Workplace Privacy, Data Management & Security Report

California to Follow Maryland in Prohibiting Employers from Demanding Social Media Passwords From Employees

Joseph Lazzarotti — Sat, 12 May 2012 05:58:09 -0800

Not long after Maryland enacted a law prohibiting employers from demanding passwords to employees' or prospective employees' Facebook and certain other social media accounts, the California State Assembly voted 73-0 in favor of A.B. 1844. The California bill would prohibit an employer from requiring:

an employee or prospective employee to disclose a user name or account password to access a personal social media account that is exclusively used by the employee or prospective employee.

The state's Senate will now need to consider the measure, where a related bill, S. 1349 (named "The Social Media Privacy Act"), would also protect students from having to disclose similar information to school officials. A hearing on S. 1349 is scheduled for May 21. Congress and a number of other states, including, Delaware, Illinois, Michigan, Minnesota, Missouri, New York, and South Carolina are considering similar measures.

Employers will need to monitor these developments carefully and consider how to advise and train their managers and human resources personnel about these new requirements.

Employee's Secretly Tape Recording Manager Can Be Protected Activity, a Federal Appellate Court Rules

Joseph Lazzarotti — Sat, 12 May 2012 05:24:14 -0800

Co-authored with Richard Greenberg

Where no law or employer policy prohibits a worker from recording a conversation with his manager, an employer’s termination of that worker for recording the conversation unlawfully infringed on the worker’s rights under the National Labor Relations Act, the federal appeals court in Washington D.C. has ruled.

According to the U.S. Court of Appeals for the District of Columbia Circuit, in Stephens Media LLC v. NLRB, when the employer denied what the employee believed was his right guaranteed under the Supreme Court’s Weingarten decision to have a witness at a meeting with a supervisor, he conferred with co-workers and decided to secretly record the meeting with his supervisor. The employee used a voice recorder belonging to one of his co-workers to surreptitiously record the meeting. After learning of the taping, the company terminated the employee who taped the meeting and suspended the employee who provided the recorder.

The National Labor Relations Board found these employees were engaged in protected concerted activity under the NLRA when they planned to record the meeting and that by disciplining the employees, the company violated their right to engage in such activity. According to the Board, taping the meeting to document what the employees perceived to be a potential violation of Weingarten qualified as protected activity.

In rejecting the employer's arguments that this was not protected activity, the Board reasoned:

under established Board precedent, there is no per se rule that the making of surreptitious recordings is unprotected activity;
the company had no policy in effect prohibiting audio recordings; and
the recording was not unlawful under state or local law. See HAW. REV. STAT. § 803-42(b)(4).

The federal appeals court agreed. An unanswered question is whether the presence of an employer policy would have resulted in a different outcome.

Massachusetts Company Fined $15,000 Under State's Data Security Law

Joseph Lazzarotti — Tue, 10 Apr 2012 03:35:29 -0800

Written by Keturah Martin

As yet another example of the Massachusetts Attorney General enforcing compliance with the Commonwealth’s data privacy and security laws, that office recently reached a $15,000 settlement in an enforcement action involving Maloney Properties, Inc. (MPI), a property management company based in Massachusetts.

In the lawsuit, the AG alleged that MPI’s policies and procedures failed to adequately protect its customers’ personal information when an MPI employee stored the unencrypted personal information of 621 Massachusetts residents on a company laptop, left the laptop in a personal vehicle overnight, and the laptop was then stolen.

Although there was no indication that any of the personal information on the laptop was acquired or used by an unauthorized person or for an unauthorized purpose, the AG still required MPI to pay a monetary penalty of $15,000 and agree to take certain steps before ending its action against the company.

Some of the steps MPI agreed to take include complying with the Commonwealth’s regulations – including the requirement to encrypt personal information on portable devices, to the extent technically feasible. This also includes encrypting personal information on company-owned portable devices, ensuring that the devices are kept in secure locations, purging personal information when it’s not needed anymore, training its employees at least annually on encryption and proper storage, and performing an annual audit of its compliance with its Written Information Security Program (WISP). In addition, the company must submit the results of its 2012 and 2013 annual WISP audits to the AG’s Office.

The AG’s actions in this matter demonstrate that it does not take lightly the loss of Massachusetts residents’ personal information, even if that loss has not caused any known harm to the affected residents, and that it may remain watchful over the subject of an investigation for years to come. This provides a timely reminder for all companies of the importance of understanding and complying with the Commonwealth’s requirements in this area.

