social media password protection bills in the nation. The bill not only prohibited employers from requesting employee passwords to their personal social media accounts, but also prohibited employers from even asking employees or applicants if they possessed a personal social media account. The bill conferred on applicants and employees the right to sue for damages.

Over May 6, 2013, Governor Chris Christie issued a statement and a “conditional veto” of the measure. The conditional veto means the governor objects to parts of a bill and contains proposed amendments that would make the bill acceptable to him. If the legislature re-enacts the bill with the recommended amendments, the governor will have another opportunity to sign the bill and presumably would sign it.

In his veto statement, Governor Christie acknowledged the bill’s positive objective, i.e., to protect employees and applicants “from overly aggressive invasions by employers.” At the same time, he criticized the bill as overly broad, presenting employers and interviewers with a high risk of lawsuits. In the governor’s words: “Those privacy concerns, however, must be balanced against an employer’s need to hire appropriate personnel, manage its operations, and safeguard its business assets and proprietary information. Unfortunately, this bill paints with too broad a brush.”

Governor Christie noted, for example, that as currently drafted, the bill would prohibit an employer interviewing an applicant for a marketing position from asking about the applicant’s use of social media so that the employer could gauge the applicant’s technological skills and media savvy. “Such a relevant and innocuous inquiry would, under this bill, subject an employer to protracted litigation, compensatory damages, and attorneys’ fees — a result that could not have been the sponsors’ intent," the governor said. Additionally, the governor stated:

"In view of the over-breadth of this well-intentioned bill, I return it with my recommendations that it be more properly balanced between protecting the privacy of employees and job candidates, while ensuring that employers may appropriately screen job candidates, manage their personnel, and protect their business assets and proprietary information."

Governor Christie recommended eliminating the private right of action and replacing it with potential penalties and a fine from the New Jersey Department of Labor and Workforce Development.

However, as noted in a previous entry, the original bill passed 75-2 in the General Assembly, so if the legislature wants to ignore the governor and pass the bill as-is, it likely can because only a two-thirds majority is needed to override the veto. As of May 7, 2013, the legislature had asked for two readings of the veto message and proposed changes, thereby signaling that perhaps it intends to seriously consider the governor’s well-founded concerns.

Patchwork of Social Media Password Protections Laws Impacts Employers

Privacy and Data Protection Practice Group — Thu, 02 May 2013 12:22:29 -0800

Social media websites such as Facebook, Twitter, LinkedIn and others have become a part of daily life in the United States and abroad. The unavoidable reach of social media into our personal lives has extended into our professional lives. Facebook claims to have more than 1 billion users. As of December 31, 2012, LinkedIn boasted more than 200 million registered users in over 200 countries and territories and that LinkedIn members performed "over 5.7 billion professionally-oriented searches on the platform in 2012." It is reasonable to infer that those 5.7 billion searches were not limited to individuals seeking jobs, professional connections or merely long lost friends, but also included employer representatives searching for qualified candidates.

In the last decade, most employers, at some point, have reviewed an employee's or applicant's emails, blogs or online social media postings, either in the capacity of "employer" or perhaps as a "friend." Social media monitoring service Reppler recently surveyed over 300 hiring professionals to determine when and how job recruiters are screening job candidates on different social networks. The study found that more than 90 percent of recruiters and hiring managers have visited a potential candidate's profile on a social network as part of the screening process. Moreover, 69 percent of recruiters have rejected a candidate based on content found on his or her social networking profiles—an almost equal proportion of recruiters (68%), though, have hired a candidate based on his or her presence on those networks.

