You’d think we’d all know the dangers of “reply all” by now

Is there any more helpless feeling in today’s business world than sending an email, and then immediately realizing that you made a mistake? The biggest cause of an emailer’s stomach sinking through the floor—”reply all.” We’ve all had it happen. This story from the Toronto Star explains how a reply-all mistake brought one company an expensive wrongful discharge lawsuit:

Maria Fernandes … accidentally received an email discussing whether or not she should be fired.

Court documents allege that Linda Guerin, the company’s Director of Operations intended to send the email to the company’s lawyers. Too late she realized Fernandes was also on the list and she unsuccessfully sent three recall notices. She also sent an email to Fernandes asking that she delete the message without opening it.

Fernandes read it, treated the information in the email as a constructive dismissal and hired a lawyer. She had worked for the company for over six years and was earning $145,000 a year.

This case is a great reminder that a mis-addressed email can cost employers dearly in a wrongful discharge lawsuit. Other reply-all risks include the disclosure of trade secrets and other confidential information.

How do you protect against this problem affecting your business? The Toronto Sun article discusses some add-ons for Outlook that will either remove the “reply all” button or require an extra confirming step to use it.

Technology, however, will only mask the symptoms. It will not cure your workplace of this problem. To really attack the problem, you need to educate and train your employees.

• Do you train your employees on proper email etiquette, including when to use (and, more importantly, not use) “reply all?”
• Do you teach your employees to proofread entire emails carefully before they click “send,” including double-checking the “to,” “cc” and “bcc” boxes?

A cautionary tale on what happens when you botch a litigation hold

All the way back in October 2010, I provided 10 tips for issuing an effective litigation hold. What happens, however, if your litigation hold is not effective, or, worse yet, not issued in the first place? EEOC v. JP Morgan Chase Bank (S.D. Ohio 2/28/13) should be required reading for any company on the serious consequences that can occur from a botched litigation hold.

In this Title VII litigation, the EEOC claimed that the bank removed female employees from a mortgage call center queue and instead directed the more lucrative calls to male employees. In support of this claim, the EEOC sought the production of certain records that would show which calls an employee should have received based on their level of skill. According to the EEOC, a statistical analysis of that data would show sex discrimination. When the bank refused to produce the records, the EEOC filed a motion to compel, which the court granted for a limited period. The bank, however, could not produce certain of the records, as it had already destroyed them as the result of its routine purging of electronic records.

The court concluded that the bank’s admitted destruction of evidence was inexcusable:

Plaintiff provided Defendant with notice on numerous occasions of the need to retain the destroyed data…; these notices came immediately prior to the destruction of relevant data from the three years prior. This data likely would inform Plaintiff’s claims and Defendant’s defense….

Defendant’s failure to establish a litigation hold is inexcusable. The multiple notices that should have triggered a hold and Defendant's dubious failure if not outright refusal to recognize or accept the scope of this litigation and that the relevant data reaches beyond the statutory period present exceptional circumstances….

Defendant’s destruction of evidence under the auspices of routine purging has hampered the ease of if not the ability to uncover exactly what if anything impermissible has transpired here.

As a sanction, the court denied the bank’s motion for summary judgment and provided the EEOC with an instruction that the jury could draw an inference adverse against the bank based on its document destruction.

The importance of this lesson cannot be overstated. As soon as you reasonably anticipate litigation, you have an absolute duty to implement a written litigation hold that both instructs employees to preserve paper and electronic records relevant to the case, and suspends any automated processes that otherwise might result in the destruction of such records. If your lawyer is not having this conversation with you, it’s time to find a new lawyer. As JP Morgan Chase illustrates, the penalties for non-compliance can devastate your case.

Do employees have any privacy rights in personal emails sent from corporate accounts?

Earlier this week, a story broke reporting that Harvard University surreptitiously viewed the work emails of 16 residential deans as part of its investigation into a cheating scandal. Your level of outrage at Harvard’s investigation will depend entirely on the degree to which you believe employees have an expectation of privacy in a corporate email account.

According to U.S. v. Finazzo (E.D.N.Y. 2/19/13), employees enjoy no such expectation of privacy, provided that you have the right language in your email policy.

In Finazzo, the U.S. government alleged that Christopher Finazzo, an executive at the clothing retailer Aéropostale, received illegal kickbacks from transactions between his employer and one of its vendors. During an unrelated internal investigation, Aéropostale discovered an email in Finazzo’s Aéropostale email account between him and his personal attorney. That email contained a list of Finazzo’s personal assets, which included several companies he co-owned with the vendor from whom he received the illegal kickbacks.