Maryland Prohibits Employers From Demanding Social Media Passwords

Joseph Lazzarotti — Tue, 10 Apr 2012 02:32:29 -0800

UPDATE: Governor Martin O'Malley signed the bills discussed below into law on May 2, 2012.

Maryland will likely become the first state to prohibit employers from demanding usernames, passwords or other means to access any personal account or service through an electronic communication device (computer, phone, PDA, etc.), such as social media sites Facebook or LinkedIn, belonging to employees or job applicants. If signed by Governor Martin O’Mailey, as expected, the new law would become effective October 1, 2012, after being passed unanimously passed in the Senate last week and by a vote of 128-10 in the House. Employers need to monitor developments, as legislatures in other states have taken up similar measures.

S.B. 433/ H.B. 964 applies to any employer engaged in business in Maryland, as well as any unit of state or local government. It also reaches any agent, representative or designee of a covered employer. So, an employer cannot ask a third party to do under the law what the employer cannot do.

Covered employers also are prohibited from discharging, disciplining or otherwise penalizing employees or applicants (or threatening same) who refuse to comply with the requests for access prohibited above. In addition, employers may not fail or refuse to hire applicants to object to similar requests. However, the Maryland law prohibits employees from making unauthorized downloads of company financial or proprietary data, and permits employers to investigate when it receives information about such activities.

Can My Employer Require Me to Turn Over My Facebook Password?

Joseph Lazzarotti — Sun, 25 Mar 2012 18:18:26 -0800

Written by Richard Greenberg

UPDATE - Newly enacted Maryland law prohibits employers from demanding access to Facebook or other on line accounts of employees and applicants.

In this space we have frequently discussed social media issues ranging from legal considerations in policy development, to employers' legal and practical risks attendant to reviewing job applicants' social media presence, to legislative reactions to employers' requiring disclosure of passwords as part of their background check process. Two further reactions to the password disclosure issue are worthy of note.

First, Connecticut Senator Richard Blumenthal has stated he will introduce federal legislation similar to that currently under consideration in the Illinois and Maryland legislatures. Arguing that employers' mandating disclosure of user names and passwords "is a huge invasion of privacy," State Assemblyman John Burzichelli has indicated that he will introduce similar legislation prohibiting the practice in the New Jersey legislature.

Second, in a statement issued this past Friday by Erin Egan, Chief Privacy Officer, Policy, Facebook responded to "a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information [which] ...undermines the privacy expectations and the security of both the user and the user’s friends [and]...also potentially exposes the employer who seeks this access to unanticipated legal liability." Facebook advised that it is now a violation of its Statement of Rights of Responsibilities to share or solicit a Facebook password since users "shouldn’t be forced to share [their] private information and communications just to get a job" and friends of users shouldn’t have to worry that [their] private information or communications will be revealed to someone [they] don’t know and didn’t intend to share with just because [their friend] is looking for a job."

Employers must stay abreast of these developments as they continue to refine all policies and procedures pertaining to employee social media usage.

Jackson Lewis White Paper Addresses Legal Risks Stemming From Occupational Health Nurses and On-site Health Clinics

Joseph Lazzarotti — Thu, 22 Mar 2012 04:11:03 -0800

Employers increasingly have health professionals on-site providing medical services to employees. For some employers, the reason is to address the rising costs of health care, including uncertainties about the full impact of health care reform, the Affordable Care Act, looming in 2014. For others, more comprehensive approaches to disability and leave management can mitigate compliance and litigation concerns.

Whether it is a single nurse at a facility providing basic first aid and assisting in fitness-for-duty exams, or a full-scale health clinic staffed with physicians, nurses and others, there are a range of issues the company should be thinking about – e.g., workplace safety, disability/leave management, labor, employee benefits, and privacy. Some of our practice group leaders put together a white paper to aid employers in spotting these issues. We hope you find this helpful and easy to read.