Employers' access to applicants' and employees' social media activity raises two separate but related questions. First, what social media sites can employers lawfully access to obtain information about applicants and employees? Second, to what extent can employers lawfully rely on information obtained through social media to make employment decisions? The second question raises the types of anti-discrimination concerns that employers have been confronting in the off-line world for decades. However, the first question exposes employers to a completely new legal landscape, one which just began to evolve in April 2012, when Maryland enacted the Nation's first "social media password protection law" and has expanded in the past year to include six additional states—California, Illinois, Michigan, New Jersey, New Mexico, and Utah. With password-protection legislation pending in over twenty state legislatures, this legal landscape undoubtedly will become more complex, especially for multi-state employers, over the next one to two years.

To learn more about the history and background of social media password protection legislation, the differences between the state laws, and how those differences create challenges for employer compliance, please see Littler's Report, Workplace Policy Institute: Social Media Password Protection and Privacy — The Patchwork of State Laws and How It Affects Employers, by Phillip Gordon, Amber Spataro, and William Simmons.

Colorado Enacts Law Restricting the Use of Credit Reports for Employment Purposes

Privacy and Data Protection Practice Group — Fri, 26 Apr 2013 09:36:35 -0800

On April 19, 2013, Colorado Governor John W. Hickenlooper signed into law Senate Bill 13-018 (the "Employment Opportunity Act"), which will significantly restrict the ability of Colorado employers to use “consumer credit information” for hiring and other employment purposes unless use of the information is limited to the narrow category of positions set forth in the statute. With this law, Colorado becomes the ninth state to regulate the use of credit-related information for employment purposes, following laws enacted in California, Connecticut, Hawaii, Illinois, Maryland, Oregon, Vermont and Washington. Colorado’s law goes into effect July 1, 2013. To learn more about the law, please see Littler’s ASAP, Colorado is the Latest and Ninth State to Enact Legislation Restricting the Use of Credit Reports for Employment Purposes, by Rod Fliegel, Philip Gordon, and Jennifer Mora.

Mexico Issues New Privacy Notice Guidelines

Privacy and Data Protection Practice Group — Mon, 08 Apr 2013 08:48:42 -0800

On April 17, 2013, Mexico's new Privacy Notice Guidelines will go into effect. The Guidelines impose extensive requirements for furnishing adequate data privacy notices and obtaining consent before personal data is collected directly from a person or electronically via "cookies," "web beacons" or other automated means. The Guidelines are mandatory and particularly important to employers that regularly collect, process, and/or transfer personal data about employees or job applicants, and to companies operating or advertising in Mexico that use media technology that automatically collects personal data online. To learn more about the Guidelines, please see Littler's ASAP, Mexico's New Privacy Notice Guidelines Require Immediate Action, by Javiera Medina Reza and Eduardo Osornio Garcia.

New Jersey Poised to Enact the Most Aggressive Social Media Password Protection Law to Date, Adding to a Patchwork of Conflicting Laws Across the U.S.

Privacy and Data Protection Practice Group — Mon, 01 Apr 2013 13:33:30 -0800

By Philip Gordon

New Jersey is expected to shortly join California, Illinois, Maryland, Michigan, and Utah in prohibiting employers from seeking employee or applicant passwords to social media accounts or services. New Jersey’s General Assembly passed its bill on March 21, 2013, and that bill now awaits signature by Governor Christie. Although there is no indication from the governor whether he intends to sign the bill, ignore it, or veto it, any action other than signature would simply be symbolic and almost certainly overruled (the General Assembly passed the bill 75-2). New Jersey’s law is more pro-employee/applicant than any such law enacted to date, providing the broadest protections, the narrowest exceptions, and the most generous remedies.

Specifically, the New Jersey bill would prohibit an employer from requesting or requiring, as a condition of employment, that a current or prospective employee “provide or disclose any user name or password, or in any way provide the employer access to,” any personal social networking account, service or profile. The italicized language appears to prohibit New Jersey employers not only from “shoulder surfing,” i.e., reviewing social media content by observing the individual’s access without requesting login credentials, but also goes one step further. The bill apparently would prohibit an employer from asking an employee who complains about the social media activity of a coworker, such as online sexual harassment, for access to the complaining employee’s personal social media account to observe what the alleged harasser posted. Moreover, unlike similar laws in California, Michigan, and Utah, the New Jersey bill contains no exception for workplace investigation into suspected unlawful conduct or violations of employer policies. Notably, the New Jersey bill does not contain a narrower exception, such as the one in Maryland’s law, which includes a carve-out for investigations into suspected violations of securities laws or regulations or into suspected misappropriation of trade secrets.

