Seventeenth Annual Institute on Privacy and Data Security Law

To order this book, call (800) 260-4PLI or fax us at (800) 321-0093. Ask our Customer Service Department for PLI Order Number 148906, Dept. BAV5. Practising Law Institute 1177 Avenue of the Americas New York, New York 10036 Seventeenth Annual Institute on Privacy and Data Security Law Volume Two INTELLECTUAL PROPERTY Course Handbook Series Number G-1277 Co-Chairs Francoise Gilbert Lisa J. Sotto Thomas J. Smedinghoff


Post on 18-Dec-2021


© Practising Law Institute


Developments in Workplace Privacy 2015–2016

Margaret A. Keane

DLA Piper LLP (US)

If you find this article helpful, you can learn more about the subject by going to www.pli.edu to view the on demand program or segment for which it was written.


Privacy law continues to evolve, albeit at a much slower pace than rapid developments in technology. As a result, not only are employers caught in a legislative framework that they never contemplated, but also laws that are enacted are often reactionary and incomplete.

To illustrate the first point, employers now have the technical ability to use GPS tracking to monitor employee activity and the practical means to implement tracking on smart phones enrolled in Bring Your Own Device (BYOD) programs, and are struggling to determine how far to go with tracking. Wellness programs and wearables are creating new issues as the technology gives rise to new concerns and conflicts. This article will explore these recent developments in workplace privacy.

I. BEFORE THE EMPLOYMENT RELATIONSHIP BEGINS: BACKGROUND CHECKS, “BAN-THE-BOX” STATUTES, AND CREDIT CHECK REQUIREMENTS

The majority of employers conduct background and credit checks when recruiting employees. Within the last several years, criminal history checks and credit checks have been the source of both litigation and legislation. Statutes that prohibit employers from inquiring into an applicant’s criminal history, so-called “ban the box” statutes, have popped up nationwide in city ordinances and state statutes. In addition, several states have enacted laws regulating the use of an applicant’s credit-worthiness in employment decisions. These statutes have caused employers to limit or omit questions involving an applicant’s criminal and credit histories at the pre-employment stage.

These two issues, while interrelated, have been regulated by entirely separate entities, with the Equal Employment Opportunity Commission (EEOC) addressing criminal background checks and the Federal Trade Commission (FTC) regulating credit checks. On March 10, 2014, however, the two agencies released joint guidance on the use of background checks in employment decisions.1 The agencies made clear that employers need to be in compliance with both the technical and substantive requirements set forth by regulation. The guidance highlights the fact that it is of increasing importance that employers reexamine their current practices and policies to ensure that they are in compliance.

1. Background Checks: What Employers Need to Know, EQUAL EMPLOYMENT OPPORTUNITY COMMISSION AND THE FEDERAL TRADE COMMISSION, March 10, 2014, available at: http://business.ftc.gov/documents/0487-background-checks-what-employers-need-know.

A. Criminal History

In April 2012, the EEOC issued recommendations to employers regarding their use of criminal records in making employment decisions.2 The EEOC guided employers to use caution when screening candidates based on criminal history because of its potential Title VII disparate impact implications.3 Studies that the EEOC conducted concluded that because Hispanics and African Americans were arrested and convicted at disproportionate rates, they were often being screened out of employment opportunities at higher rates as well.4 The EEOC also claimed a public policy interest in providing employment-related protections for ex-offenders by breaking down some of the barriers to reintegration into the workforce.5 As one of its top priorities, the EEOC has filed several prominent lawsuits related to background checks against employers.6 So far, the EEOC has had mixed results.

Since the EEOC issued recommendations, new legislation has been enacted at both the state and municipal levels. This lack of uniformity has created a complex web of regulations, especially for employers with a national workforce. This has led some employers to stop inquiring into an employee’s criminal history nationwide in order to implement a uniform policy and avoid costs associated with keeping up to date with the fluctuating state of the law.7

2. Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964, EEOC, 4/25/2012, available at: http://www.eeoc.gov/laws/guidance/arrest_conviction.cfm.

3. Id.

4. Id.

5. Id.

6. In 2015, BMW Manufacturing Company agreed to pay $1.6 million to African-American employees whom the company denied employment due to their criminal histories after its motion for summary judgment was denied. EEOC v. BMW Mfr. Co., LLC, No. 7:13-CV-01583-HMH, 2015 WL 5511210 (D.S.C. Sept. 8, 2015) (Verdict, Agreement and Settlement); compare with EEOC v. Freeman, 778 F.3d 463 (4th Cir. 2015) (affirming summary judgment in favor of the employer in a case involving a challenge to the employer’s use of criminal background and credit history checks in the hiring process).

7. Target Corporation Announces New “Ban the Box” Policy, Setting Example for Large Corporations Across the U.S., NATIONAL EMPLOYMENT LAW PROJECT, Oct. 29, 2013, available at: http://www.nelp.org/page/-Press%20Releases/2013/PR-Target-Ban-the-Box.pdf?nocdn=1%20\.

States that have enacted legislation on the use of criminal history in employment decisions include: Colorado,8 California,9 Connecticut,10 Delaware,11 Hawaii,12 Georgia,13 Illinois,14 Maryland,15 Massachusetts,16 Minnesota,17 Nebraska,18 New Jersey,19 New Mexico,20 New York,21 Ohio,22 Oregon,23 Pennsylvania,24 Rhode Island,25 Vermont,26 Virginia,27 Washington,28 and Wisconsin.29

1. Scope of Prohibited Activity

As a general rule, the statutes prohibit employers from inquiring into an applicant’s criminal history. However, the statutes vary in material respects. In Connecticut, Delaware, Georgia, Maryland, Nebraska, New Mexico, Ohio, Vermont, and Virginia, “ban the box” statutes only apply to state government applicants and employees. The rest of the state statutes apply to both public and private employers.

8. Colo. Rev. Stat. § 24-72-701 (2013).

9. Cal. Lab. Code § 432.7 (1999).

10. Gen. Stat. Conn. § 31-51i (2010).

11. Del. Code Ann. tit. 19, §§ 710 & 711(g)(1)-(4) (West 2015); and Del. Code Ann. tit. 29, § 6909B (West 2015).

12. Haw. Rev. Stat. § 378-2.5 (2013 Supp.).

13. Ga. Exec. Order No. (Feb. 23, 2015), https://gov.georgia.gov/sites/gov.georgia.gov/files/related_files/document/02.23.15.03.pdf.

14. 820 Ill. Comp. Stat. Ann. 75/1 et seq. (West 2015).

