A three-judge panel of the Ninth Circuit Court of Appeals1 recently upheld the position of the California Attorney General (AG) that charities located or doing business in California must provide a copy of their unredacted Form 990 Schedule B, including the names, addresses and contribution amounts for all donors listed with the annual report filed with the AG.2 While the AG has indicated that the collected information will not be made publicly available, this is unwelcome news for charities that are concerned about protecting their donors’ identities.3 Continue Reading Ninth Circuit Court of Appeals Reaffirms CA Attorney General’s Demand for Donor List
Social media and related issues in the workplace can be a headache for employers. There is no denying that social media has transformed the way that companies conduct business. In light of the rapid evolution of social media, companies today face significant legal challenges on a variety of issues, ranging from employee privacy and protected activity to data practices, identity theft, cybersecurity, and protection of intellectual property.
On September 28th at 12:00 p.m. Central, in Seyfarth’s fifth installment in its Trade Secrets Webinar Series, Seyfarth attorneys Justin Beyer, Ryan Behndleman, and Dawn Mertineit will discuss the relationship between trade secrets and social media.
The panel will specifically address the following topics:
- The interplay between social media privacy laws and workplace investigations and how developing internal company policy and/or contracts can protect company assets
- Defining, understanding, and protecting trade secrets in social media
- How courts are interpreting ownership of social media accounts and whether social media sites constitute property
- How to prevent trade secret misappropriation or distribution through social media channels
- The interplay between protection of company information and ownership of company accounts in the social media age
Please join us for this informative webinar.
Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.
Click here to access the new Carpe Datum Law blogsite.
The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.
Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:
- C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
- In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
- eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
- Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients
Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.
Carpe Datum Law can be accessed at www.carpedatumlaw.com.
On Wednesday, November 2, at 1:00 p.m. Central, Seyfarth attorneys Karla Grossenbacher, Ari Hersher, Stacey Blecher, Meredith-Anne Berger, Elizabeth Levy and Selyn Hon will present “Navigating Employee Privacy Issues in the Workplace.”
The rise of technology in the workplace has resulted in a myriad of complex privacy issues. Employee privacy concerns are impacting employer decision-making more than ever. Is your company equipped to navigate these issues? In this cutting-edge webinar we will discuss:
- The legal issues presented by an employer’s review of employee texts, emails and social media postings during workplace investigations;
- The latest decisions from the NLRB regarding an employer’s ability to take action against employees based on social media postings;
- Privacy considerations presented by the implementation of a BYOD policy; and
- Private data security risks that arise from the use of cloud-based storage in the workplace
Please join us for this informative webinar so you will be prepared to confront the ever-increasing amount of privacy issues facing employers.
Over the last decade, communication via email and text has become a vital part of how many of us communicate in the workplace. In fact, most employees could not fathom the idea of performing their jobs without the use of email. For convenience, employees often use one device for both personal and work-related communications, whether that device is employee-owned or employer-provided. Some employees even combine their personal and work email accounts into one inbox (which sometimes results in work emails being accidentally sent from a personal account). This blurring of the lines between personal and work-related communications creates novel legal issues when it comes to determining whether an employer has the right to access and review all work-related communications made by its employees.
Employers have legitimate business reasons for monitoring employee communications. Take, for example, the scenario in which an employee leaves her employment, and the employer is concerned that she has taken proprietary information or solicited clients in violation of her duty of loyalty or a contractual agreement. Another common scenario that gives rise to the need for employers to review all of an employee’s work-related emails is when the employer is in litigation that requires production of employee communications.
Most employers are comfortable with the notion that, with a properly worded policy that provides notice to employees of the ability and intent to monitor email, an employer can access emails on an email server provided by the employer. However, what about cases in which the employer does not provide the email service? With employees using web-based emails, like Gmail and Hotmail, and texts to communicate in the workplace, the relevant communications may be elsewhere. In these situations, what are an employer’s rights to access and review such communications?
An employer’s ability to review electronic communications is governed by the Electronic Communication Privacy Act (ECPA) and the Stored Communications Act (SCA). The ECPA prohibits the interception of electronic communications, and the term “interception” as used in the ECPA has been interpreted so narrowly that this title of the ECPA rarely comes into play in cases involving an employer’s review of employee email or texts. The SCA makes it illegal to access without authorization a facility through which electronic communication service is provided and thereby obtain access to communications in electronic storage.
