New York Jets Coach Fined for "Off-Duty" Conduct

While attending a Mixed Martial Arts event in Miami, New York Jets head coach, Rex Ryan, apparently made an obscene gesture at some Miami Dolphin fans who were taunting him. Yesterday, the Jets fined Ryan $50,000. Ryan was attending the event, which was neither team nor NFL-sponsored, on his own time, but the team obviously felt that as head coach, Ryan is their representative even when he is "off duty" and that he must conduct himself accordingly.

In the real world, most employees are not celebrities that the general public will try to egg on until they do or say something stupid. Nevertheless, it is important for all of us to remember that the world is now filled with opportunists with camera phones and easy access to YouTube and other media outlets. Though we should not be expecting to see a rash of employers firing factory workers for flipping off a bunch of bar patrons after work, there are real world lessons to be learned from this episode. First, employees need to recognize when they are out in public that there is a significant risk that anything that they do or say that either embarrasses or otherwise reflects poorly on their employer ultimately may get back to the employer. On the other hand, employers should exercise restraint before taking disciplinary action against employees for their off duty conduct to make sure that the conduct truly does negatively impact the company's business or reputation.

U.S. Supreme Court to Weigh In On Workplace Electronic Monitoring

On Monday, December 14, 2009, the United States Supreme Court agreed to hear a case that will permit it to provide guidance to employers about their right to monitor their employees' electronic communications. Specifically, the Court has accepted for review the City of Ontario's appeal of the Ninth Circuit's decision in Quon v. Arch Wireless Operating Co. finding that a city police officer had a reasonable expectation of privacy in personal text messages that were sent from his city-issued pager.

Like most employers, the City of Ontario had a written electronics communications policy that expressly prohibited personal use of its computers and notified employees that they had no expectation of privacy with respect to any communications using the city's computer systems. The City's policy, however, did not make clear that this policy applied to its police officers' pagers or to text messaging. Instead, because the city's pager service contract with Arch Wireless charged the city additionally for each pager that exceeded 25,000 characters per month, the city informally permitted employees who exceeded their monthly character limit to simply pay the overage charge. Despite this informal practice, the city contacted Arch Wireless to determine whether the pagers were being used primarily for personal reasons and Arch Wireless provided transcripts to enable the city to do so. After receiving these transcripts, the city learned that many of Sergeant Quon's texts were personal and even sexually explicit in nature. Upon learning that their texts had been reviewed, Sergeant Quon and others sued the city and the police department under the Fourth Amendment for an illegal search and seizure and under the Stored Communications Act ("SCA"), and sued Arch Wireless for violating the SCA by turning the transcripts over to the city.

It is somewhat surprising that the Supreme Court accepted this case for further decision. Many initially were concerned when the Ninth Circuit's Quon decision was announced because it seemed contrary to the general trend permitting employers to monitor and review employees' emails on employer computers once they put employees on such notice. To me, Quon does not present a radical departure at all. First, the City's electronics communications policy did not explicitly address text messages. Then, the City complicated matters by permitting an informal practice to develop that strongly suggested to employees that their text messages would not be reviewed so long as they paid the overage charges from Arch Wireless. Simply put, by not updating its electronics communications policy and by permitting informal practices to develop, the City created a problem for itself that did not need to exist. As a result, the Supreme Court easily can decide Quon based on current judicial philosophy without breaking new ground.

 

Facebook Announces New Privacy Controls

Facebook has announced that it is implementing new privacy controls beginning today that will give its more than 350 million users more control over the privacy of what they post to their Facebook pages. As reported, Facebook will now give its users the ability to set up lists that, for instance, can place their "friends" into separate groups such as family, high school buddies, and work friends and to choose who to share content with each time they post something. As a result, people easily should be able to choose to share family photos with only family and close friends and other less wholesome postings with whomever they choose. Of course, Facebook also will give users the option of choosing to share a post with "Everyone."

From an employment standpoint, these privacy control changes could make it more difficult for those employers who like to use Facebook as a surveillance tool. For instance, the employee who requested bereavement leave while he actually was on a hunting trip should be able to choose to post comments or photos without sharing them with the boss or co-workers who happen to be Facebook "friends." On the other hand, someone who posts a comment that is disparaging of or detrimental to his employer will have a hard time arguing that the comment was not intended to be widely distributed if he chose to share it with "Everyone" when he posted it.

As with all things social media, only time will tell what impact these changes will have on what we post and what is available for us to see on Facebook.

