The Brave New World of e-Workplace Privacy Policies

Embodying some of the aspects of Big Brother is not a new role for an employer. Traditional concerns for employers have included: loss of information sensitive to the employer or to employees; harassing, discriminatory, or other conduct potentially leading to liability to third parties; forbidden fraternizing; misappropriation of trade secrets to form a competing venture; criminal activity; and “frolic and detour” or other slacking. In the past 15 years, however, workplaces have become increasingly digitized as electronic information has come to dominate all aspects of modern life. See generally, Robert D. Brownstone, Workplace Privacy Policies (Aug. 2009) (“Brownstone eWorkplace”), at 1-3, available at www.fenwick.com/docstore/publications/EIM/eWorkplace_Policies_Materials_Public_Sector_EEO_8-28-09.pdf#page=7. With the advent of Web 2.0 and User-Generated-Content (“UGC”) ' blogs, wikis and social-networking sites (such as Facebook, LinkedIn, MySpace and Twitter) ' there are heightened concerns surrounding employees' digital activity.

Part One of this article examines the potential liability for employers involved with social media and e-mail use. Part Two, next month, discusses implementing compliant and defensible workplace policies.

Liability Risks in the Web 2.0 Landscape

Employers now have a magnified legitimate interest in protecting themselves. Employees have access to, and are the gatekeepers of, trade secrets and other sensitive and confidential information. A single malicious or negligent employee can cause irreparable harm to the employer. Given the relatively desperate state of the economy the last couple of years, employees are apparently more likely to steal corporate information. See, “37% of [UK] Employees Would Sell Data,” Information Management, Sep./Oct. 2009, at 18. Thus, organizations are even more worried about data leakage, whether intentional or unintentional. Consequently, monitoring of employees' digital activity seems to have increased to an all-time high. See, Proofpoint, Inc., “Outbound e-Mail and Data Loss Prevention in Today's Enterprise,” Aug. 7, 2009, available at www.proofpoint.com/downloads/Proofpoint-Outbound-Email-and-Data-Loss-Prevention-2009.pdf. See also, “New Hires to Monitor Outbound e-Mail,” Nat'l L.J. (Sep. 30, 2009), available at www.law.com/jsp/cc/PubArticleCC.jsp?id=1202434171378.

Other constituencies are also at risk for damage due to data leakage. Most organizations ' whether public or private ' are legally and morally bound to protect individual customers and employees from identity theft. During 2009, two highly publicized incidents ostensibly involved the loss of personally identifiable information (“PII”) as to 97,000 and 29,000 co-workers, respectively (see, Class Action Complaint, Krottner v. Starbucks Corp., No. 09-CV-00216-CMP (W.D. Wash. Feb. 19, 2009), available at https://ecf.wawd.uscourts.gov/doc1/19703090338; Fenwick & West, “Starbucks Sued for Failing to Safeguard Employee Information,” Emp. Brief, Mar. 12, 2009, available at www.fenwick.com/publications/6.5.4.asp?mid=44&WT.mc_id=EB_031209. See also, Sandy Kleffman, “Kaiser Warns Nearly 30,000 Employees of Data Breach,” Contra Costa Times, Feb. 6, 2009, available at www.mercurynews.com/ci_11646163?nclick_check=1). In the latter situation, the theft occurred while the data was in the possession of the employees' labor union rather than of the employer. See, Sandy Kleffman, “Kaiser: Stolen Data Was from Union Offices,” Contra Costa Times, Feb. 27, 2009, www.mercurynews.com/breakingnews/ci_11804740?nclick_check=1.

Overall, employers face an increasingly challenging environment with new and sometimes conflicting responsibilities to employees. Millions of employees' electronic activities can be under ongoing surveillance as to content, length, attachments, time spent, and keystrokes. See, Brownstone eWorkplace, supra note 1, at 3 (.pdf at 9). Technological developments provide employers with new tools to aid legitimate monitoring of employees' electronic activities in the workplace. Tech tools, however, also create new risks of liability for invasion of privacy, as well as potentially lowered morale and mistrust by employees.

