pli workplace privacy in the year 2013 2013-6-13

Workplace Privacy In the Year 2013, June 18, 2013. Presented to Practicing Law Institute by Margaret A. Keane, Littler Mendelson, P.C., San Francisco Office. [email protected] www.linkedin.com/in/makeane/

Upload: mkeane

Post on 24-May-2015


DESCRIPTION

Addresses privacy issues associated with hiring in a social media world, privacy issues associated with BYOD programs; employee privacy rights associated with off-duty activity including Facebook postings and activity protected by lifestyle laws.

TRANSCRIPT

Page 1: Pli workplace privacy in the year 2013   2013-6-13

Workplace Privacy In the Year 2013

June 18, 2013

Presented to Practicing Law Institute by:

Margaret A. Keane

Littler Mendelson, P.C., San Francisco Office

[email protected] www.linkedin.com/in/makeane/


Today’s program

• Workplace Privacy Issues – The New World

– Hiring Practices, circa 2013

  • Overview of Social Media in the Hiring Process

  • Social Media Checks

  • Password Protection Statutes

  • FCRA

  • EEOC Guidance on Criminal Background Checks

  • Foreign data protection laws

– Employee Monitoring, Whistleblower Hotlines

– Yours, Mine or Ours: BYOD and Other Challenges of Mobile Devices

– Geo-location – GPS, RFID and more

– The NLRA, Drafting Social Media Policies, and Confidentiality

– Ownership and Control of Social Media Accounts

– Genetic Information Non-Discrimination Act


No Expectation of Privacy?

Despite diminished expectations of privacy, numerous laws address aspects of workplace privacy.

• Federal privacy laws include HIPAA, Gramm-Leach-Bliley (“GLB”), Children’s On-Line Privacy Protection Act (“COPPA”), Electronic Communications Protection Act (“ECPA”), Stored Communications Act (“SCA”), Fair Credit Reporting Act (“FCRA”), Genetic Information Non-Discrimination Act (“GINA”), Americans with Disabilities Act (“ADA”)

• State privacy and “lifestyle” laws and new state Password Protection laws (ex. CA AB 1844)

• Related Laws

– Record Retention Requirements, particularly for government contractors, medical and financial services sectors

– Security Breach Notification Statutes

– FINRA, FDA and other sector-specific regulations


No Expectation of Privacy?

In Europe, employees have privacy expectations, because legal protections do not depend on a “reasonable expectation of privacy”

– data protection laws

– wiretap, telecommunications secrets

– labor & employment laws


New Hiring Paradigms

• In many sectors, work no longer needs to be performed in a designated place or at a designated time.

– Cloud-based applications can be reached anywhere/anytime

• New work models are prevalent for providing IT and other task or project-based services

– Ex. – Elance, oDesk, Collabworks

• On-demand sourcing models are becoming mainstream in legal community – scope goes well beyond e-discovery

• New models challenge legal system of employment laws tied to physical location and fixed hours


Today’s Mobile Worker: A World of Sharing


We Love Our Smartphones. . .


Source: http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013?utm_source=slideshow03&utm_medium=ssemail&utm_campaign=share_slideshow_loggedout


Are Smartphones An Extension of Our Brains?

Source: http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013?utm_source=slideshow03&utm_medium=ssemail&utm_campaign=share_slideshow_loggedout


Social Media Use and Channels Continue to Grow

Source: http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013?utm_source=slideshow03&utm_medium=ssemail&utm_campaign=share_slideshow_loggedout


What Do You Do When You First Wake Up?

Always Connected, IDC Study, Sponsored by Facebook, March 2013


Blurring The Lines: Work vs. Personal

90% of full-time employees use a personal smartphone for work purposes

– 62% of those use it every day

– 39% don’t use password protection

– 52% access unsecured wifi networks

– 69% believe they are expected to access work emails after hours

1 in 10 workers receive a stipend for their smartphone

(Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)


Social Media, Privacy and the Hiring Process


Social Networking in Talent Sourcing and Promotion

• 91% of employers had hired a staff member based on their social networking profile

• 69% decided not to make job offer to candidate after seeing profile (photos of drugs/drinking or inappropriate behavior were the most popular reasons for eliminating candidate)

• 47% of companies check candidates' profiles on social networking sites after they receive an application and 27% review after a screening interview.