Facebook Photos Prompt Termination of Long Term Disability Benefits

CBC News in Canada is reporting that a Canadian long-term disability insurance carrier recently terminated the long-term disability benefits a Quebec woman was receiving for "major depression" after photos she posted on her Facebook page showed her "having a good time at a Chippendales bar show, at her birthday party and on a sun holiday." According to the CBC, the woman, 29-year-old Nathalie Blanchard, contends that her doctor recommended that she try "to have fun, including nights out at her local bar with friends and short getaways to sun destinations, as a way to forget her problems." Nevertheless, Manulife, the insurance carrier, which acknowledges that it uses Facebook for investigation purposes, terminated her long-term disability benefits.

Though anecdotal news flashes like this one may embolden employers to use Facebook and other social media to investigate employee activity while they are on a medical leave of absence or workers' compensation leave, caution is still necessary. For instance, Manulife confirmed that it "would not deny or terminate a valid claim solely based on information published on websites such as Facebook." Presumably, Manulife forwarded Ms. Blanchard's Facebook photos and perhaps other evidence to a medical professional for an opinion as to whether the photos evidenced Ms. Blanchard's ability to return to work. Similarly, employers should resist the urge to make their own medical judgments as to an employee's ability to work when they obtain this kind of photographic or video evidence.

In addition, Ms. Blanchard apparently contends that she kept her Facebook photos private and does not understand how the insurance carrier obtained them. As I have preached before on this blog, employers should not circumvent an employee's Facebook privacy settings in order to investigate alleged misconduct. In this instance, a co-worker or other Facebook "friend" of Ms. Blanchard likely dropped the dime on her. When faced with this kind of evidence, employers and their insurance carriers would be wise to consider the motivations of the person providing the evidence and to conduct their own investigation. If employers avoid the temptation to immediately jump to conclusions, they will find that Facebook can be their "friend" when conducting investigations of workers' compensation or medical leave fraud.

GINA Interim Final Regulations: Highlights and the Potential Impact on Group Health Plans

On October 7, 2009, the DOL, IRS, and HHS issued interim final regulations implementing Sections 101 to 103 of the Genetic Information Nondiscrimination Act of 2008 (GINA). For group health plans, these regulations become effective on the first day of the plan year beginning on or after December 7, 2009. For the individual market, the regulations are effective December 7, 2009. The new regulations broaden GINA’s general prohibition on requesting or requiring an individual or their family member to undergo genetic testing. Of note is the new rule that health plans may not provide incentives to induce participants to fill out health risk assessments that ask for family medical history. Under the regulations’ expanded definition of "underwriting purposes", providing an incentive under these circumstances violates GINA’s prohibition against requesting genetic information for underwriting purposes. The regulations also clarify that sponsors and administrators may obtain and use the results of genetic tests to aid in payment determinations so long as they only request the minimum amount of information necessary to make the determination. In nearly all other cases, sponsors and administrators may not request or require that an individual or their family member undergo genetic testing.

To ensure compliance with these new regulations, sponsors and administrators must familiarize themselves with the new regulations and update their policies and procedures. They must also examine their health risk assessments and wellness programs to ensure they do not violate the new rules. A copy of Porter Wright's Employee Benefits Practice Group's Law Alert, which addresses some of the major changes included in the regulations, can be found here.

 

In addition, keep in mind that Title II of GINA, which prohibits employers from discriminating on the basis of genetic information, goes into effect on November 21, 2009. Generally, Title II prohibits employers from discharging, refusing to hire, or otherwise taking adverse employment action against applicants or employees based on their genetic information. It also prohibits employers from intentionally acquiring or disclosing genetic information about applicants and employees. Finally, Title II requires employers to maintain any genetic information in their possession separate from employee personnel files in accordance with the medical confidentiality provisions of the ADA.

 

 

Court Upholds Jury Verdict in Pietrylo v. Hillstone Restaurant Group

 

In a case that has been widely followed by employment lawyers in the hope of gaining some clarity as to employees' privacy rights on personal social media sites, the federal district court in New Jersey recently upheld the jury's verdict finding Hillstone Restaurant Group liable for violations of the Stored Communications Act and New Jersey's parallel electronic surveillance statute.

In Pietrylo v. Hillstone Restaurant Group, two employees created a MySpace page that they used to air their grievances against their employer in a password protected environment and invited other employees -- but not managers -- to join. At some point along the way, one of the managers learned of the site and its sometimes profane content when one of the invited employees showed him a posting from it. That manager told another and then the two of them twice requested the employee's log-in ID and password to the site. Eventually the employee gave them the information and the managers logged into the site a few times before firing the site's creators for damaging employee morale and for violating the restaurant's "core values."

