PLI Workplace Privacy in the Year 2013 (2013-6-13)



Addresses privacy issues associated with hiring in a social media world, privacy issues associated with BYOD programs; employee privacy rights associated with off-duty activity including Facebook postings and activity protected by lifestyle laws.

Published in: Technology

  1. Workplace Privacy In the Year 2013
     June 18, 2013
     Presented to Practicing Law Institute by: Margaret A. Keane, Littler Mendelson, P.C., San Francisco
  2. Today’s program
     • Workplace Privacy Issues
       – The New World
       – Hiring Practices, circa 2013
         • Overview of Social Media in the Hiring Process
         • Social Media Checks
         • Password Protection Statutes
         • FCRA
         • EEOC Guidance on Criminal Background Checks
         • Foreign data protection laws
       – Employee Monitoring, Whistleblower Hotlines
       – Yours, Mine or Ours: BYOD and Other Challenges of Mobile Devices
       – Geo-location – GPS, RFID and more
       – The NLRA, Drafting Social Media Policies, and Confidentiality
       – Ownership and Control of Social Media Accounts
       – Genetic Information Non-Discrimination Act
  3. No Expectation of Privacy?
     Despite diminished expectations of privacy, numerous laws address aspects of workplace privacy.
     • Federal privacy laws include HIPAA, Gramm-Leach-Bliley (“GLB”), Children’s On-Line Privacy Protection Act (“COPPA”), Electronic Communications Privacy Act (“ECPA”), Stored Communications Act (“SCA”), Fair Credit Reporting Act (“FCRA”), Genetic Information Non-Discrimination Act (“GINA”), Americans with Disabilities Act (“ADA”)
     • State privacy and “lifestyle” laws and new state Password Protection laws (ex. CA AB 1844)
     • Related Laws
       – Record Retention Requirements, particularly for government contractors, medical and financial services sectors
       – Security Breach Notification Statutes
       – FINRA, FDA and other sector-specific regulations
  4. No Expectation of Privacy?
     In Europe, employees have privacy expectations, because legal protections do not depend on a “reasonable expectation of privacy”:
     – data protection laws
     – wiretap, telecommunications secrets
     – labor & employment laws
  5. New Hiring Paradigms
     • In many sectors, work no longer needs to be performed in a designated place or at a designated time.
       – Cloud-based applications can be reached anywhere/anytime
     • New work models are prevalent for providing IT and other task or project-based services
       – Ex. – Elance, oDesk, Collabworks
     • On-demand sourcing models are becoming mainstream in legal community – scope goes well beyond e-discovery
     • New models challenge legal system of employment laws tied to physical location and fixed hours
  6. Today’s Mobile Worker: A World of Sharing
  7. We Love Our Smartphones . . .
     Source:
  8. Are Smartphones An Extension of Our Brains?
     Source:
  9. Social Media Use and Channels Continue to Grow
     Source:
  10. What Do You Do When You First Wake Up?
      Source: Always Connected, IDC Study, Sponsored by Facebook, March 2013
  11. Blurring The Lines: Work vs. Personal
      • 90% of full-time employees use a personal smartphone for work purposes
        – 62% of those use it every day
        – 39% don’t use password protection
        – 52% access unsecured wifi networks
        – 69% believe they are expected to access work emails after hours
      • 1 in 10 workers receive a stipend for their smartphone
      (Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)
  12. Social Media, Privacy and the Hiring Process
  13. Social Networking in Talent Sourcing and Promotion
      • 91% of employers had hired a staff member based on their social networking profile
      • 69% decided not to make job offer to candidate after seeing profile (photos of drugs/drinking or inappropriate behavior were the most popular reasons for eliminating candidate)
      • 47% of companies check candidates’ profiles on social networking sites after they receive an application and 27% review after a screening interview.
      Source: Job Screening With Social Networks: How Are Employers Screening Job Applicants, Reppler, October 2011
      Source: The Use of Social Networking Websites and Online Search Engines in Screening Job Candidates, Society for Human Resource Management, August 25, 2011
  14. Getting to Know You: Risks of Using Social Media in the Hiring Process
      • Risk of making employment decisions based on inaccurate, irrelevant or false info
      • Online social networking profiles often present personal information not properly subject to inquiry during the hiring process
      • Potential to eliminate applicants based on protected class status in violation of federal and state anti-discrimination laws
      • Need to balance applicant’s rights with employer’s need to screen candidates thoroughly
      • Decisions made based on lawful, off-duty conduct may violate state “lifestyle” laws
  15. Source: (Facebook Page Designer -- Sample Page)
  16. Passwords
      • At last count, thirteen states have enacted legislation to prohibit employers from asking applicants or employees for social media passwords or other log-in credentials, including CA, CT, CO, HI, IL, MD, MI, NV, NM, OR, UT, VT and VI. Others have pending legislation and federal legislation has also been introduced.
