PRIVACY AND SOCIAL MEDIA IN THE WORKPLACE 2014 … · 2014. 10. 10. · privacy and social media in...

PRIVACY AND SOCIAL MEDIA IN THE WORKPLACE 2014 ROCHESTER SECURITY SUMMIT KATE MARTINEZ, ESQ. & JOHN ROMAN, CISSP 15065016.1


PRIVACY AND SOCIAL MEDIA IN THE WORKPLACE 2014 ROCHESTER SECURITY SUMMIT

KATE MARTINEZ, ESQ. & JOHN ROMAN, CISSP

15065016.1


BALANCING AN EMPLOYER’S RIGHT TO KNOW VS. EMPLOYEE’S PRIVACY


BALANCING AN EMPLOYER’S RIGHT TO KNOW VS. EMPLOYEE’S PRIVACY

— Privacy-related considerations in the employment law setting include:

• Monitoring of employee communications or conduct at work (including e-mails, Internet usage, telephone calls, text messaging, etc.)

• Identifying and protecting high-risk data obtained through, or contained in, employees’ electronic devices

• Monitoring, or making employment decisions based upon, employees’ use of social media


BALANCING AN EMPLOYER’S RIGHT TO KNOW VS. EMPLOYEE’S PRIVACY

— Benefits of Monitoring

• Allows employers to make more informed decisions regarding applicants’ eligibility and fit

• Provides employers with a means of investigating impermissible employee conduct


BALANCING AN EMPLOYER’S RIGHT TO KNOW VS. EMPLOYEE’S PRIVACY

— Risks

• Obtaining certain types of information can expose an employer to potential liability

e.g., Learning about protected class information during a hiring period

• Evidence: Investigation; Litigation holds

• Disclosure of employee secrets or employee private data


BYOD: RISKS, BEST PRACTICES, AND POLICIES


BRING YOUR OWN DEVICE (BYOD)

— Bring your own device ("BYOD") refers to the policy of permitting employees to use personally owned mobile devices (laptops, tablets and smartphones) to access company information, e-mail, and applications

— Benefits:

• Cost savings/lack of capital

• Increased productivity

• Employee satisfaction and choice

"two pocket problem"

Blackberry v. iPhone

• Wave of the future


BRING YOUR OWN DEVICE (BYOD)

— Legal Issues Raised by BYOD

• Employee privacy

• Discrimination/harassment

• Mobile devices and driving

• Wage-hour concerns

• Litigation/e-discovery

• Termination of employees/exit interviews


BRING YOUR OWN DEVICE (BYOD)

— Employee Privacy

• An employee does have a reasonable expectation of privacy in some information stored on employee-owned device

• Other federal and state laws protecting an employee’s right to privacy in their computer, smartphone, e-mail accounts

Computer Fraud and Abuse Act

Stored Communications Act


BRING YOUR OWN DEVICE (BYOD)

— Discrimination/Harassment

• Discrimination

Employer access to employee’s dual-use device could result in finding out protected information

Apps could reveal medical information, sexual orientation, etc.

"Textual Harassment"

BYOD and harassment policies should prohibit sexual harassment via texting, sexting, mobile devices, social media, mobile apps, etc.


BRING YOUR OWN DEVICE (BYOD)

— Mobile Devices and Driving

• Employers can be held liable for the negligent acts of their employees, if the employee was acting within the scope of employment while committing the act

• With mobile devices, the workday arguably never ends

• If an employee gets into a car accident while attending to a work-related e-mail, the employee could expose his/her employer to liability (based on a theory of respondeat superior)

• Texting while driving could give rise to a worker’s compensation claim

• OSHA General Duty Clause and Distracted Driving Initiative: “Employers should prohibit any work policy or practice that requires or encourages workers to text while driving”


BRING YOUR OWN DEVICE (BYOD)

— Wage hour concerns: FLSA and State Law

• Overview

Employees’ workdays no longer have a formal beginning or ending

Employees can (and are often expected to) be available at all times via their mobile devices

These always-connected employees create significant wage-hour compliance issues


BRING YOUR OWN DEVICE (BYOD)

— Litigation E-Discovery Process

• Litigation holds, investigations and e-discovery

• Identification of BYOD devices/information

• Collection of data from BYOD devices when notice of a litigation

Back-up of BYOD devices when notice of a litigation

• Personal e-mail accounts and social media accounts may need to be preserved

• Employers may not have control over such data and accounts, information may auto-delete


BRING YOUR OWN DEVICE (BYOD)

— Exit Interviews

• No longer just about the return of keys, credit cards, documents

• “Wiping clean” the device upon separation of employment

• Obligating employee to “turn over” device for inspection at close of employment relationship

• BYOD policy needs to be clear about clearing the employer’s data on the device upon separation of employment

• Making a copy of the employer’s data on the device if employer believes that litigation will be likely


BYOD BEST PRACTICES

— BYOD policy should be in writing

— BYOD policy should be separate from policy relating to company-owned/issued devices

— Require employee-owned devices to be password-protected

— Policy should allow for remote "wiping" of device in the event that it is lost or stolen to avoid disclosure of confidential, proprietary information

— Require immediate notification of lost or stolen devices

— Require employees to consent, in writing, to allow the company’s access to its data on their devices


BYOD BEST PRACTICES

— No expectation of privacy

— Disclose monitoring

— Restrict the use of mobile devices for work-related matters while driving or operating heavy machinery

— Discipline employees who do not comply with BYOD policies


USE OF SOCIAL NETWORKING SITES IN THE EMPLOYMENT CONTEXT: RISKS, BEST PRACTICES, AND POLICIES


PRE-EMPLOYMENT (RECRUITING AND HIRING)

— Searching for an applicant on social media

• Benefits

Being able to base hiring decisions on a wider range of information

Helping to avoid negligent-hiring lawsuits


PRE-EMPLOYMENT (RECRUITING AND HIRING)

— Federal Statutory Restrictions

• Privacy and Fair Credit Reporting Act (FCRA)

Under FCRA it is lawful for an employer to conduct a third party background check using social media so long as the employer:

• Notifies the applicant that a background check will take place

• Obtains consent from the applicant to conduct the background check

• Notifies the applicant that negative information has been found, and

• Allows time for the applicant to correct any incorrect information reported


PRE-EMPLOYMENT (RECRUITING AND HIRING)

— Practice suggestions to avoid legal disputes (continued)

• Don’t ask for applicants’ usernames and passwords or shoulder surf

Stored Communications Act (SCA), existing state privacy laws

• SCA generally prohibits intentional, unauthorized access to electronic information. Courts recently have started applying the SCA to social media

Pending/prospective federal password protection bills. State password protection bills

Washington state password protection law – Rev. Code Wash. 49.44

• Construct a clear policy outlining acceptable practices


PRE-EMPLOYMENT (RECRUITING AND HIRING)

— Pre-Employment: Creating the Policy

• When screening applicants’ social media data, regardless of whether the screening is internal or external, employers should:

Screen applicants in a uniform manner

Create a list of social media sites that will be searched for each applicant

Create a list of lawful information about applicants desired from every search

Screen all applicants (or a non-discriminatory subset) using that lawful criteria


PRE-EMPLOYMENT (RECRUITING AND HIRING)

— Pre-Employment: Applying the Policy

• Train all supervisors and HR professionals on policy

Make sure those responsible for hiring know the applicable protected classes

• Apply policy in uniform and non-discriminatory manner

• Ensure that hiring decisions are supported by

Legitimate, non-discriminatory reason(s); and

Documentation

• Consult with employment or in-house counsel before making an employment decision based on information found in social media


DURING EMPLOYMENT

— During Employment: Employee/Employer Use and Misuse

• Opportunities/Benefits

Create collegial/community atmosphere

Share experiences and strengthen working relationships

Engage with Employees

Utilize as a communication/PR tool

"Listen" and respond to employees, applicants, customers, and competitors

Develop business and promote brand

Use for recruiting and hiring purposes


DURING EMPLOYMENT

— During Employment: Employee/Employer Use and Misuse (continued)

• Internal Risks

Awkward/potentially harassing situations

Having to act on information learned through social media

Decrease in efficiency/productivity

Wage/hour violations


DURING EMPLOYMENT

— During Employment: Employee/Employer Use and Misuse (continued)

• External Risks

Unauthorized disclosure of confidential or proprietary info

Corporate embarrassment, PR issues

Brand destruction/erosion

Unauthorized disclosure regarding layoffs, litigation, mergers, acquisitions, negotiations


DURING EMPLOYMENT

— During Employment: Investigations

• Types of Investigations

Theft, misconduct, sexual harassment, drug or alcohol use, harm to property, safety concerns, productivity/performance, leak of confidential info

• Potential Sources of Data

E-mail, remote access logs, Internet access logs, computer/laptop, PDA/Blackberry/iPad, social media, other cloud data


DURING EMPLOYMENT

— During Employment: Investigations (continued)