Click here to access the White Paper: An Overview of Legal Considerations When Bringing Health Care "In-House"

FAQs About the Genetic Information Nondiscrimination Act

Joseph Lazzarotti — Wed, 29 Feb 2012 09:19:38 -0800

Complying with the Genetic Information Nondiscrimination Act (GINA) is a growing concern for employers and others. We have developed a comprehensive set of frequently asked questions concerning this new law. If you are interested in learning more about GINA:

Debt Collection Agency Sued by Minnesota Attorney General Over Privacy Breach and Other Concerns

Joseph Lazzarotti — Tue, 14 Feb 2012 14:20:14 -0800

Like any business that handles personal information, debt collection agencies have obligations to maintain reasonable safeguards to protect that information. Recent enforcement activity by the Minnesota Attorney General's office makes this clear. The banks, health care providers and other businesses that utilize collection services are also driving compliance as they demand these companies have written information security programs in place to protect the personal information of their customers/patients. Increasingly, debt collection companies are required to complete comprehensive surveys about their data protection practices, and are not always in the best position to do so.

In the Minnesota case, even where appropriate safeguards may have been in place, a breach resulting from a stolen laptop triggered the state's Attorney General to inquire into not only the company's privacy safeguards, but its business model as well. According to Attorney General's office, the company employee left an unencrypted laptop containing sensitive information on 23,500 Minnesota hospital patients in a rental car in the parking area located in a bar and restaurant district of Minneapolis where it was stolen.

For these companies, the requirements can be complex since they will depend on not only the kinds of information they collect, but also the businesses they serve (and what laws regulate those businesses), the state of residency of the individuals whose records the collection agency maintains, and the states in which the company does business.

Third Party Vendors Equal Data Breach Risk, Massachusetts Vendor Contract Deadline Approaches - March 1, 2012

Joseph Lazzarotti — Mon, 13 Feb 2012 06:04:33 -0800

According to a Ponemon Institute study*, data breaches occurring in the hands of third-party vendors amounted to 39 percent of breaches in 2010. Whether it be cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers and other businesses, most companies utilize third party vendors to provide an array of services. Those services often involve letting the vendor access, store and/or process personal information, which creates additional risk and legal obligations for the company using the vendor, such as the service provider contract requirement in Massachusetts.

Massachusetts deadline. A number of states have passed laws requiring companies that put personal information in the hands of third party service providers must obtain the written agreement of the third party to safeguard this information. The Massachusetts data security regulations that went into effect March 1, 2010, gave businesses until March 1, 2012 to update contracts with service providers that were entered into no later than March 1, 2010. However, next month that grace period expires. Thus, beginning March 1, 2012, a contract to safeguard personal information must be in place with all service providers who handle personal information concerning a Massachusetts resident on behalf of the company.

Other mandates. Requirements to ensure third party vendors are safeguarding personal information is not limited to Massachusetts. Examples include:

States such as California, Maryland, Nevada, Oregon, and Texas have had for some time a contract requirement similar to the Massachusetts rule.
The privacy and security regulations under HIPAA have a more expansive requirement for “business associates” and “subcontractors.” Businesses subject to HIPAA are anxiously awaiting final regulations under HITECH which will be specifically addressing business associate agreement requirements, among other things.
The Payment Card Industry (PCI) standards require similar agreements.
Law firms in many states are subject to specific state ethical mandates to have written assurances from vendors handling client data (these mandates are not limited to personal information, but seem to apply to all client information). For example, lawyers in states such as ME, MO, NJ, NY, OR, VT, WI are required to make sure that contractors maintain appropriate safeguards through a “legally enforceable obligation.”

What to do next? Vendor management should be part of an overall strategy to safeguard company and personal information. It is important to add that while personal information typically is the focus of this risk because of the breach reporting obligations across the country, confidential and proprietary company data is, of course, also at risk in the hands of vendors.

Companies should develop a list of all of their vendors and require all that have access to sensitive personal or company information to agree to amend the services agreement to include a requirement that the vendor have in place appropriate data privacy and security safeguards. Careful negotiations and drafting is critical to ensure legal compliance and protection/indemnity in the event of a data breach. In addition, some business might want to maintain a right to audit operations and require certain specific safeguards, depending on the volume and sensitivity of the information at issue. Companies also have developed comprehensive questionnaires and assessments for their vendors to complete to obtain a more complete picture of the vendors' data security protocols.

Whatever the approach, companies should at a minimum obtain written assurances from their vendors concerning the safeguarding of personal information.

*Ponemon Institute, LLC. 2010 Annual Study: U.S. Cost of a Data Breach, March 2011.

