Workplace Privacy Laws and New Technologies

www.schwabe.comWorkplace Privacy Law and New Technologies Presented by: Jean Ohman Back & Devon Zastrow Newman Schwabe, Williamson & Wyatt Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com Agenda• Introduction to “Cloud Computing” and Technologies that Employ the Cloud• Challenges faced by Security Professionals in Protecting Employer Assets and Data Privacy• Legal Sources for Employee Privacy Rights in the Workplace Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com What is “Cloud Computing”?The delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers andother devices as a utility (like the electric grid) over a network (typically the Internet)Briefly: purchase of external computing power Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com © Wikipedia Commons, Sam Johnston 2009 Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comWhat are the benefits of “Cloud Computing”?Centralized management of IT resources – Increase resource utilization rates (with faster speeds) – Lower costs (renting vs. owning resources)  Workplace IT focused on policy management Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comWhat are the downsides of Cloud Computing?• Reliability of resources out of direct control• Need to monitor/control resource use by users• Data privacy concerns – Workplace confidential material – Intellectual property protection Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comDevices that use Cloud Computing• Smart phones• Laptops• Tablets• Home computersGenerally: Internet-available devices that connect to workplace infrastructure Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comWhat these devices also access• Facebook• Twitter• MySpace• Tumblr• Google+• LinkedIn – “Apps” providing direct links to Internet from device with confidential material stored/accessed Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comBenefits and downfalls of social media• Benefits: new marketing opportunities, timeliness, reaching “younger” generation with marketing messages• Downfalls: potential for IP infringement, defamation, claims against employer, increased platform for litigation hold Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comLitigation hold• Duty to retain documents that could reasonably relate to an issue in litigation – Duty lasts through conclusion of case• Duty triggered when a business is sued (or has a reasonable apprehension of being sued)• Retention obligation applies to all “data” accessible by a company – Includes smart phones, tablets, computers – Can include social media platforms Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comDocument retention policy• Businesses should have a document retention policy – Example: all emails not permanently needed should be deleted after 30 days – Obligations for what to retain clearly defined• Businesses should follow their document retention policy Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comManaging workplace data privacy concerns– What does the law PERMIT employers to regulate?– What does the law REQUIRE employers to do in order to regulate data privacy? Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comPrivacy Issues & Sources of Law Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comEmployer MonitoringEmployers may generallymonitor emails sent andreceived on company-owned systems.Can be used to enforcedata privacyobligations/needs.Spell out actions &intervals in policyDo not target employees Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comMechanisms for protecting employer data• Employment agreement – Employee contract: defines the employer’s rights (e.g. monitoring computer activity) – Confidentiality agreement: spells out actions required to protect employer’s confidential information and/or intellectual property (trade secrets protection by independent contractor) • If you will enforce legally, should be a stand-alone agreement and not part of an employment manual. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comMechanisms for protecting employer data• Data management policy – Mobile device usage policy (if you want to use your iPhone, you’ll have to agree to …) – Can further address monitoring of employee activity that will occur • Case law: existing but “stale” policy is not effective: employees must be aware of policy and that it is regularly enforced Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comEmployer MonitoringEmployers withElectronicCommunications Policycan monitor telephonecalls on their own phonesystems-Spell out intendedactions in the policy Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com Employer MonitoringCity of Ontario v. Quon• Alleged 4th amendment privacy right violation where employer reviewed Quon’s private text messages on employer-issued device due to coverage charges and punished him for sexually explicit content• U.S. Supreme Court held review of message was incident to reasonable, work-related audit, and employee and no right of privacy in text messages on employer-owned devices• Public Employee Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comEmployer Monitoring• Recording telephone calls allowed in Oregon as long as all participants in the call are in Oregon, and as long as one person consents.• But – it is illegal to obtain or attempt to obtain any part of a telecommunication or radio communication in which the person recording is not a participant. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comEmployer Monitoring• Increasingly, employers use technology to track keystrokes, and to monitor the time that an employee spends on a computer.