Workplace Privacy Issues Archives

October 28, 2011

Will New York Join the Wave of States Passing Laws Restricting Employers' Use of Applicant and Employee Credit History?

Since October 26, 1970, the federal Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. ("FCRA"), has imposed restrictions and disclosure requirements on employers who seek to procure and use applicant and employee credit history and other information obtained from third-party background checks.  In reaction to the recent economic downturn, a number of states have imposed further restrictions and prohibitions on employer use of applicant and employee credit history in the employment context.  Proponents of these new restrictions argue that in the current economic climate, in which jobs have been lost and investments have tanked, many currently unemployed but otherwise qualified applicants now have low credit scores through no fault of their own.  These applicants - particularly those who have lost their jobs as a result of the economy - should not, according to proponents of the new restrictions, be further penalized by having a poor credit rating impact their chances of obtaining employment. 

Most recently, on October 10, 2011, California passed Assembly Bill No. 22 ("Bill 22"), amending California's Consumer Credit Reporting Agencies Act ("CCRAA").  Bill 22 outright bans California employers, with the exception of certain financial institutions, from requesting a consumer credit report for employment purposes beginning on January 1, 2012, unless one of eight narrow exceptions applies.  And, even if one of the exceptions does apply, Bill 22 imposes additional disclosure requirements on the use of consumer credit reports above-and-beyond those already imposed by the FCRA.  Several other states have passed similar laws, including Connecticut, Hawaii, Illinois, Maryland, Oregon, and Washington.  

In line with this recent trend, three bills have been introduced in New York that would impact New York employers' ability to request and rely on applicant and employee credit history in making employment decisions. 

·        Assembly Bill 4052, introduced on February 1, 2011, would prohibit the use of a job applicant's or employee's personal credit history background check in the hiring or promotion process, unless such information directly relates to the position sought, and even then, the information obtained cannot be a determining factor in the decision-making process.  If an employee or applicant consents to a credit history background check, he or she must sign a consent form that explicitly states the specific purpose, use and limitations on the use of the credit history background information as it pertains to the position sought.  There have been no votes on this bill, but it has been referred to the committee on governmental operations.

·        Assembly Bill 6672 (Senate Bill 1519), introduced on March 24, 2011, would prohibit or severely limit the ability of an employer to use a consumer credit report in making any decisions relating to hiring, promotions, discipline or terminations.  An employer may request and use a consumer credit report only in two limited situations: (1) if the information is substantially related to the position, for instance if the position involves access to money, assets or confidential information; or (2) if the information is for a managerial position, a position in the office of court administration, a position with a law enforcement agency, or a position for which the information contained in such report is required to be disclosed or obtained by the employer.  Before an employer may request or use a consumer credit report, the employee or prospective employee shall be given and sign an authorization of consent form that explicitly states the specific purpose, use and limitations of use of such report as it pertains to the position sought.  There have been no votes on this bill, but it has been referred to the committee on consumer affairs and protection.

·        Assembly Bill 8070 (Senate Bill 4905), introduced on May 27, 2011, known as the Credit Privacy in Employment Act, would prevent an employer from requesting or using information in the credit history of a job applicant or employee in connection with or as a criterion for employment decisions related to hiring, termination, promotion, demotion, discipline, compensation, or the terms, conditions or privileges of employment.  An employer may use such information if required by state or federal law to use such credit history.  If an employer requests a credit history for positions in which such information can be collected, the employee or applicant must sign an authorization of consent form authorizing such use.  As with the other three bills, there have been no votes on it to date, but it has been referred to the committee on consumer affairs and protection.

Despite recent initiatives to restrict employer use of applicant and employee credit history - or perhaps because of them - on July 20, 2011, Governor Cuomo signed into law Assembly Bill 8159 (originally Senate Bill 3987) ("Bill 8159").  This new law amends the New York Education Law to permit background checks, including criminal background and credit checks, of employees and prospective employees of the Higher Education Services Corporation ("HESC").  HESC is the State's student financial aid agency that manages more than 18 grant, scholarship and loan programs, and offers guidance to students, families and counselors.  Although at first blush it may appear that this law runs against the tide of recent legislative initiatives on employee background checks, Bill 8159 actually encompasses the type of exception seen in the recent legislation.  For example, California's Bill 22 contains an exception allowing the collection of consumer credit report information when the information contained in the report is required by law to be disclosed or obtained.  Even the proposed legislation in New York contains exceptions allowing the use of credit information when that information has a direct relationship to the position sought or is required by law. 

In the end, employers in New York and elsewhere should continue to monitor developments in this area to ensure that their practices are in line with the expanding patchwork of state laws on the issue.

This post was authored by Matt Lampe, Joseph Bernasky, and Emilie Hendee of Jones Day.  The views and opinions expressed herein are those of the authors and do not necessarily reflect the views of Jones Day or the New York State Bar Association.