Prepare Now for Employee Disputes Over Ownership of Social Media Accounts

Joseph Lazzarotti — Thu, 09 Feb 2012 09:25:29 -0800

Prepared by Alexander Nemiroff

A number of courts throughout the nation are grappling with disputes between employers and departing employees over the ownership of social media accounts. These employers are attempting to seek ownership over company Twitter and LinkedIn profiles claiming, among other things, that these contain “trade secrets.” Employees dispute these contentions by pointing out that there is nothing “secret” about social media profiles and that employers have no inherent property interests in Twitter and LinkedIn accounts.

For example, in Phonedog v. Kravitz, No. 3:11-cv-03475 (MEJ) (N.D. Cal., Nov. 8, 2011), a federal court in California denied a motion to dismiss where the employer sought damages for each Twitter follower that a departing employee took with him. The employee was given use of and maintained a Twitter account for the employer’s business during his employment. When he left, he changed the Twitter account handle and continued to use the account. Phonedog and its former employee do not have a written agreement pertaining to ownership of the disputed Twitter account. The company alleged several claims against the departing employee, including misappropriation of trade secrets, conversion, and tortious interference with prospective advantage.

Another such pending dispute is Eagle v. Morgan, No. 2:11-cv-04303 (RB) (E.D. Pa., Dec. 22, 2011). A federal court in Pennsylvania denied a motion to dismiss in a dispute over an employee’s LinkedIn account. The disputed LinkedIn account was used for company business and developed by company personnel. As in Phonedog, the parties do not have a written agreement as to ownership of the disputed LinkedIn account. Both the company and the employee brought claims against one another over use of this LinkedIn account.

The above cases are headed into prolonged discovery and extensive litigation. These disputes may have been avoidable had the parties entered into a clear written agreement at or near the inception of the employment relationship. Such an agreement was upheld in Ardis Health, LLC v. Nankivell, No. 1:11-cv-05013 (NRB) (S.D.N.Y., Oct. 19, 2011). A federal court in New York granted a preliminary injunction and required an employee to turn over access to social media sites to her employer pursuant to the obligations under the written Non-Disclosure and Rights to Work Product Agreement between the parties.

All employers who profit from their employees’ use of social media should be aware of and carefully analyze these issues. In many cases, a properly drafted agreement delineating the property interests of employee work product will save employers from time-consuming and expensive litigation over ownership of social media accounts.

Maryland and Illinois Seek to Protect Employee Social Media Activity

Joseph Lazzarotti — Sat, 04 Feb 2012 06:15:41 -0800

Have you ever reviewed the Facebook or LinkedIn profile or other social media activity of an employee or applicant? How about requiring employees or applicants to provide access to social media activity as a condition of employment. The Maryland and Illinois legislatures would like to limit employers' ability to engage in this kind of activity with new laws that would be the first of their kind in the nation.

UPDATE - Newly enacted Maryland law prohibits employers from demanding access to Facebook or other on line accounts of employees and applicants.

Maryland. Under one version of the law in Maryland, H.B. 364, employers would not be permitted to

require an employee or applicant . . . to disclose any user name, password, or other means for accessing any internet site or electronic account through an electronic device, or
require an employee to install on the employee's personal electronic device software that monitors or tracks the content of the electronic device.

Under this bill, the employer could not discipline the employee or refuse or fail to hire the applicant for not complying with such requests. However, an employer could require an employee to disclose username, password or other means of access to the employer's internal computer or information systems.

The provision that would prohibit employers from monitoring or tracking content on electronic devices would present a dilemma for employers faced with various legal and ethical obligations to safeguard personal and other confidential data. Many employers are struggling to find ways to track, limit, and in some cases encrypt, personal and other confidential information maintained on portable electroinc devices, including the personal devices of employees. This bill would make that process more challenging, particulalry for businesses with nationwide operations in heavily regulated businesses such as healthcare, insurance, finance and so on.

Two other bills (H.B. 310, S.B. 434) also are being considered that would prohibit public and nonpublic colleges and universities from making similar demands on students and applicants.

