EMPLOYMENT ISSUES IN THE PAPERLESS WORKPLACE
3220 M Street Sacramento, CA 95816 Telephone: (916) 492-6555 Facsimile: (916) 492-6556 www.theisonlawgroup.com
Email: Policy and Practices
According to one study, over 130 million workers are currently sending out 2.8 billion e‑mail messages each workday.[1] With e-mails quickly becoming the predominant form of business communication, employers have many legitimate reasons to monitor their employees’ e-mails and define “best practices” for e-mail usage. These reasons range from maintaining a professional image and productivity, to legal issues such as sexual harassment, defamation and disclosure of trade secrets.
Privacy Issues
Monitoring employee e-mail will, of course, raise issues of employee privacy. Article I, Section I, of the California Constitution protects the privacy of all persons (including employees in the workplace). California courts have recognized that employees have a constitutionally protected right of privacy in their workplace e-mails. TGB Insurance Services Corp. v. Superior Court (2003) 96 Cal. App. 4th 443 (“TGB”).
The extent of the employee’s privacy interest is not, however, independent of the circumstances and other factors (including advance notice) that affect a person’s reasonable expectation of privacy. Hill v. National Collegiate Athletic Ass’n (1994) 7 Cal. 4th 1, 36. “A ‘reasonable’ expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms,” and “the presence or absence of opportunities to consent voluntarily to activities impacting privacy interests obviously affects the expectations of the participant.” Id. at p. 37.
In TGB, supra, the court held that “the use of computers in the employment context carries with it social norms that effectively diminish the employee's reasonable expectation of privacy with regard to his use of his employer's computers.” TGB, supra, 96 Cal. App. 4th at 452. The court also outlined steps the employer can take to further reduce an employee’s expectation of privacy and legitimize an e-mail monitoring policy:
First, employers can diminish an individual employee's expectation of privacy by clearly stating in [electronic communications] policy that electronic communications are to be used solely for company business, and that the company[2] reserves the right to monitor or access all employee Internet or e-mail usage. The policy should further emphasize that the company will keep copies of Internet or e-mail passwords, and that the existence of such passwords is not an assurance of the confidentiality of the communications. An electronic communications policy should include a statement prohibiting the transmission of any discriminatory, offensive or unprofessional messages. Employers should also inform employees that access to any Internet [sites] that are discriminatory or offensive is not allowed, and no employee should be permitted to post personal opinions on the Internet using the company's access, particularly if the opinion is of a political or discriminatory nature.
TGB, supra, 96
A written (and communicated) e-mail policy of the type outlined in TGB, supra, limits exposure to employee privacy claims based on e-mail monitoring. According to the court, advance notice of a valid e-mail policy gives the employee “the opportunity to consent to or reject” e-mail monitoring and, “combined with [the employee’s] written consent to the policy, defeats [any] claim that [the employee] had a reasonable expectation of privacy.” TGB, supra, 96
A sample e-mail policy that addresses these key points is provided as Appendix 1.
The Electronic Communications Privacy Act
One additional concern in the context of employee e-mail monitoring is the Electronic Communications Privacy Act of 1986 (“ECPA”), 18 USC §§ 2510-2711. The relevant provisions of the ECPA are provided as Appendix 2. The ECPA applies to employee e-mail, and specifically “prohibits the intentional or willful interception, accession, disclosure or use of one’s electronic communication.” The ECPA has three exceptions, however, that effectively limit its applicability to employer monitoring:
The “provider” exception exempts employers from the ECPA if they provide their employees with e-mail service through a company-owned system. See Title 18 U.S.C. §2511(2)(a)(i); see also
The “ordinary course of business exception” is actually an exclusion from the definition of an “electronic device” under the ECPA. See Title 18 U.S.C. §2510(5). This exception has not been specifically applied to workplace e-mail, but could potentially provide an additional shield for employers who engage in routine monitoring of their employees’ e-mail (particularly in the absence of a written e-mail usage policy).
