Addresses privacy issues associated with hiring in a social media world, privacy issues associated with BYOD programs; employee privacy rights associated with off-duty activity including Facebook postings and activity protected by lifestyle laws.
PLI Workplace Privacy in the Year 2013 (uploaded 2013-06-13)
1. Workplace Privacy In the Year 2013
June 18, 2013
Presented to Practicing Law Institute by:
Margaret A. Keane
Littler Mendelson, P.C., San Francisco Office
mkeane@littler.com
www.linkedin.com/in/makeane/
2. Today’s Program
• Workplace Privacy Issues
– The New World
– Hiring Practices, circa 2013
• Overview of Social Media in the Hiring Process
• Social Media Checks
• Password Protection Statutes
• FCRA
• EEOC Guidance on Criminal Background Checks
• Foreign Data Protection Laws
– Employee Monitoring, Whistleblower Hotlines
– Yours, Mine or Ours: BYOD and Other Challenges of Mobile Devices
– Geo-location – GPS, RFID and More
– The NLRA, Drafting Social Media Policies, and Confidentiality
– Ownership and Control of Social Media Accounts
– Genetic Information Non-Discrimination Act
3. No Expectation of Privacy?
Despite diminished expectations of privacy, numerous laws address aspects of workplace privacy.
• Federal privacy laws include HIPAA, Gramm-Leach-Bliley (“GLB”), Children’s On-Line Privacy Protection Act (“COPPA”), Electronic Communications Protection Act (“ECPA”), Stored Communications Act (“SCA”), Fair Credit Reporting Act (“FCRA”), Genetic Information Non-Discrimination Act (“GINA”), Americans with Disabilities Act (“ADA”)
• State privacy and “lifestyle” laws and new state Password Protection laws (ex. CA AB 1844)
• Related Laws
– Record Retention Requirements, particularly for government contractors, medical and financial services sectors
– Security Breach Notification Statutes
– FINRA, FDA and other sector-specific regulations
4. No Expectation of Privacy?
In Europe, employees have privacy expectations, because legal protections do not depend on a “reasonable expectation of privacy”:
- data protection laws
- wiretap, telecommunications secrets
- labor & employment laws
5. New Hiring Paradigms
• In many sectors, work no longer needs to be performed in a designated place or at a designated time.
– Cloud-based applications can be reached anywhere/anytime
• New work models are prevalent for providing IT and other task or project-based services
– Ex. – Elance, oDesk, Collabworks
• On-demand sourcing models are becoming mainstream in the legal community – scope goes well beyond e-discovery
• New models challenge the legal system of employment laws tied to physical location and fixed hours
7. We Love Our Smartphones. . .
Source: http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013?utm_source=slideshow03&utm_medium=ssemail&utm_campaign=share_slideshow_loggedout
8. Are Smartphones An Extension of Our Brains?
Source: http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013?utm_source=slideshow03&utm_medium=ssemail&utm_campaign=share_slideshow_loggedout
9. Social Media Use and Channels Continue to Grow
Source: http://www.slideshare.net/kleinerperkins/kpcb-internet-trends-2013?utm_source=slideshow03&utm_medium=ssemail&utm_campaign=share_slideshow_loggedout
10. What Do You Do When You First Wake Up?
Source: Always Connected, IDC Study, Sponsored by Facebook, March 2013
11. Blurring The Lines: Work vs. Personal
90% of full-time employees use a personal smartphone for work purposes
– 62% of those use it every day
– 39% don’t use password protection
– 52% access unsecured wifi networks
– 69% believe they are expected to access work emails after hours
1 in 10 workers receive a stipend for their smartphone
(Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)
13. Social Networking in Talent Sourcing and Promotion
• 91% of employers had hired a staff member based on their social networking profile
• 69% decided not to make a job offer to a candidate after seeing the profile (photos of drugs/drinking or inappropriate behavior were the most popular reasons for eliminating a candidate)
• 47% of companies check candidates' profiles on social networking sites after they receive an application and 27% review after a screening interview.