Enhanced by Zemanta

January 3, 2012

Severing the Connection: Who Owns That LinkedIn Account?

An interesting decision from the Eastern District of Pennsylvania is worth noting in this Blog. While its focus is on Pennsylvania common law, the case addresses the novel issue of LinkedIn account ownership, an issue that is likely to arise in multiple jurisdictions throughout the country, including New York.

The case is Eagle v. Morgan, et al., Civil Action No. 11-4303 (E.D.Pa. December 22, 2011), and the general facts will be familiar to anyone with a passing interest in the legal posturing that occurs when a valued employee, particularly a former owner, leaves a long-time employer. Plaintiff Linda Eagle ("Eagle") founded and operated a financial services and training company for over twenty years. She and her partners sold the company, Edcomm, Inc., in October 2010, but remained on as employees until June 2011, when they were fired by the new owner, Sawabah Information Services Company. A lawsuit by the company against Eagle, for securities fraud and other claims relating to the sale of the business, followed a week later, but will not be addressed in this post.

The facts get more interesting when modern technology and new methods of doing business are introduced, in the form of a LinkedIn account. While she owned Edcomm, and later as its employee, Eagle had established a LinkedIn account, which she maintained with the help of her administrative assistant. When Eagle attempted to access her LinkedIn account later that day, access was denied (another founder who was also terminated had the foresight to change his password before the termination meeting). Edcomm had accessed the account with Eagle's password, changed the password and then changed Eagle's account profile to display the name and photo of one of the new owners of Edcomm. Thus, individuals searching for Eagle were routed to a LinkedIn page featuring the name and photo of the Defendant, Morgan, but which included Eagle's resume and CV, her honors and awards, and her connections. Several weeks later, however, Eagle was able to regain control of the account, though the decision does not explain how she did so.

Before regaining control of the account, Eagle brought an action against Edcomm and numerous individual defendants for alleged violations of federal statutes (the Computer Fraud and Abuse Act and the Lanham Act), and various common law torts. Edcomm responded with several counterclaims, including several directed at Eagle's alleged misappropriation of the LinkedIn account in her own name. Many of the claims related to a company-issued cell phone and cell phone number, and will not be addressed in this post, other than to note that most of these claims were dismissed. The more interesting allegations raised by the company relate to the LinkedIn account.

The counterclaim Complaint alleged that while Eagle managed Edcomm the company had required employees to create LinkedIn accounts utilizing their Edcomm email address, utilize a specific template created by the company, with specifically approved language regarding Edcomm's business, the employee's work history and professional activities, photos taken by a company-hired photographer, links to Edcomm's web-site, and a template for replying to inquiries from LinkedIn users. The counterclaim Complaint further alleged that several Edcomm employees were responsible for monitoring the LinkedIn accounts, correcting violations of company policy, and who maintained several accounts on behalf of Edcomm employees. All departing employees were required to return Edcomm-related connections and content from their LinkedIn account.

According to the Court, these factual allegations were sufficient to state a cause of action for Misappropriation of Ideas against Eagle, as well as Unfair Competition. The Misappropriation claim survived because Edcomm sufficiently alleged it had made a substantial investment of time, effort and money into developing Eagle's LinkedIn account, meaning that it was wrong or tortious for Eagle to then access and take the account away from the company after her termination. The tort of Misappropriation of Ideas also requires that the idea be "novel," but the Court did not address how a LinkedIn account could be considered "novel."

The Court rejected, however, the claim that Eagle's retention of the LinkedIn account constituted misappropriation of a "trade secret," because the account information on the LinkedIn account was generally known in the wider business community, or capable of being derived from public information.

Edcomm's unfair competition claim also survived the dismissal motion. Under the Restatement (Third) of Unfair Competition, an unfair competition claim can be made where "the means of competition are otherwise tortious with respect to the injured party." While the Court cautioned that this liberal standard should not act as a "catch-all" for any form of wrongful business conduct, Edcomm's unfair competition claim was viable at the pleading stage because Eagle may have unlawfully misappropriated the LinkedIn account.

Thus, it seems that under the right circumstances, a LinkedIn account may not actually belong to the individual whose name appears on the account's home page, and whose professional history and accomplishments are detailed in the account's profile. This is an interesting development, but one that may not withstand further scrutiny, given the Court's acceptance, without much discussion, of the notion that a LinkedIn account is a "novel" idea worthy of protection. The viability of this decision may also be impacted by the LinkedIn user agreement, which states that the "user" is the owner of the account. The Court did not address this fact in its decision, and in this case, if the company's allegations prove to be true, the company may well be deemed to be the account "user."