In his subsequent federal criminal trial, Finazzo attempted to block the government from using that email against him. The trial court denied his motion, holding that he had no expectation of privacy in his work email account.

In reaching this conclusion, the federal court relied upon Aéropostale’s email policies, which stated:

Except for limited and reasonable personal use (e.g., occasional personal phone calls or e-mails), Company Systems should be used for Company business only. Any limited exceptions to this rule must be approved through the IT department. Under no circumstances may Company Systems be used for personal gain or profit; solicitations for commercial ventures; religious or political issues; or outside organizations. Company Systems may not be used to distribute chain letters or copyrighted or otherwise protected materials….

You should have no expectation of privacy when using Company Systems. The Company may monitor, access, delete or disclose all use of the Company Systems, including e-mail, web sites visited, material downloaded or uploaded and the amount of time spent on-line, at any time without notification or your consent.

The court concluded that Aéropostale’s policy, and Finazzo’s knowledge of it, disposed of any claim  that the email exchange with the personal attorney was private and therefore privileged:

Finazzo has no reasonable expectation of privacy or confidentiality in any communications he made through his Aéropostale e-mail account. Aéropostale had a clear and long-consistent policy of limiting an employee's personal use of its systems, reserving its right to monitor an employee's usage of the system, and making abundantly clear to its employees, including Finazzo, that they had no right to privacy when using them.

Do you have an email or workplace technology policy? Do your employees know that you have such a policy? Does  your policy—

1. Warn employees that they have no expectation of privacy in corporate emails or in their use of corporate systems?
2. Ban personal use of corporate systems or email, or limit such personal use to what is reasonable and occasional?
3. Reserve the right of the company to monitor employee use of its systems, including emails?

Following these simple steps will go a long way to dispelling any idea by your employees that their work email is private, while providing you sufficient coverage lest anyone challenge your ownership of employee corporate emails and or your right to search such emails.

Laughing out the door: half of employees admit to stealing corporate data

Do you worry about the information, data, and other property your employees are taking with them after a resignation or termination? If you believe the results of a recent survey conducted by Symantec, if you’re not worried, you should be.

According to the survey, half of employees who left or lost their jobs in the last 12 months kept confidential corporate data, and 40 percent plan to use it in their new jobs. The results are jarring:

• 62 percent of employees believe that it is acceptable to transfer work documents to personal computers, tablets, smartphones, or into the cloud, and most never delete the data they’ve moved.
• 56 percent see nothing wrong with using a competitor’s trade secrets.
• Given the example of a software developer who develops source code for a company, 44 percent believe the employee has some ownership in the work and inventions.
• 51 percent think it is acceptable to take corporate data because their company does not strictly enforce policies.

Based on these results, Symantec makes the following three recommendations for companies hoping to shore up their data:

• Employee education: Organizations need to let their employees know that taking confidential information is wrong. IP theft awareness should be integral to security awareness training.

• Enforce non-disclosure agreements (NDAs): In almost half of insider theft cases, the organization had IP agreements with the employee, which indicates the existence of a policy alone—without employee comprehension and effective enforcement—is ineffective¹. Include stronger, more specific language in employment agreements and ensure exit interviews include focused conversations around employees' continued responsibility to protect confidential information and return all company information and property (wherever stored). Make sure employees are aware that policy violations will be enforced and that theft of company information will have negative consequences to them and their future employer.

• Monitoring technology: Implement a data protection policy that monitors inappropriate access and use of IP and automatically notifies employees of violations, which increases security awareness and deters theft.

Of these three, the enforcement of agreements and other legal rights against the theft of confidential information and other corporate data is the most effective. Companies do not like litigation—it’s expensive, time consuming, and uncertain. Yet, when your intellectual and other property is involved, you have no choice. There exists no greater deterrent to copycat misconduct in the future than putting a thief through the legal wringer. Your employees will know that your agreements have teeth and that you will go to mat to enforce them. The hopeful result is that they will think twice about walking out the door with even a promotional pamphlet, keeping your corporate information and other property secure.

The revolution WILL be televised … Shore up your social media before a termination

Last week, music retailer HMV laid off 190 employees. One of the affected, a former HR employee, hijacked the company's Twitter account and live-tweeted what he described as the “Mass execution, of loyal employees who love the brand. #hmvXFactorFiring ”

In addition to everything else companies have to worry about when terminating employees (lawsuits, sabotage, theft of confidential information, low morale), companies now also have to worry about the maintenance of their public image via social media.