The New Jersey bill adds a new prohibition not seen in any prior law that actually could be detrimental to job applicants and employees. Specifically, employers cannot “[i]n any way require or request that a current or prospective employee disclose whether the employee has a personal account.” Consequently, were an employer to search publicly available social media content for information about an employee or applicant and discover negative information that might relate to the applicant or employee, such as racist comments or a predilection for sex with minors, the employer could not ask whether the account where the content is posted is, in fact, the applicant’s or employee’s personal account. Moreover, if the employer does inquire and the applicant or employee refuses to confirm or deny whether he or she posted the offensive social media content, New Jersey’s law would make it a violation for the employer to then take adverse action based on the individual’s refusal to respond. In other words, the employer would be worse off if it tried to “do the right thing” and attempted to verify the authenticity of information that, if true, would lead to an adverse employment action.

The New Jersey bill also has the most generous remedial scheme. “Facebook” laws in Maryland and California do not expressly provide a private right of action. By contrast, the New Jersey bill confers a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. While the laws in Utah and Michigan also confer a private right of action, damages are capped at $500 and $1,000 per violation, respectively. Illinois’ law does not cap damages; however, it requires that applicants or employees first attempt to resolve their complaint through the state labor department. No such administrative exhaustion requirement applies under the New Jersey bill.

To be sure, once the bill is likely enacted, it will not entirely handcuff New Jersey employers from performing investigations and background checks necessary to run a safe and efficient operation without running afoul of the law. However, before investigating information present on an employee's or applicant's "personal account," human resources professionals are encouraged to seek guidance from inside or outside counsel to ensure compliance with this proposed law. If approved, the law will go into effect on the first day of the fourth month following its enactment.

Photo credit: robas

Survey Reports High Percentage of Employee Misuse and Theft of Company Data

Privacy and Data Protection Practice Group — Tue, 19 Mar 2013 10:14:33 -0800

A recent study by independent data privacy research firm Ponemon Institute of 3,317 individuals in six industrialized countries found that employees are moving intellectual property, including trade secrets, outside their companies in all directions.

Over half of those surveyed admitted they had emailed business documents to their personal email accounts; 41% said they do this at least once a week. The same percentage of respondents confessed they downloaded company IP to personally-owned tablets or smartphones. A majority of those surveyed did not believe this was “wrong.”

To learn more about the survey results, and what employers can do to minimize data theft, please read more at Littler's Unfair Competition & Trade Secrets Counsel.

Colorado's Marijuana "Legalization" Amendment Task Force OKs Recommendation to Permit Employers to Terminate Employees for Off-Duty Marijuana Use

Privacy and Data Protection Practice Group — Tue, 12 Feb 2013 11:02:36 -0800

By Chris Leh

On February 5, 2013, a task force convened by Colorado’s governor to address issues arising out of Amendment 64, a state constitutional amendment that purports to legalize the recreational use of marijuana by adults in Colorado, recommended that “employers may maintain, create new, or modify existing policies in response to the passage” of the law. The recommendation is a preliminary signal that even as the state liberalizes its marijuana laws concerning medical and recreational use, employers still may regulate all marijuana use, even off-duty and off-premises use, by their employees.