As it currently stands, the decision may impact how employers do business. In the typical non-compete case, especially in the sales arena, the legal battle often focuses on the former employee's "contacts." This decision may embolden employers to take a more active role in the initiation, development and/or maintenance of LinkedIn accounts by and for their employees, in order to prevent employees from keeping those contacts that are stored on LinkedIn, and strengthen post-departure claims of misappropriation and unfair competition.

January 12, 2012

Spotlight On Legal Complexities Of Telecommuting After Second Circuits Calls It Potential Reasonable Accommodation

            The Second Circuit Court of Appeals recently ruled that telecommuting is a potential reasonable accommodation under the Americans with Disabilities Act ("ADA") and the Rehabilitation Act.  Although new technologies have made telecommuting more commonplace, not all employers have embraced the work-from-home concept.  The Second Circuit's recent opinion, as well as recently proposed and enacted telework legislation, highlight that employers cannot ignore telecommuting, and should consider the myriad legal issues that telecommuting presents, including wage-and-hour liability, privacy and data protection concerns, workplace safety, and other obligations. 


The Second Circuit's Opinion on Telecommuting as a Reasonable Accommodation


            In Nixon-Tinkelman v. N.Y. City Dep't of Health & Mental Hygiene, No. 10-3317-cv, 2011 WL 3489001 (2d Cir. Aug. 10, 2011), the plaintiff suffered from several physical ailments including cancer, heart problems, hearing impairment, and asthma.  The plaintiff had worked at the New York City Department of Health and Mental Hygiene ("DOHMH" or the "Department") since 1984 and had worked out of DOHMH's Queens office for 21 years as a Regional Director.  In January 2006, she was transferred to the Department's Manhattan location.  The transfer resulted in a longer and more difficult commute for Ms. Nixon-Tinkelman.  As a result, she requested, as an accommodation for her disability, to be reassigned to a "work location closer to home in order to reduce the stress and anxiety associated with the hour and a half commute each way every day."  Representatives from the Department met with Ms. Nixon-Tinkelman to discuss possible alternative assignments.  DOHMH concluded that one of the assignments in which Plaintiff expressed an interest was "inappropriate" because the job required extensive travel and therefore would not resolve Ms. Nixon-Tinkelman's commuting issue.  DOHMH further concluded that Ms. Nixon-Tinkelman's suggestion of a transfer to the Department's Pest Control Office in Queens was not a "viable" option.  Because the Department believed that there was no suitable reassignment that could be made within the organization to accommodate Ms. Nixon-Tinkelman, they denied her request.  Ms. Nixon-Tinkelman filed suit under the ADA and sections 501 and 504 of the Rehabilitation Act, alleging that the Department failed to make a reasonable accommodation.


            Under the ADA and Rehabilitation Act, an employer has an affirmative duty to provide a reasonable accommodation when it is aware that an employee has a qualifying disability that prevents the employee from performing essential job functions, so long as the accommodation does not unduly burden the employer.  Granting summary judgment for the defendant, the Southern District of New York ruled that commuting was beyond the scope of the plaintiff's job, and "not within the province of an employer's obligations under the ADA and the Rehabilitation Act."  The Second Circuit reversed, relying on two prior cases in which the Second Circuit ruled that an employer might have an obligation to assist with an employer's commute:  Lyons v. Legal Aid Soc'y, 68 F.3d 1512 (2d Cir. 1995); and DeRosa v. Natl's Envelope Corp, 595 F.3d 99 (2d Cir. 2010). 


            In Lyons, the Second Circuit reversed the dismissal of an ADA claim alleging that Plaintiff's employer failed to accommodate her request for a parking space near her office.  The district court dismissed the case on the ground that the accommodation requested by Lyons was unreasonable as a matter of law; however, on appeal, the Second Circuit ruled that the complaint stated a claim on which relief could be granted, holding that "there is nothing inherently unreasonable . . . in requiring an employer to furnish an otherwise qualified disabled employee with assistance related to her ability to get to work."  In DeRosa, the Second Circuit suggested that permitting a disabled employee to work from home was a reasonable accommodation.  The DeRosa court vacated an award of summary judgment for the employer, in which the district court ruled that the plaintiff was judicially estopped from bringing an ADA claim.  In so doing, the Second Circuit did not question the reasonable accommodation--working from home--that the Plaintiff sought.  The Nixon-Tinkelman court's reliance on DeRosa implies that the Second Circuit interprets the decision as standing for the proposition that working from home can be a reasonable accommodation.


