Bargaining After the Breach – NLRB says failure to engage in collective bargaining over data breach remedies violates federal law

Posted on May 13, 2015 in Data Security, Employment and Labor

The National Labor Relations Board (NLRB) recently took the unprecedented position that an employer violated federal law by failing to engage its employees’ union in collective bargaining regarding its response to a data breach. The U.S. Postal Service (USPS) was the target of a 2014 data breach affecting over 800,000 of its current and former employees. The NLRB filed complaints against the USPS claiming that it executed its response to the breach without engaging in collective bargaining with the union. That’s a violation of National Labor Relations Act (NLRA) provisions mandating collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment,” the NLRB alleged.

The NLRB complaints specifically allege that the USPS violated the NLRA by failing to collectively bargain with the union about the impact of the breach on union members. The USPS also allegedly violated the NLRA by unilaterally providing a remedy for the breach (one year of credit monitoring services and fraud insurance at no cost to employees) without giving prior notice to the union and providing it with an opportunity to negotiate the remedy. The NLRB complaints arose from charges filed by the American Postal Workers Union and the National Rural Letter Carriers’ Association regarding the manner in which the USPS handled the breach.

This marks the first time the NLRB has suggested that data breach response and notification measures affecting employees relate “to the wages, hours, and other terms and conditions of employment” under the NLRA. If the NLRB’s position is found to have merit, that potentially makes the breach response process more complicated and costly for unionized organizations. Union negotiations would need to be conducted at the same time the organization is dealing with fallout from the data breach, such as repairing damage to internal systems, investigating the breach, and complying with breach notification laws. Union negotiations could put tremendous pressure on organizations trying to comply with data breach laws that require notification within a short time period after discovery of the breach. There is also a heightened risk of leaks to the press if organizations must notify unions before giving formal notification as required by law.

The NLRB’s complaints against the USPS reinforce the urgency of developing well-crafted breach response plans. Unionized organizations might wish to add items to their response plans that engage employee unions in the response process. Another precautionary measure is to solicit the input of the union in developing acceptable breach response protocols before a breach occurs rather than in the midst of a crisis situation.

NLRB Issues Corporate Email Decision That Will Have Employers Turning “Purple”

Posted on Feb 12, 2015 in Employment and Labor

In 2007, the National Labor Relations Board (NLRB) issued its Register Guard decision allowing employers to prohibit employees from using company email to engage in discussions about the terms and conditions of their work with other employees or unions for purposes of “mutual aid and protection,” which are protected under Section 7 of the National Labor Relations Act. In April 2014, the NLRB issued a notice and invitation to the parties in a case involving Purple Communications, Inc. and interested amici curiae to file briefs on whether Register Guard should be overruled. The NLRB received numerous amici briefs on the issue. Employers were relieved when the NLRB deferred a decision on overruling Register Guard in September of last year.

The relief was short-lived. Just three months later, the NLRB reversed course and overruled Register Guard, noting that email “has become a critical means of communication” and is “a natural gathering place” for employees to communicate with each other. In a 3-2 decision involving Purple Communications, Inc., the NLRB ruled that employees who have access to their employer’s email system for work purposes presumptively have a right to use the system for protected communications on nonwork time.

Here are answers to some basic questions about how Purple Communications impacts company email policies:

Must employers give all their employees access to the company email system?

No. Employees have a right to use corporate email for protected communications only if they already are given access to the system for work or personal reasons. Purple Communications does not force employers to grant email access to anyone. For that matter, employers are not required to grant email access to non-employees, including unions and union organizers.

May employers put restrictions on use of company email for protected discussions during nonwork hours?

Maybe. Employers may restrict use of company email to engage in protected discussions during nonwork time by demonstrating that there are actual (as opposed to theoretical) “special circumstances” that “make the ban necessary to maintain production or discipline.” This appears to be a difficult standard to meet. Employers must establish a connection between the restriction and their interest in imposing the restriction.

