In 2007, the National Labor Relations Board (NLRB) issued its Register Guard decision allowing employers to prohibit employees from using company email to engage in discussions about the terms and conditions of their work with other employees or unions for purposes of “mutual aid and protection,” which are protected under Section 7 of the National Labor Relations Act. In April 2014, the NLRB issued a notice and invitation to the parties in a case involving Purple Communications, Inc. and interested amici curiae to file briefs on whether Register Guard should be overruled. The NLRB received numerous amici briefs on the issue. Employers were relieved when the NLRB deferred a decision on overruling Register Guard in September of last year.
The relief was short-lived. Just three months later, the NLRB reversed course and overruled Register Guard, noting that email “has become a critical means of communication” and is “a natural gathering place” for employees to communicate with each other. In a 3-2 decision involving Purple Communications, Inc., the NLRB ruled that employees who have access to their employer’s email system for work purposes presumptively have a right to use the system for protected communications on nonwork time.
Here are answers to some basic questions about how Purple Communications impacts company email policies:
Must employers give all their employees access to the company email system?
No. Employees have a right to use corporate email for protected communications only if they already are given access to the system for work or personal reasons. Purple Communications does not force employers to grant email access to anyone. For that matter, employers are not required to grant email access to non-employees, including unions and union organizers.
May employers put restrictions on use of company email for protected discussions during nonwork hours?
Maybe. Employers may restrict use of company email to engage in protected discussions during nonwork time by demonstrating that there are actual (as opposed to theoretical) “special circumstances” that “make the ban necessary to maintain production or discipline.” This appears to be a difficult standard to meet. Employers must establish a connection between the restriction and their interest in imposing the restriction.
Is it ok to ban all nonbusiness use of company email?
A total ban would be subject to the “special circumstances” test discussed above. According to the NLRB, the existence of special circumstances “will be a rare case.”
May employers impose guidelines on using nonbusiness of company email?
Yes. Employers may establish specific guidelines for nonbusiness use of corporate email. Use of corporate e-mail for protected communications may be restricted to nonworking time. Employers also have the right to establish “uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline.” The single example provided by the NLRB is “prohibiting large attachments or audio/video segments, if the employer can demonstrate that they would interfere with the email system’s efficient functioning.”
May employers monitor their employees’ email use?
Yes. Employers may monitor computer and email systems for legitimate management reasons, such as ensuring productivity and preventing email use for harassment or other activities that could give rise to employer liability. However, employers may not change their monitoring practices specifically in response to union or other protected activity. On that note, any modifications to an email policy that targets protected activity for discrimination is likely unlawful.
Do employers need to change their email policies now?
Purple Communications applies retroactively, so unless the decision is appealed and stayed in the interim, employers should seriously consider modifying their company email policy to comply with the decision.
Does Purple Communications apply to other company electronic communications systems like texting or instant messaging?
Currently no, but the NLRB has signaled that it might extend the reasoning in the Purple Communications decision to other forms of electronic communication in the future.
Purple Haze: NLRB Still Unclear on Whether It Will Stop Employers From Limiting Use of Company Email to Business Purposes
Target. Home Depot. Neiman Marcus. This isn’t a list of places to shop. These companies were hit with some of the biggest data breach incidents of 2014. And, as the recent hack on Sony Pictures Entertainment demonstrates, it’s not just the customer information that gets compromised in cyberattacks—employees can also be the victims.
In November, hackers broke into Sony’s computer systems and stole personal information of over 47,000 current and former employees, celebrities, and freelancers. The information included personal emails, budgets, salary information, human resource records, and other private (and embarrassing) documents. Some of the stolen information was leaked online, including a spreadsheet containing names, birth dates, and Social Security numbers of over 3,000 employees. Buzzfeed reports that the 40 gb data dump contains email exchanges between Sony and its employees regarding very sensitive matters, such as their medical treatments, disciplinary action, and inter-office romance.
The ease with which the hackers did their dirty work is eye-opening. The attack was carried out with widely available malware. It didn’t help that Sony’s security measures were shockingly subpar. Sony had failed to encrypt the leaked files. One of the stolen files containing login credentials to Sony computers and servers and other online accounts was quite obviously named “Passwords.”
Sony apparently made a conscious decision not to beef up its security. In 2007, Sony’s then-executive director information security, Jason Spaltro, said in an interview that it was a “valid business decision to accept the risk” of a security breach, and that he would not invest $10 million to avoid a possible $1 million in loss. A team of just 11 employees was responsible for maintaining the security systems for Sony’s 7,000 employees. A September 2014 security audit report showed gaps in Sony’s security procedures, such as failure to monitor one firewall and more than 100 other devices.
In the aftermath of the attack, Sony is facing four lawsuits. Three of the lawsuits allege that Sony failed to take adequate precautions to guard against known weaknesses in the security of its computer systems. Another lawsuit accuses Sony of waiting too long to notify employees that their personal data had been stolen.
What should companies do to protect themselves against a data breach like Sony’s? Be sure to develop administrative, physical, and technical safeguards over personal information handled by your company. At minimum, use encryption technology. If a third party handles personal information of your employees or customers, contractually require them to exercise reasonable care and to report security breaches immediately. Another precautionary measure is to conduct periodic security audits and risk analyses of information systems.
If a data breach involves a business located in Hawaii or one that does business in Hawai‘i and maintains or possesses personal information of Hawaii residents, Hawaii law requires the business to notify persons affected by the breach. If notice is provided to 1,000 persons or more at once, the State Office of Consumer Protection and credit reporting agencies must also be notified. Companies should prepare data breach procedures in advance so that a clearly charted process for complying with applicable notification laws is available in the chaos ensuing after a data breach incident.
Federal law clearly gives employees the right to communicate with each other and with unions about work-related matters for purposes of “mutual aid and protection.” Commiseration among co-workers about working conditions, work policies, wages, and the like are concerted, protected activity under the National Labor Relations Act (NLRA). But must an employer allow employees to use its computer equipment for such communications? Employers breathed a sigh of relief when the National Labor Relations Board (NLRB) answered “no” in its Register Guard decision issued in 2007. Under Register Guard, employees generally don’t have a right to use their employer’s electronic equipment and systems to engage in protected activity, and employers may adopt a policy prohibiting employees from using company email for non-work purposes, including communications concerning protected activity.
Seven years later, the Register Guard rule is cast into doubt. In Purple Communications, Inc., an employee handbook declared that all company computers, Internet access, voice mail, and the e-mail system were the exclusive property of the company and were to be used only for business purposes. The employer prohibited employees from using such company property to engage in activities on behalf of organizations or persons with no business affiliation with the company. Appling Register Guard, the Administrative Law Judge in the case dismissed a union’s claim that Purple Communications’ employee handbook violated the NLRA. The NLRB’s General Counsel appealed the decision, asking the NLRB to overrule Register Guard.
The NLRB invited interested groups to file briefs addressing whether the Register Guard rule should be overturned. Over twenty organizations representing a broad range of union and management interests accepted the invitation and filed amicus briefs with the NLRB. However, the NLRB ultimately chose to defer deciding the issue. See Purple Communications, Inc., 361 NLRB 43 (Sept. 24, 2014).
The NLRB decided the appeal without reaching the controversial issue of whether to overturn Register Guard because it found that the employer had committed other unfair labor practices. A footnote in the decision noted that the NLRB would “sever and hold for further consideration the question whether Purple’s electronic communications policy was unlawful.” This signals that the NLRB is still open to overruling Register Guard, perhaps when a case involving what it considers a more appropriate factual scenario comes along.
For now at least, employers may lawfully adopt work rules restricting use of its email and other electronic equipment and systems to business purposes, and employees may be disciplined for violating such rules. How much longer such rules will stand remains to be seen.
In the last few years, we’ve seen how the private social media activity of employees can get employers in trouble for violating a variety of laws. The National Labor Relations Act. HIPAA. Title VII. Now you can add the Americans With Disabilities Act (ADA) to the list.