Employees' Damaging e-Mails

e-Mail messages are scrutinized in all aspects of litigation and governmental proceedings, from discovery and motion practice to trials. As a quick, cheap, and easy means of communication, e-mail has become an indispensible business tool. e-Mails also tend to be more candid, less formal, and less thoughtful than other writings. In today's world, one regularly learns of pivotal “smoking gun” e-mails or other types of digital gaffes in business, as well as national and local politics. Id.

Employment discrimination cases provide an object lesson. In a bias or harassment case, one or two explicit messages can bolster other evidence of a hostile environment or discrimination. For example, in the highly publicized gender discrimination case of Zubulake v. UBS Warburg, No. 02-CV-1243-SAS (S.D.N.Y.) (Scheindlin, J.), the plaintiff Ms. Zubulake produced over 450 pages of relevant e-mails. One “smoking gun” e-mail suggesting that Zubulake be fired “ASAP” after her Equal Employment Opportunity Commission charge was filed, in part so she would be ineligible for year-end bonuses. The jury awarded Zubulake over $29 million in total damages.

Consider also this recent gem that led to a huge verdict in an age discrimination case against Kmart: “Hawkins is 64 yrs old with 20 yrs with km. I think I can get him to retire. Let me work on him.” See, Jason W. Armstrong, “Mystery e-Mail Leads Del Mar Lawyers to Huge Verdict,” New Niche, Aug. 27, 2009 (“e-Mail triggered testimony that helped persuade a Riverside jury ' to award ' nearly $1 million in compensatory damages and $25 million in punitive damages”), available by subscription at http://dailyjournal.com/subscriber/index.cfm?cat=search.

Employees' Damaging Internet Use and Postings

e-Mail is by no means alone a realm rife with risk. Internet conduct and postings can memorialize liability evidence. For example, employee Web surfing can entail visiting pornographic Web sites, not only cutting into productivity, but also potentially creating a hostile work environment ' as well as a malware risk. In 2006, the Oregon Department of Revenue had to contact 2,300 taxpayers to notify them that their names, addresses, and/or Social Security numbers may have been stolen by a Trojan horse program downloaded accidentally by a former employee who had been surfing pornographic sites while at work. See, Todd Weiss, “Trojan Horse Captured Data On 2,300 Oregon Taxpayers,” Computerworld, June 15, 2006, available at www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001222.

Even the use of legal, legitimate Web platforms can go awry. Once employees have conditioned themselves to receive friend requests from Facebook, Twitter “follower” messages, and the like in their work e-mail accounts, they leave their employer's network more susceptible to spoofing, phishing, and whaling schemes, some of which harbor malware and/or links to malicious Web sites. See, Brownstone eWorkplace, supra note 1, at 8 (.pdf p.14).

The content posted on various 21st-century platforms trigger many risk-management legal issues. Built on a conversational model, blogs and social networking sites are paradoxical. They are not only intimate, but they also encourage public discussion and exposure. The ramifications for employers from the content of employee postings or leaks include intentional or unintentional disclosure of confidential information. In 2009, the mayor of Battle Creek, MI, unintentionally posted a wrong document containing personally identifiable information of 65 city employees, including Social Security numbers for six of them. See, ComputerWeekly.com, “Top 10 Twitter Marketing Blunders in Photos,” July 2, 2009, available at www.computerweekly.com/galleries/236700-10/Mayor-Mark-Behnke-Top-10-Twitter-marketing-blunders.htm; Newkirk, Barrett, “Battle Creek Mayor Accidentally Tweets Employee Social Security Numbers,” Battle Creek Enquirer, June 24, 2009, available at http://m.freep.com/news.jsp?key=481472. As to intentional disclosures, one troublesome scenario includes “sock-puppeting,” (see, e.g., Brad Stone and Matt Richtel, “The Hand That Controls the Sock Puppet Could Get Slapped,” N.Y. Times, July 16, 2007 (“on the Internet nobody knows you're a dog ' or the chief executive”), available at www.nytimes.com/2007/07/16/technology/16blog.html?pagewanted=print) which involves an insider's pseudonymous, favorable postings about his or her company on a public site.

