It’s time to roundup the bills related to computer technology that the Hawai‘i legislature is considering in its 2014 regular session. Click here for a chart summarizing the proposed legislation. Here are the highlights:
Social Media and Internet Account Passwords: Several bills to prohibit improper requests for access to personal social media accounts of employees and students were introduced in the 2013 session. None of the them passed. This year, HB2415 renews the effort to outlaw improper social media password requests.
Internet Sales Tax: HB1651 would require online companies with arrangements with Hawaii merchants for referral of business to collect use taxes on sales made in Hawaii. This bill would affect online retailers like Amazon, who allows local merchants to sell their products through Amazon Marketplace.
Restrictive Covenants: In an effort to encourage the development of technology business in Hawai‘i, a state with a relatively small geographic area, two bills (HB2617 and SB3126) would prohibit technology businesses from requiring employees to enter into noncompete agreements and restrictive covenants. “Technology business” is defined as “a trade or business that relies on software development, information technology, or both.”
Cybersquatting: SB2958 would put the burden on a cybersquatter to prove that it did not register a domain name in bad faith or with intent to use it in an unlawful manner, provided that the person claiming cybersquatting can demonstrate the potential of immediate and irreparable harm through misuse of the domain name.
Cybersecurity Council: SB2474 would establish the Hawai‘i cybersecurity, economic, education, anfrastructure security council.
Mobile Devices: Three bills (HB1509, HB1896, and SB2729) would make it a State offense to use a mobile electronic device while operating a motor vehicle. Certain counties already have similar laws.
3D Printing: In response to the rising availability of 3D printers, HB1802 would make it a crime to create, possess, sell, trade, or give another person a firearm made with digital manufacturing technology.
Computer crimes: A series of bills criminalizes various kinds of computer activity, including unauthorized access to a computer or network and damage to a “critical infrastructure computer” (HB1640); theft of a computer (HB1644); or personal electronic device for storing or retrieving personal information (HB2080); and revenge porn (SB2319).
(Photo credit: Wikipedia)
“Smile, you’re on Candid Camera.” Originally coined on the eponymous TV show, that catchphrase is becoming more of common refrain in the workplace. Any employee with a smartphone can easily record an office conversation in secret. But are such covert recordings legal? And what control, if any, does management have over the making of such recordings?
The Law of Recording Face-to-Face Conversations
A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations. This rule authorizes the recording of a conversation so as long as one person in the conversation consents. The consenting party can also be the person recording the conversation. Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.
Most other states require the consent of all participants in the conversation. Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.
Workplace Bans on Covert Recordings
Even if covert recordings are legal, management may regulate the practice if done so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA). A recent National Labor Relations Board decision illustrates this. Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013). The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval. The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”
The administrative law judge (ALJ) in the case upheld the policy. The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right. It was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters. The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace. The policy regulated a means of communication as opposed to the protected activity itself. It also did not prohibit employees from making recordings during non-work time. The policy therefore did not violate Section 7 rights.
The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:
- Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
- Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
- Does the rule allow employees to make recordings during non-work hours?
A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.
Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry — Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)
The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets. Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns. The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013), highlights this risk.
Verizon issued a Blackberry smartphone to its employee, Sandi Lazette. Lazette set up a personal Gmail account on the phone with Verizon’s permission. Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee. Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not. Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.
Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy. A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions. The court also allowed Lazette’s privacy claim to move forward.
LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.
1. Don’t read your employees’ personal messages—even if they are readily accessible. Management should treat an employee’s personal account as private, even if restrictions to accessing the count are minimal or non-existent. A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA. Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry. Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails. The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.
2. Construe grants of access narrowly. If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account. In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account. Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him. Years later, the supervisor logged into the account to read emails about the status of the company. In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial. Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.
3. Thoroughly purge personal data from company-issued electronic devices before reusing them. Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after it has been returned or repaired. Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like. Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.
4. Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools. One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools controls such as the ability to “remotely wipe” a device should it get lost or compromised. MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device. To mitigate such concerns, a company should devise policies clarifying upfront the expectations to privacy that employees should to have if they choose to use a dual-use device at work.