The central issue at trial was whether the employee was coerced into giving the managers her log-in ID and password information to permit them to enter the site. The employee testified that she felt pressure to give the manager her password and that she felt she would have gotten into trouble had she not done so. There, of course, was no documentary evidence that she willingly authorized the managers to enter the site and, in any event, it would have been just as easy to claim that her signature on any documentation had been coerced. In light of the employee's testimony, the court found that the jury had reasonably concluded that the managers had not been authorized to enter the site and refused to toss out their verdict.

Breach Notification Under the HITECH Act: Action Points for Employers Who Sponsor Self-Insured Group Health Plans

As we previously have noted, the Department of Health and Human Services recently issued an interim final rule under the HITECH Act requiring HIPAA-covered entities to notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of a breach of unsecured protected health information.  Employers who sponsor self-insured group health plans need to take immediate action to ensure compliance with the new rule. Among other things, employers should be modifying written HIPAA privacy policies and procedures, training plan sponsor workforce members who are authorized to have access to protected health information, and modifying business associate agreements. A copy of Porter Wright's Employee Benefits Practice Group's Law Alert, which addresses the interim final rule from the perspective of the self-insured group health plan, can be found here.

Ohio State Highway Patrol Limits Troopers' Personal Social Network Use

Earlier this week, The Columbus Dispatch reported that the Ohio State Highway Patrol has enacted a policy that will prevent state troopers from "posting pictures of themselves or others in uniform and from using the patrol's 'flying wheel' insignia on social-networking sites without approval."  Ironically, the policy appears to have been prompted by a trooper who apparently posted "inappropriate" photos of herself with another trooper which the Dispatch described in a manner that suggests she was not wearing her uniform.   Nevertheless, the trooper apparently identified herself as a trooper on her MySpace page.  The Dispatch reports, however, that the trooper did not realize that the photos could be viewed by the public. 

As the article points out, the policy's requirement that any social networking references to the patrol be pre-screened to ensure that they do not cause a loss of public confidence in or respect for the agency may raise some First Amendment free speech issues.  The concern is understandable, however, in light of reports from CNN that the city of Philadelphia has been sued for alleged racial discrimination and harassment stemming from a social networking site operated by some of its police officers. 

 

Though private sector employers do not face the same First Amendment issues that public employers like the Highway Patrol do, the prospect of previewing employees' personal social networking sites for employer references is daunting in and of itself. Rather than prescreening, which is largely impractical, there are services that will permit businesses to monitor what is being said about them on social media. 

 

Regardless, it is important that employees understand that when they reference their employer on their various social networks sites, what they say will reflect not only on themselves but on their employer. 

 

A copy of the Dispatch article can be found here.

 

HHS Publishes HITECH Interim Final Rule

On August 24, 2009, the U.S. Department of Health and Human Services ("HHS") published its interim final rule in the Federal Register, thereby implementing the HITECH Act. The Act's breach notification rules will become effective on September 23, 2009 -- fewer than 30 days away. 

Therefore, as the Act relates to employer-sponsored group health plans and health care providers, any breaches of protected health information (PHI) that occur on or after September 23rd must be reported to the affected individuals and, when the breach impacts 500 or more individuals, to HHS and the media. Covered entities must make annual reports of breaches of PHI impacting fewer than 500 individuals. Beginning on September 23rd, business associates also will be required to notify the group health plan or health care provider for which they are providing services of any breaches occurring at or caused by the business associate.

Porter Wright has issued two Client Alerts on the HITECH Act, one at the time the statute was enacted and one earlier this week when the interim final rule was published. Those Alerts, which more fully discuss the impact of the HITECH Act, can be found here and here.

Updated Guidance for Businesses and Employers for the Fall Flu Season

Concerns about H1N1 Influenza are beginning to creep back into everyone's consciousness as summer is drawing to a close. The U.S. Department of Health and Human Services has issued updated guidance for businesses and employers, which can be found at:

CDC Guidance for Businesses, Employers, and Workplaces to Plan and Respond to 2009 H1N1 Influenza

Preparing for the Flu: A Communication Toolkit for Businesses and Employers

Employers should be ready to implement strategies to protect their workforces while ensuring continuity of operations. Most of the recommendations boil down to simple common sense:

 

  1. Encourage workers who are sick to stay home (or go home if they've reported to work);
  2. Encourage good hygiene in the workplace;
  3. Prepare for increased numbers of employee absences due to illness in employees and their family members, and plan ways for essential business functions to continue;
  4. Prepare for the possibility of school and daycare dismissal and closure; and
  5. Encourage workers to get vaccinated.