Is it ok to ban all nonbusiness use of company email?

A total ban would be subject to the “special circumstances” test discussed above. According to the NLRB, the existence of special circumstances “will be a rare case.”

May employers impose guidelines on nonbusiness use of company email?

Yes. Employers may establish specific guidelines for nonbusiness use of corporate email.  Use of corporate e-mail for protected communications may be restricted to nonworking time. Employers also have the right to establish “uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline.”  The single example provided by the NLRB is “prohibiting large attachments or audio/video segments, if the employer can demonstrate that they would interfere with the email system’s efficient functioning.”

May employers monitor their employees’ email use?

Yes. Employers may monitor computer and email systems for legitimate management reasons, such as ensuring productivity and preventing email use for harassment or other activities that could give rise to employer liability. However, employers may not change their monitoring practices specifically in response to union or other protected activity. On that note, any modification to an email policy that targets protected activity for discrimination is likely unlawful.

Do employers need to change their email policies now?

Purple Communications applies retroactively, so unless the decision is appealed and stayed in the interim, employers should seriously consider modifying their company email policy to comply with the decision.

Does Purple Communications apply to other company electronic communications systems like texting or instant messaging?

Currently no, but the NLRB has signaled that it might extend the reasoning in the Purple Communications decision to other forms of electronic communication in the future.

Prior Coverage:

Purple Haze: NLRB Still Unclear on Whether It Will Stop Employers From Limiting Use of Company Email to Business Purposes


“Purple” Haze – NLRB Still Unclear on Whether It Will Stop Employers From Limiting Use of Company Email to Business Purposes

Posted on Oct 15, 2014 in Employment and Labor

Federal law clearly gives employees the right to communicate with each other and with unions about work-related matters for purposes of “mutual aid and protection.” Commiseration among co-workers about working conditions, work policies, wages, and the like is concerted, protected activity under the National Labor Relations Act (NLRA). But must an employer allow employees to use its computer equipment for such communications? Employers breathed a sigh of relief when the National Labor Relations Board (NLRB) answered “no” in its Register Guard decision issued in 2007. Under Register Guard, employees generally don’t have a right to use their employer’s electronic equipment and systems to engage in protected activity, and employers may adopt a policy prohibiting employees from using company email for non-work purposes, including communications concerning protected activity.

Seven years later, the Register Guard rule is cast into doubt. In Purple Communications, Inc., an employee handbook declared that all company computers, Internet access, voice mail, and the e-mail system were the exclusive property of the company and were to be used only for business purposes. The employer prohibited employees from using such company property to engage in activities on behalf of organizations or persons with no business affiliation with the company. Applying Register Guard, the Administrative Law Judge in the case dismissed a union’s claim that Purple Communications’ employee handbook violated the NLRA. The NLRB’s General Counsel appealed the decision, asking the NLRB to overrule Register Guard.

The NLRB invited interested groups to file briefs addressing whether the Register Guard rule should be overturned. Over twenty organizations representing a broad range of union and management interests accepted the invitation and filed amicus briefs with the NLRB. However, the NLRB ultimately chose to defer deciding the issue. See Purple Communications, Inc., 361 NLRB 43 (Sept. 24, 2014).

The NLRB decided the appeal without reaching the controversial issue of whether to overturn Register Guard because it found that the employer had committed other unfair labor practices. A footnote in the decision noted that the NLRB would “sever and hold for further consideration the question whether Purple’s electronic communications policy was unlawful.” This signals that the NLRB is still open to overruling Register Guard, perhaps when a case involving what it considers a more appropriate factual scenario comes along.

For now at least, employers may lawfully adopt work rules restricting use of their email and other electronic equipment and systems to business purposes, and employees may be disciplined for violating such rules. How much longer such rules will stand remains to be seen.