Is Anything Truly 'Off-Duty' Today?

Many modern-day prospective or current employees leave a digital trail of “off-duty” conduct that may result in adverse action by a prospective or current employer. Much has been written recently about the “brave new world of Web 2.0 and the quandary it creates for employers considering hiring a given applicant or disciplining a current employee.” Brownstone eWorkplace, supra note 1, at 47-48 (.pdf at 53-54). As to both applicants and employees, well-thought-out policies and consistent application thereof can provide an employer with a legally defensible approach.

As to applicants, some of the emerging principles seem to be:

• Those who post information about themselves on the Web without using protections to keep it from being publicly available will have an exceedingly weak “expectation of privacy” argument.
• An employer may lawfully use Google to research an applicant.
• The extent to which an employer can use information it finds on an applicant's Web 2.0 page is subject to traditional labor law concepts such as discrimination. As in the traditional “off-duty” context regarding existing employees, if an applicant's posted content demonstrates a lack of ability to do, or interest in, the job, presumably there is no problem with the prospective employer relying on it. Id.

However, what if a hiring department only learns of a prospect's religion, race, gender, marital status and/or sexual preference from the individual's social-networking page? Given the theoretical pitfalls of trying to parse ' and, if challenged later, to prove ' what someone did and did not view or rely upon, an employer can take alternative approaches along a spectrum. On the one hand, an organization can develop and write up (as well as train on and do its best to follow) a realistic policy that allows lawful Web-searching regarding prospects. See, ARMA Int'l, “Employer Policy Urged for Blog Mining,” ARMA Info. Mgmt. NewsWire, Feb. 25, 2009, available at www.arma.org/news/enewsletters/printFriendly.cfm?id=3445. On the other hand, at least one employer has publicly announced that it has taken the ostrich-like approach of avoiding Web research on applicants altogether. See, Jenny B. Davis, “Bank Nixes Use of Social Networking Sites in Hiring Process,” Texas Lawyer, Apr. 13, 2009, available at www.law.com/jsp/ihc/PubArticleFriendlyIHC.jsp?id=1202429840060.

As to a given person already in its employ, especially if the person is an avid Web 2.0 user, a 21st-century employer has the potential to access a vast amount of publicly available information. Some strange but true scenarios include:

• The Ninth Circuit upheld the job dismissal of an Arizona police officer who was fired based on his Web site of sexually explicit photos and videos of his wife.
• Teaching credentials were not awarded to a Pennsylvania high school student-teacher who received a negative evaluation in light of her posting a photo of herself, captioned the “Drunken Pirate,” on her MySpace page; the decision not to award such credentials was upheld.
• A North Carolina school teacher was suspended and faces possible termination based on her posting of racially derogatory comments on her own Facebook page.
• A federal district court upheld the non-renewal of a Connecticut high school teacher's contract based on the school superintendent's objections to the teacher's MySpace content and associated communications with students.
• An Iowa community college president resigned after a newspaper photo depicted him shirtless while holding a small Coors Light keg over a woman's mouth.
• A Swiss insurance worker was fired because her at-home
  Facebook activity belied her prior contention that, when out on sick leave, she could not use a computer screen ( see, Emma Thomasson, “Facebook Surfing While Sick Costs Swiss Woman Job,” Reuters, Apr. 24, 2009, available at www.washingtonpost.com/wp-dyn/content/article/2009/04/24/AR2009042402019_pf.html.
• A police officer's posts on his MySpace page about his persona and an ongoing criminal matter purportedly aided a defendant in getting acquitted of a more serious charge at trial.
• A former high school student's privacy causes of action were dismissed against the principal of her alma mater, who had forwarded to the press a negative ode the student previously published on the student's own MySpace page.

In Part Two, next month, the author discusses compliance, privacy policies, training and information security.