Source: Job Screening With Social Networks: How Are Employers Screening Job Applicants, Reppler, October 2011

Source: The Use of Social Networking Websites and Online Search Engines in Screening Job Candidates, Society for Human Resource Management, August 25, 2011


Getting to Know You: Risks of Using Social Media in the Hiring Process

• Risk of making employment decisions based on inaccurate, irrelevant or false info

• Online social networking profiles often present personal information not properly subject to inquiry during the hiring process

• Potential to eliminate applicants based on protected class status in violation of federal and state anti-discrimination laws

• Need to balance applicant’s rights with employer’s need to screen candidates thoroughly

• Decisions made based on lawful, off-duty conduct may violate state “lifestyle” laws


Source: www.facebook.com/blaise.dipersia (Facebook Page Designer -- Sample Page)


Passwords

• At last count, thirteen states have enacted legislation to prohibit employers from asking applicants or employees for social media passwords or other log-in credentials, including CA, CT, CO, HI, IL, MD, MI, NV, NM, OR, UT, VT and VI. Others have pending legislation and federal legislation has also been introduced.

• California’s statute provides an exception that permits employers to “request an employee to divulge personal social media reasonably believed to be relevant to an investigation” of allegations of misconduct.

• California also has an exception for usernames and passwords used to access employer-issued devices.

• Be aware of tensions between State laws and FINRA obligations to supervise and retain records.


Passwords

Service providers usually prohibit password sharing in their terms of use; consequently, access by a third party constitutes ‘unauthorized access to’ or ‘interference with’ a computer under trespass laws, such as the U.S. Computer Fraud and Abuse Act.


Responsible Use of Social Media in Recruiting, Hiring and Promotions

• Build a process for lawful use of social media data

– Determine when on-line searches will be used in hiring and promotion process (ex. after initial screening interviews)

– Determine scope of review: what sources will be checked and what information will be collected?

– Decide whether to inform applicants about on-line searches and whether to ask for email addresses, user names and blog posts

– Give notice and obtain consent where needed and comply with FCRA if using third parties to conduct search

– Do not engage in unauthorized access to password protected sites, “shoulder surf” or require users to disclose passwords unlawfully

– Isolate protected class information from the decision-maker

– Update forms for recording information, maintain contemporaneous documentation and comply with applicable retention requirements


Fair Credit Reporting Act (“FCRA”) Concerns


Fair Credit Reporting Act Overview

• Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (“consumer reporting agency” or “CRA”) and includes background screening companies

• Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”

– Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification

• Regulates public records, including criminal records, and is not limited to traditional credit reports

• Does not regulate purely in-house investigations, such as reference checks made by internal human resources personnel


FCRA Compliance

1. Obtain informed consent from job applicants

2. Issue "adverse action" letters if the background check will result in disqualification

3. Secure destruction of consumer information


FCRA Remedies

• Cases can be based on failure to use FCRA disclosure and authorization forms; failure to give adverse action notices

• Minimum statutory damages of $100 to $1,000 for willful violations

– Class action-friendly remedy where CRAs and employers follow standard procedures

– Low damages add up when multiplied against large applicant pools

• Actual damages for negligent violations

• Attorney fees to a successful plaintiff

• No statutory cap on defendant’s exposure


Class Litigation and FCRA

• Spike in class action filings against employers

– FCRA disclosure and authorization forms

– FCRA adverse action notices

– State equivalents

• Several multi-million dollar settlements in nationwide class actions


SOCIAL MEDIA AND CRIMINAL BACKGROUND CHECKS


Updated EEOC Enforcement Guidance

Updated Enforcement Guidance ─ Approved 4-1 on April 25, 2012:

– “EEOC Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964”

– Accompanying “Questions and Answers About EEOC’s Enforcement Guidance”

See http://www.eeoc.gov/laws/guidance/arrest_conviction.cfm and http://www.eeoc.gov/laws/guidance/qa_arrest_conviction.cfm


EEOC Recommended “Best Practices”

EEOC’s View of “Employer Best Practices”

• Eliminate blanket exclusions “based on any criminal record”

• Develop narrowly tailored written policy/procedures excluding individuals from particular jobs based on a criminal history record

(1) Identify essential job requirements

(2) Identify specific offenses tied to “unfitness” for job

(3) Identify time limits applicable to exclusion

(4) Document research/consultations to support policy/procedures

(5) Provide for individualized assessment before final hiring decision

• When asking questions about criminal records, limit inquiries to records job related/consistent with business necessity

• Make inquiries of criminal record – post application (e.g. “ban the box” approach)

• Train managers, hiring officials, and decision-makers on how to implement the policy and procedures consistent with Title VII.