• Legal Considerations

State invasion of privacy, password laws

• Rev. Code Wash. 49.44

Computer Fraud and Abuse Act (18 U.S.C. §1030) addresses hacking of computers used by federal government and financial institutions, and those in interstate commerce

Electronic Communications Privacy Act:

• Wiretap Act (18 U.S.C. §2510): governs wire, oral, and electronic communications in transit

• Stored Communications Act (18 U.S.C. §2701): governs communications held in electronic storage


DURING EMPLOYMENT

— Best Practices:

• Ensure review of data is consistent with the purpose of the investigation

Consider which data may lawfully be reviewed

Create/follow written protocol for review of documents, e-mail, and other data

Choose transactional data over content, where possible


DURING EMPLOYMENT

— Best Practices:

• Decrease employees’ expectation of privacy by creating a clear policy in advance

• Cover all forms of technology/media: Internet, computer, social media, PDAs, etc.

• Review/modify existing policies: IT/computer use, sexual harassment, code of conduct, violence in the workplace, confidentiality, and social media

• Use caution with password-protected, invitation-only, or otherwise "private" websites


DURING EMPLOYMENT

— Employers may not:

• Restrict non-commercial use of their company logo/trademark

• Require employees to secure permission from the employer before posting content to social media

• Contact with the media permission provisions must only restrict speaking on behalf of the company

• Broadly prohibit employees from discussing legal matters or disclosing confidential information

• Must define confidential information and give examples


DURING EMPLOYMENT

— Employers may not:

• Tell employees to use a “friendly tone” online

• But can tell employees to use “appropriate business decorum” in online communications for business purposes

• Suggest that employees try to resolve workplace problems by speaking in person (rather than online) with co-workers, supervisors, or managers

• Broadly prohibit “disparaging or defamatory” comments

• Prohibit social media use during “company time”

— Must have carve-out for use during rest/meal breaks and other non-working hours


DURING EMPLOYMENT

— Employers may:

• Prohibit employees from posting unauthorized statements in the name of the employer, as the policy or view of the employer, or in a manner that could reasonably be attributed to the employer

• Prohibit disclosure of attorney-client privileged information, trade secrets, or information that would violate financial disclosure laws


DURING EMPLOYMENT

— During Employment: Creating a Policy

• Broadly define "social media"

• Address personal/professional and on/off duty use of social media

Applicability: to all employees using social media during working hours OR during non-working hours, regardless of company or personal equipment

Regulate at the nexus between posted content and the employer


POST-EMPLOYMENT

— Post-Employment: References

• LinkedIn

Supervisor/co-worker asked to "recommend" former employee on LinkedIn

Positive recommendation on LinkedIn could conflict with company position regarding performance

Positive recommendation on LinkedIn could harm employer in employment discrimination litigation

Should be treated the same as an employment reference


POST-EMPLOYMENT

— Post-Employment: “Portability” Concerns

• Social media use for business purposes:

Who owns the content after the employee departs?

Who owns the connections/followers?

Is “connecting” with professional contacts via LinkedIn a violation of former employee’s non-solicitation provision?


POST-EMPLOYMENT

— Best Practices to protect social media "assets"

• Company should set up accounts, maintain passwords, and direct content

• Communicate that the Company owns the content and that contributing content is part of employment

• Company should maintain central database of contacts

• Incorporate social media language into confidentiality, separation, settlement, and non-solicitation agreements


OFF THE JOB BEHAVIOR (E.G., BLOGGING AND DATING)


EMPLOYEES’ EXPECTATION OF PRIVACY

— Many state and local laws prohibit employment policies that restrict employees’ lawful, off-duty conduct

— The types of conduct protected under these laws vary widely by state

• The majority of states have enacted laws prohibiting discrimination based on off-duty tobacco use

• More than half of states protect sexual orientation or marital status


EMPLOYER’S RIGHTS

— Employers should not take adverse action against an employee for the employee’s off the job behavior unless

— Employee’s out of work behavior violates a Section 7 compliant social media policy

— In all cases, employers should only take adverse actions against an employee when the employee’s behavior has implicated a legitimate business interest


This presentation contains images used under license. Retransmission, republication, redistribution, and downloading of this presentation, including any of the images as stand-alone files, is prohibited.

This presentation may be considered advertising under certain rules of professional conduct. The content should not be construed as legal advice, and readers should not act upon information in this publication without professional counsel. ©2014. Nixon Peabody LLP. All rights reserved.

THANK YOU

Kate Martinez, Esq.


John Roman, CISSP


1300 Clinton Square, Rochester, NY 14604