      • California’s statute provides an exception that permits employers to “request an employee to divulge personal social media reasonably believed to be relevant to an investigation” of allegations of misconduct.
      • California also has an exception for usernames and passwords used to access employer-issued devices.
      • Be aware of tensions between State laws and FINRA obligations to supervise and retain records.
  17. Passwords
      Service providers usually prohibit password sharing in their terms of use; consequently, access by a third party constitutes ‘unauthorized access to’ or ‘interference with’ a computer under trespass laws, such as the U.S. Computer Fraud and Abuse Act.
  18. Responsible Use of Social Media in Recruiting, Hiring and Promotions
      • Build a process for lawful use of social media data
        – Determine when on-line searches will be used in hiring and promotion process (ex. after initial screening interviews)
        – Determine scope of review: what sources will be checked and what information will be collected?
        – Decide whether to inform applicants about on-line searches and whether to ask for email addresses, user names and blog posts
        – Give notice and obtain consent where needed and comply with FCRA if using third parties to conduct search
        – Do not engage in unauthorized access to password protected sites, “shoulder surf” or require users to disclose passwords unlawfully
        – Isolate protected class information from the decision-maker
        – Update forms for recording information, maintain contemporaneous documentation and comply with applicable retention requirements
  19. Fair Credit Reporting Act (“FCRA”) Concerns
  20. Fair Credit Reporting Act Overview
      • Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (“consumer reporting agency” or “CRA”) and includes background screening companies
      • Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”
        – Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification
      • Regulates public records, including criminal records, and is not limited to traditional credit reports
      • Does not regulate purely in-house investigations, such as reference checks made by internal human resources personnel
  21. FCRA Compliance
      1. Obtain informed consent from job applicants
      2. Issue “adverse action” letters if the background check will result in disqualification
      3. Secure destruction of consumer information
  22. FCRA Remedies
      • Cases can be based on failure to use FCRA disclosure and authorization forms; failure to give adverse action notices
      • Minimum statutory damages of $100 to $1,000 for willful violations
        – Class action-friendly remedy where CRAs and employer follow standard procedures
        – Low damages add up when multiplied against large applicant pools
      • Actual damages for negligent violations
      • Attorney fees to a successful plaintiff
      • No statutory cap on defendant’s exposure
  23. Class Litigation and FCRA
      • Spike in class action filings against employers
        – FCRA disclosure and authorization forms
        – FCRA adverse action notices
        – State equivalents
      • Several multi-million dollar settlements in nationwide class actions
  26. Updated EEOC Enforcement Guidance
      Updated Enforcement Guidance ─ Approved 4-1 on April 25, 2012:
      – “EEOC Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964”
      – Accompanying “Questions and Answers About EEOC’s Enforcement Guidance”
      See and
  27. EEOC Recommended “Best Practices”
      EEOC’s View of “Employer Best Practices”
      • Eliminate blanket exclusions “based on any criminal record”
      • Develop narrowly tailored written policy/procedures excluding individuals from particular jobs based on a criminal history record
        (1) Identify essential job requirements
        (2) Identify specific offenses tied to “unfitness” for job
        (3) Identify time limits applicable to exclusion
        (4) Document research/consultations to support policy/procedures
        (5) Provide for individualized assessment before final hiring decision
      • When asking questions about criminal records, limit inquiries to records job related/consistent with business necessity
      • Make inquiries of criminal record – post application (e.g. “ban the box” approach)
      • Train managers, hiring officials, and decision-makers on how to implement the policy and procedures consistent with Title VII.
      • Maintain confidentiality of criminal records
  28. State EEO Laws
      • State counterparts to Title VII
      • Specific ex-offender protections
        – Workplace posting and notice obligations
        – Sequencing restrictions (when an employer can ask questions)
        – Inquiry restrictions (what employer cannot ask about)
        – Source restrictions (what employer cannot access)
        – “Job-relatedness” requirements (what discretion employer has to screen out applicants)
  29. Employee monitoring and Whistleblower hotlines
  30. Employee monitoring, hotlines
      • USA: employers can destroy privacy expectations in notices
        – hardly any limits
        – but: notices must be updated regularly
      • Rest of the World (ROW)
        – many jurisdictions require voluntary employee consent
        – EEA+ countries require limitations to monitoring programs and reportable topics for hotlines, notice to employees, consultations with works council and data protection officers, notifications to data protection authorities or applications for prior authorization, labor courts, labor inspectorate, etc.