Embodying some of the aspects of Big Brother is not a new role for an employer. Traditional concerns for employers have included: loss of information sensitive to the employer or to employees; harassing, discriminatory, or other conduct potentially leading to liability to third parties; forbidden fraternizing; misappropriation of trade secrets to form a competing venture; criminal activity; and “frolic and detour” or other slacking. In the past 15 years, however, workplaces have become increasingly digitized as electronic information has come to dominate all aspects of modern life. See generally, Robert D. Brownstone, Workplace Privacy Policies (Aug. 2009) (“Brownstone eWorkplace”), at 1-3, available at www.fenwick.com/docstore/publications/EIM/eWorkplace_Policies_Materials_Public_Sector_EEO_8-28-09.pdf#page=7. With the advent of Web 2.0 and User-Generated-Content (“UGC”) ' blogs, wikis and social-networking sites (such as Facebook, LinkedIn, MySpace and Twitter) ' there are heightened concerns surrounding employees' digital activity.

Part One of this article examines the potential liability for employers involved with social media and e-mail use. Part Two, next month, discusses implementing compliant and defensible workplace policies.

Liability Risks in the Web 2.0 Landscape

Employers now have a magnified legitimate interest in protecting themselves. Employees have access to, and are the gatekeepers of, trade secrets and other sensitive and confidential information. A single malicious or negligent employee can cause irreparable harm to the employer. Given the relatively desperate state of the economy the last couple of years, employees are apparently more likely to steal corporate information. See, “37% of [UK] Employees Would Sell Data,” Information Management, Sep./Oct. 2009, at 18. Thus, organizations are even more worried about data leakage, whether intentional or unintentional. Consequently, monitoring of employees' digital activity seems to have increased to an all-time high. See, Proofpoint, Inc., “Outbound e-Mail and Data Loss Prevention in Today's Enterprise,” Aug. 7, 2009, available at www.proofpoint.com/downloads/Proofpoint-Outbound-Email-and-Data-Loss-Prevention-2009.pdf. See also, “New Hires to Monitor Outbound e-Mail,” Nat'l L.J. (Sep. 30, 2009), available at www.law.com/jsp/cc/PubArticleCC.jsp?id=1202434171378.

Other constituencies are also at risk for damage due to data leakage. Most organizations ' whether public or private ' are legally and morally bound to protect individual customers and employees from identity theft. During 2009, two highly publicized incidents ostensibly involved the loss of personally identifiable information (“PII”) as to 97,000 and 29,000 co-workers, respectively (see, Class Action Complaint, Krottner v. Starbucks Corp., No. 09-CV-00216-CMP (W.D. Wash. Feb. 19, 2009), available at https://ecf.wawd.uscourts.gov/doc1/19703090338; Fenwick & West, “Starbucks Sued for Failing to Safeguard Employee Information,” Emp. Brief, Mar. 12, 2009, available at www.fenwick.com/publications/6.5.4.asp?mid=44&WT.mc_id=EB_031209. See also, Sandy Kleffman, “Kaiser Warns Nearly 30,000 Employees of Data Breach,” Contra Costa Times, Feb. 6, 2009, available at www.mercurynews.com/ci_11646163?nclick_check=1). In the latter situation, the theft occurred while the data was in the possession of the employees' labor union rather than of the employer. See, Sandy Kleffman, “Kaiser: Stolen Data Was from Union Offices,” Contra Costa Times, Feb. 27, 2009, www.mercurynews.com/breakingnews/ci_11804740?nclick_check=1.

Overall, employers face an increasingly challenging environment with new and sometimes conflicting responsibilities to employees. Millions of employees' electronic activities can be under ongoing surveillance as to content, length, attachments, time spent, and keystrokes. See, Brownstone eWorkplace, supra note 1, at 3 (.pdf at 9). Technological developments provide employers with new tools to aid legitimate monitoring of employees' electronic activities in the workplace. Tech tools, however, also create new risks of liability for invasion of privacy, as well as potentially lowered morale and mistrust by employees.

