Delaware Social Media Privacy Law Moves Ahead

At our Annual Employment Law Seminar last week, I spoke about the “Facebook Privacy” bill that was then pending in Delaware’s House of Representatives.  The bill passed the House on later that day and is now headed to the Senate.  For those of you who weren’t in attendance last week, here’s a brief recap of the proposed law. 

The stated purpose of HB 109 is to protect individuals’ privacy in their personal social media accounts.  Generally speaking, HB 109 would prohibit employers from requiring or requesting that an employee or applicant give the employer access to their personal social-media accounts-either by giving up their passwords or by logging in and letting the employer take a look (also known as “shoulder surfing”). 

As we all know, though, with any law, the devil is in the details.  And there are, not surprisingly, a few devilish details.  For example. . .

HB 109 prohibits an employer from asking an employee (or applicant) from disclosing “a username . . . for the purpose of enabling the employer to access personal social media.”  As written, that would mean that an employer could not ask a candidate what his or her Twitter handle is.  Twitter is, generally speaking, a publicly available site. 

So an applicant could have a public Twitter account, where he tweets racist or sexist speech or talks about how he likes to steal money from his current employer, but the employer wouldn’t be able to ask about it?  Huh?  I supposed we’d just have to wait till discovery in a lawsuit before we could ask for that (public information)?  Not my favorite part of this law.

There are other confusing parts of HB 109 that I think likely are unintended consequences of the legislation.  But, with 38 votes in favor and none against, it appears that the unintended consequences are well on their way to becoming law.  We’ll see what the Senate has to say about it and will be sure to keep you updated.  In the meantime, you can track HB 109 here.

Three Tips for Protecting Your Electronically Stored Confidential Information

Employers, do you know what apps your employees are using?  That’s the question posed by a recent article in the WSJ.  (See Companies Don’t Know What Apps Their Employees Are Using).  My guess is that the answer to this important question is, “No.”  Here are my top tips for how not to be the employer discussed in the WSJ article. cloud storage file cabinet drawer and folders_3

First, have a policy about employees’ use of cloud-based apps to save work-related documents.  Consider prohibiting employees from saving work documents to cloud-based storage accounts such as Dropbox, SkyDrive, and Box.net.  Also consider prohibiting employees from backing up the contents of their work laptops to cloud-based back-up accounts, such as Mozy and Carbonite.

Second, communicate your policy to all affected employees.  If employees don’t know about the prohibitions, your policy is unlikely to have the desired deterrent factor.  This means that your policy needs to be written in plain English and that it should be publicized to employees in a way that will actually be heard.

Third, enforce the policy.  Don’t make exceptions.  If an employee violates the policy, the employee should be disciplined accordingly.  Even if the employee is your favorite employee.  And even if the employee complains a lot about the policy-and claims that he or she needs the online storage and/or back-up accounts.  The answer is “no.”  And that answer must be consistent, regardless of how loudly an employee complains.

As a bonus point, I’ll note that employers should consider having all employees execute a confidentiality agreement.  The agreement can be very brief-a paragraph long does the trick, most of the time.  But the key is to have all employees execute the document.  And, ideally, have the employees reaffirm their adherence to the confidentiality agreement on a yearly basis.

A lot of additional work?   Yes.  But, if you have an employee who defects to a competitor and takes with him several gigabytes worth of your confidential data, the extra “work” will be worthwhile.  You’ll be glad you have taken these steps-and don’t hesitate to thank me for the great suggestions.

A Perk of BYOD Policies at Work

Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer-particularly when the new employer is a competitor.   When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue. privacy policy with green folder_thumb

Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network.  But what if the employee turns over his personal emails or text messages without realizing it?  The answer is, as always, “it depends.”  A recent case from a federal court in California addresses the issue in a limited context.

After the employee resigned, the employer sued him for misappropriating trade secrets.  He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws.  The employee alleged that the employer had reviewed his text personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.

All of the employee’s counter-claims were dismissed by the court.  The court found that the Wiretap Act claim failed because there was no allegation that the employer had intentionally intercepted any messages.  The SCA claims failed because there was no allegation that the employer had accessed any messages.  And, perhaps most obviously, the privacy claims failed because the employee could not have had a reasonable expectation of privacy.