Hawai‘i has jumped on the bandwagon of states (along with 31 other states, according to the National Conference of State Legislatures) introducing legislation to ban employers from requesting access to social media accounts of job applicants. Several bills on the subject were introduced in this year’s legislative session, but the one that appears to have the best chance of becoming law is HB713 H.D. 2 S.D. 1 (HB713). The bill has passed the House and gained the approval of two Senate committees. Next up for the bill is review by the Senate Judiciary Committee. As HB713 gains traction, let’s take a look at what it says and some issues it raises in its current form.
SUMMARY OF HB713, H.D. 2
HB713 would insert a new section into the Hawai‘i statute governing discriminatory employment practices, Hawai‘i Revised Statutes (HRS) chapter 378, part I. The proposed law would apply to both job applicants and existing employees. Employers are prohibited from gaining access to a “personal account,” which is defined as:
An account, service, or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer. This definition shall not apply to any account, service, profile, or electronic mail created, maintained, used, or accessed by an employee or potential employee for business purposes of the employer or to engage in business-related communications.
Specifically, an employer may not “require, request, suggest, or cause” an employee or job applicant to: (1) turn over access to his or her personal account; (2) access his or her personal account while the employer looks on; or (3) divulge any personal account. An employer also may not fire, discipline, threaten, or retaliate against an employee or job applicant for turning down an illegal request for access.
There are exceptions, however.
- An employer may conduct an investigation to ensure compliance with law, regulatory requirements, or prohibitions against work-related employee misconduct based on receipt of specific information about activity on a personal online account or service by an employee or other source.
- An employer may conduct an investigation of an employee’s actions based on the receipt of specific information about unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to a personal online account or service.
- An employer may monitor, review, access, or block electronic data (a) stored on an electronic communications device that it pays for in part or in whole, or (b) traveling through or stored on an employer’s network, in compliance with state and federal law.
- An employer may get an employee’s login credentials to access an electronic communications device supplied or paid for in whole or in part by the employer.
- An employer may get an employee’s login credentials to access accounts or services provided by the employer or “by virtue of the employee’s employment relationship with the employer” or that the employee uses for business purposes.
- HB713 specifies that the proposed law is not intended to prevent an employer from complying with other law or the rules of self-regulatory organizations, and that the proposed law should not be construed to conflict with federal law.
OBSERVATIONS AND CONCERNS
Shoulder surfing nixed. The bill appears to make “shoulder surfing” by an employer illegal per se. Suppose an employee tells his boss, “Man, you cannot believe the whales my friend saw on her boat this weekend! She sent me a video of it on Facebook.” Intrigued, the boss says he wants to see the video. The employee obliges by logging on to her Facebook account while her boss watches over her shoulder. Did the boss unlawfully “request” that the employee grant him access to her “personal account”? Technically, yes. Note that HB713 has no exception for voluntary consent of the employee.
“Friending” employees might become illegal. Employers and employees sometimes connect on the same social network. While it isn’t always a good idea for an employer to “friend” an employee, it’s not illegal to do so—unless, perhaps, HB713 becomes the law. HB713 bans an employer from requesting that an employee “divulge any personal account.” Yet, that’s exactly what a friend request does—it requests access to portions of a social media account that can be viewed only by the account owner’s “friends.” The “divulge” language probably was intended to reach situations where an employer demands that an employee hand over access to another employee’s personal account. But as written, HB713’s prohibition against divulging any personal account could be interpreted to apply to innocent “friending.”
The line between personal and private is blurry. In a perfect world, employees would use business social media accounts strictly for business purposes and conduct all of their personal social media activity using separate social media accounts. That’s a best practice, not necessarily reality. The line between personal and business can get blurry in the social media space. It’s not unusual for employees to talk about work or promote their company within their personal social networks. If the employee uses his or her personal account for work purposes, shouldn’t the employer, who might have responsibility for the actions of its employee, be entitled to access the employee’s personal account in certain circumstances? On the other hand, to what extent must an employee use his or her personal account for work-related interactions before the employer should be allowed access to the account? These are difficult issues.