• Employers may not obtain employee passwords using keystroke monitoring Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comPrivacy Guidelines• Inform employees in • Consistently apply writing of the ways any monitoring that you plan to policies across all monitor them; employees;• Have a • Justify monitoring in comprehensive your policies by electronic including the communication policy legitimate business interests that supports monitoring activities Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com Sources of Privacy Rights Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights• 4th Amendment• Common Law• Statutory Law• National Labor Relations Act Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights4th Amendment for Public EmployeesPublic employees have privacy rightsunder the 4th Amendment if they have areasonable expectation of privacy. Butthere are no privacy rights to employer-owned systems where employer hascommunicated this and follows policy. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comCommon Law Privacy Rights• Includes specific causes of action in tort law (invasion of privacy, intrusion upon seclusion, false light)• Employees have a general right to privacy where there is a reasonable expectation of privacy.• An employee’s right to privacy in social media is governed by the nature of the social media site (i.e., is it publicly available?).• The employer’s workplace policies. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comCommon Law Privacy Rights• An employee does not have a privacy right to information that he or she posts to a public social media site.• An employee may have a privacy right to a web site that restricts access to certain users, or that is password protected.• Employer policies can dispel right of privacy for employer-owned systems or devices. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights Electronic Communications Privacy Act (“ECPA”)• Pertains to interception of the content of a communication contemporaneous with the communication.• Less likely to occur in employment setting. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights Stored Communications Act (“SCA”)• Prohibits third parties from intentionally accessing electronically stored communications.• Includes emails or entries on private websites, without proper authorization Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights Stored Communications Act (“SCA”) Allows authorized permission to access stored communications if:  (i) the person is the provider of the service; or  (ii) the person is a user of the service and the communication is from or intended for that user. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights Stored Communications Act (“SCA”) An employer may not intentionally access stored communications that are maintained by a third- party service provider without the user’s authorization Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights Stored Communications Act (“SCA”)• “User Authorization” Exception is extremely narrow:  Employee must actually be a user in order to give authorization – he or she must have actually logged on.  Court may not apply the exception where an employee is compelled to give access under threat of termination. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSources of Privacy Rights Stored Communications Act (“SCA”)• Consequences of violation are serious  Criminal liability for intentional unauthorized access.  Punitive damages and attorneys’ fees even without showing of actual damages. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSCA – Employment Decisions with Attendant Risk• Pietrylo v. Hillstone Restaurant Group, 2009 US Dist LEXIS 88702 (D.M.J. Sept. 29, 2009).• A supervisor obtained a user name and password to a MySpace web page from a hostess who felt coerced into providing the information.• The Plaintiff, who created the web page was discharged for violating policy requiring professionalism and positive attitude.• Jury awarded $3,403 plus punitive damages of $13,612 Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSCA – Employment Decisions with Attendant Risk• Konop v. Hawaiian Airlines Inc., 302 F.3d 868 (9th Cir. 2002).• Company accessed an employee’s secure website using other employee’s login information (with his permission) even though the site’s terms prohibited access by management and prohibited authorized users from allowing others to access the site.• Court found the airline violated the SCA and that the exception to the act (where permission to view is granted by a “user”) did not apply because the authorized employees had not actually “used” the site themselves. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comConcerted Activity under the NLRA• In both Union and Non-Union settings, Employees have the right to engage in concerted activity relating to the terms and conditions of employment, including:  2 or more employees addressing their employer about improving their working conditions and pay;  1 employee speaking to his or her employer on behalf of himself or herself and one or more coworkers about improving workplace conditions;  2 or more employees discussing pay or other work- related issues with each other. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comConcerted Activity• Concerted activity does not generally include the actions of a single employee unless he or she is attempting to enlist others, or unless acting based on prior concerted activity.• Concerted activity may not include egregious or profane statements made in the heat of discussion. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comConcerted Activity Protected by the NLRB• The NLRB protects discussions or statements by employees in a social media platform if the discussion or statement is “protected.”• Discussions are protected if they involve terms and conditions of employment. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comConcerted Activity Protected by the NLRBThe NLRB has taken action in two areas: 1) Where the employer’s social media policy is overbroad and violates Section 7 of the NLRA on its face, or chills the 2) Where the employer’s discipline or discharge of an employee based on social media activity violates the NLRA because it concerns protected concerted activity. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comNLRA example – Souza v. AMR• Employee was upset with her supervisor because he would not allow her union representative to assist her in preparation of a response to a consumer complaint.