15. Md. Code Ann. § 2-203 (2013).

16. Mass. Gen. Laws Ch. 151B, § 4(9) and (9½). (2013 Supp.).

17. Minn. Stat. § 364.021 (2013 Supp.).

18. Neb. Rev. Stat. § 48-202 (2014).

19. N.J. Stat. Ann. §§ 34:6B-11 et seq. (West 2015).

20. N.M. Stat. § 28-2-3 (1996).

21. N.Y. Exec. Law § 296(15) (2001).

22. Ohio Rev. Code Ann. § 9.73 (West 2016) (effective March 23, 2016).

23. Or. Laws Ch. 559, § 1 (2015).

24. 18 Pa. Stat. Ann. § 9125 (1999).

25. R.I. Gen. Laws § 28-5-7(7)iii (2013 Supp.).

26. Vt. Exec. Order No. 03-15 (Apr. 21, 2015), http://governor.vermont.gov/sites/governor/files/executive_orders/EO%2003-15%20Ban%20the%20Box%20Policy.pdf.

27. Va. Exec. Order No. 41 (Apr. 3, 2015), https://governor.virginia.gov/media/3762/eo-41-ban-the-boxada.pdf.

28. Legislative information available at: http://www.njleg.state.nj.us/2012/Bills/S3000/2586_I1.PDF.

29. Wis. Stat. Ann. § 111.335 (Supp. 2000).

The scope of prohibited activity also varies from state to state. Some states, like California, prohibit inquiry into arrests that did not result in a conviction; others, like Maryland, prohibit inquiries into sealed or expunged criminal records; whereas Massachusetts prohibits inquiry into any state convictions.30

The statutes also vary in terms of the procedural timing of when an employer may ask about an applicant’s criminal background. Minnesota’s ban the box law, for example, prohibits an employer from inquiring about an applicant’s criminal history or performing a background check until the applicant has been selected for an interview or extended an offer of employment contingent on the background check.31

2. Exceptions

While exceptions to the statutes vary across states, all allow an employer to carry out a background check on an applicant or employee in order to be compliant with federal law. Hawaii, Ohio, and Washington allow employers to ask about and consider an applicant’s criminal conviction record if such records are rationally related to the applicant’s job, duties, and responsibilities. However, in Hawaii and Washington, those inquiries are limited to the most recent 10-year period. Michigan allows employers to inquire into an applicant’s felony criminal history – including incidents that did not result in a conviction or dismissal. Nebraska permits school districts and educational service units to require applicants to disclose their criminal history. Oregon allows an employer to consider past criminal convictions when seeking a nonemployee volunteer.

3. Conclusion: What Employers Should Know About Criminal History Checks

Given the EEOC’s focus on the use of criminal background checks in employment decisions, it is ever more important and timely for employers who plan to inquire into an applicant’s criminal history to stay current on evolving legislative activity and to have legal counsel review their employment application and background check forms to ensure that they remain compliant.

30. Mass. Gen. Laws ch. 151B, § 4(9) and (9½). (2013 Supp.).

31. Minn. Stat. § 364.021 (2013).

Employers who plan on removing such questions from their employment application may still want to run a check or ask about an applicant’s criminal history at the appropriate stage (e.g., after giving the applicant an offer) in order to address any potential compliance and safety concerns and to avoid negligent hiring claims.

B. Credit History

In addition to prohibiting inquiry into an applicant’s criminal history, several states now limit consideration of an individual’s credit in employment decisions. In addition, Senator Elizabeth Warren (D-MA) introduced a bill in late December that would prohibit employers from asking prospective employees about their credit histories or obtaining such information through a consumer or credit report.32

States that have additional regulations regarding the consideration of credit in employment decisions include: California,33 Colorado,34 Connecticut,35 Delaware,36 Hawaii,37 Illinois,38 Maryland,39 Oregon,40 Nevada,41 Oregon,42 Vermont,43 and Washington.44

1. Scope of Prohibited Activity

The majority of states that have enacted a statute prohibit the use of an applicant’s credit history in making employment decisions.45 Vermont’s statute includes an additional prohibition on asking about an applicant or employee’s credit history, and Illinois includes both of those prohibitions and also bans employers from obtaining an applicant or employee’s credit report. In contrast, Washington allows employers to obtain and consider an employee or applicant’s credit report only after providing the employee or applicant with written notice that his or her credit history may be used for employment decisions. However, employers may only do so if the employee or applicant’s credit worthiness is substantially related to his or her job function or required by law. Hawaii’s statute allows an employer to consider a prospective employee’s credit history only after the prospective employee has received a conditional offer of employment.46

32. EQUAL EMPLOYMENT FOR ALL ACT OF 2013, text of the bill available at: http://www.warren.senate.gov/files/documents/Bill%20text%20-%20Equal%20Employment%20for%20All%20Act.pdf.

33. Cal. Lab. Code § 1024.5 (2013).

34. Colo. Lab. Code § 8-2-126 (2013 Supp.).

35. Conn. Lab. Code § 31-51tt (2013 Supp.).

36. Del. Code Ann. tit. 19, §§ 710 & 711(g)(1)-(4) (West 2015); and Del. Code Ann. tit. 29, § 6909B (West 2015).

37. Haw. Rev. Stat. § 378-2.7 (2013.).

38. 820 ILCS 70/1-30 (2013 Supp.).

39. Md. Lab. Code § 3-711 (2013 Supp.).

40. Or. Rev. Stat. § 659A.320 (2013 Supp.).

41. Nev. Rev. Stat. § 613.520 et seq. (2013 Supp.).

42. Or. Rev. Stat § 659A.320 (2010).

43. Vt. Stat. Ann. Tit. 21, § 495i (2013 Supp.).

44. Wash. Rev. Code § 19.182.020 et seq. (2013 Supp.).

2. Exceptions

Generally, the statutes include exceptions for applicants and employees whose credit information is substantially related to their prospective or current jobs and for jobs where a credit report is required by law. In addition to those requirements, some states provide exceptions for positions that involve access to confidential or proprietary information,47 where the employer is a bank or financial institution,48 or where the employer can demonstrate that the information is a valid and reliable predictor of employee performance in a specific position.49

3. Remedies

Remedies under the statutes vary. Some, like California, do not include a remedy, while others, like Colorado, Connecticut, Hawaii, and Maryland, allow an aggrieved applicant or employee to file a complaint with the division of labor. In Maryland the Commissioner may impose a fine on the employer. In Illinois, Oregon, and Vermont, a person may bring a civil claim in order to obtain injunctive relief, damages, or, in Oregon, reinstatement.