To address the issue, the latest draft of the bill tightens up the definition of “personal account” a bit and specifies that an employer may obtain login credentials from an employee to access “[a]ny accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer or that the employee uses for business purposes.” This language is somewhat vague. For example, what does “by virtue of the employer’s employment relationship with the employer” mean? It might well be that HB713 is trying to draw artificial distinctions between personal and work social media accounts when in practice, the distinction is sometimes fuzzy at best.
HB713 still has a few hurdles to overcome before it becomes law. Here at LegalTXTS, we’ll keep an eye out for the status of the bill.
Creative Commons image courtesy of Daigo Oliva on Flickr
The Hawaii anti-paparazzi bill eponymously named after its chief supporter is back after getting an extreme makeover, and it just took another step toward becoming law in Hawaii. The Senate Judiciary Committee has recommended passage of a revised version of the Steven Tyler Act (SB426, S.D. 1). The revised bill is a big improvement from the original version. It goes a long way toward remedying the problems discussed in my previous post on the Act, and now it looks much more like the California statute after which it was patterned. But despite the revisions, the Act remains quirky in some ways, and it still doesn’t answer the question of why we need a brand-new privacy law.
Here are the highlights of the revised bill. The revised bill:
- creates an actual tort for constructive invasion of privacy, not just one in the name. The original bill tried to create a constructive invasion of privacy tort, but the parameters of the tort were not well-defined.
- defines certain concepts that are key to liability under the Act, like “personal and familial activity.”
- makes it very difficult to impose liability on those publicizing or selling images or sound recordings that were captured in violation of the Act.
- carves out exceptions to liability, including one for law enforcement activities.
- creates a fairly novel process for raising a defense against invasion of privacy claims in court based on the First Amendment or its counterpart in the Hawaii State Constitution.
Now, let’s look at some of the features of the revised bill in greater detail.
Constructive Right of Privacy
The revised bill creates two types of invasion of privacy, one physical in nature and the other constructive. Both require an intrusion into land owned or leased by the plaintiff. This is an important revision because it gets rid of the “taking pictures at the beach” scenario (i.e., why should a celebrity complain about invasion of privacy if her picture is taken on a public beach?)
An intrusion, however, does not necessarily require a physical trespass onto the plaintiff’s property. Spying and eavesdropping could constitute intrusion, but does not necessarily involve a physical trespass. The tort of constructive invasion of privacy accounts for this distinction, stating that non-physical intrusions will be treated as invasions of privacy. The use of “visual or auditory enhancing devices” to probe into the plaintiff’s private affairs, regardless of whether it involves a physical trespass, counts as an invasion of privacy. That’s how constructive invasion of privacy works.
The original bill bungled the concept of constructive invasion of privacy by not tying liability to the use of visual or auditory enhancing devices. The revised bill fixes that problem.
“Personal and Familial Activity”
The original bill left out definitions of key concepts. A notable one was “personal and familial activity,” which is what the plaintiff must have been engaged in when the defendant captured images or recordings of him or her. The original bill did not define the term. The revised bill adopts the definition used in the California anti-paparazzi law.
Having a definition rather than none is a step in the right definition, but the definition is still too vague. The revised bill defines “personal and familial activity” as “intimate details of the plaintiff’s personal life, interactions with the plaintiff’s family or significant others, or other aspects of the plaintiff’s private affairs or concerns.” What range of activities does “the plaintiff’s private affairs or concerns” include? The revised bill doesn’t say.
Liability of Sellers of Images and Recordings
One criticism of the Act was that it punishes sellers of images or recordings of celebrities. The Act imposes liability on those who sold images or recordings that were captured in violation of the Act if they had “actual knowledge” of the violation and received compensation for the rights to the images or recordings. One problem of the original bill is that “actual knowledge” was not defined, so the level of intent needed to trigger liability wasn’t clear. The revised bill remedies that problem by defining “actual knowledge.” The definition requires “actual awareness, understanding, and recognition” that the image or recording was taken or captured in violation of the Act. That’s difficult to prove.