Employees' Damaging e-Mails

e-Mail messages are scrutinized in all aspects of litigation and governmental proceedings, from discovery and motion practice to trials. As a quick, cheap, and easy means of communication, e-mail has become an indispensible business tool. e-Mails also tend to be more candid, less formal, and less thoughtful than other writings. In today's world, one regularly learns of pivotal “smoking gun” e-mails or other types of digital gaffes in business, as well as national and local politics. Id.

Employment discrimination cases provide an object lesson. In a bias or harassment case, one or two explicit messages can bolster other evidence of a hostile environment or discrimination. For example, in the highly publicized gender discrimination case of Zubulake v. UBS Warburg, No. 02-CV-1243-SAS (S.D.N.Y.) (Scheindlin, J.), the plaintiff Ms. Zubulake produced over 450 pages of relevant e-mails. One “smoking gun” e-mail suggesting that Zubulake be fired “ASAP” after her Equal Employment Opportunity Commission charge was filed, in part so she would be ineligible for year-end bonuses. The jury awarded Zubulake over $29 million in total damages.

Consider also this recent gem that led to a huge verdict in an age discrimination case against Kmart: “Hawkins is 64 yrs old with 20 yrs with km. I think I can get him to retire. Let me work on him.” See, Jason W. Armstrong, “Mystery e-Mail Leads Del Mar Lawyers to Huge Verdict,” New Niche, Aug. 27, 2009 (“e-Mail triggered testimony that helped persuade a Riverside jury ' to award ' nearly $1 million in compensatory damages and $25 million in punitive damages”), available by subscription at http://dailyjournal.com/subscriber/index.cfm?cat=search.

Employees' Damaging Internet Use and Postings

e-Mail is by no means alone a realm rife with risk. Internet conduct and postings can memorialize liability evidence. For example, employee Web surfing can entail visiting pornographic Web sites, not only cutting into productivity, but also potentially creating a hostile work environment ' as well as a malware risk. In 2006, the Oregon Department of Revenue had to contact 2,300 taxpayers to notify them that their names, addresses, and/or Social Security numbers may have been stolen by a Trojan horse program downloaded accidentally by a former employee who had been surfing pornographic sites while at work. See, Todd Weiss, “Trojan Horse Captured Data On 2,300 Oregon Taxpayers,” Computerworld, June 15, 2006, available at www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001222.

Even the use of legal, legitimate Web platforms can go awry. Once employees have conditioned themselves to receive friend requests from Facebook, Twitter “follower” messages, and the like in their work e-mail accounts, they leave their employer's network more susceptible to spoofing, phishing, and whaling schemes, some of which harbor malware and/or links to malicious Web sites. See, Brownstone eWorkplace, supra note 1, at 8 (.pdf p.14).

The content posted on various 21st-century platforms trigger many risk-management legal issues. Built on a conversational model, blogs and social networking sites are paradoxical. They are not only intimate, but they also encourage public discussion and exposure. The ramifications for employers from the content of employee postings or leaks include intentional or unintentional disclosure of confidential information. In 2009, the mayor of Battle Creek, MI, unintentionally posted a wrong document containing personally identifiable information of 65 city employees, including Social Security numbers for six of them. See, ComputerWeekly.com, “Top 10 Twitter Marketing Blunders in Photos,” July 2, 2009, available at www.computerweekly.com/galleries/236700-10/Mayor-Mark-Behnke-Top-10-Twitter-marketing-blunders.htm; Newkirk, Barrett, “Battle Creek Mayor Accidentally Tweets Employee Social Security Numbers,” Battle Creek Enquirer, June 24, 2009, available at http://m.freep.com/news.jsp?key=481472. As to intentional disclosures, one troublesome scenario includes “sock-puppeting,” (see, e.g., Brad Stone and Matt Richtel, “The Hand That Controls the Sock Puppet Could Get Slapped,” N.Y. Times, July 16, 2007 (“on the Internet nobody knows you're a dog ' or the chief executive”), available at www.nytimes.com/2007/07/16/technology/16blog.html?pagewanted=print) which involves an insider's pseudonymous, favorable postings about his or her company on a public site.