In 2000, Colorado voters approved Amendment 20, which created a legal framework regarding medical marijuana. The law did not purport to legalize the drug. But those who suffered from “debilitating medical conditions” and whose physicians stated that they “might benefit from the medical use of marijuana” could obtain state registry cards that permit them to possess, grow, and use small amounts of the drug for medicinal purposes. Amendment 20 immunized users and their caregivers from prosecution for minor state law marijuana crimes. It contained a single brief reference to employment issues: “Nothing in this section shall require any employer to accommodate the medical use of marijuana in any work place.” During the 12 years since Amendment 20’s passage, Colorado employers have continued to create and enforce zero-tolerance policies and discipline employees for testing positive for marijuana, whether they were medical marijuana patients or not. With the exception of a case in which the drug test of a medical marijuana patient failed to pass statutory muster to support disqualification for unemployment benefits, the Colorado Court of Appeals has supported this approach.

On November 6, 2012 (as we have discussed here and here), voters in Colorado and Washington approved ballot measures purporting to legalize the distribution, possession, and use of small amounts of marijuana for recreational purposes. Colorado’s Amendment 64 expressly reiterated that it does not “require an employer to permit or accommodate the use, consumption, possession, transfer, display, transportation, sale or growing of marijuana in the workplace." But it provides additional protections for employers. For example, Amendment 64 acknowledges the right of employers and others who occupy, own, or control a property to prohibit the use, possession, and transfer of marijuana there. Amendment 64 affirms prohibitions on driving while impaired by, or under the influence of, marijuana. Most importantly, however, the measure disclaims any intent to "affect the ability of employers to have policies restricting the use of marijuana by employees."

One crucial issue for Colorado employers is the effect of Amendment 64 on their ability to continue to enforce their policies prohibiting marijuana use by employees. With some exceptions, Colorado’s so-called “Lifestyle Discrimination Statute” prohibits employers from discharging employees for engaging in lawful, off-premises activities during non-working hours. The prevailing view among Colorado employers is that because the possession and use of marijuana for any purpose is illegal under federal law, an employee’s possession or use of marijuana off-site and off-duty does not fall within the scope of the law. Consequently, termination for a positive drug test is legal.

Although there is no controlling case law on the issue, Colorado courts have provided some indirect guidance. In 2011, for example, in Beinor v. Industrial Claims Appeals Board, the Colorado Court of Appeals, in a 2-1 decision, held that an employee terminated for testing positive for marijuana in violation of a zero-tolerance policy may be denied unemployment compensation even if the worker’s use of marijuana is considered “medical use” under state law, and even in the absence of the worker’s impairment. Notably, the court reserved the question of whether Amendment 20 prohibited an employer from discharging an employee for using medical marijuana. A vigorous dissent argued that Amendment 20 did not “encompass the presence of marijuana in one’s blood after the lawful use of medical marijuana at home.”

On December 10, 2012, Colorado Governor John Hickenlooper signed an executive order creating the Task Force on the Implementation of Amendment 64. The task force’s mission is “to identify the legal, policy and procedural issues that need to be resolved, and to offer suggestions and proposals for legislative, regulatory and executive actions that need to be taken, for the effective and efficient implementation” of the Amendment. Comprised of 24 state legislators, executive agency officials, and other stakeholders, the task force is addressing various issues, including the “impact of Amendment 64 on employers and employees and the Colorado economy.” The task force soon will report its recommendations to the governor, the state legislature, and the state attorney general.

On February 5, 2013, the task force considered a recommendation concerning Amendment 64’s impact on employers and employees:

The plain language of Amendment 64 Section 6(a) makes it clear that the intent of the voters was to maintain the status quo for employers and employees, and that employers may maintain, create new, or modify existing policies in response to the passage of the measure. The Amendment 64 Implementation Task Force recommends that employers should be encouraged to review current drug free workplace policies, including but not limited to hiring, sanctioning, termination and drug testing, in response to passage of the measure.

