Employees’ Informational Privacy Rights — Supreme Court Decides NASA v. Nelson
[Readers: The Supreme Court decided two employment cases in the last two weeks. I already have analyzed the Thompson decision (see the discussion below QQ # 169). Set forth below is an analysis of the Supreme Court's decision in NASA v. Nelson that was prepared by my colleague, Jillian Kornblatt. If you have any questions about this decision, do not hesitate to reach out to Jillian at 612.492.6156 or kornblatt.jillian@dorsey.com. Additional information regarding Jillian is available at http://www.dorsey.com/jillian-kornblatt/.
We are publishing Jillian's analysis in lieu of my response to QQ # 168. Tune in next Monday for that article. This week we also will have an analysis of our West Coast Quirky Question (# 169), and an article about the United Kingdom's anti-bribery statute. Finally, after a surprising delay, we do have a winner to the current Trivia Game. The answer, and a new question, will be posted Thursday. Regards, Roy]
By: Jillian Kornblatt
On January 19, 2011, the United States Supreme Court decided the case of NASA v. Nelson, No. 09-530. The Court unanimously (a six-justice majority, two concurring opinions, and Justice Kagan recusing herself) held that it did not violate the Constitution for employees of a government contractor to be required to submit to background checks in order to retain their jobs. The Court stated that the reasonableness of the government’s inquiries and the privacy protections in place meant that the background checks did not violate a “constitutional right to informational privacy.” The practical implications of this decision are discussed in the last section of this article.
City of Ontario v. Quon, The Supreme Court Weighs In on Employee Privacy Expectations
City of Ontario v. Quon, 560 U.S. ___ (2010)
On June 17, 2010, the U.S. Supreme Court decided the case of City of Ontario v. Quon, No. 08-1332, 560 U.S. ___ (2010). The decision was unanimous, with the Court’s opinion written by Justice Kennedy. Justices Stevens and Scalia filed separate concurring opinions. The Court held that the City of Ontario’s review of Jeff Quon’s, and others’, text messages sent on City-issued pagers did not constitute an unreasonable search and did not violate the Fourth Amendment to the Constitution.
Consumer Privacy Issues
The Federal Trade Commission’s Sears Holdings Enforcement Action – Developments in Online Behavioral Advertising, Privacy and Social Media
By: Melissa Krasnow and Peter Skrief
Companies engaged in online behavioral advertising – the practice of tracking an individual’s online activities to deliver advertising tailored to the individual’s interests – should review their privacy policies, terms of use and agreements and similar documents against their actual and contemplated online behavioral advertising practices in light of the Federal Trade Commission focus on this area.
In 2009, the FTC brought the enforcement action In the Matter of Sears Holdings Management Corporation, FTC File No. 082 3099. Sears Holdings Management Corporation (“Sears Holdings”) disseminated via the Internet a software application for consumers to install onto their computers (the “Application”) to participate in an online community. The “Privacy Statement and User License Agreement” (the “Agreement”) on the consumer registration page described the Application’s specific functions beginning at the 75th line, including how consumers could stop participating and remove the Application from their computers. The Agreement also included a reservation of the right to continue to use information collected before a consumer’s “resignation.” Consumers needed to indicate, through a blank checkbox next to a statement, that they had read and agreed to the terms and conditions of the Agreement before installation. When installed, the Application functioned and transmitted information substantially as described in the Agreement.
The FTC alleged that the following facts would be material to consumers in deciding whether to install the Application, and that the failure to disclose these facts, in light of the representations made, was a deceptive practice in violation of Section 5 of the Federal Trade Commission Act. The Application, when installed, would (i) monitor nearly all of the Internet behavior occurring on consumers’ computers, including (A) information exchanged between consumers and websites other than those owned, operated or affiliated with Sears Holdings, (B) information provided in secure sessions when interacting with third-party websites, shopping carts and online accounts and (C) headers of web-based email; (ii) track certain non-Internet related activities on those computers and (iii) transmit nearly all monitored information to the remote computer servers of Sears Holdings.
The FTC issued and approved a consent order in late 2009. This order is in effect for approximately 20 years. First, Sears Holdings must cease collecting any data transmitted to any Sears Holdings computer server by an Application installed before the order, and must destroy any information or data so transmitted from a consumer’s computer.