            In Nixon-Tinkelman, the Court of Appeals explained that the determination of whether an accommodation is "reasonable" must be made on a case-by-case basis and remanded the case back to the trial court to conduct the required "fact-specific inquiry."  The Second Circuit made clear that employers cannot categorically deny requests for an accommodation to work from home or to receive other commuting accommodations.  Rather, employers must assess the circumstances of such requests on an individualized basis as they would with any other request for an accommodation.  The Second Circuit suggested a non-exhaustive list of factors for the trial court to use in evaluating the reasonableness of a potential accommodation, such as:


·        The number of individuals employed by the employer;

·        The number and location of the employer's offices;

·        Whether other available positions existed for which the employee was qualified;

·        Whether the employee could have shifted to a more convenient office without unduly burdening the employer's operations; and

·        The reasonableness of allowing the employee to work from home without on-site supervision.


The Second Circuit further provided illustrative examples of commuting accommodations that the district court should consider, including whether DOHMH could: (1) transfer Ms. Nixon-Tinkelman back to Queens, (2) permit her to work from home, or (3) provide her a car or parking permit to minimize the burden of her commute and make it easier for her to travel to and from her doctor's appointments.


Recent Legislative Initiatives to Increase the Availability of Telecommuting


            The Second Circuit's decision is in line with a recent trend favoring telecommuting.  On December 9, 2010, President Obama signed into law the Telework Enhancement Act, which gave federal agencies a six-month window of time to establish a telework policy and notify employees of their eligibility under the policy.  The new law requires each agency to implement a telework policy, designate a telework managing officer to oversee the agency's telework program, and ensure continuity-of-operations planning, particularly when employees' commutes are affected by inclement weather.  Several states, including Connecticut, Florida and Virginia, have also recently implemented or proposed legislation regarding telecommuting.  For example, New Jersey has proposed legislation that provides private sector tax incentives for certain business telecommuting program development and implementation costs and a separate bill that requires state agencies to adopt telecommuting programs.  In June 2010, Connecticut enacted a law to develop and implement telecommuting guidelines for state employees with the goal of having a positive effect on worker efficiency, the environment, and traffic congestion.  In New York, legislation has been proposed to require public employers to establish policies and programs allowing public employees to perform all or a portion of their duties remotely (see, e.g., A00206 / S 1381) as well as establishing tax credits for employers who enact policies to encourage teleworking (see S 2065).  This wave of legislative activity, along with the Second Circuit's recent opinion, provide a good opportunity for employers to consider the legal, operational, and administrative issues related to telecommuting.


Wage-and-Hour Concerns Arising from Telecommuting


            The Nixon-Tinkelman decision acknowledges that lack of supervision may pose difficultly in allowing an employee to work from home.  This may be particularly true for non-exempt employees.  Aside from the more obvious concern of some employers about a loss of productivity absent on-site supervision, there is also a converse risk that overzealous non-exempt employees would work "off-the-clock," i.e., engage in work without reporting their time, absent on-site supervision.  In the work-from-home context, where the ability of employers to monitor an employee's activity is limited, allegations of violations of federal and state wage and hour laws for such off-the-clock work may prove more difficult to refute than those brought by employees who work at an employer site under direct supervision.  Given this reality, it is important for employers to have specific, well enforced wage and hour policies governing work-from-home employees. 


Privacy and Data Security Concerns Arising from Telecommuting


            In addition, employees who do work from home are most likely able to do so via remote electronic access to the employer's network, which can raise  a whole host of concerns over the privacy and security of personal information and confidential company information that the employee may be able to access remotely: 


·        Whether the remote access to the employer's network will be made via secure connection, which decreases the risk of a security breach while information is in transit, and whether employees will be able to download files directly to their personal computer, reducing the employer's ability to protect the security of those files. 

·        Whether the employee will be using a company-issued computer or a personal computer.  Employee-owned computers increase security risks because the employer has limited ability to monitor the software on the computer and restrict user access.  For example, a personal computer might contain third-party data sharing software that could access company information that has been downloaded to the computer.  Moreover, employers have limited ability to ensure that other home users of an employee-owned computer would not be able to access company files if, for example, the remote connection is left open.  Either situation could trigger notice obligations under state data breach notification statutes if covered personal information is accessed or acquired by an unauthorized person.

·        Whether necessary files and data can be transferred only via a secure network or whether portable media, such as thumb drives, will also be permitted for file and data transfers, and if so, what level of security, such as encryption and password protection, will be required.  The shrinking size of portable media provide greater freedom, flexibility, and mobility, but also pose greater risk of loss or theft due to their diminutive size.

·        How to ensure the security of a work-from-home employee's workstation.  For example, will the screen be visible to others and how will the remote employee secure paper files? 


Employers will need to develop and implement both administrative mechanisms, such as clear policies that put employees on notice of their rights and responsibilities, and operational mechanisms, such as implementing encryption and monitoring technology and other electronic security measures, that balance the need to preserve confidentiality and maintain security while allowing for the flexibility and mobility the employer's off-site employees' need.


