Over on our sister blog, Privacy and Security Matters, Cynthia Larose has just published an article that will be of interest to any employer using or considering using biometric identifiers such as fingerprints, facial recognition, or retina scans in connection with employee identification, access and security protocols. The article discusses the recent rash of class action litigation against employers arising out of Illinois’ biometric privacy law. Read the full blog post here.
Our colleagues over at the Privacy & Security Matters blog wrote a really good piece entitled “It’s Tax Time – Don’t be Phished,” which guides employers on how to avoid phishing scams during this tax season. It’s a must-read because the targets of these scams are HR and payroll departments, and employer awareness is necessary not only to protect employees, but also because responding to one of these scam emails constitutes a reportable data breach under state laws. Employers could have significant liability for failure to provide notice to employees and/or state regulators (where required).
From: Ned Help
To: Carrie Counselor
Date: June 1, 2016
Subject: Lost laptop containing European customer information
A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities. The employee was Abbie Absent-Minded. Well, we hit a snag pretty quickly. Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found. It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it. Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product. She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.
I assume that we should tell our prospective client that the laptop with their customer data was lost. What else do we need to think about?
From: Carrie Counselor
To: Ned Help
Date: May 19, 2016
Subject: RE: Privacy considerations for employees working abroad
I understand that one of your employees will be engaging in a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy. Great question! This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.
Everyone loves a good courtroom drama. So just imagine this pitch: henchmen of an evil dictator hack their way into a movie studio computer system. Once inside, they steal the most sensitive personal information of the studio’s stars, executives and employees. Their most intimate secrets, spilled over the Internet. Who can help these poor souls? Why, the brave and hard-working class action lawyers, that’s who. Through grit, pluck and lawyerly derring-do, our intrepid heroes soon bring the evil wrongdoers to justice. Think “The Manchurian Candidate” meets “Erin Brockovich.”
But real life is rarely like the movies, even when it involves the movies. Yes, Sony Pictures Entertainment (“SPE”) did suffer a cyberattack that disclosed employees’ personally identifiable information (“PII”). The data breach was allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. And class action litigation predictably followed. But the evil wrongdoers who faced the wrath of class counsel? Alas, the hackers were inconveniently beyond the reach of our legal system and, thus, unavailable to answer for their crime. So SPE, the studio victimized by the hack, would have to do.
And the result of this drama?
My colleague, Mitch Danzig, was quoted in a SHRM article entitled “Keep Employees on the Ball During March Madness,” in which he provides strategies for employers to avoid legal claims when monitoring employees’ computer use. The article outlines ways employers can both manage “cyberslacking” and boost morale in the workplace during March Madness.
My colleague, Sue Foster, is out with a quick, but important post on our sister blog, Privacy and Security Matters, about a European Court of Human Rights decision that approved employer access to personal employee communications under limited circumstances. You can read it here. As Sue notes, the decision serves as a reminder that employers should consult local counsel before monitoring employee communications.
In a sign of the growing trend of states enacting statutes protecting employee privacy, Maine became the latest state to prohibit employers from requiring employees and job applicants to provide passwords to their personal Facebook and other social media accounts. Since 2012, nearly half of the states have passed such laws. Indeed, since February alone, when we discussed this issue in our employment privacy webinar, three states enacted social media privacy laws, including Connecticut. We briefly outline Maine’s new law below.
The NLRB continued its assault on employee handbooks and policies, as an administrative law judge recently found several provisions in the Macy’s handbook, including the confidential information policy, to be unlawful, as employees would reasonably read them to restrict protected concerted activity. Specifically, the judge ruled: “The Respondent violated Section 8(a)(1) of the Act by unlawfully restricting its employees’ use of information regarding their fellow employees and the Respondent’s customers, the use of the Respondent’s logo, and requiring the employees to notify Respondent’s Human Resources representative prior to providing information for a government investigation.”
These days most employers manage a vast amount of electronic information about their employees, including the employees’ personal identifying information. But what obligations do employers have to unionized employees with respect to managing that information and bargaining with them in the event of a breach of their private information?