  31. Bring Your Own Device (“BYOD”) and Beyond
  32. Lingo: Dual Use Mobile Devices and BYOD
      • Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
      • BYOD: Bring Your Own Device
        – A BYOD program includes:
          • Policies that govern use of personal devices to access corporate services
          • Policies that attempt to manage risk associated with storage and transmittal of data using devices that may be outside of the employer’s control
          • Policies to address impact of mobile devices on existing workplace behavior
      • COPE: Corporate Owned, Personally Enabled
  33. What is MDM – Mobile Device Management?
      Mobile Device Management:
      • Software that allows corporate IT to manage use of mobile devices. Component of BYOD programs. Features may allow an employer to:
        – Require users to register devices as condition of network access
        – Enable remote locking or wipe of device
        – Implement anti-spam solutions, block specific apps, and prevent users from disabling or altering security settings on devices
        – Monitor employee use and location of user and device
  34. Policies Affected by BYOD:
      Mobile devices have impact on policies throughout your business
      • Data Privacy & Security
      • Harassment, Discrimination & EEO
      • Workplace Safety
      • Time Recording and Overtime
      • Acceptable Use of Technology
      • Compliance and Ethics
      • Records Management
      • Litigation Holds
      • Confidentiality & Trade Secret Protection
  35. Setting Up a BYOD Program: A Master Plan for mobile device use in your organization
      • Need to address challenges of dual use devices, REGARDLESS of whether you adopt a BYOD program
      • If you implement BYOD, your policy should be part of an integrated Information Governance Plan
      • Determine goals and objectives
      • Privacy Considerations
        – Remote wipes
        – Containers
        – Backups
  36. Setting Up a BYOD Program
      • Who Participates?
      • What conditions will be imposed on participants?
      • Who pays?
      • Program may include limits on acceptable applications, passwords, encryption, employer monitoring, reporting obligations and remote wipes
      • Address tradeoffs
        – Participation in program is a privilege, not a right
        – May have privacy tradeoff for convenience of remote access and device
  37. Privacy in a BYOD World
      Will your program distinguish between personal and business use?
      Privacy Parameters
      • Distinguish between data and device
      • Device
        – May require return upon demand or inspection as part of investigation
        – May require return, with data intact, upon separation from employment
      • Data
        – Determine whether employer will retain right to review all contents of device or will exclude categories such as music and photos
        – Require employee to provide access to cloud backups or home server?
        – Monitor/limit employee’s use of web-based applications? Example: Siri, Dropbox, iCloud, etc.
        – Set parameters for timing, terms and extent of remote wipes
  38. Privacy in a BYOD World
      1. Remote wipes of lost devices – can be viewed as either pro-privacy or an intrusion. Participation in BYOD program may be conditioned upon consent to remote wipes.
      2. Litigation issues:
        – Identification of BYOD devices/information
        – Practical challenges of data collection
        – Does the employee “control” data on the devices?
        – Will employees be required to produce mobile devices to employer for inspection, preservation and production?
  39. Privacy in a BYOD World: What is a Reasonable Expectation of Privacy?
      3. Even if your policy gives you access to the device, employees may have privacy expectations in personal data stored with online services. Be careful.
        – Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (employee had reasonable expectation of privacy in password protected emails stored on hotmail and gmail servers, regardless of fact that she accessed them on a work computer)
        – Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (NJ 2010) (employee had reasonable expectation of privacy in personal password protected web-based email sent through employer’s computer)
        – Pietrylo v. Hillstone Restaurant Group, No. 06-5754, 2008 U.S. Dist. LEXIS 108834, at *20 (D.N.J. July 24, 2008) (question of whether employee had a reasonable expectation of privacy in My Space page is a question of fact)
        – Ehling v. Monmouth-Ocean Hospital Service Corp., Civ. No. 2:11-CV 033305 (WJM) (D.N.J. May 30, 2012) (plaintiff may have reasonable expectation of privacy in Facebook posting where she restricted access to her Facebook page)
        – Doe v. City of San Francisco, No. C10-04700 THE (N.D. Cal. June 12, 2012) (employee had reasonable expectation of privacy in web-based emails viewed from a shared workplace computer designated for personal use by employees)
  40. Geolocation Tracking and Telematics
      • FTC: Geographic location is sensitive information
      • CA Penal Code 637.7: No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person
      • Tread carefully
      Source: CTIA – The Wireless Association, Best Industry Practices and Guidelines for providers of location based services