• She posted her annoyance on Facebook from her home computer. Other employees commented on her post in her favor.• AMR fired the employee after her post, but allegedly based on many different employment issues.• The NLRB took issue with the termination arguing that AMR fired her because she had requested a union representative and because she complained about her workplace on her Facebook Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comNLRA example – Souza v. AMR• AMR’s policy provides that “Employees are prohibited from making disparaging, discriminatory or defamatory comments when discussing the Company or the employees superiors, co-workers and/or competitors.”• The NLRB complaint charges that AMRs application of its policy unlawfully interfered with the employees right under Section 7 of the NLRA to engage in “concerted, protected activity,” i.e., to communicate with coworkers about the terms and conditions of employment.• AMR and the NLRB settled this complaint, so we do not know what an Administrative Law Judge would decide. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comExamples of conduct that the NLRBhad determined are protected• Statements related to staffing levels;• Statements related to choice of food as a sales event that could impact the level of commission on sales;• Statements about the employer’s administration of income tax withholdings;• Complaints about a supervisor’s refusal to provide a union representative in meetings. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comConcerted Activity• Be careful about disciplining or discharging based on one or more employees posting to a site where they are complaining about the terms and conditions of employment.• Best practice – obtain legal advice, or refer discipline or discharge to HR before taking action. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comShould you have a Social Media Policy?• The NLRB has placed increased scrutiny on social media policies;• But, social media policies are still the best way to protect your company’s trade secrets and intellectual property• Social media policies are recommended if carefully drafted, and reviewed often Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comDrafting a social media policy• Your social media policy should include a statement setting out a narrowly drawn purpose for the policy;• Include examples of activity that will and will not violate the policy provision;• Include clear limited language – Ex: Nothing in this policy prohibits employees from discussing wages, working conditions, or terms of employment with each other. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comThe Computer Fraud and Abuse Act• Enacted by Congress in 1984 as an anti-hacking statute.• Provides in part that – “Whoever * * * knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access and by means of such conduct furthers the intended fraud and obtains anything of value * * * shall be punished”• This is a criminal provision, and violation could mean jail time. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comThe Computer Fraud and Abuse Act• The CFAA further defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comThe Computer Fraud and Abuse Act• Some cases have found that employees who exceed authorization under a workplace computer use policy have violated the act and committed a crime.• These cases are in other Federal Circuits: – United States v. Rodriguez – 11th Cir. – United States v. John – 5th Cir. – Int’l Airport Ctrs., v. Citrin – 7th Cir. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comThe Computer Fraud and Abuse Act• United States v. Nosal• On April 12, 2012, The 9th Circuit Court of Appeals rejected the argument that the CFAA applies to situations where employees with permission to access a company computer and unrestricted access to data, forwarded confidential information to former employee so that he could compete against the company. Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comSummary on Sources of Privacy Rights• The 4th Amendment for Public employees• Common law privacy rights• Statutory rights (ECPA; SCA)• Concerted activity under the NLRA5. No criminal violation in the 9th Circuit for employees who exceed computer access under the Computer Fraud and Abuse Act Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comHelpful Resources• http://www.iacpsocialmedia.org/ IACP Center for Social Media (law enforcement)• National Institute of Standards and Technology Publication 800-144 (web): Guidelines on Security and Privacy in Public Cloud Computing• http://business.ftc.gov/privacy-and-security Federal Trade Commission/Bureau of Consumer Protection: tracks what information can be collected from websites; information regarding regulations for data storage about consumers by companies which collect data Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.comHelpful Resources• Advisen – Online Social Networking:A Brave New World of Liability. https://advisen.com/downloads/SocialNetworking.pdf• Department of Justice – Obtaining and Using Evidence from Social Networking Sites. http://www.eff.org/files/filenode/social_network/20100303_cirm_socialne• Florida Department of Law Enforcement – Social Networking Sites – How they are used to Perpetrate Criminal Activity and how Law Enforcement uses them as an Investigative tool.• http://www.fdle.state.fl.us/Content/Analyst-Academy/Documents/Social- Networking-Sites.apx Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com Questions? Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

www.schwabe.com Contact Information Jean Ohman Back JBack@schwabe.com (503) 796-2960 Devon Zastrow Newman DNewman@schwabe.com (503) 796-2944 Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA

Workplace Privacy Laws and New Technologies

by InnoTech

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Workplace Privacy Laws and New Technologies Presentation Transcript