45. California, Colorado, Connecticut, Hawaii, and Maryland.

46. Haw. Rev. Stat. § 378-2.7 (2013).

47. California, Connecticut, Illinois, and Maryland.

48. Colorado and Maryland.

49. Vermont.

4. Conclusion: What Employers Should Know About Credit Checks

Employers should check to ensure that their current hiring practices comply with all applicable state statutes and should monitor legislative activity. In general, however, when an employer requests a credit report it must comply with the requirements of the Fair Credit Reporting Act (“FCRA”), which require the employer to provide the applicant with a clear disclosure statement that identifies the consumer credit agency, the employee or applicant’s right to view the report, the legally permissible purpose of the report, and the nature and scope of the credit check. In addition, it should obtain the applicant or employee’s signed authorization form.

Spokeo v. Robins,50 currently being reviewed before the Supreme Court, will determine whether consumers can sue companies for violating the FCRA and similar statutes without alleging an actual injury. The plaintiff sued Spokeo, a “people search engine,” for allegedly violating the FCRA by falsely reporting that he was wealthy and had a graduate degree when in fact he was struggling to find work. The Ninth Circuit in 2014 sided with the plaintiff and found that Spokeo’s alleged violation of the FCRA amounted to an injury.51 The United States Supreme Court’s decision will impact plaintiffs seeking statutory damages under the FCRA against employers in federal courts.

II. MONITORING EMPLOYEES IN AND OUT OF THE WORKPLACE

A. “Bring Your Own Device” (BYOD), and Employee Dual Use Devices

1. Introduction

For employers, dual use devices are an increasingly popular alternative to providing employees with an employer-owned mobile device. It is an attractive solution for many because it saves costs and provides employees greater flexibility in selecting their devices for work, which, in turn, leads to boosts in productivity. While much attention has been devoted to the data security issues that such policies create, these devices also implicate privacy issues. The old view that employees have little to no expectation of privacy is gradually eroding, but no clear lines have been drawn on the privacy limitations of an employee-owned device.

50. Spokeo v. Robins, Inc., 742 F.3d 409 (9th Cir. 2014), cert. granted, 82 U.S.L.W. 3815 (U.S. Apr. 21, 2015) (No. 13-1339).

51. Spokeo v. Robins, Inc., 742 F.3d 409, 414 (9th Cir. 2014).

BYOD policies present complicated privacy issues because while the employee ultimately owns the device, the employer needs a certain degree of control over the use of the device. In a recent survey of employees, the largest concern cited by employees was employer access to personal data.52 In order to gain that control, a growing number of companies are deploying mobile device management (MDM) software to manage their BYOD policies. Increasingly, as MDM grows more complicated, employers and security vendors are implementing additional mobile security platforms to manage application security (Mobile Application Management, or MAM) and mobile data (Mobile Information Management, or MIM). Together, these services are being packaged as Enterprise Mobility Management (EMM) and promoted as a comprehensive mobile security solution. These tools increase an employer’s control of the device, potentially at the expense of the employee’s privacy interests.

EMM software gives an employer a broad range of options from basic user access restrictions on specific applications to monitoring how the device is being used. For example, employers can block access to certain applications or to the applications “store,” disable the phone camera, and, as discussed below, track an employee’s movements.

EMM systems implicate more than a few privacy issues, especially in an era where a smart phone is used not only to access email and make calls, but also to store a diverse array of information. People increasingly use their smartphones to track and store health and finance data, as well as the more common personal photos, communications, social media profiles, and lifestyle information.

Eventually, employers can expect the development of regulations governing these devices, but for now, there is little clear guidance. Potential liability could arise from traditional privacy torts, such as intrusion onto seclusion; federal regulations under the Stored Communications Act (SCA); or state lifestyle statutes that prohibit an employer from taking adverse employment actions against employees based on their off-duty conduct.

52. Mobile Security: Fixing the Disconnect Between Employer and Employee for BYOD (Bring Your Own Device), Webroot (July 2014). Available at http://www.webroot.com/shared/pdf/WebrootBYODSecurityReport2014.pdf (last accessed March 18, 2015).

2. Federal Statutes on the Unauthorized Access or Use of Electronic Information

Federal laws have failed to keep pace with the rapidly changing digital environment. Employers and employees, not to mention courts, are struggling to apply largely outdated statutory schemes to fact patterns that could not have existed when the laws were first written. Nonetheless, case law applying several federal electronic data and communications statutes can illuminate some of the pitfalls for employers.

The federal Stored Communications Act (SCA) addresses access to stored wire and electronic communications and transactional records.53 Under the Act, it is an offense to “intentionally access without authorization a facility through which an electronic communication service is provided and thereby obtain access to a wire or electronic communication while it is in electronic storage in such system.”54 The SCA was enacted in 1986 and since then it has occasionally been used in the context of workplace privacy. One such case that is informative on BYOD issues is Lazette v. Kulmatycki, et al.55

In Lazette, an employee, upon her leaving the company, returned an employer-owned smartphone that she had inadvertently left connected to her personal email account, thus enabling her former supervisor to access her personal email account without her knowledge.56 She brought suit and alleged several causes of action, including violation of the SCA.57 The district court held in the employee’s favor by denying the employer’s motion to dismiss.58 While there were several issues, the two most relevant in the BYOD context involve whether or not the smartphone was a “facility through which an electronic communication service is provided,” and whether the emails that were accessed were in “electronic storage.”

53. 18 U.S.C. §§ 2701–2712.

54. Id. at § 2701(a)(1).

55. Lazette v. Kulmatycki, 949 F. Supp. 2d 748 (N.D. Ohio June 5, 2013).

56. Id. at 751.

57. Id. at 752.

58. Id. at 763.

With respect to the first issue, the court held that cell phones, Blackberries, and personal computers do not constitute “facilities” under the SCA, because the SCA is intended to protect the facilities that are operated by electronic communication service providers and are used to store and maintain electronic storage.59 On the second issue, the court decided that some of the employee’s emails were in “electronic storage” as defined by the SCA.60 While the Lazette case did not involve a BYOD policy, employers should pay close attention to it because it could easily apply to a dual use device. While untested, the SCA may have important implications when considering the unauthorized access of an employee’s personal information stored on a dual use device.

On the other hand, at least one court has recently found that an employer who wiped a dual use device of an employee’s personal data did not violate the Computer Fraud and Abuse Act (CFAA), or the Electronic Communications Privacy Act (ECPA). In Rajaee v. Design Tech Homes, Ltd.,61 the plaintiff was an employee who had provided his own mobile device for use in his work. Upon his termination, the company wiped his phone, resetting it to factory settings. As a result, his personal data was also destroyed. The court dismissed his claims on summary judgment, finding that he could not show damages as required by the act.

3. Acting on Employee Personal Data May Violate State Lifestyle Statutes or Privacy Laws

While not all states recognize the privacy tort intrusion onto seclusion, those that do generally take the Restatement § 2 approach by providing for civil liability for intentional physical intrusion upon the solitude or seclusion of another.62 The physical intrusion may include investigation or examination of a person’s personal concerns or effects, including electronic devices.63

59. Id. at 755.

60. Id. at 759.

61. 2014 BL 318273, No. 4:13-cv-02517 (S.D. Tex. November 11, 2014).

62. Restatement (Second) of Torts § 652B.

Case law on the issue is sparse. However, a Court of Appeals in Georgia addressed the issue in Sitton v. Print Direction, Inc.64 In Sitton, an employee alleged that his employer had committed the tort by accessing the personal computer that he used for work while the employee was away from his desk.65 The court, in determining that no intrusion had occurred, reasoned that while the employer’s access was intrusive, it was “reasonable in light of the situation” because the employer had reason to believe that the employee was violating a policy not to compete and accessed the employee’s computer as part of an investigation into the employee’s potential misconduct.66 Sitton is instructive as one example of the limits on the use of a personal device for work and of an employer’s ability to monitor employee activity.

In addition, some states have “lifestyle” statutes that address specific off-duty activity that an employer cannot consider when making employment decisions. The states with the broadest statutes, like California,67 Colorado,68 New York,69 and North Dakota,70 prohibit discrimination based on any lawful activity by an employee off the premises and during non-working hours. Other states like Illinois,71 Minnesota,72 Montana,73 Nevada,74 North Carolina,75 and Wisconsin76 have slightly narrower lifestyle statutes that prohibit discrimination based on an employee’s use of “lawful products” or “lawful consumable products.” Another 30 or so states prohibit discrimination based on the use of tobacco, which was the original reason that these lifestyle statutes were enacted. These statutes may pose a risk to employers who, intentionally or not, come across an employee’s personal information and make adverse employment decisions based on that information.

63. Id.

64. Sitton v. Print Direction, Inc., 312 Ga. App. 365 (2011).

65. Id. at 367.

66. Id. at 369.

67. Cal. Lab. Code § 96(k) (2000).

68. Colo. Rev. Stat. Ann. § 24-34-402.5(1) (2004).

69. N.Y. Lab. Law § 201-d(b) (2004).

70. N.D. Cent. Code § 14-02.4-08 (2003).

71. 820 ILCS 55/5 (1992).

72. Minn. Stat. § 181.938 (2003).

73. Mont. Code Ann. §§ 39-2-313 – 314 (2004).

74. Nev. Rev. Stat. Ann. § 613.333 (2004).

75. N.C. Gen. Stat. § 95-28.2 (2004).

76. Wis. Stat. Ann. § 111.321 (2004).

4. Employee and Employer Obligation to Produce Information from Employee Device

Legal discovery presents another challenge to employers implementing BYOD policies. Electronic data that may fall within the scope of discovery requests made upon the employer can reside on an employee’s personal device. Thus, when there is a legal proceeding involving the employer, an employee’s device may become discoverable. This leads to significant privacy concerns as people store all sorts of personal information on their mobile devices. On the other hand, a company’s own sensitive information may be at risk if its employee is in litigation and produces his or her device for discovery.

The early trend shows that courts are willing to enforce discovery requests for information contained on employee devices. In In re Pradaxa,77 the court held that a litigation hold should extend to personal devices (at least some of which were company-issued), in order to preserve any text messages that might be relevant to the lawsuit. The employer there did not take steps to turn off the auto delete function for texts on employee devices, despite the litigation hold, and the employer consequently failed to produce relevant texts during discovery.

Similarly, the Ninth Circuit held in EEOC v. McLane that during the course of an investigation, the EEOC can require employers to produce “pedigree information” (i.e., address, name, telephone number, and Social Security number) of applicants and workers other than the charging party if the information is relevant to the underlying investigation.78 In rejecting the employer’s argument that the requested information was not necessary, the court noted that “the governing standard is not ‘necessity’; it is relevance.”79

77. In re Pradaxa (Dabigatran Etexilate) Products Liability Litigations, MDL No. 2385, 2013 WL 6486921, at *42 (S.D. Ill. Dec. 9, 2013), rescinded on other grounds sub nom. In re Petition of Boehringer Ingelheim Pharm., Inc., & Boehringer Ingelheim Int’l GmbH, in Pradaxa (Dabigatran Etexilate) Products Liab. Litig., 745 F.3d 216 (7th Cir. 2014).

78. EEOC v. McLane, 804 F.3d 1051, 1057 (9th Cir. 2015).

Failure to cooperate with discovery requests may lead to significant punitive legal consequences. In Small v. University Medical Center of Southern Nevada,80 the defendant lost over two years of messages and other electronically stored information (ESI) that were potentially relevant to the litigation. The special master declared the defendant’s conduct a “mockery of the orderly administration of justice,” and recommended that the court enter an order of default judgment.81

5. Conclusion: What an Employer Should Know About Dual-Use Devices

First and foremost, employers should implement or revise their BYOD policies and user agreements so that employees who decide to use their own devices for work have clear guidelines on security and privacy issues. Those policies should include information on security, the scope and situations under which the employer is allowed to monitor and access the device, the need to preserve data in the event of litigation, and actions that need to be taken upon the employee’s resignation or termination.

In terms of security, the employer should obtain employee consent to wipe the device remotely in the event it is lost or stolen or if a virus or other security threat is detected on the device. In addition, the policy should clearly state the scope of potential employer monitoring, including the data that an employer is authorized to access, and certain triggers to monitoring, e.g., if there is reasonable suspicion of employee misconduct. Employees should be warned that they may be obligated to preserve data in the event of litigation.

Finally, employers may want to limit their access to data collected on the device. Employers should not seek out more information than they need in order to ensure that the device is secure and that employees are complying with company policies.

79. Id.

80. Small v. Univ. Med. Center of S. Nev., No. 2:13-CV-00298-APG-PAL, 2014 WL 4079507, at *50 (D. Nev. Aug. 18, 2014).

81. Id. at *69.

B. Wellness, Wearables, and Privacy

1. Introduction

Workplace health and wellness programs are becoming a common employee benefit in the United States. In fact, according to a 2013 Rand Health study,82 about 50 percent of employers offer wellness programs to their employees, and the number has been on the rise. These programs consist of activities such as health education, coaching, weight management programs, medical screenings, on-site fitness programs, and more. Employers have begun to incorporate wearable technology such as the Apple Watch and Fitbit into these programs,83 increasing concerns over whether the biometric data collected is subject to the current federal and state regulatory framework. It is likely that the more specialized the health information collected becomes, the more important the question of privacy will turn out to be.

When it comes to employer-sponsored wellness programs and health plans, a range of laws may apply, raising questions about what data can be collected, how it can be used and disclosed, and what security safeguards should be in place. At the federal level, the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA) should be observed. State laws, such as California’s Confidentiality of Medical Information Act, also have to be taken into account when using these devices in an employment context.

2. ADA Regulations and Wellness Programs

Under the ADA, employer medical inquiries and exams are prohibited unless they are a business necessity or are “voluntary.” The connection between the ADA and many wellness programs is that the programs frequently require the completion of a health risk assessment (HRA) and some biometric screening for things like body mass index, cholesterol, blood pressure, glucose, etc., as a condition of receiving the incentive.

82. Soeren Mattke, et al., Workplace Wellness Programs Study, Final Report, RAND Corporation (2013). Available at http://www.rand.org/pubs/research_reports/RR254.html (last accessed February 16, 2016).

83. Jason Cipriani, Here’s Why Fitbit is giving Target 335,000 fitness-tracking devices, Fortune (September 16, 2015). Available at http://fortune.com/2015/09/16/fitbit-hipaa/ (last accessed February 11, 2016).

In 2014, the EEOC initiated three lawsuits targeting employer wellness programs. The third of these suits, EEOC v. Honeywell International Inc.,84 was particularly problematic for employers because Honeywell’s program was carefully designed to conform to the Final Wellness Program Regulations, promulgated by the DOL in 2013.85 In line with its obviously increased enforcement position, on April 20, 2015, the EEOC issued a Notice of Proposed Rule Making (NPRM)86 on what employer wellness programs must do to comply with the ADA. If finalized in their current form, among other safeguards, the regulations would require employers to provide a notice informing employees about:

What medical information will be obtained;

Who will receive medical information;

How the medical information will be used;

The restrictions on its disclosure; and

The methods that will be used to prevent improper disclosure.

Employers and wellness providers thus need to act with care on program design. At a minimum, they should ensure compliance with regular ADA concerns, such as alternatives for earning rewards for individuals who cannot meet regular requirements, and ensuring that employees who refuse to participate are not discriminated against.

3. GINA Regulations and Wellness Programs

President George W. Bush signed the Genetic Information Nondiscrimination Act (GINA)87 into law in May 2008 to ensure Americans would be able to take important genetic tests for health reasons without worrying that they would be discriminated against over their genetic information. Congress also expressed concerns about common misconceptions that an individual’s genetic predisposition for a condition necessarily leads to the individual developing the condition, explaining that “[a]n employer might use information about an employee’s genetic profile to deny employment to an individual who is healthy and able to perform the job.”88

84. EEOC v. Honeywell Int’l Inc., No. 0:14-cv-04517, 2014 WL 5795481 (D. Minn. Oct. 27, 2014).

85. Available online at http://www.dol.gov/ebsa/pdf/workplacewellnessstudyfinalrule.pdf.

86. Americans with Disabilities Act of 1990 (proposed Apr. 20, 2015) (to be codified at 42 U.S.C. §12101 et seq).

87. 42 U.S.C. 2000ff et seq.

Title I of GINA bars group health plans and health insurance issuers from discriminating based on genetic information, and Title II prevents employers from using that information when making employment decisions. Consequently, GINA restricts acquisition and disclosure of genetic information, and includes an absolute prohibition on the use of genetic information in making employment decisions. Violation of GINA may result in serious penalties.89 The EEOC issued implementing regulations on November 9, 2010, to provide all persons subject to Title II of GINA additional guidance with regard to the law’s requirements.90 Failure to

On October 30, 2015, the EEOC issued an NPRM91 to amend the regulations implementing Title II of GINA as they relate to employer wellness programs that are part of group health plans. The proposed rule clarifies that an employer may offer, as part of its health plan, a limited incentive (in the form of a reward or penalty) to an employee whose spouse (1) is covered under the employee’s health plan; (2) receives health or genetic services offered by the employer, including such services as part of a wellness program; and (3) provides information about his or her current or past health status. The proposal creates a narrow exception to the general prohibition on providing incentives in exchange for an employee’s genetic information.

88. H. Rep. 110-28, Part 1, 28 (Mar. 5, 2007).

89. Lowe et al. v. Atlas Logistics Grp. Retail Servs. (Atlanta), LLC, No: 1:13-CV-2425-AT, 2015 WL 4724511 (N.D. Ga. Jun. 22, 2015) (jury awarded plaintiffs $2.23 million in compensatory and punitive damages for employer’s GINA violation where employer forced two men suspected of defecating around warehouse to undergo DNA testing); see generally Lowe et al. v. Atlas Logistics Grp. Retail Servs. (Atlanta), LLC, 102 F. Supp. 3d 1360 (N.D. Ga. 2015).

90. See 75 FR 68912 (Nov. 9, 2010).

91. Genetic Information Nondiscrimination Act of 2008 (proposed Apr. 20, 2015) (to be codified at 29 C.F.R. pt. 1635 et seq.).


4. Conclusion: What an Employer Should Know About Wellness Programs, Wearables, and Privacy

First and foremost, employers must train and educate their managers, supervisors, and human resources staff, so they know all of the things that the ADA and GINA prohibit. It is important for employers to think before requesting from an employee or applicant anything that falls within the definition of genetic information under GINA.

Working through plans for the design and implementation of a typical wellness program certainly must involve privacy and security; more so for programs that incorporate wearables. Employers should consult their attorneys about these issues, especially in an area where the law continues to develop. It will be important to keep a watchful eye for more regulation on the horizon as the EEOC plans to issue final rules regarding wellness plan incentives under the ADA and GINA likely in the spring of 2016.

C. Social Media Password Protection Statutes

1. Introduction

Employers are struggling to implement and manage new policies and practices that address the issue of controlling their image in social media without crossing any lines. Employers must balance the benefits of employee social media use that contributes to a positive brand image against the detriments of negative participation. Some employers reportedly compelled job applicants or employees to provide their social media passwords to them. While this is arguably not a common practice among employers,92 national attention was drawn to the issue when the Associated Press published an article detailing a few reported incidents.93 In response, numerous states quickly enacted statutes banning employers from seeking employee passwords.

92. Rethinking and Rejecting Social Media “Password Protection” Legislation, Littler Mendelson, July 10, 2012.

93. Id.


2. Federal Legislation

At the federal level, members of Congress are attempting to pass the Password Protection Act and the Social Networking Online Protection Act (SNOPA). Both bills were first introduced to Congress in 2012 but neither made it past committee review.94 The 2013 versions of the bills were submitted to committee review on August 1, 201395 and February 6, 2013,96 respectively.

Both Acts prohibit the same behavior but provide for different consequences. They prohibit employers from requiring employees or applicants to disclose passwords to their social media accounts. Employers are also prohibited from taking retaliatory or disciplinary action against an applicant or employee who fails to comply with such a request. The Password Protection Act imposes criminal fines on any employer who violates the act, whereas SNOPA imposes civil liability in the form of fines or injunctive relief and provides the employee with equitable relief, including reinstatement, promotion, or payment of lost wages or benefits.

The Password Protection Act provides several exceptions. The Act includes exemptions for four scenarios: where an employee is discharged for good cause; where necessary to comply with federal or state law governing brokers, dealers, and investment advisers; where a state enacts a law that waives the prohibition for certain classes of state or agency employees; and where another branch or agency specifically waives the prohibition with respect to a certain class of employee who has access to classified information.97

3. State Statutes

Maryland was the first state to enact legislation restricting employers’ access to applicants’ and employees’ personal social media accounts in May 2012.98 Since then, many other states have enacted similar legislation, including: Arkansas,99 California,100 Colorado,101 Connecticut,102 Delaware,103 Illinois,104 Maine,105 Michigan,106 Montana,107 New Jersey,108 New Mexico,109 Nevada,110 Oregon,111 Utah,112 Virginia,113 and Washington.114 In addition, several other states have legislation currently pending.115

94. PASSWORD PROTECTION ACT OF 2012, S. 3074 (112th). Legislative history available at: https://www.govtrack.us/congress/bills/112/s3074; SOCIAL NETWORKING ONLINE PROTECTION ACT, H.R. 5050 (112th). Legislative history available at: https://www.govtrack.us/congress/bills/112/hr5050.

95. SOCIAL NETWORKING ONLINE PROTECTION ACT, Id.

96. SOCIAL NETWORKING ONLINE PROTECTION ACT, H.R. 527. Legislative history available at: https://www.govtrack.us/congress/bills/113/hr537.

97. PASSWORD PROTECTION ACT OF 2013, H.R. 2077. Legislative history available at: https://www.govtrack.us/congress/bills/113/hr2077#summary/libraryofcongress.

a. Scope of Prohibited Activity

At the heart of each of the state statutes is a general prohibition on requesting an applicant or employee’s username, password, or other information necessary to access his or her social media accounts. The exception is New Mexico’s statute, which prohibits such activity with respect to applicants but not employees.116

New Jersey passed the most recent and most comprehensive password protection statute in September 2013. Its broad language prohibits activities explicitly detailed in the statutes of Illinois, Michigan, and Washington, which include 1) requiring an applicant or employee to accept the employer’s ‘friend’ request, 2) “shoulder surfing” – where the employer requires access to a social media account in the presence of the applicant or employee, and 3) requiring the applicant or employee to change his or her privacy settings so that the employer has access to the information on his or her account. The remainder of the states prohibit differing degrees of those activities. For example, Arkansas and Colorado do not explicitly prohibit “shoulder surfing,” while California, Michigan, and Oregon do not expressly prohibit requiring an applicant or employee to change his or her privacy settings to allow employer access.

98. MD Code 3-712 Lab. & Empl. (2012).

99. Ark. Code § 11-2-124 (2013).

100. Cal. Lab. Code § 980 (2013, effective until 1/1/2014).

101. Colorado Revised Statutes, Section 8-2-127.

102. 2015 Conn. Legis. Serv. P.A. 15-6 (S.B. 426) (West).

103. 19 Del. Code Ann. tit. 19, § 709A (West 2015).

104. 820 ILCS 55/10 (2013, effective until 1/1/2014).

105. Me. Rev. Stat. tit. 26, § 615 et seq. (2015).

106. Mich. Stat. § 37.272 et seq. (2012).

107. Mont. Code Ann. § 39-2-307 (2015).

108. N.J. Rev. Stat. Ann. § 34:6B-6 (2013).

109. N.M. Stat. § 50-4-34 (2013).

110. N.R.S. § 613.135 (2013).

111. Or. Rev. Stat. § 659A.330 (2015).

112. Utah Code § 34-48-201 (2013).

113. Va. Code Ann. § 40.1-28.7:5 (West 2015).

114. Wash. Rev. Code § 49.44.200 (2013).

115. Those states include: Alaska, Florida, Georgia, Hawaii, Iowa, Kansas, Massachusetts, Minnesota, Missouri, Nebraska, New Hampshire, New York, North Carolina, Oklahoma, Ohio, Rhode Island, and Wisconsin. http://www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.aspx.

116. N.M. Stat. § 50-4-34 (2013).

Another obstacle that national employers need to navigate when reviewing social media policies is the scope of “social media” protected under the statutes. While some states have limited their statutes to popular social media websites such as Facebook and Twitter, others have included an expanded definition of “social media accounts” to include personal email accounts, blogs, podcasts, instant and text messages, and videos. States with a more expansive definition of social media include Arkansas, California, Colorado, Maryland, Michigan, Nevada, and Utah.

b. Exceptions

While the exceptions vary from state to state, there is one that all of the states have included: employers may require an employee to disclose the username and password of any “professional” social media account – one that has been set up and used for the employer’s business purposes.

In addition, nearly all of the states provide an exception for workplace investigations; however, the scope and limitations of those exceptions vary widely. Currently, New Mexico is the lone state that does not provide any such exception. Other states provide for an employer exception in order to comply with any applicable state or federal law. Those states include Nevada, Washington, and Oregon. Other states carve out exceptions for specific state and federal laws. For example, Illinois recently amended its statute to include an exception for the financial services sector, to enable those employers to comply with federal regulations. In addition, Colorado and Maryland permit requests for access to an employee’s personal social media account in order to investigate violations of securities laws or the potential misappropriation of trade secrets. Another set of states have an even broader exception for workplace investigations. Those states include Arkansas, California, Michigan, New Jersey, and Utah. In particular, New Jersey has included several workplace investigation exceptions, including in order to investigate compliance with applicable state and federal laws, as well as to investigate specific allegations of employee misconduct. In addition, like Illinois, New Jersey includes an exception for compliance with financial regulations under the Financial Industry Regulatory Authority (“FINRA”).

4. Conclusion: What Employers Should Know About Accessing Personal Social Media Accounts

Generally, given the current structure of the legislation and the desire for multistate employers to implement a unified policy, employers should consider the following practices.

Recruiting and HR. Employers should ensure that HR personnel are not asking for, requiring, or otherwise attempting to obtain an applicant’s username or password to a personal social media account. That said, nothing in the state statutes prohibits an employer from gleaning information on an applicant or employee that is publicly available.

Company Social Media. Employers should make clear, in their social media policies, that any accounts used to conduct the employer’s business are not considered “personal accounts” and that the passwords to business accounts are company property. This will ensure that employers retain value created on social media sites in the face of employee turnover. In addition, employers should include in their policies a prohibition on storing confidential information on personal social media accounts.

D. Tracking Employees Using GPS Enabled Mobile Devices

1. Introduction

As location tracking technology becomes more prevalent, employers are increasingly using such technology to monitor their employees’ whereabouts.

Given the rise in the use of GPS enabled devices in the workplace, and the lowered costs of such devices, the percentage of employers using them has risen dramatically. In fact, in 2012, Google launched an application that allows employers to track their employees by installing an application on an employee’s Android-powered smartphone.117 The program has the capability of relaying the employee’s location back to his or her employer as often as every five seconds.118 In addition to Google, several other companies have started offering tracking technology services as well.

With the increased prevalence of the use of GPS tracking technology, employers are often left without guidance on where to draw the line. A flurry of cases has attracted attention to the issue, forcing courts to work with existing statutes which provide an awkward framework to address the issue. While imperfect, these state statutes offer employers limited guidance. States that have a statute that addresses the issue to a certain extent include: California,119 Connecticut,120 Delaware,121 Florida,122 Louisiana,123 New Hampshire,124 Texas,125 and Wisconsin.126 In addition, Oklahoma is considering legislation that would include GPS tracking of an individual in its definition of criminal stalking.127

2. State Statutes on Location Monitoring

a. California

In 1998, California enacted a statute that forbids the use of electronic tracking devices to determine the location of a private individual.128 The statute defines “electronic tracking device” as “any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.” In enacting the statute, the legislature’s main concern was to protect individual privacy rights.129 The statute includes two exceptions: where the owner, lessor, or lessee consents to the tracking,130 and for the legal use of tracking devices by law enforcement.131 Violations of the statute at the individual level are considered misdemeanors, whereas a violation by a business or corporation can result in the revocation of its business license.132

117. Google Maps: Now Helping Your Boss Track Your Every Move, TIME, June 27, 2012. Available at: http://business.time.com/2012/06/27/google-maps-now-helping-your-boss-track-your-every-move/.

118. Id.

119. Cal. Pen. Code § 637.7.

120. Conn. Gen. Stat. § 31-48(d).

121. 11 Del. C. § 1335.

122. Fla. Stat. Ann. § 934.425 (West 2015).

123. La. Rev. Stat. § 14:323.

124. N.H. Rev. Stat. Ann. § 644-A:1 et seq. (2015).

125. Tex. Penal Code § 16.06.

126. Wis. Stat. Ann. § 940.315 (West 2015).

127. Bill text available at: http://webserver1.lsb.state.ok.us/cf_pdf/2015-16%20COMMITTEE%20SUBS/HCCS/HB1516%20CCS.PDF.

128. Supra note 3.

b. Connecticut

Thus far, Connecticut is the sole state to enact a statute that addresses an employer’s use of electronic devices to monitor its employees. The statute requires that employers obtain employee consent prior to electronically monitoring them. Interestingly, the statute defines “electronic monitoring” as “the collection of information on an employer’s premises concerning employees’ activities or communications...”133 In addition, where the employer has a reasonable belief that the employee is violating the law, or violating the legal rights of the employer or other employees, or creating a hostile workplace, and electronic monitoring may produce evidence of the employee’s conduct, then the employer need not obtain the employee’s consent prior to monitoring him or her.134

c. Delaware

Delaware’s statute is similar to California’s in that it prohibits the installation of a location tracking device on a car without the consent of the owner.135 It provides for two exceptions: the legal installation by law enforcement, and installation by parents on the car of their minor child.136

129. Id.

130. Id at (b).

131. Id at (c).

132. Id at sections (e) and (f).

133. Supra note 4 (emphasis added).

134. Id.

135. Supra note 5.

136. Id.


d. Florida

Florida Statute section 934.425 prohibits the installation of a GPS tracking device and software on private property without permission from the property owner.137 The statute, however, creates an exception for people “acting in good faith on behalf of a business entity for a legitimate purpose.”138 The law also exempts any law enforcement professionals who legally use tracking devices or tracking software as part of an official criminal investigation.139

e. Louisiana

Louisiana’s law takes into account the use of mobile devices to track an individual. It defines “tracking device” as “any device that reveals its location or movement by the transmission of electronic signals,”140 which, compared to other state statutes, is far more comprehensive. The statute prohibits the use of such devices to determine another individual’s location or movements without his or her consent, with some exceptions.141 Those exceptions include its legal use by a law enforcement agency, for parents to track a minor child, and for a provider of commercial mobile radio services which allows the provider to determine the location and movement of a customer.142

f. New Hampshire

New Hampshire’s recently enacted statute prohibits using “an electronic device on the person or property of another and obtain location information from such electronic device.”143

The statute includes exceptions for parents, foster parents, or legal guardians of a minor obtaining location information for his or her child.144

137. Fla. Stat. Ann. § 934.425 (West 2015).

138. Id.

139. Id.

140. Supra note 6.

141. Id.

142. Id.

143. N.H. Rev. Stat. Ann. § 644-A:1 et seq. (2015)

144. Id.


g. Texas

Texas Penal Code §16.06 prohibits the unlawful installation of tracking devices on vehicles.145 It allows the installation of a GPS tracking device with the consent of the owner, and the lawful installation of such a device by a law enforcement agency in the course of a criminal investigation.146 The Code defines “electronic or mechanical tracking device” as a “[d]evice capable of emitting an electronic frequency or other signal that may be used by a person to identify, monitor, or record the location of another person or object.”147

h. Wisconsin

Under Wisconsin law, it is a criminal misdemeanor to install a GPS tracking device on vehicles owned or leased by another person without that person’s consent.148 However, the statute exempts businesses tracking employees who drive company-owned vehicles, lienholders tracking a vehicle in order to repossess the vehicle, police acting in their official capacity, and parents who track children under the age of eighteen.149

3. Issues with State Statutes

When considering the issue of tracking an employee’s location through GPS enabled mobile devices, the statutes have several shortcomings. The majority of them, especially those enacted prior to the surge in use of mobile device tracking, do not account for the use of such devices. In addition, nearly all of the statutes fail to give clear instructions to employers on the use of tracking devices on employees. Likewise, they do not address an increasingly popular employment practice, BYOD policies and the use of tracking information from those devices.

145. Supra note 7.

146. Id.

147. Id.

148. Wis. Stat. Ann. § 940.315 (West 2015).

149. Id.


4. Failure to Address Mobile Device Tracking Technology

All of the statutes, with the exception of Louisiana’s statute and New Hampshire’s pending bill, refer to the “installation” or “attachment” of a device onto a vehicle. In that respect, those statutes assume the use of a device that is surreptitiously attached to a vehicle as opposed to a device that is carried either voluntarily or as a requirement of work. In the latter situation, employees may have consented to use their employer’s device for work related business, but that does not necessarily mean that they have consented to GPS monitoring.

In addition, employees who either have devices provided to them by their employer or bring their own device to be used for work-related business typically carry those devices from work to home. This common practice presents additional issues because an employer has the ability to constantly monitor an employee even while he or she is off-duty.

5. No Exception for the Legitimate Use of GPS to Monitor Employees

While most of the statutes provide limited exceptions for law enforcement, they do not account for an employer’s legitimate interest in monitoring the movement of its employees. While Connecticut’s statute and New Hampshire’s proposed legislation touch upon the subject, neither adequately covers the issue. Connecticut’s statute addresses the issue of employee monitoring by employers; however, its application is limited to monitoring that takes place on the employer’s premises. In contrast, New Hampshire’s proposed statute on electronic GPS monitoring carves out an exception for employers. Employers are allowed, upon giving reasonable notice, to track employees in connection with the employment relationship or an employee’s work-related functions. Such monitoring may take place during or after working hours. Its shortcoming, however, is that it does not address the issues associated with BYOD policies, as discussed below.

6. BYOD Policies

When issues of GPS monitoring have arisen, they are usually within the context of monitoring an employee’s movements in a vehicle. In that scenario, the general trend is to allow the use of GPS monitoring when an employee is using an employer-owned vehicle. Thus far, there has only been one case which permitted the use of GPS monitoring of an employee’s personal vehicle, subject to limitations.150 Given that framework, employers may likely argue that they can use GPS to monitor an employee when employees are using employer owned devices; however, the argument for enabling GPS tracking on a personal device owned by the employee but used partially for work is likely less compelling.

7. Conclusion: What Employers Should Know About GPS Tracking

Given the great uncertainty in the current state of the law, employers are advised to proceed with caution when contemplating the use of mobile device GPS monitoring. If implementing such a policy, they should give notice or gain consent from employees prior to instituting the policy. Notice should include details on the scope of tracking and explain the employer’s legitimate business reason for the tracking. In addition, employers should limit location-tracking to working hours and work-related activities and restrict access to the information that they gather to only those who need it.

E. Employee Data Breaches and Notice Rights

Large data breaches continue to take center stage in media reports on business privacy obligations. To date, forty-seven states in the United States, as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands, have enacted security breach notification laws. While these laws are generally understood to encompass notification to consumers for breach of their personal information, they could require notification to employees for breaches of their personal data as well. Many state security breach notification laws are modeled on the California breach notification law, which went into effect on July 1, 2003.151 The California law exempts from the definition of a security breach the good faith acquisition of personal information of an employee for business purposes. The majority of state breach notification laws contain similar exceptions. However, should employee information be included in a security breach caused by an outside actor, the employees would be entitled to notification in accordance with those laws on the same basis as any other consumer.

150. Cunningham v. New York State Dep’t. of Labor, 21 N.Y.3d 515 (2013).

151. Cal. Civ. Code § 1798.82.

In addition, employers should be increasingly aware of how data breaches can implicate the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is not just a concern for health care employers. The HIPAA privacy rule protects all individually identifiable health information, including demographic information and common identifiers such as name, address, birth date and Social Security Numbers associated with a health plan. The fact that a data breach may not involve medical records or clinical information does not mean it is not a HIPAA breach. Employers should also be mindful of current trends that place an increasing amount of employee health and wellness information on mobile devices. Tracking devices such as Fitbits and the associated applications can monitor a user’s weight, caloric intake, heart rate, and blood sugar, among other things. This information can be stored on the mobile device and also on the employer’s computers and storage systems used to sync the devices. As employees increasingly mingle their personal and work data, security breaches present ever more complicated issues for employers. Some states specifically include biometric data in the definition of personally identifiable information in their data breach notification laws. Those states include Connecticut,152 Illinois,153 Iowa,154 Nebraska,155 North Carolina,156 Oregon,157 Wisconsin,158 and Wyoming.159

Recently, an Illinois district court denied Shutterfly’s motion to dismiss a claim that photographs of a plaintiff posted to its website without consent to a written biometrics policy violated the Illinois Biometric Information Privacy Act (BIPA).160

152. Conn. Gen. Stat. Ann. § 15-142 (West 2015).

153. 740 Ill. Comp. Stat. 14/1 et seq. (2008).

154. Iowa Code § 715C.1 (2014).

155. Neb. Rev. Stat. § 87-802 (2006).

156. N.C. Gen Stat. § 75-66 (2012).

157. Or. Rev. Stat. § 807.024 (2008).

158. Wis. Stat. § 943.201 (2015).

159. Wyo. Stat. Ann. § 6-3-901 (West 2015).

160. Norberg v. Shutterfly Inc. et al., No. 15 CV 5351, 2015 WL 9914203 at *2 (N.D. Ill. Dec. 29, 2015).


III. CONCLUSION

As new challenges and developments arise in workplace privacy, employers and employees will continue to seek balance in a gray area. Keeping up to date on these important new developments is the first step towards finding that balance. Employers should also be sure to keep updating their policies and implementing training when making significant changes to their policies to ensure that employees have the proper tools to confront these workplace privacy issues.
