Is hiring for “digital natives” age discrimination?

Let’s say you’re looking to fill a position at your company that requires a certain degree of technical proficiency. Or, you just want to make sure that the person you hire is comfortable with a computer, an email account, and an iPhone. Is it legal to advertise that the position requires a “digital native?” According to Fortune.com, some companies have begun using this term as a hiring criteria in job postings. Yet, is “digital native” simply code for “younger?”

“Digital native” certainly appears to be a loaded term. According to the Fortune article, some employment attorneys believe that the “trend” towards digital natives is “troubling” and “a veiled form of age discrimination.”

• “This is a very risky area because we’re using the term that has connotations associated with it that are very age-based. It’s kind of a loaded term.” Ingrid Fredeen, attorney and vice president of NAVEX Global

• “I don’t believe using ‘digital native,’ a generational term, as a job requirement would stand up in court. I think older individuals could definitely argue ‘digital native’ requirements are just a pretext for age discrimination.” Christy Holstege, California civil rights attorney

Let me offer a counter-argument. I’m 42 years old, more tech savvy than most, and, by any definition, a digital native. I’ve been using computers since my early grade-school years. I’d fit any criteria seeking a “digital native,” and, yet, I’m also inside the age-protected class. While I do not believe companies should use “digital native” in job advertisement or descriptions (just as I wouldn’t use “recent graduate”), one challenging its use cannot examine that use in a vacuum. Instead, take a look at the hiring demographics. How many employees over 40 (over 50, over 60) hold a position that calls for a digital native. If the answer is “none,” then the employer has a huge problem. If, however, there exists a good mix of ages—both outside and inside the protected class—then there also exists a great argument that the term “digital native” has no loaded, illegal subtext.

Your employees are your biggest security risk

It seems that every week we read a story about another company that has been hacked and had its information and data compromised. Most companies believe that their greatest security risk comes from cyber terrorists overseas—nameless and faceless hackers sitting in some high tech hovel in some foreign country.

Your greatest security risk, however, comes from within—your own employees.

Case in point? This story, via Fusion:

In January, authorities arrested Eddie Raymond Tipton, the Director of Information Security for the Multi-State Lottery Association, a non-profit organization that runs multi-state games for 33 different state lotteries, on charges of fraud.… Tipton is being accused not just of claiming a winning ticket he wasn’t allowed to have, but hacking into the lottery’s random number-generator software to engineer a win for himself.… 

According to the court documents, the Multi-State Lottery Association’s random-number generator computers are disconnected from the Internet and kept in a locked, glass-walled room that is under 24-hour video surveillance. Prosecutors allege that Tipton entered the room on November 20, 2010, changed the camera’s settings to have it record less frequently, and inserted a USB drive containing malware that would manipulate the results of the upcoming lottery drawing.

I'm not saying that the threat from your employees comes from the type of malicious mischief of which Tipton is accused. With data security, sins of omission can be as deadly as sins of commission. Do you have a Bring Your Own Device Policy? Do you have employees sign confidentiality agreements? Do you train your employees on the evils of unsecured WiFi and what to do when a mobile device goes missing? If not, you are being cavalier with your data security, which places your entire business at risk of being the next big data breach story.

Some thoughts on accommodations and flexible workplaces

I’ve been thinking a lot over the past three days about the flexibility that employers afford their employees. I am part of a family with two working professional parents (one of whom travels a great deal), and two young children. If I did not have flexibility in where I perform my job, my life would become exponentially more difficult in light of my wife’ travel schedule. The reality is that technology (specifically iPhones, emails, laptops, and iPads) makes work easier. I no longer need to be tethered to my office to be productive. Yes, I enjoy coming to work. I like the camaraderie of my co-workers. I like seeing and talking to other people. I’m a social person and I like being social. But, I can write a brief, or counsel a client, from anywhere. I don’t need my office to produce. 

Last Friday, the 6th Circuit decided EEOC v. Ford Motor Co., which, according to the Court, applied “common sense” to decide that “regular on-site attendance is required for interactive jobs, and that “regular, in-person attendance is an essential function … of most jobs….” I could not disagree more. When the 6th Circuit originally decided this case one year ago, it relied on technology to determine that employers should at least consider whether telecommuting is a reasonable accommodation for a particular job.

As technology has advanced in the intervening decades, and an ever-greater number of employers and employees utilize remote work arrangements, attendance at the workplace can no longer be assumed to mean attendance at the employer’s physical location. Instead, the law must respond to the advance of technology in the employment context, as it has in other areas of modern life, and recognize that the “workplace” is anywhere that an employee can perform her job duties.

My main problem of the re-hearing panel’s decision is that the “common sense” it is applying is rooted in 1965, not 2015. To paraphrase John Oliver from last night, just as it is no longer acceptable to slap a female co-worker on the backside while calling her “toots,” it is no longer acceptable to assume that work must be performed at work. While I haven’t read the 1,400 page record of the Ford case to determine whether physical attendance at work was essential for this plaintiff’s job, my main critique of this decision is that it swings to needle too far to the side of inflexibility. It sets inflexibility as the rule, and telecommuting as the exception. I would flip the rule.