  41. Social Media, the NLRB and Protected Activity
  42. What is Protected Concerted Activity?
      • The NLRA prohibits discipline against employees who engage in “protected concerted activity”
      Protected = related to the terms or conditions of employment, unionization, or an on-going labor dispute
      Concerted = “with, or on the authority of, other employees and not solely by and on behalf of the employee himself.” Meyers Industries, 268 NLRB 493, 497 (1984)
      Note: Employees in a non-unionized workplace can engage in protected, concerted activity
  43. What is Protected Activity?
      1. What is the subject matter of the post?
        – Union organizing or exercise of rights under CBA or labor law
        – Work hours, wages, tax administration
        – Job performance or meetings with management
      2. Who is participating in the discussion?
        – Only personal friends/relatives or co-workers included?
      3. Is the employee expressing only an individual gripe?
      4. Are employees acting collectively?
        – Preparing for discussion with management or otherwise acting on behalf of group
      5. Are the social media posts a direct outgrowth of prior group discussions?
  44. Drafting and Enforcing Your Social Media Policy
  45. NLRB: Unlawful Policy Provisions
      1. Inappropriate Discussions
      2. Defamation
      3. Disparagement
      4. Privacy
      5. Confidentiality
      6. Contact Information
      7. Logo Restrictions
      8. Photographs
  46. Social Media Policies: General Rule
      An employer’s social media policy may run afoul of the NLRA if it infringes on an employee’s ability to engage in protected activity.
      Employers should be careful not to make their policies too broad, and should also include specific language that they do not mean for the policy to prohibit or restrict any lawfully protected activity.
  47. Disclaimer Options
      Board’s repeated comment: “[T]he rules contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.”
      Use a disclaimer: This policy will not be construed or applied in a way that improperly interferes with (A) employees’ exercise of their rights under the NLRA or any other law, or (B) employees’ legally protected social media discussions regarding wages, hours, or working conditions.
  48. Unlawful vs. Lawful policy language
      • Unlawful: No posting of confidential information
        Lawful: No posting trade secrets and private and confidential information, with examples
      • Unlawful: No “inappropriate conduct” or “be respectful”
        Lawful: Examples prohibiting discriminatory remarks, harassment and threats of violence or similar inappropriate conduct
      • Unlawful: “Be respectful”
        Lawful: No malicious, obscene, threatening or intimidating conduct, harassing or bullying, or posting intentionally meant to harm a co-worker’s reputation or that could contribute to a hostile work environment
      • Unlawful: Use of employer name or logo
        Lawful: Ensuring postings are consistent with the code of ethics or conduct
  49. Affirmative Guidelines
      1. Require compliance with all Company policies (e.g. confidentiality, harassment)
      2. Include: “Do not claim to be acting on the Company’s behalf without prior authorization;”
      3. Require that employees disclose affiliation with the Company whenever endorsing its products or services;
  50. Affirmative Guidelines
      4. Remember: Blanket policy that requires employee confidentiality during an HR investigation is deemed to violate the National Labor Relations Act and employees’ rights to engage in concerted activity – must be case-by-case determination.
      5. If a Policy explicitly restricts activities protected by NLRA, NLRB will find it unlawful... and will also find it unlawful if:
        – employees would reasonably construe language to prohibit protected activity; Policy issued in response to Union activity; or Policy has been applied to restrict protected rights.
      ...AND, FINALLY:
  51. Breaking Up is Hard to Do: Clarify your right to wipe devices and ownership of social media assets before the breakup
      • Clarify ownership of social media assets. Maintain access to, and right to change, passwords to corporate accounts.
  52. Genetic Information Nondiscrimination Act of 2008 (GINA)
      • Illegal to discriminate against employees or applicants because of genetic information
      • Employers may not use genetic information in making employment decisions and may not request, require or purchase genetic information
      • Any employer that possesses genetic information about an employee must maintain such information in separate files; and must treat it as a confidential medical record and may disclose it only under very limited circumstances
      • Prohibition on requesting information defines “request” to include “conducting an internet search on an individual in a way that is likely to result in a covered entity obtaining genetic information.” 29 C.F.R. §1635
      • Safe harbor for inadvertent acquisition applies where employer “inadvertently learns genetic information from a social media platform where he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).” 29 C.F.R. §1634
  53. Questions?
  54. Margaret A. Keane, Shareholder, Littler Mendelson, P.C., San Francisco Office, 415.288.6303, mkeane@littler.com