We live in a world in which the walls of privacy are not-so-slowly eroding. Nothing can damage a company’s reputation more quickly than a viral campaign. We no longer have to worry about employees merely discussing the nitty-gritty of a termination. Today, we have to worry about our employees broadcasting it to the entire world in 140 character insta-bursts. And, there’s not much you can do about it after the fact. Once the information is out, it’s out. HMV deleted the tweets, but all it took was one person to “print screen,” and the next thing you know bloggers around the world are republishing the information it tried to hide.

While there is not much you do after the fact, there is one thing you can do before the fact. If you are concerned about employees live-tweeting a termination or a mass layoff, disable their access to your social media channels before you tell them. Change their passwords. Remove their logins. Is there a chance they’ll figure out something is afoot before you officially communicate the termination? Absolutely. Does the harm to your business from that risk pale in comparison to the viral harm you will suffer if said employees hijack your official social media channels? You bet.

Damn You Auto Correct! (train your employees to proofread)

Do you have employees under the age of 35? If so, the odds are that they communicate with each other with text messages on their mobile devices. If you’ve ever texted, you know the evils of autocorrect. For the uninitiated, autocorrect is a function of today’s smartphones that automatically changes an unrecognized word to its closest match.

Sometimes, these auto-corrects have hilarious results.

Of course, one employee’s hilarious is another’s offensive, which brings us to today’s HR lesson.

When you hold your annual harassment training (you hold annual harassment training, right?) you might want to consider mentioning the evils of autocorrect. You will never succeed in having the Gen-Y’ers and Gen-Z’ers exchange their iDevices for more face-to-face conversations. You may succeed, however, in educating on the importance of proofreading messages before they are sent, which, in turn, could save you the time and expense of an internal harassment investigation, or, worse, defending a lawsuit.

This post originally appeared on The Legal Workplace Blog.

Your New Year’s resolution: draft a social media policy

Recently, Proskauer Rose published the results of its second survey covering social media in the workplace. Social Media in the Workplace Around the World 2.0 [pdf] questioned 250 multinational businesses on their social media policies and practices.

The results?

• 75 percent of businesses reported using social media for business purposes
• 77 percent permit at least some employee to access social media sites at work for non-business purposes,
• 69 percent have a social media policy,
• 46 percent have a social media policy that covers on-duty and off-duty activities.
• 33 percent their employees on the appropriate use of social media.

Employers, here is your New Year’s Resolution for 2013—draft a social media policy and train your employees on what it means.

Social media is still novel. Most of your employees do not understand how their off-duty online activities can impact their jobs. If you want to hold your employees accountable for what they say and do online both at work and outside of work, establish expectations. Put it in writing and explain to your employees what the policy means. That way, if you have to take action against an employee for something he or she says online, no one has any excuses.

According to a recent study, 88 percent of New Year’s resolutions fail. Strive to be among the minority that succeed in keeping their resolutions. Your employees will thank you.

Happy New Year!

The Internet is today’s employee complaint box

In Amalgamated Transit Union Local 1433 [pdf], an NLRB administrative law judge ruled that a union did not violate federal labor law by failing to disavow threatening posts made by employees on the union’s Facebook. While the legal nuances of the opinion are interesting, this case raises an issue of deeper import for employers. Labor unions are using social media, and using it effectively, to disseminate information to members and to reach potential members during organizing drives.

It is not just labor unions that are using social media and the Internet to engage employees collectively. Employees are using these tools outside the organizational outreach of labor unions.

Case in point—the recent launch of coworker.org. “What is coworker.org,” you’re asking yourself? “I’ve never heard of it.” I never had either until I read a post yesterday on the Workplace Prof Blog. Coworker.org, describes itself as a website that allows employees to start, run, and win campaigns to change their workplaces. Employees accomplish this mission on the website by starting online petitions.

To date, coworker.org only has one active campaign. It’s against Wal-Mart, seeking the reinstatement of an employee allegedly fired for speaking out against having to work on Black Friday.

I’ll be watching coworker.org to see if it gains any traction. Employers should be watching this site too, but not for the reason you think. Retaliation against any employees who post on the site would be illegal under the National Labor Relations Act, as employees have a right to engage in protected concerted activity.

Instead, employers should pay attention to coworker.org for the same reason they should pay attention to the Amalgamated Transit Union Local 1433 case, Facebook, Twitter, and the blogosphere. Employees are online, talking about what is happening in your workplace. The Internet is today’s complaint box. If you want to fix problems before they get out of control, you need only turn to social media sites and sites like coworker.org and Glassdoor. If your employees are online complaining about you, should you be paying attention?

Some workplace social media stats to start your week

Northeast Ohio’s Employers Resource Council recently published the results of its 2012 Social Media in the Workplace Survey [pdf]. Some of the results are eye-popping (and not necessarily in a good way):

For example, I find it hard to believe that only 47% of organizations have a social media policy in place.