Second, Sears Holdings must notify affected consumers who downloaded and installed the Application on a computer in connection with the on-line community (i) that they have installed the Application on their computers (which collects and transmits to Sears Holdings and others the data described in the Agreement) and (ii) of how to uninstall the Application. Sears Holdings must provide prompt, toll-free, telephonic and electronic mail support to help affected consumers uninstall any Application. Notification must be made for two years by posting a clear and prominent notice on the on-line community website. The order defines “clearly and prominently” with respect to text, video, audio and interactive media. For three years, Sears Holdings must notify affected consumers who complain or inquire about any Application.
Third, in connection with the advertising, promotion, offering for sale, sale or dissemination of any Application before the consumer downloading or installing it, Sears Holdings must disclose clearly and prominently, and before the display of, and on a separate screen from, any final “end user license agreement,” “privacy policy,” “terms of use” page or similar document: (i) all types of data that the Application will monitor, record, or transmit (including, without limitation, whether (A) the data may include information from the consumer’s interactions with a specific set of websites or from a broader range of Internet interaction, (B) the data may include transactions or information exchanged between the consumer and third parties in secure sessions, interactions with shopping baskets, application forms, or online accounts and (C) the information may include personal financial or health information); (ii) how the data may be used and (iii) whether the data may be used by a third party.
Fourth, Sears Holdings must obtain express consent from the consumer to the download or installation of the Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is (i) not pre-selected as the default option and (ii) clearly labeled or otherwise clearly represented to convey that it will initiate those processes or by taking a substantially similar action.
Finally, Sears Holdings must (i) file with the FTC written reports regarding the manner and form of its compliance with the order and (ii) maintain, and upon request make available to the FTC, copies of all documents relating to compliance with the order for four years.
According to FTC Chairman Jon Leibowitz at the FTC Privacy Roundtable in December 2009, “[t]he thrust of our case was that, while the extent of tracking was described in the [Agreement], that disclosure wasn’t sufficiently clear or prominent given the extent of the information tracked, which included online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. So consumers didn’t consent with an adequate understanding of the deal they were making.”
This enforcement action followed the FTC’s issuance of its Staff Report on Self-Regulatory Principles for Online Behavioral Advertising in 2009, which describes the following four Principles: (i) transparency and consumer control, (ii) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising, (iii) reasonable security and limited data retention for consumer data and (iv) affirmative express consent for material changes to existing privacy promises. The first and second Principles are relevant to the enforcement action. First, every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (A) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests and (B) consumers can choose whether or not to have their information collected for this purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Second, companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive this advertising.
Federal and State Privacy Laws, Compliance Deadlines Fast Approaching
Federal and State Privacy Laws
By: Melissa Krasnow
The number and complexity of federal and state privacy laws continue to increase. These laws affect a broad range of public and private companies, including U.S. companies as well as foreign companies that conduct business in the United States.
Any company that possesses personal information relating to U.S. employees, customers, shareholders or others likely is subject to privacy laws. For purposes of the privacy laws, personal information typically includes names together with information like social security numbers, financial account information or driver’s license numbers. Protected health information is covered by the federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.
A number of new privacy law compliance deadlines are fast approaching. Failure to comply with privacy laws could trigger U.S. regulator and State Attorney General action as well as monetary penalties. In some cases, there also could be private lawsuits.
Below is a brief summary of upcoming privacy law compliance deadlines.
November 1, 2009 – Federal Trade Commission Written Identity Theft Prevention Program
A company that regularly extends, renews or continues credit, including accepting deferred payments for goods and services, may need to comply with the Federal Trade Commission’s “Red Flags” Rule. Examples of these companies include utility companies, telecommunications companies, finance companies, mortgage brokers, real estate agents, health care providers, lawyers, accountants, other professionals, automobile dealers, retailers that offer financing or collect or process credit applications for third party lenders and third party debt collectors that regularly renegotiate the terms of a debt. This Rule requires that a written identity theft prevention program be in place.
