NLRB Holds "Facebook" Firing Justified on Alternative Grounds, but Finds Policy Unlawful
As we have discussed on our blog, the National Labor Relations Board (NLRB) has continued a campaign of enforcement actions against employers who, according to the NLRB, have unlawfully terminated employees for discussing working conditions on social media. As we reported, in the first of such “Facebook” enforcement actions to come before an NLRB administrative judge, the employer was ordered to reinstate five employees and to pay back their wages.
On September 28, 2011, in the second “Facebook” case to reach an NLRB administrative judge, an employer was found to have been justified in terminating an employee car salesman for Facebook postings that mocked the employer and did not concern working conditions.
Continue Reading...Restrictions on Use of Consumer Reports in Hiring Process Enacted in California
On October 10, 2011, Governor Brown signed into law a bill, AB22, that restricts the use of consumer credit reports in the hiring and promotion process.
The law prohibits employers, with the exception of certain financial institutions, from obtaining a consumer credit report on the candidate or employee unless the position that the individual is seeking is:
- A position in the California Department of Justice;
- A managerial position, as defined in the statue;
- That of a sworn peace officer or other law enforcement position;
- A position for which the information contained in the report is required by law to be disclosed or obtained;
- A position that involves regular access to certain personal information for any purpose other than the routine solicitation and processing of credit card applications in a retail establishment;
- A position in which the individual is or would be a named signatory on the employer's bank or credit card account, or authorized to transfer money or enter into financial contracts on the employer's behalf;
- A position that involves access to confidential or proprietary information; or
- A position that involves regular access to $10,000 or more of cash.
The law also required employers to provide individuals with a written notice identifying the specific exception in the statute that permits the employer to obtain a report.
Assembly member Mendoza, who sponsored the bill, stated that "a credit report is not a good indicator of a person’s trustworthiness or work ethic.” “Many Californians are still experiencing financial hardships from the economic downturn including layoffs, increasing unemployment rates, and the continuing foreclosure crisis. All of these things make it harder for people to pay their bills,” added Mendoza. The Assembly member's statement echoes the view expressed by the Equal Employment Opportunity Commission (EEOC), which signaled that it believes that employers are denying jobs to applicants with damaged credit histories in cases where creditworthiness does not appear to be directly relevant to the job.
California follows Illinois and Oregon, which enacted in 2010 legislation that limits the use of credit reports for employment purposes. Maryland and Connecticut enacted similar legislation in April and July 2010, respectively. Similar laws are in place in Hawaii and Washington and are being considered in Illinois, Michigan, Missouri, New Jersey, New York, Ohio, Oklahoma, South Carolina, Vermont and Wisconsin. In addition, in December 2010, the EEOC filed an action accusing an employer of discriminating against minority job applicants in the hiring process on the basis of using the applicants’ credit histories. The EEOC has sought injunctive relief in its lawsuit, as well as lost wages and benefits and offers of employment for people who EEOC alleges were not hired because of the employer's use of job applicants’ credit history.
InfoLawGroup Takeaway
With the wind blowing on state and federal level against use of consumer reports for employment purposes, employers should review their HR policies to ensure that they collect consumer report information only in accordance with state and federal requirements. Employers also are well-advised to obtain consumer reports only when necessary to evaluate the fitness of a candidate or existing employee for the position the individual is seeking.
Facebook Firing III -- NLRB Strikes Twice in May!
Yesterday, we reported that the National Labor Relations Board (NLRB) took enforcement action on May 9, 2011 against against Hispanics United of Buffalo, a nonprofit organization that provides social services to low income clients, for firing employees over Facebook comments.
The NLRB announced today that it took yet another "Facebook firing" enforcement action on May 20, 2011. In this latest action, the NLRB alleged that a Chicago area BMW dealership fired an employee for posting critical photos and comments on Facebook.
The car salesman and coworkers were concerned about the quality of food and beverages at a dealership event promoting a new BMW model. The salesmen complained that their sales commissions could suffer as a result. Following the event, one salesman posted photos and commentary on his Facebook page criticizing the employer for serving only hot dogs and bottled water to customers at the event. Other employees had access to the Facebook page.
The following week, the dealership’s management asked the salesman to remove the posts, and he immediately complied. Nevertheless, shortly after a meeting with managers, the employee was terminated for posting the images and comments on Facebook.
The NLRB alleged that the employee’s Facebook posting was protected concerted activity within the meaning of Section 7 of the National Labor Relations Act, because it involved a discussion among employees about their terms and conditions of employment, and did not lose protection based on the nature of the comments.
The case is scheduled to be heard by an administrative law judge on July 21, 2011 in the Chicago Regional office of the NLRB.
InfoLawGroup Says:
The NLRB's third enforcement action makes a strong statement about the agency's view on the scope of employee social media protections, including the discussion topics the agency views as protected. The action item for employers is to carefully review and, as appropriate, revise their social media and employee conduct policies to ensure consistency with the NLRB guidance.
District Ct. Holds Use of Facebook at Work Does Not Violate the CFAA
Every now and then I wonder what goes through the mind of some litigation parties and their respective attorneys. Case in point the ongoing case of Wendi J. Lee v. PMSI, Inc., 8:10-cv-2904, out of the U.S. Middle District of Florida within the 11th Circuit Court of Appeals.
Ms. Lee filed suit against PMSI, her former employer, in Florida state court after being fired from her position as a Proposal Developer in PMSI’s Marketing Department. In her complaint she alleged violations by PMSI of Title VII of the Civil Rights Act and Florida’s analogous Civil Rights Act of 1992 (FCRA), for “discrimination because of pregnancy.”
After removing to federal court, PMSI moved to dismiss count 2 (the FCRA claim), which was denied, and then answered, which was in turn followed by an amended answer with a counterclaim “for violation of the Computer Fraud and Abuse Act, as amended by the Computer Abuse Amendments Act of 1994, 18 U.S.C. §§ 1030 and 2707.” PMSI’s counterclaim maintained that “Lee’s internet usage substantially exceed the usage of her coworkers in the Marketing Department” and that such usage “exceeded her authorization to use the internet by accessing and spending large amounts of paid work time visiting personal websites such as Facebook . . . while on company paid time and from a company owned computer.”
The Court's Order in response struck PMSI's attempted use of the CFAA with prejudice.
Continue Reading...Israel's National Labor Court Imposes Strict Limits on Employee Monitoring
Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that a decision by Israel's National Labor Court imposes severe restrictions on the employers' ability to monitor employee emails. Organizations with employees in Israel must promptly take steps to verify that their employee monitoring policies and practices in the country are consistent with the ruling.
Continue Reading...InfoLawGroup's Boris Segalis Interviewed by Fox Live on NLRB Facebook Firing Settlement
Yesterday we wrote on our blog about the NLRB's Facebook firing settlement. I was interviewed on Fox Live this morning about the case, its implications for employees and businesses, and other developments in workplace privacy. You can view the clip by clicking here.
Employer Settles Facebook Firing Suit with NLRB
The National Labor Relations Board (NLRB) has announced that settlement has been reached in the closely watched Facebook firing suit brought by the agency.
We have previously reported that the NLRB filed an administrative complaint against a Connecticut ambulance company alleging that the company violated an employee’s federal rights by firing her for criticizing a manager on Facebook. In the complaint, the NLRB took the position that union and non-union employees have a right to criticize their employers, management or working conditions, and cannot be punished for engaging in such protected activity. The NLRB also alleged that the company maintained overly-broad rules in its employee handbook regarding blogging, Internet posting, and communications between employees. The complaint asserted that an employee’s right to criticize the employer and management is an extension of the federal right to discuss unionization and form unions.
Continue Reading...Employee Privacy Gains in the United States
2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.
Continue Reading...Legal Implications of Cloud Computing -- Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)
So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Well, maybe not just historically. As recently as last year, I attended an ediscovery CLE where a trial lawyer announced to the audience of litigators, with great emphasis, that they would have to start talking to the "geeks" and understanding technology in order to competently handle ediscovery in almost any commercial litigation. This made the audience laugh. I have found myself on conference calls with seasoned litigators who claim that ediscovery is not their area of practice. As a more general matter, I find that lawyers believe that they do not need to concern themselves with security controls for protecting sensitive information because they are already subject to existing ethics rules and standards governing the protection of privileged information. In the meantime, lawyers everywhere, particularly solo practitioners, are singing the virtues of cloud computing solutions for case management and are casually storing client data - often unencrypted - with a third party.
Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This is true both from a legal ethics point of view and from a best practices data security point of view. The issue of ethics and the use of cloud by lawyers is not new - I recommend this piece by Jeremy Feinberg and Maura Grossman and this blog post by E. Michael Power. A few State Bar associations have opined on the subject of lawyer use of cloud computing and other technologies. This blog post does not purport to cover that entire universe. Instead, this post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients’ confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.
Continue Reading...European Reservations?
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That’s not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
In April, the Düsseldorfer Kreis, an informal group of state data protection officials that attempts to coordinate approaches to international data transfers under Germany’s federal system, called on the US Federal Trade Commission to increase its monitoring and enforcement of Safe Harbor commitments by US companies handling European personal data. On July 23, Dr. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein (capital: Kiel), issued a press release provocatively titled “10th Anniversary of Safe Harbor – many reasons to act but none to celebrate.” Dr. Weichert cites an upcoming report by an Australian consultancy (Galexia) asserting that hundreds of American companies claiming to be part of the Safe Harbor program are not currently certified, and that many Safe Harbor companies fail to provide information to individuals on how to enforce their rights or refer them to costly self-regulatory dispute resolution programs. Dr. Weichert urges a radical solution: “From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately.”
Dr. Weichert also attracted international attention with another press release issued this summer, entitled (translating loosely) “Data protection in cloud computing? So far, nil!” The press release refers to his recently published opinion on “Cloud Computing und Datenschutz,” which is deeply skeptical about the ability of cloud customers to assure compliance with European data protection laws.
Quon: US Supreme Court Rules Against Privacy on Employer-Issued Devices
The United States Supreme Court issued its decision today in City of Ontario, California v. Quon, ruling that a public employer's examination of an employee's personal text messages on a government-issued pager did not violate the Fourth Amendment. Justice Kennedy's opinion for the Court remarked that a review of messages on an employer-provided device would similarly be regarded as “reasonable and normal in the private-employer context.”
Continue Reading...Do the New EU Processing Clauses Apply to You?
A new set of EU standard contract clauses (“SCCs” or “model contracts”) for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU “Article 29” working group on the concepts of “controller” and “processor” under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
Continue Reading...Social Networking: Setting Boundaries in a Borderless Brave New World
The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.
Continue Reading...Information Governance
When it comes to creating policies for handling personal data in an organization, who decides? How are those policy decisions made and kept up to date?
These are questions of governance – I would call it “information governance.” Most large enterprises have established responsibilities and procedures for information technology governance and specifically for IT security policies, procedures, procurement, management, and training. In many cases, however, these have not been fully mapped to personal data compliance and risk management requirements, which should be defined and monitored by a somewhat different group of people, from departments beyond IT and security. Unless privacy issues are visible in the internal governance process, the organization – and the individuals that deal with it -- may be exposed to some nasty surprises.
My Notes from the IAPP Global Privacy Summit 2010
As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions.
Continue Reading...Live from the IAPP Global Privacy Summit in Washington, DC, It's Monday Afternoon
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days:
- How can we harmonize the EU Data Protection Directive and EU member country privacy laws with the flow of data in today's global economy? It is unfortunate that a number of IAPP participants from the EU will not make it to DC for the Summit this year due to the Icelandic volcano. Nonetheless, I expect active dialogue regarding cross-border data transfers, safe harbor v. standard contractual clauses v. binding corporate rules, and, in particular, the impact of the growth of cloud computing and other outsourcing arrangements (or, at least, the growth of the hype around cloud computing). It would also be nice to hear more about the EU Cookie Consent law - there is a panel scheduled to take place, but unknown if that will happen in light of the volcano debacle.
- HIPAA/HITECH and Medical Identity Theft: Health care privacy topics are hotter than ever, especially with the growing number of reported security breaches affecting more than 500 individuals under the new HHS breach notification rules promulgated pursuant to the HITECH Act.
- "Reasonable Security": What does Massachusetts think? What does the FTC think? What in the world is it and how in the world can organizations comply?
- On a related note, FTC Enforcement, with a focus on behavioral marketing issues and evolving notions of notice and consent. What trends will we see over the next several years, particularly with the growth of social media and online behavioral advertising?
- Social media: how it affects the workplace, corporate policies and procedures, and "reasonable expectations" of privacy.
- The forecast for federal legislation - not just on breach notification, but security requirements, online behavioral marketing and, getting lots of media attention these days, potential revisions to ECPA (being driven, once again, by the cloud computing explosion).
- Breaches, breaches, and more breaches. Of course.
A few things that appear to be missing from this year's agenda - the FTC's current review of the rules under the Children's Online Privacy Protection Act (COPPA), enforcement of the Red Flags Rule (the FTC will start enforcing the Rule June 1), and the growing number of state laws (Washington, Nevada, Minnesota) requiring compliance with the PCI Standard.
Stay tuned, I will endeavor to post developments on a daily basis.
Privacy, Privilege, and the Cloud, Oh My: Taking LovingCare to Heart
What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation.
The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis below.
Continue Reading...