With regard to an employer’s review of employee emails sent through web-based email accounts like Gmail or Hotmail, the most frequent scenario confronted by courts is one in which a former employer accesses the web-based email of a former employee, looking for evidence of malfeasance. In these cases, the former employer is typically able to access the former employee’s web-based email account because the employee has saved her username and password on a device provided by the employer, which was returned at termination, or failed to delink an account from such a device. In these cases, courts have been reluctant to punish the former employee for failing to take appropriate steps to secure their own personal, and allegedly private, communications.
For example, a district court in New York considered an employee’s claim that his former employer’s review of emails in his Hotmail account after his termination violated the SCA because it was unauthorized. The defendant argued that its review of the emails did not violate the SCA because the employee had implicitly authorized its review of the emails on his Hotmail account because the employee had stored his username and password on the employer’s computer system or forgot to remove such an account from an employer-provided phone before returning it.
The court rejected this argument, holding that it was tantamount to arguing that, if the employee had left his house keys on the reception desk at the office, he would have been implicitly authorizing his employer to enter his home without his knowledge. The court also noted that the employer’s computer usage policy did not provide the necessary authorization because it only referred to communications sent over the employer’s systems.
Likewise, a district court in Ohio confronted with similar facts, refused to hold the plaintiff responsible for his own failure to safeguard his information. In this case, the employee had turned in a company-issued blackberry upon termination without first deleting the Gmail account he had added to the phone. The former employer reviewed the emails in the former employee’s Gmail account, and the former employee alleged that this violated the SCA. The former employer argued that the former employee had negligently or implicitly consented to their review of the emails in her Gmail account by returning the blackberry to the company without deleting the account. However, the court held that the employee’s “negligence” in leaving the Gmail account on her phone when she turned it in was not tantamount to her authorizing the defendant to review the emails on her Gmail account.
However, a federal district court in California reached a different result in a case involving text messages. In this case, a company had sued its former employee for misappropriating trade secrets when it discovered, upon his termination, a number of text messages on the former employee’s company-issued iPhone that documented his misappropriation. The former employee had forgotten to delink his Apple account from the company phone he returned, and thus, his text messages continued to go to the phone — and his former employer. The court granted the company’s motion to dismiss the former employee’s counter claim that the company’s review of his text messages violated the SCA. The court held that text messages stored on phones are not in “electronic storage” within the meaning of the SCA, citing a Fifth Circuit case that reached the same conclusion about text messages. Of course, a violation of the SCA is not the only issue in these cases.
For example, in this case, the employee also alleged that his employer had invaded his privacy. However, the court held that the employee had no reasonable expectation of privacy in a company-owned phone that was no longer in his possession. In contrast to the two cases above, the court found that the employee’s failure to undertake precautions to maintain the privacy of his text messages showed he had no right to exclude others from accessing them.
The main lesson from these cases is that, if an employer wants to have the ability to review all employee communications that take place in the workplace, the employer needs to have, at a minimum, a policy that specifically provides for the right to monitor and review, for legitimate business reasons, any work-related communications made by the employee on a device provided by the company or a personal device used for work purposes. (Although the SCA does not require any showing about the employer’s motives in accessing the emails, a traditional invasion of privacy analysis would take this into account.) As a practical matter, the employer may not have the ability to access such accounts, but where access is available, this policy language is critical.
Over the past several years, technology has dramatically increased employee accountability in the workplace. For example, in an office environment, employees are expected to respond to emails immediately because they are either sitting in front of their computers or carrying a mobile device on which they can access their email. As for employees who work outside the office, the availability of employer-issued phones and, alternatively, the proliferation of BYOD policies, has resulted in off-site employees being generally just a phone call away. In specific industries in which employees drive motor vehicles while conducting business for the employer, yet another method of accountability exists: Global Positioning Systems (GPS).
For businesses that provide transportation or delivery services, it is not surprising to find that such employers have installed GPS devices in the vehicles used by their employees. The use of such devices can benefit both the employer and the employee in situations in which delivery status needs to be checked or a vehicle breaks down. In all likelihood, the employee in these situations is aware that a GPS device has been installed on the company vehicle he or she is driving and that the employee’s movements are being tracked while on duty. Privacy issues tend to arise, however, when employers use GPS data in connection with investigating alleged misconduct in the workplace.