January 1, 2010 – Nevada Requirements for Encryption
A company (except for a telecommunications provider) doing business in Nevada that deals with personal information must comply with specific encryption requirements if it does not accept a payment card (a credit card or similar card) in connection with a sale of goods or services. This law also requires that a company that does accept payment cards in connection with a sale of goods or services comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry security standard developed by the PCI Security Standards Council (including American Express, Discover, JCB, MasterCard and Visa) for the protection of customer account data.
February 17, 2010 – Federal HITECH Act Requirements
Under the federal HITECH Act, health plans, health care providers and health care clearinghouses (i.e., covered entities), among other things, must review and update their business associate agreements, as well as their privacy and security policies and procedures, regarding (i) marketing, (ii) sale of protected health information, (iii) minimum necessary standards, (iv) accounting of disclosures and (v) restrictions on disclosure of services paid out-of-pocket. Business associates (those who perform functions on behalf of, or provide services to, covered entities that involve the use of protected health information) will be directly regulated under the HIPAA privacy and security rules, and must comply for the first time with those rules, including, among other things, a requirement to perform security risk assessments and develop security policies and procedures to address HIPAA security standards.
March 1, 2010 (Subject to a Revised Version of This Regulation) – Massachusetts Comprehensive Written Information Security Program
A company that owns or licenses personal information regarding Massachusetts residents must have a comprehensive written information security program with encryption requirements in place. In addition, third-party service providers – by contract – must implement and maintain appropriate security measures for personal information. A company that complies with HIPAA requirements or the Gramm-Leach-Bliley Act also must comply with this regulation. On September 22, 2009, a public hearing on this regulation was held. The Massachusetts Office of Consumer Affairs and Business Regulation expects to issue a revised version of this regulation in the coming weeks.
We Can Help
The upcoming compliance deadlines just hint at the many applicable privacy laws that present traps for the unwary. Implementing policies and procedures is not only advisable, but oftentimes required under applicable privacy laws. From data breach notification procedures to record retention policies to social media policies, we can help you navigate the ever-changing landscape of privacy laws. For additional information and updates, please contact Melissa Krasnow at krasnow.melissa@dorsey.com.
Privacy Update
Readers: Although we posted Melissa Krasnow’s Privacy Analysis earlier this week, it needs updating already. As Melissa notes:
“The Federal Trade Commission (the “FTC”) is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
The Massachusetts Office of Consumer Affairs and Business Regulation (“MOCABR”) posted the final version of the Massachusetts Privacy Regulation (the “Regulation”). According to MOCABR, this really is the final version!
The Regulation requires a company that owns or licenses personal information regarding Massachusetts residents to have a comprehensive written information security program with encryption and third party service provider requirements in place by March 1, 2010. While this compliance deadline remains unchanged from the August 2009 version of the Massachusetts Privacy Regulation, there are other changes.
Companies that are developing or have developed programs need to revisit what they have done thus far to make sure it complies with both the Regulation and the Nevada encryption law, if applicable.
Other companies immediately need to determine whether they are covered by the Regulation. Their compliance efforts should begin now if they determine that they are covered.
Finally, companies that determine that they are not covered typically prepare a written summary of their determination.”
If you would like additional guidance, please contact Melissa at krasnow.melissa@dorsey.com. Regards, Roy
Use of Surveillance Cameras to Monitor Worksite, Quirky Question # 116
Quirky Question # 116:
I am the owner of a small private company. I was recently alerted by my secretary that various computers around the office, including some in private offices, have been used late at night to access the internet. The late-night use has included accessing pornographic websites from a couple of the offices. I need to discover who the unauthorized user is, but I cannot afford a security system or security guards. Can I install a hidden video camera in the offices that have been accessed?
[Readers: Set forth below is our monthly West Coast Quirky Question. The analysis that follows was provided by Jennifer Prieb of our Palo Alto office. If you have any questions about this analysis, please don't hesitate to contact Jennifer directly at 650.843.2745 or via email at prieb.jennifer@dorsey.com. Additional information regarding Jennifer is available at http://www.dorsey.com/prieb_jennifer/. Regards, Roy]
Jennifer’s Analysis:
Well, that depends on a number of factors. How “private” are these offices? What is the general layout of your workplace? What exactly do you intend to video, and when?
In our answer to Quirky Question #49, we covered the general issue of surreptitious video surveillance to monitor employees. We also covered employee access of pornographic websites in Quirky Question #109. But your question is a little more specific in that it includes private offices and the use of video surveillance to catch the culprit who is accessing pornographic websites late at night.
