A recent National Labor Relations Board Shore Point Advisory Letter gives a bit of good news to employers who want to use modern monitoring technology to monitor employees that they suspect are breaking work rules. On November 2, 2015, the NLRB concluded that an alcoholic beverage distributor (Shore Point), did not violate labor laws by failing to negotiate with its employees’ union before installing a GPS tracking device on an employee’s company truck. Shore Point suspected that the employee was stealing time while on his work routes. Shore Point’s collective bargaining agreement contains rules against stealing time.
Shore Point hired a private investigator to follow the employee to collect evidence for disciplinary purposes, an established practice the union had not objected to in the past. The investigator placed a GPS tracking device on the employee’s truck to maintain and regain visual contact. The GPS was only installed on the employee’s vehicle on the days when the investigator was following the employee, and was used as a backup method in case the investigator lost visual sight of the employee and his truck. Based on the investigator’s observations of the employee engaging in misconduct, Shore Point terminated the employee. The union filed a charge alleging that the employer unilaterally engaged in electronic surveillance without bargaining in violation of the National Labor Relations Act.
The NLRB determined that Shore Point did not have an obligation to bargain over the installation and use of the GPS device. Although the use of the device was a mandatory subject of bargaining, it did not amount to a material, substantial, and significant change in the terms and conditions of employment. Shore Point had an existing practice of using a personal investigator to monitor employees suspected of misconduct. Using a GPS tracking device was just “a mechanical method to assist in the enforcement of an established policy,” and therefore was not a material, substantial, or significant change in policy. The NLRB also noted that the GPS device only added to information that the private investigator had collected through personal observation, did not increase the likelihood of employee discipline, and did not provide an independent basis for termination.
At least two lessons can be learned from this case. First, when crafting employee work rules subject to bargaining, build in flexibility to allow for use of technological advances in enforcement methods. Second, disciplinary action against an employee should be supported with various types of evidence if possible. Just relying on evidence collected with a controversial or untested method is risky because if the use of the method is determined unlawful, the basis for the disciplinary action disappears.
You’ve adopted a social media policy after hearing all the warnings about employees behaving badly on social media. But do you enforce the policy consistently? Failure to do so can be risky business, as illustrated by a recent federal court decision, Redford v. KTBS, LLC, 2015 WL 5708218 (W.D. La. Sept. 28, 2015). The court in Redford allowed an employment discrimination claim to continue because of management’s uneven enforcement of its social media policy.
The social media policy of KTBS, a Louisiana TV station, instructs employees not to respond to viewer complaints on social media. Chris Redford, an on-air crime reporter for KTBS and a white male, posted a negative comment on his Facebook page in response to a viewer’s comment on a KTBS story. Redford was fired for violating the KTBS social media policy.
Redford sued KTBS for race and sex-based employment discrimination. Redford pointed to KTBS’ treatment of two other employees for their social media conduct. Lee, an on-air personality and an African-American female, responded multiple times to negative viewer comments on the official KTBS Facebook page. She received numerous warnings from management before being fired on the same day as Redford. Sarah Machi, an on-air personality and a white female, responded negatively to a KTBS viewer’s comment on her personal Facebook page, but received no warning or discipline. Based on this evidence, Redford argued that KTBS fired him not for violating the social media policy, but to prevent a potential lawsuit by Lee for race or sex discrimination. According to the court, Redford had a viable claim that he was treated less favorably than Lee and Machi because of his race or sex.
KTBS argued that it took no action against Machi because she posted her comments on her personal Facebook page, which was set to “private” so that only her Facebook friends could access it. Redford’s Facebook page did not have privacy filters turned on, and he often used his page to promote his work at KTBS. Since KTBS apparently considered comments posted on an employee’s “private” Facebook page to be outside the scope of its social media policy, the court reasoned that KTBS’ stated reason for firing Redford could be pretextual if Redford’s Facebook page was considered “private.” This issue had to be resolved at trial, so the court denied summary judgment to KTBS on the pretext issue.
Redford is a good reminder of the importance of consistent enforcement of social media policies. Even-handed enforcement is made easier by clearly spelling out the scope of the policy. If the policy makes a distinction between “company” and “personal” pages, for example, describe the specifically and consider providing examples. Ambiguity and inconsistency are your worst enemies when it comes to enforcing a social media policy.
One of the bombshells in the DeflateGate saga was the revelation that Tom Brady had his cell phone destroyed shortly before meeting with the National Football League’s investigators. According to the NFL’s written decision suspending Brady, Brady knew that the investigators wanted access to text messages on the phone he had when the AFC Championship was played. Even so, Brady instructed his assistant to dispose of the phone—just four months after starting to use it. The dubious circumstances surrounding the disappearance of the phone greatly hurt Brady’s credibility in NFL Commissioner Roger Goodell’s eyes, and was instrumental to his eventual decision to discipline Brady.
There are HR lessons to be learned from this story. An employee’s mobile device can contain information you need for an investigation or lawsuit. So what can you do to get access to the device or the data on it now that employees frequently use their personal devices for work?
Adopting a Bring Your Own Device (BYOD) work policy is a good start. At a minimum, a BYOD policy should reserve the company’s right to access any electronic device an employee uses for work, even if the employee owns it. The policy should also state upfront that employees have no expectation of privacy to data stored on their personal devices – that’s the tradeoff for letting them connect to the company network.
After establishing the ability to take possession of employee-owned devices, think through the steps for preserving data on the devices before it’s too late. One measure is to issue a “litigation hold” instructing employees not to destroy a device or delete data from it. Be specific about the kinds of data they need to preserve. A crucial element of a litigation hold is an instruction to suspend routine purging of data or equipment – much like Brady’s practice of destroying his old phone whenever he got a new one. The litigation hold should be issued as soon as you know that a lawsuit or investigation is coming.
Next, determine the kind of electronic information you want. Preservation and extraction methods differ depending on the kind of data. Text messages need to be preserved quickly because once they’re deleted off a phone or tablet, it’s difficult to find a copy of them elsewhere. As Brady learned when he tried accessing text messages on his missing phone through his wireless carrier, carriers don’t keep subscribers’ text messages on their servers for very long, and they typically delete the messages after delivery to the recipient. Emails have a longer shelf life, especially if they’re stored in a web-based account like Gmail or Yahoo or transmitted through company servers.
Be proactive and act quickly. Don’t let your hopes of getting the electronic evidence you need get deflated.
Have you ever been tempted to delete a social media message you posted that exposes you or your company to liability? That post that seemed like a harmless joke but now could turn into evidence in a wrongful termination lawsuit. Or that photo that could cast you in an unflattering light. If it ever crossed your mind that no one will notice if you simply pressed the “delete” button, here’s a case illustrating why succumbing to the temptation doesn’t end well.
In Crowe v. Marquette Transportation Company, Gulf-Inland, LLC, 2015 WL 254633 (E.D. La. Jan. 20, 2015), Brannon Crowe sued his employer, Marquette, for injuries he sustained due to an accident that allegedly occurred at work. Marquette discovered a Facebook message Crowe had allegedly sent to a co-worker in which he admitted injuring himself while fishing. This prompted Marquette’s lawyers to serve Crowe with a discovery request for a complete copy of Crowe’s Facebook history.
Crowe’s response to the request was that he didn’t “presently” have a Facebook account. When confronted in his deposition with a printout of a Facebook message that appeared to have been sent from an account with the username “Brannon CroWe,” Crowe claimed that he stopped having a Facebook account around October 2014, and that his account had been hacked. To substantiate his hacking claim, Crowe pointed out rather unconvincingly that, unlike the username on the printout, there’s no capital “W” in his name.
Crowe wasn’t entirely forthcoming. Although Crowe was technically correct that he didn’t have an active Facebook account when he responded to the request in December 2014, the truth was that Crowe deactivated his Facebook account four days after receiving the discovery request in October 2014. To make things worse for Crowe, data in a deactivated Facebook account isn’t deleted. A deactivated Facebook account can be reactivated at any time. Needless to say, the court was displeased with Crowe’s attempts to evade discovery. The court ordered Crowe to provide Marquette with his entire Facebook account history and the login information for all his Facebook accounts.
Although Crowe involved an employee who tried to hide unhelpful social media information, the lessons from the case apply equally to employers. Deactivating a social media account doesn’t necessarily shield information in the account from discovery because the information is probably still available. Deleting a social media account also doesn’t always mean the information in the account is gone forever. It’s not unusual for social media providers to store deleted user data in its servers before permanently deleting the information. And even if social media information is truly deleted, that in itself can be problematic. A person (or company) has a duty to preserve evidence that’s relevant to reasonably anticipated litigation. Violating the duty to preserve can lead to unpleasant consequences, including court sanctions.
Learn from Crowe’s example. The next time you’re tempted to dispose of an incriminating Facebook post, deactivate the temptation, not your Facebook account.
The National Labor Relations Board (NLRB) recently took the unprecedented position that an employer violated federal law by failing to engage its employees’ union in collective bargaining regarding its response to a data breach. The U.S. Postal Service (USPS) was the target of a 2014 data breach affecting over 800,000 of its current and former employees. The NLRB filed complaints against the USPS claiming that it executed its response to the breach without engaging in collective bargaining with the union. That’s a violation of National Labor Relations Act (NLRA) provisions mandating collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment,” the NLRA alleged.
The NLRB complaints specifically allege that the USPS violated the NLRA by failing to collectively bargain with the union about the impact of the breach on union members. The USPS also allegedly violated the NLRA by unilaterally providing a remedy for the breach (one year of credit monitoring services and fraud insurance at no cost to employees) without giving prior notice to the union and providing it with an opportunity to negotiate the remedy. The NLRB complaints arose from charges filed by the American Postal Workers Union and the National Rural Letter Carriers’ Association regarding the manner in which the USPS handled the breach.
This marks the first time the NLRB has suggested that data breach response and notification measures affecting employees relate “to the wages, hours, and other terms and conditions of employment” under the NLRA. If the NLRB’s position is found to have merit, that potentially makes the breach response process more complicated and costly for unionized organizations. Union negotiations would need to be conducted at the same time the organization is dealing with fallout from the data breach, such as repairing damage to internal systems, investigating the breach, and complying with breach notification laws. Union negotiations could put tremendous pressure on organizations trying to comply with data breach laws that require notification within a short time period after discovery of the breach. There is also a heightened risk of leaks to the press if organizations must notify unions before giving formal notification as required by law.
The NLRB’s complaints against the USPS reinforce the urgency of developing well-crafted breach response plans. Union organizations might wish to add items to their response plans that engage employee unions in the response process. Another precautionary measure is to solicit the input of the union in developing acceptable breach response protocols before a breach occurs rather than in the midst of a crisis situation.