It’s also hard to believe that only 27% of organizations in Northeast Ohio are using social media for recruiting. Some surveys peg the national number at closer to 90%. Is it possible that our region is that far behind the curve on this issue?

Consider these numbers on the prohibition on the use of social media in the workplace:

• 55% prohibit employee use of social media during work hours on a company-issued computer
• 43% prohibit employee use of social media during work hours on a company-issued mobile device
• 32% prohibit employee use of social media during work hours on a personal mobile device

How about the percentage of companies that block access to various social media sites on company computers:

• 26% block employee access to Facebook
• 18% block YouTube
• 17% block Twitter
• 11% block blogs and wikis
• 9% block photo-sharing sites
• 7% block LinkedIn (Who is blocking LinkedIn, and why?)

With most employees keeping iPhones or Androids in their pockets, it is simply not feasible to prohibit the use of social media in the workplace, or block access to sites. The work-around via a mobile phone is just too easy for an employee to accomplish and too difficult for a company to police.

I also found enlightening the answers to this question—of organizations with a social media policy, what percentage contain these provisions:

• Guidelines for employees professional social media use — 43%
• Disclosure that social media use may be monitored — 35%
• Guidelines for employees personal social media use — 32%
• Guidelines for photo/video postings — 19%
• Guidelines for disclosing sponsorships and affiliations — 18%
• Guidelines over supervisor-employee social media interaction— 5%

If you are one of the 53% of companies that has a social media policy, and yet that policy is missing any of these key provisions, what is left for it to say?

Reading the results of this survey make it clear to me that businesses have a lot to learn about the intersection between social media and the workplace. Yet, companies are not necessarily at fault for being behind the 8-ball on these issues. The reality is that the technology is evolving more quickly than businesses can keep up with the resulting issues. After all, companies have issues on their plates other than employees’ Facebook pages. Yet, the more you fall behind, the harder it becomes to catch up. The pace of these issues will not slow in the coming years. In other words, companies need to get their arms around these issues now, or risk falling off the workplace social media precipice.

Whether your managers should “friend” subordinates may be gender based.

I’ve written before about whether you should allow your employees to connect with each across the various social networks (here and here).

Last week, The Washington Post reported on the upcoming publication of a white paper by Wharton School professor Nancy Rothbard, entitled, “OMG My Boss Just Friended Me.” In this white paper, professor Rothbard argues that an employee's decision of whether to accept the friend request made by a manager or supervisor depends on the “creep” factor—the gender of the person making the request:

The boss’s gender plays a role in an employee’s willingness to accept the invitation. In one experiment, Rothbard found that participants were more likely to accept Facebook friend requests from female bosses when the women disclosed more information about themselves online. When male bosses disclosed more information about themselves, however, participants were less likely to want to virtually connect with them.

What does this mean for your business's social media policy? It means you have lots to think about when adopting the right social media policy for your organization. For example, social media use has a generational component. Baby Boomers have a much different conception of how much is appropriate to share online than Gen-Xers, who, in turn, are more guarded than Gen-Yers and Millennials. Your social media policy has to account for these generational differences.

If professor Rothbard is correct, your social media policy also has to account for gender differences. Needless to say, there is no right or wrong answer to this question. As professor Rothbard’s whitepaper illustrates, however, these issues are highly nuanced, and need to be understood and accounted for in your workplace.

Some social media stats to chew on

Last week, Facebook announced that there are more than 1 billion people using Facebook actively each month. Think about that number for a second. It means that 1 out of every 7 people on Earth are active on Facebook. When you consider the vastness of our planet and the diversity of its social-economics, that number is staggering.

Of course, a number is nothing more than a number. What does that number mean to you, as an employer? It means that most of your employees are on Facebook (and Twitter, and LinkedIn, and YouTube, and Pinterest, and blogs, and, well, you get the point).

It also means that a lot of your employees will get themselves in trouble on social media. IIndeed, according to a recent survey published by Blogging4Jobs, 46% of company leaders believe that their employees will misuse social media and other workplace technology.

Some companies will react to this statistic by turning off the switch in their businesses—blocking social media websites and issuing policies prohibiting their access by employees at work. If you are inclined to go that route, consider these statistics, which come, via TLNT, from the SilkRoad Social Media and Workplace 2012 Report:

• Only 43 percent of employees responding to the survey report working in companies in which social media access was completely open in the workplace.
• Yet, 60 percent say that they check social media multiple times throughout the day on their mobile devices, with 75 percent checking it at least once a day or more.