Is Anything Truly 'Off-Duty' Today?

Many modern-day prospective or current employees leave a digital trail of “off-duty” conduct that may result in adverse action by a prospective or current employer. Much has been written recently about the “brave new world of Web 2.0 and the quandary it creates for employers considering hiring a given applicant or disciplining a current employee.” Brownstone eWorkplace, supra note 1, at 47-48 (.pdf at 53-54). As to both applicants and employees, well-thought-out policies and consistent application thereof can provide an employer with a legally defensible approach.

As to applicants, some of the emerging principles seem to be:

• Those who post information about themselves on the Web without using protections to keep it from being publicly available will have an exceedingly weak “expectation of privacy” argument.
• An employer may lawfully use Google to research an applicant.
• The extent to which an employer can use information it finds on an applicant's Web 2.0 page is subject to traditional labor law concepts such as discrimination. As in the traditional “off-duty” context regarding existing employees, if an applicant's posted content demonstrates a lack of ability to do, or interest in, the job, presumably there is no problem with the prospective employer relying on it. Id.

However, what if a hiring department only learns of a prospect's religion, race, gender, marital status and/or sexual preference from the individual's social-networking page? Given the theoretical pitfalls of trying to parse ' and, if challenged later, to prove ' what someone did and did not view or rely upon, an employer can take alternative approaches along a spectrum. On the one hand, an organization can develop and write up (as well as train on and do its best to follow) a realistic policy that allows lawful Web-searching regarding prospects. See, ARMA Int'l, “Employer Policy Urged for Blog Mining,” ARMA Info. Mgmt. NewsWire, Feb. 25, 2009, available at www.arma.org/news/enewsletters/printFriendly.cfm?id=3445. On the other hand, at least one employer has publicly announced that it has taken the ostrich-like approach of avoiding Web research on applicants altogether. See, Jenny B. Davis, “Bank Nixes Use of Social Networking Sites in Hiring Process,” Texas Lawyer, Apr. 13, 2009, available at www.law.com/jsp/ihc/PubArticleFriendlyIHC.jsp?id=1202429840060.

As to a given person already in its employ, especially if the person is an avid Web 2.0 user, a 21st-century employer has the potential to access a vast amount of publicly available information. Some strange but true scenarios include:

• The Ninth Circuit upheld the job dismissal of an Arizona police officer who was fired based on his Web site of sexually explicit photos and videos of his wife.
• Teaching credentials were not awarded to a Pennsylvania high school student-teacher who received a negative evaluation in light of her posting a photo of herself, captioned the “Drunken Pirate,” on her MySpace page; the decision not to award such credentials was upheld.
• A North Carolina school teacher was suspended and faces possible termination based on her posting of racially derogatory comments on her own Facebook page.
• A federal district court upheld the non-renewal of a Connecticut high school teacher's contract based on the school superintendent's objections to the teacher's MySpace content and associated communications with students.
• An Iowa community college president resigned after a newspaper photo depicted him shirtless while holding a small Coors Light keg over a woman's mouth.
• A Swiss insurance worker was fired because her at-home
  Facebook activity belied her prior contention that, when out on sick leave, she could not use a computer screen ( see, Emma Thomasson, “Facebook Surfing While Sick Costs Swiss Woman Job,” Reuters, Apr. 24, 2009, available at www.washingtonpost.com/wp-dyn/content/article/2009/04/24/AR2009042402019_pf.html.
• A police officer's posts on his MySpace page about his persona and an ongoing criminal matter purportedly aided a defendant in getting acquitted of a more serious charge at trial.
• A former high school student's privacy causes of action were dismissed against the principal of her alma mater, who had forwarded to the press a negative ode the student previously published on the student's own MySpace page.

In Part Two, next month, the author discusses compliance, privacy policies, training and information security.