Illinois. The Illinois law being considered (H.B. 3782) would make it unlawful for "any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

Existing Risks with Searching/Monitoring the Social Media Activity of Employees or Applicants. The Maryland and Illinois laws, if passed, may be the first of their kind, but they certainly are not the first risks employers have faced when engaging in this kind of activity. In fact, there are a range of existing risks employers must consider, such as

Finding medical information protected under the American with Disabilities Act or the Genetic Information Nondiscrimination Act.
Acting inconsistently when similar information is found about different applicants/employees/executives.
Acting on information that is not true.
Intruding into private areas.
Failure to document the steps taken in conducting the search.
Not realizing the Fair Credit Reporting Act may apply and require consent and notice requirements.
Unlawfully limiting protected concerted activity under the National Labor Relations Act.

Employers therefore need to proceed carefully when using social media as a tool for making decisions concerning hiring, promotion, discipline, and termination. Assessing whether to engage in such activity, how and when to do so, who should be authorized to search and monitor in this way, and what training should be provided can go a long way to minimizing these risks.

Supreme Court Says Warrants Are Required For GPS Monitoring by Police

Joseph Lazzarotti — Thu, 02 Feb 2012 10:17:44 -0800

Written by Michelle Hackim

In United States v. Jones, the Supreme Court unanimously decided that FBI agents violated the Fourth Amendment when they attached a Global-Positioning-System (GPS) tracking device to a suspected drug dealer’s Jeep Cherokee and monitored the vehicle’s movements on public streets for 28 days without obtaining a warrant to do so. Justice Scalia wrote the Court’s opinion, with four justices joining the opinion – Chief Justice Roberts and Justices Anthony Kennedy, Sonia Sotomayor, and Clarence Thomas.

Sotomayor's concurring opinion is worth noting for its detailed analysis of the chilling effect on associational and expressive freedoms that government monitoring via technology, like GPS surveillance, will have if left unchecked. She wrote:

“GPS monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious and sexual associations…The Government can store such records and efficiently mine them for information for years into the future…And because GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: ‘limited police resources and community hostility.’ “

Justice Alito, who also concurred in the majority opinion, argued for warrants based on the “reasonable expectation of privacy” standard, instead of the common law trespass test applied by Scalia. Alito, clearly troubled by the Court’s reliance on the law of trespass, points out that technology today allows for easy electronic monitoring, without any need to come into physical contact with the subject being tracked. He expresses concern over the “increased convenience” of new technology at the “expense of privacy,” and suggests that these “new intrusions on privacy” may motivate Congress to enact legislation addressing these “new intrusions” as it did with wiretapping. Sotomayor clearly agrees, but whether Congress will act obviously remains to be seen.

So, what does U.S. v. Jones mean for employers?

Private employers generally are not subject to the Fourth Amendment’s prohibition against unreasonable search and seizure. However, it is certainly foreseeable that employees of private employers could cite to this case in support of claims that GPS monitoring, or any sort of electronic monitoring for that matter, during non-working hours violated their “reasonable expectation of privacy.” The question of whether this decision might influence courts as technology becomes more powerful, remains to be seen.

As such, it is imperative for employers, especially those who provide smart phones and company vehicles containing GPS monitoring devices to their employees, to adopt policies notifying their employees of the company’s right to monitor their actions while using Company owned property. These policies should also contain language notifying employees about the GPS monitoring capabilities of the Company-issued property and that they should not have an expectation of privacy while using the same.

In light of the contours of a “reasonable expectation of privacy” analysis and concerns over common law claims of intrusion upon one's seclusion, employers should also avoid monitoring during non-work hours. In addition, where the data received from location tracking reveals details of an employee’s personal life, employers should not review it or be prepared to show that they have a legitimate business justification for looking at this type of information.

Finally, private employers in states like California may have more to be concerned about where constitutional privacy protections apply to the private sector. A number of states also have laws prohibiting the installation of a tracking device without the consent of the vehicle’s owner or lessor.

Social Media For Universities and Colleges--Beyond Recruiting

Jason C. Gavejian — Wed, 01 Feb 2012 10:49:51 -0800

In connection with its coverage of national signing day, ESPN.com recently highlighted that social media is increasingly being utilized by coaches to contact, recruit and gather information about players. For players, it's a way to get recruited, control the message and interact with fans and other recruits at unprecedented levels. And, like in the workplace, misuse of the media can have unfortunate consequences. A New Jersey high school prospect recently found this out when he was expelled from Don Bosco Preparatory after questionable posts were viewed on his Twitter account. We have noticed similar trends and similar missteps in the employment context, where social media is often being utilized by companies and employees without first being well thought out.

