Employee Privacy in the Mobile World
Margaret Keane
DLA Piper
Presented to Practicing Law Institute:
June 6, 2016
Workplace Privacy is a Function of Context
Information That Your Employees Provide Voluntarily
Employee Information You Obtain From Third Party Sources, including Background Checks and Social Media
Employee Information Obtained from GPS, Wearables, RFID and the IOT
Employee Information Obtained From Monitoring Associated with Mobile Devices and GPS
Employer and Customer Information Entrusted to Employees
Company Liability for Inappropriate Use of Employee Information
Company Liability for Employee Breaches
Different Playing Field for Global Employers
No Comprehensive Regulatory Scheme
Numerous laws touch workplace privacy
Federal Trade Commission (FTC) is leading federal regulator
Department of Labor has significant role, with enforcement responsibility for National Labor Relations Act, ADA and GINA
Relevant federal laws include Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Gramm-Leach-Bliley (“GLB”), Electronic Communications Protection Act (“ECPA”), Stored Communications Act (“SCA”), Fair Credit Reporting Act (“FCRA”), Genetic Information Nondiscrimination Act (“GINA”), Americans with Disabilities Act (“ADA”), Telephone Consumer Protection Act (“TCPA”)
State laws address “lifestyle information,” data breach, social media passwords and activity, background checks, biometrics and use of GPS, RFID and other forms of tracking
Related Laws
Record Retention Requirements, particularly important for government contractors, medical and financial services sectors – state and federal laws
Data Breach Notification Statutes
Employee Data Governance
WE ARE MOBILE
Work is no longer a place.
Fair Credit Reporting Act (“FCRA”)
EEOC & FTC Issue Joint Background Check Guidance, March 10, 2014
“Background Checks: What Employers Need to Know”
Must notify applicant or employee that information may be used to make employment decisions
Need written permission before getting background reports from a company in the business of compiling background information
Illegal to discriminate based on a person’s race, national origin, sex, religion, disability, or age or genetic information when requesting or using background information for employment
Must comply with all FCRA requirements
Must keep all personnel or employment records, whether hired or not, for one year, or until case concluded if applicant/employee files charge of discrimination
Must securely dispose of background reports
“Background Checks: What Job Applicants and Employees Should Know”
Not illegal for potential employers to ask someone about their background as long as employer does not unlawfully discriminate
Right to review background report for accuracy and explain negative information, if report was basis for denial of job or promotion
Source: “Background Checks: What Employers Need to Know,” March 10, 2014. http://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm
Source: “Background Checks: What Job Applicants and Employees Should Know,” March 10, 2014. http://www.eeoc.gov/eeoc/publications/background_checks_employees.cfm
FCRA Remedies
Cases can be based on failure to use FCRA disclosure and authorization forms; failure to give adverse action notices; or practices with disparate impact
Minimum statutory damages of $100 to $1,000 for willful violations
Class action-friendly remedy where CRAs and employer follow standard procedures
Low damages add up when multiplied against large applicant pools
Actual damages for negligent violations
Attorney fees to a successful plaintiff
No statutory cap on defendant’s exposure
EEOC & Disparate Impact Claims
Courts have not embraced EEOC’s aggressive pursuit of “disparate impact” claims related to credit checks and criminal records
EEOC v. Kaplan, Case No. 1:10-cv-02882 (6th Cir. 2014)
Kaplan ran credit checks on applicants for positions that provide access to financial loan information
N.D. Ohio held that EEOC’s expert evidence was inadmissible, and EEOC could not present prima facie case of disparate impact discrimination
Decision focused only on whether EEOC had presented reliable expert testimony, so likely that EEOC will continue to pursue litigation against employers while it further hones its method of proof and expert techniques
EEOC v. Freeman, No. 13-2365 (4th Cir. 2015)
EEOC’s expert testimony was properly excluded as unreliable.