• Maintain confidentiality of criminal records


State EEO Laws

• State counterparts to Title VII

• Specific ex-offender protections

– Workplace posting and notice obligations

– Sequencing restrictions (when an employer can ask questions)

– Inquiry restrictions (what employer cannot ask about)

– Source restrictions (what employer cannot access)

– “Job-relatedness” requirements (what discretion employer has to screen out applicants)


Employee monitoring and Whistleblower hotlines


Employee monitoring, hotlines

• USA: employers can destroy privacy expectations in notices

– hardly any limits

– but: notices must be updated regularly

• Rest of the World (ROW)

– many jurisdictions require voluntary employee consent

– EEA+ countries require limitations to monitoring programs and reportable topics for hotlines, notice to employees, consultations with works council and data protection officers, notifications to data protection authorities or applications for prior authorization, labor courts, labor inspectorate, etc.


Bring Your Own Device (“BYOD”) and Beyond


Lingo: Dual Use Mobile Devices and BYOD

• Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data

• BYOD: Bring Your Own Device

– A BYOD program includes:

  • Policies that govern use of personal devices to access corporate services

  • Policies attempt to manage risk associated with storage and transmittal of data using devices that may be outside of the employer’s control

• Policies to address impact of mobile devices on existing workplace behavior

• COPE: Corporate Owned, Personally Enabled


What is MDM – Mobile Device Management?

Mobile Device Management:

• Software that allows corporate IT to manage use of mobile devices. Component of BYOD programs. Features may allow an employer to:

– Require users to register devices as condition of network access

– Enable remote locking or wipe of device

– Implement anti-spam solutions, block specific apps, and prevent users from disabling or altering security settings on devices

– Monitor employee use and location of user and device


Policies Affected by BYOD: Mobile devices have impact on policies throughout your business

• Data Privacy & Security

• Harassment, Discrimination & EEO

• Workplace Safety

• Time Recording and Overtime

• Acceptable Use of Technology

• Compliance and Ethics

• Records Management

• Litigation Holds

• Confidentiality & Trade Secret Protection


Setting Up a BYOD Program: A Master Plan for mobile device use in your organization

• Need to address challenges of dual use devices, REGARDLESS of whether you adopt a BYOD program

• If you implement BYOD, your policy should be part of an integrated Information Governance Plan

• Determine goals and objectives

• Privacy Considerations

– Remote wipes

– Containers

– Backups


Setting Up a BYOD Program

• Who Participates?

• What conditions will be imposed on participants?

• Who pays?

• Program may include limits on acceptable applications, passwords, encryption, employer monitoring, reporting obligations and remote wipes

• Address tradeoffs

– Participation in program is a privilege, not a right

– May have privacy tradeoff for convenience of remote access and device


Privacy in a BYOD World

Will your program distinguish between personal and business use?

Privacy Parameters

• Distinguish between data and device

• Device

– May require return upon demand or inspection as part of investigation

– May require return, with data intact, upon separation from employment

• Data

– Determine whether employer will retain right to review all contents of device or will exclude categories such as music and photos

– Require employee to provide access to cloud backups or home server?

– Monitor/limit employee’s use of web-based applications? Example: Siri, Dropbox, iCloud, etc.

– Set parameters for timing, terms and extent of remote wipes


Privacy in a BYOD World

1. Remote wipes of lost devices – can be viewed as either pro-privacy or an intrusion. Participation in BYOD program may be conditioned upon consent to remote wipes.

2. Litigation issues:

– Identification of BYOD devices/information

– Practical challenges of data collection

– Does the employee “control” data on the devices?

– Will employees be required to produce mobile devices to employer for inspection, preservation and production?


Privacy in a BYOD World: What is a Reasonable Expectation of Privacy?

3. Even if your policy gives you access to the device, employees may have privacy expectations in personal data stored with online services. Be careful.

– Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (employee had reasonable expectation of privacy in password protected emails stored on hotmail and gmail servers, regardless of fact that she accessed them on a work computer)

– Steingart v. Loving Care Agency, Inc., 201 N.J. 300 (NJ 2010) (employee had reasonable expectation of privacy in personal password protected web-based email sent through employer’s computer)

– Pietrylo v. Hillstone Restaurant Group, No. 06-5754, 2008 U.S. Dist. LEXIS 108834, at *20 (D.N.J. July 24, 2008) (question of whether employee had a reasonable expectation of privacy in My Space page is a question of fact)

– Ehling v. Monmouth-Ocean Hospital Service Corp., Civ. No. 2:11-CV 033305 (WJM) (D.N.J. May 30, 2012) (plaintiff may have reasonable expectation of privacy in Facebook posting where she restricted access to her Facebook page)

– Doe v. City of San Francisco, No. C10-04700 THE (N.D. Cal. June 12, 2012) (employee had reasonable expectation of privacy in web-based emails viewed from a shared workplace computer designated for personal use by employees)


Geolocation Tracking and Telematics

• FTC: Geographic location is sensitive information

• CA Penal Code 637.7. No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person

• Tread carefully

Source: CTIA – The Wireless Association, Best Industry Practices and Guidelines for providers of location based services


Social Media, the NLRB and Protected Activity


What is Protected Concerted Activity?

