Written by Michael Arnold
As use of social media and other technologies continue to raise serious employment-related privacy issues in the workplace, expect to see a flurry of activity in 2014 from federal and state legislatures, administrative bodies and courthouses throughout the country addressing those issues. Here are five developments that we are monitoring (pun intended) as we enter the New Year.
1. The Law Starts to Catch up With the Technology
It is axiomatic that the law will always lag behind technology. This is no less true in the workplace. Over the last few years, employers have begun infiltrating employee Facebook and other social media (and personal e-mail) accounts to monitor applicant or employee activity. Typically, the employer will demand that an applicant or employee supply his or her username and password to the account on the basis that it needs to better vet an applicant or to ensure that the current employee has not engaged in any wrongdoing that may hurt the company’s legitimate business interests. Employees have protested this as an overreach by prying employers intent on invading their right to privacy.
In response, many states have started to pass laws restricting employer access to employee social media and other accounts containing personal information. According to the National Conference of State Legislatures, ten states passed social media-related privacy legislation in 2013, including New Jersey’s law, which went into effect this month. But legislation has been introduced or is pending in 36 states, so employers should surely anticipate some of these bills becoming law in 2014.
2. So Tell Us Your Honor, What Do These Laws Mean?
Not surprisingly, each of these state’s social media privacy laws vary in substance. What one law prohibits, another law permits; what one law defines in a certain way, another law defines differently; where one law provides for exceptions to the rule; another law says no ifs, ands or buts. Worse yet, as they are apt to do, state legislatures drafted many of these laws utilizing vague or undefined terminology/phraseology. Thus, in 2014, we expect courts to start interpreting these laws with increasing frequency.
State laws aside, courts have also begun to grapple with whether unauthorized employer access to employee social media information violates other statutes, like the Federal Stored Communications Act, and/or an employee’s common law right to privacy. A New Jersey Federal Court recently addressed these issues in Ehling v. Monmouth-Ocean Hospital, finding that the employee’s post was covered under the Stored Communications Act, but that the employer escaped liability under the Act’s authorized user exception based on the circumstances there. This decision should give pause to employers not subject to a state law who are trying to access an employee’s social media or personal email account to investigate employee wrongdoing.
On a related note, if feels like a week doesn’t go by now where we don’t see a court addressing an employer’s request to access an employee’s social media information in discovery during an employment litigation matter. For example, the employee claims she was unfairly dismissed for taking leave to nurse a back injury. The employer claims it fired her not for taking the leave, but because it heard through the grapevine that she was out dancing on a table at the trendiest nightclub rather than nursing her injury. During discovery, the employer demands access to the employee’s Friendster (just kidding, I mean) Facebook account to see whether the employee has posted content on that account that would support its suspicion, while the employee argues that the employer is just engaging in a fishing expedition. To date, opinions on these issues have varied, but we expect that a body of procedural law will continue to emerge over the next year, allowing defendant employers and plaintiff employees to better understand the role social media will play during discovery.
3. Your Greatest Strength May Be One of Your Biggest Weaknesses
All this talk thus far has been about an employer’s attempt to gain access to their employees’ personal information. But “privacy” can run both ways. Recently, the Equal Employment Opportunity Commission, a federal administrative body, accessed an employer’s e-mail servers and sent an e-mail blast to the business accounts of more than 1,300 employees (managerial and non-managerial) without any prior notice or consent of the employer in order to collect evidence and enlist potential claimants to file a class action age discrimination lawsuit against the employer. The employer, citing privacy violations, sued the EEOC in federal court. The EEOC has asked the court to dismiss the case saying it acted properly.
A decision against the employer will have serious implications. Among other things, the EEOC (or other administrative bodies), in accessing an employer’s e-mail servers, could significantly disrupt an employer’s operations and impair its working relationship with a (likely confused) workforce. Employees may feel compelled to respond to an e-mail from the government, and this could be especially troublesome for employers when managers, who may bind the corporation, feel compelled to respond. Further, this investigation method may allow the EEOC to obtain evidence of wrongdoing outside the scope of its original investigation (here, the e-mail did not tell the employees that the EEOC was investigating age discrimination only).
Meanwhile, another federal administrative agency, the United States Department of Labor is busy working with third-parties software developers to develop smartphone social media applications designed to “internet shame” employers who fail to comply with wage and hour and other employment laws. We wrote about the disconcerting implications of this strategy here.
And then there is threat to employers that someone will violate their “privacy” by hacking into their electronic systems. While we don’t have the space in this entry to address this topic at length, it is worth noting that last year, the Federal Financial Institutions Examination Council (FFIEC) issued a report entitled “Social Media: Consumer Compliance Risk Management Guidance”, whereby it warned that a financial institution’s use of social media can greatly expose it to external attacks by hackers, resulting in the possible theft of employer and/or employee confidential information. All employers, not just financial institutions, should take note of the warnings set forth in this report.
4. Wait, Our Employees work in an office not in a factory, what’s the NLRB doing here?
The past few years have seen the National Labor Relations Board devote significant attention to traditionally non-unionized workplaces. In particular, the NLRB has focused on, among other things, employer restrictions on employee social media use and investigation confidentiality.
The NLRB will continues to attack and strike down employer social media policies and related disciplinary decisions that penalize employees who seek to speak freely over social media regarding the terms and conditions of their employment without employer intrusion or other interference. Further, the NLRB has also sought to strike down employer policies that require employees, upon the threat of discipline, not to discuss the details of any ongoing investigation because, once again, in some cases, it will unlawfully infringe on their right to freely discuss the terms and conditions of their employment.
A newly-confirmed employee-friendly Board member has recently confirmed that the Board expects to continue devoting resources to these types of issues into 2014 and beyond.
5. When did We Start Living in the World of George Jetson?
The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers from using an employee’s genetic information when making employment-related decisions and from requesting or requiring an employee to supply genetic information about the employee or the employee’s family. Congress passed the law, in part, in response to employers using genetic testing to control expenses — e.g., an employer refuses to hire an individual that testing revealed was susceptible to cancer in order to save on potential healthcare premiums in the future.
One issue that has arisen from this law relates to whether an employer would be in violation when it needs to request private health related information to process an employee’s request for medical leave or for a reasonable accommodation. In those cases, to avoid liability, employers must make sure that they satisfy GINA’s safe harbor rule, which will treat the disclosure of such information as “inadvertent” as long as the employer previously informed the employee that they (or their health care provider) should not provide genetic information when responding to these health information requests. However, for those employers that do inadvertently receive this information, they should take the necessary steps to keep the information private, including by keeping it in a separate file.
Further, while GINA has been in effect for about five years, we are finally starting to see the first enforcement actions brought by the EEOC (see here and here for some examples). We expect the EEOC to file additional cases in 2014. The EEOC is taking a serious stance that an employee’s genetic information should remain private and not part of any employer decision making process.
* * * * *
What all these issues have in common is that, as we head into 2014, they demonstrate that now is as good a time as any to review your existing policies that address employee and employer confidential information to ensure compliance with federal and state laws and regulations, and in order to better protect your legitimate business interests.
Note: This entry was originally posted on Mintz’s Privacy & Security Matters blog, which is currently counting down the “12 Days of Privacy” by looking ahead to what we might expect in 2014 on the privacy front.