There cases in which courts have addressed the legal parameters of an employer’s use of GPS devices to track workers in order to investigate potential misconduct are few but nonetheless instructive.
In Elgin v. Coca-Cola Bottling Co. (E.D.Mo. 2005), the employer attached a GPS device to a company-owned vehicle used by the employee to service vending machines after a cash shortage was reported on a number of machines. Although the employee was cleared of any wrongdoing in the investigation, when he found out that a GPS device had been installed on the company vehicle he drove during the investigation, he filed a claim for intrusion upon seclusion under state law. The court rejected this claim, noting that the vehicle was owned by the employer and the only information potentially revealed by the alleged “intrusion” was the whereabouts of the company vehicle. In another case, Tubbs v. Wynne Transport (S.D. Texas 2007), the court dismissed an invasion of privacy claim against an employer who had used information gathered by a GPS device that had been installed as a matter of course on a company-owned vehicle driven by the employee to perform his duties as a truck driver. The court did not, however, provide any substantive analysis regarding its decision to dismiss the claim.
Elgin and Tubbs both involved employers attaching GPS devices to company-owned vehicles. The balance between the employer’s interest in rooting out misconduct and the employee’s individual privacy rights shifts, however, when an employee’s personal vehicle is at issue — even if it is used for work purposes. In Cunningham v. New York Department of Labor (NY Ct. App. 2013), a state employee was under investigation for falsifying time records and voucher information related to work travel and had used his personal vehicle during work hours in connection with some of the suspected misconduct. As part of its investigation into the alleged misconduct, the employer had a GPS device installed on the employee’s personal vehicle to gather information about his movements during periods in which he was suspected of misconduct. The employee was ultimately discharged and filed suit to exclude the GPS data from evidence at his disciplinary hearing based on federal and state constitutional grounds.
The New York Court of Appeals held that installation of the GPS device on the employee’s personal vehicle was an unreasonable search under constitutional law principles. Although the Court held the search was reasonable at its inception because the employer had a reasonable suspicion that the employee was engaging in workplace misconduct, the search was unreasonable in its scope because it had not been designed to obtain only the information the employer needed to determine if workplace misconduct had occurred. Rather, the employer had monitored the employee’s personal vehicle 24/7, as opposed to only during working hours, and made no attempt to remove the device prior to the employee’s scheduled vacation. The Court concluded that “[w]here an employer conducts a GPS search without making a reasonable effort to avoid tracking an employee outside of business hours, the search as a whole must be considered unreasonable.”
However, the extent to which a personal vehicle is used for work purposes can alter the analysis. In two cases involving the revocation of a New York City taxi cab driver’s license for over-charging passengers, two New York city state courts held that taxi drivers had no legitimate expectation of privacy in GPS data gathered from the Taxi Technology System (TTS) installed on the cabs. The court also held that, even if the drivers had a legitimate expectation of privacy in the data, the city had a legitimate interest in determining whether or not the driver was overcharging passengers and had narrowly tailored its search to obtain information from the TTS only during the driver’s work hours. In these two cases, even though the cabs were personally owned by the drivers, the court found that the cab drivers had limited privacy rights with respect to the vehicles because they were open to public use and subject to regulation by the state. The regulatory authority required that all city cabs have the TTS equipment installed and drivers were required to use the system to transmit information regarding location, trip and fare information to the regulatory authority.
The takeaway from these cases is that, although an employer appears to be on solid ground attaching a GPS device to a company-owned vehicle and using data gathered by the device in an investigation of workplace misconduct, especially where the employee is aware the device is on the vehicle and the information is only being gathered while the employee is on duty, caution should be taken in attaching a GPS device to a personal vehicle used by the employee for work purposes. Employers also need to be mindful of complying with state laws regarding electronic surveillance. California, Connecticut, Delaware and Texas all have laws requiring either notice or consent prior to placing a GPS on another person’s motor vehicle.
As the foothold of technology sinks deeper into the terrain of the workplace, the privacy issues confronted by employers will only grow in complexity. However, courts have been reticent about making broad pronouncements about the intersection of law and technology in the workplace. As the Supreme Court stated in United States v. Kwon, a case involving a state employer’s review of an employee’s text messages on a state-issued pager, “[t]he judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role society has become clear.” This restraint, while understandable, can leave employers with unanswered questions about how to balance the competing interests of legitimate business needs and individual privacy concerns in the workplace, particularly where technology is involved. Perhaps in 2016, the courts will offer more guidance in this area. Stay tuned.