Finally, the “consent” exception applies when one party to the e-mail has given prior consent, actual or implied, to the interception or accession of the e-mail. See Title 18 U.S.C. §2510(5)(a). As a practical matter, the consent exception appears to exempt from ECPA coverage any employer that publishes an e-mail monitoring policy to all employees. In these cases, the employer can safely argue, consistent with TGB, supra, that its employees are informed of an e-mail monitoring policy and manifest their “consent” through their continued use of the e-mail system.
Despite the above authorities, and because the law in this area remains somewhat unclear, California employers should be judicious in accessing employee e-mails. The risk-averse employer will limit review of employee e-mails to legitimate administrative purposes, or investigative purposes when there is reasonable suspicion of work-related misconduct by the employee.
Best Practices
In addition to addressing privacy issues, employers can reduce the risk of legal liability arising from employee e-mail usage by adopting “best practices” policies designed to ensure that employees use e-mail in a responsible, effective and lawful manner.
From a strictly legal perspective, best practices policies should prohibit employees from engaging in any of the following:
· Sending or forwarding e-mails containing libelous, defamatory, offensive, racist or obscene remarks. Definitions of libelous, defamatory, offensive, racist and/or obscene remarks or conduct should be included in the company’s employment handbook. Employees should be advised to refer specific questions about e-mail content to the company’s human resources department.
· Forwarding a message without acquiring permission from the sender first.
· Sending unsolicited e-mail messages.
· Forging or attempting to forge e-mail messages.
· Sending e-mail messages using another person’s e-mail account.
· Copying any message or attachment belonging to another user without permission of the originator.
· Disguising or attempting to disguise the employee’s identity when sending mail.
Other provisions that typically appear in best practices policies include guidelines for writing e-mails (use of well-structured e-mails and short, descriptive subjects), e-mail signature requirements (inclusion of name, job title and company name), and the use of legal disclaimers in all e-mails. A sample “Best Practices” e-mail policy is provided as Appendix 3.
Paperless Personnel Records
Validity of Electronic Personnel Files
California law does not specifically address the validity of personnel records maintained in electronic form. Instead, the validity of electronic personnel records must be analyzed under the federal Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §7001 et. seq. (“E-SIGN”). A copy of E-Sign is provided as Appendix 4. E-Sign specifically authorizes the electronic retention of employment documents, including records that are typically not available in electronic form (such as PDF copies of identification records required for I-9 eligibility for work reliance). Under E-Sign, a valid electronic personnel document must meet two essential requirements. First, the electronic record must “accurately reflect the information set forth in the contract or other record.” Second, the electronic record must “remain accessible to all persons who are entitled to access by statute, regulation or rule of law, for the period required by such statute, regulation or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing or otherwise.” See Title 15 U.S.C. §7001(d).
Other than these basic accuracy and accessibility standards, E-Sign does not establish rules (or provide additional guidance) for compliance with record retention requirements. E‑Sign does permit state and federal regulatory agencies to establish more specific standards for compliance with particular record retention requirements, but prohibits such agencies from requiring the use of any specific technology unless doing so serves important government objectives. See Title 15 U.S.C. §7004 (b)(3).
E-Signatures
Perhaps the biggest obstacle to achieving a paperless personnel system is the need to obtain legally sufficient (and enforceable) employee signatures on personnel documents. The validity of employee “e-signatures” is also governed by E-Sign, as well as California’s version of the Uniform Electronic Transactions Act, Cal. Civil Code §§ 1633.1-1633.17 (“UETA”). Copies of E-Sign and the UETA are provided as Appendix 4 and Appendix 5, respectively.
The primary purpose of E-Sign is to validate the use of electronic signatures, contracts and records by giving them the same legal effect as if they were conducted in paper form. E-Sign does not change the substantive requirements for a legally enforceable contract or other transaction. Nor does it require a party to use or accept electronic signatures or documents. Rather, it affirms that contracts or other records may not be denied legal effect because an electronic signature is used in their formation.