Source: Job Screening With Social Networks: How Are Employers Screening Job Applicants, Reppler, October 2011
Source: The Use of Social Networking Websites and Online Search Engines in Screening Job Candidates, Society for Human Resource Management, August 25, 2011
14. Getting to Know You: Risks of Using Social Media in the Hiring Process
• Risk of making employment decisions based on inaccurate, irrelevant or false info
• Online social networking profiles often present personal information not properly subject to inquiry during the hiring process
• Potential to eliminate applicants based on protected class status in violation of federal and state anti-discrimination laws
• Need to balance applicant’s rights with employer’s need to screen candidates thoroughly
• Decisions made based on lawful, off-duty conduct may violate state “lifestyle” laws
16. Passwords
• At last count, thirteen states have enacted legislation to prohibit employers from asking applicants or employees for social media passwords or other log-in credentials, including CA, CT, CO, HI, IL, MD, MI, NV, NM, OR, UT, VT and VI. Others have pending legislation and federal legislation has also been introduced.
• California’s statute provides an exception that permits employers to “request an employee to divulge personal social media reasonably believed to be relevant to an investigation” of allegations of misconduct.
• California also has an exception for usernames and passwords used to access employer-issued devices.
• Be aware of tensions between State laws and FINRA obligations to supervise and retain records.
17. Passwords
Service providers usually prohibit password sharing in their terms of use; consequently, access by a third party constitutes ‘unauthorized access to’ or ‘interference with’ a computer under trespass laws, such as the U.S. Computer Fraud and Abuse Act.
18. Responsible Use of Social Media in Recruiting, Hiring and Promotions
• Build a process for lawful use of social media data
– Determine when on-line searches will be used in the hiring and promotion process (ex. after initial screening interviews)
– Determine scope of review: what sources will be checked and what information will be collected?
– Decide whether to inform applicants about on-line searches and whether to ask for email addresses, user names and blog posts
– Give notice and obtain consent where needed and comply with FCRA if using third parties to conduct the search
– Do not engage in unauthorized access to password protected sites, “shoulder surf” or require users to disclose passwords unlawfully
– Isolate protected class information from the decision-maker
– Update forms for recording information, maintain contemporaneous documentation and comply with applicable retention requirements
20. Fair Credit Reporting Act Overview
• Applies to reports prepared by a third party that regularly assembles or evaluates credit or other information on a consumer (“consumer reporting agency” or “CRA”) and includes background screening companies
• Covers any inquiry for employment purposes bearing on an individual’s “credit, general reputation, personal characteristics, or mode of living”
– Criminal history checks, credit checks, sex offender registry, motor vehicle record checks, employment and education verification
• Regulates public records, including criminal records, and is not limited to traditional credit reports
• Does not regulate purely in-house investigations, such as reference checks made by internal human resources personnel
21. FCRA Compliance
1. Obtain informed consent from job applicants
2. Issue "adverse action" letters if the background check will result in disqualification
3. Secure destruction of consumer information
22. FCRA Remedies
• Cases can be based on failure to use FCRA disclosure and authorization forms; failure to give adverse action notices
• Minimum statutory damages of $100 to $1,000 for willful violations
– Class action-friendly remedy where CRAs and employer follow standard procedures
– Low damages add up when multiplied against large applicant pools
• Actual damages for negligent violations
• Attorney fees to a successful plaintiff
• No statutory cap on defendant’s exposure
23. Class Litigation and FCRA
• Spike in class action filings against employers
– FCRA disclosure and authorization forms
– FCRA adverse action notices
– State equivalents
• Several multi-million dollar settlements in nationwide class actions
26. Updated EEOC Enforcement Guidance
Updated Enforcement Guidance – Approved 4-1 on April 25, 2012:
– “EEOC Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964”
– Accompanying “Questions and Answers About EEOC’s Enforcement Guidance”
See http://www.eeoc.gov/laws/guidance/arrest_conviction.cfm and http://www.eeoc.gov/laws/guidance/qa_arrest_conviction.cfm
27. EEOC Recommended “Best Practices”
EEOC’s View of “Employer Best Practices”
• Eliminate blanket exclusions “based on any criminal record”
• Develop narrowly tailored written policy/procedures excluding individuals from particular jobs based on a criminal history record
(1) Identify essential job requirements
(2) Identify specific offenses tied to “unfitness” for job
(3) Identify time limits applicable to exclusion
(4) Document research/consultations to support policy/procedures
(5) Provide for individualized assessment before final hiring decision
• When asking questions about criminal records, limit inquiries to records job related/consistent with business necessity
• Make inquiries of criminal record post-application (e.g. “ban the box” approach)
• Train managers, hiring officials, and decision-makers on how to implement the policy and procedures consistent with Title VII.
• Maintain confidentiality of criminal records
28. State EEO Laws
• State counterparts to Title VII
• Specific ex-offender protections
– Workplace posting and notice obligations
– Sequencing restrictions (when an employer can ask questions)
– Inquiry restrictions (what employer cannot ask about)
– Source restrictions (what employer cannot access)
– “Job-relatedness” requirements (what discretion employer has to screen out applicants)
30. Employee Monitoring, Hotlines
• USA: employers can destroy privacy expectations in notices
– hardly any limits
– but: notices must be updated regularly
• Rest of the World (ROW)
– many jurisdictions require voluntary employee consent
– EEA+ countries require limitations to monitoring programs and reportable topics for hotlines, notice to employees, consultations with works council and data protection officers, notifications to data protection authorities or applications for prior authorization, labor courts, labor inspectorate, etc.
32. Lingo: Dual Use Mobile Devices and BYOD
• Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
• BYOD: Bring Your Own Device
– A BYOD program includes:
• Policies that govern use of personal devices to access corporate services
• Policies that attempt to manage risk associated with storage and transmittal of data using devices that may be outside of the employer’s control
• Policies to address impact of mobile devices on existing workplace behavior
• COPE: Corporate Owned, Personally Enabled
33. What is MDM – Mobile Device Management?
Mobile Device Management:
• Software that allows corporate IT to manage use of mobile devices. Component of BYOD programs. Features may allow an employer to:
– Require users to register devices as a condition of network access
– Enable remote locking or wipe of device
– Implement anti-spam solutions, block specific apps, and prevent users from disabling or altering security settings on devices
– Monitor employee use and location of user and device
34. Policies Affected by BYOD:
Mobile devices have impact on policies throughout your business
• Data Privacy & Security
• Harassment, Discrimination & EEO
• Workplace Safety
• Time Recording and Overtime
• Acceptable Use of Technology
• Compliance and Ethics
• Records Management
• Litigation Holds
• Confidentiality & Trade Secret Protection
35. Setting Up a BYOD Program: A Master Plan for mobile device use in your organization
• Need to address challenges of dual use devices, REGARDLESS of whether you adopt a BYOD program
• If you implement BYOD, your policy should be part of an integrated Information Governance Plan
• Determine goals and objectives
• Privacy Considerations
– Remote wipes
– Containers
– Backups
36. Setting Up a BYOD Program
• Who Participates?
• What conditions will be imposed on participants?
• Who pays?
• Program may include limits on acceptable applications, passwords, encryption, employer monitoring, reporting obligations and remote wipes
• Address tradeoffs
– Participation in program is a privilege, not a right
– May have privacy tradeoff for convenience of remote access and device
37. Privacy in a BYOD World
Will your program distinguish between personal and business use?
Privacy Parameters
• Distinguish between data and device
• Device
– May require return upon demand or inspection as part of investigation
– May require return, with data intact, upon separation from employment
• Data
– Determine whether employer will retain right to review all contents of device or will exclude categories such as music and photos
– Require employee to provide access to cloud backups or home server?
– Monitor/limit employee’s use of web-based applications? Example: Siri, Dropbox, iCloud, etc.
– Set parameters for timing, terms and extent of remote wipes
38. Privacy in a BYOD World
1. Remote wipes of lost devices – can be viewed as either pro-privacy or an intrusion. Participation in BYOD program may be conditioned upon consent to remote wipes.
2. Litigation issues:
– Identification of BYOD devices/information
– Practical challenges of data collection
– Does the employee “control” data on the devices?
– Will employees be required to produce mobile devices to employer for inspection, preservation and production?
39. Privacy in a BYOD World: What is a Reasonable Expectation of Privacy?
3. Even if your policy gives you access to the device, employees may have privacy expectations in personal data stored with online services. Be careful.
– Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (employee had reasonable expectation of privacy in password protected emails stored on Hotmail and Gmail servers, regardless of the fact that she accessed them on a work computer)
– Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (NJ 2010) (employee had reasonable expectation of privacy in personal password protected web-based email sent through employer’s computer)
– Pietrylo v. Hillstone Restaurant Group, No. 06-5754, 2008 U.S. Dist. LEXIS 108834, at *20 (D.N.J. July 24, 2008) (question of whether employee had a reasonable expectation of privacy in MySpace page is a question of fact)
– Ehling v. Monmouth-Ocean Hospital Service Corp., Civ. No. 2:11-CV 033305 (WJM) (D.N.J. May 30, 2012) (plaintiff may have reasonable expectation of privacy in Facebook posting where she restricted access to her Facebook page)
– Doe v. City of San Francisco, No. C10-04700 THE (N.D. Cal. June 12, 2012) (employee had reasonable expectation of privacy in web-based emails viewed from a shared workplace computer designated for personal use by employees)
40. Geolocation Tracking and Telematics
• FTC: Geographic location is sensitive information
• CA Penal Code 637.7. No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person
• Tread carefully
Source: CTIA – The Wireless Association, Best Industry Practices and Guidelines for providers of location based services
42. What is Protected Concerted Activity?
• The NLRA prohibits discipline against employees who engage in “protected concerted activity”
Protected = related to the terms or conditions of employment, unionization, or an on-going labor dispute
Concerted = “with, or on the authority of, other employees and not solely by and on behalf of the employee himself.” Meyers Industries, 268 NLRB 493, 497 (1984)
Note: Employees in a non-unionized workplace can engage in protected, concerted activity
43. What is Protected Activity?
1. What is the subject matter of the post?
– Union organizing or exercise of rights under CBA or labor law
– Work hours, wages, tax administration
– Job performance or meetings with management
2. Who is participating in the discussion?
– Only personal friends/relatives or co-workers included?
3. Is the employee expressing only an individual gripe?
4. Are employees acting collectively?
– Preparing for discussion with management or otherwise acting on behalf of group
5. Are the social media posts a direct outgrowth of prior group discussions?
46. Social Media Policies:
General Rule:
An employer’s social media policy may run afoul of the NLRA if it infringes on an employee’s ability to engage in protected activity.
Employers should be careful not to make their policies too broad, and should also include specific language that they do not mean for the policy to prohibit or restrict any lawfully protected activity.
47. Disclaimer Options
Board’s repeated comment: “[T]he rules contained no limiting language to inform employees that [the rules] did not apply to Section 7 activity.”
Use a disclaimer: This policy will not be construed or applied in a way that improperly interferes with (A) employees’ exercise of their rights under the NLRA or any other law, or (B) employees’ legally protected social media discussions regarding wages, hours, or working conditions.
48. Unlawful vs. Lawful Policy Language
Unlawful: No posting of confidential information
Lawful: No posting trade secrets and private and confidential information, with examples
Unlawful: No “inappropriate conduct” or “be respectful”
Lawful: Examples prohibiting discriminatory remarks, harassment and threats of violence or similar inappropriate conduct
Unlawful: “Be respectful”
Lawful: No malicious, obscene, threatening or intimidating conduct, harassing or bullying, posting intentionally meant to harm a co-worker’s reputation or that could contribute to a hostile work environment
Unlawful: Use of employer name or logo
Lawful: Ensuring postings are consistent with the code of ethics or conduct
49. Affirmative Guidelines
1. Require compliance with all Company policies (e.g. confidentiality, harassment)
2. Include: “Do not claim to be acting on the Company’s behalf without prior authorization;”
3. Require that employees disclose affiliation with the Company whenever endorsing its products or services;
50. Affirmative Guidelines
4. Remember: A blanket policy that requires employee confidentiality during an HR investigation is deemed to violate the National Labor Relations Act and employees’ rights to engage in concerted activity – must be a case-by-case determination.
5. If a Policy explicitly restricts activities protected by the NLRA, the NLRB will find it unlawful...and will also find it unlawful if:
– employees would reasonably construe the language to prohibit protected activity; the Policy was issued in response to Union activity; or the Policy has been applied to restrict protected rights....AND, FINALLY:
51. Breaking Up is Hard to Do:
Clarify your right to wipe devices and ownership of social media assets before the breakup
• Clarify ownership of social media assets. Maintain access to, and the right to change, passwords to corporate accounts.
52. Genetic Information Nondiscrimination Act of 2008 (GINA)
• Illegal to discriminate against employees or applicants because of genetic information
• Employers may not use genetic information in making employment decisions and may not request, require or purchase genetic information
• Any employer that possesses genetic information about an employee must maintain such information in separate files; must treat it as a confidential medical record; and may disclose it only under very limited circumstances
• Prohibition on requesting information defines “request” to include “conducting an internet search on an individual in a way that is likely to result in a covered entity obtaining genetic information.” 29 C.F.R. §1635
• Safe harbor for inadvertent acquisition applies where employer “inadvertently learns genetic information from a social media platform where he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).” 29 C.F.R. §1634