Featured on Employment Law This Week® –  Pokémon Go creates privacy concerns for employers.

The first mainstream augmented reality game is sweeping the nation, and the game never stops, even during work hours. Despite a recent update to the game that reduces its access to players’ Google accounts, Pokémon Go’s data collection practices are under fire from privacy advocates. The Electronic Privacy Information Center has joined the fray, calling for the FTC to investigate security risks associated with the game. In light of the popularity of the game, employers should consider adding more detail into their policies about how and where business mobile devices can be used.


Employers in the technology, media and telecommunications industry are faced with many workplace management and legal compliance challenges. Among these are trends in the shared economy and rise of the contingent workforce, data privacy and security, and use of social media in connection with recruitment, employee monitoring and termination. At the recent Epstein Becker Green 34th Annual Workforce Management Briefing held at the New York Hilton, members of the firm’s TMT Group, including the authors of this post, along with in-house counsel speakers Rebecca Clar of AOL and Blake Reese of Google, provided a panel workshop on these hot-button issues. Some of the key take-aways from the workshop include:

Shared Economy & Contingent Workforce

As a result of changes in the post-recession, global economy, there has been a tremendous change in how goods and services are delivered and how consumers acquire these goods and services.  As businesses try to meet these demands and save costs associated with full time employees, they have implemented many alternative work arrangements and hired workers through various means including as independent contractors,  through staffing arrangements, or temporary solutions.  Many workers also have become attracted to the flexibility that these work arrangements can provide to them.  However, employers need to be mindful of the potential pitfalls associated with the contingent workforce and take requisite steps to avoid legal risks:

  • Worker misclassifications can lead to back pay, overtime, tax, unemployment insurance, and workers compensation violations as well as employee benefit plan eligibility and coverage errors.  Ensuring that workers are properly classified is mission critical and employers should self-audit their work arrangements and benefit plans periodically for compliance.
  • The NLRB’s decision in Browning-Ferris, coupled with new “quickie” election rules and the Silicon Valley Rising movement have made for a perfect storm of issues.  As a result, TMT employers who may not currently be represented by a labor organization should be mindful that non-traditional workplaces and corporations, such as new media, may be targeted for unionizations, and/or may be brought to the bargaining table as a joint-employer who engages third-party workers.
  • Given the developments at the Department of Labor, and in particular, the proposed increase in the minimum annual salary requirement in order to meet the salary basis test of the white collar exemptions, there has never been a better and more opportune time to conduct a self-assessment audit in conjunction with counsel.

Data Privacy and Security

In the global, digital world, data privacy and security is top of mind for all organizations and their leaders.  Protecting organizational data, as well as that of employees, is imperative and development of data privacy and security policies will become the norm. The issues employers should address in their policies, as well as the ways in which they do business, include:

  • Conduct a self-audit of organizational networks and systems for security vulnerabilities and train workers on information security best practices
  • Establish audit procedures of vendors engaged to provide services to the organization and any employee benefit plan, especially where the vendor stores information in the cloud or remote data centers
  • Address data privacy and security issues in service agreements including notification procedures and indemnification provisions
  • Develop a breach response plan
  • Obtain cybersecurity insurance
  • Remember:  data privacy and security are no longer just CIO/CTO/IT issues – instead, these are topics that are increasingly becoming relevant in the employment law and employee benefits space.

Social Media and the Workplace

The use of social media by employers to review background information of prospective employees in the recruitment process, as well as ongoing activities during employment or leading up to a termination process, is highly prevalent. It is easy for employers to search an employee’s name, background and activities on the internet, but how that information is used can have legal implications. Employers should be mindful of the following:

  • Always rely on objective criteria set forth in a job description before conducting an online search and retain information among the recruitment team at the organization
  • Carefully document reasons for all hiring (and termination) decisions that are consistent with the job description and avoid discriminatory decision making
  • Consider separating the search and decision making functions and train the employees conducting searches to remove protected categories from the summary of results upon which the hiring decision is made
  • Develop a company social media policy with counsel that is narrowly tailored to survive NLRB scrutiny, but that safeguards the company’s treasures and secrets.
  • Employers can continue to discipline employees for their social media activities, provided that the objectionable conduct does not implicate Section 7 behavior – a fact and circumstances based analysis that may be counterintuitive to HR and in-house personnel.

Employers that address these issues head-on will be able to benefit from the advent of new technologies in the workplace and stay in compliance with applicable laws.


Our colleagues Brandon C. Ge, Steven M. Swirsky, Daniel J. Green, Lori A. Medley, and Valerie N. Butera (with Theresa E. Thompson, a Summer Associate) contributed to Epstein Becker Green’s recent issue of Take 5 newsletter. In this edition, we address important employment, labor, and workforce management issues in the technology, media, and telecommunications industry:

  1. BYOD Programs: Privacy and Security Issues and Minimizing the Risk
  2. High Tech and New Media: Organized Labor’s New Frontier
  3. A Growing Role for the FTC in Regulating Workforce Management
  4. Avoiding Age Discrimination Complaints in an Industry Noted for a Lack of Age Diversity
  5. Robotics in the Workplace: How to Keep Employees Safe and Limit Exposure to OSHA Citations

Read the Full Take 5 here.

With the ever-increasing amount of information available on social media, employers should remember to exercise caution when utilizing social media as a part of their Human Resources/Recruitment-related activities. As we have discussed in a prior blog post, “Should Employers and Facebook Be Friends?”, we live in a digital age, and how people choose to define themselves is often readily showcased on social networking sites. Whether – and how – employers choose to interact with the online presence of their workforce will continue to develop as the relevant legal standards try to catch up.

A recent federal court filing in the Northern District of California against LinkedIn Corp. provides yet another example of the growing interaction between online personas and real-world employment law implications.  There, in Sweet, et al v. LinkedIn Corp., the plaintiffs sought to expand the application of the Fair Credit Reporting Act (“FCRA”) by alleging that LinkedIn’s practice of providing “reference reports” to members that subscribe to LinkedIn’s program for a fee, brought LinkedIn within the coverage of the FCRA as a Credit Reporting Agency (“CRA”).  Briefly, the FCRA (and relevant state statutes like it) imposes specific requirements on an employer when working with “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” In other words, there are rules – such as providing requisite disclosures and obtaining prior authorization – that apply when an employer engages a CRA to perform background checks, reference checks and related inquiries.

In the lawsuit, the plaintiffs alleged that LinkedIn was a CRA – and that these various rules should apply – because LinkedIn collected and distributed consumer information to third parties and the resulting reference reports “bear on a consumer’s character, general reputation, mode of living, or personal characteristics, and/or other factors listed in 15 U.S.C. § 1681a(d).”  Further, according to the complaint, LinkedIn violated the FCRA because it should have provided FCRA compliant disclosure and followed the reporting obligations applicable to CRAs.

LinkedIn, which is touted as the “world’s largest professional network,” does not portray itself as a CRA and moved to dismiss the complaint.  LinkedIn argued that the plaintiffs’ interpretation of the statute was too broad and, moreover, was inconsistent with the facts.  A federal judge agreed and dismissed the complaint (although the plaintiffs have the opportunity to file another complaint).  The Court ruled that these reference searches could not be considered “consumer reports” under the law – and LinkedIn was not acting as a CRA – because, in part, the plaintiffs had voluntarily provided their information to LinkedIn with the intention of it being published online.  (The FCRA excludes from the definition of a consumer report a report that contains “information solely as to transactions or experiences between the consumer and the person making the report.”) The Court also noted that the allegations suggested that LinkedIn “gathers the information about the employment histories of the subjects of the Reference Searches not to make consumer reports but to ‘carry out consumers’ information-sharing objectives.’”

The LinkedIn case should still serve as a reminder of several important and interrelated trends.  First, as it concerns the FCRA, the statute is broadly worded to cover “any written, oral or other communication of any information by a consumer reporting agency . . .” and the equally expansive definition of a CRA can apply in numerous situations that extend beyond the traditional notion of a consumer reporting agency.  If applicable, the requirements of the FCRA must be followed.  Second, employers need to continue to be mindful of the fact that their online activity can have real-world employment law implications.  Third, as the law governing traditional employment law continues to evolve in response to online developments, the challenges to that activity will evolve as well.

As these trends continue to develop, it is important to confer with legal representation to ensure compliance.

My colleagues Steven M. Swirsky and Adam C. Abrahms published a Management Memo blog post that will be of interest to many of our readers: “NLRB Issues Critical Guidance on Employer Handbooks, Rules and Policies Including “Approved” Language.”

Following is an excerpt:

On March 18, 2015, NLRB General Counsel Richard F. Griffin, Jr. issued General Counsel Memorandum GC 15-04 containing extensive guidance as to the General Counsel’s views as to what types of employer policies and rules, in handbooks and otherwise, will be considered by the NLRB investigators and regional offices to be lawful and which are likely to be found to unlawfully interfere with employees’ rights under the National Labor Relations Act (“NLRA” or “the Act”).

This GC Memo is highly relevant to all employers in all industries that are under the jurisdiction of the National Labor Relations Board, regardless of whether they have union represented employees.

Because the Office of the General Counsel investigates unfair labor practice charges and the NLRB’s Regional Directors act on behalf of the General Counsel when they determine whether a charge has legal merit, the memo is meaningful to all employers and offers important guidance as to what language and policies are likely to be found to interfere with employees’ rights under the Act, and what type of language the NLRB will find does not interfere and may be lawfully maintained, so long as it is consistently and non-discriminatorily applied and enforced.

Read the full blog post here.

Virginia has now joined the chorus of jurisdictions that ban social media snooping by employers.  As we previously reported here and here, in a growing trend a number of states prohibit employers from requiring prospective or current employees to provide access to their social media accounts during the hiring process.  On March 7, 2015, the Virginia legislature passed H. 2081, a law prohibiting employers from asking or requiring employees or applicants (1) to disclose the username and password to their social media accounts, and (2) to add an employer to the list of contacts associated with their social media accounts.  This law will take effect upon signature by Governor Terry McAuliffe or, if he does not sign or veto the bill, on March 29, 2015.

Regardless of whether employers review individuals’ social media accounts as an applicant-screening tool or as a method to protect proprietary information or trade secrets, companies doing business in Virginia must cease asking these workers for their social media usernames and passwords once the law takes effect.  The new law does not prevent employers from reviewing any public posts made by the employee or applicant, nor does it penalize an employer that inadvertently receives login information through the employee’s use of an employer-monitored electronic device or network, as long as the employer does not use this login information to access an employee’s social media account.

Importantly, employers may still request an employee’s login information if necessary to comply with applicable law, or if the employee’s social media activity is “reasonably believed” to be relevant to a formal investigation conducted by the employer into allegations of the employee’s unlawful activity or violation of the employer’s written policies.

With the passage of this new law, Virginia employers should educate their recruiters not to ask for passwords to applicants’ personal social media accounts (or even to stand over an applicant’s shoulder while logging in). Any background research on an applicant should be limited to publicly available information. Employers also should review their social media and electronic communications policies to ensure that employees’ rights to confidentiality in their social media accounts are properly protected, while preserving the employer’s rights to oversee its electronic systems and to request the production of login information as part of formal investigations into unlawful conduct.

Also keep in mind the other jurisdictions that have passed or are considering similar legislation. In addition to Virginia, thirteen other states have now enacted social media privacy laws: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Washington, and Wisconsin. According to the National Conference of State Legislatures, in 2015 alone, twenty states have introduced or considered legislation regarding access to social media accounts. Employers must be aware of the various levels of privacy protections afforded to social media accounts in each state in which they operate or do business. Epstein Becker & Green, P.C., attorneys can assist with navigating the various applicable state laws and with updating existing, or developing new, social media and electronic communications policies to comply with these laws.

By Anna A. Cohen

As we previously reported, social media privacy has become the latest issue to be regulated by state legislation. Last week, Wisconsin jumped on the social media privacy bandwagon. On April 8, 2014, Wisconsin Governor Scott Walker signed legislation that in most cases prohibits employers, among others, from requesting or requiring passwords or other protected access to “Personal Internet Accounts” of current employees and applicants for employment.

What is a “Personal Internet Account”?

A “Personal Internet Account” is an Internet-based account that is created and used by an individual exclusively for purposes of personal communications. Examples of Personal Internet Accounts include Facebook and LinkedIn. The law, however, does not apply to a Personal Internet Account of an employee engaged in providing financial services who uses the account to conduct the business of an employer that is subject to requirements imposed by federal securities laws (e.g. content, supervision and retention requirements) or rules of a self-regulatory organization, such as FINRA.

What Type of Conduct is Prohibited by the Law?

The law prohibits employers from requesting or requiring an employee or applicant for employment, as a condition of employment, to disclose “access information” for a Personal Internet Account or to otherwise grant access to or allow observation of that account. “Access information” means a user name, password or any other security information that protects access to a Personal Internet Account.

Employers are also prohibited from refusing to hire an applicant, terminating an employee’s employment or otherwise discriminating against an employee or applicant for refusing to disclose access information for, grant access to, or allow observation of the employee or applicant’s Personal Internet Account. Employers are also prohibited from retaliating against an applicant or employee who opposes an employer’s request for such information, files a complaint, or testifies or assists in any action or proceeding to enforce such privacy rights.

Are There Any Exceptions?

Among other exceptions, employers may request disclosure of access information in connection with an investigation of or discipline relating to an employee’s suspected transfer of the employer’s proprietary or confidential information or financial data to the employee’s Personal Internet Account or in connection with employment-related misconduct, violation of the law, or violation of the employer’s work rules as specified in an employee handbook. To avail themselves of this exception, however, employers must have reasonable cause to believe that the activity on the employee’s Personal Internet Account relating to the misconduct has occurred. The law also permits employers to request or require applicants and employees to disclose personal e-mail addresses and access employer-supplied equipment and accounts used for business purposes.

What Happens if an Employer Accidentally Accesses Protected Information?

If an employer inadvertently obtains access information for an employee’s Personal Internet Account, the employer will not be liable for possessing that access information, so long as the employer does not use that access information to access the employee’s Personal Internet Account.

Is There Any Obligation to Monitor Employee Personal Internet Accounts?

Notably, the law makes clear that it does not create a duty for an employer to search or monitor the activity of any Personal Internet Account.

What Should an Employer Do?

In light of this new legislation, and as we previously advised, employers should review application forms and interview scripts to ensure that all inquiries made to applicants are lawful with respect to social media and other areas as state laws continue to evolve. Additionally, before performing any investigation of workplace misconduct involving an employee’s Personal Internet Account, employers should ensure that they have reasonable suspicion to conduct the investigation and that the misconduct is specified in an employee handbook or other written policy.

By Anna A. Cohen and Nancy L. Gunzenhauser

As an increasing number of employers use social media to screen prospective employees and to monitor the activities of current employees, several states have enacted social media privacy laws, including Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Utah and Washington.  Oregon joins those states in 2014. 

Oregon’s new law is highly protective of employee and applicant privacy.  Employers in Oregon are prohibited from requesting that an employee or applicant disclose a username or password to social media accounts.  The law also prohibits employers from compelling employees or applicants to access a personal social media account in the presence of the employer and in a manner that enables the employer to view the contents of the personal social media account that are visible only when the account is accessed by the account holder.  Employers cannot retaliate against applicants and employees — whether in the form of refusal to hire, termination, discipline or otherwise — where the applicant or employee refuses to disclose or provide access to social media.  Nor may an employer retaliate when an applicant or employee refuses to add the employer to the employee’s list of contacts associated with the social media account (e.g. as a friend on Facebook or a connection on LinkedIn).  Exceptions apply for accounts provided by the employer, investigations of work-related employee misconduct, and for compliance with state and federal laws, rules and regulations and the rules of self-regulatory organizations.      