While the NCAA does provide some social media regulations, online interaction is far less regulated than more “old fashioned” forms of communication. According to Gregg Clifton, Co-chair of the Jackson Lewis’ Collegiate and Professional Sports Industry Group, “The days of face-to-face interaction between coach and recruit have been forever transformed. While the NCAA limits direct phone contact and texting by coaches to recruits, current NCAA regulatory freedom still permits coaches to use social media to contact, recruit, and gather information about players they are considering for their programs.” Similarly, both state and federal employment law struggle to keep up with the ever expanding social media realm. This was most recently highlighted by the NLRB General Counsel’s report on social media. Consequently, even for employers that do have social media policies, they often do not address key issues such as the company’s presence on-line, regulatory requirements that apply in their industry, and how managers and supervisors should and should not be using the medium. In fact, as shown by many of the NLRB’s rulings discussed in the recent report, many policies contain overbroad proscriptions that violate a variety of laws.

To keep up with social media, some schools are hiring individuals to monitor the social media of prospective student-athletes and to make sure that improper interaction is not occurring, as well as to ensure confidential information, such as under FERPA, is not being disclosed. Employers too are seeking to hire individuals to not only assist in utilizing social media for marketing, but also individuals who can monitor how social media is and should be utilized in employment decisions. This is particularly true for statutes and regulations which one may not necessary link with social media. For example, employers often don’t realize that they may improperly acquire genetic information in violation of the GINA by “friending” or “following” employees or applicants.

Of course, schools also are employers…so, while universities and colleges need to institute effective policies and procedures to address their use of social media in recruiting, they also must address social media usage in the employment context.

What's On Your Mind?

Joseph Lazzarotti — Fri, 27 Jan 2012 11:50:31 -0800

In recognition of Data Privacy Day (January 28, 2012) and to facilitate a more interactive experience for our readers and subscribers, we want to extend to you the opportunity to tell us what is on your mind in the world of data privacy, social media and information management.

For the last two years, we have brought you developments on a wide range of issues concerning these topics. We realize many of you might like us to report on or provide information concerning certain issues/topics that we have not covered before. If so, please tell us!

To submit a topic, you can email us at informationrisk@jacksonlewis.com, or reach out to us through our Workplace Privacy Report on Facebook and Twitter. Feel free to “Like” our Facebook page and “Follow” us on Twitter by clicking on the corresponding buttons on the right below. If we select your topic, we will reach out to you privately to see if you would like us to identify you in the responsive post.

Of course, what would any communication from a lawyer be without a DISCLAIMER?

We look forward to hearing from you!

Second Social Media Report From NLRB Acting General Counsel

Joseph Lazzarotti — Wed, 25 Jan 2012 11:27:53 -0800

Today, the NLRB's Acting General Counsel posted a second report concerning social media issues and the National Labor Relations Act. The cases discussed in this report should provide further guidance to employers struggling with developing strategies for using social media in their business, developing employee policies regulating activity in social media, and enforcing those policies. Look for follow up analysis from us and our Labor partners.

Check out our prior reporting on related developments.

Social Media Guide for Hospitals

Joseph Lazzarotti — Sat, 21 Jan 2012 13:04:17 -0800

The ECRI Institute recently published an excellent summary of key issues for hospitals concerning social media (registration required), a valuable read for any hospital administrator, risk manager or human resources director. ECRI reports that approximately 4,000 U.S. hospitals own social media sites and that number is sure to grow significantly. One of the reasons for this growth will likely be due in significant part to the increasing number of people looking to social media to research health decisions. According to a National Research Corporation survey cited in the summary, 41% of nearly 23,000 respondents said that they used social media for this purpose.

The summary discusses critical areas for healthcare organizations to consider concerning social media, which can be applied to most other industries:

Understand the medium - what is social media, what are the different venues (Facebook, LinkedIn, FourSquare etc.), what is the competition doing, what new media is coming.
Determine desired uses - promotion of services/sales, recruiting, reputation management, community involvement, education, and so on.
Assess risks - privacy, network security, employment, reputation, regulatory, malpractice, and protecting the brand.
Develop policies and procedures - control company message and regulate employee activity.
Implement and train and reevaluate - limit the number of employees who can speak for the organization, train employees on legal risks (such as with HR looking up applicant/employee background information on line), determine whether social media plan is producing desired results

Businesses in all industries are "going social," and should be developing a comprehensive plan before doing so. The ECRI summary provides a good starting point for thinking through some of the issues, particularly for those in healthcare.

