At our Annual Employment Law Seminar last week, I spoke about the “Facebook Privacy” bill that was then pending in Delaware’s House of Representatives. The bill passed the House on later that day and is now headed to the Senate. For those of you who weren’t in attendance last week, here’s a brief recap of the proposed law. Continue reading
Employers, do you know what apps your employees are using? That’s the question posed by a recent article in the WSJ. (See Companies Don’t Know What Apps Their Employees Are Using). My guess is that the answer to this important question is, “No.” Here are my top tips for how not to be the employer discussed in the WSJ article.
First, have a policy about employees’ use of cloud-based apps to save work-related documents. Consider prohibiting employees from saving work documents to cloud-based storage accounts such as Dropbox, SkyDrive, and Box.net. Also consider prohibiting employees from backing up the contents of their work laptops to cloud-based back-up accounts, such as Mozy and Carbonite.
Second, communicate your policy to all affected employees. If employees don’t know about the prohibitions, your policy is unlikely to have the desired deterrent factor. This means that your policy needs to be written in plain English and that it should be publicized to employees in a way that will actually be heard.
Third, enforce the policy. Don’t make exceptions. If an employee violates the policy, the employee should be disciplined accordingly. Even if the employee is your favorite employee. And even if the employee complains a lot about the policy-and claims that he or she needs the online storage and/or back-up accounts. The answer is “no.” And that answer must be consistent, regardless of how loudly an employee complains.
As a bonus point, I’ll note that employers should consider having all employees execute a confidentiality agreement. The agreement can be very brief-a paragraph long does the trick, most of the time. But the key is to have all employees execute the document. And, ideally, have the employees reaffirm their adherence to the confidentiality agreement on a yearly basis.
A lot of additional work? Yes. But, if you have an employee who defects to a competitor and takes with him several gigabytes worth of your confidential data, the extra “work” will be worthwhile. You’ll be glad you have taken these steps-and don’t hesitate to thank me for the great suggestions.
Employers face a serious challenge when trying to prevent employees from taking confidential and proprietary information with them when they leave to join a new employer-particularly when the new employer is a competitor. When an employer becomes suspicious about an ex-employee’s activities prior to his or her last day of work, there are a limited number of safe avenues for the employer to pursue.
Generally, an employer should not review the employee’s personal emails or text messages if they were sent or received outside the employer’s network. But what if the employee turns over his personal emails or text messages without realizing it? The answer is, as always, “it depends.” A recent case from a federal court in California addresses the issue in a limited context.
After the employee resigned, the employer sued him for misappropriating trade secrets. He filed counterclaims, accusing the employer of violating the federal Wiretap Act, the Stored Communications Act (SCA), and state privacy laws. The employee alleged that the employer had reviewed his text personal text messages on the iPhone issued to him by the former employer after he’d returned it but before he unlinked his Apple account from the phone.
All of the employee’s counter-claims were dismissed by the court. The court found that the Wiretap Act claim failed because there was no allegation that the employer had intentionally intercepted any messages. The SCA claims failed because there was no allegation that the employer had accessed any messages. And, perhaps most obviously, the privacy claims failed because the employee could not have had a reasonable expectation of privacy.
The court specifically found that the employee had “failed to comport himself in a manner consistent with objectively reasonable expectation of privacy” by failing to unlink his old phone from his Apple account, which is what caused the transmission of his text messages to his former employer.
Sunbelt Rentals, Inc. v. Victor, No. C 13-4240-SBA (N.D. Cal. Aug. 28, 2014).
Delaware’s Governor has signed legislation related to the safe destruction of documents containing personal identifying information. The bill is effective January 1, 2015, and requires that commercial entities take all reasonable steps to destroy a consumer’s personal identifying information within the business’s custody and control, when the information is no longer to be retained. Destruction includes shredding, erasing, or otherwise destroying or modifying the personal identifying information to make it entirely unreadable or indecipherable through any means.
Personal identifying information includes, but is not limited to, a consumer’s first name or first initial and last name in combination with any one of the following: a signature; date of birth; social security number; passport number; driver’s license number, insurance policy number; or financial information (such as a credit card number).
There are exceptions for federally regulated financial institutions, healthcare organizations subject to HIPAA, consumer reporting agencies subject to the FCRA, and governmental bodies.
Violation of the statute carries stiff penalties, including treble damages.
The legislation is not a model of clarity, and leaves a lot of questions as to how it will be applied to Delaware businesses. Until the courts provide additional guidance, Delaware businesses are well advised to carefully review their document security.
During the 2007-2008 school year, Ms. Kimble was employed as a cook and cheerleading coach at a high school. In December 2007, she took the cheerleaders on an overnight Christmas party held in a cabin located outside the county. The trip was not approved as was required by district policy. When administration learned about the trip, Ms. Kimble was instructed that all future out-of-county trips must have prior approval.
The following year, Ms. Kimble worked as a cook at an elementary school and as the cheerleading coach at the same high school at which she had coached the prior year. In December 2008, Ms. Kimble took the cheerleaders to the same cabin for another overnight Christmas party. Ms. Kimble and a parent went as “chaperones” but Ms. Kimble did not seek or obtain approval for the trip.
During the party, Ms. Kimble was photographed in the hot tub, surrounded by several female cheerleaders. Although Ms. Kimble was clothed, most of the girls were topless. All of the girls were minors.
Ms. Kimble posted several photos of the party on her MySpace page, although the girls were fully clothed in all of the pictures that she posted. To one of the photos, in which the girls were wearing Santa Claus hats, Ms. Kimble added the caption:
my girls acting like their self[sic] . . . hoes.
The photos were discovered and reported to the school and Ms. Kimble was suspended without pay. After a hearing, she was terminated from both her position as cook and as coach based on the determination that she had committed insubordination, immoral conduct, and sexual harassment.
Ms. Kimble challenged the termination. An administrative law judge overturned the board’s decision to terminate her from her position as cook. The board appealed and the circuit court affirmed the finding of the ALJ. The board appealed to the state’s highest court, which reversed, siding with the board and finding the termination lawful.
As the grounds for its opinion, the state’s Supreme Court held that Ms. Kimble had been insubordinate by ignoring the directive and policy to first obtain permission from the school prior to taking students on any out-of-county trip. That was the easy part.
The more difficult part (at least for the ALJ and the lower court), was the finding that Ms. Kimble had, indeed, engaged in immoral conduct by:
sitting in a hot tub surrounded, literally, by several topless female students.
The court also found that calling your minor students “hoes” also is relevant to the immorality question.
Finally, the court rejected Ms. Kimble’s argument that she could not be disciplined for conduct that occurred off duty. This argument is a favorite among plaintiff-employees everywhere but always a loser. The conduct was within the scope of Ms. Kimble’s employment–she, as cheerleading coach, took cheerleaders on an authorized trip outside the county, was photographed with several of them topless, and then called them “hoes” on her MySpace page.
The fact that she was not on duty at the time of these acts does not serve as a defense. This case serves as yet another example of how off-duty conduct can (and should) serve as a basis for discipline and/or termination. When an employee engages in conduct off-duty that undermines or interferes with his or her ability to effectively carry out his or her job duties, discipline is appropriate . . . and lawful. The same rule applies when the conduct is carried out in cyberspace, particularly on social-media sites.
On the most basic level, it’s difficult to imagine that the parents of the female students would appreciate their daughters being called “hoes” by anyone but especially not by their cheerleading coach.
Kanawha County Bd. of Ed. v. Kimble, No. 13-0810, 2014 W. Va. LEXIS 584 (W. Va. May 30, 2014).
The Heartbleed Internet-security flaw has compromised the security of an unknown number of web servers. This is just one story in a string of recent headlines involving the vulnerability of the Internet sites. But consumers aren’t the only ones affected. The companies whose websites have been attacked are employers, after all.
Although data security has become increasingly impossible to ensure, it has also become increasingly critical to employers’ viability. So employers are looking for ways to mitigate the exponentially increasing risks associated with the Internet.
One option being considered by some employers is blocking employees from their personal, web-based email accounts from the company’s servers. Companies can install powerful (albeit not impenetrable) spamware that can catch and prevent many Internet-based security threats. But that spamware works only on emails that come through the Company’s email servers. Email that is opened through a web-based account, such as GMail or Hotmail is not subject to the company’s protective measures.
Which is precisely why many IT professionals see web-based email accounts as a major security threat. But what’s an employer to do? Employers have long been trying to prevent the productivity loss associated with employees’ personal use of the Internet during working time. But now this effort has become a top priority.
Will employees stop checking their personal email at work if they’re asked nicely? If they understand the risks? Maybe. Maybe not. But it certainly wouldn’t be a bad place to start. Perhaps your company should consider explaining to its employees exactly why you don’t want them to check their personal email during working time. Hey, it’s worth a try.
By the way . . .
Data Security is the topic of one of the sessions at this year’s Annual Employment Law Seminar, which is coming up on May 8. If you haven’t registered, there’s still time. Just click here to get to the Seminar Registration page.
Delaware Chief Medical Examiner Richard T. Callery has made news headlines for his off-duty conduct. According to The News Journal, Callery is the subject of a criminal investigation relating to his testimony as an expert witness in cases outside of Delaware.
In short, the claim is that Callery spent a lot of time serving as a paid witness in cases in other States, while neglecting his own duties. And, to add insult to injury, Callery apparently testified on behalf of the defense in several cases, which, some argue, diminishes his credibility when called to testify in Delaware on behalf of the State.
The lesson to be learned for employers is an important one. Many employers put limitations on moonlighting by employees. Such limits may be included in an employment contract or in a personnel handbook.
The policies vary. For example, some employers prohibit employees from working in a second job altogether. Others prohibit only secondary employment in the same field or with the same duties that the employee performs in his or her full-time employment. And others only prohibit secondary employment that conflicts with the employee’s job duties.
The State of Delaware, like many employers, does not have such a policy. But, if it had, it would likely have prohibited Callery from working as an expert witness, even in his off-duty time. Do you have such a policy? Should you?