Under E-Sign, an “electronic signature” is broadly defined as any symbol, sign or process, attached to or logically associated with an electronic record and made with the intent to sign the electronic record. See Title 15 U.S.C. § 7006(5). E-Sign does not require the use of any specific form of electronic signature, and examples might include a name typed at the end of an e-mail message by the sender, a digitized image of a handwritten signature, a biometric identifier (e.g., fingerprint), a personal identification number (“PIN”) or a digital signature in a public key cryptography system.
The form of the electronic signature itself is not critical – the key is to establish procedures for using and accepting e-signatures that create independent mechanisms for establishing the trustworthiness of the document. Unfortunately, neither E-Sign nor the UETA offers any specific rules for employers to follow to ensure that their electronic personnel records will be accepted by state and federal agencies (or in a court of law) as valid and trustworthy. Instead, employers are left with somewhat vague guidance provided by the UETA -- the authenticity of an e-signature “may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable.” See Cal. Civil Code §1633.9(a).
Early adopters of paperless personnel records should, therefore, expect challenges to the validity of their personnel records from all sides – from state and federal auditors, employees, judges and plaintiff’s lawyers. With this in mind, before any employer elects to convert to a paperless system, careful consideration must be given to the development of secure and trustworthy e-signature policies, including the use of digital signature system technology to maximize the likelihood that electronic personnel records will be accepted in all forums as authentic and trustworthy documents.
Identity Theft and Electronic Storage of Employee Information
Another legal landmine for an employer interested in adopting a paperless personnel system is the threat of identity theft. California employers have long been required to establish appropriate procedures to ensure the confidentiality of employee information and to protect such information from unauthorized use and disclosure. See, e.g., Cal. Civ. Code §§ 56.20, et. seq. (confidentiality of employee medical information) [Appendix 6]. With the increased risk of identity theft that is inherent in electronic personnel records storage, any employer that adopts this technology must reassess whether existing practices adequately protect its employees’ personal information.
The FBI has correctly referred to identity theft as an “increasingly insidious and pervasive problem.” According to the FBI, identity theft “costs American businesses and consumers a reported $50 billion a year, causes untold headaches for an estimated 10 million U.S. victims annually and even makes it easier for terrorists and spies to launch attacks against our nation.”[3]
The Federal Trade Commission (FTC) reports that, in 2004, 9.3 million Americans (one in every 25 adults) were victims of identity theft. Perhaps more alarming to employers, as much as 50% of identity theft occurs in the workplace.[4] Since 2004, identity theft has been the fastest growing crime in the United States, and the FTC estimates that the majority of Americans will have been victimized by identity theft by 2011.[5]
Statutory Protections
To combat the rise of identity theft, state and federal legislatures have feverishly enacted laws that impose specific affirmative duties on employers to protect employee personal information in a paperless environment. Unfortunately, these statutes typically require that employers exercise “reasonable” care in protecting such information, without clear guidance as to how to meet the statutory requirements. This is an emerging area of law, and courts will likely grapple with these issues for years to come.
California Civil Code §§ 1798.81.5 and 1798.84: California businesses that “own or license” personal information are obligated to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure. The information protected by these statutes is defined broadly to include any personal information that a business retains as part of the business’ internal customer accounts or for the purpose of using that information in transactions with the person to whom the information relates. [Appendix 7].
Civil Code §§ 1798.85–1798.86: Employers are prohibited from using social security numbers for identification purposes or publicly posting or displaying their employees’ social security numbers “in any manner.” [Appendix 8].
Civil Code §§ 1798.81 and 1798.84: Employers must take all reasonable steps to destroy or arrange for the destruction of customer records containing personal information that are no longer to be retained by the business by shredding, erasing or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means. [Appendix 9].
Civil Code §§ 1798.29, 1798.82, and 1798.84: Employers that maintain unencrypted computerized data that includes “personal information” must notify any California resident whose “unencrypted personal information” was, or is reasonably believed to have been, acquired by an unauthorized person. [Appendix 10].
Labor Code § 226(a): Effective January 1, 2008, employers may not print more than the last four digits of an employee’s social security number, or must use an employee identification number other than the social security number, on employee pay stubs or itemized statements. [Appendix 11].