Workplace Safety Issues and Liabilities Arising from Telecommuting


            Further, although telecommuters are not at the workplace, employers must still be concerned with workplace safety issues.  Workers compensation laws, OSHA and other workplace safety regulations can still apply to remote employees, so employers must develop ways to ensure that work-from-home employees comply with relevant safety protocols even in their home offices.  Although OSHA has announced that it will not conduct inspections of employees' home offices, and does not expect employers to conduct inspections, the agency will hold employers responsible for injuries or hazards at remote locations, including home offices, if they are caused or created by materials, equipment, or work processes that the employer provides or requires the employee to use at the remote location.  As well, OSHA will conduct inspections of home-based work sites when it receives a complaint or referral that indicates a violation of a safety or health standard that threatens physical harm.   Most state workers' compensation laws, including New York, are not limited to work related injuries that occur at the employer's fixed physical location, and therefore can apply to work-related injuries occurring at a home office or other work location.  The employee will still have to establish that the injury arose out of and in the course of employment, and not during a break or other non-work related activity. 


            Another recent area of liability, brought about by the technologies that have helped expand the mobile workforce, stems from injuries and damages caused by employees texting and talking while driving.  For example, in Bustos v. Dyke Industries Inc., Miami Dade Case No. 01-13370 (2001), an employer settled for over $16 million, after a jury initially awarded over $21 million in damages to an elderly woman who was hit and severely disabled by a salesman who was making a work related call on his cell phone while driving, resulting in the accident.  Again, due to the lack of on-site supervision, employers should, at minimum, enact clear policies on workplace safety issues that consider the particular circumstances of remote employees.    


            There may certainly be other concerns associated with remote employees in particular industries, and the issues noted above are but a sample of the concerns that telecommuting can raise.  Given the recent trend towards telecommuting, and the Second Circuit's decision clarifying that, in certain circumstances, it can be required as a reasonable accommodation, employers should take the opportunity to review their own telecommuting policies and procedures and consider the various issues that may arise when their own employees work from home or other remote locations. 


            This post was authored by Matt Lampe, Joseph Bernasky, David Krieger, and Mariya Nazginova of Jones Day.  The views and opinions expressed herein are those of the authors and do not necessarily reflect the views of Jones Day or the New York State Bar Association.

Enhanced by Zemanta

March 26, 2012


As employers continue to grapple with use of social media by employees for business, for pleasure, and in and outside the workplace, the National Labor Relations Board (the "Board") has issued another report on social media cases (Memorandum OM 12-31), updating a prior report (Memorandum OM 11-74), which we discussed in an earlier post.  In its news release on the updated report, the Board offers two key take-aways: 

1.            "Employer policies should not be so sweeping that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees."


2.            "An employee's comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees."


The updated report covers 14 cases in total, which involve disciplinary action, including discharges, for employee social media activity.  The conclusions in the report demonstrate the fact-specific nature of an inquiry into whether an employer is enforcing its social media policy in a discriminatory manner, which essentially turns on whether the social media activity that is regulated through the policy is group activity protected by Section 7 of the National Labor Relations Act ("NLRA"), as opposed to individual activity (or "gripes" as they are sometimes referred to in the report).  Of the 14 cases discussed in the report, seven address whether the employer's social media policy was lawful on its face, and five of the policies addressed were found to be unlawfully broad for one reason or another.  Although the Board's news release offers the two main take-aways noted above, there are several other issues and pitfalls addressed in the report that employers need to be aware of when drafting a social media policy:


·        Non-Union Employees.  Both union and non-union employees' social media activities are protected by the NLRA.  The report makes no distinction between union and non-union employees in analyzing whether a social media policy is lawful on its face or in its application. 


·        Disparaging Comments.  The report considers several examples of policies prohibiting disparaging comments in one way or another, such as general prohibitions on "defamatory" language, "inappropriate conversations," or using "unprofessional communications," or requiring social media communications to be "professional."  The report emphasizes that these types of blanket prohibitions can chill employees in the exercise of their rights under Section 7 of the NLRA to "engage in ... concerted activities for the purpose of collective bargaining or other mutual aid or protection," and were therefore found to be unlawful.  For example, the Board held that a rule prohibiting "[m]aking disparaging comments about the company through any media, including online blogs, other electronic media or through the media" would reasonably chill Section 7 rights because it could reasonably be construed to prohibit an employee from criticizing the employer's pay practices, and did not include any limiting language or examples of prohibited commentary.  Of course, a social media policy still needs to be consistent the employer's policies against harassment and discrimination, which is where limiting language, an issued discussed below, comes into play.   


