Read about privacy issues related to swine flu.
Once upon a time, workplace privacy wasn’t much of an issue. Sure, there were rules about safeguarding employees’ personal information, but a locked file cabinet would pretty much take care of that.
With the advent of e-mail, the Internet and computer-stored data, employee privacy rights became a little more complicated. Lawyers started advising companies to establish electronic use policies, informing employees of the employer’s right to monitor their e-mail and Web-surfing activities and warning them about using company computers for personal purposes. Data breaches exposed employers to lawsuits from workers concerned about identity theft. Still, it was fairly simple to draw the line between the employer’s right to protect his business and the employee’s right to privacy.
In the past few years, the rapid spread of social networking, blogging, text messaging and tweeting, along with the mobility hand-held communications devices make possible, have taken employee privacy law to a whole new level. The lines between personal and business communication are blurred. And a new generation has entered the workforce tightly tethered to their friends and family 24/7 and accustomed to electronically sharing almost everything that crosses their minds.
These new forms of communication offer employers both opportunity and liability. For in-house counsel, the privacy issues they raise often are confusing. Federal laws governing privacy in communication–such as the Stored Communications Act and the Electronic Communication Privacy Act–were written by Congress in the mid-1980s, long before the age of Facebook and Twitter, and the courts are only now starting to issue rulings in privacy cases involving the new technologies. As a result, even attorneys who specialize in privacy don’t always agree on what makes prudent policy.
“The technology is advancing so quickly that the law is playing catch-up right now,” says Sara Begley, a partner at Reed Smith.
Many employers aren’t waiting for the courts to resolve the legal nuances. They are monitoring social networking sites to find out whether employees are posting negative information or remarks about their company and how they are presenting themselves. And they are seeking out online information about job candidates that isn’t apparent from a resume.
In a recent CareerBuilder survey, 45 percent of hiring managers reported that they use social networking sites to screen potential job applicants. And 35 percent said the information they found–such as indications of drug and alcohol use or provocative pictures or messages–resulted in rejecting a candidate.
The employer’s motivation often comes from pressure to find the perfect candidate, particularly when hiring resumes after a downsizing.
“If an employer has reduced his staff by 25 percent and finally is comfortable about hiring a candidate, they want to be darned sure the new hire is the right fit for the position,” Begley says. “An easy way to get insight is to take a look at what is out there in the social networking universe. Nothing limits an employer from doing that.”
The popularity of such practices has spawned Web sites like Yasni.com that make it easy to turn up personal and professional information and photos posted on social networks and blogs. But with opportunities for more prehiring information comes added risk, especially from the Fair Credit Reporting Act. The FCRA requires notice and consent prior to pulling a report from a consumer reporting agency, and notification if the candidate is rejected based on the report. Issues arise over what is and isn’t a credit report for employment purposes, according to Andrew Serwin, a partner at Foley & Lardner, and several kinds of background checks can generate FCRA claims.
An employer also can run afoul of employment discrimination laws if the snooping reveals information about an applicant’s age, race or other protected category.
“An employer may access a social media site that contains information on how the applicant is dealing with being bulimic or diabetic, which could be information that the employer wouldn’t otherwise have,” says Philip Gordon, who heads Littler Mendelson’s privacy group. “If you reject that applicant, you may have to prove you didn’t rely on that information in violation of the ADA (Americans with Disabilities Act).”
Brian Flock, a member of the employment privacy group at Perkins Coie, suggests that people who screen applicants through an online search limit the information they pass on to the decision makers.
“I don’t think you shouldn’t look at information online,” he says. “But you should redact information that you shouldn’t be considering [in the hiring decision], such as date of birth, or the fact that they are pregnant or have a disability.”
Employers aren’t limiting their social networking searches to prospective employees. According to Deloitte’s 2009 Ethics and Workplace Survey, 60 percent of business executives believe they have a right to know what their existing workers say on such sites about themselves and their organizations.
As long as the information is publicly available, employers don’t run the risk of violating an existing employee’s privacy by accessing a personal blog, for instance. But circumventing the protections of Web sites that are password-protected or that shield information users post may generate risk. Facebook’s system, for instance, can be set to require the originator of the page to accept potential viewers as “friends.”
“There’s a distinction between what’s out there for the world to see, and what is restricted access,” says Christine Lyon, a partner at Morrison & Foerster.
Employers who want to snoop sometimes devise ways to bypass protected sites. For example, they may send a “friend” request under a false name that the unsuspecting employee accepts. Or they may find an employee who is already a friend and use that person to provide access.
In a recent New Jersey case, restaurant employees created a password-protected MySpace page where they complained about their jobs [see 3rd Circuit, October 2009, p. 64]. Two employees were fired for statements they made on the page after an employee gave the password to a manager who asked for it. A federal court allowed the fired employees’ invasion of privacy suit to go to trial to resolve the question of whether management coerced the employee who provided the password. In June, a jury found that the restaurant violated the federal Stored Communications Act and the New Jersey Wiretapping and Electronic Surveillance Control Act, and that management acted maliciously. Because it was one of the first cases to address the issue of employer Web snooping, Pietrylo v. Hillstone Restaurant Group set off alarm bells.
“Until there is more case law, this is a high risk area,” says Gordon.
Existing employees can also claim that an adverse action, such as being passed over for promotion, resulted from a protected status the employer discovered on a Web site.
