Showing posts with label technology.

Tuesday, February 3, 2015

The internet might be for porn, but not on work computers


I spent yesterday working from home, as Cleveland got socked with nearly a foot of snow and my kids had the day off from school.

While working from home, I came across an article from Crain’s New York Business, entitled Porn and the snowbound workforce. The article argued that winter storms lead to increased software security violations, including a spike in malware infections, and that these extend to company-owned computers that employees are using to work from home.

[I]ncreased levels of malware infections go almost hand-in-hand with increased traffic to porn sites. Adult-content platform Pornhub reported a 21% increase in traffic from New York City-based users during this week’s storm…. For randier New Yorkers who might have been home with work-provided laptops, the blizzard malware infections could cause more than just an uncomfortable chat with human resources.

Companies should want employees to have the flexibility to work from home during inclement weather. It’s certainly safer than having them traverse icy or snow-covered roads. Moreover, it enables you to capture some of the productivity you would otherwise lose from children’s snow days and other weather-related days off. Companies must, however, make it clear to employees that work computers are for work, and not for play, even if the employee is using the computer at home.

Consider the following Telecommuting Principles, from the Emory WorkLife Resource Center:

  • The user’s local IT unit must provide, maintain, and support a computer with an approved Emory configuration defined by the Local IT unit. The configuration must address the Information Security Requirements for Telecommuting Arrangements which includes items such as current security updates and anti-virus capability, removal of administrative rights, proper firewall configuration, and security incident reporting requirements.
  • Telecommuters must use only the Emory provided computer for telecommuting.
  • Telecommuters must protect the computer issued to them and any sensitive data that it might contain.
    • Telecommuters may not store sensitive information on the computer unless authorized to do so, and even then, telecommuters must only store the absolute minimum required.
    • Telecommuters must encrypt or password protect documents that contain sensitive information when possible, and upgrade to Full Disk Encryption when an enterprise solution becomes available.
    • Telecommuters may not transfer sensitive data to non-Emory owned systems or removable media, and they may not allow unauthorized users to use the computer issued for telecommuting.
  • Users must immediately notify their manager and local IT support if a system used to telecommute is lost or stolen or if the system is compromised or suspected of being compromised by a computer virus or hacker.

These types of policies cannot guarantee a malware-free IT infrastructure. They will, however, provide you some sense of security in knowing that your employees are aware of the issue, while at the same time providing you the ammunition you need to support action against an employee who misuses your computers.

Wednesday, January 21, 2015

New anonymous workplace app raises big workplace issue


Have you heard about Memo? It’s an iPhone app that allows individuals to post anonymous comments, both positive and negative, about their employers to a specific group page about the company. As you could imagine, it’s the negative posts that will get the lion’s share of attention.

Here’s what a typical company-bashing comment on Memo looks like.


According to Quartz.com, Memo has already “received two cease-and-desist letters, two companies have blocked emails from Memo hitting their servers, and three companies have written memos to employees about the app.”

I want to address the latter—companies that, via policy, fiat, or otherwise, try to stop their employees from using Memo.

As you should know, federal labor law gives employees the right to engage in protected, concerted activity—that is, discussions between or among employees about wages, hours, and other terms and conditions of employment. Employees’ discussions, for example, about an open-door policy, would be a textbook example of protected concerted activity.

Federal labor law prohibits employers from retaliating against employees for engaging in protected concerted activity. Retaliation isn’t Memo’s biggest risk because its posts are (supposedly) anonymous. However, federal labor law also prohibits employers from maintaining or enforcing policies that could chill employees’ right to speak about terms and conditions of employment.

Thus, if you think you can legislate Memo (or other similar apps) out of your workplace, you might want to think again. The NLRB will likely hold a very different opinion about the rights of your employees to talk about your company, anonymously or otherwise.

Tuesday, November 18, 2014

More on data security as an unfair labor practice


A few months ago, I wrote how the NLRB was exploring new areas of potential protected concerted activity to regulate. One such area is information and data security.

According to Employment Law 360, the NLRB potentially is looking to expand its reach in the area of cybersecurity, this time investigating whether an employer was required to bargain with its labor union over the impact of a data breach on its employees:

A postal workers union has lodged a charge with the National Labor Relations Board over the U.S. Postal Service’s handling of a recent data breach, a novel move that adds union negotiations to the already sprawling list of concerns companies must contend with in their race to mitigate cyberattacks.

In a Nov. 10 charge filed with the NLRB, the American Postal Workers Union accused USPS of engaging in unfair labor practices in violation of the National Labor Relations Act, by failing to give the union advance notice “that would enable it to negotiate the impacts and effects” on employees of the cyberattack….

The union specifically took issue with USPS’ offering employees affected by the incident one year of free credit-monitoring, a decision that the postal workers characterized as a unilateral change to wages, hours and working conditions that an employer is generally not permitted to make without first bargaining with the union.

Responding to a cyber-attack is complicated and complex. The federal FTC, along with a patchwork of divergent state laws, requires quick communication of various levels of detail and complexity to individuals and regulators following a data breach. If employers need to add communications to labor unions to this list of constituents (and this issue remains very much open), it will create additional burdens on employers, which could potentially slow down a company’s other response efforts.

To avoid these issues, employers should consider bargaining these issues into the terms of collective bargaining agreements, so that you have a game plan in place before you have to respond. Otherwise, when faced with a data breach, you could be faced with running your response programs through the filter of your labor unions, which could hamper your other response efforts, and subject your company to potential liability from the cyber breach.

Thursday, November 13, 2014

Are you doing enough to protect your trade secrets from theft in the cloud?


Do your employees use Dropbox (or Google Drive, or Box, or iCloud, etc.) to store work documents? The appeal of these cloud services is easy to see. Because they provide the ability to store electronic files and access them across multiple devices linked to the same account (i.e., one’s office PC, home computer, iPhone, and iPad), they have exponentially increased the work-life balance of employees who need to work beyond the traditional 9-5. With that benefit, however, comes significant risk to employers.

You may think Dropbox and other cloud services don’t present a risk. After all, your employees are loyal and trustworthy. But, it only takes one layoff to turn a loyal employee into a desperate job seeker looking to provide value to turn a prospective employer into a new job. In that instance, the trade secret cat is out of the bag, and you are spending, and spending, and spending, to try to wrangle it back in.

I’ve seen two cases in which a company alleged that an employee absconded with trade secrets or other confidential information by storing them remotely on a cloud service.

  • In a lawsuit filed last week, Lyft accused its former COO of snatching thousands of sensitive documents when he left to work for its chief competitor, Uber. The mode of theft? The downloading of emails and documents to his personal Dropbox account in the months leading up to his defection.
  • Last year, Zynga settled a lawsuit it had filed against a former manager whom it alleged had used Dropbox to steal its trade secrets upon leaving for a rival startup.

What can an employer do to minimize risk of trade-secret misappropriation or other breach of confidentiality, short of filing expensive and protracted litigation? Consider these 8 steps, courtesy of the ABA Section of Litigation’s Intellectual Property Committee:

    1. Limit access to trade-secrets on a need-to-know basis. The fewer people with access to trade secrets, the more likely the information will remain secret.
    2. Limit access to cloud-based solutions on company computers and prohibit any use of personal cloud solutions for company materials. Consider installing software to limit access to any cloud solutions that are not approved by the company.
    3. Implement policies and train employees about the use (or non-use) of cloud solutions and, more generally, about the protection of confidential information. Employee handbooks, new-employee orientations, posted company policies, and annual employee training sessions all provide opportunities to address these issues.
    4. Monitor when files are accessed or downloaded, and by whom. This will allow the company to take immediate action in the event it discovers suspicious activity.
    5. Require employees to sign NDAs. All employees should sign NDAs prohibiting them from taking or using company information for any purpose other than their work for the company. These obligations should extend beyond termination.
    6. Conduct exit interviews. This will allow the company to explore whether the employee retained any confidential information and to instruct him or her that any such information should be immediately returned or destroyed.
    7. Collect and secure computers used by terminated employees. By examining the computer of a former employee, a company can often determine if any information was taken before the employee’s departure and what that information was.
    8. Label or name files containing trade secrets as “Confidential” or “Trade Secret.” While this probably will not prevent unauthorized use or access, it may help a company to persuade a court that any misappropriated information still qualifies for trade-secret protection. This is because confidentiality labels help show that the company took reasonable steps to maintain secrecy by notifying the employee as to the sensitivity of the information.

You cannot absolutely protect against the use of the cloud by your employees. All an employee has to do is email a file to a personal email account, and your control over that file is gone. Implementing these 8 measures, however, will place your business in the best position possible to limit your risk, and secure against theft of sensitive information by exiting or otherwise disgruntled employees.

Monday, October 20, 2014

What if…? Internet use as a disability


Last year I reported on the possibility that Internet use could become an ADA-protected disability. Now, we have one of the first documented cases of this phenomenon. From CNN:

A man who checked in to the Navy’s Substance Abuse and Recovery Program for alcoholism treatment was also treated for a Google Glass addiction, according to a new study.

San Diego doctors say the 31-year-old man “exhibited significant frustration and irritability related to not being able to use his Google Glass.” He has a history of substance abuse, depressive disorder, anxiety disorder and obsessive-compulsive disorder, they say.

The man was using his Google Glass for up to 18 hours a day in the two months leading up to his admission in September 2013, according to the study…. “He reported that if he had been prevented from wearing the device while at work, he would become extremely irritable and argumentative,” the doctors write.

The Guardian adds that “the patient repeatedly tapped his right temple with his index finger, … an involuntary mimic of the motion regularly used to switch on the heads-up display on his Google Glass.”

This supposed addiction is not limited to wearables like Google Glass. For example, CBS News recently reported on the physiological changes to the brain that could result from too much Facebook use.

What results when we toss this story into the employment-law blender?

  • Do you have employees who seem to spend an inordinate amount of time online? Is it affecting their performance and inhibiting their ability to perform the essential functions of their jobs? If so, you may have to engage them in the interactive process to determine if there exists a reasonable accommodation that enables them to perform those essential functions. For example, could you deny computer access to employees who do not need to use a computer for their jobs, and require that such employees leave their cell phones outside the work area?

