Employee Privacy

Last Friday, the National Labor Relations Board (“NLRB”) ruled that two employees of a sports bar and restaurant were unlawfully discharged for their participation in a Facebook discussion criticizing their employer.  In the Facebook discussion that prompted the firings, a former employee complained in a status update that she owed more taxes than expected because of withholding mistakes by the employer.  The employee commented on the status, “I owe too.  Such an asshole,” and was discharged.  A second employee, who “liked” the former employee’s status, was discharged as well.

Section 7 of the National Labor Relations Act provides, in relevant part, “Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection . . . .”  At issue in this case was not whether the employees’ Facebook activity was “concerted” or whether the employees had a statutorily protected right to engage in a Facebook discussion about the employer’s tax-withholding practices.  Rather, the case centered on whether, as a result of their actions on Facebook, the two employees adopted the allegedly defamatory and disparaging statements contained in the former employee’s Facebook status and therefore lost the protection of the Act.
Continue Reading NLRB Finds Employee’s Facebook “Like” and Comment Protected By Labor Law

By Lindsay Burke and Brian Fitzpatrick

On March 10, 2014, the EEOC and the FTC issued joint guidance on how the anti-discrimination laws and the Fair Credit Reporting Act (“FCRA”) apply to background checks performed by employers for employment application purposes. This guidance is published in two documents, one directed at employers and the other directed at employees and applicants, and aims to provide high-level practical assistance and answers to commonly asked questions that arise during the application process.  The pamphlet directed to employers builds off of the EEOC’s April 25, 2012 guidance regarding employer use of criminal history information, which we summarized here, and addresses the request for, appropriate use of, and disposal of such information.

Employers are reminded of their obligation to treat all applicants and employees equally and to refrain from performing background checks in a selective manner, where that decision is or could be perceived to be based on protected characteristics, including medical history (which implicates genetic information). When using background information to make employment decisions, employers must apply the same standards to all individuals and be cautious of basing employment decisions on background problems that may be more common among people of certain protected categories. If a certain type of background check disproportionately impacts members of a protected group, it must be job-related and consistent with business necessity. The guidance does not explain, however, how employers are to discern whether these warnings apply, nor does it mandate that employers conduct any research to investigate these possibilities. Continue Reading EEOC and FTC Issue Joint Guidance on Background Checks Performed by Employers

New Jersey has enacted restrictions on the ability of employers to access employees’ social media accounts, becoming the twelfth state to enact such legislation. More than 30 state legislatures have considered bills on the topic in 2013, according to the National Conference of State Legislatures.

New Restrictions in New Jersey

New Jersey’s new law, signed by Governor Chris Christie on August 29 and effective December 1, generally prohibits employers from requiring or requesting that employees or prospective employees “provide or disclose any user name or password, or in any way provide the employer access to, a personal account through an electronic communications device.” Employers also may not require individuals to waive the law’s protections or retaliate against individuals who refuse prohibited requests or file complaints with the Commissioner of Labor and Workforce Development about violations of the law. An earlier version of the law, passed by the legislature but vetoed by Gov. Christie, also would have allowed aggrieved individuals to file civil suits for injunctions, damages, and reasonable attorneys’ fees and court costs.Continue Reading New Jersey Restricts Employer Access to Employees’ Personal Online Accounts

A New Jersey federal court recently held that an employee’s Facebook wall posts were protected by the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., in one of the first cases to analyze the SCA’s application to the Facebook wall.  Ehling v. Monmouth-Ocean Hospital Service Corp.., No. 2:11-cv-3305 (WMJ) (D.N.J. Aug. 20, 2013).  An important factor in the court’s ruling was the fact that the employee had configured her privacy settings to restrict her posts to her Facebook “friends.”

The court found that the employer had not violated the SCA by viewing the employee’s wall, however, because a co-worker, who was one of her Facebook friends, showed the post to their employer without any prior prompting by the employer.  

This ruling provides further reason for employers to avoid unauthorized access to an employee’s social media activities.  The court’s holding is consistent with the passage by 11 states of laws prohibiting employers from demanding social media passwords from employees.  But employers that learn of social media activity by employees through passive means may still be able to take action based on that information.Continue Reading Federal Court Finds Stored Communications Act Applies to Facebook Wall Posts

Many employers have been surprised by recent rulings that two common employment policies run afoul of the National Labor Relations Act (“NLRA”) even if their employees are not union members.  Based on a legitimate interest in preserving confidentiality and privacy, many employers have adopted social media policies limiting what employees may post on Facebook or Twitter about their employer or co-workers.  Based on similar privacy considerations, employer procedures for investigating sexual harassment and other complaints often place restrictions on what employees may reveal to their co-workers or others about the allegations.  According to recent decisions, however, both policies may violate Section 7 of the NLRA, which permits employees to engage in “concerted activity” for “mutual aid and protection.”

Section 7.  It is well established under the NLRA that employees may confer with one another about their wages and other terms of employment and may take  “concerted” action in an effort to improve their working conditions.  Employees (but not managers) are protected by Section 7 of the NLRA, whether or not they are members of a union. But employers rarely face Section 7 issues since claims under Section 7 must be asserted in charges filed with the National Labor Relations Board (“NLRB”), and few employees do so.   

