1. www.schwabe.com
Workplace Privacy Law and
New Technologies
Presented by:
Jean Ohman Back & Devon Zastrow Newman
Schwabe, Williamson & Wyatt
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
2. www.schwabe.com
Agenda
• Introduction to “Cloud Computing” and
Technologies that Employ the Cloud
• Challenges faced by Security Professionals in
Protecting Employer Assets and Data Privacy
• Legal Sources for Employee Privacy Rights in
the Workplace
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
3. www.schwabe.com
What is “Cloud Computing”?
The delivery of computing as a service rather than
a product, whereby shared resources, software,
and information are provided to computers and
other devices as a utility (like the electric grid) over
a network (typically the Internet)
Briefly: purchase of external computing power
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
5. www.schwabe.com
What are the benefits of “Cloud Computing”?
Centralized management of IT resources
– Increase resource utilization rates (with faster
speeds)
– Lower costs (renting vs. owning resources)
Workplace IT focused on policy management
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
6. www.schwabe.com
What are the downsides of Cloud Computing?
• Reliability of resources out of direct control
• Need to monitor/control resource use by
users
• Data privacy concerns
– Workplace confidential material
– Intellectual property protection
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
7. www.schwabe.com
Devices that use Cloud Computing
• Smart phones
• Laptops
• Tablets
• Home computers
Generally: Internet-available devices that
connect to workplace infrastructure
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
8. www.schwabe.com
What these devices also access
• Facebook
• Twitter
• MySpace
• Tumblr
• Google+
• LinkedIn
– “Apps” providing direct links to Internet from device
with confidential material stored/accessed
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
9. www.schwabe.com
Benefits and downfalls of social media
• Benefits: new marketing opportunities,
timeliness, reaching “younger” generation
with marketing messages
• Downfalls: potential for IP infringement,
defamation, claims against employer,
increased platform for litigation hold
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
10. www.schwabe.com
Litigation hold
• Duty to retain documents that could reasonably
relate to an issue in litigation
– Duty lasts through conclusion of case
• Duty triggered when a business is sued (or has a
reasonable apprehension of being sued)
• Retention obligation applies to all “data”
accessible by a company
– Includes smart phones, tablets, computers
– Can include social media platforms
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
11. www.schwabe.com
Document retention policy
• Businesses should have a document
retention policy
– Example: all emails not permanently needed
should be deleted after 30 days
– Obligations for what to retain clearly defined
• Businesses should follow their document
retention policy
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
12. www.schwabe.com
Managing workplace data privacy concerns
– What does the law PERMIT employers
to regulate?
– What does the law REQUIRE employers
to do in order to regulate data privacy?
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
14. www.schwabe.com
Employer Monitoring
Employers may generally
monitor emails sent and
received on company-
owned systems.
Can be used to enforce
data privacy
obligations/needs.
Spell out actions &
intervals in policy
Do not target employees
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
15. www.schwabe.com
Mechanisms for protecting employer data
• Employment agreement
– Employee contract: defines the employer’s
rights (e.g. monitoring computer activity)
– Confidentiality agreement: spells out actions
required to protect employer’s confidential
information and/or intellectual property (trade
secrets protection by independent contractor)
• If you will enforce legally, should be a stand-alone
agreement and not part of an employment manual.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
16. www.schwabe.com
Mechanisms for protecting employer data
• Data management policy
– Mobile device usage policy (if you want to use
your iPhone, you’ll have to agree to …)
– Can further address monitoring of employee
activity that will occur
• Case law: existing but “stale” policy is not effective:
employees must be aware of policy and that it is
regularly enforced
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
18. www.schwabe.com
Employer Monitoring
City of Ontario v. Quon
• Alleged 4th amendment privacy
right violation where employer
reviewed Quon’s private text
messages on employer-issued
device due to coverage charges
and punished him for sexually
explicit content
• U.S. Supreme Court held review
of message was incident to
reasonable, work-related audit,
and employee and no right of
privacy in text messages on
employer-owned devices
• Public Employee
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
19. www.schwabe.com
Employer Monitoring
• Recording telephone calls allowed in
Oregon as long as all participants in the
call are in Oregon, and as long as one
person consents.
• But – it is illegal to obtain or attempt to
obtain any part of a telecommunication or
radio communication in which the person
recording is not a participant.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
20. www.schwabe.com
Employer Monitoring
• Increasingly, employers use technology to
track keystrokes, and to monitor the time
that an employee spends on a computer.
• Employers may not obtain employee
passwords using keystroke monitoring
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
21. www.schwabe.com
Privacy Guidelines
• Inform employees in • Consistently apply
writing of the ways any monitoring
that you plan to policies across all
monitor them; employees;
• Have a • Justify monitoring in
comprehensive your policies by
electronic including the
communication policy legitimate business
interests that supports
monitoring activities
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
22. www.schwabe.com
Sources of Privacy Rights
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
23. www.schwabe.com
Sources of Privacy Rights
• 4th Amendment
• Common Law
• Statutory Law
• National Labor Relations Act
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
24. www.schwabe.com
Sources of Privacy Rights
4th Amendment for Public Employees
Public employees have privacy rights
under the 4th Amendment if they have a
reasonable expectation of privacy. But
there are no privacy rights to employer-
owned systems where employer has
communicated this and follows policy.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
25. www.schwabe.com
Common Law Privacy Rights
• Includes specific causes of action in tort law (invasion of
privacy, intrusion upon seclusion, false light)
• Employees have a general right to privacy where there is
a reasonable expectation of privacy.