In other words, unless you require that your employees check their mobile devices at the door (and suffer the anarchy that would likely ensue) it is impossible to prohibit employees from accessing personal social media accounts during the workday. And, if its impossible to monitor or enforce a policy, why have it in the first place?

Employers are increasingly worried about social media and workplace technology

What policy will cause employers to lose the most sleep in the coming year? According to a recent survey conducted by BLR, social media will be the most formidable challenge for businesses in 2013.

The complete answers to the question of which policy presents the biggest challenge to employers:

• social media: 47.1%
• cell phone use and distracted driving: 21.6%
• attendance and punctuality: 17.4%
• computer and Internet: 15.9%
• FMLA: 15.9%

Perhaps what’s more interesting, however, is that if you look at these issues more broadly, they fall into two main categories: technology and attendance. Amazingly, technology trumps attendance by more than 2.5 to 1 margin. You may not be convinced that workplace technology (which includes social media and mobile devices) is not the key issue currently facing employer. This survey, however, says otherwise.

Are you allowed to use social media at work?

This week, Lifehacker has been running a poll asking this question — are you allowed to use social networks at work? The results so far (from nearly 3,100 votes):

• 58.63% = Yes
• 25.8% = No
• 5.89% = Only at specific times
• 9.68% = Only on personal devices

What’s more interesting to me, though, is the comments posted by Lifehacker’s readers. I’ve chosen three to reprint, each of which illustrates an important point about employers’ attempts to regulate social media in the workplace.

1. My employer blocks everything but linkedin, yet they promote internally how they use and we are to use social media to promote and otherwise discuss (in a good manner of course) the company. It’s kind of ridiculous when you get an internal company wide email saying follow us, like us, etc and when you click on it, you get good ole’ websense saying “Denied.” (comment by SpiffyMcDougal)

Companies cannot promulgate a disconnect between their external social media efforts and their internal social media policies. Openness to the public at-large will cause resentment among your employees if you restrict internal access. It sends a mixed (and wrong) message.

2. I can use FB and other sites all I want on my phone because it's not connected to anything in the office. I'm sure it's not allowed but no one really cares. (comment by Dear Zeus)

Bans on the internal use of social media are mostly worthless. Employees are increasingly technologically savvy, and will figure out work-arounds. Why implement a policy that you cannot monitor or control?

3. As the IT Administrator, it was my call whether or not to block social media. I chose not to since I work with a bunch of responsible adults who put their work ahead of their social life. If they need to take a peek a few times a day, no one cares, and it's never become a problem. (comment by Sergio526)

This commenter absolutely hits the nail on the head. The issue of whether to ban or limit access to social media in the workplace is not a black or white issue. It’s an employee-by-employee issue. I am reasonably certain you don’t have a policy telling employees that they are forbidden from reading the newspaper all day long. Yet, if an employee’s productivity or performance is suffering because they can’t pry themselves away from the New York Times, you deal with the problem with that particular employee. The same holds true for Facebook, Twitter, YouTube, or Amazon. It’s only an issue if an employee makes it an issue. Deal with it as a performance problem for that employee, not as a systemic problem that might not exist across your workforce at large.

The language of the modern workplace

Merriam-Webster's Collegiate® Dictionary just released its list of new words for 2012. Three caught my eye.

According to the publisher, Merriam-Webster adopts new words based on usage:

To decide which words to include in the dictionary and to determine what they mean, Merriam-Webster editors study the language as it's used. They carefully monitor which words people use most often and how they use them….

To be included in a Merriam-Webster dictionary, a word must be used in a substantial number of citations that come from a wide range of publications over a considerable period of time. Specifically, the word must have enough citations to allow accurate judgments about its establishment, currency, and meaning.

Because these words have crept into the American lexicon, they should be accounted for in your workplace policies. Technology policies should cover information stored in and accessed from the cloud. Harassment policies and training should teach employees about the dangers of texting and other co-worker communications via mobile phones, email, and social media. And, if you get into a hot legal mess because you omitted these ideas from your policies, drop a few f-bombs (then call your lawyer).

Don’t forget these 5 security issues in your BYOD policy

BYOD might be the corporate buzz word for 2012. If you’re in the dark, BYOD stands for Bring Your Own Device. It represents employees connecting their own mobile devices to corporate networks, instead of using employer-issued devices. There was a time, not all that long ago, when Blackberry was the mobile device of corporate America. Once iOS and Android started supporting email via Exchange, however, executives started questioning why they needed to carry a work device and a personal device. In short, they wanted their email and Angry Birds wrapped up in one tidy mobile package. Thus, the birth of BYOD. Today, Blackberry is going they way of Betamax, and BYOD is here to stay. I call the iPhone-ification of corporate America.