As expected, employee advocates argued that Amendment 64 changed the status quo to give off-the-job pot use the same kind of protection as alcohol use. They also contended that, although employers could restrict marijuana use by employees, they could not prohibit it. On a majority vote, however, the task force accepted the recommendation.
Although the task force’s recommendation lacks the force of law, its implications for employers are important:

Under Amendment 64, the rights of a person to use and possess small amounts of marijuana for recreational purposes do not trump the rights the amendment reserves to employers to restrict possession and use by its employees, whether that use is on-duty or off-duty, whether it is for medical or recreational purposes.
Employers should review and update their drug policies to ensure that employees understand that they apply to the use of all drugs that are illegal under state or federal law, including marijuana.
Employee advocates in Colorado are likely to mount legal challenges on behalf of employees terminated for testing positive for marijuana they used while outside the workplace and during non-working hours.
Employers in others states seeking to enact liberalized marijuana laws should work vigilantly to ensure that those measures include strong, clear protections so they will be able to maintain, change, and enforce their drug-free workplace, zero-tolerance, random drug testing, and related policies.

The recommendation augurs well for employers as the debate over the liberalization of marijuana laws continues.

What Employers Really Need to Know About the New HIPAA/HITECH Omnibus Final Rule

Privacy and Data Protection Practice Group — Tue, 05 Feb 2013 20:12:51 -0800

The Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act Omnibus Rule, published in the Federal Register Jan. 25, makes many changes to the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, with substantial impact on employers. While these changes do not alter the fundamental structure of HIPAA compliance, employers still face a relatively lengthy "to do" list to comply with all of the new requirements. Perhaps, even more importantly, once the revised regulations go into effect, employers will confront much higher enforcement risk and significantly increased exposure to six- and seven-figure civil monetary penalties.

To learn more about the Omnibus Rule, please see Littler's ASAP, What Do Employers Really Need to Know About the New HIPAA/HITECH Omnibus Final Rule?, by Philip Gordon.

Court Dismisses EEOC Suit Against Employer Screening Applicants Based on Credit History Information

Privacy and Data Protection Practice Group — Mon, 04 Feb 2013 18:07:34 -0800

In April 2012, the Equal Employment Opportunity Commission (EEOC) issued its updated enforcement guidance concerning how, in its view, Title VII of the Civil Rights Act of 1964 (Title VII) restricts an employer's discretion to consider criminal records relative to employment decisions. The EEOC was scheduled to release at the same time its updated guidance concerning the use of credit history information, but at the last minute decided (without explanation) not to do so. Even before April 2012, however, the EEOC filed lawsuits against a handful of employers, including Kaplan Higher Education Corporation (Kaplan), for allegedly violating Title VII by relying on criminal and credit records.

On January 28, 2013, the district court judge in EEOC v. Kaplan Higher Education Corp. granted Kaplan's motion to dismiss the case without a trial, holding the EEOC failed to meet its threshold burden as the plaintiff to prove that Kaplan's screening practices disproportionately excluded protected class members (i.e., had the requisite "disparate impact"). The opinion is significant for employers because: (1) the subject of background checks remains high on the EEOC's agenda (in fact there is an ongoing case in Maryland); and (2) at least for employers who are not government contractors, the EEOC may face more hurdles than it expected in proving disparate impact. Because the court decided the matter based solely on the threshold question of disparate impact, it unfortunately did not reach other important issues, such as whether the EEOC can challenge an employer's use of credit history information when the Commission itself relies on such information in the hiring process. This uncertainty reinforces the benefit to employers of reviewing their background check and related programs.

To learn more about the decision, please continue reading Littler's ASAP, EEOC Suit Against Employer Screening Applicants Based on Credit History Information Dismissed, by Rod Fliegel, Jennifer Mora, and William Simmons.

D.C. Circuit Rules DEA's Denial of Petition to Reschedule Marijuana Was Not Arbitrary and Capricious

Privacy and Data Protection Practice Group — Fri, 25 Jan 2013 11:53:10 -0800

By Katie Goetzl

The U.S. Court of Appeals for the District of Columbia Circuit, in Americans for Safe Access v. Drug Enforcement Agency, No. 11-1265 (Jan. 22, 2013), ruled that the Drug Enforcement Administration’s (DEA) denial of a petition to initiate proceedings to reschedule marijuana was not arbitrary and capricious. The court’s decision means that the rejected petition will not be sent back to the DEA for reconsideration.