·        Confidential Information.  The report's conclusions on prohibitions on discussing "confidential information" illustrate the careful balance that must be struck between an employer's duty or desire to protect certain information, such as trade secrets, non-public financial information, protected personal information, and the like, on the one hand, and an employee's right to discuss terms and conditions of employment, such as wages, on the other hand.  One policy addressed by the report prohibited employees from disclosing or communicating information of a confidential, sensitive nature, or non-public information concerning the company on or through company property to anyone outside the company without prior approval of senior management or the law department.  The policy was found unlawful because it did not define confidential, sensitive, or non-public information and could therefore reasonably be construed to prohibit employee from discussing matters such as wages and working conditions, which may be non-public but are discussions protected by the NLRA.  Again, limiting language and explanatory definitions can remedy the issue.


·        Company Name, Logo, & Marks.  Many organizations seek to limit the use of their company name, logo, and trade or service marks, but the report makes clear that employees have a Section 7 right to use their employer's name or logo in conjunction with protected concerted activity, such as communicating with co-workers or the public in general about a labor dispute.  Accordingly, a policy prohibiting the use of the company name or service mark outside the course of business without approval of the law department was held unlawful. 


·        Media Communications.  Restrictions on communications with the media can be another difficult area to navigate.  The report explains that employees have the right to communicate with the public regarding an on-going labor dispute, and that for this reason blanket prohibitions on communicating with the media or requiring prior authorizations will be held to be unlawfully overbroad. 


·        Identifying the Employment Relationship.  The report found a policy that required that employees always identify themselves as the employer's employees on social media and state that their views were their own when posting about job-related matters was both (1) unlawfully overbroad, because the Board views personal profile pages as an important function in enabling employees to communicate on social media with co-workers at their own or other locations (although the Board does not explain how the policy impeded this function), and (2) unlawfully burdensome on Section 7 communications because it required employees to repeat that their views are their own in every communication.  In the context of another policy, however, the Board recognized that employers need to carefully navigate between allowing communications protected under the NLRA and the Federal Trade Commission's guidelines on endorsements and testimonials,  pursuant to which individuals who have a relationship to a company, such as employees, must disclosure that relationship when discussing the company's products or services or those of its competitors.  Thus, the Board found lawful a policy that required employees to state that their views were their own and not those of the employer when discussing "promotional content" via social media, and defined "promotional content" as communications designed to endorse, promote, sell, advertise or otherwise support the employer and its products and services, referring to the Federal Trade Commission's regulations. 


·        Savings Clauses.  Although the report emphasizes that limiting language can cure overbroad language in a social media policy, a general savings clause may be insufficient to render a social media policy lawful under the NLRA.  For example, one policy discussed in the report stated that "in external social networking situations, employees should generally avoid identifying themselves as the Employer's employees, unless there was a legitimate business need to do so or when discussing terms and conditions of employment in an appropriate manner."  The Board found the policy unlawful because it did not define or explain what was "appropriate," either through specific examples or limiting language, which could chill employees from criticizing the employer's labor policies, treatment of employees, or other terms and conditions of employment.  The policy had a savings clause that provided that the policy would not be interpreted or applied so as to interfere with employee rights to self-organize, form, join, or assist labor organizations, to bargain collectively though representatives of their choosing, or to engage in other concerted activities, or to refrain from engaging in such activities.  The Board concluded that an employee could not reasonably be expected to know that this language encompassed discussions the employer deemed "inappropriate" and thus the savings clause was insufficient to render lawful the otherwise overbroad policy. 


·        Limiting Language and Examples.  Although the report includes several examples of overbroad policies, it also includes examples of lawful policies that restrict social media communications on the above-discussed topics, but included limiting language or examples, which kept the policy within the bounds of the NLRA.  For example, a policy that prohibited social media communications that are vulgar, obscene, threatening, intimidating, harassing, or a violation of company policies against discrimination, harassment, or hostility on account of age, race, religion, sex, ethnicity, nationality, disability, or other protected class, status or characteristic, was held lawful because it provided examples of the egregious conduct it prohibited.  Similarly, a policy that prohibited employees from using or disclosing confidential and/or proprietary information was found lawful where it defined confidential and/or proprietary information as including personal health information about customers or patients, and "embargoed information" such as launch release dates and pending reorganizations.  The report explains that the limiting language and examples made clear that the policy was intended to protect the employer's legitimate interest in keeping certain information confidential and the privacy interests of the customers, and the prohibitions would not reasonably be understood to restrict communications protected under Section 7 of the NLRA. 

Appropriate policing of employees' social media activities is necessary given the speed at which online communications are spread, and the potential impact that such communications may have on an employer's operations and reputation.  To be sure, there are a host of legal and business concerns that need to be addressed in a comprehensive social media policy, but the two Board reports are a helpful starting place for employers looking to create or amend social media policies.   


This post was authored by Matt Lampe, Joseph Bernasky, and Michele Bradley of Jones Day.  The views and opinions expressed herein are those of the authors and do not necessarily reflect the views of Jones Day or the New York State Bar Association.