Summary judgment granted for defendant based on EEOC opportunity to establish prima facie case
State Laws
State restrictions on credit checks – NY, CA, IL, MD, CT (more flexible)
Specific ex-offender protections and Ban the Box laws
Workplace posting and notice obligations
Sequencing restrictions (when an employer can ask questions)
Inquiry restrictions (what employer cannot ask about)
Source restrictions (what employer cannot access)
“Job-relatedness” requirements (what discretion employer has to screen out applicants)
Managing Mobile Devices
Dual Use Mobile Devices and BYOD
BYOD: Bring Your Own Device
A BYOD program includes:
Policies that govern use of personal devices to access corporate services
Policies that attempt to manage risk associated with storage and transmittal of data using devices that may be outside of the employer’s control
Policies to address impact of mobile devices on existing workplace behavior
COPE: Corporate Owned, Personally Enabled
BYOA: Bring your own apps
BYOT: Bring your own technology
BYOL: Bring your own laptop
Policies Affected by BYOD:
Mobile devices have impact on policies throughout your business
Data Privacy & Security
Harassment, Discrimination & EEO
Workplace Safety
Time Recording and Overtime
Compliance and Ethics
Records Management
Litigation Holds
Confidentiality & Trade Secret Protection
Setting Up a BYOD Program:
A Master Plan for mobile device use in your organization
Balance employee’s privacy interest vs. employer’s need for security and protection of IP
Need to address challenges of dual use devices, REGARDLESS of whether you adopt a BYOD program
BYOD policy should be part of an integrated Information Governance Plan
Determine goals and objectives
Privacy Considerations
Remote wipes
Containers/sandboxes
Backups
Setting Up a BYOD Program
Who Participates?
Who pays?
Program may include limits on acceptable applications, passwords, encryption, employer monitoring, reporting obligations and remote wipes
Address access to legally protected personal information on device – personal health and financial information
Address post-termination right to phone numbers
Address obligation to produce device for inspection
What Happens When Employee Refuses to Produce Device?
“The Association does not dispute that the Commissioner properly used the destruction of the cell phone to draw an adverse inference.”
NFL v. NFLPA, April 25, 2016 (2nd Circuit)
Privacy in a BYOD World
Will your program distinguish between personal and business use?
Privacy Parameters
Distinguish between data and device
Device
May require return upon demand or inspection as part of investigation
May require return, with data intact, upon separation from employment
Data
Determine whether employer will retain right to review all contents of device or will exclude categories such as music and photos
Require employee to provide access to cloud backups or home server?
Monitor/limit employee’s use of web-based applications? Example: Siri, Dropbox, iCloud, etc.
Set parameters for timing, terms and extent of remote wipes
Privacy in a BYOD World
1. Remote wipes of lost devices – can be viewed as either pro-privacy or an intrusion. Participation in BYOD program may be conditioned upon consent to remote wipes.
2. Litigation issues:
Identification of BYOD devices/information
Practical challenges of data collection
Does the employee “control” data on the devices?
Is the device in employer’s possession, custody or control?
Will employees be required to produce mobile devices to employer for inspection, preservation and production?
Social Media, Privacy and Employees
“A Little Knowledge is a Dangerous Thing. So Is a Lot.” Alexander Pope
Be cautious about using information obtained from social media for employment decisions
State statutes prohibit requests for user names, passwords and other information used to access social media accounts
Some have exceptions for workplace investigations or to comply with applicable state or federal law (FINRA regs)
Employers may be banned from “Shoulder Surfing” and requiring applicants/employees to accept friend requests
State definitions of social media may include personal email, blogs, instant and text messages and podcasts
Health, Wellness and a World of Information
Genetic Information Nondiscrimination Act of 2008 (“GINA”)
Illegal to discriminate against employees or applicants because of genetic information
Employers may not use genetic information in making employment decisions and may not request, require or purchase genetic information
Any employer that possesses genetic information about an employee must maintain such information in separate files, must treat it as a confidential medical record, and may disclose it only under very limited circumstances
Prohibition on requesting information defines “request” to include “conducting an internet search on an individual in a way that is likely to result in a covered entity obtaining genetic information.” 29 C.F.R. §1635
Safe harbor for inadvertent acquisition applies where employer “inadvertently learns genetic information from a social media platform where he or she was given permission to access by the creator of the profile at issue (e.g., a supervisor and employee are connected on a social networking site and the employee provides family medical history on his page).” 29 C.F.R. §1634
Confidentiality of Medical Information Act
CMIA, Cal. Civ. Code § 56, et seq.
No health care provider shall disclose or release medical information regarding a patient of the provider without first obtaining authorization
Eisenhower Medical Center v. Superior Court, Case No. E058378 (Cal. Ct. App. May 21, 2014)
Demographic information (name, birth date, last four digits of SSN, and medical record number) is not medical information within meaning of CMIA
Assignment of medical record number does not signify that a person has had medical treatment
Demographic or numeric information or mere fact that a person may have been a patient at one time does not reveal medical history, diagnosis, or care
Electronic Big Brother: Good or Bad?
The Enablers
Evolution of wireless tracking technologies – RFID and GPS
Declining computing, data storage, and bandwidth costs
Improved data mining and analytics tools
Emergence of pattern-driven problem solving
High-Tech Surveillance Trackers
Employee tracking sensors
Electronic badge is attached to employee
Sensors identify tags and report wearer’s location to database
System can track employee’s exact location within the office (including restroom) and amount of time spent at each location
May record personnel with whom the employee interacts
Records face, time, body, and behavior rhythm data
Valuable data for defending wage & hour litigation
Internet tracking
Records employee’s internet and application usage (including websites visited, screen shots taken, social media, chat and instant messaging, document tracking, and keywords and keystrokes used)
Why Record Data?
Boost employee productivity
Research on 90 call-center workers
Data: most productive workers belonged to close-knit teams and spoke frequently with colleagues
Action: scheduled workers for group breaks
Result: productivity rose by >10%
Reveal how workers use office space
Office study
Complaint: office short on meeting space
Data: groups of 3-4 employees gathering in meeting rooms designed for much larger numbers
Action: created more and smaller conference spaces designed for small groups
Cell Phone Tracking
Why Do We Care
Can track the location of a person in possession of a cellphone by GPS or cell tower location
GPS can be accurate to within ten meters
Case law has developed in search & seizure context
US Supreme Court, Grady v. North Carolina, March 2015: recidivist sex offender ordered to wear ankle bracelet with GPS monitor at all times, for the rest of his life. N.C. court held that ankle bracelet was not a search, and therefore not an unreasonable search and seizure. Supreme Court held installing the bracelet is a search by “physically intruding on a subject’s body.”
US Supreme Court, California v. Riley, July 2014: addressed warrantless search of smartphone seized incidental to arrest. "Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, wallet or purse." Court held warrant was required; not directly applicable to private sector but should inform employers’ decisions to search employee phones.
Constitutional Implications of Employee Surveillance Tracking
United States v. Jones, 565 U.S. __ (2012)
Government GPS tracking device on suspect’s car is “search” under 4th Amendment
Effect of decision on private sector unclear
Laws vary from state to state
CA: No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person.
NY: GPS in public employee’s personal vehicle lawful to investigate misconduct during working hours
NJ: No privacy breach when private investigator placed GPS on plaintiff’s vehicle because no travel to secluded or private area where privacy would be expected
TX: GPS on vehicle without owner’s consent is unlawful
MO: No privacy invasion if GPS is used on company vehicle
Boundaries around GPS in the private workplace still unclear
Internet of Things
A global, immersive, invisible, ambient networked computing environment built through the continued proliferation of smart sensors, cameras, software, databases, and massive data centers in a world-spanning information fabric known as the Internet of Things
“Augmented reality” enhancements to the real-world input that people perceive through the use of portable/wearable/implantable technologies
Disruption of business models established in the 20th century (most notably impacting finance, entertainment, publishers of all sorts, and education)
Tagging, databasing, and intelligent analytical mapping of the physical and social realms
Pew Research Center, May 2014, “The Internet of Things Will Thrive by 2025”
Available at: http://www.pewinternet.org/2014/05/14/internet-of-things/
Questions?