BYOD, however, is not without its risks. Over at The HR Capitalist, Kris Dunn offers the following sample BYOD Policy (c/o Scott Stone):

We expect each team member to provide their own device – you select it, you buy it, you pick the plan that makes the most sense for you.  Your phone, your phone number, your provider of choice, your contract with the provider

We strongly recommend a “Smartphone” of some type, to ensure you can receive emails or other critical communications on the device.

Our Company will provide you access to your work email address on the device, including assisting you with the setup.

If your device is a “Smartphone”, our company will reimburse you $75 per month to cover all work related communications on the device (email, text, voice, communications, etc).  We expect you to select a plan which can accommodate your business and personal needs for voice and data

If you select a PO Phone (plain ‘ol phone) which lacks the ability to receive and send emails, our company will reimburse you $15 per month for all work related communications

We won’t provide a “company phone” to anyone, preferring to allow you to “BYOD”, and provide everyone maximum flexibility.

If you ever choose to leave the company, take your phone, your number, and your existing agreement with a provider – no hassle, no number change, no problem.

These seven points have one glaring omission—security. The biggest risk that BYOD creates is the seemingly uncontrolled access to your network, both in terms of what information is accessed and take from it, and what happens to that information if a device is lost or stolen. In light of these security risks, any BYOD program should answer the following 5 questions:

1. What devices are permitted? Does BYOD mean any device, or does it simply mean iPhones or Androids? What about iPads or other tablets? Employee-owned laptops? Stick drives and other portable memory?

2. Are you going to mandate passwords or other security-screens on network-connected devices? Employees generally resist having to enter a four-digit pin code every time they turn on their iPhones. Your IT, legal, and risk management departments, however, should require them, since they make it that much harder for someone to access data on a lost or stolen device. If your organization deals in confidential information (e.g., doctors, lawyers, etc.), this requirement is that much more important (and might be mandated by law). Also, your BYOD policy should reference any other policies that address the handling of confidential and proprietary information.

3. What happens when a device is lost or stolen? IT must have the ability to remote-wipe a missing mobile device. Guess what happens, though, if an employee’s first call upon losing a phone is to their mobile carrier? The carrier turns off the device, and your organization loses the ability to remote wipe any data from it. Employees should be told that if they lose a mobile device, their first call should be to IT so that the device can be wiped of any corporate data.

4. Will you ban jailbreaks, roots, and other hacks? These practices void the phone’s warranty. Also, consider banning the installation of apps other than from the official iTunes App Store or Google Play. It will limit the risk of the installation of viruses, malware, and other malicious code on the devices.

5. What happens when an employee leaves? You should not only address what happens with the physical device, but also what happens with the data that lives on the device. You need a protocol to re-acquire or wipe all corporate information on the device. Otherwise, you are putting your confidentiality at risk.

Any successful BYOD program results from a synergy among the C-suite, legal, IT, HR, and risk management. Involve all of these departments to make sure that your BYOD program is successful, and addresses all necessary security issues.

Telecommuting as a reasonable accommodation

More than two years ago, I hypothesized that the breadth of the ADA’s 2009 amendments would likely cover fringe medical conditions such as chemical sensitivities. I wrote:

The ADA amendments are intended to make it much easier for individuals to demonstrate that they meet the definition of “disability.” To have a disability, an individual must be “substantially limited” in performing a “major life activity” as compared to most people in the general population. An impairment need not prevent, or even significantly or severely restrict, the individual’s performance of a major life activity…. Major life activities include daily functions, as well as the operation of major bodily functions (which would include, for example, the respiratory system).If an employee has a chemical sensitivity to certain smells, that allergy will likely substantially affect the employee’s respiratory system, thus rendering the employee “disabled” under the ADA.

Core v. Champaign County Board of County Commissioners (S.D. Ohio 7/30/12) [pdf], confirms my prediction. In that case, an Ohio federal court ruled that an employee sufficiently pleaded a claim for disability discrimination under the ADA based on an alleged sensitivity to perfume. The plaintiff, Pamela Core, claims that her employer failed to accommodate her chemical sensitivity to certain perfumes worn by her co-workers. She had asked that her employer ban certain scents in the workplace. When it ignored her requests, she asked to be allowed to work from home as an accommodation, which the employer rejected.

