Today, one of the most critical risks a company can face is the cyber risk associated with its own employees or contractors. Companies are confronting an increasingly complex series of cybersecurity challenges with employees in the workplace, including employees failing to comply with established cybersecurity policies, accidentally downloading an attachment containing malware or providing their credentials in response to a phishing scam, or intentionally stealing company information for the benefit of themselves or the company’s competitors by simply copying information to their email or a thumb drive and leaving the company. Contractors or consultants with access to company systems can pose these same challenges. To guard against these risks, companies can implement various policies and procedures to address an employee’s tenure, from pre-hiring to post-employment, and can implement many of these same precautions with respect to contractors, consultants, or any other third parties with access to company systems.

On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Bărbulescu’s private communications.

Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr. Bărbulescu and his employer. That defect of justice meant that Romania had failed to proactively protect Mr. Bărbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.

The Grand Chamber held that Mr. Bărbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment. The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual. A full balancing exercise was therefore required in cases such as these.

The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case).  Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.

Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned.

By Dan Cooper and Rosie Klement

The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context.  Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace).  As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts).  The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.

Last Friday, the National Labor Relations Board (“NLRB”) ruled that two employees of a sports bar and restaurant were unlawfully discharged for their participation in a Facebook discussion criticizing their employer.  In the Facebook discussion that prompted the firings, a former employee complained in a status update that she owed more taxes than expected because of withholding mistakes by the employer.  The employee commented on the status, “I owe too.  Such an asshole,” and was discharged.  A second employee, who “liked” the former employee’s status, was discharged as well.

Section 7 of the National Labor Relations Act provides, in relevant part, “Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection . . . .”  At issue in this case was not whether the employees’ Facebook activity was “concerted” or whether the employees had a statutorily protected right to engage in a Facebook discussion about the employer’s tax-withholding practices.  Rather, the case centered on whether, as a result of their actions on Facebook, the two employees adopted the allegedly defamatory and disparaging statements contained in the former employee’s Facebook status and therefore lost the protection of the Act.

Employees’ use of social media and other online services in their professional and personal lives has increased the risk of an employee bringing claims against a current or former employer.  In the past three years, for example, employers have had to defend against claims related to ownership of social media accounts used by former employees

Last week, Judge Ungaro of the Southern District of Florida granted in part and denied in part a motion to dismiss in Burrows v. Purchasing Power, LLC.  The court found that the plaintiff had asserted a plausible claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), granted the plaintiff leave to amend his claims for negligence and common-law invasion of privacy, and dismissed without leave to amend his claims under the Stored Communications Act (SCA) and Florida Constitution.

According to the Amended Complaint, defendant Winn-Dixie Stores, Inc. transferred employees’ personally identifiable information (PII) to a third-party service provider named Purchasing Power, which allows employees to purchase goods via automatic payroll deductions.  The Amended Complaint alleges that a Purchasing Power employee inappropriately accessed the Winn-Dixie employees’ PII, and that Winn-Dixie learned about the data breach in October 2011 but failed to notify employees until January 2012.  Plaintiff Patrick Burrows, who was a Winn-Dixie employee, claimed that an unknown person used his compromised PII to file a false tax return under his name, leaving him unable to collect his tax refund.

Yesterday, the Federal Trade Commission entered into a consent decree with Spokeo, Inc., for violations of the Fair Credit Reporting Act.  As reflected in the FTC staff blog post, the FTC’s action against Spokeo is the first FCRA case to address the sale of data collected from online sources, including social media, in the

A federal district court in New Jersey ruled this week that an employer might have invaded an employee’s common-law privacy rights by coercing a co-worker into giving the employer access to the employee’s Facebook profile.

The plaintiff, a nurse and paramedic employed by a non-profit hospital service corporation, alleges that her supervisor forced a co-worker who was one of the plaintiff’s Facebook friends to log into Facebook in front of the supervisor so the supervisor could see the plaintiff’s postings. The complaint alleges the supervisor viewed and copied several of the plaintiff’s posts, including a comment implying that paramedics should not have saved a man who shot and killed a guard at the United States Holocaust Memorial Museum in Washington, D.C. The complaint alleges that the employer sent letters about the post to state regulators in a “malicious” attempt to damage the plaintiff’s reputation and employment opportunities. The defendants asked the court to dismiss the plaintiff’s common law invasion of privacy claim and her claim under New Jersey’s Wiretapping and Electronic Surveillance Control Act.

Lawmakers in Maryland and Illinois have introduced bills that would prohibit employers from requiring job applicants or employees to grant access to their social networking accounts.  The bills arose from reports that employers have impliedly or explicitly required access to social networking accounts as a condition of hiring or employment.

A few bills have been