 

 

 

California Supreme Court Finds "No Harm No Foul" Resulting From Office Video Surveillance

Concerned that someone had been using a computer in the plaintiffs’ office to access pornography after work hours, a California employer set up a hidden surveillance camera in an effort to catch the perpetrator. The camera was never used during business hours while the plaintiffs were in their office and, as a result, their activities were not viewed or recorded via the surveillance system. Nevertheless, after discovering the hidden camera, the plaintiffs -- two female clerical workers -- filed suit, alleging among other things an invasion of their privacy. 

The California Supreme Court in Hernandez v. Hillsides Children Center concluded that the trial court improperly failed to grant the employer's summary judgment motion. In reaching this conclusion, the court held that the surveillance was done in a manner that was "drastically limited in nature and scope" to avoid any surveillance of the plaintiffs themselves and that the employer, a private nonprofit residential facility for neglected and abused children, including the victims of sexual abuse, had strong countervailing concerns for the safety of children under its responsibility that justified the employer's actions.

 

DOT Direct Observation Requirements Go Into Effect on August 31st

On July 30, 2009, the Department of Transportation issued a final rule reinstating the direct observation drug testing procedures recently approved by the U.S. Court of Appeals for the District of Columbia. The final rule, which goes into effect on August 31, 2009, requires that all return-to-duty and follow-up tests be conducted in a manner that permits the direct observation of specimen collection to prevent the use of prosthetic or other cheating devices.

D.C. Circuit Overturns Portion of NLRB Register-Guard Decision

Back in December 2007, we wrote about the NLRB's decision in The Guard Publishing Company, d/b/a The Register-Guard, 351 NLRB No. 70, which held that employees do not have a protected right to use employer email systems for solicitations or communications regarding union-related topics. In addition, the Board applied a new standard for determining when employers discriminatorily enforce email policies and, thus, violate Section 8(a)(3) of the NLRA. Specifically, as to the 8(a)(3) standard, the Board held that, in determining whether a policy had been discriminatorily enforced against the union, it looked to whether there had been "unequal treatment of equals."  Then, the Board upheld Register-Guard's enforcement of its email policy against an employee who was soliciting support for the union because there was no evidence that the company had permitted solicitation on behalf of other non-union groups (even though it had permitted various other personal uses of the email system, including personal solicitations for sports tickets and the like.) 

On July 7, 2009, however, the Court of Appeals for the D.C. Circuit refused to uphold the Board's conclusion as to whether the employer discriminatorily enforced its email policy but did not explicitly overrule the standard announced by the Board in December. (On appeal, the union did not challenge the lawfulness of the email policy itself.) In short, the court held that the company's discipline of an employee for using the email system to solicit employees to wear green in support of the union and to seek volunteers to help with the union's entry in a city parade violated 8(a)(3). Calling the distinction between organizational and personal solicitation a "post-hoc invention" that did not actually exist in the company's email policy, the court found that the company policy prohibiting non-work-related solicitations "made no distinction between solicitations for groups and for individuals." Equally significant, the court noted that the company’s disciplinary warning did not invoke the organization-versus-individual line drawn by the Board. To the contrary, the company told the employee in question to “refrain from using the Company’s systems for union/personal business.”

Because it is so fact-specific, the court's decision should not cause employers much concern. In fact, the email policy at issue, which prohibited use of the company's communications systems “to solicit or proselytize for commercial ventures, religious or political causes, outside organizations, or other non-job-related solicitations,” would seem to be equally applicable to personal solicitations of a non-work nature as it is to organizational solicitations. The good news here is that the court's decision does not disturb the underlying premise that employers may prohibit union access to their email systems so long as they do so in a nondiscriminatory manner.

New Jersey Case Further Muddies Water On Personal Email Access and Privilege Issues

May an employer access an employee's emails sent using a company-issued laptop via a personal, password-protected, web-based email account? And, if those emails were sent to the employee's attorney for the purpose of obtaining legal advice, does the employee's use of the company laptop waive the attorney-client privilege? Those questions recently were addressed by a New Jersey appellate court in Stengart v. Loving Care Agency, Inc.