NLRB Strikes Down Selective Enforcement of Work Email Policy

Posted on Apr 21, 2014 in Employment and Labor

Birth announcements. Girl Scout cookies fundraisers. Leftovers in the company lounge. We’ve all probably received an email at work on these or similar subjects. It’s uncommon for an employee to be disciplined for sending an email of such nature. But would that limit a company’s ability to act when employees circulate emails on more controversial topics?

This question was raised in a recent National Labor Relations Board (NLRB) decision involving the Jet Propulsion Laboratory (JPL) affiliated with NASA.  In re California Inst. of Tech. Jet Propulsion Lab, 360 NLRB 63 (Mar. 12, 2014).  Based on a Homeland Security directive, NASA began requiring JPL employees to submit to federal background checks as a condition of continued employment. Twenty-eight JPL employees who believed that the background check process violated their privacy rights filed a federal class action. The case led to a U.S. Supreme Court decision holding that mandatory compliance with the background check process did not violate the right to informational privacy.  See NASA v. Nelson, 131 S. Ct. 746 (2011).

Several of the plaintiffs felt that management did not adequately inform employees about the actual impact of the Supreme Court decision, so they expressed their view of the decision in emails to their colleagues. The emails were sent to several thousand JPL employees using NASA-owned computers and JPL email addresses. After allegedly receiving complaints about the emails, management issued written warnings to the authors of the emails. The warnings alleged that the authors had violated several work policies prohibiting, among other things, “spamming” co-workers; sending unauthorized, non-work-related emails; and implying JPL endorsement of a position on political, social, or legal issues. The authors filed charges with the NLRB claiming that JPL violated their right to engage in concerted protected activity under Section 7 of the National Labor Relations Act.

The NLRB found that JPL employees frequently circulated emails on topics like charity fundraisers and social causes. Such emails technically violated work policies, but there was no evidence of enforcement in those instances. The discipline in this case was thus suspect. Although employees have no legally protected right to use their employer’s computers to engage in protected concerted or union activity, and may be lawfully disciplined for doing so, management may not choose to enforce only work policies involving concerted protected activity.

The decision is not a prompt to start disciplining employees who offer home-baked cookies to co-workers using email. Email can be a convenient tool for building company morale. But the decision does warn against using work policies pretextually to control discussion of work matters. JPL selectively enforced its work policies to silence certain viewpoints on a work-related issue, as highlighted by the fact that JPL supervisors commented on the Supreme Court decision using their work email accounts without being subjected to discipline. Work rules commonly included in an employee manual but inconsistently enforced – like an email use policy – shouldn’t be used as a basis for silencing employees who criticize management or express dissatisfaction with work conditions.

A Tale of Two Facebook Firings

Posted on Sep 10, 2013 in Employment and Labor, Social Media

Facebook comments about condition of company vehicles are protected under the NLRA; a Facebook rant about fake problems with the company car, not so much

Butler Medical Transport, LLC, 2013 WL 4761153 (N.L.R.B. Div. of Judges)

A recent decision by a National Labor Relations Board (NLRB) Administrative Law Judge (ALJ) gives employers insight on when they can and cannot fire an employee for their social media conduct outside of work.  Particularly interesting is the fact that this decision involved two separate terminations, one of which the ALJ found illegal, and the other not.

The Norvell Termination

William Norvell worked as an emergency medical technician for an ambulance company, Butler Medical Transport (Butler).  While on his personal computer at home, Norvell read a post by a co-worker (Zalewski) on her Facebook page stating that she had been fired.  Zalewski attributed the firing to a patient report to management that she complained about the condition of Butler’s ambulances.  Several people, including another Butler employee, posted comments inquiring into the incident, to which Zalewski responded with more posts about the patient’s report.  Norvell responded to Zalewski with this comment:

“Sorry to hear that but if you want you may think about getting a lawyer and taking them to court.”

Another person posted a comment suggesting that Zalewski find a job with another ambulance company.  After Zalewski asked where the company was located, Norvell posted the location and added, “You could contact the labor board too.”