In Shoun v. Best Formed Plastics, Inc., 2014 WL 2815483 (N.D. Ind. June 23, 2014), a federal judge held that an employer may be liable under the ADA for an employee’s Facebook comments about the medical condition of a co-worker. George Shoun, an employee at Best Formed Plastics, sustained a workplace injury and took leave to recover. Shoun’s co-worker, Jane Stewart, learned about his injury because she processed his worker’s compensation claim and monitored his medical treatment for the company. Stewart posted this snarky message on her personal Facebook account: “Isn’t [it] amazing how Jimmy experienced a 5 way heart bypass just one month ago and is back to work, especially when you consider George Shoun’s shoulder injury kept him away from work for 11 months and now he is trying to sue us.”
Shoun sued the company, alleging that Stewart’s post made it liable for violating the ADA. According to Shoun, the post was visible to the business community. Shoun claimed that prospective employers refused to hire him because of the post, causing him emotional distress and mental pain and suffering.
The court refused to dismiss the ADA claim against the company, reasoning that Stewart obtained the information through an employment-related medical inquiry and then wrongfully disclosed it. As a result, Shoun could sue for violation of Section 102 of the ADA, which provides that any information relating to a medical condition of an employee obtained by an employer during “voluntary medical examinations, including voluntary work histories, which are part of an employee health program available to employees at that work site,” must be “collected and maintained on separate forms and in separate medical files and [be] treated as a confidential medical record.” Moreover, the company could be liable for Stewart’s actions even though she posted the message on her private Facebook account in her own time.
Shoun is another reminder of how easily the lines between personal and professional conduct can get blurred on social media. Employers must train their employees about what they may and may not disclose on social media. It is almost never proper for an employee to share medical information obtained at work on his or her personal social media account. The confidential nature of medical information needs to be emphasized especially when training employees who handle workers’ compensation claims, medical leave requests, billing for health services, FMLA claims, etc.
Employees can get carried away on social media. US Airways learned this the hard way when its employee responded to a customer complaint on Twitter with an obscene picture of a woman and a toy jet. An apology and deletion of the tweet followed an hour later (an eternity in cyberspace). US Airways claims its employee made an “honest mistake,” and the incident has not spawned a lawsuit, but one can imagine situations in which the malicious online statements of an employee land the employer in legal trouble.
So what’s an employer to do? Thankfully, employers can find some solace in Section 230 of the federal Communications Decency Act (“CDA”), as a recent Indiana case illustrates. In Miller v. Federal Express Corp., an employee of a non-profit organization, 500 Festival, Inc. (“500 Festival”), and an employee of FedEx separately posted comments on media websites criticizing the plaintiff’s leadership of Junior Achievement of Central Indiana, which he ran from 1994 to 2008. Although the employees posted the comments using aliases, the plaintiff traced the comments back to IP addresses assigned to 500 Festival and FedEx and sued them for defamation.
The Indiana Court of Appeals affirmed the trial court’s dismissal of the defamation claims against 500 Festival and FedEx based on the Section 230 of the CDA. Congress passed Section 230 to protect companies that serve as intermediaries for online speech from liability for harmful content posted by third parties. A defendant claiming Section 230 immunity must show that: (1) it is a provider or user of an interactive computer service; (2) the plaintiff’s claim treats it as the publisher or speaker of information; and (3) another information at issue was provided by another content provider. Satisfying these three elements immunizes the defendant from suit, although the author of the offensive content could still be held liable.
It’s not difficult to see how Section 230 applies where, for instance, the operator of an online discussion forum is sued for defamation based on a comment posted by a forum member. The operator easily qualifies as an “interactive computer service” and can argue it is not liable for content that someone else published. But could a corporate employer qualify for Section 230 immunity? The court in Miller said yes, siding with precedent set by California and Illinois courts. An employer that provides or enables multiple users on a computer network with Internet access qualifies as a provider of an interactive computer service. Since the defamation claims tried to hold 500 Festival and FedEx liable for allegedly publishing statements made by their employees, Section 230 barred the claims.
Controlling what employees say online can be a daunting task, but it’s nice to know that employers have some protection from legal liability for the “honest” (or not so honest) mistakes of employees.