Confidentiality of Complaint Investigations.  Enforcement Guidance issued by the EEOC directs employers conducting investigations of workplace harassment to assure complainants that they “will protect the confidentiality of harassment complaints to the extent possible.”  Employers routinely adopt policies asking employees who are part of workplace investigations, either as complainant or witness, to keep such investigations confidential.  Such policies help ensure the integrity of investigations, prevent workplace retaliation for participation in investigations, protect the privacy of complainants, and foster an environment where employees will readily report harassment concerns.Continue Reading The NLRB Strikes Down Employer Policies on Social Media and the Confidentiality of Complaint Investigations

After gaining prominence in 2012, state legislation restricting access to personal social media accounts by employers and schools has remained active.  Three more states have enacted their own restrictions thus far in 2013, and bills are pending in more than two dozen other states, according to the National Conference of State Legislatures. In 2012, Illinois and Maryland  enacted social media privacy laws restricting employers, Delaware and New Jersey enacted laws restricting academic institutions, and California and Michigan enacted both employer- and school-focused restrictions.

So far this year, Utah, New Mexico, and Arkansas have enacted their own restrictions. Utah enacted two laws — the Internet Employment Privacy Act and the Internet Postsecondary Education Privacy Act — as part of one bill, HB100, which was signed into law on March 26 and takes effect May 14. New Mexico enacted two separate bills — SB 371 and SB 422 — focusing on employers and post-secondary schools, respectively. Both bills were signed April 5 and take effect on June 14. In Arkansas, a bill imposing restrictions on public and private post-secondary schools was enacted as Act 998 on April 8.  Below is more information about each.Continue Reading Utah, New Mexico, Arkansas are Latest States to Restrict Access by Employers or Schools to Personal Social Media Accounts

On 7 March 2013, the UK Information Commissioner’s Office (ICO) issued new guidance on the use of personal devices for business purposes. The guidance is largely informed by a survey commissioned by the ICO and carried out by the market research firm YouGov. According to the survey, 47% of adults in the UK use personal smart mobile phones, laptops or tablets for work purposes, but less than 30% are given guidance on secure use and the risks relating to personal data loss or theft.

UK companies have in recent years been increasingly amenable to allowing employees to use personal devices for business purposes, a practice known as “bring your own device” to work, or BYOD. The driving forces behind the trend for BYOD include cost considerations and a rise in flexible working practices. The ICO guidance reminds employers that their responsibilities as data controllers apply equally in the context of BYOD. In other words, employers remain liable for any data loss, theft, or damage to personal data that occurs, regardless of whether processing takes place in their secure corporate IT environment or on the personal devices of their employees.Continue Reading New ICO Guidance Offers Employers Practical Advice on Implementing Safer “Bring Your Own Device” Policies

A bill reintroduced in the U.S. House of Representatives on Wednesday would prohibit employers and schools from requesting or demanding access to employees’ or students’ personal social-media accounts.

The bill, titled the “Social Networking Online Protection Act,” would bar employers from requesting or requiring that employees or job applicants provide the employer access to personal e-mail or social-networking accounts.  The bill also would bar employers from firing or otherwise retaliating against an employee or applicant for refusing or complaining about such a request. Violations would carry a civil penalty of up to $10,000, and the bill would authorize the Secretary of Labor to seek an injunction against practices that violate the law.

The bill would establish similar protections for students or applicants at colleges and K-12 schools receiving federal funds. Continue Reading Bill Would Set Federal Restrictions on Employer, School Access to Personal Online Accounts

New Jersey earlier this month became the latest state to bar college and university officials from demanding access to students’ or applicants’ personal online accounts.  Gov. Chris Christie signed the law, which takes effect immediately, on Dec. 3.

Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account. Schools may not retaliate against students who refuse to provide access to their accounts, and the law voids any agreement to waive the statute’s protections.Continue Reading New Jersey Restricts Colleges’ Access to Students’ Personal Accounts, Considers Similar Protections for Employees

Last week, Judge Ungaro of the Southern District of Florida granted in part and denied in part a motion to dismiss in Burrows v. Purchasing Power, LLC.  The court found that the plaintiff had asserted a plausible claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), granted the plaintiff leave to amend his claims for negligence and common-law invasion of privacy, and dismissed without leave to amend his claims under the Stored Communications Act (SCA) and Florida Constitution.

According to the Amended Complaint, defendant Winn-Dixie Stores, Inc. transferred employees’ personally identifiable information (PII) to a third-party service provider named Purchasing Power, which allows employees to purchase goods via automatic payroll deductions.  The Amended Complaint alleges that a Purchasing Power employee inappropriately accessed the Winn-Dixie employees’ PII, and that Winn-Dixie learned about the data breach in October 2011 but failed to notify employees until January 2012.  Plaintiff Patrick Burrows, who was a Winn-Dixie employee, claimed that an unknown person used his compromised PII to file a false tax return under his name, leaving him unable to collect his tax refund.Continue Reading Florida Data Security Claims Survive Motion to Dismiss