The issue of whether a sensitivity to perfume qualifies as a disability protected by the ADA only begs this question—what is the appropriate accommodation for this disability? The court in Core concluded that telecommuting may be a reasonable accommodation in this case:

With regard to the assertion that working from home is an unreasonable accommodation as a matter of law, such blanket assertion is not necessarily supported by Sixth Circuit precedent. Certainly, the Sixth Circuit has agreed with the general proposition that an employer is not required “to allow disabled workers to work at home[;]” however, the court also recognizes the possibility of exceptions to the general rule “in the unusual case where an employee can effectively perform all work-related duties at home[.]”

Certainly, communications technology has advanced to such a state that the proposition of employees working from home is not quite as burdensome or untenable…. Today, in this Court’s view, it may not “take a very extraordinary case for the employee to be able to create a triable issue of the employer’s failure to allow the employee to work at home.” Nevertheless, the ultimate determination of reasonableness is a fact specific inquiry and a question for the fact-finder.

The Court did not go as far to conclude that telecommuting is a proper reasonable accommodation in this or any other case, but instead ruled that a jury should decide the reasonableness of the accommodation in this case.

Some employers, rightly or wrongly, believe that employees need to be present in the workplace to effectively perform their jobs. If you fall on this side of the debate, what steps can you take to safeguard against a court second-guessing your decision to deny a telecommuting request as a reasonable accommodation?

1. Prepare job descriptions that detail the need for time spent in the office.
2. Document the cost of establishing and monitoring an effective telecommuting program.
3. Engage in a dialogue with disabled employees to agree upon an alternative accommodation with which both sides can live.

The appropriateness of telecommuting as a reasonable accommodation will vary from case to case. As Core points out, telecommuting as a reasonable accommodation remains the exception, not the rule. The line that separates exception from rule, however, will continue to shift as technology makes telecommuting more feasible, widespread, and accepted.

[Hat tip: Employer Law Report]

Plagiarism (a story with a happy ending)

I made a startling discovery on Friday. In last week’s WIRTW, I gave a shout out to the Meritas Social Media Guide for Lawyers v. 2.0. (In the name of full disclosure, my law firm, Kohrman Jackson & Krantz, is the Cleveland member firm of Meritas, an international alliance of full-service law firms, and its Social Media Guide features my blog.) One of the guide’s authors, Ethan Wall, took to Twitter to thank Daily Legal Law for mentioning the Social Media Guide. The only problem is that Daily Legal Law had plagiarized my column from Friday, reprinting it word for word.

I am all for other websites and blogs being so enamored with my content that they want to run it on their sites. Please, have the kindness to email me first to ask permission (I rarely say no), and then provide proper attribution. Don’t copy and paste my copyrighted content, and exacerbate your evilness by listing someone else as the author.

This story has a happy ending. Five minutes of easy research led me to DailyLegalLaw.com’s web host, HostGator, to whom I sent a takedown letter under the Digital Millennium Copyright Act. Yesterday, I received the following email from HostGator:

HostGator took down the entire website. If you visit DailyLegalLaw.com, this message is all you will find:

If you have employees posting content for your business online, remind them that plagiarism is illegal, that copyrights have meaning, that violating others intellectual property rights has consequences for the company (such as infringement lawsuits, civil fines, and criminal penalties), and that plagiarism is a terminable offense. Build these ideas into your social media, online communication, or similar policy, and re-enforce the concept in the training of your employees on responsible and legal online communications. Also, if you are regularly publishing content, it is wise to monitor the Web to check for stolen content, so that you can act swiftly to protect your IP.

To the proprietors of DailyLegalLaw.com: If you are going to steal copyrighted material, at least have enough common sense not to steal it from the one group certain enough to know how to protect their IP rights—attorneys. DailyLegalLaw.com, you are free to copy this post (and only this post) and paste it, in its entirety, on any of your other websites.

Terminated CFO illustrates the confidentiality risks social media pose

According to a recent survey by Intel (h/t: Lifehacker), 85% of American adults share information about themselves online, while 90% think others are sharing too much. Maybe the former CFO of Francesca’s Holdings Corp., Gene Morphis, should have heeded the latter and shared less about his company’s inner workings.

On Monday, Francesca’s announced that it fired Morphis for improperly communicating company information through social media. A quick review of Morphis’s Twitter feed and (very public) Facebook Wall offers some possible suspects.

Maybe it was this tweet:

Or maybe it was this one:

Or maybe this one:

Or, maybe it was this Facebook post:

Or, maybe it was this one:

Social media presents a real risk of corporate breaches of confidentiality. It is easy to tell your employees, “Think before you click.” (Hey, that’s a catchy title for a book.) Yet, 76% of the Inc. 500 lack a social media policy for their employees, and 73% of all employers conduct no social media training. If you aren’t educating your employees about the risks and benefits of social media, both in and out of the workplace, you are not only missing a golden opportunity, but you also leaving yourself exposed to breaches of confidentiality such as that which befell Francesca’s. These issues are not going away.

Businesses that ignore the possibility that their employees can divulge trade secrets and other confidential and proprietary information via Twitter, Facebook, and other social media do so at their own peril. Did Morphis’s disclosure harm his ex-employer? Probably not. But, the company’s swift and decisive reaction to any breach of confidentiality will make it easier down the road for it to protect its confidential information when it really matters. Mark my words. The day will come when a court will invalidate a corporate trade secret because of a lax social media policy.

As an aside, I’m leading off tomorrow’s NLRB Region 8 Labor Law Conference [pdf], discussing social media policies and protected concerted activity. NLRB Acting General Counsel Lafe Solomon is the lunch speaker. I am very interested to hear his thoughts on how employers can balance their right to limit disclosures of confidential information against his perception that social media policies that prohibit such disclosures violate the NLRA.

Maryland becomes 1st state to ban requiring employees’ social media passwords

The public outcry against employers requiring the job applicants turn over their Facebook passwords has resulted in legislation. Maryland has become the first state to prohibit employers from requiring or seeking user names, passwords, or any other means to access Internet sites such as Facebook as a condition of employment. Demonstrating the outrage over this issue, the measure passed both house of Maryland’s General Assembly with 96% support.

The law—entitled, “User Name and Password Privacy Protection and Exclusions” (full text here [pdf])—prohibits Maryland employers:

• from requesting or requiring that an employee or applicant disclose any user name, password, or other means to access a personal Internet account;
• from taking, or threatening to take, disciplinary actions for an employee’s refusal to disclose certain password and related information; and
• from failing or refusing to hire an applicant as a result of the applicant’s refusal to disclose certain password and related information.

The law exempts employers that are conducting investigations into compliance with securities or financial laws or regulations, and investigations into the unauthorized downloading of the employer’s proprietary information or financial data to an employee’s personal website.

Eric Meyer, at The Employer Handbook blog, nicely summarizes the main critiques of this bill:

[T]he Maryland Chamber of Commerce opposed the prohibition because the bills did not acknowledge there could be legitimate issues for some employers to want to review applicants' or workers' social media messages.

What concerns me is that there are no carve-outs for public agencies that protect and serve the public. I can understand why a police department may need to fully vet its candidates by making sure that applicants and officers don’t have hate speech towards a particular protected class, for example, on their Facebook page. As I imagine that this information could be used to overturn arrests and indictments.

While I agree with Eric’s take, my critique is more about the small percentage of employers who engage in this practice:

Legal issues aside, this story raises another, more fundamental, question—what type of employer do you want to be? Do you want to be viewed as Big Brother? Do you want a paranoid workforce? Do you want your employees to feel invaded and victimized as soon as they walk in the door, with no sense of personal space or privacy? Or, do you value transparency? Do you want HR practices that engender honesty, and openness, and that recognize that employees are entitled to a life outside of work? … Requiring passwords is not smart.

This law affects you only if: 1) you engage in business in Maryland; and 2) you are among what I believe is the small minority of business that are requiring applicants and employees to turn over social media logins and passwords. Nevertheless, I would expect other states to follow suit, and use the Maryland legislation as a model.

Even if few public sector employers, and fewer private sector employers, are engaging in this practice, this issue bears monitoring.

[Hat tip: The Hill]

Disturbing study about the (mis)use of employers’ confidential information

Here’s the good news: According to a recent survey conducted by FileTrek, 79% of Americans believe that removing confidential files from the office is grounds for termination. Here’s the bad news: 90% think that employees do it anyway. What is the most popular method of removing information? Exporting it to a USB drive.

Some more scary numbers? How about the answers to the question, “When is it acceptable to remove confidential company information out of the office?”

• 48% — When boss says it’s okay
• 32% — To finish a late night project from home
• 30% — To work over the weekend or while on vacation
• 16% — When the confidential information about themselves
• 2% — When it can be brought back to the office before the boss knows it was gone
• 2% — To show something to family or friends who promise to keep it confidential
• 40% — Never

According to Dale Quayle, CEO of FileTrek, “Today’s workforce believes information is an asset to be shared…. It’s critical for today’s management teams to be more IP aware to ensure data security.”

Where does this IP awareness start? With a clear set of policies and agreements that prioritize the confidentiality of your information and data. You need to set the expectation in your organization that you take confidentiality seriously, and those that do not should not expect to remain employed. You also need to be prepared to enforce that confidentiality with litigation when necessary. Otherwise, the agreements may not be worth the paper on which they are printed.

[Hat tip: Huffington Post]