Mere Placement of Surveillance Cameras in Restroom Sufficient for Iowa Invasion-of-Privacy Claim

V. John Ella — Tue, 03 Jan 2012 12:41:25 -0800

An invasion-of-privacy claim against an insurance agent brought by his former employee should proceed even where a surveillance camera placed by the agent in the workplace’s unisex bathroom was faulty, the Iowa Supreme Court has ruled. Koeppel v. Speirs, No. 08-1927.

The district court dismissed the invasion-of-privacy claim on summary judgment because there was no proof that the equipment was operational or that the employer had actually viewed any recordings of the employees. The Court of Appeals reversed the dismissal, and on December 23, 2011, the Iowa Supreme Court affirmed the reversal and remanded the employee’s common law privacy claim to the district court.

The issue before the Iowa Supreme Court was whether an actual "viewing" was a necessary element of an invasion-of-privacy claim involving hidden monitoring equipment. Courts in other states have split on the issue. After analyzing decisions from other states and law review articles on privacy law as well as the origin of the term, "peeping Tom," the Iowa Supreme Court held that an actual viewing was not required. Following the reasoning of a 1964 New Hampshire Supreme Court decision, it concluded an intrusion occurs when the defendant performs an act that has the "potential to impair a person's state of mind and comfort associated with the expectation of privacy."

The Iowa Supreme Court said, "[W]e think it is important to keep in mind that the tort [of invasion of privacy] protects against acts that interfere with a person's mental well-being by intentionally exposing the person in an area cloaked with privacy." It determined that “[a]n electronic invasion occurs under the intrusion on solitude or seclusion component of the tort of invasion of privacy when the plaintiff establishes by a preponderance of evidence that the electronic device or equipment used by a defendant could have invaded privacy in some way.” Thus, under Koeppel, a victim's mental state can be more important to an invasion of privacy claim than what the defendant actually viewed, accessed, or shared. (The employee here also sued for sexual harassment, but that claim was dismissed because an employer with fewer than four employees is not liable for sexual harassment under Iowa law.)

An invasion-of-privacy claim in Iowa, therefore, need not include a showing that the monitoring device was functioning at the time it was discovered or that it was ever used. It is sufficient that the device was capable of functioning.

School Kids' Data at Risk

Joseph Lazzarotti — Sat, 17 Dec 2011 06:17:56 -0800

In addition to concerns about social media, school districts across the country need to address a growing interest in the personal data of the students they educate. No, this interest does not stem from a desire to see if kids are reading at the desired level, or if the children have the resources they need to receive an adequate education. Data thieves want this information to commit identity theft.

As reported by the Huffington Post:

Identity theft in schools is more than theoretical. Last July, Sheyla Diaz, 44, a former Broward County, Florida high school teacher, was sentenced to six months of house arrest for stealing the identities of former students. In 2009, Jonathan E. Kelly, who worked as a police officer for the Palm Beach County School District, was sentenced to eight years in prison for stealing the identities of former students and teachers.

The thieves know that children have pristine credit and that school districts, hampered by substantial budget cuts, may not be doing all they could to safeguard this information. Parents and school districts need to take steps to address this growing risk.

Wall Street Journal Article Is Reminder to Employers Concerning NLRB Focus On Social Media

Joseph Lazzarotti — Wed, 07 Dec 2011 19:43:23 -0800

A Wall Street Journal article on December 2 discusses the National Labor Relations Board's emergence into social media and non-union workplaces. For employers that have not looked at their policies and practices concerning employee activity in social media, this article serves as a good reminder.

Click here for more information.

The Consumer Fraud and Abuse Act -- Does It Apply To An Employee's Personal Computer?

Jason C. Gavejian — Mon, 28 Nov 2011 13:36:38 -0800

Many employers often question what recourse is available when faced with the destruction or alteration of company data by former employees. This question is made more complicated when employees use their own personal computer for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern division held that an employee's use of her personal computer to delete e-mails on her employer's computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers. Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder. This “hard delete” made the files hard to retrieve.

Defendants sought to dismiss the CFAA claims. Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it. Although defendants cited to no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim. Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them.

Companies must be aware of jurisdictional nuances as they strive to protect themselves. Stay tuned as we address similar issues in an upcoming series of posts!