The court specifically found that the employee had “failed to comport himself in a manner consistent with objectively reasonable expectation of privacy” by failing to unlink his old phone from his Apple account, which is what caused the transmission of his text messages to his former employer.

Sunbelt Rentals, Inc. v. Victor, No. C 13-4240-SBA (N.D. Cal. Aug. 28, 2014).

See also

Too Creepy to Win: Employer Access to Employee Emails

Traveling for Work and Late-Night Emails

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Delaware Employers Have New Recordkeeping Obligations

Delaware’s Governor has signed legislation related to the safe destruction of documents containing personal identifying information. The bill is effective January 1, 2015, and requires that commercial entities take all reasonable steps to destroy a consumer’s personal identifying information within the business’s custody and control, when the information is no longer to be retained. Destruction includes shredding, erasing, or otherwise destroying or modifying the personal identifying information to make it entirely unreadable or indecipherable through any means.crumbled paper trash_3

Personal identifying information includes, but is not limited to, a consumer’s first name or first initial and last name in combination with any one of the following: a signature; date of birth; social security number; passport number; driver’s license number, insurance policy number; or financial information (such as a credit card number).

There are exceptions for federally regulated financial institutions, healthcare organizations subject to HIPAA, consumer reporting agencies subject to the FCRA, and governmental bodies.

Violation of the statute carries stiff penalties, including treble damages.

The legislation is not a model of clarity, and leaves a lot of questions as to how it will be applied to Delaware businesses. Until the courts provide additional guidance, Delaware businesses are well advised to carefully review their document security.

Is It Time to Reconsider Your Personal Email Policy?

The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers.  This is just one story in a string of recent headlines involving the vulnerability of the Internet sites.  But consumers aren’t the only ones affected.  The companies whose websites have been attacked are employers, after all.computer help button_3

Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability.  So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.

One option being considered by some employers is blocking employees from their personal, web-based email accounts from the company’s servers.  Companies can install powerful (albeit not impenetrable) spamware that can catch and prevent many Internet-based security threats.  But that spamware works only on emails that come through the Company’s email servers.  Email that is opened through a web-based account, such as GMail or Hotmail is not subject to the company’s protective measures.

Which is precisely why many IT professionals see web-based email accounts as a major security threat.  But what’s an employer to do?  Employers have long been trying to prevent the productivity loss associated with employees’ personal use of the Internet during working time.  But now this effort has become a top priority.

Will employees stop checking their personal email at work if they’re asked nicely?  If they understand the risks?  Maybe.  Maybe not.  But it certainly wouldn’t be a bad place to start.  Perhaps your company should consider explaining to its employees exactly why you don’t want them to check their personal email during working time.  Hey, it’s worth a try.

By the way . . .

Data Security is the topic of one of the sessions at this year’s Annual Employment Law Seminar, which is coming up on May 8.  If you haven’t registered, there’s still time.  Just click here to get to the Seminar Registration page.

Boss Hacks Personal Email Account of Employee. Emotional Distress Follows.

Another case involving employer access to an employee’s personal email account.  And the bad things that follow.

The plaintiff was an administrative assistant to the Athletic Director of a public school district in Tulsa, Oklahoma.  In her complaint, she alleged that she had reported that the Director and two Assistant Directors had “endangered the health and safety of students” and had “misappropriated funds.”  In other words, she was a whistleblower. email hacked_thumb

Shortly after she made these reports, the Director suspended her and recommended that she be terminated.  She grieved the recommendation.

Apparently during the grievance process, the plaintiff was contacted by the cyber-crimes division of the Tulsa Police Department, who informed her that her private email account had been hacked.

She filed suit, alleging that the Director and two Assistant Directors intentionally obtained access to her private emails and used the information that they unlawfully obtained in order to pursue the recommendation to terminate her employment.  She brought several claims, including constitutional claims under the 1st and 4th Amendments, statutory claims under the federal and state wiretapping laws, and state tort claims.  The defendants moved to dismiss.

The opinion addresses several arguments on each claim but there are certain holdings that bear mention here.

First, the plaintiff’s Fourth Amendment claim survived dismissal.  The court found that she had adequately pleaded that she had a reasonable expectation of privacy in her personal email account and that the hacking constituted an unlawful search and seizure of her account and/or emails in the account.

Second,  her privacy claim survived for the same reasons.  Basically, the court found that having your private email hacked and then the contents used against you in proceedings to have you terminated from your employment would be a “highly offensive” intrusion to a reasonable person.  This was further supported by the fact that the Tulsa Police Department considered her to be a victim of cyber-crime.

Third, the claim for intentional infliction of emotional distress survived, again, largely for the same reason.  The court concluded that the conduct could be plausibly deemed outrageous in nature.

I think many of us would agree that this motion to dismiss did not stand much of a chance.  (Although, the opinion is not very detailed in its description of the alleged events and did leave me with some unanswered questions about the actual allegations contained in the complaint.)  If an individual’s personal email account is intentionally targeted for hacking by anyone, it’s going to be a serious source of distress.  If the hacking is done by your direct supervisors for the purpose of making sure you lose your job because you (allegedly) blew the whistle about what you believed to be improper conduct, you are likely to be very close to “extreme” distress.  Wouldn’t you think?  The Northern District of Oklahoma did.

Murphy v. Spring, No. 13-cv-96-TCK-PJC (N.D. Okla. Sept. 12, 2013).

Delaware Chancery Ct. Finds No Privilege for Email Sent from Work Account

Does an employee who communicates with his lawyer from a company email account waive the attorney-client privilege with respect to those communications?  The answer is not terribly well settled-not in Delaware and not in most jurisdictions.  But a recent decision by the Delaware Court of Chancery gives Delaware employers and litigants a pretty good idea of the analysis to be applied.

The case, In re Information Management Services, is an unusual type of derivative litigation in that it involves two families, each suing the other for breaches of fiduciary duty.  Two of the company’s senior executives, who were alleged to have mismanaged the company in violation of their fiduciary duties, sent emails to their personal lawyers from their company-issued email accounts.  During discovery, the executives refused to produce the emails, claiming them to be protected by the attorney-client privilege.  The plaintiffs sought to compel production of the emails.

The court adopted the four-factor test first enumerated in In re Asia Global Crossing, Ltd. (Bankr. S.D.N.Y. 2005), and applied it to determine whether the executives had a reasonable expectation of privacy in the contents of the emails that they sought to protect.  The court determined that the executives did not have a reasonable expectation of privacy in the contents of the emails because the company’s policy expressly warned that employee emails were “open to access” the company’s staff.  The policy permitted personal use of the company’s computers “after hours” but warned that, if an employee wanted to keep files private, the files should be saved offline.  Thus, the policy was key in ensuring the company can now access emails between the executives and their counsel.

There are a few particularly notable points in the decision that are worth mention. 

First, Delaware law generally provides great deference to the attorney-client privilege.  Usually, the privilege is considered very difficult to waive.  By contrast, this case suggests that a company policy is sufficient to overcome that otherwise difficult hurdle.  The court goes so far as to say that a policy that prohibits all personal use would likely be sufficient to waive the privilege without any further analysis.

Second, the court seemed to place a high burden on the executives. Vice Chancellor Laster recognized that the executives wrote in the subject lines of the emails, “Subject to Attorney Client Privilege” but concluded that the failure to use webmail (such as G-Mail or Yahoo!) or encryption rendered the communications not confidential.  The court wrote that there could be no reasonable expectation of privacy because:

a third party to the communication had the right to access [the] emails when [the executives] communicated using their work accounts.

The “third party” in this case was the company and its IT staff. But the holding raises questions of whether use of a service such as Dropbox, which, by its terms of service, expressly notifies users of its right to access the contents of any account, would also waive the privilege.  In that case, a third party has the right to access contents so, in accordance with the court’s decision, there could be no reasonable expectation of privacy and, therefore, no privilege.

The decision is very well researched and contains a stockpile of case citations and references for those who may be interested in the subject matter.  And even for those who may not be interested in the macro view of this area of the law, there is one key lesson to take away-Delaware employers should carefully review their policies to ensure that the language clearly warns employees that the company reserves the right to monitor, access, and/or review all emails sent or received from a company email account.  Now, the question of whether a personal, web-based email account, accessed via the company’s servers, would be subject to the same analysis is an even trickier one and one that we’ll save for a later date. 

In re Info. Mgmt. Servs., Inc., No. 8168-VCL (Del. Ch. Sept. 5, 2013).