Posts Tagged ‘Information Protection’
The plaintiff, Kevin Sporer contended that his former employer, United Air Lines invaded his privacy by viewing a pornographic video attached to an e-mail that Sporer sent from his work account to his personal account. Sporer also contended that United wrongfully terminated his employment. Sporer was a supervisor at the time of the discharge.
Sporer received an e-mail entitled “Amazing oral talent!!!!!!!!!!” on his work e-mail account from a friend. Sporer then sent this e-mail from his work computer, over United’s server, to his personal e-mail account. The trial court noted that the e-mail “contained a pornographic movie of a woman orally copulating a man in various acrobatic positions.” (Imagine if you were the judge explaining to your significant other: “Honestly, honey, I have to watch this for work.”).
A few minutes after transmitting the email to his personal e-mail account, Sporer emailed his friend that sent the e-mail: “Thank you for the spiritual lift. However, I need you to use my home E-mail address…. Apparently United Air Lines, Inc. has a strict computer security policy and these babies will get me fired.”
During a routine audit (yes, employers actually do this), United’s Information Security department came across the pornographic e-mail Sporer sent to his personal e-mail account, which eventually resulted in Sporer’s discharge for violating United’s e-mail policy.
The E-mail Policy:
UAL’s e-mail policy provided, in relevant part:
Message content must always be professional. It is strictly prohibited to transmit or store any messages or data that compromises or embarrasses the Company, contains explicit or implicit threats, obscene, derogatory, profane or otherwise offensive language or graphics, defames, abuses, harasses, or violates the legal rights of others.
United’s Information Security Policy also prohibited the transmission of obscene, derogatory, profane or otherwise offensive language or graphics. United’s information security policies are established to: “(1) protect the company’s investment in its human and financial resources expended to create its systems; (2) safeguard its information; (3) reduce business and legal risk; and (4) maintain public trust and the reputation of the company.” Under the heading “Privacy and Monitoring,” United’s Electronic Communications Standards provides:
The company reserves the right to monitor all e-mail on the company e-mail system-In other words, as an employee you should assume no right of privacy on e-mail transmitted on the company system. In addition, and messages sent or received, for business or personal reasons, may be disclosed to law enforcement officials or third parties without your prior consent.
Sporer admitted to having received reminders about United’s e-mail policy and that he understood that the content of his emails should not be less than professional. In fact, to turn on and use his work computer, Sporer had to click “OK” to clear the Warning Notice, informing him that the computer system is monitored.
Plaintiff’s Arguments Against Discharge
Sporer argued that his termination was wrongful because it was in violation of his right to privacy and in violation of a federal statute (18 U.S.C. § 2511, et seq.), which prohibits the interception and disclosure of wire, oral (Amazing or otherwise), or electronic communications. An invasion of privacy claim under California law requires a plaintiff to demonstrate: “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” Hill v. National Collegiate Athletic Assn., 7 Cal.4th 1, 39-40, 26 Cal.Rptr.2d 834, 865 P.2d 633 (1994). The Court quickly dismissed Sporer’s invasion of privacy claim noting that in 2001, “more than three-quarters of this country’s major firms monitor, record, and review employee communications and activities on the job, including their telephone calls, e-mails, Internet connections, and computer files.” Id. at 451, 117 Cal.Rptr.2d 155. The court further noted that there can be serious consequences for employers who do not monitor their employee’s communications and activities on the job. Id. at 452 n. 7, 117 Cal.Rptr.2d 155. Further, the advance notice that United monitored computer use for compliance with its policies, including a prohibition against use for “obscene or other inappropriate purposes,” and Sporer having an opportunity to consent to such monitoring, further undercut any reasonable expectation of privacy. Additionally, and this is a key point for employers, United had a policy of monitoring its employee’s computer use, warned employees that they had no expectation of privacy on e-mail transmitted on the company system, and provided its employees with a daily opportunity to consent to such monitoring. In light of these facts, the Court found that Sporer had no reasonable expectation of privacy in the use of his work email.
Sporer’s contention that United violated the federal statute (18 U.S.C. § 2511) by monitoring his work e-mail also failed. The statute excludes surveillance of communications where there is consent. The Court construed “consent” to express and implicit consent and that implied consent may be inferred “from surrounding circumstances indicating that the [party] knowingly agreed to the surveillance.” Id at 116-117. Circumstances showing consent will ordinarily include “language or acts which tend to prove … that a party knows of, or assents to, encroachments on the routine expectation that conversations are private.” Id. at 117. In regard to Sporer, he had been repeatedly informed that United monitored use of its computers, including emails and he had to click “OK” to clear the Warning Notice informing him that the computer system is monitored. Sporer also knew from past experience that United monitors work e-mail accounts. In fact, he was previously disciplined for sending an e-mail with a sexual video from his work account to his personal account. And the e-mail Sporer wrote to his friend minutes after he received the inappropriate email made clear that Sporer was aware of United’s strict computer policy and that United monitored work email accounts. The Court, therefore, found that because Sporer knew his work e-mail account was not private and was being monitored by United his consent to such monitoring may be implied. Accordingly, United did not violate 18 U.S.C. § 2511 by monitoring Sporer’s work e-mail account.
While monitoring employer provided e-mail accounts is (or should be) the norm, courts can reach conflicting decisions as to when and under what circumstances such monitoring is permissible. See How Far Can Employers Go in Reading Employee E-mail? For this reason, it is important for employers to reduce the risk that a Court will “second guess” such monitoring. The Sporer/United decision provides a text book roadmap for “getting it right” when it comes to employer e-mail policies and employee monitoring. In that regard, a few “take-aways” are as follows:
- Have a written policy: Employers must have a written e-mail policy that explains how company e-mail should be used. The overall theme of this policy should be that e-mail must be used for business purposes. Ideally, this e-mail policy will be part of an overall technology policy that establishes a road map with respect to the intended use of IT resources and what is prohibited. For example, limitations for accessing certain Websites and restrictions for loading unauthorized software into the company IT environment. See “How High Can Damages go for Unlicensed Software Use.“
- Writing the Email Policy: Your e-mail policy will depend upon your organizational needs. Generally it makes sense to get input from upper management in drafting a policy that supports the company’s overall mission. IT professionals can make recommendations as to what is technologically possible. And human Resource professionals should also be consulted because the policy will affect every employee. Equally important are recommendations from legal counsel. Aside from selfish job security motivations, legal counsel will provide valuable insight as to what is permitted, what is not permitted, and overall compliance recommendations. While not required, getting input from employees increase the chances of the policy ultimately being followed by employees.
- Communicate and Explain the Policy: Employers must communicate the policy to all stakeholders, including employees. It is also a good practice to document the employee has read and understands the policy by obtaining signed acknowledgment forms.
- Communicating the Policy is not a One Time Event: While it is not necessary, periodically communicating the existence of the policy is a good practice. First, it is a reminder to employees of what is expected in regard to e-mail/technology use and what is prohibited. Second, if your company ever needs to rely upon it in litigation, it just “looks better” if an employee was “reminded” about the policy. For example, United’s log-in procedure required employees to click a button (“OK”) to clear the notice that the employee’s email may be monitored. In other instances, employers have actually displayed random provisions of their overall employee policy at the log in screen, which also had to be cleared through clicking a button similar to “OK.” This random display also directed the employee to a link for the full policy for more information.
- Providing an Employee Out: It is a fact of Internet life that unsolicited e-mail is a given (I’m always amazed at how many women are waiting to hear from me or the number of Nigerian businessmen that need my assistance). And a lot of this unsolicited email is along the lines of the “Amazing” video of the pseudo-acrobat. Accordingly, chances are an employee will receive an e-mail that violates the company’s e-mail use policy. In that event, make sure employees understand what is expected, e.g., deleting it, contacting a supervisor., contacting IT, or whatever reporting requirements that are determined to be appropriate. Applying this to Mr. Sporer’s situation, his mistake was not in receiving the email, but rather forwarding it on to his personal email account and then deleting it. Presumably had he just deleted the email he would not have violated the policy. This goes back to effectively communicating what is expected of employees.
For more information on comprehensive technology policies or specific questions about e-mail policies, please feel free to contact me.
BusinessWeek’s CEO Guide To Technology reported that – based on data from the security firm Symantec – about 66% of all identities exposed in 2008 were from the theft or loss of laptops, USB keys, and other backup devices. Against this backdrop, BusinessWeek presented an interesting podcast about data breaches based on Rachael King’s interview with the Ponemon Institute’s founder Larry Ponemon. The Ponemon Institute is a pre-eminent research center dedicated to privacy, data protection and information security policy. Click here for a link to the podcast and here to download BusinessWeek’s podcast. Definitely worth a listen.
Employers routinely face situations where they must investigate an employee suspected of misconduct. Such investigations increasingly – if not always – involve email. But do employers become guilty of misconduct or otherwise risk liability if they access an employee’s email account? Does it matter if the company has a policy regarding email privacy? What if the policy is inconsistent or not enforced? Does it matter if the the email account is a company provided account or accessed using company computers/Internet connections? While the answers to these questions will, unfortunately, depend upon the circumstances, a great overview of issues employers should consider prior to investigating employee email is found at Investigating Personal Web-Based E-Mail.
When it comes to investigating employees and email, employers will often feel as if they are shooting at a moving target in the dark when it comes to “getting it right.” That is because court opinions addressing employee email investigation often become very fact specific and reach conflicting results.
For example, in Stengart v Loving Care Agency, Inc. (New Jersey 2009), the employer provided plaintiff with a laptop computer and a work email address. Prior to plaintiff’s resignation, she communicated with her attorneys about her anticipated suit against her employer. These email communications were sent from plaintiff’s work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After plaintiff filed suit, the company created a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, the employer’s attorney discovered and read numerous communications between plaintiff and her attorney.
The trial judge found in favor of the employer noting that the company’s policy put employees on sufficient notice that electronic communications, “whether made from her company E-mail address or an Internet based E-mail address would be subject to review as company property.”In reaching this conclusion, the judge stated that the company policy “specifically place[d] plaintiff on notice that all of her Internet based communications [we]re not to be considered private or personal” and that the policy “put employees on notice that the technology resources made available to employees were to be used for work related purposes, particularly during business hours.”
The Court of Appeals, however, reversed this decision noting that “there is much about the language of the policy that would convey to an objective reader that personal emails, such as those in question, do not become company property when sent on a company computer, and little to suggest that an employee would not retain an expectation of privacy in such emails.” The Court further based its decision on the “important societal considerations that undergird the attorney-client privilege.” This opinion is available here and is worth reviewing for its interesting discussion of the competing interests between employers’ interest in maintaining its business operations and employee privacy against the backdrop of digital communication (yes, I’ve been told I’m a dork for finding this stuff interesting).
In contrast to Stengart, the court in Scott v. Beth Israel Med. Center Inc., (N.Y. Sup. Ct. 2007) sided in favor of the employer and decided that email communications between plaintiff and his attorney exchanged over the employer’s email system was not protected by attorney-client privilege or work product doctrine. The emails in question were were all sent over the employer’s email server. And the employer’s email policy stated, among other things, that the electronic mail systems were the property of the employer and should be used for business purposes only, that employees “have no personal privacy right in any material created, received, saved or sent using [employer's] communication or computer systems,” and that the employer reserved the right to access and disclose such material at any time without prior notice.
The take away for employers is that it takes planning to bench the judicial-Monday-morning quarterback scrutinizing your investigation decisions. This planning starts with a well-written policy clearly advising employees of how company computers, Internet resources, and email will be treated. An employer should obtain the employee’s signed acknowledgement that the policy was received and understood. And, the policy must be enforced. See Privacy in the Digital Workplace – Oxymoron? Maybe Not, where an employer had such a policy in place, but represented it would not be enforced, which – under the facts of that case – created an “expectation of privacy” for the plaintiff employee.
Employers find they are walking a tightrope when it comes to balancing employee privacy, information protection, and not creating ammunition for retaliation claims
It is increasingly common for companies to require employees to use “web-based” company portals to access company information, such as HR policies, training materials, wage information, 401K accounts, and processing applications. This is in addition to personal information, e.g., social security numbers, contact information, drivers license numbers, etc., that companies maintain in company databases. The use of such measures provide numerous benefits, including cost-savings and providing employees with convenient access to such information. But employers increasingly find thy are walking a tightrope when it comes to balancing employee privacy concerns, information protection laws, and avoid providing ammunition to prospective retaliation claims by current or former employees.
In regard to retaliation claims, at least in Michigan, they follow a basic fact pattern: (1) The plaintiff claims he or she was engaged in a “protected activity”; (2) The plaintiff was discharged or otherwise discriminated against regarding the employee’s compensation, terms, conditions, location, or privileges of employment; and (3) There was a “causal connection” between the protected activity and the discharge. Under Michigan law, “protected activity” may include reporting to a public body a violation of a law, regulation, or rule; about to report such a violation to a public body; or being asked by a public body to participate in an investigation.”
A recent decision, Zungoli v United Parcel Service (New Jersey, 2009), provides new twist on this basic retaliation fact pattern and potentially expands the universe of “protected activity” that employers will have to manage.
In Zungoli, a former United Parcel Service (UPS) employee claimed that he was retaliated against for refusing to use UPS’s web-based employee portal. This portal provided access to UPS information related to HR, payroll, and training materials. Plaintiff also refused to use UPS’s employee management database that debuted in May 2006. In August 2006, Plaintiff received a less than satisfactory performance rating that was expressly based in part upon his refusal to register and use the UPS portals.
In response, Plaintiff filed suit alleging that he believed (this belief has important implications discussed below) UPS was violating public policy because UPSers.com and the UPSnetwork were not secure and could expose personal confidential employee information. In support of his claim, Plaintiff pointed to: (1) the fact that the terms and conditions of UPSers.com specifically informed employees that they had no reasonable expectation of privacy when using UPS portals; (2) the fact that for most users, UPSers.com did not have a user authentication system to protect its users’ confidential information; and (3) that UPSers.com allowed another individual to be contemporaneously logged on with the same username and password without notifying the user.
UPS brought a motion to dismiss the claim and thereby avoid further litigation, which the Court rejected. In reaching this decision, the Court noted that “there is a substantial causal nexus between the complained of conduct by UPS and a law, rule or mandate of public policy.” In this regard, the Court pointed to New Jersey’s Identity Theft Protection Act, (N.J.S.A. 56:11-44), which is a legislative recognition that it is necessary to restrict access to citizens’ social security numbers “in order to detect and prevent identity theft and to enact certain other protections and remedies related thereto and thereby further the public safety.”
The Zungoli decision is significant for employers on two fronts: First, for employers that have established similar web-based portals for their employees or that maintain confidential employee information on databases:
- As a best practice – and in light of the Zungoli decision and data breach laws – employers should assess their existing security measures protecting personal employee and customer information (as well as information critical to business success), have a written security policy in place for such information, a written breach response procedure, evaluate whether only necessary employee information is collected by the employer, and educate employees about data security. Companies should also review and update data security and privacy practices on a regular basis.
- Evaluate what employee information is collected and how such information is maintained. Michigan, like many other states, have laws pertaining to the use, display, and handling of social security numbers and other “personal information.” In addition, the majority of states have adopted data breach notification laws, which require companies to notify individuals whose personal information has been breached.
- Employers should consider allowing employees in states with identity protection and privacy protection laws to opt-out without fear of discipline or other adverse employment action if an employee expresses concern that the employer failed to implement appropriate security protections. This opt-out consideration may not be practical, however, if significant cost savings would be lost if employees broadly opted-out. Refusing an op-out procedure must be carefully assessed against the backdrop that – at least in Michigan – a whistle blower generally does not have to be correct in making his or her claim. Instead, the complaining employee must only have a “reasonable belief” that the complained-of activity is illegal or a violation. Thus, an employee may erroneously assert that a given employee database lacked adequate security, but still be entitled to whistle blower protection and damages if the employee can show he or she was retaliated against by the employer. Further, it is not uncommon for a an employer to obtain a favorable judgment as to a whistle blower claim, but still lose as to retaliation. See Weishuhn v Catholic Diocese of Lansing (Mich App, 2008) (trial court granted dispositive motion with respect to the Whistleblowers’ Protection Act claim, but it denied the motion with respect to the retaliation claim. Court of Appeals, vacated the trial court’s decision on other grounds).
- If opting out is not practical, is it possible to limit the company web portal to information specific to the company as opposed to the individual employee? For example, company training materials or HR information could be made available through a web portal, accessible upon the creation of a basic user profile that did not depend upon the disclosure of personally identifiable employee information.
- Any disclaimer language companies use should be carefully evaluated in light of privacy, security, and employee expectation. For example, the disclaimers used by the UPS portals advised users that they have no reasonable expectation of privacy with respect to their personal information, yet the plaintiff was still required to use the portal. While no system can guarantee security and privacy, implementing reasonable and appropriate technical, administrative and physical security measures should be instituted to safeguard employee (and customer) information). Otherwise, as in Zungoli, companies may unintentionally invite whistle blower and privacy lawsuits by employees.
The second important consideration for companies to consider is that while Zungoli involved a retaliation claim based on information security measures for an employee web portal, it is not difficult to envision a former employee/plaintiff making similar allegations as to information security measures for customer information. In that regard, the New Jersey ID Theft Protection Statute referenced in Zungoli is one of over 40 state data breach laws that could form the “causal connection” necessary to assert a retaliation claim. And in that scenario, a company would not only be required to respond to the employment litigation, but also potential downstream issues of public relations with its customers, new litigation filed by customers, or applicable regulatory investigation into a plaintiff’s allegations. These are certainly “worst case scenarios,” but scenarios that can quickly develop into an expensive reality.
Feel free to contact me for a copy of the Zungoli opinion or with any questions or concerns about this post. Thanks.
As a follow up to two prior posts on the FTC’s Red Flags Rule (here and here), a friend over at Kroll Fraud Solutions, was kind enough to forward me additional Red Flag Resources relating to resources from Kroll that explain how to comply with the new regulations: Kroll’s FAQ on the Red Flag Rules and Kroll’s podcast on the Red Flag Rule. Enjoy.