A recent National Labor Relations Board Shore Point Advisory Letter gives a bit of good news to employers who want to use modern monitoring technology to monitor employees that they suspect are breaking work rules. On November 2, 2015, the NLRB concluded that an alcoholic beverage distributor (Shore Point), did not violate labor laws by failing to negotiate with its employees’ union before installing a GPS tracking device on an employee’s company truck. Shore Point suspected that the employee was stealing time while on his work routes. Shore Point’s collective bargaining agreement contains rules against stealing time.
Shore Point hired a private investigator to follow the employee to collect evidence for disciplinary purposes, an established practice the union had not objected to in the past. The investigator placed a GPS tracking device on the employee’s truck to maintain and regain visual contact. The GPS was only installed on the employee’s vehicle on the days when the investigator was following the employee, and was used as a backup method in case the investigator lost visual sight of the employee and his truck. Based on the investigator’s observations of the employee engaging in misconduct, Shore Point terminated the employee. The union filed a charge alleging that the employer unilaterally engaged in electronic surveillance without bargaining in violation of the National Labor Relations Act.
The NLRB determined that Shore Point did not have an obligation to bargain over the installation and use of the GPS device. Although the use of the device was a mandatory subject of bargaining, it did not amount to a material, substantial, and significant change in the terms and conditions of employment. Shore Point had an existing practice of using a personal investigator to monitor employees suspected of misconduct. Using a GPS tracking device was just “a mechanical method to assist in the enforcement of an established policy,” and therefore was not a material, substantial, or significant change in policy. The NLRB also noted that the GPS device only added to information that the private investigator had collected through personal observation, did not increase the likelihood of employee discipline, and did not provide an independent basis for termination.
At least two lessons can be learned from this case. First, when crafting employee work rules subject to bargaining, build in flexibility to allow for use of technological advances in enforcement methods. Second, disciplinary action against an employee should be supported with various types of evidence if possible. Just relying on evidence collected with a controversial or untested method is risky because if the use of the method is determined unlawful, the basis for the disciplinary action disappears.
The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense). But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.
(Photo credit: Wikipedia)
“Smile, you’re on Candid Camera.” Originally coined on the eponymous TV show, that catchphrase is becoming more of common refrain in the workplace. Any employee with a smartphone can easily record an office conversation in secret. But are such covert recordings legal? And what control, if any, does management have over the making of such recordings?
The Law of Recording Face-to-Face Conversations
A majority of states (approximately 37) follow the one-person consent rule for recording face-to-face conversations. This rule authorizes the recording of a conversation so as long as one person in the conversation consents. The consenting party can also be the person recording the conversation. Practically speaking, this means it is legal to record a conversation with another person without his or her knowledge.
Most other states require the consent of all participants in the conversation. Covert recording of face-to-face conversations would not be permitted in states that follow the all-party consent rule.
Workplace Bans on Covert Recordings
Even if covert recordings are legal, management may regulate the practice if done so consistently with the right of employees to engage in concerted activity, which is protected under Section 7 of the National Labor Relations Act (NLRA). A recent National Labor Relations Board decision illustrates this. Whole Foods Market, Inc., Case No. 01-CA-096965 (Oct. 30, 2013). The case involved a challenge to a company policy that banned employees from recording conversations without prior management approval. The company’s stated purpose for the policy was “to eliminate a chilling effect to the expression of views that may exist when one person is concerned that his or her conversation with another is being secretly recorded.”
The administrative law judge (ALJ) in the case upheld the policy. The ALJ noted that there is no protected right to record conversations in the workplace, but even if there were such a right, management may regulate the exercise of that right. It was not adopted in response to union activity, and it was clearly tied to the company’s core value of fostering open and honest dialogue about company matters. The ALJ disagreed that the policy could reasonably be interpreted as a restriction on using social media to communicate and share information about work conditions through video recordings made at the workplace. The policy regulated a means of communication as opposed to the protected activity itself. It also did not prohibit employees from making recordings during non-work time. The policy therefore did not violate Section 7 rights.
The Whole Foods Market decision suggests questions that management should consider when drafting a work rule against covert recordings to ensure that the rule does not violate the NLRA:
- Is the rule clearly linked to a purpose besides preventing employees from engaging in Section 7 activity?
- Does the rule leave open alternative channels for employees to communicate about Section 7 activity?
- Does the rule allow employees to make recordings during non-work hours?
A ban on covert recordings is more likely to withstand a legal challenge if management can answer “yes” to each of these questions.
No, it’s not an acronym advising you to come to dinner with your favorite vintage of pinot noir. BYOD stands for Bring Your Own Device, a movement that’s changing the landscape of information technology at workplaces across the globe. In the “old days,” companies issued electronic equipment to employees for work use. Today, employees want to use the latest electronics of their own choice for both work and play. Surveys consistently show that companies are giving in to such requests, citing the benefits of increased productivity and morale, as well as cost savings from not having to buy the equipment themselves. However, BYOD programs also create legal risks for companies, including:
- Violation of labor laws like the Fair Labor Standards Act due to the ability of workers to rack up overtime by doing work on personal devices practically anywhere and at any time, whether or not such overtime is authorized by management
- Violation of laws prohibiting disclosure of the private information of customers, clients, or patients, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act
- Inadvertent disclosure of proprietary company information, which jeopardizes their confidentiality, and as a result, their status as protected trade secrets
- Complicating the e-discovery process, because electronic data that fall within the scope of a discovery request may reside on devices besides those under the direct control of the company
In light of these risks, the knee-jerk response of management might be to forbid BYOD entirely, but that is not necessarily the best approach. BYOD is more prevalent than one might think. A form of BYOD is in play whenever someone stores work data on a personal cloud storage account, uses a personal laptop to draft a memo for work, or forwards work-related word processing files to a private email account for easy access from home. A company need not officially adopt a BYOD program to have one, which is all the reason why management should be proactive about putting BYOD policies in place.
Learn about the specific risks that a BYOD program creates for your company. Develop guidelines on acceptable and unacceptable use of personal devices for work-related purposes. Notify employees of the policies in writing and provide training. Don’t wait until it’s too late!
Want more tips on BYOD? Come to the Advanced Employment Issues Symposium in Las Vegas from November 13-15, where I’ll be giving a presentation on “BYOD Challenges: When Employees Bring Their Own Devices to Work.” Registration information is available at www.aeisonline.com.
Creative Commons image courtesy of Daigo Oliva on Flickr
The Hawaii anti-paparazzi bill eponymously named after its chief supporter is back after getting an extreme makeover, and it just took another step toward becoming law in Hawaii. The Senate Judiciary Committee has recommended passage of a revised version of the Steven Tyler Act (SB426, S.D. 1). The revised bill is a big improvement from the original version. It goes a long way toward remedying the problems discussed in my previous post on the Act, and now it looks much more like the California statute after which it was patterned. But despite the revisions, the Act remains quirky in some ways, and it still doesn’t answer the question of why we need a brand-new privacy law.
Here are the highlights of the revised bill. The revised bill:
- creates an actual tort for constructive invasion of privacy, not just one in the name. The original bill tried to create a constructive invasion of privacy tort, but the parameters of the tort were not well-defined.
- defines certain concepts that are key to liability under the Act, like “personal and familial activity.”
- makes it very difficult to impose liability on those publicizing or selling images or sound recordings that were captured in violation of the Act.
- carves out exceptions to liability, including one for law enforcement activities.
- creates a fairly novel process for raising a defense against invasion of privacy claims in court based on the First Amendment or its counterpart in the Hawaii State Constitution.
Now, let’s look at some of the features of the revised bill in greater detail.
Constructive Right of Privacy
The revised bill creates two types of invasion of privacy, one physical in nature and the other constructive. Both require an intrusion into land owned or leased by the plaintiff. This is an important revision because it gets rid of the “taking pictures at the beach” scenario (i.e., why should a celebrity complain about invasion of privacy if her picture is taken on a public beach?)
An intrusion, however, does not necessarily require a physical trespass onto the plaintiff’s property. Spying and eavesdropping could constitute intrusion, but does not necessarily involve a physical trespass. The tort of constructive invasion of privacy accounts for this distinction, stating that non-physical intrusions will be treated as invasions of privacy. The use of “visual or auditory enhancing devices” to probe into the plaintiff’s private affairs, regardless of whether it involves a physical trespass, counts as an invasion of privacy. That’s how constructive invasion of privacy works.
The original bill bungled the concept of constructive invasion of privacy by not tying liability to the use of visual or auditory enhancing devices. The revised bill fixes that problem.
“Personal and Familial Activity”
The original bill left out definitions of key concepts. A notable one was “personal and familial activity,” which is what the plaintiff must have been engaged in when the defendant captured images or recordings of him or her. The original bill did not define the term. The revised bill adopts the definition used in the California anti-paparazzi law.
Having a definition rather than none is a step in the right definition, but the definition is still too vague. The revised bill defines “personal and familial activity” as “intimate details of the plaintiff’s personal life, interactions with the plaintiff’s family or significant others, or other aspects of the plaintiff’s private affairs or concerns.” What range of activities does “the plaintiff’s private affairs or concerns” include? The revised bill doesn’t say.
Liability of Sellers of Images and Recordings
One criticism of the Act was that it punishes sellers of images or recordings of celebrities. The Act imposes liability on those who sold images or recordings that were captured in violation of the Act if they had “actual knowledge” of the violation and received compensation for the rights to the images or recordings. One problem of the original bill is that “actual knowledge” was not defined, so the level of intent needed to trigger liability wasn’t clear. The revised bill remedies that problem by defining “actual knowledge.” The definition requires “actual awareness, understanding, and recognition” that the image or recording was taken or captured in violation of the Act. That’s difficult to prove.
But the revised bill goes one step further in limiting publisher and seller liability. The plaintiff has the burden of establishing actual knowledge by “clear and convincing evidence.” This is the highest standard of proof in a civil matter (just below the “beyond a reasonable doubt” standard in criminal cases).
The plaintiff’s burden to prove the liability of publishers and sellers is reminiscent of the “actual malice” standard applicable in libel cases brought by a public official or public figure. In other words, the revised bill makes it very, very difficult to prove publisher and seller liability.
The revised bill also makes clear that there is no derivative liability for publicizing or selling an image or recording if it had been previously publicized or sold before without violating the Act.
Exceptions to Liability
The revised bill creates exceptions to liability, most notably for activities relating to law enforcement and investigation into illegal conduct. The revised bill also clarifies that the Act does not preclude suits for other legal or equitable relief under other theories, including the Hawai‘i anti-SLAPP law or a claim for publication of private facts.
First Amendment Defense
Perhaps the most interesting feature of the revised bill is an expedited process for handling defenses based on the First Amendment or its Hawaii counterpart, i.e., Hawaii Constitution, Article I, Section 4 (the revised bill does not cite specifically to Section 4, which is the section that parallels the First Amendment, so the expedited process apparently applies to a defense based on any portion of Article I is raised). The basic idea is to give first priority to resolving questions of the constitutionality of enforcing the Act in a particular situation.
Here’s how the expedited process works. If the defendant files a motion to dismiss a claim for violation of the Act based on First Amendment/Article I grounds, the case basically comes to a halt until the motion is decided. The court cannot look outside the allegations in the pleadings to decide the motion, and all discovery is suspended until the motion is decided. The court must hold a hearing and rule on the motion on an expedited basis. If the court denies the motion, the defendant may immediately appeal the denial.
The revised bill also flips the burden of proof. When the defendant files a motion to dismiss based on a First Amendment/Article I defense, the plaintiff has the burden to prove that, more likely than not, the plaintiff’s “claim is [not] barred by a defense based on the First Amendment of the United States Constitution or article I of the Hawaii State Constitution” (note that the quoted language in the revised bill omits the word “not”; that’s probably a typo). If the defendant wins the motion, it can recover damages, attorneys’ fees, costs, punitive damages, and other sanctions against the plaintiff and even the attorneys and law firm representing the plaintiff.
Thoughts on the Revised Bill
The revised bill is much better than the original version. I’m still not convinced, though, that the solution to the problem of overzealous paparazzi is a new law. Hawaii already recognizes the privacy tort of inclusion into seclusion, and that seems to cover the type of intrusion addressed in the concept of “constructive invasion of privacy.” The tort of intrusion into seclusion does not require a physical invasion into the plaintiff’s personal space. The use of visual or auditory enhancing equipment to remotely gain access to the plaintiff’s private affairs would seem already covered under existing law. Creating a new law to deal with the issue would add little new benefits while potentially creating more problems.
Take the expedited process for dealing with First Amendment issues, for example. According to a Standing Committee Report, the expedited process was created in response to constitutional concerns about the Act. As a lawyer who represents media defendants, I welcome extra procedural protections for airing out First Amendment issues. But I do think the expedited process is somewhat sloppy. The process gives too much incentive to a defendant to respond initially to a Tyler Act claim with First Amendment defenses, even unmeritorious ones. The defendant has nothing to lose and everything to gain by using such a tactic. By filing a motion to dismiss on First Amendment grounds, the defendant can freeze discovery in the case, shift the burden of proof to the plaintiff, and potentially reap the benefit of recovering fees, costs, and damages from the plaintiff, his or her attorney, and even the attorneys’ law firm! There are few circumstances in which a defendant should not raise a First Amendment defense. And on the flip side, true victims of constructive invasion of privacy might think twice before suing under Tyler Act due to the risks involved. Which again begs the question: Do we really need the Tyler Act?