Butler’s HR director obtained hard copies of these posts, and in consultation with the COO, decided to terminate Norvell.  The HR director told Norvell that he was being terminated for violating Butler’s bullet point list of work rules, one of which prohibited employees from using social networking sites that could discredit Butler or damage its image.

The ALJ determined that Norvell’s Facebook posts were protected concerted activity. By advising Zalewski to see a lawyer or contact the labor board, Norvell was “making common cause” with a co-worker about a matter of mutual concern to the employees, i.e., the condition of Butler’s ambulances. Norvell’s posts had protected status even though they were accessible to people outside of the company because Section 7 of the National Labor Relations Act (NLRA) extends to employee efforts to improve the terms and conditions of employment through channels outside of the employer-employee relationship. The ALJ did not find the posts to be so disloyal, reckless, or maliciously untrue as to lose their protected status. The termination of Norvell based on his Facebook posts therefore violated Section 8(a)(1) of the NLRA.

The Rice Termination

Another Butler employee, Michael Rice, posted this comment on Facebook:

“Hey everybody!!!!! Im fuckin broke down in the same shit I was broke in last week because they don’t wantna buy new shit!!!! Cha-Chinnngggggg chinnng-at Sheetz Convenience Store,”

Butler terminated Rice for making this post.  At the trial hearing before the ALJ, Butler produced maintenance records showing that Rice’s vehicle was not in disrepair when he made the post.  Rice had also testified at his unemployment insurance hearing that his post referred to a private vehicle rather than a Butler ambulance.  There being no evidence to the contrary, the ALJ determined that Rice’s post was not protected by Section 7 because it was maliciously untrue and made with the knowledge of its falsity.  As a result, Rice’s termination was not illegal.

Legality of Work Rules

Also under scrutiny was the legality of two of Butler’s work rules, one prohibiting the “unauthorized posting or distribution of papers,” and the other requiring employees to acknowledge that they “will refrain from using social networking sights [sic] which could discredit Butler Medical Transport or damages its image.”  Butler argued that the rules were not official company policy because they were stated in a bullet point list.  The ALJ rejected the argument as making a distinction without a difference.  Butler relied on the bullet point rules in terminating Norvell and Zalewski, and new employees were required to acknowledge receipt of the list.  As such, employees could reasonably understand that they would be disciplined for failing to follow the rules on the list.  The ALJ found that the rules violated Section 7 activity because they prohibited employees from communicating to others about their work conditions.

LegalTXTS Lesson

This case doesn’t break new ground, but it does contain a few important reminders for employers grappling with how far they can go in regulating the social media activity of employees.

1.  A policy by any other name … is still a policy. Butler’s failure to convince the ALJ that the bullet point list was not company policy should serve as a reminder that if a company communicates a rule to its employees in writing, expects them to follow the rule, and disciplines them if they don’t, the rule is effectively a policy.  It doesn’t matter that the rule appears in a document whose title doesn’t include the word “policy,” or that the wording of the rule is informal.

2.  Write it right.  Given how easily a supposedly informal rule could qualify as a policy, a company should take care in articulating its work rules in the form of an official written policy.  Consult with counsel to make sure the wording doesn’t inadvertently violate the law.

3.  Don’t go overboard.  The NLRB has consistently frowned upon work rules that flat out prohibit employees from posting content on social media that damages the reputation of their employer, or worse yet, bars them completely from speaking to others about work-related issues, whether on social networking sites or other media.  (For examples, see the related posts below).  Reject categorical bans on employee speech in favor of rules that focus on creating or avoiding specific results.

4.  Context matters.  Before disciplining an employee for a social media post, understand the context in which the post was made.  Is the post about a work-related issue that other employees have discussed before?  Does the post call for co-workers to take action?  Asking such questions helps management determine if the post is protected under the NLRA.

Related Posts:

NLRB dishes out confusion on social media policies

NLRB sanctions employees who fire employees for online “protected concerted activity”

DirectTV’s work rules invalidated by NLRB

 