But the revised bill goes one step further in limiting publisher and seller liability. The plaintiff has the burden of establishing actual knowledge by “clear and convincing evidence.” This is the highest standard of proof in a civil matter (just below the “beyond a reasonable doubt” standard in criminal cases).
The plaintiff’s burden to prove the liability of publishers and sellers is reminiscent of the “actual malice” standard applicable in libel cases brought by a public official or public figure. In other words, the revised bill makes it very, very difficult to prove publisher and seller liability.
The revised bill also makes clear that there is no derivative liability for publicizing or selling an image or recording if it had been previously publicized or sold before without violating the Act.
Exceptions to Liability
The revised bill creates exceptions to liability, most notably for activities relating to law enforcement and investigation into illegal conduct. The revised bill also clarifies that the Act does not preclude suits for other legal or equitable relief under other theories, including the Hawai‘i anti-SLAPP law or a claim for publication of private facts.
First Amendment Defense
Perhaps the most interesting feature of the revised bill is an expedited process for handling defenses based on the First Amendment or its Hawaii counterpart, i.e., Hawaii Constitution, Article I, Section 4 (the revised bill does not cite specifically to Section 4, which is the section that parallels the First Amendment, so the expedited process apparently applies to a defense based on any portion of Article I is raised). The basic idea is to give first priority to resolving questions of the constitutionality of enforcing the Act in a particular situation.
Here’s how the expedited process works. If the defendant files a motion to dismiss a claim for violation of the Act based on First Amendment/Article I grounds, the case basically comes to a halt until the motion is decided. The court cannot look outside the allegations in the pleadings to decide the motion, and all discovery is suspended until the motion is decided. The court must hold a hearing and rule on the motion on an expedited basis. If the court denies the motion, the defendant may immediately appeal the denial.
The revised bill also flips the burden of proof. When the defendant files a motion to dismiss based on a First Amendment/Article I defense, the plaintiff has the burden to prove that, more likely than not, the plaintiff’s “claim is [not] barred by a defense based on the First Amendment of the United States Constitution or article I of the Hawaii State Constitution” (note that the quoted language in the revised bill omits the word “not”; that’s probably a typo). If the defendant wins the motion, it can recover damages, attorneys’ fees, costs, punitive damages, and other sanctions against the plaintiff and even the attorneys and law firm representing the plaintiff.
Thoughts on the Revised Bill
The revised bill is much better than the original version. I’m still not convinced, though, that the solution to the problem of overzealous paparazzi is a new law. Hawaii already recognizes the privacy tort of inclusion into seclusion, and that seems to cover the type of intrusion addressed in the concept of “constructive invasion of privacy.” The tort of intrusion into seclusion does not require a physical invasion into the plaintiff’s personal space. The use of visual or auditory enhancing equipment to remotely gain access to the plaintiff’s private affairs would seem already covered under existing law. Creating a new law to deal with the issue would add little new benefits while potentially creating more problems.
Take the expedited process for dealing with First Amendment issues, for example. According to a Standing Committee Report, the expedited process was created in response to constitutional concerns about the Act. As a lawyer who represents media defendants, I welcome extra procedural protections for airing out First Amendment issues. But I do think the expedited process is somewhat sloppy. The process gives too much incentive to a defendant to respond initially to a Tyler Act claim with First Amendment defenses, even unmeritorious ones. The defendant has nothing to lose and everything to gain by using such a tactic. By filing a motion to dismiss on First Amendment grounds, the defendant can freeze discovery in the case, shift the burden of proof to the plaintiff, and potentially reap the benefit of recovering fees, costs, and damages from the plaintiff, his or her attorney, and even the attorneys’ law firm! There are few circumstances in which a defendant should not raise a First Amendment defense. And on the flip side, true victims of constructive invasion of privacy might think twice before suing under Tyler Act due to the risks involved. Which again begs the question: Do we really need the Tyler Act?