Marijuana is currently classified as a Schedule I drug under the Controlled Substances Act (CSA). A Schedule I drug has, among other things, a high potential for abuse and no currently accepted medical use in treatment in the United States. Non-Schedule I drugs may be obtained for personal medical use by prescription. Interested parties can petition the DEA to reclassify drugs to less restrictive schedules. In 2002, the Coalition to Reschedule Cannabis petitioned the DEA to reschedule marijuana. As required, the DEA submitted the petition to the Department of Health and Human Services (HHS) for scientific and medical evaluation and a recommendation regarding the appropriate schedule. HHS’s recommendation is binding on the DEA as long as it is based on scientific and medical determinations. In 2006, HHS concluded that marijuana lacks a currently accepted medical use in the United States. Five years later, the DEA denied the petition, finding that “[t]he limited existing clinical evidence is not adequate to warrant rescheduling of marijuana under the CSA.” The Coalition to Reschedule Cannabis, two other advocacy groups, and several individuals petitioned for review of the DEA’s action.

The petitioners argued that the denial was arbitrary and capricious because the DEA ignored the scientific studies showing that marijuana is effective to treat various medical conditions. The DEA responded that studies showing marijuana’s safety and effectiveness as a medicine were not available and that experts had not reached a consensus on the issue.

The court ruled that the DEA’s action was not arbitrary and capricious. The petition requested that marijuana be classified as a Schedule III, IV, or V drug. However, under the CSA, drugs in those schedules must have a “currently accepted medical use.” The DEA’s regulations define “currently accepted medical use” to require, among other things, “adequate and well-controlled studies proving efficacy.” As required by the procedural posture of the case, the court deferred to the DEA’s decision that such studies do not exist.

Despite recent state activity purporting to legalize marijuana use for medical and recreational purposes, it appears that from a federal law perspective marijuana will remain a controlled substance that cannot be legally obtained, for now.

Photo credit: Sebastien Roche-Lochen Photography

Five Key Takeaways For Employers Confronting The Massive, Omnibus HIPAA/HITECH Final Rule

Privacy and Data Protection Practice Group — Tue, 22 Jan 2013 07:31:33 -0800

By Philip Gordon

At approximately one-half the length of War and Peace, the recently published Omnibus Final Rule, which modifies the HIPAA Privacy, Security and Enforcement Rules and implements the HIPAA Breach Notification Rule, can overwhelm in-house employment, benefits, and privacy counsel as well as human resources and benefits professionals trying to discern the Rule’s practical implications for employers who sponsor HIPAA-covered plans, which are “covered entities” under HIPAA. Like most HIPAA-related guidance, the Omnibus Final Rule tends to focus on health care providers, with only a small portion of the ample regulatory commentary aimed at the employer community. Moreover, a detailed reading of the Omnibus Final Rule reveals dozens of technical changes with little or no practical impact on employers and numerous granular modifications that may be relevant to employers, if at all, only with limited frequency.

Stepping back from this superabundance of detail, we have identified the following five “big picture” takeaways for employers who sponsor HIPAA-covered plans:

Not That Much Has Changed For Employers: Although the Omnibus Final Rule modifies all current sets of HIPAA regulations and adds to them, the compliance framework remains fundamentally unchanged for employers. HIPAA’s coverage of employee health benefits information has not been materially expanded; employers have substantially the same compliance obligations; and plan participants have substantially the same rights with respect to their protected health information (“PHI”).
Slow Down; Employers Have Some Time To Comply: The earliest compliance deadline is September 23, 2013. Employers generally will have additional time to comply with the changes likely to have the greatest impact on them, i.e., the distribution of updated privacy notices and the modification of business associate agreements (discussed in more detail below).
Not Every “HIPAA Violation” Is A Security Breach: The Interim Final Rule on breach notification contained a “harm threshold,” which excluded from HIPAA’s security breach notification obligation any unauthorized use or disclosure of PHI that did not pose a significant risk of financial, reputational, or other harm to the plan participant or patient. During the more than two years that the Omnibus Final Rule had been pending, there was much speculation that the Department of Health and Human Services (HHS) would eliminate this harm threshold. The practical effect of such a modification would have been to substantially increase covered entities’ security breach notification obligations because almost any unauthorized use or disclosure of PHI — such as a misdirected e-mail, fax, or letter containing PHI — would trigger a notice obligation. While the Omnibus Final Rule eliminates the harm standard, the revised regulation still contains a brake on the security breach notification obligation. Now, a covered entity confronted with an unauthorized use or disclosure of PHI can avoid providing notice of a security breach if, after conducting a risk assessment that at a minimum addresses four factors identified in the Omnibus Final Rule, determines that there is a low probability the PHI has been compromised. The four risk factors include the following: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. This new “low probability” standard provides an important check on the potential security breach notification obligations of employers who sponsor HIPAA-covered plans.
Employers Will Need To Issue Revised Privacy Notices: While not fundamentally changing employers’ HIPAA compliance obligations, the Omnibus Final Rule does make some changes deemed sufficiently material by HHS to warrant mandatory distribution of an updated notice of privacy practices. The revised notices will need to inform recipients of (a) their right to receive security breach notification, (b) HIPAA’s new prohibition on the use of genetic information for underwriting purposes, and (c) the requirement that the employer obtain the subject’s authorization before using PHI for marketing purposes and before selling PHI. Fortunately, the deadline for distributing these revised notices should align with most employers’ 2013 open enrollment season. Under the Privacy Rule, employers who maintain a benefits website must post the revised notice by September 23, 2013, and include the revised notice in their next annual mailing to plan participants. Employers who do not maintain a benefits website but wait until September 23, 2013, for their revised privacy notice to become effective will have until December 22, 2013, to distribute the updated notice.
Employers Should Review And Possibly Amend Business Associate Agreements: The Omnibus Final Rule modifies the minimum required contents of agreements with service providers, known in HIPAA parlance as “business associates,” who receive PHI from a covered entity, such as third-party administrators and insurance brokers. In addition to previously required provisions, these business associate agreements must now include provisions that require business associates to (a) comply with the HIPAA Security Rule’s requirements, (b) report any security breach to the covered entity, (c) enter into a business associate agreement with any subcontractor that receives the covered entity’s PHI, and (d) comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI. Fortunately, many employers who sponsor HIPAA-covered plans started to include in their business associate agreements provisions addressing these requirements after the HITECH Act was enacted in February 2009 or went into effect the following year. For those business associate agreements that do not contain some or all of these newly required provisions, the covered entity has until September 22, 2014, to amend the agreement unless the existing agreement is modified after September 23, 2013, in which case any previously omitted provisions must be included in the updated agreement.

It is worth noting that the Omnibus Final Rule does implement fundamental changes for business associates and their subcontractors. These entities must now comply with the HIPAA Security Rule when they receive PHI in electronic form and, for the first time, are subject to direct regulation by HHS. In addition, business associates must now enter “downstream” business associate agreements with their subcontractors who receive PHI. However, the Omnibus Final Rule expressly provides that covered entities do not have any compliance obligations with respect to the subcontractors of their business associates.

The massive Omnibus Final Rule, of course, contains other regulatory revisions that are relevant to employers who sponsor HIPAA-covered health plans. We will be addressing those changes comprehensively in future publications at this site. In the meantime, the five key takeaways described above are the changes with the most significant practical impact on HIPAA-covered employers.

Photo credit: peepo