Illinois, the third state to enact a law that pertains to social media privacy, has amended its Right to Privacy in the Workplace Act, effective January 1, 2014.  The amendment differentiates between a “personal account” and a “professional account” used by an applicant or employee exclusively for personal communications, unrelated to any business purpose of the employer.  Employers will now be permitted to request access to an applicant or employee’s “professional” social media account, which is defined as an account “created, maintained, used, or accessed by a current or prospective employee for business purposes of the employer.”  It is important to note that the law’s definition of a social networking site does not include e-mail and it does not prevent employers from obtaining information in the public domain about current or prospective employees.   

Several more states will likely join the social media privacy trend as similar legislation has been introduced in at least 30 states.  As these laws evolve, employers should develop, communicate and enforce clear policies with respect to the purposes for which social networking sites may be mined for data about job candidates and should review application forms and interview scripts to ensure that all inquiries made to applicants are lawful with respect to social media and other areas. 

By  James P. Flynn

The New Jersey Legislature was overwhelmingly in favor of a measure that would have barred employers from obtaining social media IDs and other social media related information from employees and applicants. Click here for A2878 as passed. But Governor Chris Christie vetoed A-2878 because it would frustrate a business’s ability “to safeguard its business assets and proprietary information” and potentially conflict with regulatory requirements on businesses in regulated industries such as finance and healthcare. Click here for the Governor’s Veto Statement. While the Governor thought the bill well-intentioned, he conditionally vetoed it for painting “with too broad a brush,” citing the trade secrets/proprietary information concern as a primary motivation: “In view of the over-breadth of this well-intentioned bill, I return it with my recommendations that it be more properly balanced between protecting the privacy of employees and job candidates, while ensuring that employers may appropriately screen job candidates, manage their personnel, and protect their business assets and proprietary information.”

The Governor specifically recommended the bill be revised to:

  • Create an exception to allow investigation of work place misconduct or unauthorized transfer of confidential or proprietary data to a personal account;
  • Add language confirming that an employer may view, access, or utilize information about a current or prospective employee that can be obtained in the public domain;
  • Carve out of the definition of “personal account” any account, service or profile created, maintained, used or accessed by a current or prospective employee for business purposes of the employer or to engage in business related communications;
  • Eliminate provisions that would create a civil cause of action for affected employees or applicants;
  • Add a proviso stating that nothing in the act shall prevent an employer from implementing and enforcing a policy pertaining to the use of an employer issued electronic communications device or any accounts or services provided by the employer or that the employee uses for business purposes; and
  • Add a proviso stating that nothing in the act should be construed to prevent an employer from complying with the requirements of State or federal statutes, rules or regulations, case law or rules of self-regulatory organizations.

Click here for the bill as revised after the Governor’s veto statement.

These last two provisos are important ones, especially for the financial services industry and the healthcare industry. They are important because FINRA, for example, has laid out certain monitoring and record keeping requirements concerning social media used to communicate with clients and prospective clients concerning potential financial transactions. See, e.g., FINRA Guidance here.

There are likewise data security requirements emerging out of HIPAA and other bodies of law that may require security and monitoring of social media. Click here for a discussion of such issues by Dan Goldman (@danielg280), legal counsel at Mayo Clinic and Advisory Board member to the Mayo Clinic Center for Social Media. In an age of BYOD (Bring Your Own Device) and the consolidation of business and personal activity to a single mobile device, failure to include such exceptions would force employers into hard choices between required monitoring and desired seamlessness of the business/personal transition.

While many states have in the last year adopted such statutes, the interplay between the Governor and the Legislature in New Jersey plays out the competing interests nicely, and hopefully starts a trend toward a more measured approach to such questions. Accommodating these competing interests is not only a legislative challenge, but is one faced by employers and businesses every day.