  • Do you have a policy that prohibits non-work-related Internet use? If so, it might run afoul of the ADA, just like hard-capped leave of absence policies. It’s not that employers cannot place reasonable limits on workplace computer use. By instituting a ban, however, employers are avoiding their obligations to engage in the interactive process, thereby violating the ADA.

These are difficult issues, exacerbated by the novelty of the concept. Nevertheless, the more the Internet becomes entrenched in our lives (if that’s possible), the greater the likelihood that employees will begin embracing ideas such as Internet addiction as a disability and the need for employers to consider and provide reasonable accommodations. It’s a brave new world, we just happen to work in it.

Thursday, September 11, 2014

Do your BYOD employees understand the remote-wipe?


My kids are growing up. For example, we’ve now graduated from me having to wake them up in the morning for school and helping my son get dressed, to his big sister setting the alarm on her iPod, and both kids waking up and dressing without parental supervision. There is one area, however, for which my 6-year-old still requires help. Every now and again, I will hear the familiar cry of, “Daddy, I went poopies,” which beckons me into the bathroom to inspect, and, if necessary, aid his wiping technique.

Employers and employees are getting used to wiping of another kind—the remote wiping of employees’ personal mobile devices.

More and more employers are embracing BYOD (“bring your own device”) as a win-win for employers and employees. Employees get to use the device of their choice, without having to juggle multiple gadgets, while employers save on hardware costs. One survey I read (as cited by the Wall Street Journal) suggested that by 2017, half of all employers will stop providing mobile devices to employees and require them to use their own for work.

The use of personal devices for work, however, raises an important issue. How do employers ensure that company information is removed from a device if it goes missing or if an employee leaves the business? The answer is the employer must have the ability to remote-wipe the device to remove its data. What happens, however, if a remote-wipe compromises an employee’s personal data? I would argue that it is the risk employees take for BYODing. Employers have to be able to guarantee the security of their own information, even if it might compromise employees’ personal data.

SHRM predicts that “as state and federal regulations struggle to keep up with new technology, an employer’s ability to wipe employee personal cell phones and devices will likely be tested through the courts.” How can you best protect your organization from the risk of lawsuit by an employee who loses personal data through your remote-wipe of a mobile device? Have a BYOD policy—upon which employees place their John Hancock attesting to having read and understood the policy—which unequivocally states that:

  1. the employee’s phone will be wiped (remotely or otherwise) of all company-related information if the device is reported lost or stolen and upon the termination of employment;
  2. the employee understands that this wiping could result in the loss of personal data or information; and
  3. the employee indemnifies the company for any loss or damage that may result from the wiping of the phone under the policy.

With those protections in place before an employee decides to use his or her own personal device for work, an employee will have a harder time challenging the after-effects of a remote wipe.

As for my son, that’s for another day…

[Image by Intel Free Press [CC-BY-2.0], via Wikimedia Commons]

Thursday, June 26, 2014

The Supreme Court’s opinion on cell phone privacy is a must-read for all employers


It’s a rare day that I write a post of which the vast majority is a 900-word quote from a court opinion. Yesterday’s decision by the U.S. Supreme Court in Riley v. California [pdf], however, is significant enough to cede my space to the words of Chief Justice Roberts:
Cell phones differ in both a quantitative and a qualitative sense from other objects.… The term “cell phone” is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.

One of the most notable distinguishing features of modern cell phones is their immense storage capacity.… Most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so.…
But the possible intrusion on privacy is not physically limited in the same way when it comes to cell phones. The current top-selling smart phone has a standard capacity of 16 gigabytes (and is available with up to 64 gigabytes). Sixteen gigabytes translates to millions of pages of text, thousands of pictures, or hundreds of videos.… Cell phones couple that capacity with the ability to store many different types of information: Even the most basic phones that sell for less than $20 might hold photographs, picture messages, text messages, Internet browsing history, a calendar, a thousand entry phone book, and so on.… We expect that the gulf between physical practicability and digital capacity will only continue to widen in the future.

The storage capacity of cell phones has several interrelated consequences for privacy. First, a cell phone collects in one place many distinct types of information—an address, a note, a prescription, a bank statement, a video—that reveal much more in combination than any isolated record. Second, a cell phone’s capacity allows even just one type of information to convey far more than previously possible. The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet. Third, the data on a phone can date back to the purchase of the phone, or even earlier. A person might carry in his pocket a slip of paper reminding him to call Mr. Jones; he would not carry a record of all his communications with Mr. Jones for the past several months, as would routinely be kept on a phone. 
Finally, there is an element of pervasiveness that characterizes cell phones but not physical records. Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cell phone, with all that it contains, who is the exception. According to one poll, nearly three-quarters of smart phone users report being within five feet of their phones most of the time, with 12% admitting that they even use their phones in the shower. See Harris Interactive, 2013 Mobile Consumer Habits Study (June 2013).… Today … it is no exaggeration to say that many of the more than 90% of American adults who own a cell phone keep on their person a digital record of nearly every aspect of their lives—from the mundane to the intimate.…
Although the data stored on a cell phone is distinguished from physical records by quantity alone, certain types of data are also qualitatively different. An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns—perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building.…
Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life. There are popular apps for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely. There are over a million apps available in each of the two major app stores; the phrase “there’s an app for that” is now part of the popular lexicon. The average smart phone user has installed 33 apps, which together can form a revealing montage of the user’s life.… 
To further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself.… Cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself. Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference.… Moreover, the same type of data may be stored locally on the device for one user and in the cloud for another.
Riley is a 4th Amendment search-and-seizure case. It’s not an employment case. So, why, you ask, is it so important? For the first time, our highest court is recognizing, in great detail, the significant privacy interests we expect in our mobile devices. Does your company have a cell phone or mobile device policy? Does it explain to your employees that they are giving up certain expectations of privacy if they accept your phone or connect their own phones to your network? In light of Riley, if you don’t have this policy containing these disclaimers, you better, because courts are going to become increasingly hostile to claims that individuals do not have privacy expectations in their mobile devices.

Thursday, June 19, 2014

Firing of county employee teaches important lesson about use of mobile technology


We love our phones. We are an iPhone society. I’ve referred to the phenomenon as “iPhone-ification.” Do you know that there are more mobile phones than people in the United States? Moreover, 90% of American adults own mobile phones, and nearly 60% are “smart.”

Despite the proliferation of mobile phones, and their use in work and for work, many employees still do not understand the difference between work use and personal use.

Case in point? Yesterday, the Cleveland Plain Dealer reported that Cuyahoga County suspended a supervisor for using his county-issued cell phone to send unwelcome sexual text messages to a co-worker. According to the County [pdf], the employee used his phone to flirt and text sexual innuendo, even after the recipient told him to stop.

From this story, I offer two lessons—one for employees and one for employers.
  • For employees, please stop using your work phones (and that includes your own personal devices that your employer allows you to connect to its network, i.e., BYOD) for personal business that will get you in trouble at work. If you wouldn’t say it to someone’s face, don’t email it, text it, Facebook it, or otherwise send it via your phone. Just because we treat our phones like members of our families does not mean that their contents are off limits to employers. They’re not.
  • For employers, communicate this message to your employees. Trust me, they don’t get it. They think the four-inch device in their pockets is theirs, and what they email, text, Facebook, etc., is not your business. Spell it out, in plain English, in a mobile device policy. And reinforce that message in training sessions.

Monday, May 5, 2014

The NLRB is looking to overturn email solicitation rules


In Register Guard, the NLRB held that an employer’s solicitation or other communication policy can lawfully bar employees’ non-work related use of an employer-owned email system, unless, on its face, it discriminates against employees’ exercise of Section 7 rights. Thus, under Register Guard, a policy that prohibits employee use of an email system for “non-job-related solicitations” does not violate the NLRA, even if the very nature of that ban includes union-related solicitations.


The NLRB decided Register Guard in 2007, near the tail-end of the Bush-era Board. Now, it’s 2014, and the current Obama-era Board is taking a look at Register Guard. 


The Board has posted a notice [pdf] asking advocates to submit position briefs covering each of the following five issues:

  1. Should the Board reconsider its conclusion in Register Guard that employees do not have a statutory right to use their employer’s email system (or other electronic communications systems) for Section 7 purposes?
  2. If the Board overrules Register Guard, what standard(s) of employee access to the employer’s electronic communications systems should be established? What restrictions, if any, may an employer place on such access, and what factors are relevant to such restrictions?
  3. In deciding the above questions, to what extent and how should the impact on the employer of employees’ use of an employer’s electronic communications technology affect the issue?
  4. Do employee personal electronic devices (e.g., phones, tablets), social media accounts, and/or personal email accounts affect the proper balance to be struck between employers’ rights and employees’ Section 7 rights to communicate about work-related matters? If so, how?
  5. Identify any other technological issues concerning email or other electronic communications systems that the Board should consider in answering the foregoing questions, including any relevant changes that may have occurred in electronic communications technology since Register Guard was decided. How should these affect the Board’s decision?

The notice is in response to an ALJ’s decision in Purple Communications, Inc., holding that an employer did not violate the Act by prohibiting use of its electronic equipment and email systems for activity unrelated to its business purposes. 


By all appearances, the NLRB is looking for a reason to reverse Register Guard, and issue a rule under which a facially neutral email policy is nevertheless illegal if one could reasonably read it to restrict employees’ rights to engage in protected concerted activity. While this re-imagining of Register Guard would be consistent with the NLRB’s more recent positions in social media and other workplace communication cases, it is nevertheless concerning for employers and bears monitoring as this important issue weaves its way through the NLRB.

Monday, April 28, 2014

NLRB judge says employer cannot require its employees to disclaim social media posts


The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of The Kroger Co. family of stores.
In The Kroger Company of Michigan [pdf], an NLRB administrative law judge concluded that Kroger’s Online Communications Policy—which required that its employees post the above-quoted disclaimer along with the publishing of any work-related online content—was illegal.

The ALJ conceded that Kroger has a legitimate interest in limiting unauthorized communications. Nevertheless, the perceived over-breadth of the policy trumped the employer’s legitimate interest:



An ever increasing amount of social, political, and personal communication, increasingly by people of all ages, takes place online.… A rule that required Kroger employees, who are identified as such, to mouth a disclaimer whenever they conversed with others about “work-related information,” while standing on a street corner, picket line, in church, in a union meeting, or in their home, would never—ever—withstand scrutiny. As with traditional, in-person communication, this required online disclaimer has no significant legitimate justification and is, indeed, burdensome to the point that it would have a tendency to chill legitimate section 7 speech. 
How does a statement by an employee, on the employee’s personal Facebook page, that the posts are his and not his employer’s, chill an employee from expressing an opinion about work? To the contrary, this disclaimer would seem to have the opposite effect, freeing the employee to talk about work because he or she has already disclaimed that the post is merely the employee’s personal opinion, and not an official statement of the employer.

As Eric Meyer pointed out in discussing this decision last week, Kroger merely serves to add to the confusion that already exists around workplace social media policies. As for me, I see little harm in these types of disclaimers.

Tuesday, March 25, 2014

Please, please, please … be careful what you email


Darren Wyss claims that his former employer, Compact Industries, demoted him on the basis of his gender and replaced him with a female. Wyss’s immediate supervisor was Tracey Brown, one of the company’s owners, and the sister of Michael Brown, another owner. After Wyss’s demotion, Michael emailed his sister, “You demoted Darren without telling me? … Darren is a good worker, too bad he’s male.”

Based on that email, the court—in Wyss v. Compact Indus. (S.D. Ohio 3/12/14)—had little trouble denying the company’s motion to dismiss the sex discrimination lawsuit.
It is reasonable to infer that Michael Brown knew of his sister’s motive for demoting Wyss and was referring to that motive in this email. This plausibly suggests that the decision to demote Wyss, who was otherwise a “good worker,” was motivated by Tracey’s intent to discriminate against men. 
Nothing good comes from putting statements like “too bad he’s male” in emails, or text messages, or voice mails, or any other form of communication. Those words should never leave your lips, let alone flow forth from your fingers in anything typed. Michael Brown may have a logical, non-discriminatory explanation for his statement … or at least he better before he gives his deposition. Even with an explanation, however, his misstep makes his company’s case that much more difficult. Do your damnedest to avoid the same miscue.

Thursday, March 6, 2014

Read this post before you access your employee’s social media accounts


Susan Fredman Design Group employed Jill Maremont as its Director of Marketing, Public Relations, and E-Commerce. In that capacity, she used her own personal Twitter account and Facebook page to promote SFDG’s business. To keep track of the various social media campaigns she was conducting for SFDG, Maremont created an electronic spreadsheet, on SFDG’s computer and saved on SFDG’s server, in which she stored the passwords for her accounts. It appears that Maremont provided access to, or copies of, the spreadsheet to other SFDG employees to assist in her social media posts on behalf of the company.

Maremont suffered injuries in a serious car accident that kept her out of work. During that time, she claimed that SFDG employees, without her permission, accessed her Facebook and Twitter accounts and posted on her behalf.

In the ensuing lawsuit—Maremont v. Susan Fredman Design Group (N.D. Ill. 3/4/14)—Maremont alleged violations of the Lanham Act (that SFDG unlawfully passed itself off as Maremont), and the Stored Communications Act (that SFDG unlawfully accessed her electronic accounts without her permission). The district court dismissed the Lanham Act claim, but permitted the Stored Communications Act claim to proceed to trial.

Legal intricacies aside, the case is both instructive and troubling.

This case is instructive because it shows the danger when a company fails to bring its social media accounts in-house. Maremont used her personal Facebook and Twitter accounts for her employer. When she was out of the office for an extended period of time, instead of letting its social media presence falter, SFDG used Maremont’s account information to continue posting. How could SFDG have avoided these potential legal traps and an expensive lawsuit? Either by requiring that Maremont use its own social media accounts for official company business, or by having a written agreement with her that it had the right to access her mixed-use personal accounts. The former is cleaner and less risky, but the latter would have still likely kept it out of court, even if mixed-use accounts are harder to untangle at the end of employment.

This case is troubling because it sets the precedent that an employer to which an employee provides passwords to the employee’s social media accounts cannot access those accounts for business purposes. By all appearances, Maremont provided her account information and passwords to her coworkers. SFDG could not have foreseen that it would violate federal law by using them to continue Maremont’s work while she was incapacitated. Yet, that is exactly what happened.

What’s the main takeaway here? If you are going to permit your employees to use their personal social media accounts for business purposes, get it in writing that you have rights to the accounts. Define who else can access the accounts, and what happens with them if the employee is incapacitated or no longer employed. Otherwise, you are potentially exposing yourself to an expensive and uncertain lawsuit to define these rights in court after the fact.

[Hat tip: Internet Cases]

Tuesday, February 25, 2014

Mind your internal emails to avoid discrimination issues



Shazor v. Professional Transit Mgmt., Inc. (6th Cir. 2/19/14), interests me for two reasons. First, it discusses and applies a “sex-plus” theory of discrimination to save a plaintiff’s race discrimination and sex discrimination claims from the summary-judgment scrap heap. “Sex-plus” recognizes that race and sex are not mutually exclusive, and protects African-American women as a class of their own. I commend Shazor to your reading list for its interesting narrative on this issue.

I want to discuss, however, the other interesting aspect of Shazor—the evidence the plaintiff used to avoid summary judgment. She submitted various emails between two corporate executives, in which they unflatteringly referred to her as a “prima donna,” “disloyal, disrespectful,” and a “hellava bitch.” Shazor successfully argued that these emails were code for “angry black woman” or “uppity black woman.” The court used these emails as prima-facie evidence of discrimination in support of her “sex-plus” claim.

Email is a powerful communication tool. It’s also very permanent. I’ve been saying this about social media for years, but perhaps it’s time to remind employers that communication is communication, no matter how it’s transmitted. If you don’t want something to appear on the front page of the newspaper, or to be read in front of a judge or jury, don’t put it in writing. Don’t email it, don’t text it, don’t Facebook it, and don’t tweet it.

“I have a solution,” you say. “What about apps like Confide, which erases a text message as soon as the recipient reads it?”

While these apps seem like a perfect way to communicate under the radar, their use for business purposes gives me great pause. The intent of this class of apps is to delete communications. I could very easily see a court, confronted with evidence that people have this app on their iPhones and use it for business communications, concluding that they have willfully destroyed evidence. Spoliation and evidence destruction discovery sanctions would result. For this reason, I believe that company mobile-device policies should police the use of apps like Confide, Snapchat, and their message-erasing ilk. And, while you’re reviewing your policies, mix in some training for your employees about the responsible use of electronic communications.

Wednesday, November 6, 2013

NLRB ALJ upholds workplace ban on recording devices


Two months ago I wrote the following, concerning whether employers should be thinking about implementing bans on employees using recording devices in the workplace:

If you do not have a policy against employees recording conversations in the workplace, you might want to consider drafting one. You never know when an employee is going to try to smuggle a recording device into a termination or other meeting. The proliferation of smart phones has only made it easier for employees to make recordings, both audio and video. Why not address this issue head-on with a policy? Unless, of course, the NLRB gets its way and renders these policies per se illegal.

At least as to the last point (the legality of such bans under the National Labor Relations Act), we now have the beginnings of an answer, via the decision of an NLRB Administrative Law Judge (the finality of which depends on whether the union appeals the decision to the full Board in Washington D.C.).

In Whole Foods Market, Inc. (NLRB Case No. 01-CA-096965 10/30/13) [pdf], the union challenged the following no-recording policy:

It is a violation of Whole Foods Market policy to record conversations with a tape recorder or other recording device (including a cell phone or any electronic device) unless prior approval is received from your store or facility leadership. The purpose of this policy is to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded. This concern can inhibit spontaneous and honest dialogue especially when sensitive or confidential matters are being discussed.

Violation of this policy will result in corrective action up to and including discharge.

The ALJ concluded that this policy did not violate the rights of the employees of Whole Foods to engage in protected concerted activity under the National Labor Relations Act:

I have found no cases, and none have been cited, in which the Board has found that making recordings of conversations in the workplace is a protected right…. Even if recording a conversation is a protected right, the Respondent is entitled to make a valid rule, such as the one in question here, to regulate its workplace, and in doing so, prohibit such activity….

The rule does not prohibit employees from engaging in protected, concerted activities, or speaking about them. It does not expressly mention any Section 7 activity. The only activity the rule forbids is recording conversations or activities with a recording device. Thus, an employee is free to speak to other employees and engage in protected, concerted activities in those conversations….

There is no basis for a finding that a reasonable employee would interpret this rule as prohibiting Section 7 activity.

In light of this decision, what is an employer to do?

    1. Review any existing workplace recording policies to ensure that the stated reason for the policy is clear. For example, in Whole Foods, the company relied on the protection of “candor and forthrightness in employee opinions.”

    2. Do not institute a new recording ban, or amend an existing policy, in response to union activity.

    3. Do not apply a recording ban to limit or prohibit the recording of protected Section 7 activity (wages, benefits, terms and conditions of employment, union issues, etc.).

    4. Limit the prohibition to working time and work spaces.

      This case offers hope to employers that there exists a more reasonable analysis of the application of Section 7 rights to workplace policies than that suggested by the Board’s recent actions.

      Thursday, September 5, 2013

      Big verdict underscores danger of recording devices in the workplace


      A couple of years ago, I asked the following question: Are your employees recording you? In that post, I discussed an ABC News story, which noted that employees are using their smartphones to digitally record workplace events to gather evidence for future discrimination lawsuits.

      Yesterday, news broke of a $280,000 verdict against a New York non-profit in a racial harassment case, in which the African-American plaintiff claimed that her boss, also African-American, called her a n****r. Her evidence? A four-minute audio recording the employee surreptitiously made on her iPhone. (If you’re curious, you can listen to some of the audio on CNN.com.)

      With the proliferation of iPhones and Androids, most employees have a high-tech, high-clarity recording device in their pockets. How do you protect your business against the possibility of employees using these devices to gather damaging evidence against you?

      1. If you do not have a policy against employees recording conversations in the workplace, you might want to consider drafting one. You never know when an employee is going to try to smuggle a recording device into a termination or other meeting. The proliferation of smart phones has only made it easier for employees to make recordings, both audio and video. Why not address this issue head-on with a policy? Unless, of course, the NLRB gets its way and renders these policies per se illegal.

      2. If the legality of workplace recording bans is up in the air, then you need to train your managers and supervisors to understand and assume that everything they say is being recorded, if not electronically, then via a mental note that an employee can later jot down. You would be surprised how many plaintiffs keep copious, contemporaneous journals of the goings-on in the workplace. Managers and supervisors need to be vigilant in making sure that they do not say anything that could come back and bite your company in later litigation.

      Or, just use the cone of silence for all workplace conversations.

      Wednesday, August 28, 2013

      Private eyes, they’re watching you…


      No one likes the idea of a workplace in which managers keep a constant eye on employees. Workers find it creepy, and it’s not as if ambitious managers clawed their way up the ladder just to snoop on their underlings all day. Still, much of the surveillance now takes place electronically—in theory, freeing bosses to focus on other matters while monitoring software keeps everyone in line. So office spying isn’t going away.

      So says this article on Businessweek.com, which nevertheless concludes that “electronic surveillance in the workplace is strikingly effective,” citing a survey [pdf] jointly conducted by professors at Washington University, BYU, and MIT.

      I’m pretty sure, however, the type of workplace surveillance noted in a lawsuit filed by the EEOC falls on the creepy side of the line, as opposed to the effective. From the EEOC’s press release:

      According to the EEOC’s lawsuit, between March and July 2010, Davis Typewriter Company’s operations manager commandeered the company’s security camera system to stream hours of footage of former employee Tracey Kelley’s breasts and body onto his office computer.

      Surveillance and privacy have been hot topics of discussion of late. How you handle these issues in your workplace will depend, in large part, on how you want your employees to perceive you as an employer—as a partner in trust, or as a distrustful watchdog.

      Rather than watching everyone, the more prudent course of action is only to watch when an employee gives you a reason to do so. Do you have reason to believe an employee is stealing from you? Then watch that employee. Do you think an employee is fraudulently using FMLA leave? Then watch that employee. Do you believe an employee is leaking secrets to a competitor? Then watch that employee.

      To watch everyone, however, without reason, leads to “distrust, conformity, and mediocrity,” three traits to which you should not want your employees to strive, and which will not help you run a successful business.

      Tuesday, July 30, 2013

      The DOL’s “Fair Labor Data Challenge” presents an interesting strategy, but is it fair?


      The Department of Labor is asking for help to create an iPhone/Android app to aid employees in tracking corporate wage-and-hour compliance.

      The DOL Fair Labor Data Challenge will “help consumers locate … establishments and view their federal enforcement and violations history as well as read consumer reviews to help them decide where to spend their hard-earned wages.”

      According to the DOL, the “app … would work with existing social media and would allow consumers to see if an establishment that they want to frequent has been in compliance with federal labor laws.” Its hope is that by “providing consumers with information at their fingertips about which businesses have treated their workers fairly and lawfully, the app will empower them to make informed choices about where to shop, eat, or even vacation.” Thankfully, in addition to flagging underpaying scofflaws, it “also will recognize those employers who are doing the right thing and playing by the rules.”

      In other words, the DOL wants to shame employers into wage-and-hour compliance. The DOL itself says, “Our investigators can’t be in every workplace, and we’ll never reach every establishment through our traditional forms of outreach.” So, to compensate for its enforcement black-hole, the DOL is turning to viral outreach to create a way for people to soft-boycott those businesses that employees say do not comply with the wage-and-hour laws.

      I will be very curious to see what this final product looks like if it ever hits the App Store. For this app to live up to its “fair” name, it must provide employers the ability to rebut negative comments. Otherwise, this app will be nothing more than a one-sided vent for disgruntled employees. Regardless, employers should keep this issue on their radars as yet another reason to get their wage-and-hour practices in line.

      Wednesday, July 17, 2013

      Who owns personal email on an employer-issued smartphone?


      The following scenario is playing out in companies all over America. A company issues a smartphone to an employee. The company owns and pays for the device, but allows the employee to use the device for personal reasons, including accessing a personal email account, such as Gmail. The employee returns the phone, but does not first erase her personal email from the device. Is it legal for the employer, who owns and pays for the phone, to access the employee’s personal email account after the device’s return?

      According to Lazette v. Kulmatycki (N.D. Ohio 6/5/13), the answer is no. In Lazette, the facts alleged are significantly worse than my fact-pattern above. After Lazette returned the phone, her supervisor, over the course of 18 months, surreptitiously read 48,000 of Lazette’s personal emails, including those involving her family, career, financials, health, and other personal matters.

      The meat of the decision concerns whether the employer violated the Stored Communications Act (although Lazette also brought federal- and state-law wiretap claims, and common law claims for invasion of privacy and intentional infliction of emotional distress). The Stored Communications Act prohibits the unauthorized access of personal email and other Internet accounts. Think of it as an anti-wiretapping law for the Internet. The court refused to dismiss the Stored Communications Act claim, concluding that Lazette had pleaded sufficient facts in her complaint for the case to proceed to discovery. If you are at all interested in the SCA, what it covers, and how it works, I commend this case to your reading list.

      Aside from the legal intricacies of the Stored Communications Act, this case raises important practical considerations about the risks companies are taking via the use of mobile devices at work. Smartphones aren’t going away. Indeed, if you’re anything like me, it’s become more of an appendage than a phone. So, how should companies manage the risks of these devices under increasing judicial scrutiny and application of the Stored Communications Act? Let me offer three practical tips:

      1. Draft a policy. Under the Stored Communications Act, personal data is sacred. Telling employees that they do not have any expectation of privacy in company-owned mobile devices might not save you from a Stored-Communications-Act claim if one employee surreptitiously accesses another employee’s personal email account. For sure, have a policy that spells out an employee’s reasonable lack-of-privacy expectations, but have a similar policy statement prohibiting employees from accessing the personal email or other Internet account of others.
      2. Wipe the device. Curiosity might have killed the cat, but you shouldn’t let it kill your company. Left to their own devices, people will snoop. Don’t give them the opportunity to do so. When a mobile device is returned by an employee, wipe it clean of all personal information and data.
      3. But, quarantine it first. I suggest, however, that before you wipe a device you pause to make sure that you don’t need any data on the device. Once it’s wiped, it’s going to be very hard, if not impossible, to recover that data. Are there pending lawsuits for which data on that phone might be discoverable? If so, you better save it until you can determine what, if anything, needs to be preserved or produced. Are you concerned that the ex-employee might have been talking to a competitor or walked off with your trade secrets or other confidential or proprietary information? If so, you better check the phone to see if there is any evidence you can use to build your claim before you wipe it clean.

      (Hat tip: Privacy & Information Security Law Blog)

      Thursday, June 6, 2013

      Your employees are BYODing, whether you like it or not


      According to a survey released yesterday by the Pew Internet & American Life Project, 61 percent of Americans own a smartphone. Employers need to pay attention to this number. Ownership of smartphones has reached a critical mass in our society.

      Given the proliferation of these devices, it makes sense that employees are bringing them to work, whether employers permit it or not. According to another recent survey, conducted by analyst house Ovum [h/t: ZD Net], 56.8 percent of employees use personal devices at work. Seventy percent of those employees who use personal devices at work are using a smartphone, and of those smartphone-owning employees, more than one-third bring them to work either without the knowledge of their IT department, or in spite of an outright corporate ban on personal devices in the workplace.

      These numbers mean that a Bring Your Own Device program is no longer an option, but should be required. If employees are going to bring personal devices into the workplace, and use them to connect to your network, you need to deploy reasonable policies to govern their use and protect your network and security, instead of ignoring the issue or instituting prohibitions that employees will ignore anyway.

      To put it another way, consider this thought from Adrian Drury, practice leader for consumer impact IT with Ovum, as quoted by ZD Net, “If you take the King Canute approach and try and drive that behaviour underground you just lose control of it.” Regain the control you need by rolling out a BYOD program.

      If you are considering implementing a BYOD program, start with these posts from the archives to gain some background on the issues you should be thinking about:

      My latest book — The Employer Bill of Rights: A Manager’s Guide to Workplace Law — also contains a sample BYOD policy for you to consider.

      Wednesday, May 22, 2013

      Email surveillance as evidence of retaliation


      Employees should not operate under any false ideas that they enjoy an expectation of privacy in their work email accounts. Just because an employer has the right to snoop through an employee’s email, however, does not mean the practice does not carry some degree of risk.

      Consider, for example, Fields v. Fairfield County Board of Developmental Disabilities (6th Cir. 12/6/12). Fields claimed that her employer retaliated against her after it discovered an email she sent to some co-workers threatening a lawsuit against the Board. The court concluded that the email surveillance was insufficient evidence of pretext.

      Simple enough? What if, however, the claim was that the company only started watching her email after it learned of the protected activity, and used evidence of misconduct in the email to support the termination decision? Could the email surveillance, in and of itself, be an adverse action sufficient to support a claim of retaliation? The legal standard for an adverse action sufficient to support a claim of retaliation is very broad. Anything that “might have dissuaded a reasonable worker from making or supporting a charge of discrimination,” qualifies as a retaliatory adverse action. If you don’t regularly review employee email accounts, and only start examining an employee’s electronic activities after that employee engages in some protected activity, might that dissuade others from engaging in protected activity?

      If you are going to enforce a policy or exercise some employer right (like surveillance of corporate email or computer systems), do it consistently, not selectively and only after an employee complains about discrimination. Otherwise, you could change a legal and reasonable act (e.g., email surveillance) into evidence of unlawful retaliation.