• An employee’s right to privacy in social media is
governed by the nature of the social media site (i.e., is it
publicly available?).
• The employer’s workplace policies.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
26. www.schwabe.com
Common Law Privacy Rights
• An employee does not have a privacy right to
information that he or she posts to a public social
media site.
• An employee may have a privacy right to a web
site that restricts access to certain users, or that
is password protected.
• Employer policies can dispel right of privacy for
employer-owned systems or devices.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
27. www.schwabe.com
Sources of Privacy Rights
Electronic Communications
Privacy Act (“ECPA”)
• Pertains to interception of the content of a
communication contemporaneous with the
communication.
• Less likely to occur in employment setting.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
28. www.schwabe.com
Sources of Privacy Rights
Stored Communications Act
(“SCA”)
• Prohibits third parties from intentionally
accessing electronically stored
communications.
• Includes emails or entries on private
websites, without proper authorization
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
29. www.schwabe.com
Sources of Privacy Rights
Stored Communications Act
(“SCA”)
Allows authorized permission to access
stored communications if:
(i) the person is the provider of the service; or
(ii) the person is a user of the service and the
communication is from or intended for that user.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
30. www.schwabe.com
Sources of Privacy Rights
Stored Communications Act
(“SCA”)
An employer may not intentionally access stored
communications that are maintained by a third-
party service provider without the user’s
authorization
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
31. www.schwabe.com
Sources of Privacy Rights
Stored Communications Act
(“SCA”)
• “User Authorization” Exception is extremely
narrow:
Employee must actually be a user in order to give
authorization – he or she must have actually logged on.
Court may not apply the exception where an employee
is compelled to give access under threat of termination.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
32. www.schwabe.com
Sources of Privacy Rights
Stored Communications Act
(“SCA”)
• Consequences of violation are serious
Criminal liability for intentional unauthorized access.
Punitive damages and attorneys’ fees even without
showing of actual damages.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
33. www.schwabe.com
SCA – Employment Decisions with Attendant Risk
• Pietrylo v. Hillstone Restaurant Group, 2009 US Dist
LEXIS 88702 (D.M.J. Sept. 29, 2009).
• A supervisor obtained a user name and password to a
MySpace web page from a hostess who felt coerced into
providing the information.
• The Plaintiff, who created the web page was discharged
for violating policy requiring professionalism and positive
attitude.
• Jury awarded $3,403 plus punitive damages of $13,612
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
34. www.schwabe.com
SCA – Employment Decisions with Attendant Risk
• Konop v. Hawaiian Airlines Inc., 302 F.3d 868 (9th Cir.
2002).
• Company accessed an employee’s secure website using
other employee’s login information (with his permission)
even though the site’s terms prohibited access by
management and prohibited authorized users from
allowing others to access the site.
• Court found the airline violated the SCA and that the
exception to the act (where permission to view is granted
by a “user”) did not apply because the authorized
employees had not actually “used” the site themselves.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
35. www.schwabe.com
Concerted Activity under the NLRA
• In both Union and Non-Union settings, Employees have
the right to engage in concerted activity relating to the
terms and conditions of employment, including:
2 or more employees addressing their employer about
improving their working conditions and pay;
1 employee speaking to his or her employer on behalf
of himself or herself and one or more coworkers about
improving workplace conditions;
2 or more employees discussing pay or other work-
related issues with each other.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
36. www.schwabe.com
Concerted Activity
• Concerted activity does not generally include the
actions of a single employee unless he or she is
attempting to enlist others, or unless acting
based on prior concerted activity.
• Concerted activity may not include egregious or
profane statements made in the heat of
discussion.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
37. www.schwabe.com
Concerted Activity Protected by the NLRB
• The NLRB protects discussions or
statements by employees in a social media
platform if the discussion or statement is
“protected.”
• Discussions are protected if they involve
terms and conditions of employment.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
38. www.schwabe.com
Concerted Activity Protected by the NLRB
The NLRB has taken action in two areas:
1) Where the employer’s social media policy is
overbroad and violates Section 7 of the
NLRA on its face, or chills the
2) Where the employer’s discipline or discharge
of an employee based on social media
activity violates the NLRA because it
concerns protected concerted activity.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
39. www.schwabe.com
NLRA example – Souza v. AMR
• Employee was upset with her supervisor because he would not allow
her union representative to assist her in preparation of a response to
a consumer complaint.
• She posted her annoyance on Facebook from her home computer.
Other employees commented on her post in her favor.
• AMR fired the employee after her post, but allegedly based on many
different employment issues.
• The NLRB took issue with the termination arguing that AMR fired her
because she had requested a union representative and because she
complained about her workplace on her Facebook
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
40. www.schwabe.com
NLRA example – Souza v. AMR
• AMR’s policy provides that “Employees are prohibited from making
disparaging, discriminatory or defamatory comments when
discussing the Company or the employee's superiors, co-workers
and/or competitors.”
• The NLRB complaint charges that AMR's application of its policy
unlawfully interfered with the employee's right under Section 7 of the
NLRA to engage in “concerted, protected activity,” i.e., to
communicate with coworkers about the terms and conditions of
employment.
• AMR and the NLRB settled this complaint, so we do not know what
an Administrative Law Judge would decide.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
41. www.schwabe.com
Examples of conduct that the NLRB
had determined are protected
• Statements related to staffing levels;
• Statements related to choice of food as a sales event that
could impact the level of commission on sales;
• Statements about the employer’s administration of
income tax withholdings;
• Complaints about a supervisor’s refusal to provide a
union representative in meetings.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
42. www.schwabe.com
Concerted Activity
• Be careful about disciplining or discharging
based on one or more employees posting
to a site where they are complaining about
the terms and conditions of employment.
• Best practice – obtain legal advice, or refer
discipline or discharge to HR before taking
action.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
43. www.schwabe.com
Should you have a Social Media Policy?
• The NLRB has placed increased scrutiny on
social media policies;
• But, social media policies are still the best way to
protect your company’s trade secrets and
intellectual property
• Social media policies are recommended if
carefully drafted, and reviewed often
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
44. www.schwabe.com
Drafting a social media policy
• Your social media policy should include a statement
setting out a narrowly drawn purpose for the policy;
• Include examples of activity that will and will not violate
the policy provision;
• Include clear limited language – Ex: Nothing in this policy
prohibits employees from discussing wages, working
conditions, or terms of employment with each other.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
45. www.schwabe.com
The Computer Fraud and Abuse Act
• Enacted by Congress in 1984 as an anti-hacking statute.
• Provides in part that
– “Whoever * * * knowingly and with intent to defraud
accesses a protected computer without authorization,
or exceeds authorized access and by means of such
conduct furthers the intended fraud and obtains
anything of value * * * shall be punished”
• This is a criminal provision, and violation could mean jail
time.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
46. www.schwabe.com
The Computer Fraud and Abuse Act
• The CFAA further defines “exceeds
authorized access” as “to access a
computer with authorization and to use
such access to obtain or alter information
in the computer that the accesser is not
entitled to obtain or alter.”
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
47. www.schwabe.com
The Computer Fraud and Abuse Act
• Some cases have found that employees
who exceed authorization under a
workplace computer use policy have
violated the act and committed a crime.
• These cases are in other Federal Circuits:
– United States v. Rodriguez – 11th Cir.
– United States v. John – 5th Cir.
– Int’l Airport Ctrs., v. Citrin – 7th Cir.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
48. www.schwabe.com
The Computer Fraud and Abuse Act
• United States v. Nosal
• On April 12, 2012, The 9th Circuit Court of
Appeals rejected the argument that the CFAA
applies to situations where employees with
permission to access a company computer and
unrestricted access to data, forwarded
confidential information to former employee so
that he could compete against the company.
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
49. www.schwabe.com
Summary on Sources of Privacy Rights
• The 4th Amendment for Public employees
• Common law privacy rights
• Statutory rights (ECPA; SCA)
• Concerted activity under the NLRA
5. No criminal violation in the 9th Circuit for
employees who exceed computer access
under the Computer Fraud and Abuse
Act
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
50. www.schwabe.com
Helpful Resources
• http://www.iacpsocialmedia.org/ IACP Center for Social
Media (law enforcement)
• National Institute of Standards and Technology
Publication 800-144 (web): Guidelines on Security and
Privacy in Public Cloud Computing
• http://business.ftc.gov/privacy-and-security Federal Trade
Commission/Bureau of Consumer Protection: tracks what
information can be collected from websites; information
regarding regulations for data storage about consumers
by companies which collect data
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
51. www.schwabe.com
Helpful Resources
• Advisen – Online Social Networking:A Brave New World of Liability.
https://advisen.com/downloads/SocialNetworking.pdf
• Department of Justice – Obtaining and Using Evidence from Social
Networking Sites.
http://www.eff.org/files/filenode/social_network/20100303_cirm_socialne
• Florida Department of Law Enforcement – Social Networking Sites –
How they are used to Perpetrate Criminal Activity and how Law
Enforcement uses them as an Investigative tool.
• http://www.fdle.state.fl.us/Content/Analyst-Academy/Documents/Social-
Networking-Sites.apx
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
52. www.schwabe.com
Questions?
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA
53. www.schwabe.com
Contact Information
Jean Ohman Back
JBack@schwabe.com
(503) 796-2960
Devon Zastrow Newman
DNewman@schwabe.com
(503) 796-2944
Bend, OR | Portland, OR | Salem, OR | Seattle, WA | Vancouver, WA