• The NLRA prohibits discipline against employees who engage in “protected concerted activity”

Protected = related to the terms or conditions of employment, unionization, or an on-going labor dispute

Concerted = “with, or on the authority of, other employees and not solely by and on behalf of the employee himself.”

Meyers Industries, 268 NLRB 493, 497 (1984)

Note: Employees in a non-unionized workplace can engage in protected, concerted activity


What is Protected Activity?

1. What is the subject matter of the post?

– Union organizing or exercise of rights under CBA or labor law

– Work hours, wages, tax administration

– Job performance or meetings with management

2. Who is participating in the discussion?

– Only personal friends/relatives or co-workers included?

3. Is the employee expressing only an individual gripe?

4. Are employees acting collectively?

– Preparing for discussion with management or otherwise acting on behalf of group

5. Are the social media posts a direct outgrowth of prior group discussions?


Drafting and Enforcing Your Social Media Policy


NLRB: Unlawful Policy Provisions

1. Inappropriate Discussions

2. Defamation

3. Disparagement

4. Privacy

5. Confidentiality

6. Contact Information

7. Logo Restrictions

8. Photographs


Social Media Policies:

General Rule:

An employer’s social media policy may run afoul of the NLRA if it infringes on an employee’s ability to engage in protected activity.

Employers should be careful not to make their policies too broad, and should also include specific language that they do not mean for the policy to prohibit or restrict any lawfully protected activity.


Disclaimer Options

Board’s repeated comment: “[T]he rules contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.”

Use a disclaimer: This policy will not be construed or applied in a way that improperly interferes with (A) employees’ exercise of their rights under the NLRA or any other law, or (B) employees’ legally protected social media discussions regarding wages, hours, or working conditions.


Unlawful vs. Lawful

Unlawful: No posting of confidential information

Lawful: No posting trade secrets and private and confidential information with examples

Unlawful: No “inappropriate conduct” or “be respectful”

Lawful: Examples prohibiting discriminatory remarks, harassment and threats of violence or similar inappropriate conduct

Unlawful: “Be respectful”

Lawful: No malicious, obscene, threatening or intimidating conduct, harassing or bullying, posting intentionally meant to harm a co-workers’ reputation or could contribute to hostile work environment

Unlawful: Use of employer name or logo

Lawful: Ensuring postings are consistent with the code of ethics or conduct


Affirmative Guidelines

1. Require compliance with all Company policies (e.g. confidentiality, harassment)

2. Include: “Do not claim to be acting on the Company’s behalf without prior authorization;”

3. Require that employees disclose affiliation with the Company whenever endorsing its products or services;


Affirmative Guidelines

4. Remember:

Blanket policy that requires employee confidentiality during an HR investigation is deemed to violate the National Labor Relations Act and employees’ rights to engage in concerted activity – must be case-by-case determination.

5. If a Policy explicitly restricts activities protected by NLRA, NLRB will find it unlawful...and will also find unlawful if:

– employees would reasonably construe language to prohibit protected activity;

– Policy issued in response to Union activity; or

– Policy has been applied to restrict protected rights.

...AND, FINALLY:


Breaking Up is Hard to Do: Clarify your right to wipe devices and ownership of social media assets before the breakup

• Clarify ownership of social media assets. Maintain access to, and right to change, passwords to corporate accounts.


Genetic Information Nondiscrimination Act of 2008 (GINA)

• Illegal to discriminate against employees or applicants because of genetic information

• Employers may not use genetic information in making employment decisions and may not request, require or purchase genetic information

• Any employer that possesses genetic information about an employee must maintain such information in separate files; and must treat it as a confidential medical record and may disclose it only under very limited circumstances

• Prohibition on requesting information defines “request” to include “conducting an internet search on an individual in a way that is likely to result in a covered entity obtaining genetic information.” 29 C.F.R. §1635

• Safe harbor for inadvertent acquisition applies where employer “inadvertently learns genetic information from a social media platform where he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).” 29 C.F.R. §1634


Questions?


Margaret A. Keane

Shareholder

Littler Mendelson, P.C.

San Francisco Office

415.288.6303 [email protected]