The Ever Expanding Scope of Employee Privacy Protections

Charlotte Employment & Labor Member Karin McGinnis was published in the Association of Corporate Counsel Charlotte Chapter's Q4 2014 Newsletter, which was distributed on December 4.  McGinnis’s piece, “The Ever Expanding Scope of Employee Privacy Protections,” can be seen in its entirety below.

The Ever Expanding Scope of Employee Privacy Protections

Gone are the days when an employer’s biggest privacy concerns were disclosing employee medical information or a manager spying on employees in the locker room.  Courts and legislatures are commanding increased privacy protections for employees, with a trend towards protecting information that previously was fair game. 

For over a hundred years, courts have recognized that individuals have certain rights to control how their persona is used and to protect private facts about themselves from public disclosure.  Most states permit individuals to sue for misappropriation of likeness against those who, without the individual’s consent, use the individual’s name or likeness in connection with an advertisement or other commercial enterprise. Thus a woman in North Carolina could recover nominal damages for use of her face and figure in connection with an advertisement for bread even though she could not show any personal harm from the use.  Flake v. Greensboro News Co., 195 S.E. 55, 63 (N.C. 1937)).  In the Internet age, keeping a former employee’s picture and bio on your company’s website without her consent might constitute a misappropriation of likeness.  Merritt, Flebotte, Wilson, Webb & Caruso, PLLC v. Hemmings, 676 S.E.2d 79 (NC 2009). 

Some states also recognize a claim by individuals for the public disclosure of private facts placing that person in a false light.  Dissemination of such information by e‑mail, even internally within the company, could result in liability if the other elements of the tort exist as well.  Many states recognize the tort of  “intrusion into seclusion.”  The claim exists when “[o]ne … intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns. . .if the intrusion would be highly offensive to a reasonable person.”  Restatement (Second) of Torts, § 652B.   The claim turns on whether the person had a reasonable expectation of privacy in the communication or area monitored.  Surveillance cameras in highly personal areas of the workplace or going through an employee’s  personal mail could suffice.  Consent to the surveillance can be a defense to the claim, and notifying the person that monitoring will occur can take away their “reasonable expectation of privacy.” 

Protection of Privacy through Legislation

Protection of employee privacy through legislation is a relatively more recent trend, and has generally fallen into three categories:  (1) Statutes restricting unauthorized access or monitoring of data –think wiretapping or computer trespass laws; (2) the alphabet soup of statutes protecting health related information (the Genetic Information Nondiscrimination Act (“GINA”), the Americans with Disabilities Act (as amended) (“ADAAA”), the Family and Medical Leave Act (“FMLA”), HIPAA, and state drug testing laws);  and (3) statutes protecting personally identifiable information (“PII”) such as identity theft statutes, the Fair and Accurate Credit Transactions Act, and state data breach laws.  Thus an employer cannot, except in certain circumstances—such as monitoring calls for quality—listen in on an employee’s telephone conversations without the employee’s consent.  Computer trespass laws limit an employer’s ability to access data without the employee’s consent on the employee’s personal device.  Courts also have recognized that accessing an employee’s social media accounts can violate the Stored Communications Act (“SCA”).  In one case, an Illinois federal court recognized a SCA claim when the employer used the employee’s Twitter and Facebook passwords to access her personal Twitter and Facebook accounts in excess of the authorization she gave.   Maremont v. Susan Fredman Design Group, Ltd. et al., Case No. 10 C 7811 (E.D. Ill., March 3, 2014).   An employer also might violate the SCA by accessing private portions of an employee’s Facebook page to gain evidence that the employee was abusing FMLA leave if the co-worker who accessed the Facebook pages was not already “friended” by the employee.  Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11-cv-3305 (WMJ) (D.N.J. Aug. 20, 2013).  

Information about an employee’s medical condition, genetics, disability, reasonable accommodations, and positive drug test results should be kept confidential, in a separate, secure electronic or physical file, and disclosed only to those within the company who need to know the information.  In addition, targeted videotaping has been interpreted as interference with legitimate union activity under the National Labor Relations Act.  See e.g. F. W. Woolworth Co., 310 N.L.R.B. 1197 (1993)(employer’s surveillance activity violates the NLRA when it constitutes more than “mere observation.”).

Employers also have obligations under the variety of statutes designed to prevent identity theft.  The information that these statutes protect—PII—varies depending on the statute and the state.  Generally, PII includes an individual’s name or first initial and last name in combination with social security number, driver’s license number, date of birth, credit card number, and bank account number with access data.  PII could also include alien registration numbers, government passport numbers, employer or taxpayer ID, unique biometric data, and other unique information.  See e.g. 18 U.S.C. §1028(d)(7).  Employers who experience a data breach involving their employees’ PII are subject to data breach notification statutes. 

Employers also must take care to dispose of records containing employee PII.  For example, under FACTA, documents containing information from a third party employee background check must be properly destroyed.  16 C.F.R. § 682.3(b).  Similarly, many state identity theft statutes require proper disposal of employee PII.  See e.g. N.C. Gen. Stat. § 75-64 (2014).  Proper disposal includes burning, pulverizing or shredding papers; destroying or erasing electronic files or media.

Many states also limit the use or publication of social security numbers, including, for example, mailing documents containing social security numbers, including social security numbers on certain documents, or transmitting unencrypted social security numbers over the Internet.  California Civil Code § 1798.85. 

Increasing Protections for Employees

The past five years have seen a sea-change in employee privacy.  Eighteen states have passed social media password protection statutes applicable to employers.  These statutes prohibit requiring or requesting an employee or applicant to disclose his or her username or password to access personal social media.  Many also prohibit an employer from requiring the individual to access his personal social media in the employer’s presence or to divulge its contents.  Many of these statutes have exceptions, such as  for investigations protecting confidential and proprietary company information.  Consent, however, is not an exception.  Under these statutes, an employer cannot even ask the employee to give the employer access. 

Other trends include “ban the box” legislation, limiting inquiries into applicants’ criminal history.  Over a dozen states and even more cities and counties have enacted “Ban the Box” laws prohibiting an employer from requiring an employee to disclose his/her criminal history on a job application.  Employers can inquire into criminal history only later in the hiring process, although when that can occur varies depending on the applicable law.  Many of these laws apply to public employers and/or government contractors; however, there is a growing trend to apply prohibitions to private employers too.  

What is next on the horizon?  Other states may follow the lead of Illinois, which prohibits, with some limited exceptions, inquiries into or obtaining an employee’s or applicant’s credit history unless there is a specific “bona fide” reason.  Illinois Employee Credit Privacy Act (820 ILCS 70/1).  In addition, although a number of states prohibit adverse action against employees for lawful use of lawful products, Illinois prohibits employers from gathering or keeping “a record of an employee’s associations, political activities, publications, communications or nonemployment activities, unless the employee submits the information in writing or authorizes the employer in writing to keep or gather the information.”  820 ILCS 40/9.  The prohibition does not apply to activities that occur on the employer’s premises or during the employee’s working hours that interfere with the performance of the employee’s duties or the duties of other employees or activities; criminal conduct; conduct that could be reasonably be expected to harm the employer’s property, operations or business or cause the employer financial liability.  Id.

Practical Advice

Because consent is a defense to most common law and statutory invasion of privacy claims, employers should obtain their employees’ written consent to (i) use of employee names or likeness for commercial gain, (ii) review and monitoring of employees and of their personal devices used for company business, and (iii) any other circumstance in which accessing or using the employee’s persona or information is important to the company’s business.  Before requesting consent to an employee’s or applicant’s social media page, however, check applicable state law, and consider whether the access may violate the Stored Communications Act or otherwise expose your company to information that it would rather not have, such as the employee or applicant’s religion, national origin or other protected characteristics. 

When monitoring, employers should avoid targeting certain groups of employees and monitoring ultra-private areas of the workplace, such as bathrooms.  In addition, employers should have a legitimate business reason for the monitoring, and any monitoring should not exceed the scope of the employee’s consent.  To minimize SCA and other privacy claims with respect to employee social media, employers should prohibit employees from conducting company business, including making connections, on social media accounts not owned by the company.  Employers also should prohibit employees from sending or receiving emails or text messages about company business on the employee’s personal accounts.

Employers should also have a policy and procedure to protect employee PII.  These procedures should include keeping employee PII secure, encrypting employee PII on portable devices (if you allow PII out of the office at all), reviewing computer systems for adequate border and internal firewalls, logging records and antivirus software, avoiding use of employee social security numbers as means of employee identification and not including employee social security numbers on mailed documents unless permitted under applicable law.  Employers also should have a record retention program that permanently deletes/shreds employee PII after any applicable retention period expires.  Employers should train employees who deal with PII on adequate security measures and should ensure that the company’s vendors have adequate data protection in place. 

And, yes, employee personal information still should be disclosed only on a need to know basis.  Above all, keep an eye on this area of the law.  It is rapidly changing, and employers can expect increasing privacy protections for employees in the future.