In Seyfarth’s eighth installment in its series of Trade Secrets Webinars, Seyfarth social media attorneys discussed their recently released Social Media Privacy Legislation Desktop Reference and addressed the relationship between trade secrets, social media, and privacy legislation.
As a conclusion to this well-received webinar, we compiled a list of brief summaries of the more significant cases that were discussed during the webinar:
- In KNF&T Staffing Inc. v. Muller, Case No. 13-3676 (Mass. Super. Oct. 24, 2013) a Massachusetts court held that updating a LinkedIn account to identify one’s new employer and listing generic skills does not constitute solicitation. The court did not address whether a LinkedIn post could ever violate a restrictive covenant.
- Outside of the employment context, the Indiana Court of Appeals in Enhanced Network Solutions Group Inc. v. Hypersonic Technologies Corp., 951 N.E.2d 265 (Ind. Ct. App. 2011) held that a nonsolicitation agreement between a company and its vendor was not violated when the vendor posted a job on LinkedIn and an employee of the company applied and was hired for the position, because the employee initiated all major steps that led to the employment.
- In the context of Facebook, a Massachusetts court ruled in Invidia LLC v. DiFonzo, 2012 WL 5576406 (Mass. Super. Oct. 22, 2012) that a hairstylist did not violate her nonsolicitation provision by “friending” her former employer’s customers on Facebook because “one can be Facebook friends with others without soliciting those friends to change hair salons, and [plaintiff] has presented no evidence of any communications, through Facebook or otherwise, in which [defendant] has suggested to these Facebook friends that they should take their business to her chair.”
- Similarly, in Pre-Paid Legal Services, Inc. v. Cahill, Case No. CIV-12-346-JHP, 2013 U.S. Dist. LEXIS 19323 (E.D. Okla., Jan. 22, 2013) a former employee posted information about his new employer on his Facebook page “touting both the benefits of [its] products and his professional satisfaction with [it]” and sent general requests to his former co-employees to join Twitter. A federal court in Oklahoma denied his former employer’s request for a preliminary injunction, holding that communications were neither solicitations nor impermissible conduct under the terms of his restrictive covenants
- The Virginia Supreme Court in Allied Concrete Co. v. Lester, 285 Va. 295 (2013) upheld a decision sanctioning a plaintiff and his attorney a combined $722,000 for deleting a Facebook account and associated photographs that undermined the plaintiff’s claim for damages stemming from the wrongful death of his wife in an car accident. The deleted photographs showed plaintiff holding a beer while wearing a T-shirt with the message, “I Love hot moms.” Subsequent testimony revealed that the plaintiff’s attorney had instructed his paralegal to tell the plaintiff to “clean up” his Facebook entries because “we do not want blowups of this stuff at trial.”
- PhoneDog v. Noah Kravitz, No. C11-03474 MEJ, 2011 U.S. Dist. LEXIS 129229 (N.D. Cal., 2012) involved a dispute over whether a Twitter account’s followers constitute trade secrets even when they are publically visible. The court denied the defendant’s motion to dismiss and ruled that PhoneDog, an interactive mobile news and reviews web resource, could proceed with its lawsuit against Noah Kravitz, a former employee, who PhoneDog claimed unlawfully continued using the company’s Twitter account after he quit. The court held that PhoneDog had described the subject matter of the trade secret with “sufficient particularity” and satisfied its pleading burden as to Kravitz’s alleged misappropriation by alleging that it had demanded that Kravitz relinquish use of the password and Twitter account, but that he has refused to do so. With respect to Kravitz’s challenge to PhoneDog’s assertion that the password and the Account followers do, in fact, constitute trade secrets — and whether Kravitz’s conduct constitutes misappropriation, the court ruled that the such determinations require the consideration of evidence outside the scope of the pleading and should, therefore, be raised at summary judgment, rather than on a motion to dismiss. The parties ultimately resolved the dispute.