FACT Act. The Federal Trade Commission (“FTC”), pursuant to its authority under the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681 et seq. (“FACT Act”), has issued a “disposal rule” that requires all employers to shred or effectively destroy any computer media containing personal information derived from a consumer report before discarding it. The disposal rule is available for download at the FTC website at the following web address: http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf.
Common Law Liability
In addition to the above statutory protections, employers can expect the courts to expand liability for identity theft under traditional common law principles. Employers that fail to adequately protect computerized employee information should anticipate legal claims under common law agency principles or negligence theories.
For example, a federal court in Kansas denied summary judgment to an employer whose employee allegedly violated the Federal Credit Reporting Act (“FCRA”)[6] by obtaining the credit report of a co-worker’s ex-wife without authorization. See Cole v. American Family Mutual Insurance Co., 410 F. Supp. 2d 1020, 1025–26 (D. Kan. 2006). The employee had access to the credit report on his employer’s computer system, and therefore the court determined that the plaintiff could state a valid FCRA claim, alleging either “apparent agency” or liability under an “aided-in-the-agency-relation” theory on evidence that the employer did not have reasonable procedures in place to ensure compliance with the FCRA.
In 2006, the Michigan Court of Appeal upheld a jury award of $275,000 in a negligence action against a union whose members were victimized by identity theft. Bell v. Michigan, 2005 Mich. App. LEXIS 353 (February 15, 2006). In this unpublished opinion, the court recounted the jury’s findings that identity theft had been perpetrated by the daughter of the union treasurer and that the union had been negligent in permitting the union treasurer to bring home documents containing the names and social security numbers of union members. The court upheld the jury’s verdict in favor of the plaintiff, on the theory that the union owed a duty to the union members to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information. Bell represents the first (but almost certainly not the last) appellate court upholding a plaintiff’s jury verdict on the grounds that a custodian of employee information failed to exercise reasonable care to safeguard personnel records.[7] See also Kittle v. First Republic Mortgage, 2007 U.S. Dist. LEXIS 49192 (W.D. KY 2007) (former employee alleges employer permitted theft of confidential personnel information – lawsuit still pending).
Although the Bell court relied, at least in part, on a finding that the employer had a “special relationship” with union members and insisted that it was not creating a new tort of “identity theft negligence,” California employers should take note of the court’s theory of liability. It is likely that the California courts will ultimately impose a similar duty upon employers who require their employees, job applicants, business partners, and customers to provide them with personal, identifying information. This is particularly true in light of California’s public policy of protecting employee information against identity theft – as reflected in the California statutes described above. Bell highlights that, in the event an information security breach leads to identity theft of employee personnel records, victims will likely seek legal remedies against the employer responsible for unauthorized disclosure of their personal information.
Practical Considerations
The best thing employers can do to minimize exposure to identity theft liability is to conduct a comprehensive evaluation of which and how many employees have access to personal information and through what means. In accordance with their assessment, employers should implement or revise policies and procedures to provide reasonable protection to personal information collected in the course of business, with special consideration to the myriad of security issues that arise in the electronic workplace. At a minimum, employers must ensure that personal information is secure and accessible only to the few employees who need that information to perform their jobs.
Employers must also impress upon employees the importance of this issue and provide clear guidelines regarding how employees are personally expected to safeguard personal information and the possible disciplinary consequences of failing to do so. Employment policies and procedures should specifically address whether and how employees may access or transmit personal information outside of the office through use of laptops, e-mail, home computers, PDAs, and electronic storage devices. Finally, as with all HR matters, employers should consult with experienced employment law counsel and/or HR professionals to learn the current best practices in addressing identity theft in the workplace.
1 D. Hawkins, Office Politics in the Electronic Age Workplace, U.S. News & World Report, Mar. 22, 1999.
2 Identity Theft and Employer Liability (March 5, 2007), available online at http://www.cumminghome.com/business.
4 Peter Marshall, Identity Theft: Limiting Your Employees' Risk -- And Your Liability (January 19, 2006) HR.BLR.com, available for download at http://hr.blr.com.