A case with similar facts recently changed California law governing video surveillance of employees. There, the California Supreme Court reversed the Court of Appeals’ decision in Hernandez v. Hillsides, Inc., No. S147522, 2009 Cal. LEXIS 7804 (August 3, 2009). [Please note that this case was referenced in our answer to Quirky Question #49 and, as a result, the analysis of that case in Question #49 is no longer accurate.]
Previously, a California employee could succeed in a cause of action for invasion of privacy even if he could not establish that he was actually viewed or recorded. Now, however, an employer’s intrusion into an employee’s privacy may be justified, depending on the particular office environment and the nature and scope of the employer’s conduct.
Employee Expectations of Privacy
If you want to install hidden video cameras in the private offices that have been used for late-night Internet access, the first issue you need to consider is the privacy interests of your employees whose offices are involved.
In Hernandez, the Court began by noting that “while privacy expectations may be significantly diminished in the workplace, they are not lacking altogether.” The Court explained that workplace expectations of privacy vary, depending on whether the employee could be overheard or observed by others, the physical layout of the office intruded upon, and the nature of the activities commonly performed in such offices. At one end of this spectrum are offices in which work or business is conducted in open areas, in plain sight of supervisors, customers, and visitors. On the other end of the spectrum are areas in the workplace that are subject to limited view and hearing, restricted access and closed doors or blinds.
Your question says that the offices at your company are “private.” Without more details about your workplace layout, I can only advise you that employees in private offices which are separate or enclosed from other work areas have a heightened expectation of privacy. Given the extremely intrusive nature of hidden video cameras, even some employees who share offices but work in relative seclusion have an expectation to be free from secret filming by their employer. Under circumstances nearly identical to yours, the Court in Hernandez found that the employer intruded on the employees’ zone of privacy because the employer used the highly invasive method of video surveillance where plaintiffs had a heightened expectation of privacy in a relatively secluded office.
In its decision, the California Supreme Court also suggested that an employer who wishes to install surveillance equipment inside employee offices should provide notice to its employees that they will be subject to the risk of such surveillance. Employers who obtain consent to the possibility of intrusion can reduce the employees’ reasonable expectations of privacy, because the employees have been put on notice of potential surveillance.
Offensiveness of the Intrusion
An employer may be able to justify an intrusion into employee privacy expectations if the surveillance is for a legitimate business purpose and limited in scope. The second element to a claim for invasion of privacy requires that the intrusion must be “highly offensive” to a reasonable person and an “egregious breach of the social norms.” To determine whether an intrusion falls into these categories, courts look at the place, time and scope of the employer’s video surveillance efforts, as well as the employer’s motives and justifications.
In the Hernandez case, the employer was careful in choosing the location of the video camera. The company first tried to videotape the culprit from an open workplace area but, because of the high traffic there, moved to the more secluded office in which the unauthorized computer use was occurring. In the plaintiffs’ office, the employer focused the camera only on the specific computer workstation in question. The employer also limited the scope of the surveillance to the hours after the plaintiffs’ shifts had ended and they had left the facility for the night. The system was never activated during regular business hours when the plaintiffs were present, and the plaintiffs were never secretly viewed or taped. Finally, the employer’s purpose was legitimate: to determine who had been viewing pornographic websites at the nonprofit residential facility for neglected and abused children. Thus, even though the employer invaded the employees’ expectations of privacy, its actions were justified because they were narrowly tailored and served a legitimate purpose.
Tips for California Employers
1. Understand that employees have a reasonable expectation of privacy in the workplace and that expectation is heightened in secluded offices where an employee does not expect to be overheard or observed by others. There is a broad spectrum of employee privacy rights in the workplace, depending on whether the workplace is open to the public, the employee works in an open area or an office with a door that closes or locks, or an employee shares offices.
2. Provide employees with formal notice that they are subject to surveillance. Any monitoring practices or policies should be carefully followed in order to decrease or eliminate a reasonable expectation of privacy.
3. Monitor employees in the least intrusive manner possible, considering the place, time and scope of surveillance. Also, be certain that you have a legitimate purpose to conduct the surveillance.