- The Second Circuit Court of Appeals in Triple Play v. National Labor Relations Board, No. 14-3284 (2d. Cir. Oct. 21, 2015) affirmed an NLRB decision that a Facebook discussion regarding an employer’s tax withholding calculations and an employee’s “like” of the discussion constituted concerted activities protected by Section 7 of the National Labor Relations Act. The Facebook activity at issued involved a former employee posting to Facebook, “[m]aybe someone should do the owners of Triple Play a favor and buy it from them. They can’t even do the tax paperwork correctly!!! Now I OWE money . . . Wtf!!!!” A current employee “liked” the post and another current employee posted, “I owe too. Such an asshole.” The employer terminated the two employees for their Facebook activity. The 2nd Circuit affirmed the NLRB’s decision that the employer’s termination of the two employees for their aforementioned Facebook activity was unlawful.
The following is a collection of social media policies that have been implemented by various companies: http://socialmediagovernance.com/policies/. While these policies can serve as a helpful guide, companies should tailor their own social media policies and consult with counsel.
Social media and related issues in the workplace can be a headache for employers. There is no denying that social media has transformed the way that companies conduct business. In light of the rapid evolution of social media, companies today face significant legal challenges on a variety of issues ranging from employee privacy and protected activity to data practices, identity theft, cybersecurity, and protection of intellectual property.
On Tuesday, October 27, 2015 at 10:00 a.m. Central, Robert B. Milligan, Daniel P. Hart and Joshua Salinas will present the eighth installment in its series of Trade Secrets Webinars. They will discuss their recently released Social Media Privacy Legislation Desktop Reference and address the relationship between trade secrets, social media, and privacy legislation.
The Seyfarth panel will specifically address the following topics:
- Discussing recent and proposed employee privacy legislation, and how it may impact policies dictating mandatory turnover of social networking passwords and employee privacy concerns.
- Discussing the National Labor Relations Board’s (NLRB) treatment of employer social media policies, whether it applies to you, and what steps should be taken to avoid potential penalties for violating NLRB rulings.
- Discussing the interplay between social medial privacy laws and workplace investigations, and how developing internal company policy and/or contracts can protect companies’ assets.
- Defining, understanding, and protecting trade secrets in social media.
- How courts are interpreting ownership of social media accounts and whether social media sites constitute property and preventing trade secret misappropriation or distribution through social media channels.
- Discussing the interplay between protection of company information and ownership of company accounts in the social media age.
There is no cost to attend this program, however, registration is required.
*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.
If you have any questions, please contact email@example.com.
With the recent uptick of high-profile data breaches and lawsuits being filed as a result by both employees and consumers as a result, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.
Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.
In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.
Against this backdrop, Seyfarth attorneys Karla Grossenbacher and John T. Tomaszewski provided a high-level discussion on how businesses can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They discussed, from a legal perspective:
- Essential components of a comprehensive information security policy;
- Key elements of a data breach response plan including strategies for state law compliance; and
- Best practices for dealing with third party vendors that store personally identifiable information for your company.
Social Media Privacy Legislation Desktop Reference
What Employers Need to Know
There is no denying that social media has transformed the way that companies conduct business. In light of the rapid evolution of social media, companies today face significant legal challenges on a variety of issues ranging from employee privacy and protected activity to data practices, identity theft, cybersecurity, and protection of intellectual property.
Seyfarth’s Social Media practice group has prepared an easy-to-use “Social Media Privacy Legislation Desktop Reference,” as a starting point to formulating guidance when these issues arise.
The Desktop Reference:
- Describes the content and purpose of the various states’ new social media privacy laws.
- Delivers a detailed state-by-state description of each law, listing a general overview, what is prohibited, what is allowed, the remedies for violations, and special notes for each statute.
- Provides an easy-to-use chart summarizing existing social media privacy laws by state.
- Offers our thoughts on the implications of this legislation in other areas, including technological advances in the workplace, trade secret misappropriation, bring your own device (BYOD) issues and concerns, social media discovery, and federal law implications.
- Concludes with some best practices to assist companies in navigating this challenging area.
We hope that you find its content useful.
How to get your Desktop Reference:
This publication may be requested from your Seyfarth contact in hard copy or is available as an eBook, which is compatible with PCs, Macs and most major mobile devices*. The eBook format is fully searchable and offers the ability to bookmark useful sections for easy future reference and make notes within the eBook.
To request the 2015-2016 Edition of the Social Media Privacy Legislation Desktop Reference in eBook or hard copy, please click the button below: