Make Something Good Out Of COVID-19: Adopt Worker Privacy Protections on Company Devices
If properly handled, argues labor and employment attorney Karen Hertz, the response to COVID-19 has the power to define how companies and their company-device wielding employees should operate in our brave new work from home world.
April 07, 2020 at 07:00 AM
6 minute read
|
The economic, cultural and societal impact of the COVID-19 pandemic—The Big Pause—will be incalculable. America will, quite literally, never be the same. Our economy will eventually be turned back on, but our business dealings will be different, our social interactions will be different, the way we go about our daily lives will be different.
The new normal won't be like the old normal. At all.
No one can precisely know how much our work habits will be affected, but this much is certain: The Big Pause in all its repercussions will forever alter our workforce. Once we stop pausing, we need to update our working-from-home policies and overhaul our commitment to employee privacy rights.
Most working Americans are currently quarantined in their houses. They're using either personal devices or company-issued devices, without clear regulations on privacy. Indeed, it's been nearly 35 years since Congress adopted consumer privacy protections in the Electronic Communications Privacy Act of 1986. To put that into perspective, the first smartphone wasn't invented until 1992.
So, we've essentially had two generations of workers using cell and smartphones for business purposes without a clear articulation of where their employers' rights "stop"—and where their individual privacy rights "start."
If properly handled, the response to COVID-19 has the power to define how companies and their company-device wielding employees should operate in our brave new work from home world. Without clear data privacy laws, however, America is inviting a wave of thorny litigation and withering security risks.
Look no further than Paul Iacovacci, who used a company-issued computer at his home that was maliciously hacked by his employer. In addition to pilfering private emails, the company got access, without Iacovacci's knowledge, to deeply personal data, including religious and family information and data stored on personal hard drives. Iacovacci's lawsuit alleges his employer's actions violated federal antihacking laws, specifically the Computer Fraud and Abuse Act (CFAA), which prohibits intentionally accessing a computer "without authorization or in excess of authorization." His employer's behavior is the precise kind of corporate recklessness proscribed by the California's new Consumer Privacy Act.
If in the future Americans will have to spend more time teleworking—and that's almost certainly the case—security risks will only escalate. In a time of fully connected devices, streamlined password sync, and blurred lines between personal and professional time, company BYOD-policies must be strengthened to educate employees and equip employers once we transition out of The Big Pause.
Given today's blurred lines between "work" and "home" and the fact that businesses often own the digital devices used by their employees, it's not a surprise that legal strains would arise over the rights of employers vs. their workers and executives. What is a surprise is that it's taken Congress so long to catch up with technology and work trends.
New federal legislation, therefore, needs to address the following:
Determine the point at which a company's claim to "control" over its devices ends—and an employee's equally legitimate claims to privacy begin? Another legitimate concern for employers is to the extent employees utilize company property for personal use, does such use of employer property "waive" their expectation or right to privacy?
Enforce criminal sanctions on companies that willfully invade a worker's privacy. Several civil laws already exist to protect worker privacy—among them the Americans with Disabilities Act (ADA), the Health Insurance Portability and Accountability Act (HIPAA), the Whistleblower Act, and the 1986 Electronic Communications Privacy Act (ECPA)—in some form, but need to be updated, given technological developments.
Expand the ECPA protections. As amended, ECPA protects wire, oral, and electronic communications, at least while those communications are being made or when they're stored on computers. It expressly prohibits employers from monitoring employees' personal phone calls even if the calls were made or received on an employer's property. The act also requires the employer to disclose the fact that calls are being monitored and makes it a civil liability for employers to read, disclose, delete, or prevent access to an employee's voicemail.
Update errors and omissions laws, the whole sweep of professional liability issues that safeguard companies and their professionals against negligent or defective work.
While Congress is strengthening worker privacy rights, it must also assess California's tough new privacy statute and determine how it will factor into the setting of new national standards on privacy.
Employers, meanwhile, must observe their employees' continued right to privacy, including under ADA, HIPAA, and/or relevant state and local laws, while maintaining a safe and healthy workplace.
Many types of monitoring are legal; most employers monitor their employees' activities on some level. Many technologies allow employers to observer their employees'' "digital footprints" and thereby gain insight into employee behavior.
In fact, a 2005 survey of more than 500 U.S. companies found that over half of employers had disciplined employees and about one in four had terminated (fired) an employee for "inappropriate" use of the internet, such as sending an inappropriate email message to a client or supervisor, neglecting work while chatting with friends, or viewing pornography during work hours.
Nearly any activity on your office computer can be monitored, almost completely without regulation. The employer may watch, read and listen to most of the employee's workplace communications. Employees need to be mindful that when they use an employer's equipment, their expectations of privacy should be diminished. It is essential therefore that employers maintain and update their monitoring policies and that they be well documented, well defined, and require written acknowledgement by employees; in other words, they need to clearly state that employees should not expect privacy when they use their employer's resources or on their employer's property.
Congress also needs to address limiting the information a company gathers on employees to the bare minimum needed for "legitimate business reasons," as well as its disabling tracking capabilities whenever they're not needed. Too many companies are needlessly and recklessly tracking their employee's whereabouts and behaviors.
Some 30 states and the District of Columbia have adopted laws that discourage or prevent companies from firing employees for their "off-duty" conduct. As more and more companies find themselves in legal hot water for getting crosswise with these state statutes, a good rule is: "Don't collect what you can't protect."
Our new post-pandemic "normal" must include a renewed commitment to worker privacy rights—and a Congress that resolves to keep in step with technological developments and their impact on privacy.
Karen Hertz, Esq. is a Labor and Employment Attorney and Owner of Hertz Legal, PC.
Letter to the Editor: Read more for a response concerning the Paul Iacovacci case.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250