Workplace Privacy: New Technology, New Challenges

Transcription

1 Workplace Privacy: New Technology, New Challenges Second Quarter Roundtable June 23, 2015 Mary Will

2 What s Keeping You Up at Night? 2

3 Employers Dilemma Employers have many reasons to engage in activities that arguably intrude on employee privacy Federally-mandated drug testing FMLA certifications Pre-employment background checks Negligent hiring What is personal information? SSN DOB Medical

4 Topics to Cover Employer surveillance and monitoring of employees Applicable laws Practical considerations Data collection, sharing, and retention Keeping information secure Recordkeeping and discovery obligations Handling a compromise of information 4

5 Why This is Important for Employers Data security incidents are on the rise. Billions lost in cyber theft of intellectual property Breach costs as high as $200 per record Impact on product or customer loyalty Lawsuits and regulatory enforcement actions Increased focus on privacy Legislative and regulatory responses from policymakers Specific protections required for certain types of information Lawsuits and regulatory enforcement actions Employee morale 5

6 Applicable Laws U.S. Constitution (public employers) First Free Speech Fourth Unreasonable Searches and Seizures Ninth and Fourteenth - Privacy Interests Federal laws Electronic Communications Privacy Act Stored Communications Act Federal Wiretap Act Computer Fraud and Abuse Act Sector-specific laws (e.g., HIPAA) 6

7 Applicable Laws ECPA Exceptions (e.g., consent, business purpose) State law Delaware and Connecticut have legislation requiring employers to provide notice to employees prior to monitoring communications or internet access Computer Fraud and Abuse Act Civil and criminal penalties Used to support claims against employees / former employees for misappropriating confidential information Difficult to prove: (1) without authorization; and (2) damage or loss

8 Workplace Considerations Privacy in the workplace Balance: Employer s right to control workplace and employees expectation of privacy Employers generally have the right to monitor activity conducted on employer s equipment and to inspect and review all related records, ongoing debate by lawmakers on employees rights to online privacy As a general rule, surveillance and monitoring of employees private electronic communications in the workplace must be reasonable in scope and done for legitimate business purposes Employees should be informed in writing that their communications may be intercepted and recorded with a signed acknowledgement from each employee

9 Applicable Laws Employment-Based Laws Federal State-specific laws Discrimination Medical inquiries and examinations Protected categories Laws regulating how information is stored and used Background checks Criminal convictions Credit history

10 Applicable Laws National Labor Relations Act Concerted activity Employers that allow employee access to systems for business purposes must also allow employees to use that system during non-work time for union-organizing Social media guidance Overly broad policies limiting employee actions on social media can violate NLRA A policy requiring employees to maintain the confidentiality of trade secrets and private confidential information may be lawful if it contains examples or otherwise makes it clear that it does not apply to protected communications

11 Applicable Laws State constitutions 10 states have explicit guarantee of privacy AK, AZ, CA, FL, HI, IL, LA, MT, SC, WA State laws* Employer access to employee online accounts CO, MI Collection / use of SSNs CO IN (public employers only) MI MN 11

12 Applicable Laws Common Law Torts Invasion of Privacy Intrusion upon solitude or seclusion Appropriation Public disclosure of private facts False-light privacy invasion 12

13 Scenario #1 Bob works as a nurse at a hospital. He maintains a personal Facebook page, which is restricted such that only his friends may view posts on his wall. Bob friends a co-worker, John. Bob posts stories to his wall about events and patients at the hospital, including: My heart goes out to Bob, a cancer patient who has been under my care this week. Please keep him in your thoughts and prayers as his condition continues to deteriorate. I don t know he will make it through the week. John prints out copies of Bob s posts and sends them to Bob s manager. When the manager sees the post, he terminates Bob s employment based on his violation of the hospital s patient privacy policies.

14 Scenario #2 Sue s post: An 88-year-old sociopath white supremacist opened fire in the Wash D.C. Holocaust Museum this morning and killed an innocent guard The 88-year-old was shot. He survived. I blame the DC paramedics. Manager suspends Sue without pay and warns her that her posts reflect a disregard for patient safety.

15 Scenario #2 Sue files a lawsuit alleging the following: Violation of the Federal Stored Communications Act Violation of the New Jersey Law Against Discrimination Violation of the Conscientious Employee Protection Act Invasion of Privacy Sue also files a complaint with the NLRB alleging violations of the NLRA.

16 Scenario #3 Carol used a company-provided cell phone for work. Carol set up the phone to receive s from both her company account and her personal Gmail account. Carol resigned her employment and turned in her cell phone in accordance with company policy. Following her resignation, Carol s manager suspected she had been soliciting customers in violation of her employment agreement. The manager reviewed Carol s personal s stored on the company cell phone.

17 Scenario #4 Nancy works in sales and spends about 50% of her time out of the office visiting customers. It is important for Nancy to be able to access her company while out on the road, and so the company provides her access to its systems on her personal iphone. Nancy loses her iphone while on vacation. The company accesses the device remotely and wipes all data from the device, including Nancy s personal data stored on the phone.

18 Bring Your Own Device Do you have a policy about how personal devices may be used? Does the policy address acceptable use/access to employer systems? Does the policy address when the company may monitor or access the device? How is company data secured on the device? Passwords Encryption Viruses/breaches What happens when the employee loses the device or leaves the company? Are employees being properly compensated for time spent working on a personal device?

19 Scenario #5 Steve uses his personal cell phone for work purposes, including s, text message, and phone calls with his co-workers and customers. Steve s coworker, Becky, reports to HR that Steve has been sending her inappropriate s and text messages, and believes he has been sending the same types of messages to other female coworkers and customers. Becky provides copies of some s and text messages. When Steve is interviewed by HR, he denies the accusations and says Becky has forged the s.

20 Scenario #5 What can the employer do? Search his work computer for s Search his cell phone for s and text messages Search his office for evidence of inappropriate communications Conduct a criminal background check to verify whether Steve has any relevant criminal history

21 Scenario #6 The company has had concerns about the productivity of its sales representatives while out on the road. The sales manager asks IT to purchase new software that monitors activity and tracks the location of employee laptops and cellphones. From this data, the sales manager analyzes employee efficiencies and makes recommendations to his sales force, which results in more sales and lower expenses for his division.

22 Employee Monitoring Advances in technology Employee location Activity on computer and cell phone Type of information accessed Conversation styles Risky behaviors Theft

23 Employee Monitoring Don t go too far What is necessary from a business perspective Consider notifying employees or requesting employee consent Type of information being collected How the information will be used Be aware of state law limitations Eavesdropping laws Privacy restrictions Example: Video monitoring near restrooms

24 Scenario #7 Jill applies for an administrative assistant job at the company. In this role, Jill would be responsible for managing the day-to-day affairs of an executive and would have regular contact with senior-level employees and some clients. Based on Jill s resume and interview, she is the most qualified applicant for the job. Following her interview, the manager Googles Jill s name and finds pictures of Jill at a party with a beer in her hand dated within the last two months. The manager decides not to hire Jill for the position.

25 Employer considerations Acceptable use policy How may employees use company computers, phones and other equipment Primary purpose is business No right to privacy Explicitly state employer has the right to access and monitor Maintain integrity and efficiency of system Prevent or discourage unauthorized access and use Retrieve business information Investigate misconduct or misuse Respond to lawful requests for information Tie to other company policies (anti-discrimination, harassment) Deletion may not fully remove from system

26 Employer considerations Mobile device/byod policy Explicitly state employer has the right to access and monitor Use of devices outside of working hours Non-exempt employees Protection of confidential or proprietary information Prohibit downloading of sensitive information onto devices Employer ability to wipe device in the event of loss or termination of employment May impact personal information stored on the device Recording in the workplace

27 Employer considerations Vendor arrangements Background checks Drug testing Employee health plans Maintaining personal information Separate files Limiting access to those files Computer systems Security Encryption Off-site access Destruction practices

28 Beyond the U.S. Privacy laws can vary greatly from country to country Policies may need to be adapted depending on employee location Privacy protections outside the U.S. can be challenging Required consent to use or share employee information Ability to transfer information outside of certain countries may be limited

29 Data Collection, Sharing and Retention Know your organization Increased regulatory focus on tone at the top Know your data Understand all the different types of employee, consumer or proprietary information your company may hold Understand and implement safeguards, as required or appropriate Know your risks Insider threat Including inadvertent Cyber attack Physical threats Natural disaster 29

30 Know Your Organization Who in management is responsible for data security and privacy issues? How is that conveyed to employees? Does your organization have an updated incident response plan? Practice, practice, practice Has your organization developed and circulated data security and privacy policies and practices? Update as data sets or circumstances change Convey clearly to employees Does your organization have insurance, or appropriate legal protections, to cover the costs of responding to and mitigating a breach? 30

31 Know Your Data Who is collecting your data? Employees, vendors, third parties What type of information is it? Personal information Different definitions under state laws Social security numbers Protected health information Proprietary information Where is the data coming from? International privacy considerations Why are you collecting, sharing, or retaining the data? 31

32 Know Your Risks Is management kept informed about potential threats and vulnerabilities? e.g., data breaches, employee error, natural disasters How is your data being used or accessed? Understand risks from vendors, affiliates, bring-your-own-device Make sure that uses are appropriate and consistent with stated policies Discovery obligations Third-party requests administrative agencies, former employees legal counsel Corporate transactions and personnel files Stock v. Asset purchases 32

33 Know Your Risks Are your employees properly trained on privacy and data security? Proper and current training Encourage compliance Immediate reporting of security / data breaches Specific state requirements 33

34 QUESTIONS?

35 Here to Help Mary Will Partner Denver Labor and Employment FaegreBD.com/mary-will T: