Employers find they are walking a tightrope when it comes to balancing employee privacy, information protection, and not creating ammunition for retaliation claims
It is increasingly common for companies to require employees to use “web-based” company portals to access company information, such as HR policies, training materials, wage information, 401K accounts, and processing applications. This is in addition to personal information, e.g., social security numbers, contact information, driver’s license numbers, etc., that companies maintain in company databases. The use of such measures provides numerous benefits, including cost savings and convenient employee access to such information. But employers increasingly find they are walking a tightrope when it comes to balancing employee privacy concerns and information protection laws while avoiding providing ammunition for prospective retaliation claims by current or former employees.
Retaliation claims, at least in Michigan, follow a basic fact pattern: (1) The plaintiff claims he or she was engaged in a “protected activity”; (2) The plaintiff was discharged or otherwise discriminated against regarding the employee’s compensation, terms, conditions, location, or privileges of employment; and (3) There was a “causal connection” between the protected activity and the discharge. Under Michigan law, “protected activity” may include reporting to a public body a violation of a law, regulation, or rule; being about to report such a violation to a public body; or being asked by a public body to participate in an investigation.
A recent decision, Zungoli v United Parcel Service (New Jersey, 2009), provides a new twist on this basic retaliation fact pattern and potentially expands the universe of “protected activity” that employers will have to manage.
In Zungoli, a former United Parcel Service (UPS) employee claimed that he was retaliated against for refusing to use UPS’s web-based employee portal. This portal provided access to UPS information related to HR, payroll, and training materials. Plaintiff also refused to use UPS’s employee management database that debuted in May 2006. In August 2006, Plaintiff received a less than satisfactory performance rating that was expressly based in part upon his refusal to register and use the UPS portals.
In response, Plaintiff filed suit alleging that he believed (this belief has important implications discussed below) UPS was violating public policy because UPSers.com and the UPSnetwork were not secure and could expose personal confidential employee information. In support of his claim, Plaintiff pointed to: (1) the fact that the terms and conditions of UPSers.com specifically informed employees that they had no reasonable expectation of privacy when using UPS portals; (2) the fact that for most users, UPSers.com did not have a user authentication system to protect its users’ confidential information; and (3) that UPSers.com allowed another individual to be contemporaneously logged on with the same username and password without notifying the user.
UPS brought a motion to dismiss the claim and thereby avoid further litigation, which the Court rejected. In reaching this decision, the Court noted that “there is a substantial causal nexus between the complained of conduct by UPS and a law, rule or mandate of public policy.” In this regard, the Court pointed to New Jersey’s Identity Theft Protection Act (N.J.S.A. 56:11-44), which is a legislative recognition that it is necessary to restrict access to citizens’ social security numbers “in order to detect and prevent identity theft and to enact certain other protections and remedies related thereto and thereby further the public safety.”
The Zungoli decision is significant for employers on two fronts: First, for employers that have established similar web-based portals for their employees or that maintain confidential employee information on databases:
- As a best practice – and in light of the Zungoli decision and data breach laws – employers should assess their existing security measures protecting personal employee and customer information (as well as information critical to business success), have a written security policy in place for such information, have a written breach response procedure, evaluate whether only necessary employee information is collected by the employer, and educate employees about data security. Companies should also review and update data security and privacy practices on a regular basis.
- Evaluate what employee information is collected and how such information is maintained. Michigan, like many other states, has laws pertaining to the use, display, and handling of social security numbers and other “personal information.” In addition, the majority of states have adopted data breach notification laws, which require companies to notify individuals whose personal information has been breached.
- Employers should consider allowing employees in states with identity protection and privacy protection laws to opt out without fear of discipline or other adverse employment action if an employee expresses concern that the employer failed to implement appropriate security protections. This opt-out consideration may not be practical, however, if significant cost savings would be lost if employees broadly opted out. Refusing an opt-out procedure must be carefully assessed against the backdrop that – at least in Michigan – a whistle blower generally does not have to be correct in making his or her claim. Instead, the complaining employee must only have a “reasonable belief” that the complained-of activity is illegal or a violation. Thus, an employee may erroneously assert that a given employee database lacked adequate security, but still be entitled to whistle blower protection and damages if the employee can show he or she was retaliated against by the employer. Further, it is not uncommon for an employer to obtain a favorable judgment as to a whistle blower claim, but still lose as to retaliation. See Weishuhn v Catholic Diocese of Lansing (Mich App, 2008) (trial court granted dispositive motion with respect to the Whistleblowers’ Protection Act claim, but denied the motion with respect to the retaliation claim; the Court of Appeals vacated the trial court’s decision on other grounds).
- If opting out is not practical, is it possible to limit the company web portal to information specific to the company as opposed to the individual employee? For example, company training materials or HR information could be made available through a web portal, accessible upon the creation of a basic user profile that did not depend upon the disclosure of personally identifiable employee information.
- Any disclaimer language companies use should be carefully evaluated in light of privacy, security, and employee expectation. For example, the disclaimers used by the UPS portals advised users that they have no reasonable expectation of privacy with respect to their personal information, yet the plaintiff was still required to use the portal. While no system can guarantee security and privacy, reasonable and appropriate technical, administrative and physical security measures should be instituted to safeguard employee (and customer) information. Otherwise, as in Zungoli, companies may unintentionally invite whistle blower and privacy lawsuits by employees.
The second important consideration for companies is that while Zungoli involved a retaliation claim based on information security measures for an employee web portal, it is not difficult to envision a former employee/plaintiff making similar allegations as to information security measures for customer information. In that regard, the New Jersey ID Theft Protection Statute referenced in Zungoli is one of over 40 state data breach laws that could form the “causal connection” necessary to assert a retaliation claim. And in that scenario, a company would not only be required to respond to the employment litigation, but also to potential downstream issues of public relations with its customers, new litigation filed by customers, or an applicable regulatory investigation into a plaintiff’s allegations. These are certainly “worst case scenarios,” but scenarios that can quickly develop into an expensive reality.
Feel free to contact me for a copy of the Zungoli opinion or with any questions or concerns about this post. Thanks.