“You find out more than you wanted to about your employees’ personal lives,” says Lyon. “An employee can later say an adverse action taken against them was because of a protected aspect of their life.”
Many states also have laws protecting employees against adverse actions based on legal off-duty conduct–particularly smoking. That bars employers from taking action against employees for legal activities on their personal time that may surface in online photographs.
While employers have a legitimate interest in comments posted online that hurt their brand, infringe their IP, or include inappropriate remarks about other employees, deciding whether to discipline an employee for comments or behavior not directly related to work is much harder.
“When you are dealing with off-duty conduct, do you even want to go there?” asks Serwin. “A lot of companies say, ‘Off-duty conduct is not our problem. We have enough problems regulating employees here; we don’t want to regulate them when they are not here.’”
Joseph Lazzarotti, a partner at Jackson Lewis, points out that someone else could post false information about an employee, and it may even be difficult to determine whether photos have been altered to make the employee look bad. Trying to take down comments the employer perceives to be defamatory to the company can backfire, he adds, directing attention to something that otherwise might have gone unnoticed.
“It’s all very raw right now,” Lazzarotti says. “There is very little guidance on how to deal with it.”
Lyon suggests that employers step back and consider whether they are getting too much information about their employees’ personal lives.
“Employers should be thoughtful about when they are looking at social networking sites and really consider whether that is something they need to be doing,” says Lyon. “Curiosity is not a sufficient reason because there are drawbacks.”
Social networks, of course, are not the only place where employers can monitor their employees’ thoughts and behavior.
The California Supreme Court recently issued an opinion warning employers about the risks of covertly videotaping their workers. The case, Hernandez v. Hillsides Inc., involved two employees of a facility for abused and neglected children who sued their employer for invasion of privacy after finding a small video camera hidden in their shared office. The employer explained he had installed the camera to find out who was entering the office at night and using the women’s computers to access pornographic Web sites, and that the camera was never turned on when the women were in their office.
The state high court eventually dismissed the case based on the limited nature of the invasion and the employer’s reason for doing it. But the court also warned employers not to engage in surveillance if the employees within camera range aren’t given adequate notice that they are being recorded.
“The message of this case is be very careful before doing video surveillance, particularly in offices or other nonpublic areas,” says Lyon.
While policies informing employees about Internet and e-mail monitoring are almost universal now, such surveillance “is still a very hot topic,” Lyon says.
In one recent case, an employee sued for violations under the Stored Communication Act after discovering that her former employer had accessed her personal e-mail account more than 100 times both during and after her employment [see 4th Circuit, June 2009, p. 67]. A U.S. District Court granted the plaintiff in Van Alstyne v. Electronic Scriptorium Ltd. statutory compensatory and punitive damages. In March, the 4th Circuit vacated the statutory damages award, saying the plaintiff suffered no actual harm. But it asked the district court to reconsider the amount of punitive damages in light of the loss of statutory damages.
Another recent area of litigation involves employers accessing personal e-mail accounts and finding communications between employees and their attorneys. Decisions in such cases have gone both ways, Lazzarotti says. In Stengart v. Loving Care Agency, a New Jersey appellate court found that even though the employer notified employees that their electronic communications would be monitored, accessing an employee’s e-mails sent from her personal account to her attorney wasn’t justified [see 3rd Circuit, September 2009, p. 76]. A New York state appellate court in 2007 ruled just the opposite in Scott v. Beth Israel Medical Center, saying the employee waived attorney-client privilege when he used his work computer to communicate with his attorney because the employer’s policy had warned him such communications would not be private.
“The critical thing is having clear policies, but even then it’s not entirely foolproof,” Lazzarotti says.
For example, courts have found that an electronic use policy can become meaningless if it isn’t consistently communicated and enforced. In Quon v. Arch Wireless [see 9th Circuit, September 2008, p. 73] the 9th Circuit ruled that a police officer had a reasonable expectation that the content of his text messages would be private, even though his employer had a policy to the contrary. The officer’s superior had created the zone of privacy by telling the officer the city would review text messages only if he refused to pay overage charges on the text messaging account, the court said.
The line of reasoning in Quon v. Arch Wireless has led some employers to change their electronic use policies.
“The early policies said the employer will monitor e-mail, Internet use, phone calls and other forms of communication,” Flock says. “In some cases we’ve had to back down on that,” rather than run the risk of creating a zone of privacy by not consistently applying the policy. “Instead, we use language like, ‘The employer reserves the right to monitor.’”
Similar reasoning should guide social networking policies, many privacy experts say. While it is critical to update an existing electronic communication policy to cover social network monitoring and employer expectations of social networking conduct, the employer should also be reasonable, Begley says.
“To keep morale high, employees should not feel they are coming to work at a police state,” she says.
Especially for younger employees, a policy limiting what they say online is a turnoff, Gordon adds.
“It’s like being handed a cocktail party policy telling people what they can and cannot say at a cocktail party,” he adds. “It may cause people to ask, ‘Do I want to be working for this company?’”
In the end, it comes down to a matter of determining what policy provisions are realistic, Lyon adds.
“My viewpoint is that you want the policy to accurately reflect reality,” she says. “If the reality is that employees check their Yahoo e-mail at work, look at CNN online at lunchtime and access Web sites on their breaks, and you don’t object, then it is better to acknowledge that we do permit incidental personal Internet use as long as you don’t do it on work time and you are responsible about it. You don’t want to have a policy so strict that it isn’t enforced.”