The plaintiff in Stengart sent the emails to her attorney regarding her intent to sue her employer for discrimination. After the lawsuit was filed, the company created a forensic image of the laptop's hard drive and discovered the emails. When plaintiff's counsel first learned that these emails were in the possession of the company's counsel, plaintiff's counsel requested that the original emails and all copies be turned over based on the attorney-client privilege, but the company's counsel refused.

 

My Summer Camp Adventure

It's hard to believe that fewer than 10 years ago, there was widespread concern that our computers were all going to blow up and there would be anarchy in the streets. Since the clock struck midnight on January 1, 2000, we have seen an unprecedented technology boom that has had a widespread impact on the workplace. Remember the anxiety caused by cameras on our cell phones due to their impact on protecting trade secrets and our privacy in the locker rooms? Since then, we have grown comfortable with workers using laptops offsite though we still need to concentrate better on keeping track of them and what is on them!

Now, the social media craze -- Facebook, Linked-In, Twitter, etc. -- seems to be causing employers the most recent concern. As editor of employerlawreport.com, I have come to achieve a certain comfort level with social media, but I think that what primarily is keeping many employers up at night is fear of the unknown. That is why I'm going to summer camp! Starting this past Tuesday and running through the second Tuesday in August, I will be attending Social Media Summer Camp, a Columbus Business First initiative. The first session, "Social Media 101," provided a nice overview of everything that is out there and how businesses have been and could be using social media to market their services and products. The attractiveness of social media from a marketing perspective is often easy to see and hopefully we will be able to use some of what we learn at camp to improve our blog and to otherwise better communicate with our clients and friends.

In addition, I'm keeping my employment lawyer hat on to identify potential issues for employers that are encouraging their employees to "friend" others or to "tweet" or are attempting to regulate how and when they do it. This past Tuesday's session left me with one particular impression: Whether or not companies choose to use social media to foster their business, they would be wise to monitor the various social media outlets to make sure that others, including disgruntled and former employees, are not messing with their messages or creating unwanted ones.

So that's why I'm going to summer camp. I'm taking my laptop with me, but fortunately for all involved, I'm leaving my bathing suit at home.

D.C. Circuit Upholds "Direct Observation" Requirements for USDOT Return to Duty and Follow Up Testing

In a decision released May 15, 2009, the U.S. Court of Appeals for the District of Columbia upheld a Department of Transportation (DOT) regulation that requires employees who are returning to safety-sensitive duties after having completed a drug treatment program due to failing or refusing to take a drug test, to submit to return to duty and follow up testing under "direct observation" conditions. This decision and the regulation it upholds apply to employers in the aviation, rail, motor carrier, mass transit, maritime and pipeline industries that are subject to the DOT drug-testing regime. Under the regulation’s "direct observation" procedures, the employer must require a same-gender observer to “watch the urine go from the employee’s body into the collection container.” To comply, employees must raise their shirts above the waist and lower their clothing so as to expose their genitals and allow the observers to verify the absence of any devices that would permit the employee to cheat the test.

Previously, the employer had the option to require direct observation, but this was not mandatory under the former regulation. Concerned that employers were reticent to require direct observation and in light of the rise in commercially available devices, such as the "Whizzinator," that enable people to cheat on their drug tests, the DOT promulgated this new regulation requiring direct observation for all return to work and follow up tests conducted under the DOT's auspices as of November 1, 2008.

Employers Court Danger When Using Technology to Investigate Employee Misconduct or Gather Evidence Without Prior Legal Advice

Perhaps it's the economy. Perhaps it's the lure of trying to catch someone in the act. Perhaps it's something else entirely, but we’re starting to see more instances of employers getting themselves in trouble because they’re monitoring employee use of employer technological resources to investigate possible employee misconduct without first seeking legal advice. Two fairly recent examples: Hay v. Burns Cascade Co., Inc. out of the Northern District of New York and Van Alstyne v. Electronic Scriptorium, Ltd. out of the Fourth Circuit.

In Hay, the employer, concerned that the plaintiff, one of its customer service employees, was bad-mouthing it to customers, began monitoring her telephone calls. While listening to one telephone call, the president of the company determined that the conversation was between plaintiff and a male customer and overheard her saying that she "can't believe these guys are managers" and that she had "lost all respect" for the company's CEO. The president testified that he knew it was a customer because it was during work hours, and “there was nothing to indicate that it was anything other than a business call.” The president did not ascertain, however, which company the customer was affiliated with or whether the company was an existing or prospective customer. According to the court's decision, the president listened to the conversation for 30-40 seconds before he stopped monitoring. Based apparently on this one telephone call, the company decided to terminate the plaintiff's employment due to "poor performance."

Supreme Court Restricts Use of Identity Theft Statute to Combat Undocumented Workers

Resolving a split among the circuit courts, the U.S. Supreme Court yesterday in Flores-Figueroa v. United States significantly limited a tactic used by U.S. Immigration and Customs Enforcement (ICE) to address the issue of undocumented workers.

In particular, ICE has used the Identity Theft Penalty Enhancement Act as a way to pressure undocumented workers.  That Act created the crime of “aggravated identity theft,” which occurs when a person “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person” in connection with the commission of certain enumerated felonies, including immigration violations. Because violation of the Act carries a mandatory two-year jail sentence, ICE had been using the threat of prosecution for aggravated identity theft to convince undocumented workers to plead guilty to other lesser immigration offenses such as the misuse of social security numbers. 
 

Under the Court’s decision, however, the Act requires the Government to prove that the defendant-worker knew that the means of identification at issue actually belonged to another person, not merely that the worker knew that the means of identification used to obtain employment were fraudulent. This holding makes the threat of prosecution under the Act much less realistic because ICE will have to prove that the individual using the false identification information also knew that the information belonged to a specific individual – as opposed to information relating to an entirely fictitious identity.
 

CTPAT Program Includes Employee Security Provisions to Consider

More and more federal non-employment statutes, regulations and programs are coming with strings attached for human resources professionals to grapple with. For instance, who would have expected that the federal plan for rescuing troubled financial institutions would have anything to do with immigration, that the federal stimulus statute would include whistleblower provisions and changes to COBRA benefits laws, or that consumer protection laws would contain whistleblower provisions? Now comes the Customs and Border Protection's (CBP's) Customs Trade Partnership Against Terrorism (CTPAT) program, which grew out of September 11 to help improve supply-chain security, and its employment-related provisions. CTPAT is a voluntary partnership program between the private sector and CBP to secure the supply chain for products entering commerce in the United States. Many view CTPAT certification as the equivalent of an ISO certification, and it can be a significant marketing tool. Companies that want to obtain CTPAT certification, in addition to implementing various security measures, must meet certain minimum criteria for personnel security including background checks, reference checks, exit interviews, procedures for providing employee ID, keys and fobs etc. If you are a human resources professional in the transportation and logistics industry, you should check with the business or operations side of your organization to find out whether your company is planning to participate in the CTPAT program so that you can get a jump on aligning your employee security procedures with the program's requirements.

Data Breach Case Highlights Importance of Vendor Management

The Ruiz v. Gap, Inc. et al. decision, rendered earlier this week by a federal court in California, is another in a long series of cases that dismisses lawsuits brought by data-breach victims when those victims cannot establish that they were actual identity theft victims with actual damages. In this case, the plaintiff was an applicant for employment at The Gap whose personal information was compromised when two laptops belonging to Vantage, Inc, the company that processed job applications for The Gap, were stolen.

Going along with the vast majority of courts to date, the Ruiz court held that, although the plaintiff faced an increased risk of future identity theft, that risk did not rise to the level of appreciable harm necessary to assert a negligence claim. In addition, the court held that the lack of proof of actual damages was fatal to the plaintiff's claim that he was a third party beneficiary to the agreement between The Gap and Vantage.

 


Bill Prohibiting Use of Employment Checks On Credit History Introduced In Ohio Senate

Ohio State Senator Ray Miller (D), 15th District, has introduced Senate Bill 91, which would prohibit discrimination by an employer against any person because of that person's credit history. In short, the bill would amend Ohio's discrimination laws to include the use of "a person's credit rating or score or consumer credit history as a factor in making decisions regarding that person's employment, including hiring, tenure, terms, conditions, or privileges of employment, or any matter directly or indirectly related to employment."

Though the bill may be well intended, it creates in its current form bad policy for the State of Ohio. There certainly are many jobs out there where an individual's creditworthiness should have no impact on their ability to successfully perform the functions of their job. On the other hand, certain jobs, such as those that require handling or accounting for the employer's or the public's money, do appear to require at least some consideration of the individual's ability to manage money. The individual's own personal credit history may be an appropriate indicator of the person's ability to do those kinds of jobs. The EEOC, which enforces Title VII and other federal discrimination laws, as well as the federal courts, have recognized that employer credit checks can have an unlawful disparate impact against racial and ethnic minorities, but they permit employers to defend the practice by establishing that the individual's creditworthiness is job related for the position in question and consistent with business necessity. S.B. 91, however, contains no similar exception based on job-relatedness and instead absolutely prohibits employment decisions based on an individual's credit information. As a result, S.B. 91, in its current form, is another unnecessary and unrestrained limitation on Ohio businesses' ability to manage their workforce and to compete in our currently dismal economy.

Google Latitude Launch Creates Potential Employee Privacy Issues

On Wednesday, February 4, 2009, Google launched a new feature called Latitude. Latitude apparently will enable users of smartphones, including most Blackberries, most phones using Microsoft Windows Mobile and, eventually, iPhones, to transmit their locations to another smartphone or desktop computer.

Much like most social networking conventions, Latitude operates on an opt-in basis, which enables smartphone users to share their locations with only certain chosen recipients. Teenagers will undoubtedly find this application "cool" as will the parents of many of those teenagers who may use Latitude to keep tabs on their kids. In addition, many smaller businesses may use the feature to efficiently dispatch delivery and repair crews.

And therein lies the potential privacy problem. Although Latitude is designed to be used only by those who choose to do so, some employers may seek to require their workers to use Latitude so that work activities can be monitored and directed. Requiring employees to put Latitude on their personal cell phones is rife with potential invasions of privacy during nonworking hours. Therefore, employers that choose to use Latitude should plan on issuing company phones to monitored employees and should obtain written employee acknowledgment of and consent to the use of this technology. Furthermore, although Latitude requires an affirmative opt-in, smartphone users must disable the service when they do not wish to be monitored, such as when employees are off the clock. As a result, employers will need to create policies to ensure that appropriate worker privacy is maintained during non-work hours.

Employers should also understand the limitations of location-monitoring services. For instance, Latitude's accuracy is dependent on multiple factors such as whether Google is able to rely on smartphone GPS capabilities or whether Google must rely on cell phone tower triangulation to place the user. Employers must also understand that Latitude and other location-monitoring technologies are capable only of identifying a person's location, not what that person is doing. Therefore, employers should be careful not to rush to judgment based on the results of location monitoring.

The Disgruntled Employee Strikes Again?

Many thanks to our associate Justin Root for referring this article which again highlights the risks to a company's computer system posed by disgruntled employees. (Previously, we reported on the vulnerability from disgruntled employees of personal information contained in human resources records.)

Last week, a contractor at Fannie Mae was indicted under the Computer Fraud and Abuse Act for burying malicious code in an otherwise legitimate computer script after having been fired earlier in the day. Unfortunately, according to the FBI's affidavit in support of the indictment, Fannie Mae did not require the contractor to turn in his badge or his laptop or terminate his network access until more than two hours after his termination. The FBI's affidavit goes on to allege that "had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week."

While employers certainly want to treat terminated employees with dignity on their way out the door, this incident underscores the need, once the termination decision has been made and communicated, to immediately take all necessary action to eliminate any computer, systems or premises access that might give the terminated employee the ability to cause widespread damage before he or she is gone.

Address Discrepancy Rules Potentially Enlist Employers In Identity Theft Battle

Back in October, the FTC announced with great fanfare a delay until May 1, 2009 for enforcing the FACTA Red Flag rules. Those rules require financial institutions and creditors to establish written programs for identifying, detecting, and responding to patterns, practices, or specific activities that are warning signs of identity theft. In contrast, the infrequently discussed Address Discrepancy rules that were issued at the same time as the Red Flag rules quietly went into effect as originally scheduled on November 1, 2008. The Address Discrepancy rules, found at 16 C.F.R. §681.1, apply not only to financial institutions and creditors but, potentially, to all employers that use consumer reporting agencies to conduct background checks on applicants and employees.


HR Files Vulnerable to Misuse by Insiders

On December 1, 2008, we blogged about the risks of insiders improperly accessing personal data belonging to customers and the general public. Last Thursday's Washington Post highlighted the vulnerability of human resources files to misuse by insiders. The Post reported that a human resources worker at the Library of Congress was charged with, and likely entered into a plea arrangement regarding, conspiracy to commit wire fraud. The worker allegedly accessed a Library of Congress database and obtained personal information, including Social Security numbers, of at least 10 Library employees. The information was then passed on to a third person who opened retail charge accounts in the names of the victims. In a separate matter, the Post also reported the sentencing of a former D.C. public schools employee for stealing the identities of 65 job applicants and co-workers to make retail purchases. According to the article, prosecutors stated that the employee's job gave her access to documents containing the names, birthdates and Social Security numbers of employees and job applicants.

These types of incidents are not isolated events. What are you doing to protect the personal information belonging to your applicants and employees?

Employees In the Headlines for Violating Privacy of both President-Elect Obama and "Joe the Plumber"

This past week's national and local news have both included accounts of employees being disciplined for allowing their curiosity to get the best of them. According to CNN.com, Verizon Wireless has fired an undisclosed number of its employees for accessing cell phone records of President-Elect Obama without authorization. In addition, on November 22nd, the Columbus Dispatch reported that four senior managers at the Ohio Department of Job and Family Services have been disciplined for improperly mining state computers for confidential information on "Joe the Plumber." Previously, Governor Strickland had suspended the OJFS director for her role in the incident.

These incidents demonstrate the privacy and confidentiality risks posed by a company’s own employees. Coincidentally, this week Cisco Systems, Inc. released the third in a series of white papers arising out of its global study of data leakage. Cisco's findings suggest that data losses caused by employee behavior -- whether malicious or inadvertent -- have the potential to cause greater financial losses than attacks that originate outside the company. Employee behaviors not only put customer (e.g. Obama) and general public ("Joe the Plumber") data at risk but also corporate trade secret information. The Cisco data suggests that, although it remains important to plug any holes in computer systems to protect against outside intrusions, employers should be spending more time addressing employee behaviors that are putting data at risk. For those who are interested, the Cisco papers can be found at http://cisco.com/en/US/netsol/ns895/index.html.

Union's "Tagging" Tactics Violate Employee Privacy Rights

Starting in 2002, in an effort to organize employees at a Cintas Corporation facility in Pennsylvania, UNITE union organizers began recording the license plate numbers of vehicles located in the Cintas parking lot.  The organizers then accessed, either directly or through information brokers, state motor vehicle records to identify the employees’ names and home addresses. Ultimately, through this process, which is known as “tagging”, the union obtained the addresses for approximately 2000 workers (or their relatives or friends) and began visiting their homes with an eye toward convincing them to sign authorization cards. 

Unhappy with these tactics, several employees (together with family and friends whose cars also had been “tagged”) filed a class action lawsuit against UNITE under the federal Driver’s Privacy Protection Act. That Act provides that a “person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action. . . .”

The federal district court found UNITE liable under the DPPA back in 2005, awarded most of the named plaintiffs the statutory $2,500 in damages but deferred consideration of classwide relief.   Finding that the union’s organizing efforts did not constitute a “permissible use” under the DPPA, the Third Circuit, on September 10, 2008, upheld the finding of liability in a decision that can be read here. In addition, the court remanded the case back to the district court to consider whether any of the plaintiffs were entitled to multiple damage awards for multiple DPPA violations and to determine whether to hold a jury trial on punitive damages. 

Sixth Circuit Applies Balancing Test In Retaliation Case Involving an Employee's Disclosure of Confidential Documents

A recent Sixth Circuit decision addressed the issue of whether the disclosure of confidential, proprietary documents by an employee to her attorneys constitutes a protected activity for which the employee cannot be terminated or otherwise disciplined. In 2000, numerous individuals filed a class action against the Cincinnati Insurance Company (CIC), alleging that CIC had discriminated against women in violation of the Equal Pay Act (EPA). Kathy Niswander, a claims manager at CIC, was one of the plaintiffs in the class action. 

In order to respond to CIC’s discovery requests, the plaintiffs’ attorneys asked each of the plaintiffs, including Ms. Niswander, to send them any documents in their possession that related to the case or that might support their discrimination claims. In response, Ms. Niswander sent the attorneys any documents she had that could potentially be relevant, but she also submitted confidential claim-file documents that did not contain any information relevant to the alleged discrimination.


FTC Levies $50,000 Penalty Against Company That Fails to Dispose Properly of Credit Report Information

Does your company have a policy for disposing of human resources records that contain employee social security numbers and other personal information? A recent Fair Trade Commission (FTC) enforcement action may make such policies a priority for companies in 2008. 

The FTC just agreed to a settlement with American United Mortgage Company of Northbrook, Illinois.  The FTC accused American United of violating the FTC’s Disposal Rule (http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf), which requires companies to dispose of credit reports and credit report information in a safe and appropriate manner. According to the FTC’s Complaint, American United repeatedly disposed of intact consumer credit reports, which contained consumers’ personal information, in an unsecured dumpster near its office. The settlement, which was announced by the FTC on December 18, 2007, requires, among other things, that American Mortgage pay a $50,000 civil penalty for violations of the Disposal Rule and obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the settlement order.