Telecommuting is an important benefit that promotes work/life balance for employees. It is great benefit that employers should be using to attract and retain employees for whom this benefit matters. With the state of technology in 2015, there is little reason that employer should not be doing so.

NLRB eviscerates the line between insubordination and protected concerted activity

Employers struggle with how to handle employees to take to social media to vent about work. And, they do so for good reason. For one, employers risk creating a viral nightmare out of a fleeting vent. Also, the NLRB continues to take a long, hard look at Facebook firings.

Case in point: Pier Sixty, LLC [pdf].

A Pier Sixty employee took to his personal Facebook page to vent about how his manager had been talking to co-workers. This employee, however, used what anyone would consider less-than-professional language to express his frustration. 

Bob is such a NASTY MOTHER FUCKER don’t know how to talk to people!!!!!! Fuck his mother and his entire fucking family!!!! What a LOSER!!!! 

Unfortunately for this employer: 1) the company was facing a union election two days later; 2) this employee supported the union; and 3) he ended his post, “Vote YES for the UNION!!!!!!!”

Not so surprisingly, when the employer learned of the Facebook post, it fired the employee. Also not so surprisingly, the foul-mouthed Facebooker filed an unfair labor practice charge with the NLRB.

The NLRB sided with the employee:

[W]hile distasteful, the Respondent tolerated the widespread use of profanity in the workplace, including the words “fuck” and “motherfucker.” Considered in this setting, Perez’ use of those words in his Facebook post would not cause him to lose the protection of the Act.

Even if the air of this workplace is full with tolerated obscenities, should an employer ever have to tolerate this type of language specifically directed at a member of management and his family? More to the point, as the lone dissenter argued:

The language Perez chose to post was not merely obscenity used as curse words or name-calling. The phrases NASTY MOTHER F—er and F—ck his mother and his entire f—ing family are qualitatively different from the use of obscenity that the Respondent appears to have tolerated in this workplace. Perez’ statements were both epithets directed at McSweeney and a slur against his family that also constituted a vicious attack on them.

What are the takeaways for employers?

1. Insubordination is insubordination, period. An employer should not have to put up with this type of harsh language specifically directed at a member of management. Nevertheless, this case illustrates the regulatory environment under which employers currently operate, and the scrutiny that even the safest of terminations might receive.
2. If you want to make sure that you have the freedom to discipline any employee for the use of obscenities, it is safest to apply the same standard to all employees. Nevertheless, I firmly believe that the Board missed the mark in this case. There exists a real and meaningful distinction between the occasional conversational f-bomb and “Fuck his mother and his entire fucking family!!!!“

Are Meerkat and Periscope the “next big thing” for employers to worry about?

Have you downloaded Meerkat or Periscope to your iPhone? Do you even know what Meerkat and Periscope are? They are new apps that permit you to live-stream video. They essentially work the same way—when you launch a live-stream, the app tweets out a link for your followers to watch your video. The only real difference in the experience (aside from the aesthetics of the apps) is that once you stop your stream on Meerkat the link goes dead and the video disappears, while Periscope can keep the link live for 24 hours of replay viewing.

Last week, within hours of Meerkat’s and Periscope’s launches, a massive building explosion on New York’s Lower East Side gave us a glimpse of the potential power of these apps, as they turned everyone with an iPhone into instant video-journalists. As for me, so far I’ve only used them to send out video of my dog sleeping on the couch (although I hope to put Periscope to use for some video legal updates in the near future).

Should employers worry about these apps? They offer employees tremendous power. Imagine your workers live-streaming alleged safety violations in your plant, or active sexual harassment, or a termination meeting, or an employer trying to break up a picket line?

Yet, this technology isn’t the-sky-is-falling for employers. For years, the iPhone has placed this same power into employees’ hands. An iPhone + an active internet connection + a YouTube account isn’t that much different than these new live-streaming apps. These apps remove some of the friction from the posting experience, but otherwise don’t create any new opportunities for your employees to journalize your workplace.

Employers shouldn’t knee-jerk ban these apps (or mobile devices in general) from the workplace. It’s possible that the NLRB would permit employers to ban the use of these apps in the workplace, but it’s just as likely that the NLRB will look at such policies with a harsh eye under its section-7 lens. Until we get some guidance from courts on these issues, there is real risk in broad-based bans of mobile technologies or apps.

Instead of rolling out a reactionary policy that could catch the NLRB’s attention, train your employees on their responsible use of the Internet, and your managers and supervisors on the need to be very aware of the possibility that everything that happens at work no longer necessarily stays at work. Indeed, if it happens at work, it is just as likely to end up on Facebook, Twitter, Instagram, YouTube … or Periscope.

You can follow me on Periscope @jonhyman, and tune in at 5 pm on April 11, where I’ll be broadcasting some of my daughter’s performance live from the Rock and Roll Hall of Fame.

Is your company ready for WYOD?

At 1 pm today, Apple will formally unveil its Watch to the public. While other companies have launched smartwatches, because it’s Apple, today’s launch of the Apple Watch will officially herald the beginning of the era of wearables.

If the era of wearables is upon us, it means that as soon as your first employee wears a smartwatch to work, your HR, legal, and IT departments have a whole host of new issues with which to deal.

Better stated, the issues aren’t new, but their application to an evolving technology is.

If your organization already has a BYOD (Bring Your Own Device) policy, then you are well ahead of the game. You will, however, have to adapt that policy to account for WYOD (Wear Your Own Device). All you’ll have to do is extend your BYOD to expressly cover wearables. These devices will bring email, text messages, financial information, and health data to a smaller, even more portable form. And, the more avenues your employees have to access your network and data, the more ingresses hackers have to steal information and do other bad things. In other words, you need to understand wearables, and account for them in your policies, because your employees aren’t going to wait for an official green light to start using them.

If you don’t have a BYOD policy, what are you waiting for? These issues aren’t going away. What should you be considering? Here is a good starting point.

The internet might be for porn, but not on work computers

I spent yesterday working from home, as Cleveland got socked with nearly a foot of snow and my kids had the day off from school.

While working from home, I came across an article from Crain’s New York Business, entitled, Porn and the snowbound workforce. The article argued that winter storms lead to increased software security violations, including those on company-owned computers that employees are using to work from home, including a spike in malware infections.

[I]ncreased levels of malware infections go almost hand-in-hand with increased traffic to porn sites. Adult-content platform Pornhub reported a 21% increase in traffic from New York City-based users during this week’s storm…. For randier New Yorkers who might have been home with work-provided laptops, the blizzard malware infections could cause more than just an uncomfortable chat with human resources.

Companies should want employees to have the flexibility to work from home during inclement weather. It’s certainly safer than having them traverse icy or snow-covered roads. Moreover, it enables you to capture some of the productivity you would otherwise lose from childrens’ snow days and other weather-related days off. Companies must, however, make it clear to employees that work computers are for work, and not for play, even if the employee is using the computer at home.

Consider the following Telecommuting Principles, from the Emory WorkLife Resource Center:

• The user’s local IT unit must provide, maintain, and support a computer with an approved Emory configuration defined by the Local IT unit. The configuration must address the Information Security Requirements for Telecommuting Arrangements which includes items such as current security updates and anti-virus capability, removal of administrative rights, proper firewall configuration, and security incident reporting requirements.
• Telecommuters must use only the Emory provided computer for telecommuting.
• Telecommuters must protect the computer issued to them and any sensitive data that it might contain.
• Telecommuters may not store sensitive information on the computer unless authorized to do so, and even then, telecommuters must only store the absolute minimum required.
• Telecommuters must encrypt or password protect documents that contain sensitive information when possible, and upgrade to Full Disk Encryption when an enterprise solution becomes available.
• Telecommuters may not transfer sensitive data to non-Emory owned systems or removable media, and they may not allow unauthorized users to use the computer issued for telecommuting.
• Users must immediately notify their manager and local IT support if a system used to telecommute is lost or stolen or if the system is compromised or suspected of being compromised by a computer virus or hacker.

These types of policies cannot guarantee a malware-free IT infrastructure. They will, however, provide you some sense of security in knowing that your employees are aware of the issue, while at the same time providing you the ammunition you need to support action against a employee who misuses your computers.

New anonymous workplace app raises big workplace issue

Have you heard about Memo? It an iPhone app that allows individuals to post anonymous comments, both positive and negative, about their employers to a specific group page about the company. As you could imagine, it’s the negative posts that will get the lion’s share of attention.

Here’s what a typical company-bashing comment on Memo looks like.

According to Quartz.com, Memo has already “received two cease-and-desist letters, two companies have blocked emails from Memo hitting their servers, and three companies have written memos to employees about the app.”

I want to address the latter—companies that, via policy, fiat, or otherwise, try to stop their employees from using Memo.

As you should know, federal labor law gives employees the right to engage in protected, concerted activity—that is, discussions between or among employees about wages, hours, and other terms and conditions of employment. Employees’ discussions, for example, about an open-door policy, would be a textbook example of protected concerted activity.

Federal labor law prohibits employers from retaliating against employees for engaging in protected concerted activity. Retaliation isn’t Memo’s biggest risk because its posts are (supposedly) anonymous. However, federal labor law also prohibits employers from maintaining or enforcing policies that could chill employees’ right to speak about terms and conditions of employment.

Thus, if you think you can legislate Memo (or other similar apps) out of your workplace, you might want to think again. The NLRB will likely hold a very different opinion about the rights of your employees to talk about your company, anonymously or otherwise.

More on data security as an unfair labor practice

A few months ago, I wrote how the NLRB was exploring new areas of potential protected concerted activity to regulate. One such area is information and data security.

According to Employment Law 360, the NLRB potentially is looking to expand its reach in the area of cybersecurity, this time investigating whether an employer was required to bargain with its labor union over the impact of a data breach on its employees:

A postal workers union has lodged a charge with the National Labor Relations Board over the U.S. Postal Service’s handling of a recent data breach, a novel move that adds union negotiations to the already sprawling list of concerns companies must contend with in their race to mitigate cyberattacks.

In a Nov. 10 charge filed with the NLRB, the American Postal Workers Union accused USPS of engaging in unfair labor practices in violation of the National Labor Relations Act, by failing to give the union advance notice “that would enable it to negotiate the impacts and effects” on employees of the cyberattack….

The union specifically took issue with USPS’ offering employees affected by the incident one year of free credit-monitoring, a decision that the postal workers characterized as a unilateral change to wages, hours and working conditions that an employer is generally not permitted to make without first bargaining with the union.

Responding to a cyber-attack is complicated and complex. The federal FTC, along with a patchwork of divergent state laws, requires quick communication of various levels of detail and complexity to individuals and regulators following a data breach. If employers need to add communications to labor unions to this list of constituents (and this issue remains very much open), it will create additional burdens on employers, which could potentially slow down a company’s other response efforts.

To avoid these issues, employers should consider bargaining these issues into the terms of collective bargaining agreements, so that you have a game plan in place before you have to respond. Otherwise, when faced with a data breach, you could be faced with running your response programs through the filter of your labor unions, which could hamper your other response efforts, and subject your company to potential liability from the cyber breach.

Are you doing enough to protect your trade secrets from theft in the cloud?

Do your employees use Dropbox (or Google Drive, or Box, or iCloud, etc.) to store work documents? The appeal of these cloud services is easy to see. Because they provide the ability to store electronic files and access them across multiple devices linked to the same account (i.e., one’s office PC, home computer, iPhone, and iPad), they have exponentially increased the work-life balance of employees who need to work beyond the traditional 9-5. With that benefit, however, comes significant risk to employers.

You may think Dropbox and other cloud services don’t present a risk. After you, your employees are loyal and trustworthy. But, it only takes one layoff to turn a loyal employee into a desperate job seeker looking to provide value to turn a prospective employer into a new job. In that instance, the trade secret cat is out of the bag, and you are spending, and spending, and spending, to try to wrangle it back in.

I’ve seen two cases in which a company alleged that an employee absconded with trade secrets or other confidential information by storing them remotely on a cloud service.

• In a lawsuit filed last week, Lyft accused its former COO of snatching thousands of sensitive documents when he left to work for its chief competitor, Uber. The mode of theft? The downloading of emails and documents to his personal Dropbox account in the months leading up to his defection.
• Last year, Zynga settled a lawsuit it had filed against a former manager whom it alleged had used Dropbox to steal its trade secrets upon leaving for a rival startup.

What can an employer do to minimize risk of trade-secret misappropriation or other breach of confidentiality, short of filing expensive and protracted litigation? Consider these 8 steps, courtesy of the ABA Section of Litigation’s Intellectual Property Committee:

1. Limit access to trade-secrets on a need-to-know basis. The fewer people with access to trade secrets, the more likely the information will remain secret.
2. Limit access to cloud-based solutions on company computers and prohibit any use of personal cloud solutions for company materials. Consider installing software to limit access to any cloud solutions that are not approved by the company.
3. Implement policies and train employees about the use (or non-use) of cloud solutions and, more generally, about the protection of confidential information. Employee handbooks, new-employee orientations, posted company policies, and annual employee training sessions all provide opportunities to address these issues.
4. Monitor when files are accessed or downloaded, and by whom. This will allow the company to take immediate action in the event it discovers suspicious activity.
5. Require employees to sign NDAs. All employees should sign NDAs prohibiting them from taking or using company information for any purpose other than their work for the company. These obligations should extend beyond termination.
6. Conduct exit interviews. This will allow the company to explore whether the employee retained any confidential information and to instruct him or her that any such information should be immediately returned or destroyed.
7. Collect and secure computers used by terminated employees. By examining the computer of a former employee, a company can often determine if any information was taken before the employee’s departure and what that information was.
8. Label or name files containing trade secrets as “Confidential” or “Trade Secret.” While this probably will not prevent unauthorized use or access, it may help a company to persuade a court that any misappropriated information still qualifies for trade-secret protection. This is because confidentiality labels help show that the company took reasonable steps to maintain secrecy by notifying the employee as to the sensitivity of the information.

You cannot absolutely protect against the use of the cloud by your employees. All an employee has to do is email a file to a personal email account, and your control over that file is gone. Implementing these 8 measures, however, will place your business in the best position possible to limit your risk, and secure against theft of sensitive information by exiting or otherwise disgruntled employees.

What if…? Internet use as a disability

Last year I reported on the possibility that Internet use could become an ADA-protected disability. Now, we have one of the first documented cases of this phenomenon. From CNN:

A man who checked in to the Navy’s Substance Abuse and Recovery Program for alcoholism treatment was also treated for a Google Glass addiction, according to a new study.

San Diego doctors say the 31-year-old man “exhibited significant frustration and irritability related to not being able to use his Google Glass.” He has a history of substance abuse, depressive disorder, anxiety disorder and obsessive-compulsive disorder, they say.

The man was using his Google Glass for up to 18 hours a day in the two months leading up to his admission in September 2013, according to the study…. “He reported that if he had been prevented from wearing the device while at work, he would become extremely irritable and argumentative,” the doctors write.

The Guardian adds that “the patient repeatedly tapped his right temple with his index finger, … an involuntary mimic of the motion regularly used to switch on the heads-up display on his Google Glass.”

This supposed addiction is not limited to wearables like Google Glass. For example, CBS News recently reported on the physiological changes to the brain that could result from too much Facebook use.

What results when we toss this story into the employment-law blender?

• Do you have employees who seem to spend an inordinate amount of time online? Is it affecting their performance and inhibiting their ability to perform the essential functions of their jobs? If so, you may have to engage them in the interactive process to determine if there exists a reasonable accommodation that enables them to perform those essential functions? For example, could you deny computer access to employees who do not need to use a computer for their jobs, and require that such employees leave their cell phones outside the work area?

• Do you have a policy that prohibits non-work-related Internet use? If so, it might run afoul of the ADA, just like hard-capped leave absence of policies. It’s not that employers cannot place reasonable limits on workplace computer use. By instituting a ban, however, employers are avoiding their obligations to engage in the interactive process, thereby violating the ADA.

These are difficult issues, exacerbated by the novelty of the concept. Nevertheless, the more the Internet becomes entrenched in our lives (if that possible), the greater the likelihood that employees will begin embracing ideas such as Internet addiction as a disability and the need for employers to consider and provide reasonable accommodations. It’s a brave new world, we just happen to work in it.

Do your BYOD employees understand the remote-wipe?

My kids are growing up. For example, we’ve now graduated from me having to wake them up in the morning for school and helping my son get dressed, to his big sister setting the alarm on her iPod, and both kids waking up and dressing without parental supervision. There is one area, however, for which my 6-year-old still requires help. Every now and again, I will hear the familiar cry of, “Daddy, I went poopies,” which beckons me into the bathroom to inspect, and, if necessary, aid his wiping technique.

Employers and employees are getting used to wiping of another kind—the remote wiping of employees’ personal mobile devices.

More and more employers are embracing BYOD (“bring your own device”) as a win-win for employers and employees. Employees get to use the device of their choice, without having to juggle multiple gadgets, while employers save on hardware costs. One survey I read (as cited by the Wall Street Journal) suggested that by 2017, half of all employers will stop providing mobile devices to employees and require them to use their own for work.

The use of personal devices for work, however, raises an important issue. How do employer ensure that company information is removed from a device if it goes missing or if an employee leaves the business. The answer is the employer must have the ability to remote-wipe the device to remove its data. What happens, however, if a remote-wipe compromises an employee’s personal data? I would argue that it is the risk employees take for BYODing. Employer have to be able to guarantee the security of their own information, even if it might compromise employee’s personal data.

SHRM predicts that “as state and federal regulations struggle to keep up with new technology, an employer’s ability to wipe employee personal cell phones and devices will likely be tested through the courts.” How can you best protect your organization from the risk of lawsuit by an employee who loses personal data through your remote-wipe of a mobile device? Have a BYOD policy—upon which employees place their John Hancock attesting to having read and understood the policy—which unequivocally states that:

1. the employee’s phone will be wiped (remotely or otherwise) of all company-related information if the device is reported lost or stolen and upon the termination of employment;
2. the employee understands that this wiping could result in the loss of personal data or information; and
3. the employee indemnifies the company for an loss or damage that may result from the wiping of the phone under the policy.

With those protection in place before an employee decides to use his or her own personal device for work, an employee will have a harder time challenging the after-effects of a remote wipe.

As for my son, that’s for another day…

[Image by Intel Free Press [CC-BY-2.0], via Wikimedia Commons]

The Supreme Court’s opinion on cell phone privacy is a must-read for all employers

It’s a rare day that I write a post of which the vast majority is a 900-word quote from a court opinion. Yesterday’s decision by the U.S. Supreme Court in Riley v. California [pdf], however, is significant enough to cede my space to the words of Chief Justice Roberts:

Cell phones differ in both a quantitative and a qualitative sense from other objects.… The term “cell phone” is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.

One of the most notable distinguishing features of modern cell phones is their immense storage capacity.… Most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so.…

But the possible intrusion on privacy is not physically limited in the same way when it comes to cell phones. The current top-selling smart phone has a standard capacity of 16 gigabytes (and is available with up to 64 gigabytes). Sixteen gigabytes translates to millions of pages of text, thousands of pictures, or hundreds of videos.… Cell phones couple that capacity with the ability to store many different types of information: Even the most basic phones that sell for less than $20 might hold photographs, picture messages, text messages, Internet browsing history, a calendar, a thousand entry phone book, and so on.… We expect that the gulf between physical practicability and digital capacity will only continue to widen in the future.

The storage capacity of cell phones has several interrelated consequences for privacy. First, a cell phone collects in one place many distinct types of information—an address, a note, a prescription, a bank statement, a video—that reveal much more in combination than any isolated record. Second, a cell phone’s capacity allows even just one type of information to convey far more than previously possible. The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet. Third, the data on a phone can date back to the purchase of the phone, or even earlier. A person might carry in his pocket a slip of paper reminding him to call Mr. Jones; he would not carry a record of all his communications with Mr. Jones for the past several months, as would routinely be kept on a phone. 

Finally, there is an element of pervasiveness that characterizes cell phones but not physical records. Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cell phone, with all that it contains, who is the exception.According to one poll, nearly three-quarters of smart phone users report being within five feet of their phones most of the time, with 12% admitting that they even use their phones in the shower. See Harris Interactive, 2013 Mobile Consumer Habits Study (June 2013).… Today … it is no exaggeration to say that many of the more than 90% of American adults who own a cell phone keep on their person a digital record of nearly every aspect of their lives—from the mundane to the intimate.… 

Although the data stored on a cell phone is distinguished from physical records by quantity alone, certain types of data are also qualitatively different. An Internet search and browsing history, for example, can be found on an Internet-enabled phone and could reveal an individual’s private interests or concerns—perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD. Data on a cell phone can also reveal where a person has been. Historic location information is a standard feature on many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town but also within a particular building.…

Mobile application software on a cell phone, or “apps,” offer a range of tools for managing detailed information about all aspects of a person’s life. There are apps for Democratic Party news and Republican Party news; apps for alcohol, drug, and gambling addictions; apps for sharing prayer requests; apps for tracking pregnancy symptoms; apps for planning your budget; apps for every conceivable hobby or pastime; apps for improving your romantic life. There are popular apps for buying or selling just about anything, and the records of such transactions may be accessible on the phone indefinitely. There are over a million apps available in each of the two major app stores; the phrase “there’s an app for that” is now part of the popular lexicon. The average smart phone user has installed 33 apps, which together can form a revealing montage of the user’s life.… 

To further complicate the scope of the privacy interests at stake, the data a user views on many modern cell phones may not in fact be stored on the device itself.… Cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself. Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference.… Moreover, the same type of data may be stored locally on the device for one user and in the cloud for another.

Riley is a 4th Amendment search-and-seizure case. It’s not an employment case. So, why, you ask, is it so important? For the first time, our highest court is recognizing, in great detail, the significant privacy interests we expect in our mobile devices. Does your company have a cell phone or mobile device policy? Does it explain to your employees that they are giving up certain expectations of privacy if they accept your phone or connect their own phones to your network? In light of Riley, if you don’t have this policy containing these disclaimers, you better, because courts are going to become increasingly hostile to claims that individuals do not have privacy expectations in their mobile devices.

Firing of county employee teaches important lesson about use of mobile technology

We love our phones. We are an iPhone society. I’ve referred to the phenomenon as “iPhone-ification.” Do you know that there are more mobile phones than people in the United States? Moreover, 90% of American adults own mobile phones, and nearly 60% are “smart.”

Not these phones.

Despite the proliferation of mobile phones, and their use in work and for work, many employees still do not understand the difference between work use and personal use.

Case in point? Yesterday, the Cleveland Plain Dealer reported that Cuyahoga County suspended a supervisor for using his county-issued cell phone to send unwelcome sexual text messages to a co-worker. According to the County [pdf], the employee used his phone to flirt and text sexual innuendo, even after the recipient told him to stop.

From this story, I offer two lessons—one for employees and one for employers.

• For employees, please stop using your work phones (and that includes your own personal devices that your employer allows you to connect to its network, i.e, BYOD) for personal business that will get you in trouble at work. If you wouldn’t say it to someone’s face, don’t email it, text it, Facebook it, or otherwise send it via your phone. Just because we treat our phones like members of our families does not mean that their content are off limits to employers. They’re not. 
• For employers, communicate this message to your employees. Trust me, they don’t get it. They think the four-inch device in their pockets is theres, and what they email, text, Facebook, etc., is not your business. Spell it out, in plain English in a mobile device policy. And reinforce that message in training sessions.

Photo used with permission / original here.

The NLRB is looking to overturn email solicitation rules

In Register Guard, the NLRB held that an employer’s solicitation or other communication policy can lawfully bar employees’ non-work related use of an employer-owned email system, unless, on its face, it discriminates against employees’ exercise of Section 7 rights. Thus, under Register Guard, a policy that prohibits employee use of an email system for “non-job-related solicitations” does not violate the NLRA, even if the very nature of that ban includes union-related solicitations.

The NLRB decided Register Guard in 2007, near the tail-end of the Bush-era Board. Now, it’s 2014, and the current Obama-era Board is taking a look at Register Guard. 

The Board has posted a notice [pdf] asking advocates to submit position briefs covering each of the following five issues:

1. Should the Board reconsider its conclusion in Register Guard that employees do not have a statutory right to use their employer’s email system (or other electronic communications systems) for Section 7 purposes?
2. If the Board overrules Register Guard, what standard(s) of employee access to the employer’s electronic communications systems should be established? What restrictions, if any, may an employer place on such access, and what factors are relevant to such restrictions?
3. In deciding the above questions, to what extent and how should the impact on the employer of employees’ use of an employer’s electronic communications technology affect the issue?
4. Do employee personal electronic devices (e.g., phones, tablets), social media accounts, and/or personal email accounts affect the proper balance to be struck between employers’ rights and employees’ Section 7 rights to communicate about work-related matters? If so, how?
5. Identify any other technological issues concerning email or other electronic communications systems that the Board should consider in answering the foregoing questions, including any relevant changes that may have occurred in electronic communications technology since Register Guard was decided. How should these affect the Board’s decision?

The notice is in response to an ALJ’s decision in Purple Communications, Inc., holding that an employer did not violate the Act by prohibiting use of its electronic equipment and email systems for activity unrelated to its business purposes. 

By all appearances, the NLRB appears to be looking for a reason to reverse Register Guard, and issue a rule under which a facially neutral email policy is nevertheless illegal if one could reasonably read it to restrict employees’ rights to engage in protected concerted activity. While this re-imagining of Register Guard would be consistent with the NLRB’s more recent positions in social media and other workplace communication cases, it is nevertheless concerning for employers and bears monitoring as this important issue weaves its way through the NLRB. 

NLRB judge says employee cannot require its employees to disclaim social media posts

The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of The Kroger Co. family of stores.

In The Kroger Company of Michigan [pdf], and NLRB administrative law judge concluded that Kroger’s Online Communications Policy—which required that it’s employees post the above-quoted disclaimer along with the publishing of any work-related online content—was illegal.

The ALJ conceded that Kroger’s has a legitimate interest in limiting unauthorized communications. Nevertheless, the perceived over-breadth of the policy trumped the employer’s legitimate interest:

An ever increasing amount of social, political, and personal communication, increasingly by people of all ages, takes place online.… A rule that required Kroger employees, who are identified as such, to mouth a disclaimer whenever they conversed with others about “work-related information,” while standing on a street corner, picket line, in church, in a union meeting, or in their home, would never—ever—withstand scrutiny. As with traditional, in-person communication, this required online disclaimer has no significant legitimate justification and is, indeed, burdensome to the point that it would have a tendency to chill legitimate section 7 speech. 

How does a statement by an employee, on the employee’s personal Facebook page, that the posts are his and not his employer’s, chill an employee from expressing an opinion about work? To the contrary, this disclaimer would seem to have the opposite effect, freeing the employee to talk about work because he or she has already disclaimed that the post is merely the employee’s personal opinion, and not an official statement of the employer.

As Eric Meyer pointed out in discussing this decision last week, Kroger merely serves to add to the confusion that already exists around workplace social media policies. As for me, I see little harm in these types of disclaimers.

Please, please, please … be careful what you email

Darren Wyss claims that his former employer, Compact Industries, demoted him on the basis of his gender and replaced him with a female. Wyss’s immediate supervisor was Tracey Brown, one of the company’s owners, and the sister of Michael Brown, another owner. After Wyss’s demotion, Michael emailed his sister, “You demoted Darren without telling me? … Darren is a good worker, too bad he’s male.”

Based on that email, the court—in Wyss v. Compact Indus. (S.D. Ohio 3/12/14)—had little trouble denying the company’s motion to dismiss the sex discrimination lawsuit.

It is reasonable to infer that Michael Brown knew of his sister’s motive for demoting Wyss and was referring to that motive in this email. This plausibly suggests that the decision to demote Wyss, who was otherwise a “good worker,” was motivated by Tracey’s intent to discriminate against men. 

Nothing good comes from putting statements like “too bad he’s male” in emails, or text messages, or voice mails, or any other form of communication. Those words should never leave your lips, let alone flow forth from your fingers in anything typed. Michael Brown may have a logical, non-discriminatory explanation for his statement … or at least he better before he gives his deposition. Even with an explanation, however, his misstep makes his company’s case that much more difficult. Do your damndest to avoid the same miscue.

Read this post before you access your employee’s social media accounts

Susan Fredman Design Group employed Jill Maremont as its Director of Marketing, Public Relations, and E-Commerce. In that capacity, she used her own personal Twitter account and Facebook page to promote SFDG’s business. To keep track of the various social media campaigns she was conducting for SFDG, Maremont created an electronic spreadsheet, on SFDG’s computer and saved on SFDG’s server, in which she stored the passwords for her accounts. It appears that Maremont provided access to, or copies of, the spreadsheet to other SFDG employees to assist in her social media posts on behalf of the company.

Maremont suffered injuries in a serious car accident that kept her out of work. During that time, she claimed that SFDG employees, without her permission, accessed her Facebook and Twitter accounts and posted on her behalf.

In the ensuing lawsuit—Maremont v. Susan Fredman Design Group (N.D. Ill. 3/4/14)—Maremont alleged violations of the Lanham Act (that SFDG unlawfully passed itself off as Maremont), and the Stored Communications Act (that SFDG unlawfully accessed her electronic accounts without her permission). The district court dismissed the Lanham Act claim, but permitted the Stored Communications Act claim to proceed to trial.

Legal intricacies aside, the case is both instructive and troubling.

This case is instructive because it shows the danger when a company fails to brings its social media accounts in-house. Maremont used her personal Facebook and Twitter accounts for her employer. When she was out of the office for an extended period of time, instead of letting its social media presence falter, SFDG used Maremont’s account information to continue posting. How could SFDG have avoided these potential legal traps and an expensive lawsuit? Either by requiring that Maremont use its own social media accounts for official company business, or by having a written agreement with her that it had the right to access her mixed-use personal accounts. The former is cleaner and less risky, but the latter would have still likely kept it out of court, even if mixed-use accounts are harder to untangle at the end of employment.

This case is troubling because it sets the precedent that an employer to which an employee provides passwords to the employee’s social media accounts cannot access those accounts for business purposes. By all appearances, Maremont provided her account information and passwords to her coworkers. SFDG could not have foreseen that it would violate federal law by using them to continue Maremont’s work while she was incapacitated. Yet, that is exactly what happened.

What’s the main takeaway here? If you are going to permit your employees to use their personal social media accounts for business purposes, get it in writing that you have rights to the accounts. Define who else can access the accounts, and what happens with them if the employee is incapacitated or no longer employed. Otherwise, you are potentially exposing yourself to an expensive and uncertain lawsuit to define these rights in court after the fact.

[Hat tip: Internet Cases]

Mind your internal emails to avoid discrimination issues

Shazor v. Professional Transit Mgmt., Inc. (6th Cir. 2/19/14), interests me for two reasons. First, it discusses and applies a “sex-plus” theory of discrimination to save a plaintiff’s race discrimination and sex discrimination claims from the summary-judgment scrap heap. “Sex-plus” recognizes that race and sex are not mutually exclusive, and protects African-American woman as a class of their own. I commend Shazor to your reading list for its interesting narrative on this issue.

I want to discuss, however, the other interesting aspect of Shazor—the evidence the plaintiff used to avoid summary judgment. She submitted various emails between two corporate executives, in which they unflatteringly referred to her as a “prima donna,” “disloyal, disrespectful,” and a “hellava bitch.” Shazor successfully argued that these emails were code for “angry black woman” or “uppity black woman.” The court used these emails as prima-facie evidence of discrimination in support of her “sex-plus” claim.

Emails is a powerful communication tool. It’s also very permanent. I’ve been saying this about social media for years, but perhaps it’s time to remind employers that communication is communication, no matter how it’s transmitted. If you don’t want something to appear on the front page of the newspaper, or to be read in front of a judge or jury, don’t put it in writing. Don’t email it, don’t text it, don’t Facebook it, and don’t tweet it.

“I have a solution,” you say. “What about apps like Confide, which erases a text message as soon as the recipient reads it.”

While these apps seem like a perfect way to communicate under the radar, their use for business purposes gives me great pause. The intent of this class of apps is to delete communications. I could very easily see a court, confronted with evidence that people have this app on their iPhones and use it for business communications, have willfully destroyed evidence. Spoliation and evidence destruction discovery sanctions would result. For this reason, I believe that company mobile-device policies should police the use of apps like Confide, Snapchat, and their message erasing ilk. And, while your reviewing your policies, mix in some training for your employees about the responsible use of electronic communications.

NLRB ALJ upholds workplace ban on recording devices

Two months ago I wrote the following, concerning whether employers should be thinking about implementing bans on employees using recording devices in the workplace:

If you do not have a policy against employees recording conversations in the workplace, you might want to consider drafting one. You never know when an employee is going to try to smuggle a recording device into a termination or other meeting. The proliferation of smart phones has only made it easier for employees to make recordings, both audio and video. Why not address this issue head-on with a policy? Unless, of course, the NLRB gets its way and renders these policies per se illegal.

At least as to the last point (the legality of such bans under the National Labor Relations Act), we now have the beginnings of an answer, via the decision of an NLRB Administrative Law Judge (the finality of which depends on whether the union appeals the decision to the full Board in Washington D.C.).

In Whole Foods Market, Inc. (NLRB Case No. 01-CA-096965 10/30/13) [pdf], the union challenged the following no-recording policy:

It is a violation of Whole Foods Market policy to record conversations with a tape recorder or other recording device (including a cell phone or any electronic device) unless prior approval is received from your store or facility leadership. The purpose of this policy is to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded. This concern can inhibit spontaneous and honest dialogue especially when sensitive or confidential matters are being discussed.

Violation of this policy will result in corrective action up to and including discharge.

The ALJ concluded that this policy did not violate the rights of the employees of Whole Foods to engage in protected concerted activity under the National Labor Relations Act:

I have found no cases, and none have been cited, in which the Board has found that making recordings of conversations in the workplace is a protected right…. Even if recording a conversation is a protected right, the Respondent is entitled to make a valid rule, such as the one in question here, to regulate its workplace, and in doing so, prohibit such activity….

The rule does not prohibit employees from engaging in protected, concerted activities, or speaking about them. It does not expressly mention any Section 7 activity. The only activity the rule forbids is recording conversations or activities with a recording device. Thus, an employee is free to speak to other employees and engage in protected, concerted activities in those conversations….

There is no basis for a finding that a reasonable employee would interpret this rule as prohibiting Section 7 activity.

In light of this decision, what is an employer to do?

1. Review any existing workplace recording policies to ensure that the stated reasons for the policy is clear. For example, in Whole Foods, the company relied on the protection of “candor and forthrightness in employee opinions.”

2. Do not institute a new recording ban, or amend an existing policy, in response to union activity.

3. Do not apply a recording ban to limit or prohibit the recording of protected Section 7 activity (wages, benefits, terms and conditions of employment, union issues, etc.).

4. Limit the prohibition to working time and work spaces.

This case offers hope to employers that there exists a more reasonable analysis of the application of Section 7 rights to workplace policies other than suggested by the Board’s recent actions.