Privacy in the Pandemic Age: Balancing Business Need-to-Know vs. Employee Privacy
'Employer vs. employee privacy and technology legal issues are convoluted and getting more convoluted by the day,' writes Levick chairman and CEO Richard Levick.
April 15, 2020 at 07:48 PM
7 minute read
With almost everyone working from home during the novel coronavirus pandemic, it has expedited an already growing personal privacy versus business need-to-know issue—just how much can your company use its devices such as a second laptop used almost exclusively at home or the office-purchased cellphone to retrieve employee personal data?
Among the big issues that in-house counsel must monitor include:
Where does an employee's claim to privacy begin and a company's claim to "control" over its devices end?
How does E&O—the errors and omissions professional liability issues that protect companies and their professionals from negligent work—factor into a radically different workplace where work gets entangled with the personal?
Is existing law adequate? Or does it need to be overhauled at the federal and state levels? And will California's tough and controversial new privacy law end up setting national standards on privacy and technology?
These are thorny issues. Organizations and their general counsels need to stay on top of them, embracing policies that protect themselves, their subsidiaries and supply chains, and their employees. GCs also need to recognize that their companies' interests are not necessarily their employees' interests—and that the dynamic could get increasingly strained.
Jules Polonetsky, the CEO of the Future of Privacy Forum, argues that, "People have always communicated in the workplace; now email and computers have made it possible for employers to track those conversations."
"Employers should understand that their right to exert control over their devices needs to be balanced with an individual's right to privacy," Polonetsky says. "When employees use company-owned devices at home, it's reasonable for employers to take certain precautions when those devices hold sensitive information, such as patient records, financial records, or other types of sensitive data."
Company Risks
But what equates to "certain precautions"? Many legal analysts believe that when a company allows its devices to leave the office, it takes on the following risks:
Employees' wi-fi, which enables them to access unsecured networks, triggering security breaches.
If an employee resigns, the company may lose access to that device for some length of time—or forever.
The device could be stolen or lost.
Now that work and personal information are mixed onto single devices, new dangers have emerged.
At many businesses these days, work extends into the evening or weekend hours. Companies can't be expected to "turn off" normal monitoring and privacy protocol just because the employee is using the device out of the office and beyond work hours. Many devices are equipped with a GPS tracking software, which effectively gives the employer a method of tracking its employee, especially if the device is tied to a cell phone. Since the company owns the device, it has the right—up to a point—to do what it wishes. Too often these days, that point is being violated.
Observes Brian Kropp, a group vice president with business consultancy Gartner, "This is the modern workplace now. If you work at a medium- to large-sized company, the odds are the different behaviors you engage in will be tracked by your employer, generated and collected by somebody in the organization."
Some 80% of businesses will be monitoring employees, deploying all manner of tools and data sources, which is more than double the trend that existed in 2015, Kropp estimates.
If you're using a company-issued device and in doing so access the firm's network, "they can get access" to your data, Kropp says.
Global Legal Play
It's not just the U.S. that is fixated on these issues.
A Canadian Supreme Court decision constituted a crucial pronouncement on privacy by holding that an employee had a reasonable expectation of privacy, even on a work-issued laptop.
A precedent delivered by the European Court of Human Rights is also creating a stir. In the case of Bărbulescu v Romania, the employee (Bărbulescu) found himself fired and told that he had breached the company's strict prohibition of email use for personal reasons. The court eventually ruled that his private life had been violated, which could also find its way into U.S. courts.
Current litigation in New York State also portends a significant precedent. In an ongoing lawsuit, Paul Iacovacci v. Brevet Capital Management LLC, Iacovacci accuses the investment firm of accessing his home computer to read his personal emails and stealing data stored on personal hard drives, including sensitive religious information, alleging that the activity violates federal anti-hacking laws. (In full disclosure, my firm has a relationship with a law firm for a litigation funder in this matter.)
Voice-enabled assistant devices are also attracting concern. A study released in early 2020 documents how often smart devices record audio clips without the speaker's permission. Even more sophisticated smart speakers can "accidentally" record audio nearly 20 times per day.
Here's another quandary. If an employee takes a device home, is that now tantamount to a tacit agreement to allow that device to capture personal recordings?
What about the technology that's embedded in employer-owned cars? Laws that prevent the use of mobile tracking devices to monitor the whereabouts of individuals apparently do not apply to GPS in employer-owned vehicles.
Lewis Maltby, the president of the National Workrights Institute, describes the situation as being "very vague," essentially dependent on "whatever shocks the judge."
Companies looking to avoid invasion-of-privacy claims should limit the information they gather to the bare minimum needed for "legitimate business reasons." They should also disable tracking capabilities whenever they're not essential.
Nearly two-thirds of states (plus the District of Columbia) have some kind of law on the books that prevent companies from dismissing employees for off-duty conduct. Since companies increasingly find themselves crosswise with these state statutes, a good rule is: "Don't collect what you can't protect."
Anthem paid $115 million in fines for 2014 and 2015 violations in neglecting to safeguard proprietary employee data.
In 2018, Cox Communications in San Diego was sued over the manner in which it dumped hazardous materials. The suit maintained that the company disposed of customer records without shredding or erasing sensitive information.
Given this track record, a good corollary rule for companies is: "Don't collect what you can't dispose of."
Businesses may get in trouble for deceptively collecting personal data—especially when it becomes increasingly confusing and "deception" becomes increasingly vague. Remember: both could "shock" the judge.
Priorities for Moving Forward
Here's a quick primer for companies and their general counsels.
First, designate someone in the GC's office to become its work/home devices expert and keep everyone apprised of the latest developments. Second, establish a company task force with representatives from the GC's office, IT, and Human Resources, and task it with developing internal policies designed to protect the company's interests while recognizing employee rights, too.
Summarize those policies in a simple guidelines statement, handed out to every employee. And make your company's procedures the focal point of give-and-take seminars jointly run by IT and HR.
Employer vs. employee privacy and technology legal issues are convoluted and getting more convoluted by the day. Stay on top of them.
Letter to the Editor: Read more for a response concerning Paul Iacovacci case.
Richard Levick, Esq., @richardlevick, is Chairman and CEO of LEVICK. He is a frequent television, radio, online, and print commentator.
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllWhy the Founders of IP Boutique Fisch Sigler Are Stepping Away From the Law and Starting an AI Venture
‘How to Succeed as a Trial Lawyer’: Talking Shop With Author and Veteran Litigator Stewart Edelstein
Litigation Leaders: Labaton’s Eric Belfi on Running Case Investigation, Analysis and Evaluation In-House
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250