August 17, 2012

Employer Lawsuits Against Employees Under the Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act, 18 U.S.C. 1030 (the "CFAA"), prohibits the fraudulent access of computer data by individuals "without authorized access" or who "exceed[] authorized access" of a "protected computer," which is defined by the CFAA as either a government computer or one used in or affecting interstate commerce.  The CFAA provided only for criminal penalties until amendments in 1994 added civil remedies, prompting employers to file actions under the CFAA against current and former employees who misappropriate or misuse confidential computer data.  On August 2, 2012, the Department of Justice announced that it would not seek Supreme Court review of a closely watched decision, U.S. v. Nosal,  in which the Ninth Circuit ruled on the application of the CFAA in the employment context.  The Ninth Circuit's decision in U.S. v. Nosal departed from the interpretations of other Circuits, and the federal courts, including the Second Circuit district courts, are split on whether and to what extent an employer can bring an action against an employee under the CFAA.


The Ninth Circuit Narrowly Interprets CFAA

In U.S. v. Nosal, the Ninth Circuit considered whether defendant David Nosal violated CFAA by enlisting his former colleagues at Korn/Ferry to download lists, names, and information from a confidential database on his former employer's computer.  676 F.3d 854, 856 (9th Cir. 2012).  The Ninth Circuit upheld the district court's dismissal of the employer's cause of action under CFAA, interpreting the phrases "without authorized access" and "exceeds authorized access" in the CFAA as prohibiting violations of access but not use restrictions.  Id. at *863-864.  The Ninth Circuit pointed out that the CFAA criminalizes improper "access" of protected computers but fails to speak directly about the "misuse" or "misappropriation" of the data found on such computers.  Applying what it deemed to be a "narrower interpretation" of this language, the court reasoned that the statute's phrase "without authorized access" contemplates the "outside hacker," or an individual without any authorization to access the protected computer in the first instance, and the phrase "exceeds authorized access" contemplates the "insider hacker," or one who has limited or restricted access to the protected computer but accesses information not within the scope of his or her authorized access.  Id. at *858.  According to the Ninth Circuit, the CFAA did not cover the situation before the court in which Nosal's colleagues had permission to access their employer's database and the information within that database, by way of a protected computer that they were also authorized to access, but used the information contained therein in an unauthorized manner. The Ninth Circuit expressed concern that reading the CFAA to prohibit unauthorized use of protected computers (as opposed to unauthorized access in the first instance) could effectively criminalize a wide range of common "minor dalliances" by employees, such as shopping on the internet or chatting with friends on a computer that they are authorized to access but are not authorized to use for such purposes.   


The Second Circuit District Court Split

The Second Circuit has not yet addressed this issue and the district courts in the Second Circuit are split on whether an employer has a cause of action against an employee under the CFAA for violating his or her use rights under employer policy.  Like the Ninth Circuit, some district courts have rejected claims under the CFAA where an employee has permission or authority to retrieve the confidential information at issue, regardless of whether the employee subsequently misuses the information.  See, e.g. University Sports Publications Co. v. Playmakers Media Co., 725 F. Supp. 2d 378, 385-387 (S.D.N.Y. 2010); Westbrook Techs., Inc. v. Wesler, 2010 WL 2826280 (D.Conn. July 15, 2010).  Further, in one decision, the Southern District of New York observed that the Second Circuit's interpretation of damages under the CFAA in Nexans Wires S.A. v. Sark-USA, Inc., 166 Fed.Appx. 559 (2d Cir. 2006), was consistent with a narrower interpretation of the statute's application.  See Orbit One Comm'ns, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 386-87 (S.D.N.Y. 2010).  In Nexans, the Second Circuit upheld damages under the CFAA for losses in connection with hacking computer information but denied recovery under the CFAA for the misuse of computer information.  Id. 


By contrast, in an action against former employees accused of transferring trade secrets to their new employer, the court found that the defendant-former employee exceeded his authorized access of the company computer when he violated the broad confidentiality section of his employment agreement, and in doing so violated the CFAA.  Marketing Tech. Solutions, Inc. v. Medizine LLC, 2010 WL 2034404, at *7 (S.D.N.Y. May 18, 2010).  In another case in which an employee copied and e-mailed proprietary company information (which he was otherwise authorized to access) in violation of his company e-mail policy, the court defined "exceeds authorized access" to include actions whereby an employee has "reason to know" that his access of documents is in "contravention of the wishes and interests of his employer."  Calyon v. Mizuho Securities U.S.A., Inc., 2007 WL 2618658, at *1 (S.D.N.Y. Sept. 5, 2007). 


The Federal Circuit Split

Since the Ninth Circuit's ruling in U.S. v. Nosal, the Fourth Circuit has also applied "a narrow reading" of the terms "without authorization" and "exceeds authorized access" in the CFAA, rejecting a cause of action against employees accused of misappropriating computer information, where the employees had permission to access the information at issue.  WEC Carolina Energy Solutions, LLC, 2012 WL 3039213, at *6 (4th Cir. July 26, 2012).  Observing that the CFAA was "meant to cover hackers," the Fourth Circuit declined to apply the statute to employees who "access computers or information in bad faith or [] disregard a use policy."  Id. at *7. 


Other Circuit Courts of Appeal, including the Fifth and Seventh Circuits, have applied broader interpretations of the CFAA.  For instance, the Fifth Circuit allowed a cause of action under the CFAA to proceed against an employee who retrieved confidential customer account information, which she was authorized to access, and subsequently transferred to her half-brother for the purpose of committing a fraud.  U.S. v. John, 597 F.3d 263, 272 (5th Cir. 2010).  Interpreting the CFAA clause "exceeds authorized access," the Fifth Circuit found that an employee exceeds authorized access when he or she has reason to know that he or she is not authorized to access such information in furtherance of a criminal scheme.  Id. at 273.   In Int'l Airport Centers, LLC. v. Citrin, the Seventh Circuit upheld the district court's finding that an employee violated the CFAA when, prior to leaving the company to start his own business, he deleted confidential company information on his assigned company computer that he knew the company would have wanted. 440 F.3d 418, 419-20 (7th Cir. 2006).  Although during the course of his employment the employee was authorized to access the company information on his work computer, the Seventh Circuit reasoned that the difference between the CFAA phrases "without authorized access" and "exceeds authorized access" is "paper thin," and concluded that any authority to access the confidential computer information terminated when the employee breached his duty of loyalty to the employer, thereby falling within the scope of the CFAA.  Id. at 420.


Practical Implications

Storing company confidential information, customer and employee personal information, and other business records electronically has become the norm.  By extension, maintaining the security of such electronic data has become increasingly important and mandatory in some jurisdictions if such data includes employee or customer personal information.  Effectively maintaining the security of company electronic data of course starts with effective internal policies and procedures; however, legal recourse, such as an action under the CFAA, also presents an effective deterrent for potential violations of company security policies.  As a result of the decision by the Department of Justice not to pursue Supreme Court review of the Ninth Circuit decision in U.S. v. Nosal, the circuit split is sure to remain for the foreseeable future and the application of the CFAA to the employment context will be unresolved.  Although the Ninth and Fourth Circuits' recent decisions applied a "narrower interpretation" of the CFAA than opinions in other Circuits, hinging on the distinction between unauthorized access and unauthorized use, these decisions still leave open the possibility of employer causes of action under the CFAA against employees who breach access restrictions.  Unfortunately, these decisions do not answer what level of access restrictions would be required in order to trigger the protections of the CFAA:  Would an employer policy on access rights alone be sufficient?  Or are technical access restrictions, such as password protection, required?  In this regard, until these questions are answered by the courts, employers should consider access restrictions imposed by company policy and whether technical access restrictions would be beneficial for certain types of sensitive company data. 


This post was authored by Matt Lampe, Joseph Bernasky, and Karen Rosenfield of Jones Day.  The views and opinions expressed herein are those of the authors and do not necessarily reflect the views of Jones Day or the New York State Bar Association.


January 10, 2013

EEOC Announces $2 Million Settlement of ADA Class Action Against Dillard's Inc.

The EEOC has reported that Dillard's Inc., a national retail chain, agreed to pay $2 million and adopt company-wide policy changes to settle a class action disability discrimination lawsuit filed by the agency in 2008. The suit stemmed from Dillard's long-standing national policy of requiring employees to disclose personal and confidential medical information as a condition of being approved for sick leave. The settlement also disposes of claims that Dillard's violated the ADA by terminating a class of employees for exceeding their maximum sick leave.

Under Dillard's policy, employees were required to disclose the specifics of their medical condition when requesting sick leave even though they had provided a doctor's statement confirming that their absence was due to medical reasons. The EEOC maintained that the policy violated the ADA's prohibition against inquiring as to an employee's disability except where job-related and necessary for the conduct of business.

Commenting on the settlement, EEOC regional attorney Anna Park stated, "Policies and practices that permit medical inquiries without proof of a valid business necessity run afoul of the law, often having large-scale consequences. All employers should carefully examine their own policies and practices to ensure compliance with federal law."

About Workplace Privacy Issues

This page contains an archive of all entries posted to Labor & Employment N.Y. ("LENY") in the Workplace Privacy Issues category. They are listed from oldest to newest.

New York Wage & Hour Law is the previous category.

Many more can be found on the main index page or by looking through the archives.